@online{037:20190320:apt38:4c7f1d4, author = {@037}, title = {{APT38 DYEPACK FRAMEWORK}}, date = {2019-03-20}, organization = {Github (649)}, url = {https://github.com/649/APT38-DYEPACK}, language = {English}, urldate = {2019-12-17} } @online{0verfl0w:20190115:analyzing:bf3b215, author = {0verfl0w_}, title = {{Analyzing COMmunication in Malware}}, date = {2019-01-15}, organization = {0ffset Blog}, url = {https://0ffset.net/reverse-engineering/analyzing-com-mechanisms-in-malware/}, language = {English}, urldate = {2020-01-06} } @online{0verfl0w:20190205:revisiting:8e39d7e, author = {0verfl0w_}, title = {{Revisiting Hancitor in Depth}}, date = {2019-02-05}, organization = {0ffset Blog}, url = {https://0ffset.net/reverse-engineering/malware-analysis/reversing-hancitor-again/}, language = {English}, urldate = {2020-01-06} } @online{0verfl0w:20190313:analysing:1f83706, author = {0verfl0w_}, title = {{Analysing ISFB – The First Loader}}, date = {2019-03-13}, organization = {0ffset Blog}, url = {https://0ffset.net/reverse-engineering/malware-analysis/analysing-isfb-loader/}, language = {English}, urldate = {2020-01-10} } @online{0verfl0w:20190525:analyzing:84874ea, author = {0verfl0w_}, title = {{Analyzing ISFB – The Second Loader}}, date = {2019-05-25}, organization = {0ffset Blog}, url = {https://0ffset.net/reverse-engineering/malware-analysis/analyzing-isfb-second-loader/}, language = {English}, urldate = {2020-01-13} } @online{0verfl0w:20190531:defeating:eb0994e, author = {0verfl0w_}, title = {{Defeating Commercial and Custom Packers like a Pro - VMProtect, ASPack, PECompact, and more}}, date = {2019-05-31}, organization = {Youtube (0verfl0w_)}, url = {https://www.youtube.com/watch?v=N4f2e8Mygag}, language = {English}, urldate = {2020-01-08} } @online{0verfl0w:20190708:analyzing:b984acf, author = {0verfl0w_}, title = {{Analyzing KSL0T (Turla’s Keylogger), Part 2 – Reupload}}, date = {2019-07-08}, organization = {0ffset Blog}, url = {https://0ffset.net/reverse-engineering/malware-analysis/analyzing-turlas-keylogger-2/}, language = {English}, urldate = {2020-01-10} } @online{0verfl0w:20190708:analyzing:f246b28, author = {0verfl0w_}, title = {{Analyzing KSL0T (Turla’s Keylogger), Part 1 – Reupload}}, date = {2019-07-08}, organization = {0ffset Blog}, url = {https://0ffset.net/reverse-engineering/malware-analysis/analyzing-turlas-keylogger-1/}, language = {English}, urldate = {2020-01-06} } @online{0verfl0w:20200607:dealing:b50665d, author = {0verfl0w_}, title = {{Dealing with Obfuscated Macros, Statically - NanoCore}}, date = {2020-06-07}, organization = {Zero2Automated Blog}, url = {https://zero2auto.com/2020/06/07/dealing-with-obfuscated-macros/}, language = {English}, urldate = {2020-06-11} } @online{0x09al:20181020:dropboxc2c:bf05a34, author = {0x09AL}, title = {{DropboxC2C}}, date = {2018-10-20}, url = {https://github.com/0x09AL/DropboxC2C}, language = {English}, urldate = {2020-03-06} } @online{0x0:20191221:shamoon:eb1828b, author = {Myrtus 0x0}, title = {{Shamoon 2012 Complete Analysis}}, date = {2019-12-21}, organization = {MalwareInDepth}, url = {https://malwareindepth.com/shamoon-2012/}, language = {English}, urldate = {2020-01-12} } @online{0x0:20200404:nanocore:6649008, author = {Myrtus 0x0}, title = {{Nanocore & CypherIT}}, date = {2020-04-04}, organization = {MalwareInDepth}, url = {https://malwareindepth.com/defeating-nanocore-and-cypherit/}, language = {English}, urldate = {2020-04-07} } @online{0xebfe:20130330:fooled:88d133a, author = {0xEBFE}, title = {{Fooled by Andromeda}}, date = {2013-03-30}, organization = {0xEBFE Blog about life}, url = {http://www.0xebfe.net/blog/2013/03/30/fooled-by-andromeda/}, language = {English}, urldate = {2019-07-27} } @online{0xffff0800:20181114:amadey:e362501, author = {0xffff0800}, title = {{Tweet on Amadey C2}}, date = {2018-11-14}, organization = {Twitter (@0xffff0800)}, url = {https://twitter.com/0xffff0800/status/1062948406266642432}, language = {English}, urldate = {2020-01-07} } @online{0xffff0800:20190222:pe:ea39c56, author = {0xffff0800}, title = {{Tweet on PE}}, date = {2019-02-22}, organization = {Twitter}, url = {https://twitter.com/i/web/status/1099147896950185985}, language = {English}, urldate = {2020-01-08} } @online{0xffff0800:20190302:opjerusalm:4743e08, author = {@0xffff0800}, title = {{Tweet on #OpJerusalm Ransomware}}, date = {2019-03-02}, organization = {Twitter (@0xffff0800)}, url = {https://twitter.com/0xffff0800/status/1102078898320302080}, language = {English}, urldate = {2019-07-08} } @online{1d8:20200713:remcos:531702d, author = {1d8}, title = {{Remcos RAT Macro Dropper Doc}}, date = {2020-07-13}, organization = {Github (1d8)}, url = {https://github.com/1d8/analyses/blob/master/RemcosDocDropper.MD}, language = {English}, urldate = {2020-07-16} } @online{20140313:20140313:energy:8736af5, author = {2014-03-13}, title = {{Energy Watering Hole Attack Used LightsOut Exploit Kit}}, date = {2014-03-13}, organization = {Threatpost}, url = {https://threatpost.com/energy-watering-hole-attack-used-lightsout-exploit-kit/104772/}, language = {English}, urldate = {2020-01-08} } @online{360:20180712:blue:ca92dea, author = {360}, title = {{Blue Pork Mushroom (APT-C-12) targeted attack technical details revealed}}, date = {2018-07-12}, organization = {360 Threat Intelligence}, url = {https://mp.weixin.qq.com/s/S-hiGFNC6WXGrkjytAVbpA}, language = {Chinese}, urldate = {2020-04-06} } @online{360:20180921:poison:d1cab92, author = {Qihoo 360}, title = {{Poison Ivy Group and the Cyberespionage Campaign Against Chinese Military and Goverment}}, date = {2018-09-21}, organization = {Qihoo 360 Technology}, url = {http://blogs.360.cn/post/APT_C_01_en.html}, language = {English}, urldate = {2019-11-29} } @online{360:20181205:operation:65a4907, author = {360}, title = {{Operation Poison Needles - APT Group Attacked the Polyclinic of the Presidential Administration of Russia, Exploiting a Zero-day}}, date = {2018-12-05}, organization = {360}, url = {http://blogs.360.cn/post/PoisonNeedles_CVE-2018-15982_EN}, language = {English}, urldate = {2020-01-06} } @online{360:20190228:urlzone:e1814da, author = {360威胁情报中心}, title = {{URLZone: Analysis of Suspected Attacks Against Japanese Hi-Tech Enterprise Employees}}, date = {2019-02-28}, organization = {Weixin}, url = {https://mp.weixin.qq.com/s/NRytT94ne5gKN31CSLq6GA}, language = {Chinese}, urldate = {2019-11-27} } @online{360:20200302:cia:d88b9c9, author = {Qihoo 360}, title = {{The CIA Hacking Group (APT-C-39) Conducts Cyber-Espionage Operation on China's Critical Industries for 11 Years}}, date = {2020-03-02}, organization = {Qihoo 360 Technology}, url = {http://blogs.360.cn/post/APT-C-39_CIA_EN.html}, language = {English}, urldate = {2020-03-03} } @online{360:20200406:darkhotel:78f0a7f, author = {Qihoo 360}, title = {{The DarkHotel (APT-C-06) Attacked Chinese Institutions Abroad via Exploiting SangFor VPN Vulnerability}}, date = {2020-04-06}, organization = {360.cn}, url = {https://blogs.360.cn/post/APT_Darkhotel_attacks_during_coronavirus_pandemic.html}, language = {English}, urldate = {2020-04-07} } @online{360:20200828:sneak:bc0fea4, author = {360威胁情报中心}, title = {{The "sneak camera" in mobile pornography software}}, date = {2020-08-28}, organization = {360 Core Security}, url = {https://blogs.360.cn/post/shou-ji-se-qing-ruan-jian-zhong-de-tou-pai-zhe.html}, language = {English}, urldate = {2020-09-06} } @online{3xp0rt:20200405:lets:fb49d9f, author = {3xp0rt}, title = {{Let's check: Sorano Stealer}}, date = {2020-04-05}, url = {https://3xp0rt.xyz/lpmkikVic}, language = {English}, urldate = {2020-05-20} } @online{3xp0rt:20200407:decompiled:83e10aa, author = {3xp0rt}, title = {{Decompiled SoranoStealer}}, date = {2020-04-07}, organization = {Github (3xp0rt)}, url = {https://github.com/3xp0rt/SoranoStealer}, language = {English}, urldate = {2020-05-20} } @online{3xp0rt:20200624:new:6b725c2, author = {3xp0rt}, title = {{Tweet on new version of TaurusStealer (v1.4)}}, date = {2020-06-24}, organization = {Twitter (@3xp0rtblog)}, url = {https://twitter.com/3xp0rtblog/status/1275746149719252992}, language = {English}, urldate = {2020-06-24} } @online{3xp0rt:20200814:osiris:5de6596, author = {3xp0rt}, title = {{Tweet on Osiris}}, date = {2020-08-14}, organization = {Twitter (@3xp0rtblog)}, url = {https://twitter.com/3xp0rtblog/status/1294157781415743488}, language = {English}, urldate = {2020-08-18} } @online{3xp0rt:20200906:of:b1e77c3, author = {3xp0rt}, title = {{Tweet and description of NixScare Stealer}}, date = {2020-09-06}, organization = {Twitter (@3xp0rtblog)}, url = {https://twitter.com/3xp0rtblog/status/1302584919592501248}, language = {English}, urldate = {2020-09-15} } @online{42:20171027:tracking:bde654e, author = {Unit 42}, title = {{Tracking Subaat: Targeted Phishing Attack Leads to Threat Actor’s Repository}}, date = {2017-10-27}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/10/unit42-tracking-subaat-targeted-phishing-attacks-point-leader-threat-actors-repository/}, language = {English}, urldate = {2019-12-20} } @online{42:20190222:new:7bda906, author = {Unit 42}, title = {{New BabyShark Malware Targets U.S. National Security Think Tanks}}, date = {2019-02-22}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/}, language = {English}, urldate = {2020-01-07} } @online{42:20190312:operation:3610bc8, author = {Unit 42}, title = {{Operation Comando: How to Run a Cheap and Effective Credit Card Business}}, date = {2019-03-12}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/operation-comando-or-how-to-run-a-cheap-and-effective-credit-card-business/}, language = {English}, urldate = {2019-10-23} } @online{42:20191202:imminent:462e901, author = {Unit 42}, title = {{Imminent Monitor – a RAT Down Under}}, date = {2019-12-02}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/imminent-monitor-a-rat-down-under/}, language = {English}, urldate = {2020-01-06} } @online{471:20200331:revil:0e5226a, author = {Intel 471}, title = {{REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation}}, date = {2020-03-31}, organization = {Intel 471}, url = {https://blog.intel471.com/2020/03/31/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/}, language = {English}, urldate = {2020-04-01} } @online{471:20200414:understanding:ca95961, author = {Intel 471}, title = {{Understanding the relationship between Emotet, Ryuk and TrickBot}}, date = {2020-04-14}, organization = {Intel 471}, url = {https://blog.intel471.com/2020/04/14/understanding-the-relationship-between-emotet-ryuk-and-trickbot/}, language = {English}, urldate = {2020-04-26} } @online{471:20200521:brief:048d164, author = {Intel 471}, title = {{A brief history of TA505}}, date = {2020-05-21}, organization = {Intel 471}, url = {https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/}, language = {English}, urldate = {2020-05-23} } @online{471:20200708:irans:0bc8398, author = {Intel 471}, title = {{Iran’s domestic espionage: Lessons from recent data leaks}}, date = {2020-07-08}, organization = {Intel 471}, url = {https://blog.intel471.com/2020/07/08/irans-domestic-espionage-lessons-from-recent-data-leaks/}, language = {English}, urldate = {2020-07-11} } @online{471:20200715:flowspec:683a5a1, author = {Intel 471}, title = {{Flowspec – TA505’s bulletproof hoster of choice}}, date = {2020-07-15}, organization = {Intel 471}, url = {https://blog.intel471.com/2020/07/15/flowspec-ta505s-bulletproof-hoster-of-choice/}, language = {English}, urldate = {2020-07-16} } @online{471:20200812:prioritizing:83e5896, author = {Intel 471}, title = {{Prioritizing “critical” vulnerabilities: A threat intelligence perspective}}, date = {2020-08-12}, organization = {Intel 471}, url = {https://blog.intel471.com/2020/08/12/prioritizing-critical-vulnerabilities-a-threat-intelligence-perspective/}, language = {English}, urldate = {2020-08-14} } @online{471:20200916:partners:c65839f, author = {Intel 471}, title = {{Partners in crime: North Koreans and elite Russian-speaking cybercriminals}}, date = {2020-09-16}, organization = {Intel 471}, url = {https://public.intel471.com/blog/partners-in-crime-north-koreans-and-elite-russian-speaking-cybercriminals/}, language = {English}, urldate = {2020-09-23} } @online{471:20201015:that:2d4b495, author = {Intel 471}, title = {{That was quick: Trickbot is back after disruption attempts}}, date = {2020-10-15}, organization = {Intel 471}, url = {https://public.intel471.com/blog/trickbot-online-emotet-microsoft-cyber-command-disruption-attempts/}, language = {English}, urldate = {2020-10-15} } @online{471:20201020:global:570e26f, author = {Intel 471}, title = {{Global Trickbot disruption operation shows promise}}, date = {2020-10-20}, organization = {Intel 471}, url = {https://public.intel471.com/blog/global-trickbot-disruption-operation-shows-promise/}, language = {English}, urldate = {2020-10-21} } @online{51ddh4r7h4:20180820:advanced:9eb6e5c, author = {51ddh4r7h4}, title = {{Advanced Brazilian Malware Analysis}}, date = {2018-08-20}, organization = {ReversingMinds' Blog}, url = {http://reversingminds-blog.logdown.com/posts/7807545-analysis-of-advanced-brazilian-banker-malware}, language = {English}, urldate = {2020-01-13} } @online{5loyd:20171103:trochilus:964b44c, author = {5loyd}, title = {{Trochilus}}, date = {2017-11-03}, organization = {Github (5loyd)}, url = {https://github.com/5loyd/trochilus/}, language = {English}, urldate = {2020-01-08} } @online{9b:20180627:latest:5770e87, author = {9b}, title = {{Latest observed JS payload used for APT32 profiling}}, date = {2018-06-27}, organization = {Github (9b)}, url = {https://gist.github.com/9b/141a5c7ab8b4280901722e2cd931b7ef}, language = {English}, urldate = {2020-01-09} } @online{:2010:trojandownloaderw32chyminea:30597d8, author = {_}, title = {{Trojan-Downloader:W32/Chymine.A}}, date = {2010}, organization = {F-Secure}, url = {https://www.f-secure.com/v-descs/trojan-downloader_w32_chymine_a.shtml}, language = {English}, urldate = {2019-09-22} } @online{:20130203:forum:e9bf784, author = {小男孩}, title = {{Forum Post: GetPwd_K8 one-click to get the plain text password of the system login user based on French ...}}, date = {2013-02-03}, url = {https://ihonker.org/thread-1504-1-1.html}, language = {Chinese}, urldate = {2020-01-23} } @online{:20131217:bebloh:dcd1f5f, author = {}, title = {{Bebloh – a well-known banking Trojan with noteworthy innovations}}, date = {2013-12-17}, organization = {Gdata}, url = {https://www.gdatasoftware.com/blog/2013/12/23978-bebloh-a-well-known-banking-trojan-with-noteworthy-innovations}, language = {English}, urldate = {2019-10-28} } @online{:20141022:cryakl:aaecc86, author = {Артём Семенченко and Федор Синицын and Татьяна Куликова}, title = {{Шифровальщик Cryakl или Фантомас разбушевался}}, date = {2014-10-22}, organization = {Kaspersky Labs}, url = {https://securelist.ru/shifrovalshhik-cryakl-ili-fantomas-razbushevalsya/24070/}, language = {Russian}, urldate = {2019-12-16} } @techreport{:20170225:silent:5a11e12, author = {Kyoung-Ju Kwak (郭炅周)}, title = {{Silent RIFLE: Response Against Advanced Threat}}, date = {2017-02-25}, institution = {Financial Security Institute}, url = {https://hackcon.org/uploads/327/05%20-%20Kwak.pdf}, language = {English}, urldate = {2020-03-04} } @online{:20180602:hidden:674cfb9, author = {安全豹}, title = {{"Hidden Bee" strikes: Kingsoft Internet Security intercepts the world's first bootkit-level mining botnet (Part 1)}}, date = {2018-06-02}, organization = {Freebuf}, url = {https://www.freebuf.com/column/174581.html}, language = {Chinese}, urldate = {2020-01-13} } @online{:20180726:analysis:66722b6, author = {奇安信威胁情报中心 | 事件追踪}, title = {{Analysis of the latest attack activities of APT-C-35}}, date = {2018-07-26}, url = {https://ti.360.net/blog/articles/latest-activity-of-apt-c-35/}, language = {Chinese}, urldate = {2020-01-08} } @online{:20181005:post:4890d7d, author = {_}, title = {{Post 0x17.2: Analyzing Turla’s Keylogger}}, date = {2018-10-05}, url = {https://0ffset.wordpress.com/2018/10/05/post-0x17-2-turla-keylogger/}, language = {English}, urldate = {2019-07-27} } @online{:20181225:bittertapt17:faf6bde, author = {腾讯电脑管家}, title = {{BITTER/T-APT-17 reports on the latest attacks on sensitive agencies such as military, nuclear, and government agencies in China}}, date = {2018-12-25}, organization = {Tencent}, url = {https://www.freebuf.com/articles/database/192726.html}, language = {Chinese}, urldate = {2020-03-02} } @online{:20190124:excel:2dd401c, author = {事件追踪}, title = {{Excel 4.0 Macro Utilized by TA505 to Target Financial Institutions Recently}}, date = {2019-01-24}, organization = {奇安信威胁情报中心}, url = {https://ti.360.net/blog/articles/excel-4.0-macro-utilized-by-ta505-to-target-financial-institutions-recently-en/}, language = {English}, urldate = {2019-12-02} } @online{:20190214:suspected:25adc45, author = {奇安信威胁情报中心}, title = {{Suspected Molerats New Attack in the Middle East}}, date = {2019-02-14}, organization = {360.cn}, url = {https://ti.360.net/blog/articles/suspected-molerats-new-attack-in-the-middle-east/}, language = {Chinese}, urldate = {2019-10-12} } @online{:20190214:suspected:5df65f1, author = {事件追踪}, title = {{Suspected Molerats' New Attack in the Middle East}}, date = {2019-02-14}, organization = {奇安信威胁情报中心}, url = {https://ti.360.net/blog/articles/suspected-molerats-new-attack-in-the-middle-east-en/}, language = {English}, urldate = {2020-01-07} } @online{:20190306:taidoor:651efa6, author = {NTT セキュリティ and ジャパン株式会社}, title = {{Taidoor を用いた標的型攻撃}}, date = {2019-03-06}, organization = {Unit CANARY}, url = {https://www.nttsecurity.com/docs/librariesprovider3/resources/taidoor%E3%82%92%E7%94%A8%E3%81%84%E3%81%9F%E6%A8%99%E7%9A%84%E5%9E%8B%E6%94%BB%E6%92%83%E8%A7%A3%E6%9E%90%E3%83%AC%E3%83%9D%E3%83%BC%E3%83%88_v1}, language = {English}, urldate = {2020-01-13} } @online{:20190319:aptc27:6ab4857, author = {奇安信威胁情报中心}, title = {{APT-C-27 (Goldmouse): Suspected Target Attack against the Middle East with WinRAR Exploit}}, date = {2019-03-19}, url = {https://ti.360.net/blog/articles/apt-c-27-(goldmouse):-suspected-target-attack-against-the-middle-east-with-winrar-exploit-en/}, language = {English}, urldate = {2019-10-26} } @online{:20190813::eae3d10, author = {奇安信威胁情报中心}, title = {{洞察人性:一起利用政治人物桃色丑闻的诱饵攻击活动披露}}, date = {2019-08-13}, url = {https://wemp.app/posts/80ab2b2d-4e0e-4960-94b7-4d452a06fd38?utm_source=latest-posts}, language = {Chinese}, urldate = {2020-01-13} } @online{:20200723::adadd32, author = {AhnLab ASEC 분석팀}, title = {{국내 인터넷 커뮤니티 사이트에서 악성코드 유포 (유틸리티 위장)}}, date = {2020-07-23}, organization = {AhnLab}, url = {https://asec.ahnlab.com/1360}, language = {Korean}, urldate = {2020-07-30} } @online{:20200816:wastedlocker:4210f22, author = {谷川哲司}, title = {{WastedLocker IoC collection}}, date = {2020-08-16}, organization = {Hatena Blog}, url = {https://ioc.hatenablog.com/entry/2020/08/16/132853}, language = {Japanese}, urldate = {2020-10-02} } @online{:20200819:njrat:a8e3234, author = {AhnLab ASEC 분석팀}, title = {{국내 유명 웹하드를 통해 유포되는 njRAT 악성코드}}, date = {2020-08-19}, organization = {AhnLab}, url = {https://asec.ahnlab.com/1369}, language = {Korean}, urldate = {2020-08-25} } @online{a:2016:cyber:140f384, author = {Monnappa K A}, title = {{CYBER ATTACK IMPERSONATING IDENTITY OF INDIAN THINK TANK TO TARGET CENTRAL BUREAU OF INVESTIGATION (CBI) AND POSSIBLY INDIAN ARMY OFFICIALS}}, date = {2016}, organization = {Cysinfo}, url = {https://cysinfo.com/cyber-attack-targeting-cbi-and-possibly-indian-army-officials}, language = {English}, urldate = {2020-01-07} } @online{a:20180910:turla:c92b687, author = {Monnappa K A}, title = {{turla gazer backdoor code injection & winlogon shell persistence}}, date = {2018-09-10}, organization = {Youtube ( Monnappa K A)}, url = {https://www.youtube.com/watch?v=Pvzhtjl86wc}, language = {English}, urldate = {2020-01-13} } @online{a:20190513:chacha:840508a, author = {Amigo A}, title = {{ChaCha Ransomware}}, date = {2019-05-13}, url = {https://id-ransomware.blogspot.com/2019/05/chacha-ransomware.html}, language = {Russian}, urldate = {2019-12-02} } @online{a:20200411:rhino:c3d7b04, author = {Amigo A}, title = {{Rhino Ransomware}}, date = {2020-04-11}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/04/rhino-ransomware.html}, language = {Russian}, urldate = {2020-05-18} } @online{a:20201016:geofenced:8c31198, author = {Cassandra A. and Proofpoint Threat Research Team}, title = {{Geofenced Amazon Japan Credential Phishing Volumes Rival Emotet}}, date = {2020-10-16}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/geofenced-amazon-japan-credential-phishing-volumes-rival-emotet}, language = {English}, urldate = {2020-10-23} } @online{abbasi:20180716:danabot:08d5942, author = {Fahim Abbasi}, title = {{DanaBot Riding Fake MYOB Invoice Emails}}, date = {2018-07-16}, organization = {SpiderLabs Blog}, url = {https://www.trustwave.com/Resources/SpiderLabs-Blog/DanaBot-Riding-Fake-MYOB-Invoice-Emails/}, language = {English}, urldate = {2020-01-10} } @online{abbati:20161108:analysis:374eea4, author = {Amaud Abbati}, title = {{Analysis of IOS.GUIINJECT Adware Library}}, date = {2016-11-08}, organization = {SentinelOne}, url = {https://sentinelone.com/blogs/analysis-ios-guiinject-adware-library/}, language = {English}, urldate = {2020-01-08} } @online{abbati:20170823:cs:1ecb9bb, author = {Arnaud Abbati}, title = {{CS: Go Hacks for Mac – OSX.Pwnet.A}}, date = {2017-08-23}, organization = {SentinelOne}, url = {https://sentinelone.com/blog/osx-pwnet-a-csgo-hack-and-sneaky-miner/}, language = {English}, urldate = {2019-08-07} } @online{abbati:20171128:osxcpumeaner:23f69f0, author = {Arnaud Abbati}, title = {{OSX.CPUMEANER: New Cryptocurrency Mining Trojan Targets MacOS}}, date = {2017-11-28}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/osx-cpumeaner-miner-trojan-software-pirates/}, language = {English}, urldate = {2019-12-05} } @online{abel:20180720:malware:62e1c9e, author = {Robert Abel}, title = {{Malware author ‘Anarchy’ builds 18,000-strong Huawei router botnet}}, date = {2018-07-20}, url = {https://www.scmagazine.com/malware-author-anarchy-builds-18000-strong-huawei-router-botnet/article/782395/}, language = {English}, urldate = {2019-11-27} } @online{abrams:20160214:padcrypt:626523d, author = {Lawrence Abrams}, title = {{PadCrypt: The first ransomware with Live Support Chat and an Uninstaller}}, date = {2016-02-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/padcrypt-the-first-ransomware-with-live-support-chat-and-an-uninstaller/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20160408:cryptohost:d0f5780, author = {Lawrence Abrams}, title = {{CryptoHost Decrypted: Locks files in a password protected RAR File}}, date = {2016-04-08}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/cryptohost-decrypted-locks-files-in-a-password-protected-rar-file/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20160722:stampado:207584f, author = {Lawrence Abrams}, title = {{Stampado Ransomware campaign decrypted before it Started}}, date = {2016-07-22}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/stampado-ransomware-campaign-decrypted-before-it-started/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20160908:philadelphia:18b2e18, author = {Lawrence Abrams}, title = {{The Philadelphia Ransomware offers a Mercy Button for Compassionate Criminals}}, date = {2016-09-08}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/the-philadelphia-ransomware-offers-a-mercy-button-for-compassionate-criminals/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20160928:introducing:f09b941, author = {Lawrence Abrams}, title = {{Introducing Her Royal Highness, the Princess Locker Ransomware}}, date = {2016-09-28}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/introducing-her-royal-highness-the-princess-locker-ransomware/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20160930:hacked:760d56c, author = {Lawrence Abrams}, title = {{Hacked Steam accounts spreading Remote Access Trojan}}, date = {2016-09-30}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/hacked-steam-accounts-spreading-remote-access-trojan/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20161027:indev:79b8937, author = {Lawrence Abrams}, title = {{In-Dev Ransomware forces you do to Survey before unlocking Computer}}, date = {2016-10-27}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20161115:cryptoluck:19599ea, author = {Lawrence Abrams}, title = {{CryptoLuck Ransomware being Malvertised via RIG-E Exploit Kits}}, date = {2016-11-15}, organization = {Bleeping Computer}, url = {http://www.bleepingcomputer.com/news/security/cryptoluck-ransomware-being-malvertised-via-rig-e-exploit-kits/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20170119:new:b020afc, author = {Lawrence Abrams}, title = {{New Satan Ransomware available through a Ransomware as a Service.}}, date = {2017-01-19}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-satan-ransomware-available-through-a-ransomware-as-a-service-/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20170207:erebus:2328bb9, author = {Lawrence Abrams}, title = {{Erebus Ransomware Utilizes a UAC Bypass and Request a $90 Ransom Payment}}, date = {2017-02-07}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/erebus-ransomware-utilizes-a-uac-bypass-and-request-a-90-ransom-payment/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20170315:revenge:b047d2f, author = {Lawrence Abrams}, title = {{Revenge Ransomware, a CryptoMix Variant, Being Distributed by RIG Exploit Kit}}, date = {2017-03-15}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/revenge-ransomware-a-cryptomix-variant-being-distributed-by-rig-exploit-kit/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20170816:locky:7445bd0, author = {Lawrence Abrams}, title = {{Locky Ransomware switches to the Lukitus extension for Encrypted Files}}, date = {2017-08-16}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/locky-ransomware-switches-to-the-lukitus-extension-for-encrypted-files/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20170816:synccrypt:c8d0c48, author = {Lawrence Abrams}, title = {{SyncCrypt Ransomware Hides Inside JPG Files, Appends .KK Extension}}, date = {2017-08-16}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/synccrypt-ransomware-hides-inside-jpg-files-appends-kk-extension/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20170825:new:a2d73b9, author = {Lawrence Abrams}, title = {{New Arena Crysis Ransomware Variant Released}}, date = {2017-08-25}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-arena-crysis-ransomware-variant-released/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20170828:new:4c237c7, author = {Lawrence Abrams}, title = {{New Nuclear BTCWare Ransomware Released (Updated)}}, date = {2017-08-28}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-nuclear-btcware-ransomware-released-updated/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20171031:oni:b366161, author = {Lawrence Abrams}, title = {{ONI Ransomware Used in Month-Long Attacks Against Japanese Companies}}, date = {2017-10-31}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/oni-ransomware-used-in-month-long-attacks-against-japanese-companies/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20171213:work:d439b4b, author = {Lawrence Abrams}, title = {{WORK Cryptomix Ransomware Variant Released}}, date = {2017-12-13}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/work-cryptomix-ransomware-variant-released/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20171222:new:eadbe96, author = {Lawrence Abrams}, title = {{New .DOC GlobeImposter Ransomware Variant Malspam Campaign Underway}}, date = {2017-12-22}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-doc-globeimposter-ransomware-variant-malspam-campaign-underway/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20180121:evrial:5df289b, author = {Lawrence Abrams}, title = {{Evrial Trojan Switches Bitcoin Addresses Copied to Windows Clipboard}}, date = {2018-01-21}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/evrial-trojan-switches-bitcoin-addresses-copied-to-windows-clipboard/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20180126:velso:4b06608, author = {Lawrence Abrams}, title = {{The Velso Ransomware Being Manually Installed by Attackers}}, date = {2018-01-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/the-velso-ransomware-being-manually-installed-by-attackers/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20180129:gandcrab:9e003f9, author = {Lawrence Abrams}, title = {{GandCrab Ransomware Distributed by Exploit Kits, Appends GDCB Extension}}, date = {2018-01-29}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-distributed-by-exploit-kits-appends-gdcb-extension/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20180208:gandcrab:40fb494, author = {Lawrence Abrams}, title = {{GandCrab Ransomware Being Distributed Via Malspam Disguised as Receipts}}, date = {2018-02-08}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20180209:black:85fdc3c, author = {Lawrence Abrams}, title = {{Black Ruby Ransomware Skips Victims in Iran and Adds a Miner for Good Measure}}, date = {2018-02-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/black-ruby-ransomware-skips-victims-in-iran-and-adds-a-miner-for-good-measure/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20180209:dexcrypt:a7d1f62, author = {Lawrence Abrams}, title = {{DexCrypt MBRLocker Demands 30 Yuan To Gain Access to Computer}}, date = {2018-02-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/dexcrypt-mbrlocker-demands-30-yuan-to-gain-access-to-computer/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20180226:thanatos:546a986, author = {Lawrence Abrams}, title = {{Thanatos Ransomware Is First to Use Bitcoin Cash. Messes Up Encryption}}, date = {2018-02-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/thanatos-ransomware-is-first-to-use-bitcoin-cash-messes-up-encryption/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20180323:avcrypt:edb1b07, author = {Lawrence Abrams}, title = {{The AVCrypt Ransomware Tries To Uninstall Your AV Software}}, date = {2018-03-23}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/the-avcrypt-ransomware-tries-to-uninstall-your-av-software/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20180514:stalinlocker:5c9f91e, author = {Lawrence Abrams}, title = {{StalinLocker Deletes Your Files Unless You Enter the Right Code}}, date = {2018-05-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/stalinlocker-deletes-your-files-unless-you-enter-the-right-code/}, language = {English}, urldate = {2020-03-02} } @online{abrams:20180626:thanatos:bbe20fc, author = {Lawrence Abrams}, title = {{Thanatos Ransomware Decryptor Released by the Cisco Talos Group}}, date = {2018-06-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/thanatos-ransomware-decryptor-released-by-the-cisco-talos-group/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20180912:feedify:7beba8a, author = {Lawrence Abrams}, title = {{Feedify Hacked with Magecart Information Stealing Script}}, date = {2018-09-12}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/feedify-hacked-with-magecart-information-stealing-script/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20180914:kraken:643744c, author = {Lawrence Abrams}, title = {{Kraken Cryptor Ransomware Masquerading as SuperAntiSpyware Security Program}}, date = {2018-09-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/kraken-cryptor-ransomware-masquerading-as-superantispyware-security-program/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20181001:roaming:3a9e1c5, author = {Lawrence Abrams}, title = {{Roaming Mantis Group Testing Coinhive Miner Redirects on iPhones}}, date = {2018-10-01}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/roaming-mantis-group-testing-coinhive-miner-redirects-on-iphones/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20181113:hookads:ef89e4e, author = {Lawrence Abrams}, title = {{HookAds Malvertising Installing Malware via the Fallout Exploit Kit}}, date = {2018-11-13}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/hookads-malvertising-installing-malware-via-the-fallout-exploit-kit/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20181119:visiondirect:6c2560e, author = {Lawrence Abrams}, title = {{VisionDirect Data Breach Caused by MageCart Attack}}, date = {2018-11-19}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/visiondirect-data-breach-caused-by-magecart-attack/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20190104:how:8932d09, author = {Lawrence Abrams}, title = {{How to Decrypt the Aurora Ransomware with AuroraDecrypter}}, date = {2019-01-04}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/ransomware/decryptor/how-to-decrypt-the-aurora-ransomware-with-auroradecrypter/}, language = {English}, urldate = {2019-12-17} } @online{abrams:20190115:djvu:a8b1d06, author = {Lawrence Abrams}, title = {{Djvu Ransomware Spreading New .TRO Variant Through Cracks & Adware Bundles}}, date = {2019-01-15}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/djvu-ransomware-spreading-new-tro-variant-through-cracks-and-adware-bundles/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20190117:blackrouter:2e83ebf, author = {Lawrence Abrams}, title = {{BlackRouter Ransomware Promoted as a RaaS by Iranian Developer}}, date = {2019-01-17}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/blackrouter-ransomware-promoted-as-a-raas-by-iranian-developer/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20190305:cryptomix:33e7eac, author = {Lawrence Abrams}, title = {{CryptoMix Clop Ransomware Says It's Targeting Networks, Not Computers}}, date = {2019-03-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/cryptomix-clop-ransomware-says-its-targeting-networks-not-computers/}, language = {English}, urldate = {2020-01-13} } @online{abrams:20190426:closer:ba13483, author = {Lawrence Abrams}, title = {{A Closer Look at the RobbinHood Ransomware}}, date = {2019-04-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/a-closer-look-at-the-robbinhood-ransomware/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20190601:gandcrab:cb581e3, author = {Lawrence Abrams}, title = {{GandCrab Ransomware Shutting Down After Claiming to Earn $2 Billion}}, date = {2019-06-01}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-shutting-down-after-claiming-to-earn-25-billion/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20190613:pylocky:15be611, author = {Lawrence Abrams}, title = {{pyLocky Decryptor Released by French Authorities}}, date = {2019-06-13}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/pylocky-decryptor-released-by-french-authorities/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20190719:elusive:153c1b0, author = {Lawrence Abrams}, title = {{Elusive MegaCortex Ransomware Found - Here is What We Know}}, date = {2019-07-19}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/elusive-megacortex-ransomware-found-here-is-what-we-know/}, language = {English}, urldate = {2020-01-15} } @online{abrams:20190906:lilocked:4042feb, author = {Lawrence Abrams}, title = {{Lilocked Ransomware Actively Targeting Servers and Web Sites}}, date = {2019-09-06}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/lilocked-ransomware-actively-targeting-servers-and-web-sites/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20190911:ryuk:8a18715, author = {Lawrence Abrams}, title = {{Ryuk Related Malware Steals Confidential Military, Financial Files}}, date = {2019-09-11}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ryuk-related-malware-steals-confidential-military-financial-files/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20190917:tflower:31c9072, author = {Lawrence Abrams}, title = {{TFlower Ransomware - The Latest Attack Targeting Businesses}}, date = {2019-09-17}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/tflower-ransomware-the-latest-attack-targeting-businesses/}, language = {English}, urldate = {2019-10-15} } @online{abrams:20191010:nemty:319e3b7, author = {Lawrence Abrams}, title = {{Nemty Ransomware Decryptor Released, Recover Files for Free}}, date = {2019-10-10}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/nemty-ransomware-decryptor-released-recover-files-for-free/}, language = {English}, urldate = {2020-01-09} } @online{abrams:20191025:new:f7feebd, author = {Lawrence Abrams}, title = {{New FuxSocy Ransomware Impersonates the Notorious Cerber}}, date = {2019-10-25}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-fuxsocy-ransomware-impersonates-the-notorious-cerber/}, language = {English}, urldate = {2020-01-13} } @online{abrams:20191105:new:14b4aaf, author = {Lawrence Abrams}, title = {{New Megacortex Ransomware Changes Windows Passwords, Threatens to Publish Data}}, date = {2019-11-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-megacortex-ransomware-changes-windows-passwords-threatens-to-publish-data/}, language = {English}, urldate = {2020-01-07} } @online{abrams:20191121:allied:a3d69d7, author = {Lawrence Abrams}, title = {{Allied Universal Breached by Maze Ransomware, Stolen Data Leaked}}, date = {2019-11-21}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/allied-universal-breached-by-maze-ransomware-stolen-data-leaked/}, language = {English}, urldate = {2020-01-08} } @online{abrams:20191202:facebook:5630b4e, author = {Lawrence Abrams}, title = {{Facebook Ads Manager Targeted by New Info-Stealing Trojan}}, date = {2019-12-02}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/facebook-ads-manager-targeted-by-new-info-stealing-trojan/}, language = {English}, urldate = {2020-02-26} } @online{abrams:20191211:maze:acb23da, author = {Lawrence Abrams}, title = {{Maze Ransomware Behind Pensacola Cyberattack, $1M Ransom Demand}}, date = {2019-12-11}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/maze-ransomware-behind-pensacola-cyberattack-1m-ransom-demand/}, language = {English}, urldate = {2020-01-09} } @online{abrams:20191212:another:77246f4, author = {Lawrence Abrams}, title = {{Another Ransomware Will Now Publish Victims' Data If Not Paid}}, date = {2019-12-12}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/another-ransomware-will-now-publish-victims-data-if-not-paid/}, language = {English}, urldate = {2020-01-05} } @online{abrams:20191215:ryuk:74f6eab, author = {Lawrence Abrams}, title = {{Ryuk Ransomware Likely Behind New Orleans Cyberattack}}, date = {2019-12-15}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-likely-behind-new-orleans-cyberattack/}, language = {English}, urldate = {2020-01-13} } @online{abrams:20191223:fbi:7c11cf8, author = {Lawrence Abrams}, title = {{FBI Issues Alert For LockerGoga and MegaCortex Ransomware}}, date = {2019-12-23}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/fbi-issues-alert-for-lockergoga-and-megacortex-ransomware/}, language = {English}, urldate = {2020-01-08} } @online{abrams:20191224:maze:33a4e28, author = {Lawrence Abrams}, title = {{Maze Ransomware Releases Files Stolen from City of Pensacola}}, date = {2019-12-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/maze-ransomware-releases-files-stolen-from-city-of-pensacola/}, language = {English}, urldate = {2020-02-13} } @online{abrams:20191226:ryuk:acc2284, author = {Lawrence Abrams}, title = {{Ryuk Ransomware Stops Encrypting Linux Folders}}, date = {2019-12-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-stops-encrypting-linux-folders/}, language = {English}, urldate = {2020-01-08} } @online{abrams:20200108:snake:aaf992f, author = {Lawrence Abrams}, title = {{SNAKE Ransomware Is the Next Threat Targeting Business Networks}}, date = {2020-01-08}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/snake-ransomware-is-the-next-threat-targeting-business-networks/}, language = {English}, urldate = {2020-01-12} } @online{abrams:20200109:sodinokibi:c0204cc, author = {Lawrence Abrams}, title = {{Sodinokibi Ransomware Says Travelex Will Pay, One Way or Another}}, date = {2020-01-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-says-travelex-will-pay-one-way-or-another/}, language = {English}, urldate = {2020-01-13} } @online{abrams:20200111:sodinokibi:8fe0ebe, author = {Lawrence Abrams}, title = {{Sodinokibi Ransomware Publishes Stolen Data for the First Time}}, date = {2020-01-11}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-publishes-stolen-data-for-the-first-time/}, language = {English}, urldate = {2020-01-20} } @online{abrams:20200114:ryuk:b2e47fa, author = {Lawrence Abrams}, title = {{Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices}}, date = {2020-01-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/}, language = {English}, urldate = {2020-01-15} } @online{abrams:20200114:united:a309baa, author = {Lawrence Abrams}, title = {{United Nations Targeted With Emotet Malware Phishing Attack}}, date = {2020-01-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/united-nations-targeted-with-emotet-malware-phishing-attack/}, language = {English}, urldate = {2020-01-20} } @online{abrams:20200116:trickbot:ed6fdb3, author = {Lawrence Abrams}, title = {{TrickBot Now Uses a Windows 10 UAC Bypass to Evade Detection}}, date = {2020-01-16}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/trickbot-now-uses-a-windows-10-uac-bypass-to-evade-detection/}, language = {English}, urldate = {2020-01-20} } @online{abrams:20200118:new:4ad3c25, author = {Lawrence Abrams}, title = {{New Jersey Synagogue Suffers Sodinokibi Ransomware Attack}}, date = {2020-01-18}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-jersey-synagogue-suffers-sodinokibi-ransomware-attack/}, language = {English}, urldate = {2020-01-22} } @online{abrams:20200121:bitpylock:ded9871, author = {Lawrence Abrams}, title = {{BitPyLock Ransomware Now Threatens to Publish Stolen Data}}, date = {2020-01-21}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/bitpylock-ransomware-now-threatens-to-publish-stolen-data/}, language = {English}, urldate = {2020-01-22} } @online{abrams:20200123:trickbot:5ca7827, author = {Lawrence Abrams}, title = {{TrickBot Now Steals Windows Active Directory Credentials}}, date = {2020-01-23}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/trickbot-now-steals-windows-active-directory-credentials/}, language = {English}, urldate = {2020-01-27} } @online{abrams:20200124:new:05d5a6a, author = {Lawrence Abrams}, title = {{New Ryuk Info Stealer Targets Government and Military Secrets}}, date = {2020-01-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-ryuk-info-stealer-targets-government-and-military-secrets/}, language = {English}, urldate = {2020-02-03} } @online{abrams:20200128:ragnarok:713a314, author = {Lawrence Abrams}, title = {{Ragnarok Ransomware Targets Citrix ADC, Disables Windows Defender}}, date = {2020-01-28}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ragnarok-ransomware-targets-citrix-adc-disables-windows-defender/}, language = {English}, urldate = {2020-01-28} } @online{abrams:20200129:malware:920dc7e, author = {Lawrence Abrams}, title = {{Malware Tries to Trump Security Software With POTUS Impeachment}}, date = {2020-01-29}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/malware-tries-to-trump-security-software-with-potus-impeachment/}, language = {English}, urldate = {2020-02-03} } @online{abrams:20200130:trickbot:22db786, author = {Lawrence Abrams}, title = {{TrickBot Uses a New Windows 10 UAC Bypass to Launch Quietly}}, date = {2020-01-30}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly/}, language = {English}, urldate = {2020-02-03} } @online{abrams:20200205:mailto:3027008, author = {Lawrence Abrams}, title = {{Mailto (NetWalker) Ransomware Targets Enterprise Networks}}, date = {2020-02-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/mailto-netwalker-ransomware-targets-enterprise-networks/}, language = {English}, urldate = {2020-02-11} } @online{abrams:20200206:ransomware:8b6a606, author = {Lawrence Abrams}, title = {{Ransomware Exploits GIGABYTE Driver to Kill AV Processes}}, date = {2020-02-06}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ransomware-exploits-gigabyte-driver-to-kill-av-processes/}, language = {English}, urldate = {2020-02-13} } @online{abrams:20200213:parallax:9842604, author = {Lawrence Abrams}, title = {{Parallax RAT: Common Malware Payload After Hacker Forums Promotion}}, date = {2020-02-13}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/parallax-rat-common-malware-payload-after-hacker-forums-promotion/}, language = {English}, urldate = {2020-04-01} } @online{abrams:20200225:doppelpaymer:9ca20ab, author = {Lawrence Abrams}, title = {{DoppelPaymer Ransomware Launches Site to Post Victim's Data}}, date = {2020-02-25}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-launches-site-to-post-victims-data/}, language = {English}, urldate = {2020-02-26} } @online{abrams:20200226:sodinokibi:7d730ac, author = {Lawrence Abrams}, title = {{Sodinokibi Ransomware May Tip NASDAQ on Attacks to Hurt Stock Prices}}, date = {2020-02-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-may-tip-nasdaq-on-attacks-to-hurt-stock-prices/}, language = {English}, urldate = {2020-03-02} } @online{abrams:20200302:new:e4cb07c, author = {Lawrence Abrams}, title = {{New PwndLocker Ransomware Targeting U.S. Cities, Enterprises}}, date = {2020-03-02}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-pwndlocker-ransomware-targeting-us-cities-enterprises/}, language = {English}, urldate = {2020-03-02} } @online{abrams:20200303:ransomware:8be6fa7, author = {Lawrence Abrams}, title = {{Ransomware Attackers Use Your Cloud Backups Against You}}, date = {2020-03-03}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ransomware-attackers-use-your-cloud-backups-against-you/}, language = {English}, urldate = {2020-03-04} } @online{abrams:20200304:ryuk:31f2ce0, author = {Lawrence Abrams}, title = {{Ryuk Ransomware Attacked Epiq Global Via TrickBot Infection}}, date = {2020-03-04}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-attacked-epiq-global-via-trickbot-infection/}, language = {English}, urldate = {2020-03-09} } @online{abrams:20200305:pwndlocker:d9b200a, author = {Lawrence Abrams}, title = {{PwndLocker Ransomware Gets Pwned: Decryption Now Available}}, date = {2020-03-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/pwndlocker-ransomware-gets-pwned-decryption-now-available/}, language = {English}, urldate = {2020-03-05} } @online{abrams:20200307:ransomware:f839049, author = {Lawrence Abrams}, title = {{Ransomware Threatens to Reveal Company's 'Dirty' Secrets}}, date = {2020-03-07}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ransomware-threatens-to-reveal-companys-dirty-secrets/}, language = {English}, urldate = {2020-03-11} } @online{abrams:20200317:new:d6fa158, author = {Lawrence Abrams}, title = {{New Nefilim Ransomware Threatens to Release Victims' Data}}, date = {2020-03-17}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-nefilim-ransomware-threatens-to-release-victims-data/}, language = {English}, urldate = {2020-03-19} } @online{abrams:20200319:redline:5966456, author = {Lawrence Abrams}, title = {{RedLine Info-Stealing Malware Spread by Folding@home Phishing}}, date = {2020-03-19}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/redline-info-stealing-malware-spread-by-folding-home-phishing/}, language = {English}, urldate = {2020-03-22} } @online{abrams:20200321:netwalker:5d2936c, author = {Lawrence Abrams}, title = {{Netwalker Ransomware Infecting Users via Coronavirus Phishing}}, date = {2020-03-21}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/netwalker-ransomware-infecting-users-via-coronavirus-phishing/}, language = {English}, urldate = {2020-03-22} } @online{abrams:20200324:three:fb92d03, author = {Lawrence Abrams}, title = {{Three More Ransomware Families Create Sites to Leak Stolen Data}}, date = {2020-03-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/}, language = {English}, urldate = {2020-03-26} } @online{abrams:20200411:sodinokibi:82f9f79, author = {Lawrence Abrams}, title = {{Sodinokibi Ransomware to stop taking Bitcoin to hide money trail}}, date = {2020-04-11}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-to-stop-taking-bitcoin-to-hide-money-trail/}, language = {English}, urldate = {2020-04-26} } @online{abrams:20200418:it:bb2d626, author = {Lawrence Abrams}, title = {{IT services giant Cognizant suffers Maze Ransomware cyber attack}}, date = {2020-04-18}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/it-services-giant-cognizant-suffers-maze-ransomware-cyber-attack/}, language = {English}, urldate = {2020-04-20} } @online{abrams:20200424:bazarbackdoor:86afc50, author = {Lawrence Abrams}, title = {{BazarBackdoor: TrickBot gang’s new stealthy network-hacking malware}}, date = {2020-04-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/bazarbackdoor-trickbot-gang-s-new-stealthy-network-hacking-malware/}, language = {English}, urldate = {2020-05-02} } @online{abrams:20200608:new:c1f97ec, author = {Lawrence Abrams}, title = {{New Avaddon Ransomware launches in massive smiley spam campaign}}, date = {2020-06-08}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-avaddon-ransomware-launches-in-massive-smiley-spam-campaign/}, language = {English}, urldate = {2020-06-10} } @online{abrams:20200622:indiabulls:ce0fcdb, author = {Lawrence Abrams}, title = {{Indiabulls Group hit by CLOP Ransomware, gets 24h leak deadline}}, date = {2020-06-22}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/indiabulls-group-hit-by-clop-ransomware-gets-24h-leak-deadline/}, language = {English}, urldate = {2020-06-23} } @online{abrams:20200626:new:d6e2d17, author = {Lawrence Abrams}, title = {{New Ransom X Ransomware used in Texas TxDOT cyberattack}}, date = {2020-06-26}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/new-ransom-x-ransomware-used-in-texas-txdot-cyberattack/}, language = {English}, urldate = {2020-07-11} } @online{abrams:20200626:ransom:9e453cd, author = {Lawrence Abrams}, title = {{Ransom .exx notes}}, date = {2020-06-26}, organization = {Github (Bleeping)}, url = {https://github.com/Bleeping/Ransom.exx}, language = {English}, urldate = {2020-07-11} } @online{abrams:20200711:trickbot:7e70ad3, author = {Lawrence Abrams}, title = {{TrickBot malware mistakenly warns victims that they are infected}}, date = {2020-07-11}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/trickbot-malware-mistakenly-warns-victims-that-they-are-infected/}, language = {English}, urldate = {2020-07-15} } @online{abrams:20200713:new:a9e2a62, author = {Lawrence Abrams}, title = {{New AgeLocker Ransomware uses Googler's utility to encrypt files}}, date = {2020-07-13}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/new-agelocker-ransomware-uses-googlers-utility-to-encrypt-files/}, language = {English}, urldate = {2020-07-15} } @online{abrams:20200720:emotettrickbot:a8e84d2, author = {Lawrence Abrams}, title = {{Emotet-TrickBot malware duo is back infecting Windows machines}}, date = {2020-07-20}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/emotet-trickbot-malware-duo-is-back-infecting-windows-machines/}, language = {English}, urldate = {2020-07-21} } @online{abrams:20200821:darkside:3ebbc35, author = {Lawrence Abrams}, title = {{DarkSide: New targeted ransomware demands million dollar ransoms}}, date = {2020-08-21}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/darkside-new-targeted-ransomware-demands-million-dollar-ransoms/}, language = {English}, urldate = {2020-08-24} } @online{abrams:20200825:ryuk:fbd5d99, author = {Lawrence Abrams}, title = {{Ryuk successor Conti Ransomware releases data leak site}}, date = {2020-08-25}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/ryuk-successor-conti-ransomware-releases-data-leak-site/}, language = {English}, urldate = {2020-08-26} } @online{abrams:20200826:suncrypt:426964e, author = {Lawrence Abrams}, title = {{SunCrypt Ransomware sheds light on the Maze ransomware cartel}}, date = {2020-08-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/suncrypt-ransomware-sheds-light-on-the-maze-ransomware-cartel/}, language = {English}, urldate = {2020-08-27} } @online{abrams:20200917:maze:81b8c38, author = {Lawrence Abrams}, title = {{Maze ransomware now encrypts via virtual machines to evade detection}}, date = {2020-09-17}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/maze-ransomware-now-encrypts-via-virtual-machines-to-evade-detection/}, language = {English}, urldate = {2020-09-21} } @online{abrams:20200923:agelocker:1826fc8, author = {Lawrence Abrams}, title = {{AgeLocker ransomware targets QNAP NAS devices, steals data}}, date = {2020-09-23}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/agelocker-ransomware-targets-qnap-nas-devices-steals-data/}, language = {English}, urldate = {2020-09-25} } @online{abrams:20200923:government:bf7b212, author = {Lawrence Abrams}, title = {{Government software provider Tyler Technologies hit by ransomware}}, date = {2020-09-23}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/government-software-provider-tyler-technologies-hit-by-ransomware/}, language = {English}, urldate = {2020-10-02} } @online{abrams:20200924:mount:0456f2a, author = {Lawrence Abrams}, title = {{Mount Locker ransomware joins the multi-million dollar ransom game}}, date = {2020-09-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/mount-locker-ransomware-joins-the-multi-million-dollar-ransom-game/}, language = {English}, urldate = {2020-10-02} } @online{abrams:20201016:thunderx:7e8ece8, author = {Lawrence Abrams}, title = {{ThunderX Ransomware rebrands as Ranzy Locker, adds data leak site}}, date = {2020-10-16}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/thunderx-ransomware-rebrands-as-ranzy-locker-adds-data-leak-site/}, language = {English}, urldate = {2020-10-23} } @online{abrams:20201020:barnes:f210b39, author = {Lawrence Abrams}, title = {{Barnes & Noble hit by Egregor ransomware, strange data leaked}}, date = {2020-10-20}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/barnes-and-noble-hit-by-egregor-ransomware-strange-data-leaked/}, language = {English}, urldate = {2020-10-23} } @online{abrams:20201022:french:6d52e19, author = {Lawrence Abrams}, title = {{French IT giant Sopra Steria hit by Ryuk ransomware}}, date = {2020-10-22}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/french-it-giant-sopra-steria-hit-by-ryuk-ransomware/}, language = {English}, urldate = {2020-10-26} } @online{abusech:20130118:feodo:5354db0, author = {abuse.ch}, title = {{Feodo Tracker}}, date = {2013-01-18}, organization = {abuse.ch}, url = {https://feodotracker.abuse.ch/?filter=version_e}, language = {English}, urldate = {2020-01-13} } @online{abusech:2018:feodo:3a9a017, author = {abuse.ch}, title = {{Feodo Tracker}}, date = {2018}, organization = {abuse.ch}, url = {https://feodotracker.abuse.ch/}, language = {English}, urldate = {2019-11-17} } @online{abuseio:20190504:abuseio:d5062ca, author = {Abuse.io}, title = {{Abuse.io Report - Lockergoga}}, date = {2019-05-04}, organization = {Abuse.io}, url = {https://www.abuse.io/lockergoga.txt}, language = {English}, urldate = {2020-01-07} } @online{acalvio:20180613:lateral:ab17115, author = {Team Acalvio}, title = {{Lateral Movement Technique Employed by Hidden Cobra}}, date = {2018-06-13}, organization = {Acalvio}, url = {https://www.acalvio.com/lateral-movement-technique-employed-by-hidden-cobra/}, language = {English}, urldate = {2020-01-13} } @online{accenture:2018:hogfish:4bd6290, author = {Accenture}, title = {{HOGFISH REDLEAVES CAMPAIGN}}, date = {2018}, organization = {Accenture}, url = {http://blog.alyac.co.kr/1853}, language = {English}, urldate = {2020-01-06} } @online{ackerman:20181221:overruled:74ac7b4, author = {Geoff Ackerman and Rick Cole and Andrew Thompson and Alex Orleans and Nick Carr}, title = {{OVERRULED: Containing a Potentially Destructive Adversary}}, date = {2018-12-21}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html}, language = {English}, urldate = {2019-12-20} } @online{ackerman:20190821:taking:3b8daac, author = {Pascal Ackerman}, title = {{Taking a Closer Look at the LookBack Malware Campaign – Part 1}}, date = {2019-08-21}, organization = {Threatgen}, url = {https://threatgen.com/taking-a-closer-look-at-the-lookback-malware-campaign-part-1/}, language = {English}, urldate = {2020-01-13} } @online{acsc:20200523:summary:32bbf2b, author = {Australian Cyber Security Centre (ACSC)}, title = {{Summary of Tradecraft Trends for 2019-20: Tactics, Techniques and Procedures Used to Target Australian Networks}}, date = {2020-05-23}, organization = {Australian Cyber Security Centre}, url = {https://www.cyber.gov.au/threats/summary-of-tradecraft-trends-for-2019-20-tactics-techniques-and-procedures-used-to-target-australian-networks}, language = {English}, urldate = {2020-05-23} } @techreport{acsc:20200618:advisory:ed0f53c, author = {Australian Cyber Security Centre (ACSC)}, title = {{Advisory 2020-008: Copy-Paste Compromises –tactics, techniques and procedures used to target multiple Australian networks}}, date = {2020-06-18}, institution = {Australian Cyber Security Centre}, url = {https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf}, language = {English}, urldate = {2020-06-19} } @online{action09:20181116:c0ld:89e6c06, author = {Action09}, title = {{(C)0ld Case : From Aerospace to China’s interests.}}, date = {2018-11-16}, organization = {CyberThreatIntelligence Blog}, url = {https://cyberthreatintelligenceblog.wordpress.com/2018/11/16/c0ld-case-from-aerospace-to-chinas-interests/}, language = {English}, urldate = {2020-01-07} } @online{actiondan:20180219:intro:0d978b0, author = {ActionDan}, title = {{Intro to Using GScript for Red Teams}}, date = {2018-02-19}, url = {http://lockboxx.blogspot.com/2018/02/intro-to-using-gscript-for-red-teams.html}, language = {English}, urldate = {2019-12-20} } @online{adair:20161109:powerduke:335bceb, author = {Steven Adair}, title = {{PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs}}, date = {2016-11-09}, organization = {Volexity}, url = {https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/}, language = {English}, urldate = {2019-12-24} } @online{adamitis:20181105:persian:5adf8c2, author = {Danny Adamitis and Warren Mercer and Paul Rascagnères and Vitor Ventura and Eric Kuhla}, title = {{Persian Stalker pillages Iranian users of Instagram and Telegram}}, date = {2018-11-05}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2018/11/persian-stalker.html}, language = {English}, urldate = {2019-11-27} } @online{adamitis:20190417:dns:0146532, author = {Danny Adamitis and David Maynor and Warren Mercer and Matthew Olney and Paul Rascagnères}, title = {{DNS Hijacking Abuses Trust In Core Internet Service}}, date = {2019-04-17}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/04/seaturtle.html}, language = {English}, urldate = {2020-01-09} } @online{adamitis:20190520:recent:4bb543f, author = {Danny Adamitis and David Maynor and Kendall McKay}, title = {{Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques}}, date = {2019-05-20}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2019/05/recent-muddywater-associated-blackwater.html}, language = {English}, urldate = {2020-01-07} } @online{adamitis:20190709:sea:62515b8, author = {Danny Adamitis and Paul Rascagnères}, title = {{Sea Turtle Keeps on Swimming}}, date = {2019-07-09}, organization = {Talos Intelligence}, url = {https://blog.talosintelligence.com/2019/07/sea-turtle-keeps-on-swimming.html}, language = {English}, urldate = {2020-06-08} } @online{adamitis:20190911:autumn:8bec4cb, author = {Danny Adamitis and Elizabeth Wharton}, title = {{Autumn Aperture}}, date = {2019-09-11}, organization = {Prevailion}, url = {https://blog.prevailion.com/2019/09/autumn-aperture-report.html}, language = {English}, urldate = {2020-06-08} } @online{adamitis:20200107:summer:637a53f, author = {Danny Adamitis}, title = {{Summer Mirage}}, date = {2020-01-07}, organization = {Prevailion}, url = {https://blog.prevailion.com/2020/01/summer-mirage.html}, language = {English}, urldate = {2020-01-12} } @online{adamitis:20200206:triune:ada8ad3, author = {Danny Adamitis}, title = {{The Triune Threat: MasterMana Returns}}, date = {2020-02-06}, organization = {Prevailion}, url = {https://blog.prevailion.com/2020/02/the-triune-threat-mastermana-returns.html}, language = {English}, urldate = {2020-04-13} } @online{adamitis:20200506:phantom:2a752f7, author = {Danny Adamitis}, title = {{Phantom in the Command Shell}}, date = {2020-05-06}, organization = {Prevailion}, url = {https://blog.prevailion.com/2020/05/phantom-in-command-shell5.html}, language = {English}, urldate = {2020-05-07} } @online{adamitis:20200605:gh0st:849c227, author = {Danny Adamitis}, title = {{The Gh0st Remains the Same}}, date = {2020-06-05}, organization = {Prevailion}, url = {https://blog.prevailion.com/2020/06/the-gh0st-remains-same8.html}, language = {English}, urldate = {2020-06-08} } @online{adamov:20170502:targeted:31454f7, author = {Alexander Adamov}, title = {{Targeted attack against the Ukrainian military}}, date = {2017-05-02}, url = {https://nioguard.blogspot.de/2017/05/targeted-attack-against-ukrainian.html}, language = {English}, urldate = {2019-12-17} } @techreport{adams:20161207:trickbot:fc3427c, author = {Joshua Adams}, title = {{The TrickBot Evolution}}, date = {2016-12-07}, institution = {Botconf}, url = {https://www.botconf.eu/wp-content/uploads/2016/11/2016-LT09-TrickBot-Adams.pdf}, language = {English}, urldate = {2020-01-09} } @online{admin001:20191120:shadow:49b26ff, author = {admin001}, title = {{Shadow of the Circle Hovering Over Central Asia - The Golden Eagle (APT-C-34) Organizing Attack Revealed}}, date = {2019-11-20}, organization = {360}, url = {http://blogs.360.cn/post/APT-C-34_Golden_Falcon.html}, language = {English}, urldate = {2020-01-10} } @techreport{advisory:20200528:sandworm:d509ae5, author = {Cybersecurity Advisory}, title = {{Sandworm Actors Exploiting Vulnerability in EXIM Mail Transfer Agent}}, date = {2020-05-28}, institution = {National Security Agency}, url = {https://media.defense.gov/2020/May/28/2002306626/-1/-1/0/CSA%20Sandworm%20Actors%20Exploiting%20Vulnerability%20in%20Exim%20Transfer%20Agent%2020200528.pdf}, language = {English}, urldate = {2020-05-29} } @online{affairs:20140202:us:872a22b, author = {Office of Public Affairs}, title = {{U.S. Leads Multi-National Action Against “Gameover Zeus” Botnet and “Cryptolocker” Ransomware, Charges Botnet Administrator}}, date = {2014-02-02}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/us-leads-multi-national-action-against-gameover-zeus-botnet-and-cryptolocker-ransomware}, language = {English}, urldate = {2020-01-08} } @online{affairs:20170328:russian:e9c593c, author = {Office of Public Affairs}, title = {{Russian Citizen Pleads Guilty for Involvement in Global Botnet Conspiracy}}, date = {2017-03-28}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/russian-citizen-pleads-guilty-involvement-global-botnet-conspiracy}, language = {English}, urldate = {2020-01-07} } @online{affairs:20180523:justice:806d785, author = {Office of Public Affairs}, title = {{Justice Department Announces Actions to Disrupt Advanced Persistent Threat 28 Botnet of Infected Routers and Network Storage Devices}}, date = {2018-05-23}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected}, language = {English}, urldate = {2020-01-06} } @online{affairs:20180906:north:9b30dd0, author = {Office of Public Affairs}, title = {{North Korean Regime-Backed Programmer Charged With Conspiracy to Conduct Multiple Cyber Attacks and Intrusions}}, date = {2018-09-06}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/north-korean-regime-backed-programmer-charged-conspiracy-conduct-multiple-cyber-attacks-and}, language = {English}, urldate = {2020-01-07} } @online{affairs:20181128:two:9032b25, author = {Office of Public Affairs}, title = {{Two Iranian Men Indicted for Deploying Ransomware to Extort Hospitals, Municipalities, and Public Institutions, Causing Over $30 Million in Losses}}, date = {2018-11-28}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/two-iranian-men-indicted-deploying-ransomware-extort-hospitals-municipalities-and-public}, language = {English}, urldate = {2020-01-08} } @online{affairs:20190213:former:3518c47, author = {Office of Public Affairs}, title = {{Former U.S. Counterintelligence Agent Charged With Espionage on Behalf of Iran; Four Iranians Charged With a Cyber Campaign Targeting Her Former Colleagues}}, date = {2019-02-13}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/former-us-counterintelligence-agent-charged-espionage-behalf-iran-four-iranians-charged-cyber}, language = {English}, urldate = {2019-10-14} } @online{affairs:20190411:two:8ce139a, author = {Office of Public Affairs}, title = {{Two Romanian Cybercriminals Convicted of All 21 Counts Relating to Infecting Over 400,000 Victim Computers with Malware and Stealing Millions of Dollars}}, date = {2019-04-11}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/two-romanian-cybercriminals-convicted-all-21-counts-relating-infecting-over-400000-victim}, language = {English}, urldate = {2019-10-13} } @online{affairs:20190516:goznym:714f938, author = {Office of Public Affairs}, title = {{GozNym Cyber-Criminal Network Operating out of Europe Targeting American Entities Dismantled in International Operation}}, date = {2019-05-16}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/goznym-cyber-criminal-network-operating-out-europe-targeting-american-entities-dismantled}, language = {English}, urldate = {2020-01-08} } @online{agency:20191025:qsnatch:9631c95, author = {Finnish Transport & Communications Agency}, title = {{QSnatch - Malware designed for QNAP NAS devices}}, date = {2019-10-25}, organization = {Finnish Transport & Communications Agency}, url = {https://www.kyberturvallisuuskeskus.fi/en/news/qsnatch-malware-designed-qnap-nas-devices}, language = {English}, urldate = {2020-01-10} } @techreport{agency:20200813:russian:c0ae2d5, author = {National Security Agency and Federal Bureau of Investigation}, title = {{Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware}}, date = {2020-08-13}, institution = {National Security Agency}, url = {https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF}, language = {English}, urldate = {2020-08-14} } @techreport{agency:202008:finspy:9de4cba, author = {Defensive Lab Agency}, title = {{FinSpy Android Technical Analysis}}, date = {2020-08}, institution = {Defensive Lab Agency}, url = {https://raw.githubusercontent.com/DefensiveLabAgency/FinSpy-for-Android/master/20200806_finspy_android_analysis_public_release.pdf}, language = {English}, urldate = {2020-10-02} } @techreport{agency:20201020:chinese:73ad10e, author = {National Security Agency}, title = {{Chinese State-Sponsored Actors Exploit Publicly Known Vulnerabilities}}, date = {2020-10-20}, institution = {National Security Agency}, url = {https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF}, language = {English}, urldate = {2020-10-23} } @online{agman:20200817:uncover:948e868, author = {Yaniv Agman}, title = {{Uncover Malware Payload Executions Automatically with Tracee}}, date = {2020-08-17}, organization = {Aqua}, url = {https://blog.aquasec.com/ebpf-container-tracing-malware-detection}, language = {English}, urldate = {2020-08-21} } @techreport{ahinkaya:20200828:cerberus:5575c7b, author = {Ali Rıza Şahinkaya and Can Atakan Işık and Rıdvan Ethem Canavar}, title = {{Cerberus Banking Trojan Analysis}}, date = {2020-08-28}, institution = {CYBER WISE}, url = {https://www.biznet.com.tr/wp-content/uploads/2020/08/Cerberus.pdf}, language = {English}, urldate = {2020-09-03} } @online{ahinkaya:20200831:cerberus:ecd6606, author = {Ali Rıza Şahinkaya and Can Atakan Işık and Rıdvan Ethem Canavar}, title = {{Cerberus Banking Trojan Research}}, date = {2020-08-31}, organization = {Github (ics-iot-bootcamp)}, url = {https://github.com/ics-iot-bootcamp/cerberus_research}, language = {English}, urldate = {2020-09-21} } @online{ahl:20130807:breaking:aff06e9, author = {Ian Ahl and Tony Lee and Dennis Hanzlik}, title = {{Breaking Down the China Chopper Web Shell - Part I}}, date = {2013-08-07}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html}, language = {English}, urldate = {2019-12-20} } @online{ahl:20170606:privileges:9598d5f, author = {Ian Ahl}, title = {{Privileges and Credentials: Phished at the Request of Counsel}}, date = {2017-06-06}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html}, language = {English}, urldate = {2019-12-20} } @online{ahn:20190304:kimsuky:e84d908, author = {Chang-Yong Ahn}, title = {{Kimsuky}}, date = {2019-03-04}, organization = {AhnLab}, url = {https://www.ahnlab.com/kr/site/securityinfo/secunews/secuNewsView.do?menu_dist=2&curPage=1&seq=28102}, language = {Korean}, urldate = {2019-10-23} } @online{ahnlab:20180330:magniber:5d13799, author = {AhnLab}, title = {{Magniber}}, date = {2018-03-30}, organization = {AhnLab}, url = {http://asec.ahnlab.com/1124}, language = {English}, urldate = {2019-07-09} } @techreport{ahnlab:20180623:full:dced6a4, author = {AhnLab}, title = {{Full Discloser of Andariel, A Subgroup of Lazarus Threat Group}}, date = {2018-06-23}, institution = {AhnLab}, url = {https://global.ahnlab.com/global/upload/download/techreport/[AhnLab]Andariel_a_Subgroup_of_Lazarus%20(3).pdf}, language = {English}, urldate = {2019-12-24} } @techreport{ahnlab:20180625:asec:dcc35cb, author = {AhnLab}, title = {{ASEC Report vol. 91 (2018)}}, date = {2018-06-25}, institution = {AhnLab}, url = {http://image.ahnlab.com/file_upload/asecissue_files/ASEC%20REPORT_vol.91.pdf}, language = {Korean}, urldate = {2020-01-10} } @techreport{ahnlab:20190221:operation:3e3c720, author = {AhnLab}, title = {{Operation Kabar Cobra}}, date = {2019-02-21}, institution = {AhnLab}, url = {http://download.ahnlab.com/kr/site/library/%5bAnalysis_Report%5dOperation_Kabar_Cobra.pdf}, language = {Korean}, urldate = {2019-12-02} } @techreport{ahnlab:20200302:analysis:c0c47c3, author = {AhnLab}, title = {{Analysis Report: MyKings Botnet}}, date = {2020-03-02}, institution = {AhnLab}, url = {http://download.ahnlab.com/kr/site/library/[AhnLab]Analysis%20Report_MyKings%20Botnet.pdf}, language = {Korean}, urldate = {2020-03-04} } @online{ahnlab:20200406:shadow:450342b, author = {AhnLab}, title = {{Shadow Force behind normal certificate reveals seven years}}, date = {2020-04-06}, organization = {AhnLab}, url = {https://www.ahnlab.com/kr/site/securityinfo/secunews/secuNewsView.do?curPage=1&menu_dist=2&seq=29129}, language = {Korean}, urldate = {2020-05-18} } @online{aime:20200323:fin7:66bea6f, author = {Félix Aime and Yury Namestnikov}, title = {{Fin7 APT: how billion dollar crime ring remains active after leaders’ arrest}}, date = {2020-03-23}, organization = {Kaspersky Labs}, url = {https://www.brighttalk.com/webcast/15591/382191/fin7-apt-how-billion-dollar-crime-ring-remains-active-after-leaders-arrest}, language = {English}, urldate = {2020-04-07} } @online{ajjan:20130305:russian:4bb6a48, author = {Anand Ajjan}, title = {{Russian ransomware takes advantage of Windows PowerShell}}, date = {2013-03-05}, organization = {Sophos Naked Security}, url = {https://nakedsecurity.sophos.com/2013/03/05/russian-ransomware-windows-powershell/}, language = {English}, urldate = {2020-01-27} } @techreport{akamai:20160404:threat:14239df, author = {Akamai}, title = {{Threat Advisory: “BillGates” Botnet}}, date = {2016-04-04}, institution = {Akamai}, url = {https://www.akamai.com/kr/ko/multimedia/documents/state-of-the-internet/bill-gates-botnet-threat-advisory.pdf}, language = {English}, urldate = {2020-01-07} } @techreport{akamai:20161001:kaitenstd:40de1e6, author = {Akamai}, title = {{Kaiten/STD router DDoS Malware}}, date = {2016-10-01}, institution = {Akamai}, url = {https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/kaiten-std-router-ddos-malware-threat-advisory.pdf}, language = {English}, urldate = {2020-01-08} } @techreport{akamei:20171016:upnproxy:044596d, author = {Akamei}, title = {{UPnProxy: Blackhat Proxies via NAT Injections}}, date = {2017-10-16}, institution = {Akamai}, url = {https://www.akamai.com/uk/en/multimedia/documents/white-paper/upnproxy-blackhat-proxies-via-nat-injections-white-paper.pdf}, language = {English}, urldate = {2019-12-10} } @online{albassam:20160816:equation:e185e6b, author = {Mustafa Al-Bassam}, title = {{Equation Group firewall operations catalogue}}, date = {2016-08-16}, url = {https://musalbas.com/blog/2016/08/16/equation-group-firewall-operations-catalogue.html}, language = {English}, urldate = {2019-11-20} } @online{albors:20151216:nemucod:b1c1305, author = {Josep Albors}, title = {{Nemucod malware spreads ransomware Teslacrypt around the world}}, date = {2015-12-16}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2015/12/16/nemucod-malware-spreads-ransomware-teslacrypt-around-world/}, language = {English}, urldate = {2019-11-14} } @online{alert:20191203:threat:f7b8cb6, author = {Red Alert}, title = {{THREAT ACTOR TARGETING HONG KONG PRO-DEMOCRACY FIGURES}}, date = {2019-12-03}, organization = {NSHC}, url = {https://redalert.nshc.net/2019/12/03/threat-actor-targeting-hong-kong-activists}, language = {English}, urldate = {2020-06-03} } @techreport{alert:201912:cybercrime:b12d39c, author = {Visa Security Alert}, title = {{Cybercrime Groups (FIN8) Targeting Fuel Dispenser Merchants}}, date = {2019-12}, institution = {VISA}, url = {https://usa.visa.com/dam/VCOM/global/support-legal/documents/cybercrime-groups-targeting-fuel-dispenser-merchants.pdf}, language = {English}, urldate = {2020-07-23} } @techreport{alert:202008:baka:586781b, author = {Visa Security Alert}, title = {{‘Baka’ JavaScript Skimmer Identified}}, date = {2020-08}, institution = {VISA}, url = {https://usa.visa.com/content/dam/VCOM/global/support-legal/documents/visa-security-alert-baka-javascript-skimmer.pdf}, language = {English}, urldate = {2020-09-06} } @techreport{alert:20200925:visa:3bac371, author = {Visa Security Alert}, title = {{Visa Security Alert: New Malware Samples identified in Point-of-Sale Compromises}}, date = {2020-09-25}, institution = {VISA}, url = {https://usa.visa.com/dam/VCOM/global/support-legal/documents/new-pos-malware-samples.pdf}, language = {English}, urldate = {2020-10-05} } @online{alexuiop1337:20190731:github:215c261, author = {Alexuiop1337}, title = {{Github Repository for SoranoStealer}}, date = {2019-07-31}, organization = {Github (Alexuiop1337)}, url = {https://github.com/Alexuiop1337/SoranoStealer}, language = {English}, urldate = {2020-01-06} } @online{algayar:20171224:lilyofthevalley:40d90c1, author = {Mustapha Algayar}, title = {{LilyOfTheValley Repository}}, date = {2017-12-24}, organization = {Github (LilyOfTheValley)}, url = {https://github.com/En14c/LilyOfTheValley}, language = {English}, urldate = {2020-01-10} } @online{alguacil:201911:vb2019:a565e76, author = {Alexandre Mundo Alguacil and John Fokker}, title = {{VB2019 paper: Different ways to cook a crab: GandCrab ransomware-as-a-service (RaaS) analysed in depth}}, date = {2019-11}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2019/11/vb2019-paper-different-ways-cook-crab-gandcrab-ransomware-service-raas-analysed-indepth/}, language = {English}, urldate = {2020-01-08} } @online{alienvault:20190801:hexane:3d63fd0, author = {AlienVault}, title = {{Hexane Targeting Oil and Gas}}, date = {2019-08-01}, organization = {AlienVault OTX}, url = {https://otx.alienvault.com/pulse/5d4301edb3f3406ac01acc0f}, language = {English}, urldate = {2019-11-28} } @online{alintanahin:20140702:kivars:4fe6877, author = {Kervin Alintanahin and Ronnie Giagone}, title = {{KIVARS With Venom: Targeted Attacks Upgrade with 64-bit “Support”}}, date = {2014-07-02}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/kivars-with-venom-targeted-attacks-upgrade-with-64-bit-support/}, language = {English}, urldate = {2020-06-19} } @techreport{alintanahin:20150513:operation:a90911a, author = {Kervin Alintanahin}, title = {{Operation Tropic Trooper}}, date = {2015-05-13}, institution = {Trend Micro}, url = {http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-tropic-trooper.pdf}, language = {English}, urldate = {2020-01-06} } @online{allievi:20141028:threat:a302fbd, author = {Andrea Allievi and Douglas Goddard and Shaun Hurley and Alain Zidouemba}, title = {{Threat Spotlight: Group 72, Opening the ZxShell}}, date = {2014-10-28}, organization = {Cisco}, url = {https://blogs.cisco.com/security/talos/opening-zxshell}, language = {English}, urldate = {2019-10-15} } @online{allievi:20150320:threat:2f200b6, author = {Andrea Allievi and Ben Baker and Nick Biasini and JJ Cummings and Douglas Goddard and William Largent and Angel Villegas and Alain Zidouemba}, title = {{Threat Spotlight: PoSeidon, A Deep Dive Into Point of Sale Malware}}, date = {2015-03-20}, organization = {Cisco Talos}, url = {https://blogs.cisco.com/security/talos/poseidon}, language = {English}, urldate = {2020-01-13} } @online{allievi:20150427:threat:3754b13, author = {Andrea Allievi and Earl Carter and Emmanuel Tacheau}, title = {{Threat Spotlight: TeslaCrypt – Decrypt It Yourself}}, date = {2015-04-27}, organization = {Cisco Talos}, url = {https://blogs.cisco.com/security/talos/teslacrypt}, language = {English}, urldate = {2019-10-15} } @online{alonso:20170224:hunting:073d36e, author = {Angel Alonso}, title = {{Hunting Retefe with Splunk - some interesting points}}, date = {2017-02-24}, organization = {Some stuff about security.. Blog}, url = {http://blog.angelalonso.es/2017/02/hunting-retefe-with-splunk-some24.html}, language = {English}, urldate = {2020-01-06} } @online{alonsoparrizas:20151028:reversing:92cdf4f, author = {Angel Alonso-Parrizas}, title = {{Reversing the C2C HTTP Emmental communication}}, date = {2015-10-28}, url = {http://blog.angelalonso.es/2015/10/reversing-c2c-http-emmental.html}, language = {English}, urldate = {2019-12-05} } @online{alonsoparrizas:20151103:reversing:762708a, author = {Angel Alonso-Parrizas}, title = {{Reversing the SMS C&C protocol of Emmental (1st part - understanding the code)}}, date = {2015-11-03}, url = {http://blog.angelalonso.es/2015/11/reversing-sms-c-protocol-of-emmental.html}, language = {English}, urldate = {2019-10-14} } @techreport{alperovitch:20140224:art:df5650c, author = {Dmitri Alperovitch}, title = {{The Art of Attribution Identifying and Pursuing your Cyber Adversaries}}, date = {2014-02-24}, institution = {RSA Conference}, url = {https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf}, language = {English}, urldate = {2020-04-06} } @online{alperovitch:20140707:deep:63e59f7, author = {Dmitri Alperovitch}, title = {{Deep in Thought: Chinese Targeting of National Security Think Tanks}}, date = {2014-07-07}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/deep-thought-chinese-targeting-national-security-think-tanks/}, language = {English}, urldate = {2019-12-20} } @online{alperovitch:20141014:crowdstrike:9be6684, author = {Dmitri Alperovitch}, title = {{CrowdStrike Discovers Use of 64-bit Zero-Day Privilege Escalation Exploit (CVE-2014-4113) by Hurricane Panda}}, date = {2014-10-14}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/}, language = {English}, urldate = {2020-06-03} } @online{alperovitch:20150413:cyber:93796f8, author = {Dmitri Alperovitch}, title = {{Cyber Deterrence in Action? A story of one long HURRICANE PANDA campaign}}, date = {2015-04-13}, organization = {CrowdStrike}, url = {http://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/}, language = {English}, urldate = {2019-12-20} } @online{alperovitch:20150413:cyber:9cee61c, author = {Dmitri Alperovitch}, title = {{Cyber Deterrence in Action? A story of one long HURRICANE PANDA campaign}}, date = {2015-04-13}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/}, language = {English}, urldate = {2020-06-03} } @online{alperovitch:20160615:bears:604c1d9, author = {Dmitri Alperovitch}, title = {{Bears in the Midst: Intrusion into the Democratic National Committee}}, date = {2016-06-15}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/}, language = {English}, urldate = {2019-12-20} } @online{altheide:20201021:media:fce4b18, author = {Cory Altheide and DAnon and Sam S. and Proofpoint Threat Research Team}, title = {{Media Coverage Doesn’t Deter Actor From Threatening Democratic Voters}}, date = {2020-10-21}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/media-coverage-doesnt-deter-actor-threatening-democratic-voters}, language = {English}, urldate = {2020-10-26} } @online{alvares:20200622:comparative:270905b, author = {Marcos Alvares}, title = {{Comparative analysis between Bindiff and Diaphora - Patched Smokeloader Study Case}}, date = {2020-06-22}, organization = {security.neurolabs}, url = {http://security.neurolabs.club/2020/04/diffing-malware-samples-using-bindiff.html}, language = {English}, urldate = {2020-06-24} } @online{alvarez:20121203:compromised:1e6dcb7, author = {Raul Alvarez}, title = {{Compromised library}}, date = {2012-12-03}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2012/12/compromised-library}, language = {English}, urldate = {2019-12-17} } @online{alvarez:20140718:birds:9f9e509, author = {Raul Alvarez}, title = {{Bird's nest}}, date = {2014-07-18}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2014/08/bird-s-nest}, language = {English}, urldate = {2019-11-28} } @online{alyac:20190131:lazarus:bbb47f8, author = {Alyac}, title = {{Lazarus APT Organization Attacks with Operation Extreme Job}}, date = {2019-01-31}, organization = {ESTsecurity}, url = {https://blog.alyac.co.kr/2105}, language = {Korean}, urldate = {2019-10-21} } @online{alyac:20190327:lazarus:2172304, author = {Alyac}, title = {{라자루스(Lazarus) 그룹, 이스라엘 군수업체 대상 APT 역습}}, date = {2019-03-27}, url = {https://blog.alyac.co.kr/m/2219}, language = {Korean}, urldate = {2020-07-15} } @online{alyac:20190327:lazarus:df092d7, author = {Alyac}, title = {{Lazarus Group APT Counterattack Against Israeli Military}}, date = {2019-03-27}, organization = {ESTsecurity}, url = {https://blog.alyac.co.kr/2219}, language = {Korean}, urldate = {2020-06-29} } @online{alyac:20190610:special:f4e2a26, author = {Alyac}, title = {{[Special Report] APT Campaign 'Konni' & 'Kimsuky' Organizations Found in Common}}, date = {2019-06-10}, organization = {ESTsecurity}, url = {https://blog.alyac.co.kr/2347}, language = {Korean}, urldate = {2020-03-17} } @online{alyac:20190627:lazarus:9afc51d, author = {Alyac}, title = {{Lazarus APT Group attacks with a malicious '진실겜.xls' via the Telegram messenger}}, date = {2019-06-27}, organization = {ESTsecurity}, url = {https://blog.alyac.co.kr/2388}, language = {Korean}, urldate = {2020-03-17} } @techreport{alyac:20200330:spy:e23215b, author = {Alyac}, title = {{The 'Spy Cloud' Operation: Geumseong121 group carries out the APT attack disguising the evidence of North Korean defection}}, date = {2020-03-30}, institution = {EST Security}, url = {https://blog.alyac.co.kr/attachment/cfile8.uf@9977CF405E81A09B1C4CE2.pdf}, language = {English}, urldate = {2020-04-07} } @online{alyac:20200725:special:ca84b90, author = {Alyac}, title = {{[Special Report] Thallium Group sued by Microsoft in the US, threatens 'Fake Striker' APT campaign against South Korea}}, date = {2020-07-25}, organization = {ESTsecurity}, url = {https://blog.alyac.co.kr/3120}, language = {Korean}, urldate = {2020-07-30} } @online{alyac:20201016:thallium:aff8d61, author = {Alyac}, title = {{탈륨조직의 국내 암호화폐 지갑 펌웨어로 위장한 다차원 APT 공격 분석출처 ( THALLIUM)}}, date = {2020-10-16}, organization = {Alyac}, url = {https://blog.alyac.co.kr/3310}, language = {Korean}, urldate = {2020-10-23} } @online{alyushin:20150914:shade:3558938, author = {Victor Alyushin and Fedor Sinitsyn}, title = {{The Shade Encryptor: a Double Threat}}, date = {2015-09-14}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-shade-encryptor-a-double-threat/72087/}, language = {English}, urldate = {2019-12-20} } @online{amawaka:20200310:apt40:2199052, author = {Asuna Amawaka}, title = {{APT40 goes from Template Injections to OLE-Linkings for payload delivery}}, date = {2020-03-10}, organization = {insomniacs(Medium)}, url = {https://medium.com/insomniacs/apt40-goes-from-template-injections-to-ole-linkings-for-payload-delivery-99eb43170a97}, language = {English}, urldate = {2020-04-16} } @online{amawaka:20200315:dad:5cad035, author = {Asuna Amawaka}, title = {{Dad! There’s A Rat In Here!}}, date = {2020-03-15}, organization = {insomniacs(Medium)}, url = {https://medium.com/insomniacs/dad-theres-a-rat-in-here-e3729b65bf7a}, language = {English}, urldate = {2020-04-16} } @online{amawaka:20200506:shadows:889fc47, author = {Asuna Amawaka}, title = {{Shadows with a chance of BlackNix}}, date = {2020-05-06}, organization = {Medium Asuna Amawaka}, url = {https://medium.com/insomniacs/shadows-with-a-chance-of-blacknix-badc0f2f41cb}, language = {English}, urldate = {2020-06-12} } @online{amr:20190410:project:460b6e5, author = {AMR and GReAT}, title = {{Project TajMahal – a sophisticated new APT framework}}, date = {2019-04-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/project-tajmahal/90240/}, language = {English}, urldate = {2019-12-20} } @online{amr:20190925:ransomware:ec80bad, author = {AMR}, title = {{Ransomware: two pieces of good news}}, date = {2019-09-25}, organization = {Kaspersky Labs}, url = {https://securelist.com/ransomware-two-pieces-of-good-news/93355/}, language = {English}, urldate = {2020-01-08} } @online{amr:20191101:chrome:4c689f4, author = {AMR and GReAT}, title = {{Chrome 0-day exploit CVE-2019-13720 used in Operation WizardOpium}}, date = {2019-11-01}, organization = {Kaspersky Labs}, url = {https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/}, language = {English}, urldate = {2020-01-08} } @online{amr:20191210:windows:1a5c25d, author = {AMR and GReAT}, title = {{Windows 0-day exploit CVE-2019-1458 used in Operation WizardOpium}}, date = {2019-12-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/windows-0-day-exploit-cve-2019-1458-used-in-operation-wizardopium/95432}, language = {English}, urldate = {2020-05-05} } @online{amr:20200305:mokes:698295f, author = {AMR}, title = {{Mokes and Buerak distributed under the guise of security certificates}}, date = {2020-03-05}, organization = {Kaspersky Labs}, url = {https://securelist.com/mokes-and-buerak-distributed-under-the-guise-of-security-certificates/96324/}, language = {English}, urldate = {2020-03-09} } @online{analysis:20170314:rig:56f3334, author = {Broad Analysis}, title = {{Rig Exploit Kit via the EiTest delivers CryptoShield/REVENGE ransomware}}, date = {2017-03-14}, organization = {Broad Analysis}, url = {http://www.broadanalysis.com/2017/03/14/rig-exploit-kit-via-the-eitest-delivers-cryptoshieldrevenge-ransomware/}, language = {English}, urldate = {2020-01-07} } @online{analysis:20190412:rig:0230572, author = {Analysis}, title = {{Rig Exploit Kit delivers Bunitu Malware}}, date = {2019-04-12}, organization = {BroadAnalysis}, url = {https://broadanalysis.com/2019/04/12/rig-exploit-kit-delivers-bunitu-malware/}, language = {English}, urldate = {2020-01-10} } @online{anand:20200521:blox:14090c1, author = {Chetan Anand}, title = {{Blox Tales #6: Subpoena-Themed Phishing With CAPTCHA Redirect}}, date = {2020-05-21}, organization = {Armorblox}, url = {https://www.armorblox.com/blog/blox-tales-6-subpoena-themed-phishing-with-captcha-redirect/}, language = {English}, urldate = {2020-05-23} } @online{anbalagan:20200605:new:9f3abf8, author = {Gayathri Anbalagan}, title = {{New Campaign Abusing StackBlitz Tool to Host Phishing Pages}}, date = {2020-06-05}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/new-campaign-abusing-stackblitz-tool-host-phishing-pages}, language = {English}, urldate = {2020-08-05} } @online{ancel:20150930:when:ed6915f, author = {Benoît Ancel}, title = {{When ELF.BillGates met Windows}}, date = {2015-09-30}, organization = {ThisIsSecurity}, url = {https://thisissecurity.stormshield.com/2015/09/30/when-elf-billgates-met-windows/}, language = {English}, urldate = {2020-01-13} } @online{ancel:20161020:nexter91:909eaee, author = {Benoît Ancel}, title = {{Tweet on nexter91 Panel}}, date = {2016-10-20}, organization = {Twitter (@benkow_)}, url = {https://twitter.com/benkow_/status/789006720668405760}, language = {English}, urldate = {2020-01-07} } @online{ancel:20170227:spambot:b40e584, author = {Benoît Ancel}, title = {{Spambot safari #2 - Online Mail System}}, date = {2017-02-27}, organization = {Benkow Lab}, url = {https://benkowlab.blogspot.fr/2017/02/spambot-safari-2-online-mail-system.html}, language = {English}, urldate = {2020-01-09} } @online{ancel:20170816:quick:e3a37c1, author = {Benoît Ancel}, title = {{Quick look at another Alina fork: XBOT-POS}}, date = {2017-08-16}, organization = {Benkow Lab}, url = {https://benkowlab.blogspot.de/2017/08/quick-look-at-another-alina-fork-xbot.html}, language = {English}, urldate = {2020-01-10} } @online{ancel:20170829:from:7ef6dac, author = {Benoît Ancel}, title = {{From Onliner Spambot to millions of email's lists and credentials}}, date = {2017-08-29}, organization = {Benkow Lab}, url = {https://benkowlab.blogspot.com/2017/08/from-onliner-spambot-to-millions-of.html}, language = {English}, urldate = {2020-01-06} } @online{ancel:20190607:zeusaction:5977152, author = {Benoît Ancel}, title = {{Tweet on ZeusAction hashes}}, date = {2019-06-07}, organization = {Twitter (@benkow_)}, url = {https://twitter.com/benkow_/status/1136983062699487232}, language = {English}, urldate = {2020-01-06} } @techreport{ancel:2019:dreambot:e29023e, author = {Benoît Ancel and Peter Kruse}, title = {{Dreambot Business overview 2019}}, date = {2019}, institution = {CSIS}, url = {http://benkow.cc/DreambotSAS19.pdf}, language = {English}, urldate = {2019-12-10} } @online{ancel:20200207:installcapital:23b3760, author = {Benoît Ancel}, title = {{InstallCapital — When AdWare Becomes Pay-per-Install Cyber-Crime}}, date = {2020-02-07}, organization = {Medium CSIS Techblog}, url = {https://medium.com/csis-techblog/installcapital-when-adware-becomes-pay-per-install-cyber-crime-15516249a451}, language = {English}, urldate = {2020-02-09} } @online{ancel:20200501:end:939414e, author = {Benoît Ancel}, title = {{The end of Dreambot? Obituary for a loved piece of Gozi.}}, date = {2020-05-01}, organization = {CSIS}, url = {https://medium.com/csis-techblog/the-end-of-dreambot-a-loved-piece-of-gozi-24cc9bfc8122}, language = {English}, urldate = {2020-05-05} } @online{anderson:20170612:bahamut:9810646, author = {Collin Anderson}, title = {{Bahamut, Pursuing a Cyber Espionage Actor in the Middle East}}, date = {2017-06-12}, organization = {Bellingcat}, url = {https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/}, language = {English}, urldate = {2020-01-13} } @online{anderson:20171027:bahamut:e17abf8, author = {Collin Anderson}, title = {{Bahamut Revisited, More Cyber Espionage in the Middle East and South Asia}}, date = {2017-10-27}, organization = {Bellingcat}, url = {https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/}, language = {English}, urldate = {2020-01-06} } @online{anderson:20180104:irans:dcad15c, author = {Collin Anderson and Karim Sadjapour}, title = {{Iran’s Cyber Ecosystem: Who Are the Threat Actors?}}, date = {2018-01-04}, organization = {Carnegie Endowment for International Peace}, url = {https://carnegieendowment.org/2018/01/04/iran-s-cyber-ecosystem-who-are-threat-actors-pub-75140}, language = {English}, urldate = {2020-04-25} } @online{anderson:20180703:iranian:8f4a4d5, author = {Collin Anderson}, title = {{Tweet on Iranian Malware}}, date = {2018-07-03}, organization = {Twitter (@CDA)}, url = {https://twitter.com/CDA/status/1014144988454772736}, language = {English}, urldate = {2020-09-21} } @online{anderson:20200820:revealing:7a1da00, author = {Chad Anderson}, title = {{Revealing REvil Ransomware With DomainTools and Maltego}}, date = {2020-08-20}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/revealing-revil-ransomware-with-domaintools-and-maltego}, language = {English}, urldate = {2020-08-24} } @online{andonov:20151207:thriving:196c5eb, author = {Dimiter Andonov and William Ballenthin and Nalani Fraser and Will Matson and Jay Taylor}, title = {{Thriving Beyond The Operating System: Financial Threat Group Targets Volume Boot Record}}, date = {2015-12-07}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2015/12/fin1-targets-boot-record.html}, language = {English}, urldate = {2020-04-21} } @online{andrewjess:20191213:python:8af049c, author = {@AndrewJess}, title = {{Стиллер паролей на python с отправкой на почту}}, date = {2019-12-13}, url = {https://habr.com/en/sandbox/135410/}, language = {Russian}, urldate = {2020-03-04} } @techreport{andriesse:201310:highly:bc65090, author = {Dennis Andriesse and Christian Rossow and Brett Stone-Gross and Daniel Plohmann and Herbert Bos}, title = {{Highly Resilient Peer-to-Peer Botnets Are Here: An Analysis of Gameover Zeus}}, date = {2013-10}, institution = {MALWARE Conference}, url = {http://www.syssec-project.eu/m/page-media/3/zeus_malware13.pdf}, language = {English}, urldate = {2020-01-08} } @online{ang:20180426:necurs:83d08fc, author = {Miguel Ang}, title = {{Necurs Evolves to Evade Spam Detection via Internet Shortcut File}}, date = {2018-04-26}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/necurs-evolves-to-evade-spam-detection-via-internet-shortcut-file/}, language = {English}, urldate = {2020-01-10} } @online{ang:20200428:loki:169b27e, author = {Miguel Ang}, title = {{Loki Info Stealer Propagates through LZH Files}}, date = {2020-04-28}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/loki-info-stealer-propagates-through-lzh-files}, language = {English}, urldate = {2020-08-14} } @online{anishell:20110603:anishell:6870af0, author = {Ani-Shell}, title = {{Ani-Shell}}, date = {2011-06-03}, organization = {Sourceforge}, url = {http://ani-shell.sourceforge.net/}, language = {English}, urldate = {2020-01-13} } @techreport{anomali:20171102:country:853fdd8, author = {Anomali}, title = {{Country Profile: Russian Federation}}, date = {2017-11-02}, institution = {Anomali}, url = {https://www.anomali.com/files/white-papers/russian-federation-country-profile.pdf}, language = {English}, urldate = {2020-09-23} } @online{anonymous:20170210:rebranding:877e1bd, author = {Anonymous}, title = {{Rebranding iSpy Keylogger: Gear Informer}}, date = {2017-02-10}, organization = {Wapack Labs}, url = {https://wapacklabs.blogspot.ch/2017/02/rebranding-ispy-keylogger-gear-informer.html}, language = {English}, urldate = {2020-01-07} } @techreport{anssi:20190326:informations:7965c3d, author = {ANSSI}, title = {{INFORMATIONS CONCERNANTLES RANÇONGICIELSLOCKERGOGA ET RYUK}}, date = {2019-03-26}, institution = {ANSSI}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-ACT-005.pdf}, language = {French}, urldate = {2020-01-10} } @techreport{anssi:20200129:tat:3d59e6e, author = {ANSSI}, title = {{État de la menace rançongiciel}}, date = {2020-01-29}, institution = {ANSSI}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf}, language = {English}, urldate = {2020-02-03} } @online{antenucci:20190327:psixbot:9e1a258, author = {Stefano Antenucci and Antonio Parata}, title = {{PsiXBot: The Evolution Of A Modular .NET Bot}}, date = {2019-03-27}, organization = {Fox-IT}, url = {https://blog.fox-it.com/2019/03/27/psixbot-the-evolution-of-a-modular-net-bot/}, language = {English}, urldate = {2019-10-12} } @online{antil:20190912:innfirat:22e8987, author = {Sahil Antil and Rohit Chaturvedi}, title = {{InnfiRAT: A new RAT aiming for your cryptocurrency and more}}, date = {2019-09-12}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/innfirat-new-rat-aiming-your-cryptocurrency-and-more}, language = {English}, urldate = {2020-01-10} } @online{antivirnews:20110120:beschreibung:678e455, author = {antivirnews}, title = {{Beschreibung des Virus Backdoor.Win32. Buterat.afj}}, date = {2011-01-20}, url = {http://antivirnews.blogspot.com/2011/01/backdoorwin32-buteratafj.html}, language = {Russian}, urldate = {2020-01-10} } @online{anton:20200602:hunting:5aa320f, author = {Anton}, title = {{Hunting Malicious Macros}}, date = {2020-06-02}, organization = {Pwntario Blog}, url = {https://blog.pwntario.com/team-posts/antons-posts/hunting-malicious-macros#first}, language = {English}, urldate = {2020-06-03} } @online{anubhav:20160923:hancitor:220140e, author = {Ankit Anubhav and Dileep Kumar Jallepalli}, title = {{Hancitor (AKA Chanitor) observed using multiple attack approaches}}, date = {2016-09-23}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2016/09/hancitor_aka_chanit.html}, language = {English}, urldate = {2019-12-20} } @online{anubhav:20180718:huawai:e28ad1e, author = {Ankit Anubhav}, title = {{Tweet on Huawai Router Hacker Anarchy}}, date = {2018-07-18}, organization = {Twitter (@anit_anubhav)}, url = {https://twitter.com/ankit_anubhav/status/1019647993547550720}, language = {English}, urldate = {2020-01-13} } @techreport{anubislabs:20151015:dridex:4dafca8, author = {AnubisLabs}, title = {{Dridex: Chasing a botnet from the inside}}, date = {2015-10-15}, institution = {BitSight}, url = {https://cdn2.hubspot.net/hubfs/507516/ANB_MIR_Dridex_PRv7_final.pdf}, language = {English}, urldate = {2020-08-06} } @online{anurag:20200405:trojan:2bb6584, author = {Anurag}, title = {{Trojan Agent Tesla – Malware Analysis}}, date = {2020-04-05}, organization = {MalwrAnalysis}, url = {https://malwr-analysis.com/2020/04/05/trojan-agent-tesla-malware-analysis/}, language = {English}, urldate = {2020-04-08} } @online{anurag:20200622:njrat:381c066, author = {Anurag}, title = {{njRat Malware Analysis}}, date = {2020-06-22}, url = {https://malwr-analysis.com/2020/06/21/njrat-malware-analysis/}, language = {English}, urldate = {2020-06-22} } @online{anxin:20190116:latest:60776ef, author = {Qi Anxin}, title = {{Latest Target Attack of DarkHydruns Group Against Middle East}}, date = {2019-01-16}, organization = {360.cn}, url = {https://ti.360.net/blog/articles/latest-target-attack-of-darkhydruns-group-against-middle-east-en/}, language = {English}, urldate = {2019-12-15} } @online{anyrun:20180208:anyrun:611fc13, author = {ANY.RUN}, title = {{ANY.RUN analysis of MBRLock}}, date = {2018-02-08}, organization = {ANY.RUN}, url = {https://app.any.run/tasks/0a7e643f-7562-4575-b8a5-747bd6b5f02d}, language = {English}, urldate = {2020-01-13} } @online{anyrun:20180321:bandios:cd8a14c, author = {ANY.RUN}, title = {{Tweet on Bandios / Colony}}, date = {2018-03-21}, organization = {Twitter (@anyrun_app)}, url = {https://twitter.com/anyrun_app/status/976385355384590337}, language = {English}, urldate = {2020-01-07} } @online{anyrun:20190719:anyrun:890dfc0, author = {ANY.RUN}, title = {{ANY.RUN analysis on URL}}, date = {2019-07-19}, organization = {ANY.RUN}, url = {https://app.any.run/tasks/ea024149-8e83-41c0-b0ed-32ec38dea4a6/}, language = {English}, urldate = {2020-01-08} } @online{anyrun:20190924:anyrun:649c085, author = {ANY.RUN}, title = {{ANY.RUN analysis on unidentified sample}}, date = {2019-09-24}, organization = {ANY.RUN}, url = {https://app.any.run/tasks/4e48bcbf-015b-4a57-bb98-50f9531ff37a}, language = {English}, urldate = {2020-01-13} } @online{apra:20200929:cobaltstrikescan:ab5f221, author = {Apra}, title = {{CobaltStrikeScan}}, date = {2020-09-29}, organization = {Github (Apr4h)}, url = {https://github.com/Apr4h/CobaltStrikeScan}, language = {English}, urldate = {2020-10-05} } @online{aprozper:20180322:ghostminer:711cbd2, author = {Asaf Aprozper and Gal Bitensky}, title = {{GhostMiner: Cryptomining Malware Goes Fileless}}, date = {2018-03-22}, organization = {Minerva}, url = {https://blog.minerva-labs.com/ghostminer-cryptomining-malware-goes-fileless}, language = {English}, urldate = {2020-01-07} } @online{aprozper:20190128:azorult:78563e2, author = {Asaf Aprozper and Gal Bitensky}, title = {{AZORult: Now, as A Signed “Google Update”}}, date = {2019-01-28}, organization = {Minerva Labs}, url = {https://blog.minerva-labs.com/azorult-now-as-a-signed-google-update}, language = {English}, urldate = {2019-12-04} } @online{apvrille:20170315:teardown:76fb758, author = {Axelle Apvrille}, title = {{Teardown of a Recent Variant of Android/Ztorg (Part 1)}}, date = {2017-03-15}, organization = {Fortinet}, url = {https://blog.fortinet.com/2017/03/15/teardown-of-a-recent-variant-of-android-ztorg-part-1}, language = {English}, urldate = {2019-12-10} } @online{apvrille:20170315:teardown:e3c30e6, author = {Axelle Apvrille}, title = {{Teardown of Android/Ztorg (Part 2)}}, date = {2017-03-15}, organization = {Fortinet}, url = {http://blog.fortinet.com/2017/03/08/teardown-of-android-ztorg-part-2}, language = {English}, urldate = {2019-12-24} } @online{apvrille:20200918:locating:56e0b57, author = {Axelle Apvrille}, title = {{Locating the Trojan inside an infected COVID-19 contact tracing app}}, date = {2020-09-18}, organization = {Medium cryptax}, url = {https://medium.com/@cryptax/locating-the-trojan-inside-an-infected-covid-19-contact-tracing-app-21e23f90fbfe}, language = {English}, urldate = {2020-09-25} } @online{apvrille:20200925:into:cf7b514, author = {Axelle Apvrille}, title = {{Into Android Meterpreter and how the malware launches it - part 2}}, date = {2020-09-25}, organization = {Medium cryptax}, url = {https://medium.com/@cryptax/into-android-meterpreter-and-how-the-malware-launches-it-part-2-ef5aad2ebf12}, language = {English}, urldate = {2020-09-25} } @online{aquilino:20130715:signed:013bd1d, author = {Broderick Aquilino}, title = {{Signed Mac Malware Using Right-to-Left Override Trick}}, date = {2013-07-15}, organization = {F-Secure}, url = {https://archive.f-secure.com/weblog/archives/00002576.html}, language = {English}, urldate = {2020-05-19} } @online{aquino:20140306:siesta:9a574bc, author = {Maharlito Aquino}, title = {{The Siesta Campaign: A New Targeted Attack Awakens}}, date = {2014-03-06}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/the-siesta-campaign-a-new-targeted-attack-awakens/}, language = {English}, urldate = {2020-01-13} } @online{ar6s:2019:rat:f0a6a2f, author = {Ar6s}, title = {{[RAT] DARK TRACK ALIEN 4.1}}, date = {2019}, organization = {Cracked.to Forum}, url = {https://cracked.to/Thread-Release-RAT-Dark-track-alien-4-1}, language = {English}, urldate = {2020-01-07} } @online{arada:20130924:osxleveragea:ba6e883, author = {Eduardo De La Arada}, title = {{OSX/Leverage.a Analysis}}, date = {2013-09-24}, organization = {AT&T}, url = {https://www.alienvault.com/blogs/labs-research/osx-leveragea-analysis}, language = {English}, urldate = {2020-01-13} } @techreport{archer:20190531:qealler:2d73860, author = {Jeff Archer}, title = {{Qealler Unloaded}}, date = {2019-05-31}, institution = {Github (jeFF0Falltrades)}, url = {https://github.com/jeFF0Falltrades/Malware-Writeups/blob/master/Qealler/Qealler-Unloaded.pdf}, language = {English}, urldate = {2019-12-17} } @online{archer:20190815:micropsia:8ed52a1, author = {Jeff Archer}, title = {{MICROPSIA (APT-C-23)}}, date = {2019-08-15}, organization = {Github (jeFF0Falltrades)}, url = {https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/micropsia_apt_c_23.md}, language = {English}, urldate = {2019-12-10} } @online{archer:20190914:wsh:103aefa, author = {Jeff Archer}, title = {{WSH RAT (A variant of H-Worm/Houdini)}}, date = {2019-09-14}, organization = {Github (jeFF0Falltrades)}, url = {https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/wsh_rat.md}, language = {English}, urldate = {2020-01-06} } @online{archer:20191103:dtrack:de46ce3, author = {Jeff Archer}, title = {{DTrack}}, date = {2019-11-03}, organization = {Github (jeFF0Falltrades)}, url = {https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/dtrack_lazarus_group.md}, language = {English}, urldate = {2019-12-18} } @online{archer:20191205:poshc2:3066e19, author = {Jeff Archer}, title = {{PoshC2 (specifically as used by APT33)}}, date = {2019-12-05}, organization = {Github (jeFF0Falltrades)}, url = {https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/poshc2_apt_33.md}, language = {English}, urldate = {2020-01-06} } @online{archer:20200211:metamorfo:663ae17, author = {Jeff Archer}, title = {{Metamorfo (aka Casbaneiro)}}, date = {2020-02-11}, organization = {Github (jeFF0Falltrades)}, url = {https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/metamorfo.md}, language = {English}, urldate = {2020-02-11} } @online{arkbird:20200817:short:a510811, author = {Arkbird}, title = {{Short twitter thread with analysis on Loup ATM malware}}, date = {2020-08-17}, organization = {Twitter (@Arkbird_SOLG)}, url = {https://twitter.com/Arkbird_SOLG/status/1295396936896438272}, language = {English}, urldate = {2020-08-25} } @online{arkbird:20200903:development:cf8dd7d, author = {Arkbird}, title = {{Tweet on development in more_eggs}}, date = {2020-09-03}, organization = {Twitter (@Arkbird_SOLG)}, url = {https://twitter.com/Arkbird_SOLG/status/1301536930069278727}, language = {English}, urldate = {2020-09-15} } @online{arkbird:20200911:discovery:99adb88, author = {Arkbird}, title = {{Tweet on discovery of a sample}}, date = {2020-09-11}, organization = {Twitter (@Arkbird_SOLG)}, url = {https://twitter.com/Arkbird_SOLG/status/1304187749373800455}, language = {English}, urldate = {2020-10-21} } @online{arkbirdsolg:20200505:operation:448dc4a, author = {@Arkbird_SOLG}, title = {{Operation Flash Cobra}}, date = {2020-05-05}, organization = {Github (StrangerealIntel)}, url = {https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/North%20Korea/APT/Lazarus/2020-05-05/Analysis.md}, language = {English}, urldate = {2020-05-07} } @online{arkbirdsolg:20200622:ftcode:1f79b62, author = {Twitter (@Arkbird_SOLG)}, title = {{FTcode targets European countries}}, date = {2020-06-22}, organization = {Github (StrangerealIntel)}, url = {https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Additional%20Analysis/Unknown/2020-06-22/Analysis.md}, language = {English}, urldate = {2020-06-24} } @online{armelli:20200708:named:c581e3d, author = {Matthew Armelli and Stuart Caudill and John Patrick Dees and Max Egar and Jennifer Keltz and Lan Pelekis and John Sakellariadis and Vipratap Vikram Singh and Katherine von Ofenheim and Neal Pollard}, title = {{Named But Hardly Shamed: What is the Impact of Information Disclosures on an APT Operations?}}, date = {2020-07-08}, organization = {COLUMBIA | SIPA}, url = {https://sipa.columbia.edu/file/12461/download?token=o5TRWZnI}, language = {English}, urldate = {2020-07-13} } @techreport{army:20200724:atp:37eeefe, author = {Department of the Army}, title = {{ATP 7-100.2: North Korean Tactics}}, date = {2020-07-24}, institution = {Department of the Army}, url = {https://armypubs.army.mil/epubs/DR_pubs/DR_a/ARN30043-ATP_7-100.2-000-WEB-2.pdf}, language = {English}, urldate = {2020-08-20} } @online{arndt:20200924:zloader:ad8bf21, author = {Jamie Arndt}, title = {{zLoader XLM Update: Macro code and behavior change}}, date = {2020-09-24}, organization = {Click All the Things! Blog}, url = {https://clickallthethings.wordpress.com/2020/09/21/zloader-xlm-update-macro-code-and-behavior-change/}, language = {English}, urldate = {2020-09-25} } @online{arneson:20190124:cisco:58d9a8f, author = {John Arneson}, title = {{Cisco AMP tracks new campaign that delivers Ursnif}}, date = {2019-01-24}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/01/amp-tracks-ursnif.html}, language = {English}, urldate = {2019-10-12} } @online{arntz:20171031:analyzing:9d5c49e, author = {Pieter Arntz}, title = {{Analyzing malware by API calls}}, date = {2017-10-31}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/10/analyzing-malware-by-api-calls/}, language = {English}, urldate = {2019-12-20} } @online{arntz:20200710:threat:f64cac0, author = {Pieter Arntz}, title = {{Threat spotlight: WastedLocker, customized ransomware}}, date = {2020-07-10}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-spotlight/2020/07/threat-spotlight-wastedlocker-customized-ransomware/}, language = {English}, urldate = {2020-07-15} } @online{arntz:20200813:chrome:2120054, author = {Pieter Arntz}, title = {{Chrome extensions that lie about their permissions}}, date = {2020-08-13}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/puppum/2020/08/chrome-extensions-that-lie-about-their-permissions/}, language = {English}, urldate = {2020-08-14} } @online{aronov:20150723:analysis:0162f34, author = {Igor Aronov}, title = {{An Analysis of the Qadars Banking Trojan}}, date = {2015-07-23}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/an-analysis-of-the-qadars-trojan/}, language = {English}, urldate = {2020-01-10} } @online{arsene:20160808:possibly:55e5441, author = {Liviu Arsene}, title = {{Possibly Italy-Born Android RAT Reported in China, Find Bitdefender Researchers}}, date = {2016-08-08}, organization = {Bitdefender}, url = {https://hotforsecurity.bitdefender.com/blog/possibly-italy-born-android-rat-reported-in-china-find-bitdefender-researchers-16264.html}, language = {English}, urldate = {2020-01-06} } @online{arsene:20171026:keranger:a908ea4, author = {Liviu Arsene}, title = {{Keranger: the first “in-the-wild” ransomware for Macs. But certainly not the last}}, date = {2017-10-26}, organization = {Macworld}, url = {https://www.macworld.com/article/3234650/macs/keranger-the-first-in-the-wild-ransomware-for-macs-but-certainly-not-the-last.html}, language = {English}, urldate = {2020-01-08} } @online{arsene:20200107:hold:b9c1aa4, author = {Liviu Arsene}, title = {{Hold My Beer Mirai – Spinoff Named ‘LiquorBot’ Incorporates Cryptomining}}, date = {2020-01-07}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2020/01/hold-my-beer-mirai-spinoff-named-liquorbot-incorporates-cryptomining/}, language = {English}, urldate = {2020-01-13} } @techreport{arsene:20200318:new:2d895da, author = {Liviu Arsene and Radu Tudorica and Alexandru Maximciuc and Cristina Vatamanu}, title = {{New TrickBot Module Bruteforces RDP Connections, Targets Select Telecommunication Services in US and Hong Kong}}, date = {2020-03-18}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/316/Bitdefender-Whitepaper-TrickBot-en-EN-interactive.pdf}, language = {English}, urldate = {2020-03-19} } @online{arsene:20200320:5:46813c6, author = {Liviu Arsene}, title = {{5 Times More Coronavirus-themed Malware Reports during March}}, date = {2020-03-20}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter}, language = {English}, urldate = {2020-03-26} } @online{arsene:20200325:new:51ce027, author = {Liviu Arsene}, title = {{New Router DNS Hijacking Attacks Abuse Bitbucket to Host Infostealer}}, date = {2020-03-25}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2020/03/new-router-dns-hijacking-attacks-abuse-bitbucket-to-host-infostealer/}, language = {English}, urldate = {2020-03-30} } @online{arsene:20200326:android:946032b, author = {Liviu Arsene}, title = {{Android Apps and Malware Capitalize on Coronavirus}}, date = {2020-03-26}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2020/03/android-apps-and-malware-capitalize-on-coronavirus}, language = {English}, urldate = {2020-03-26} } @online{arsene:20200513:global:6217d6f, author = {Liviu Arsene}, title = {{Global Ransomware and Cyberattacks on Healthcare Spike during Pandemic}}, date = {2020-05-13}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2020/05/global-ransomware-and-cyberattacks-on-healthcare-spike-during-pandemic/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter}, language = {English}, urldate = {2020-07-06} } @techreport{arsene:20200521:iranian:d9e1468, author = {Liviu Arsene and Bogdan Rusu}, title = {{Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia}}, date = {2020-05-21}, institution = {Bitdefender}, url = {https://bitdefender.com/files/News/CaseStudies/study/332/Bitdefender-Whitepaper-Chafer-creat4491-en-EN-interactive.pdf}, language = {English}, urldate = {2020-05-23} } @techreport{arsene:20200630:strongpity:ed365fb, author = {Liviu Arsene and Radu Tudorica and Cristina Vatamanu and Alexandru Maximciuc}, title = {{StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure}}, date = {2020-06-30}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf}, language = {English}, urldate = {2020-06-30} } @techreport{arsene:20200820:more:a98fa7e, author = {Liviu Arsene and Victor Vrabie and Bogdan Rusu and Alexandru Maximciuc and Cristina Vatamanu}, title = {{More Evidence of APT Hackers-for-Hire Usedfor Industrial Espionage}}, date = {2020-08-20}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/365/Bitdefender-PR-Whitepaper-APTHackers-creat4740-en-EN-GenericUse.pdf}, language = {English}, urldate = {2020-08-27} } @online{arzamendi:20180118:arc:384a9b0, author = {Pete Arzamendi and Matt Bing and Kirk Soluk}, title = {{The ARC of Satori}}, date = {2018-01-18}, organization = {NetScout}, url = {https://www.arbornetworks.com/blog/asert/the-arc-of-satori/}, language = {English}, urldate = {2019-11-29} } @techreport{asd:20181214:investigationreport:6eda856, author = {ASD}, title = {{Investigationreport: Compromise of an Australian companyvia their Managed Service Provider}}, date = {2018-12-14}, institution = {Australian Cyber Security Centre}, url = {https://www.cyber.gov.au/sites/default/files/2019-03/msp_investigation_report.pdf}, language = {English}, urldate = {2020-03-11} } @online{asec:20171016:operation:68f1182, author = {ASEC}, title = {{Operation Bitter Biscuit}}, date = {2017-10-16}, organization = {AhnLab}, url = {http://asec.ahnlab.com/tag/Operation%20Bitter%20Biscuit}, language = {Korean}, urldate = {2020-01-13} } @techreport{asec:20191010:asec:6452cd4, author = {ASEC}, title = {{ASEC Report Vol. 96}}, date = {2019-10-10}, institution = {AhnLab}, url = {https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.96_ENG.pdf}, language = {English}, urldate = {2020-01-13} } @online{ash:20180626:rancor:99f5616, author = {Brittany Ash and Josh Grunzweig and Tom Lancaster}, title = {{RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families}}, date = {2018-06-26}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/}, language = {English}, urldate = {2019-12-20} } @online{ash:20180626:rancor:cc2a967, author = {Brittany Ash and Josh Grunzweig and Tom Lancaster}, title = {{RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families}}, date = {2018-06-26}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/}, language = {English}, urldate = {2019-12-18} } @online{ashford:20180802:three:1fa3b70, author = {Warwick Ashford}, title = {{Three Carbanak cyber heist gang members arrested}}, date = {2018-08-02}, organization = {ComputerWeekly}, url = {https://www.computerweekly.com/news/252446153/Three-Carbanak-cyber-heist-gang-members-arrested}, language = {English}, urldate = {2020-01-10} } @online{ashman:20190605:upgraded:519af7d, author = {Ofir Ashman}, title = {{Upgraded JasperLoader Infecting Machines with New Targets & Functional Improvements: What You Need to Know}}, date = {2019-06-05}, organization = {ThreatStop}, url = {https://blog.threatstop.com/upgraded-jasperloader-infecting-machines}, language = {English}, urldate = {2020-01-08} } @online{ashton:20200621:maersk:5121522, author = {Gavin Ashton}, title = {{Maersk, me & notPetya}}, date = {2020-06-21}, organization = {GVNSHTN}, url = {https://gvnshtn.com/maersk-me-notpetya/}, language = {English}, urldate = {2020-08-18} } @online{asinovsky:20200618:ginp:724e3ef, author = {Pavel Asinovsky}, title = {{Ginp Malware Operations are on the Rise, Aiming to Expand in Turkey}}, date = {2020-06-18}, organization = {IBM Security}, url = {https://securityintelligence.com/posts/ginp-malware-operations-rising-expansions-turkey/}, language = {English}, urldate = {2020-06-19} } @online{askar:20200726:inmemory:5556cad, author = {Askar}, title = {{In-Memory shellcode decoding to evade AVs/EDRs}}, date = {2020-07-26}, organization = {Shells.System blog}, url = {https://shells.systems/in-memory-shellcode-decoding-to-evade-avs/}, language = {English}, urldate = {2020-07-30} } @online{asoltanei:20200331:infected:eaa940e, author = {Oana Asoltanei and Alin Mihai Barbatei and Ioan-Septimiu Dinulica}, title = {{Infected Zoom Apps for Android Target Work-From-Home Users}}, date = {2020-03-31}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2020/03/infected-zoom-apps-for-android-target-work-from-home-users}, language = {English}, urldate = {2020-04-07} } @techreport{asoltanei:20200619:bitterapt:2e8e1d2, author = {Oana Asoltanei and Denis Cosmin Nutiu and Alin Mihai Barbatei}, title = {{BitterAPT Revisited: the Untold Evolution of an Android Espionage Tool}}, date = {2020-06-19}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/352/Bitdefender-PR-Whitepaper-BitterAPT-creat4571-en-EN-GenericUse.pdf}, language = {English}, urldate = {2020-06-21} } @online{asoltanei:20201008:fake:88db68e, author = {Oana Asoltanei and Elena Flondor and Alin Mihai Barbatei and Liviu Aarsene}, title = {{Fake Users Rave but Real Users Rant as Apps on Google Play Deal Aggressive Adware}}, date = {2020-10-08}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2020/10/fake-users-rave-but-real-users-rant-as-apps-on-google-play-deal-aggressive-adware/}, language = {English}, urldate = {2020-10-12} } @online{asrar:201901:destructive:f4cc200, author = {Irfan Asrar}, title = {{Destructive Attack "Dustman" Technical Report}}, date = {2019-01}, organization = {LinkedIn Irfan Asrar}, url = {https://www.linkedin.com/posts/iasrar_dustman-report-in-english-activity-6619216346083393537-NV1z/}, language = {English}, urldate = {2020-01-13} } @online{asrar:20200104:dustman:8df5168, author = {Irfan Asrar}, title = {{Tweet on Dustman}}, date = {2020-01-04}, organization = {Twitter (@Irfan_Asrar)}, url = {https://twitter.com/Irfan_Asrar/status/1213544175355908096}, language = {English}, urldate = {2020-01-09} } @online{assante:20151230:current:342c55e, author = {Michael J. Assante}, title = {{Current Reporting on the Cyber Attack in Ukraine Resulting in Power Outage}}, date = {2015-12-30}, organization = {SANS}, url = {https://ics.sans.org/blog/2015/12/30/current-reporting-on-the-cyber-attack-in-ukraine-resulting-in-power-outage}, language = {English}, urldate = {2019-12-17} } @online{aswanda:20180622:formbook:ce3c98b, author = {Aswanda}, title = {{FormBook stealer: Data theft made easy}}, date = {2018-06-22}, organization = {InQuest}, url = {http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/}, language = {English}, urldate = {2020-01-09} } @online{attck:2019:admin338:c8e4d93, author = {MITRE ATT&CK}, title = {{Group description: admin@338}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0018/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:apt1:9f69f1f, author = {MITRE ATT&CK}, title = {{Group description: APT1}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0006/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:apt28:f03c2bd, author = {MITRE ATT&CK}, title = {{Group description: APT28}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0007/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:apt37:b488fef, author = {MITRE ATT&CK}, title = {{Group description: APT37}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0067/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:apt39:573abf3, author = {MITRE ATT&CK}, title = {{Group description: APT39}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0087/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:blackoasis:ceb12ff, author = {MITRE ATT&CK}, title = {{Group description: BlackOasis}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0063/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:bronze:b7965ff, author = {MITRE ATT&CK}, title = {{Group description: BRONZE BUTLER}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0060/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:carbanak:0e2fe5c, author = {MITRE ATT&CK}, title = {{Group description: Carbanak}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0008/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:charming:f900c21, author = {MITRE ATT&CK}, title = {{Group description: Charming Kitten}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0058/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:cleaver:ac864e2, author = {MITRE ATT&CK}, title = {{Group description: Cleaver}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0003/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:cobalt:0e0496e, author = {MITRE ATT&CK}, title = {{Group description: Cobalt Group}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0080/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:copykittens:a691b76, author = {MITRE ATT&CK}, title = {{Group description: CopyKittens}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0052/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:dark:01cd067, author = {MITRE ATT&CK}, title = {{Group description: Dark Caracal}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0070/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:darkhotel:eab9170, author = {MITRE ATT&CK}, title = {{Group description: Darkhotel}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0012/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:darkhydrus:b9db207, author = {MITRE ATT&CK}, title = {{Group description: DarkHydrus}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0079/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:deep:7220dc2, author = {MITRE ATT&CK}, title = {{Group description: Deep Panda}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0009/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:dragonfly:c84141f, author = {MITRE ATT&CK}, title = {{Group description: Dragonfly}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0035/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:dragonok:f2cc4fa, author = {MITRE ATT&CK}, title = {{Group description: DragonOK}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0017/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:dust:699660d, author = {MITRE ATT&CK}, title = {{Group description: Dust Storm}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0031/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:elderwood:581a3e4, author = {MITRE ATT&CK}, title = {{Group description: Elderwood}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0066/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:equation:8b2ae74, author = {MITRE ATT&CK}, title = {{Group description: Equation}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0020/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:fin10:ae5d375, author = {MITRE ATT&CK}, title = {{Group description: FIN10}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0051/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:fin4:dd68444, author = {MITRE ATT&CK}, title = {{Group description: FIN4}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0085/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:fin5:48f7065, author = {MITRE ATT&CK}, title = {{Group description: FIN5}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0053/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:fin6:791eaef, author = {MITRE ATT&CK}, title = {{Group description: FIN6}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0037/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:fin7:be45dfe, author = {MITRE ATT&CK}, title = {{Group description: FIN7}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0046/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:fin8:2b2b924, author = {MITRE ATT&CK}, title = {{Group description: FIN8}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0061}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:gamaredon:982ecc4, author = {MITRE ATT&CK}, title = {{Group description: Gamaredon Group}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0047/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:gcman:23384a0, author = {MITRE ATT&CK}, title = {{Group description: GCMAN}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0036/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:gorgon:f7c9936, author = {MITRE ATT&CK}, title = {{Group description: Gorgon Group}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0078/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:group5:fcdeaa8, author = {MITRE ATT&CK}, title = {{Group description: Group5}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0043/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:honeybee:9d1ffa6, author = {MITRE ATT&CK}, title = {{Group description: Honeybee}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0072/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:ke3chang:89a4a35, author = {MITRE ATT&CK}, title = {{Group description: Ke3chang}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0004/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:lazarus:a298c2f, author = {MITRE ATT&CK}, title = {{Group description: Lazarus Group}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0032/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:leafminer:c73518e, author = {MITRE ATT&CK}, title = {{Group description: Leafminer}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0077/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:leviathan:249223a, author = {MITRE ATT&CK}, title = {{Group description: Leviathan}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0065/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:lotus:98bf87a, author = {MITRE ATT&CK}, title = {{Group description: Lotus Blossom}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0030/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:magic:f2f07ab, author = {MITRE ATT&CK}, title = {{Group description: Magic Hound}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0059/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:menupass:8fde950, author = {MITRE ATT&CK}, title = {{Group description: menuPass}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0045/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:moafee:021312c, author = {MITRE ATT&CK}, title = {{Group description: Moafee}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0002/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:molerats:9927c33, author = {MITRE ATT&CK}, title = {{Group description: Molerats}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0021/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:muddywater:b990d10, author = {MITRE ATT&CK}, title = {{Group description: MuddyWater}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0069/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:naikon:f6661ca, author = {MITRE ATT&CK}, title = {{Group description: Naikon}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0019/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:neodymium:2979fa4, author = {MITRE ATT&CK}, title = {{Group description: NEODYMIUM}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0055/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:night:45c6d39, author = {MITRE ATT&CK}, title = {{Group description: Night Dragon}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0014/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:oilrig:40b5deb, author = {MITRE ATT&CK}, title = {{Group description: OilRig}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0049/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:orangeworm:7b6180d, author = {MITRE ATT&CK}, title = {{Group description: Orangeworm}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0071/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:patchwork:b9fa9e1, author = {MITRE ATT&CK}, title = {{Group description: Patchwork}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0040/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:pittytiger:9fde514, author = {MITRE ATT&CK}, title = {{Group description: PittyTiger}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0011/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:platinum:7fbd5ec, author = {MITRE ATT&CK}, title = {{Group description: PLATINUM}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0068/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:poseidon:9c4e9d2, author = {MITRE ATT&CK}, title = {{Group description: Poseidon Group}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0033/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:promethium:845588e, author = {MITRE ATT&CK}, title = {{Group description: PROMETHIUM}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0056/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:putter:db997a2, author = {MITRE ATT&CK}, title = {{Group description: Putter Panda}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0024/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:rancor:d326bb1, author = {MITRE ATT&CK}, title = {{Group description: Rancor}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0075/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:rtm:24fd219, author = {MITRE ATT&CK}, title = {{Group description: RTM}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0048/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:sandworm:2c635f5, author = {MITRE ATT&CK}, title = {{Group description: Sandworm Team}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0034/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:scarlet:c7d064d, author = {MITRE ATT&CK}, title = {{Group description: Scarlet Mimic}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0029/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:sowbug:1065fa1, author = {MITRE ATT&CK}, title = {{Group description: Sowbug}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0054/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:stealth:5d9f9cd, author = {MITRE ATT&CK}, title = {{Group description: Stealth Falcon}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0038/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:stolen:1489d7d, author = {MITRE ATT&CK}, title = {{Group description: Stolen Pencil}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0086/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:strider:e8991a7, author = {MITRE ATT&CK}, title = {{Group description: Strider}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0041/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:suckfly:686a402, author = {MITRE ATT&CK}, title = {{Group description: Suckfly}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0039/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:ta459:3a8408d, author = {MITRE ATT&CK}, title = {{Group description: TA459}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0062/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:taidoor:e2e9ac3, author = {MITRE ATT&CK}, title = {{Group description: Taidoor}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0015/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:tempveles:c62b7f7, author = {MITRE ATT&CK}, title = {{Group description: TEMP.Veles}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0088/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:threat:739dbdd, author = {MITRE ATT&CK}, title = {{Group description: Threat Group-3390}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0027/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:thrip:b7cf7c3, author = {MITRE ATT&CK}, title = {{Group description: Thrip}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0076/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:tool:5022816, author = {MITRE ATT&CK}, title = {{Tool description: NanHaiShu}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/software/S0228/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:tool:ae50919, author = {MITRE ATT&CK}, title = {{Tool description: BUBBLEWRAP}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/software/S0043/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:tool:aef0372, author = {MITRE ATT&CK}, title = {{Tool description: HALFBAKED}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/software/S0151/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:tool:e80f843, author = {MITRE ATT&CK}, title = {{Tool description: ELMER}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/software/S0064}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:tool:ebc79ce, author = {MITRE ATT&CK}, title = {{Tool description: BLACKCOFFEE}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/software/S0069/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:tool:fd89dda, author = {MITRE ATT&CK}, title = {{Tool description: China Chopper}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/software/S0020/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:tropic:0324452, author = {MITRE ATT&CK}, title = {{Group description: Tropic Trooper}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0081/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:turla:6c3dec8, author = {MITRE ATT&CK}, title = {{Group description: Turla}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0010/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:winnti:ad3b350, author = {MITRE ATT&CK}, title = {{Group description: Winnti Group}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0044/}, language = {English}, urldate = {2019-12-20} } @online{atweeteruser:20190726:malware:dce6863, author = {a_tweeter_user}, title = {{Tweet on Malware}}, date = {2019-07-26}, organization = {Twitter (@a_tweeter_user)}, url = {https://twitter.com/a_tweeter_user/status/1154764787823316993}, language = {English}, urldate = {2020-01-08} } @online{authos:20160320:hidden:151e4e4, author = {Tripwire Guest Authos}, title = {{Hidden Tear Project: Forbidden Fruit Is the Sweetest}}, date = {2016-03-20}, organization = {Tripwire}, url = {https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/hidden-tear-project-forbidden-fruit-is-the-sweetest/}, language = {English}, urldate = {2020-01-08} } @online{avast:20171220:video:4c6aaa5, author = {Avast}, title = {{Video about Catelites Bot - Airbank Example}}, date = {2017-12-20}, organization = {YouTube}, url = {https://www.youtube.com/watch?v=1LOy0ZyjEOk}, language = {English}, urldate = {2020-01-07} } @online{avast:2018:hide:cd78bb0, author = {Avast}, title = {{Hide 'N Seek}}, date = {2018}, organization = {Avast}, url = {https://threatlabs.avast.com/botnet}, language = {English}, urldate = {2019-12-17} } @online{aydinbas:20190502:formbook:d1ef715, author = {Johann Aydinbas}, title = {{FormBook - Hiding in plain sight}}, date = {2019-05-02}, organization = {Usual Suspect RE}, url = {https://usualsuspect.re/article/formbook-hiding-in-plain-sight}, language = {English}, urldate = {2020-01-13} } @techreport{ayers:20191113:through:70cc3b3, author = {Jen Ayers and Jason Rivera}, title = {{Through the Eyes of the Adversary}}, date = {2019-11-13}, institution = {CrowdStrike}, url = {https://na.eventscloud.com/file_uploads/6568237bca6dc156e5c5557c5989e97c_CrowdStrikeFal.Con2019_ThroughEyesOfAdversary_J.Ayers.pdf}, language = {English}, urldate = {2020-03-22} } @online{b:20200815:doublefantasy:6c843b6, author = {Adrien B}, title = {{Tweet on DoubleFantasy}}, date = {2020-08-15}, organization = {Twitter (@Int2e_)}, url = {https://twitter.com/Int2e_/status/1294565186939092994}, language = {English}, urldate = {2020-08-18} } @online{babaee:20200908:automated:eb3272c, author = {Hamidreza Babaee}, title = {{Automated dynamic import resolving using binary emulation}}, date = {2020-09-08}, organization = {Lopqto's Adventures}, url = {https://lopqto.me/posts/automated-dynamic-import-resolving}, language = {English}, urldate = {2020-09-09} } @online{babe:201904:analyzing:3a404ff, author = {Cafe Babe}, title = {{Analyzing Emotet with Ghidra — Part 1}}, date = {2019-04}, url = {https://medium.com/@0xd0cf11e/analyzing-emotet-with-ghidra-part-1-4da71a5c8d69}, language = {English}, urldate = {2019-12-06} } @online{baca:20200326:would:a184711, author = {Alejandro Baca and Rodel Mendrez}, title = {{Would You Exchange Your Security for a Gift Card?}}, date = {2020-03-26}, organization = {SpiderLabs Blog}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/would-you-exchange-your-security-for-a-gift-card/}, language = {English}, urldate = {2020-03-30} } @techreport{backdoor:201803:oceanlotus:a2c3636, author = {OceanLotus: Old techniques, new backdoor}, title = {{OceanLotus: Old techniques, new backdoor}}, date = {2018-03}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2018/03/ESET_OceanLotus.pdf}, language = {English}, urldate = {2020-01-07} } @online{bacurio:20160621:curious:8607f46, author = {Floser Bacurio and Roland Dela Paz}, title = {{The Curious Case of an Unknown Trojan Targeting German-Speaking Users}}, date = {2016-06-21}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/the-curious-case-of-an-unknown-trojan-targeting-german-speaking-users.html}, language = {English}, urldate = {2020-01-08} } @online{bacurio:20170214:remcos:e924c55, author = {Floser Bacurio and Joie Salvio}, title = {{REMCOS: A New RAT In The Wild}}, date = {2017-02-14}, organization = {Fortinet}, url = {https://blog.fortinet.com/2017/02/14/remcos-a-new-rat-in-the-wild-2}, language = {English}, urldate = {2020-01-09} } @online{bacurio:20171207:peculiar:e4c095f, author = {Floser Bacurio and Joie Salvio}, title = {{A Peculiar Case of Orcus RAT Targeting Bitcoin Investors}}, date = {2017-12-07}, organization = {Fortinet}, url = {https://blog.fortinet.com/2017/12/07/a-peculiar-case-of-orcus-rat-targeting-bitcoin-investors}, language = {English}, urldate = {2020-01-08} } @online{bader:20150112:dga:b961e18, author = {Johannes Bader}, title = {{The DGA of Shiotob}}, date = {2015-01-12}, url = {https://www.johannesbader.ch/2015/01/the-dga-of-shiotob/}, language = {English}, urldate = {2019-12-19} } @online{bader:20150210:dga:2ff5cf7, author = {Johannes Bader}, title = {{The DGA of Banjori}}, date = {2015-02-10}, organization = {Johannes Bader's Blog}, url = {https://www.johannesbader.ch/2015/02/the-dga-of-banjori/}, language = {English}, urldate = {2020-01-07} } @online{bader:20150306:dga:3673443, author = {Johannes Bader}, title = {{The DGA of DirCrypt}}, date = {2015-03-06}, url = {https://www.johannesbader.ch/2015/03/the-dga-of-dircrypt/}, language = {English}, urldate = {2019-11-28} } @online{bader:20150310:dga:4409507, author = {Johannes Bader}, title = {{The DGA of Pykspa}}, date = {2015-03-10}, organization = {Johannes Bader Blog}, url = {https://www.johannesbader.ch/2015/03/the-dga-of-pykspa/}, language = {English}, urldate = {2019-12-19} } @online{bader:20150522:dga:9ba1744, author = {Johannes Bader}, title = {{The DGA of Ranbyus}}, date = {2015-05-22}, organization = {Johannes Bader Blog}, url = {https://www.johannesbader.ch/2015/05/the-dga-of-ranbyus/}, language = {English}, urldate = {2020-01-06} } @online{bader:20150610:win32upatrebi:36ea1eb, author = {Johannes Bader}, title = {{Win32/Upatre.BI - Part One}}, date = {2015-06-10}, url = {https://johannesbader.ch/2015/06/Win32-Upatre-BI-Part-1-Unpacking/}, language = {English}, urldate = {2019-12-02} } @online{bader:20150719:faulty:e287eee, author = {Johannes Bader}, title = {{The Faulty Precursor of Pykspa's DGA}}, date = {2015-07-19}, organization = {Johannes Bader Blog}, url = {https://www.johannesbader.ch/2015/07/pykspas-inferior-dga-version/}, language = {English}, urldate = {2020-01-09} } @online{bader:20160110:dga:cb8a5e5, author = {Johannes Bader}, title = {{The DGA in Alureon/DNSChanger}}, date = {2016-01-10}, url = {https://www.johannesbader.ch/2016/01/the-dga-in-alureon-dnschanger/}, language = {English}, urldate = {2019-12-17} } @online{bader:20160221:phorpiex:ab65d87, author = {Johannes Bader}, title = {{Phorpiex - An IRC worm}}, date = {2016-02-21}, organization = {Johannes Bader Blog}, url = {https://www.johannesbader.ch/2016/02/phorpiex/}, language = {English}, urldate = {2020-01-06} } @online{bader:20160224:dga:735ff10, author = {Johannes Bader}, title = {{The DGA of Qakbot.T}}, date = {2016-02-24}, organization = {Johannes Bader Blog}, url = {https://www.johannesbader.ch/2016/02/the-dga-of-qakbot/}, language = {English}, urldate = {2020-01-06} } @online{bader:20160306:dga:fe673b7, author = {Johannes Bader}, title = {{The DGA of PadCrypt}}, date = {2016-03-06}, url = {https://johannesbader.ch/2016/03/the-dga-of-padcrypt/}, language = {English}, urldate = {2019-12-06} } @online{bader:20160412:dga:469d85e, author = {Johannes Bader}, title = {{The DGA of Qadars v3}}, date = {2016-04-12}, url = {https://www.johannesbader.ch/2016/04/the-dga-of-qadars/}, language = {English}, urldate = {2019-07-11} } @online{bader:20170725:dridex:44f64d8, author = {Johannes Bader}, title = {{Dridex Loot}}, date = {2017-07-25}, organization = {Github (viql)}, url = {https://viql.github.io/dridex/}, language = {English}, urldate = {2020-01-07} } @online{bader:20180429:new:b8e7b59, author = {Johannes Bader}, title = {{The new Domain Generation Algorithm of Nymaim}}, date = {2018-04-29}, url = {https://johannesbader.ch/2018/04/the-new-domain-generation-algorithm-of-nymaim/}, language = {English}, urldate = {2020-01-07} } @online{bader:20190708:dga:0c56ba3, author = {Johannes Bader}, title = {{The DGA of Pitou}}, date = {2019-07-08}, url = {https://johannesbader.ch/2019/07/the-dga-of-pitou/}, language = {English}, urldate = {2020-01-10} } @online{bader:20191112:dga:0a1d2c8, author = {Johannes Bader}, title = {{The DGA of QSnatch}}, date = {2019-11-12}, organization = {Johannes Bader Blog}, url = {https://bin.re/blog/the-dga-of-qsnatch/}, language = {English}, urldate = {2020-01-13} } @online{bader:20200123:dga:129802e, author = {Johannes Bader}, title = {{The DGA of a Monero Miner Downloader}}, date = {2020-01-23}, organization = {Johannes Bader's Blog}, url = {https://johannesbader.ch/blog/the-dga-of-a-monero-miner-downloader/}, language = {English}, urldate = {2020-01-27} } @online{bader:20200426:dga:edd448c, author = {Johannes Bader}, title = {{The DGA of Zloader}}, date = {2020-04-26}, organization = {Johannes Bader's Blog}, url = {https://johannesbader.ch/blog/the-dga-of-zloader/}, language = {English}, urldate = {2020-04-26} } @online{bader:20200714:domain:51498ab, author = {Johannes Bader}, title = {{The Domain Generation Algorithm of BazarBackdoor}}, date = {2020-07-14}, organization = {Johannes Bader's Blog}, url = {https://johannesbader.ch/blog/the-dga-of-bazarbackdoor/}, language = {English}, urldate = {2020-07-15} } @online{bader:20200715:defective:3a3721f, author = {Johannes Bader}, title = {{The Defective Domain Generation Algorithm of BazarBackdoor}}, date = {2020-07-15}, organization = {Johannes Bader's Blog}, url = {https://johannesbader.ch/blog/the-buggy-dga-of-bazarbackdoor/}, language = {English}, urldate = {2020-07-15} } @techreport{bailey:201601:matryoshka:3c7753f, author = {Michael Bailey}, title = {{MATRYOSHKA MINING}}, date = {2016-01}, institution = {FireEye}, url = {https://www2.fireeye.com/rs/848-DID-242/images/wp-mandiant-matryoshka-mining.pdf}, language = {English}, urldate = {2019-11-27} } @online{bailey:20190422:carbanak:c94c9f1, author = {Michael Bailey and James T. Bennett}, title = {{CARBANAK Week Part One: A Rare Occurrence}}, date = {2019-04-22}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-one-a-rare-occurrence.html}, language = {English}, urldate = {2019-12-20} } @online{bailey:20190423:carbanak:cbe986c, author = {Michael Bailey and James T. Bennett}, title = {{CARBANAK Week Part Two: Continuing the CARBANAK Source Code Analysis}}, date = {2019-04-23}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-two-continuing-source-code-analysis.html}, language = {English}, urldate = {2019-12-20} } @online{bailey:20200208:reversing:b033cdc, author = {Michael Bailey}, title = {{Reversing the Gophe SPambot: Confronting COM Code and Surmounting STL Snags}}, date = {2020-02-08}, organization = {FireEye}, url = {https://github.com/strictlymike/presentations/tree/master/2020/2020.02.08_BSidesHuntsville}, language = {English}, urldate = {2020-10-05} } @online{bailey:20200407:thinking:7ee19d0, author = {Michael Bailey}, title = {{Thinking Outside the Bochs: Code Grafting to Unpack Malware in Emulation}}, date = {2020-04-07}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/04/code-grafting-to-unpack-malware-in-emulation.html}, language = {English}, urldate = {2020-05-05} } @online{baird:20170320:necurs:ee5da07, author = {Sean Baird and Edmund Brumaghin and Earl Carter and Jaeson Schultz}, title = {{Necurs Diversifies Its Portfolio}}, date = {2017-03-20}, organization = {Cisco Talos}, url = {http://blog.talosintelligence.com/2017/03/necurs-diversifies.html}, language = {English}, urldate = {2020-01-07} } @online{baker:20150318:feds:e9fe961, author = {Mike Baker}, title = {{Feds warned Premera about security flaws before breach}}, date = {2015-03-18}, organization = {Seattle Times}, url = {https://www.seattletimes.com/business/local-business/feds-warned-premera-about-security-flaws-before-breach/}, language = {English}, urldate = {2020-01-10} } @online{baker:20150504:threat:726f1f2, author = {Ben Baker and Alex Chiu}, title = {{Threat Spotlight: Rombertik – Gazing Past the Smoke, Mirrors, and Trapdoors}}, date = {2015-05-04}, organization = {Cisco Talos}, url = {http://blogs.cisco.com/security/talos/rombertik}, language = {English}, urldate = {2020-01-06} } @online{baker:20161207:floki:69ffd12, author = {Ben Baker and Edmund Brumaghin and Mariano Graziano and Jonas Zaddach}, title = {{Floki Bot Strikes, Talos and Flashpoint Respond}}, date = {2016-12-07}, organization = {Cisco Talos}, url = {http://blog.talosintel.com/2016/12/flokibot-collab.html#more}, language = {English}, urldate = {2020-01-09} } @online{baker:20180703:smoking:067be1f, author = {Ben Baker and Holger Unterbrink}, title = {{Smoking Guns - Smoke Loader learned new tricks}}, date = {2018-07-03}, organization = {Talos Intelligence}, url = {https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html}, language = {English}, urldate = {2019-10-14} } @online{baker:20200706:wastedlocker:f33e129, author = {Ben Baker and Edmund Brumaghin and JJ Cummings and Arnaud Zobec}, title = {{WastedLocker Goes "Big-Game Hunting" in 2020}}, date = {2020-07-06}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/07/wastedlocker-emerges.html}, language = {English}, urldate = {2020-07-07} } @online{ballenthin:20200117:404:cc95f5f, author = {William Ballenthin and Josh Madeley}, title = {{404 Exploit Not Found: Vigilante Deploying Mitigation for Citrix NetScaler Vulnerability While Maintaining Backdoor}}, date = {2020-01-17}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html}, language = {English}, urldate = {2020-01-17} } @online{bambenek:20160502:osint:54b6791, author = {John Bambenek}, title = {{OSINT Feed}}, date = {2016-05-02}, organization = {John Bambenek}, url = {http://osint.bambenekconsulting.com/feeds/}, language = {English}, urldate = {2020-01-06} } @online{bambenek:20190207:inside:2a18c89, author = {John Bambenek}, title = {{An Inside Look at the Infrastructure Behind the Russian APT Gamaredon Group}}, date = {2019-02-07}, organization = {ThreatStop}, url = {https://blog.threatstop.com/russian-apt-gamaredon-group}, language = {English}, urldate = {2020-01-06} } @online{bancal:20200130:cyber:0a267d4, author = {Damien Bancal}, title = {{Cyber attaque à l’encontre des serveurs de Bouygues Construction}}, date = {2020-01-30}, organization = {ZATAZ}, url = {https://www.zataz.com/cyber-attaque-a-lencontre-des-serveurs-de-bouygues-construction/}, language = {French}, urldate = {2020-02-03} } @online{banksecurity:20190601:new:3ddfbf1, author = {Bank_Security}, title = {{New ATM Malware NVISOSPIT}}, date = {2019-06-01}, organization = {Twitter (@Bank_Security)}, url = {https://twitter.com/Bank_Security/status/1134850646413385728}, language = {English}, urldate = {2019-11-17} } @online{bao:20200707:cobalt:cf80aa8, author = {Ladislav Bačo}, title = {{Cobalt Strike stagers used by FIN6}}, date = {2020-07-07}, organization = {MWLab}, url = {https://malwarelab.eu/posts/fin6-cobalt-strike/}, language = {English}, urldate = {2020-07-11} } @online{bar:20160502:prince:7769673, author = {Tomer Bar and Simon Conant}, title = {{Prince of Persia: Infy Malware Active In Decade of Targeted Attacks}}, date = {2016-05-02}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/}, language = {English}, urldate = {2020-01-06} } @online{bar:20160502:prince:8b14d7f, author = {Tomer Bar and Simon Conant}, title = {{Prince of Persia: Infy Malware Active In Decade of Targeted Attacks}}, date = {2016-05-02}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/}, language = {English}, urldate = {2019-12-20} } @online{bar:20160502:prince:cfd5940, author = {Tomer Bar and Simon Conant}, title = {{Prince of Persia: Infy Malware Active In Decade of Targeted Attacks}}, date = {2016-05-02}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/}, language = {English}, urldate = {2020-04-06} } @online{bar:20160628:prince:b1d2cdd, author = {Tomer Bar and Lior Efraim and Simon Conant}, title = {{Prince of Persia – Game Over}}, date = {2016-06-28}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2016/06/unit42-prince-of-persia-game-over/}, language = {English}, urldate = {2019-10-28} } @online{bar:20170405:targeted:49e76a6, author = {Tomer Bar and Tom Lancaster}, title = {{Targeted Attacks in the Middle East Using KASPERAGENT and MICROPSIA}}, date = {2017-04-05}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/}, language = {English}, urldate = {2019-12-10} } @online{bar:20170405:targeted:feb4b54, author = {Tomer Bar and Tom Lancaster}, title = {{Targeted Attacks in the Middle East Using KASPERAGENT and MICROPSIA}}, date = {2017-04-05}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/04/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/}, language = {English}, urldate = {2019-12-20} } @online{bar:20170801:prince:db6038a, author = {Tomer Bar and Simon Conant}, title = {{Prince of Persia – Ride the Lightning: Infy returns as “Foudre”}}, date = {2017-08-01}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre/}, language = {English}, urldate = {2019-12-20} } @online{bar:20170801:prince:e7d5542, author = {Tomer Bar and Simon Conant}, title = {{Prince of Persia – Ride the Lightning: Infy returns as “Foudre”}}, date = {2017-08-01}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-prince-persia-ride-lightning-infy-returns-foudre/}, language = {English}, urldate = {2020-01-08} } @online{barabosch:20200203:dissecting:c1a6bca, author = {Thomas Barabosch}, title = {{Dissecting Emotet – Part 1}}, date = {2020-02-03}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/cybersecurity-dissecting-emotet-part-one-592612}, language = {English}, urldate = {2020-02-07} } @online{barabosch:20200306:dissecting:809bc54, author = {Thomas Barabosch}, title = {{Dissecting Emotet - Part 2}}, date = {2020-03-06}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/cybersecurity-dissecting-emotet-part-two-596128}, language = {English}, urldate = {2020-03-09} } @online{barabosch:20200326:ta505s:24d9805, author = {Thomas Barabosch}, title = {{TA505's Box of Chocolate - On Hidden Gems packed with the TA505 Packer}}, date = {2020-03-26}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672}, language = {English}, urldate = {2020-03-27} } @online{barabosch:20200514:lolsnif:c7a2736, author = {Thomas Barabosch}, title = {{LOLSnif – Tracking Another Ursnif-Based Targeted Campaign}}, date = {2020-05-14}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/lolsnif-tracking-another-ursnif-based-targeted-campaign-600062}, language = {English}, urldate = {2020-05-14} } @online{barabosch:20200616:ta505:619f2c6, author = {Thomas Barabosch}, title = {{TA505 returns with a new bag of tricks}}, date = {2020-06-16}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-returns-with-a-new-bag-of-tricks-602104}, language = {English}, urldate = {2020-06-18} } @online{barabosch:20201006:eager:54da318, author = {Thomas Barabosch}, title = {{Eager Beaver: A Short Overview of the Restless Threat Actor TA505}}, date = {2020-10-06}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/eager-beaver-a-short-overview-of-the-restless-threat-actor-ta505-609546}, language = {English}, urldate = {2020-10-08} } @online{baranov:20121212:analysis:6e76df4, author = {Artem Baranov}, title = {{Analysis of VirTool:WinNT/Exforel.A rootkit}}, date = {2012-12-12}, url = {https://artemonsecurity.blogspot.com/2012/12/analysis-of-virtoolwinntexforela-rootkit.html}, language = {English}, urldate = {2020-09-25} } @online{baranov:20161003:remsec:3877dab, author = {Artem Baranov}, title = {{Remsec driver analysis}}, date = {2016-10-03}, url = {https://artemonsecurity.blogspot.com/2016/10/remsec-driver-analysis.html}, language = {English}, urldate = {2020-03-28} } @online{baranov:20161010:remsec:9ed5754, author = {Artem Baranov}, title = {{Remsec driver analysis - Part 2}}, date = {2016-10-10}, url = {https://artemonsecurity.blogspot.com/2016/10/remsec-driver-analysis-part-2.html}, language = {English}, urldate = {2020-03-28} } @online{baranov:20161011:remsec:02eae63, author = {Artem Baranov}, title = {{Remsec driver analysis - Part 3}}, date = {2016-10-11}, url = {https://artemonsecurity.blogspot.com/2016/10/remsec-driver-analysis-part-3.html}, language = {English}, urldate = {2020-03-28} } @online{baranov:20170113:finfisher:436b89e, author = {Artem Baranov}, title = {{Finfisher rootkit analysis}}, date = {2017-01-13}, url = {https://artemonsecurity.blogspot.de/2017/01/finfisher-rootkit-analysis.html}, language = {English}, urldate = {2019-11-26} } @online{baranov:20170330:equationdrug:7255a48, author = {Artem Baranov}, title = {{EquationDrug rootkit analysis (mstcp32.sys)}}, date = {2017-03-30}, url = {http://artemonsecurity.blogspot.com/2017/03/equationdrug-rootkit-analysis-mstcp32sys.html}, language = {English}, urldate = {2020-01-07} } @online{baranov:20170413:stuxnet:c221f57, author = {Artem Baranov}, title = {{Stuxnet drivers: detailed analysis}}, date = {2017-04-13}, organization = {A blog about rootkits research and the Windows kernel}, url = {http://artemonsecurity.blogspot.de/2017/04/stuxnet-drivers-detailed-analysis.html}, language = {English}, urldate = {2020-01-08} } @online{barboza:20181229:malware:d5d8d0d, author = {Tony Barboza and Meg James and Emily Alpert Reyes}, title = {{Malware attack disrupts delivery of L.A. Times and Tribune papers across the U.S.}}, date = {2018-12-29}, organization = {Los Angeles Times}, url = {https://www.latimes.com/local/lanow/la-me-ln-times-delivery-disruption-20181229-story.html}, language = {English}, urldate = {2020-01-10} } @online{barc:20180619:backswap:f0869a4, author = {Hubert Barc}, title = {{Backswap malware analysis}}, date = {2018-06-19}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/backswap-malware-analysis/}, language = {English}, urldate = {2019-12-10} } @online{barker:20201001:duck:edcc017, author = {Dylan Barker and Quinten Bowen and Ryan Campbell}, title = {{Duck Hunting with Falcon Complete: Analyzing a Fowl Banking Trojan, Part 1}}, date = {2020-10-01}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-analyzing-a-fowl-banking-trojan-part-1/}, language = {English}, urldate = {2020-10-07} } @online{barrett:20091029:twoheaded:0032db0, author = {Larry Barrett}, title = {{Two-Headed Trojan Targets Online Banks}}, date = {2009-10-29}, organization = {InternetNews}, url = {http://www.internetnews.com/security/article.php/3846186/TwoHeaded+Trojan+Targets+Online+Banks.htm}, language = {English}, urldate = {2020-01-08} } @online{bartblaze:20141110:thoughts:d7d0d68, author = {BartBlaze}, title = {{Thoughts on Absolute Computrace}}, date = {2014-11-10}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.de/2014/11/thoughts-on-absolute-computrace.html}, language = {English}, urldate = {2019-11-26} } @online{bartblaze:20150303:c99shell:a7f3a5b, author = {BartBlaze}, title = {{C99Shell not dead}}, date = {2015-03-03}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.com/2015/03/c99shell-not-dead.html}, language = {English}, urldate = {2020-01-13} } @online{bartblaze:20150925:notes:79b37fe, author = {BartBlaze}, title = {{Notes on Linux/Xor.DDoS}}, date = {2015-09-25}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.com/2015/09/notes-on-linuxxorddos.html}, language = {English}, urldate = {2020-01-08} } @online{bartblaze:20160202:vipasana:cf5cdd6, author = {BartBlaze}, title = {{Vipasana ransomware new ransom on the block}}, date = {2016-02-02}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.com/2016/02/vipasana-ransomware-new-ransom-on-block.html}, language = {English}, urldate = {2020-09-15} } @online{bartblaze:20160726:otx:b95458e, author = {BartBlaze}, title = {{OTX Pulse on R980 ransomware}}, date = {2016-07-26}, organization = {AlienVault}, url = {https://otx.alienvault.com/pulse/57976b52b900fe01376feb01/}, language = {English}, urldate = {2020-01-13} } @online{bartblaze:20170824:crystal:16adb4a, author = {BartBlaze}, title = {{Crystal Finance Millennium used to spread malware}}, date = {2017-08-24}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.com/2017/08/crystal-finance-millennium-used-to.html}, language = {English}, urldate = {2020-02-01} } @online{bartblaze:20171203:notes:53a752f, author = {BartBlaze}, title = {{Notes on Linux/BillGates}}, date = {2017-12-03}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.com/2017/12/notes-on-linuxbillgates.html}, language = {English}, urldate = {2020-01-13} } @online{bartblaze:20180320:unlock92:863a267, author = {BartBlaze}, title = {{Tweet on Unlock92 Ransomware}}, date = {2018-03-20}, organization = {Twitter (@bartblaze)}, url = {https://twitter.com/bartblaze/status/976188821078462465}, language = {English}, urldate = {2020-01-07} } @online{bartblaze:20180410:maktub:e67ade0, author = {BartBlaze}, title = {{Maktub ransomware: possibly rebranded as Iron}}, date = {2018-04-10}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.de/2018/04/maktub-ransomware-possibly-rebranded-as.html}, language = {English}, urldate = {2019-07-10} } @online{bartblaze:20180415:this:1eaf3ba, author = {BartBlaze}, title = {{This is Spartacus: new ransomware on the block}}, date = {2018-04-15}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.com/2018/04/this-is-spartacus-new-ransomware-on.html}, language = {English}, urldate = {2020-01-22} } @online{bartblaze:20180422:satan:04f63e8, author = {BartBlaze}, title = {{Satan ransomware adds EternalBlue exploit}}, date = {2018-04-22}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.com/2018/04/satan-ransomware-adds-eternalblue.html}, language = {English}, urldate = {2020-01-10} } @online{bartblaze:20200114:satan:4d45ea5, author = {BartBlaze}, title = {{Satan ransomware rebrands as 5ss5c ransomware}}, date = {2020-01-14}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.com/2020/01/satan-ransomware-rebrands-as-5ss5c.html}, language = {English}, urldate = {2020-01-17} } @online{bartblaze:20200913:cryakl:3d29bf0, author = {BartBlaze}, title = {{Tweet on Cryakl 2.0.0.0}}, date = {2020-09-13}, organization = {Twitter (@bartblaze)}, url = {https://twitter.com/bartblaze/status/1305197264332369920}, language = {English}, urldate = {2020-09-15} } @techreport{bartholomew:20160907:wave:96e9f50, author = {Brian Bartholomew and Juan Andrés Guerrero-Saade}, title = {{Wave Your False Flags! Deception Tactics Muddying Attribution in Targeted Attacks}}, date = {2016-09-07}, institution = {Virus Bulletin}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/10/20114955/Bartholomew-GuerreroSaade-VB2016.pdf}, language = {English}, urldate = {2020-03-13} } @online{bartholomew:20170202:kopiluwak:d5c0245, author = {Brian Bartholomew}, title = {{KopiLuwak: A New JavaScript Payload from Turla}}, date = {2017-02-02}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payload-from-turla/}, language = {English}, urldate = {2019-12-20} } @online{bartholomew:20191105:dadjoke:81e2a63, author = {Brian Bartholomew}, title = {{DADJOKE}}, date = {2019-11-05}, url = {https://prezi.com/view/jGyAzyy5dTOkDrtwsJi5/}, language = {English}, urldate = {2020-01-07} } @online{bartholomew:20200103:nice:ddc5c57, author = {Brian Bartholomew}, title = {{Nice One, Dad: Dissecting A Rare Malware Used By Leviathan}}, date = {2020-01-03}, organization = {Youtube (BSides Belfast)}, url = {https://www.youtube.com/watch?v=vx9IB88wXSE}, language = {English}, urldate = {2020-01-13} } @online{bary:20200115:analyzing:02aabc4, author = {Guy Bary}, title = {{Analyzing Magecart Malware – From Zero to Hero}}, date = {2020-01-15}, organization = {PerimeterX}, url = {https://www.perimeterx.com/blog/analyzing_magecart_malware_from_zero_to_hero/}, language = {English}, urldate = {2020-01-17} } @online{bashis:20170306:0day:e03d5c7, author = {bashis}, title = {{0-Day: Dahua backdoor Generation 2 and 3}}, date = {2017-03-06}, url = {http://seclists.org/fulldisclosure/2017/Mar/7}, language = {English}, urldate = {2019-12-18} } @online{baskin:20200603:medusa:8d92754, author = {Brian Baskin}, title = {{Medusa Locker Ransomware}}, date = {2020-06-03}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/2020/06/03/tau-threat-analyis-medusa-locker-ransomware/}, language = {English}, urldate = {2020-06-04} } @online{baskin:20200708:tau:4b05a00, author = {Brian Baskin}, title = {{TAU Threat Discovery: Conti Ransomware}}, date = {2020-07-08}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/}, language = {English}, urldate = {2020-07-08} } @online{bassat:20170807:new:d776333, author = {Omri Ben Bassat}, title = {{New Variants of Agent.BTZ/ComRAT Found: The Threat That Hit The Pentagon In 2008 Still Evolving; Part 1/2}}, date = {2017-08-07}, organization = {Intezer}, url = {http://www.intezer.com/new-variants-of-agent-btz-comrat-found/}, language = {English}, urldate = {2019-12-17} } @online{bassat:20170913:new:376f00f, author = {Omri Ben Bassat}, title = {{New Variants of Agent.BTZ/ComRAT Found: The Threat That Hit The Pentagon In 2008 Still Evolving; Part 2/2}}, date = {2017-09-13}, organization = {Intezer}, url = {http://www.intezer.com/new-variants-of-agent-btz-comrat-found-part-2/}, language = {English}, urldate = {2019-12-24} } @online{bassat:20180529:iron:5943a09, author = {Omri Ben Bassat}, title = {{Iron Cybercrime Group Under The Scope}}, date = {2018-05-29}, organization = {Intezer}, url = {https://www.intezer.com/iron-cybercrime-group-under-the-scope-2/}, language = {English}, urldate = {2019-12-05} } @techreport{bataille:201810:hunting:c5ffe40, author = {Adrian Bataille and Matias Bevilacqua}, title = {{Hunting for PLATINUM}}, date = {2018-10}, institution = {FireEye}, url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s01-hunting-for-platinum.pdf}, language = {English}, urldate = {2020-01-07} } @online{batsec:20200811:defending:7710531, author = {batsec}, title = {{Defending Your Malware}}, date = {2020-08-11}, organization = {Dylan Codes Blog}, url = {https://blog.dylan.codes/defending-your-malware/}, language = {English}, urldate = {2020-08-12} } @online{baumgartner:20141103:be2:ea8544a, author = {Kurt Baumgartner and Maria Garnaeva}, title = {{BE2 custom plugins, router abuse, and target profiles}}, date = {2014-11-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/}, language = {English}, urldate = {2019-12-20} } @online{baumgartner:20141208:penquin:afd9ae5, author = {Kurt Baumgartner and Costin Raiu}, title = {{The ‘Penquin’ Turla}}, date = {2014-12-08}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/67962/the-penquin-turla-2/}, language = {English}, urldate = {2019-12-20} } @online{baumgartner:20150217:be2:f7ce288, author = {Kurt Baumgartner and Maria Garnaeva}, title = {{BE2 extraordinary plugins, Siemens targeting, dev fails}}, date = {2015-02-17}, organization = {Kaspersky Labs}, url = {https://securelist.com/be2-extraordinary-plugins-siemens-targeting-dev-fails/68838/}, language = {English}, urldate = {2019-12-20} } @online{baumgartner:20150304:whos:0b8331c, author = {Kurt Baumgartner and Juan Andrés Guerrero-Saade}, title = {{Who’s Really Spreading through the Bright Star?}}, date = {2015-03-04}, organization = {Kaspersky Labs}, url = {https://securelist.com/whos-really-spreading-through-the-bright-star/68978/}, language = {English}, urldate = {2019-12-20} } @online{baumgartner:20150331:sinkholing:7a359b4, author = {Kurt Baumgartner and Costin Raiu}, title = {{Sinkholing Volatile Cedar DGA Infrastructure}}, date = {2015-03-31}, organization = {Kaspersky Labs}, url = {https://securelist.com/sinkholing-volatile-cedar-dga-infrastructure/69421/}, language = {English}, urldate = {2019-12-20} } @online{baumgartner:20150514:naikon:9edea2f, author = {Kurt Baumgartner and Maxim Golovkin}, title = {{The Naikon APT}}, date = {2015-05-14}, organization = {Kaspersky Labs}, url = {https://securelist.com/analysis/publications/69953/the-naikon-apt/}, language = {English}, urldate = {2019-12-20} } @techreport{baumgartner:20150529:msnmm:3d6b500, author = {Kurt Baumgartner and Maxim Golovkin}, title = {{THE MsnMM CAMPAIGNS: The Earliest Naikon APT Campaigns}}, date = {2015-05-29}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf}, language = {English}, urldate = {2020-01-09} } @techreport{baumgartner:201505:msnmm:13a9145, author = {Kurt Baumgartner and Maxim Golovkin}, title = {{The MsnMM Campaigns - The Earliest Naikon APTCampaigns}}, date = {2015-05}, institution = {Kaspersky Labs}, url = {https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/TheNaikonAPT-MsnMM1.pdf}, language = {English}, urldate = {2019-07-11} } @online{baumgartner:20150617:spring:dc116aa, author = {Kurt Baumgartner}, title = {{The Spring Dragon APT}}, date = {2015-06-17}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/70726/the-spring-dragon-apt/}, language = {English}, urldate = {2019-12-20} } @online{baumgartner:20161003:strongpity:d4a8c09, author = {Kurt Baumgartner}, title = {{On the StrongPity Waterhole Attacks Targeting Italian and Belgian Encryption Users}}, date = {2016-10-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/}, language = {English}, urldate = {2019-12-20} } @online{baumgartner:20161006:strongpity:898bc2b, author = {Kurt Baumgartner}, title = {{On the StrongPity Waterhole Attacks Targeting Italian and Belgian Encryption Users}}, date = {2016-10-06}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/conference/vb2016/abstracts/last-minute-paper-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users}, language = {English}, urldate = {2020-01-09} } @online{bautista:20190110:pylocky:92bf2fc, author = {Mike Bautista}, title = {{Pylocky Unlocked: Cisco Talos releases PyLocky ransomware decryptor}}, date = {2019-01-10}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/01/pylocky-unlocked-cisco-talos-releases.html}, language = {English}, urldate = {2019-10-15} } @online{baz:20170228:dridexs:f72a5ec, author = {Magal Baz and Or Safran}, title = {{Dridex’s Cold War: Enter AtomBombing}}, date = {2017-02-28}, organization = {Security Intelligence}, url = {https://securityintelligence.com/dridexs-cold-war-enter-atombombing/}, language = {English}, urldate = {2019-12-16} } @online{bazally:20161227:pegasus:9fd5170, author = {Max Bazally}, title = {{Pegasus internals: Technical Teardown of the Pegasus malware and Trident exploit chain}}, date = {2016-12-27}, organization = {CCC}, url = {https://media.ccc.de/v/33c3-7901-pegasus_internals}, language = {English}, urldate = {2020-01-08} } @online{beaumont:20190321:how:ecfbbf1, author = {Kevin Beaumont}, title = {{How Lockergoga took down Hydro — ransomware used in targeted attacks aimed at big business}}, date = {2019-03-21}, organization = {DoublePulsar}, url = {https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880}, language = {English}, urldate = {2019-11-29} } @online{beaumont:20201016:second:197ec38, author = {Kevin Beaumont}, title = {{Second Zerologon attacker seen exploiting internet honeypot}}, date = {2020-10-16}, organization = {Medium Doublepulsar}, url = {https://doublepulsar.com/second-zerologon-attacker-seen-exploiting-internet-honeypot-c7fb074451ef}, language = {English}, urldate = {2020-10-23} } @online{beckman:20171208:gratefulpos:0ba1053, author = {Kent Beckman}, title = {{GratefulPOS credit card stealing malware - just in time for the shopping season}}, date = {2017-12-08}, organization = {RSA}, url = {https://community.rsa.com/community/products/netwitness/blog/2017/12/08/gratefulpos-credit-card-stealing-malware-just-in-time-for-the-shopping-season}, language = {English}, urldate = {2020-01-08} } @online{beer:20190829:implant:f25a696, author = {Ian Beer and Project Zero}, title = {{Implant Teardown}}, date = {2019-08-29}, organization = {Google}, url = {https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html}, language = {English}, urldate = {2020-01-06} } @online{beery:20200903:bitcoin:932fb45, author = {Tal Be'ery}, title = {{The Bitcoin Ransomware Detective Strikes Again: The UCSF Case}}, date = {2020-09-03}, organization = {ZenGo}, url = {https://zengo.com/bitcoin-ransomware-detective-ucsf/}, language = {English}, urldate = {2020-09-06} } @online{bekerman:20170329:new:e4007ca, author = {Dima Bekerman}, title = {{New Mirai Variant Launches 54 Hour DDoS Attack against US College}}, date = {2017-03-29}, organization = {Imperva}, url = {https://www.incapsula.com/blog/new-mirai-variant-ddos-us-college.html}, language = {English}, urldate = {2020-01-05} } @online{bencsath:20170103:technical:1c2e81e, author = {Boldizsar Bencsath}, title = {{Technical details on the Fancy Bear Android malware (poprd30.apk)}}, date = {2017-01-03}, organization = {CrySyS Lab}, url = {http://blog.crysys.hu/2017/01/technical-details-on-the-fancy-bear-android-malware-poprd30-apk/}, language = {English}, urldate = {2020-01-09} } @online{bencsath:20170302:update:0e03ee6, author = {Boldizsar Bencsath}, title = {{Update on the Fancy Bear Android malware (poprd30.apk)}}, date = {2017-03-02}, organization = {Laboratory of Cryptography and System Security}, url = {http://blog.crysys.hu/2017/03/update-on-the-fancy-bear-android-malware-poprd30-apk/}, language = {English}, urldate = {2019-10-13} } @techreport{bencsath:201803:territorial:04343bb, author = {Boldizsar Bencsath}, title = {{Territorial Dispute – NSA’s perspective on APT landscape}}, date = {2018-03}, institution = {CrySyS Lab}, url = {https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf}, language = {English}, urldate = {2020-05-07} } @online{benge:20190502:qakbot:8c34660, author = {Ashlee Benge and Nick Randolph}, title = {{Qakbot levels up with new obfuscation techniques}}, date = {2019-05-02}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/05/qakbot-levels-up-with-new-obfuscation.html}, language = {English}, urldate = {2019-10-14} } @online{benkow:20140820:command:ec27583, author = {Benkow}, title = {{Command Line Confusion}}, date = {2014-08-20}, organization = {ThisIsSecurity}, url = {https://thisissecurity.stormshield.com/2014/08/20/poweliks-command-line-confusion/}, language = {English}, urldate = {2020-01-07} } @online{bennett:20130213:number:c947ab9, author = {James T. Bennett}, title = {{The Number of the Beast}}, date = {2013-02-13}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2013/02/the-number-of-the-beast.html}, language = {English}, urldate = {2020-04-24} } @online{bennett:20130228:its:1534b7e, author = {James T. Bennett}, title = {{It's a Kind of Magic}}, date = {2013-02-28}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2013/02/its-a-kind-of-magic-1.html}, language = {English}, urldate = {2020-04-24} } @online{bennett:20190424:carbanak:2376f75, author = {James T. Bennett and Michael Bailey}, title = {{CARBANAK Week Part Three: Behind the CARBANAK Backdoor}}, date = {2019-04-24}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-three-behind-the-backdoor.html}, language = {English}, urldate = {2019-12-20} } @online{bennett:20190425:carbanak:be237af, author = {James T. Bennett and Michael Bailey}, title = {{CARBANAK Week Part Four: The CARBANAK Desktop Video Player}}, date = {2019-04-25}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-four-desktop-video-player.html}, language = {English}, urldate = {2019-12-20} } @online{berchem:20170810:weltweite:5df6bfa, author = {Tom Berchem}, title = {{Weltweite Spamwelle verbreitet teuflische Variante des Locky}}, date = {2017-08-10}, organization = {botfrei Blog}, url = {https://blog.botfrei.de/2017/08/weltweite-spamwelle-verbreitet-teufliche-variante-des-locky/}, language = {German}, urldate = {2019-12-10} } @online{berdnikov:20170925:simple:62b80bb, author = {Vasily Berdnikov and Dmitry Karasovsky and Alexey Shulmin}, title = {{A simple example of a complex cyberattack}}, date = {2017-09-25}, organization = {Kaspersky Labs}, url = {https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636/}, language = {English}, urldate = {2019-12-20} } @techreport{berdnikov:20171125:microcin:69e0ae0, author = {Vasily Berdnikov and Dmitry Karasovsky and Alexey Shulmin}, title = {{MICROCIN MALWARE: TECHNICAL DETAILS AND INDICATORS OF COMPROMISE}}, date = {2017-11-25}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170759/Microcin_Technical_4PDF_eng_final_s.pdf}, language = {English}, urldate = {2020-04-06} } @online{berdnikov:20190313:fourth:98b1131, author = {Vasily Berdnikov and Boris Larin}, title = {{The fourth horseman: CVE-2019-0797 vulnerability}}, date = {2019-03-13}, organization = {Kaspersky Labs}, url = {https://securelist.com/cve-2019-0797-zero-day-vulnerability/89885/}, language = {English}, urldate = {2019-12-20} } @online{bergbom:20180206:danderspritzpeddlecheap:b09bc8f, author = {John Bergbom}, title = {{DanderSpritz/PeddleCheap traffic analysis (Part 1 of 2)}}, date = {2018-02-06}, organization = {Forcepoint}, url = {https://www.forcepoint.com/fr/blog/security-labs/new-whitepaper-danderspritzpeddlecheap-traffic-analysis-part-1-2#}, language = {English}, urldate = {2020-05-07} } @online{bergin:20160520:special:46b3cc4, author = {Tom Bergin and Nathan Layne}, title = {{Special Report: Cyber thieves exploit banks' faith in SWIFT transfer network}}, date = {2016-05-20}, organization = {Reuters}, url = {https://www.reuters.com/article/us-cyber-heist-swift-specialreport-idUSKCN0YB0DD}, language = {English}, urldate = {2019-12-17} } @online{bermejo:20170622:following:7126b3b, author = {Lenart Bermejo and Razor Huang and CH Lei}, title = {{Following the Trail of BlackTech’s Cyber Espionage Campaigns}}, date = {2017-06-22}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/}, language = {English}, urldate = {2019-12-24} } @techreport{bermejo:201706:following:61e6dae, author = {Lenart Bermejo and Razor Huang and CH Lei}, title = {{Following the Trail of BlackTech’s Cyber Espionage Campaigns}}, date = {2017-06}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/appendix-following-the-trail-of-blacktechs-cyber-espionage-campaigns.pdf}, language = {English}, urldate = {2020-01-07} } @online{bermejo:20170717:android:593475f, author = {Lenart Bermejo and Jordan Pan and Cedric Pernet}, title = {{Android Backdoor GhostCtrl can Silently Record Your Audio, Video, and More}}, date = {2017-07-17}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/android-backdoor-ghostctrl-can-silently-record-your-audio-video-and-more/}, language = {English}, urldate = {2020-01-13} } @online{bermejo:20170807:backdoorcarrying:317ebe3, author = {Lenart Bermejo and Ronnie Giagone and Rubio Wu and Fyodor Yarochkin}, title = {{Backdoor-carrying Emails Set Sights on Russian-speaking Businesses}}, date = {2017-08-07}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses/}, language = {English}, urldate = {2020-01-09} } @online{bermejo:20181120:lazarus:1d8d3b3, author = {Lenart Bermejo and Joelson Soares}, title = {{Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America}}, date = {2018-11-20}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-continues-heists-mounts-attacks-on-financial-organizations-in-latin-america/}, language = {English}, urldate = {2020-01-06} } @online{berninger:20200528:masked:44cad71, author = {Matthew Berninger}, title = {{The Masked SYNger: Investigating a Traffic Phenomenon}}, date = {2020-05-28}, organization = {Rapid7 Labs}, url = {https://blog.rapid7.com/2020/05/28/the-masked-synger-investigating-a-traffic-phenomenon/}, language = {English}, urldate = {2020-05-29} } @online{best:20150912:stuxnet:c9b43da, author = {Emma Best}, title = {{Stuxnet code}}, date = {2015-09-12}, organization = {Archive-org}, url = {https://archive.org/details/Stuxnet}, language = {English}, urldate = {2020-01-09} } @online{beukema:20200622:hijacking:b46d971, author = {Wietze Beukema}, title = {{Hijacking DLLs in Windows}}, date = {2020-06-22}, organization = {wietzebeukema.nl}, url = {https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows}, language = {English}, urldate = {2020-06-24} } @online{beuth:20200617:die:4272009, author = {Patrick Beuth}, title = {{Die erste Cyberwaffe und ihre Folgen}}, date = {2020-06-17}, organization = {Der Spiegel}, url = {https://www.spiegel.de/netzwelt/web/die-erste-cyberwaffe-und-ihre-folgen-a-a0ed08c9-5080-4ac2-8518-ed69347dc147}, language = {German}, urldate = {2020-06-18} } @online{bhat:20160201:tracking:f5fa1f1, author = {Raashid Bhat}, title = {{Tracking the footprints of PushDo Trojan}}, date = {2016-02-01}, organization = {Blueliv}, url = {https://www.blueliv.com/research/tracking-the-footproints-of-pushdo-trojan/}, language = {English}, urldate = {2019-11-20} } @online{bhat:20170222:dissecting:8124914, author = {Raashid Bhat}, title = {{Dissecting the Qadars Banking Trojan}}, date = {2017-02-22}, organization = {PhishLabs}, url = {https://info.phishlabs.com/blog/dissecting-the-qadars-banking-trojan}, language = {English}, urldate = {2019-12-20} } @online{bhat:20180906:dissecting:8c82fb5, author = {Raashid Bhat}, title = {{Dissecting DEloader malware with obfuscation}}, date = {2018-09-06}, organization = {int 0xcc blog}, url = {https://int0xcc.svbtle.com/dissecting-obfuscated-deloader-malware}, language = {English}, urldate = {2020-01-06} } @online{bhat:20180918:taste:e7dd98d, author = {Raashid Bhat}, title = {{A taste of our own medicine: How SmokeLoader is deceiving configuration extraction by using binary code as bait}}, date = {2018-09-18}, organization = {int 0xcc blog}, url = {https://int0xcc.svbtle.com/a-taste-of-our-own-medicine-how-smokeloader-is-deceiving-dynamic-configuration-extraction-by-using-binary-code-as-bait}, language = {English}, urldate = {2020-01-10} } @online{bhat:20190422:dissecting:ffba987, author = {Raashid Bhat}, title = {{Dissecting Emotet’s network communication protocol}}, date = {2019-04-22}, organization = {int 0xcc blog}, url = {https://int0xcc.svbtle.com/dissecting-emotet-s-network-communication-protocol}, language = {English}, urldate = {2020-01-06} } @online{bhat:20190730:practical:d049779, author = {Raashid Bhat}, title = {{Practical Threat Hunting and Incidence Response : A Case of A Pony Malware Infection}}, date = {2019-07-30}, organization = {int 0xcc blog}, url = {https://int0xcc.svbtle.com/practical-threat-hunting-and-incidence-response-a-case-of-a-pony-malware-infection}, language = {English}, urldate = {2020-01-08} } @online{bhat:20200311:emotet:c178008, author = {Raashid Bhat}, title = {{Tweet on Emotet Deobfuscation with Video}}, date = {2020-03-11}, organization = {Twitter (@raashidbhatt)}, url = {https://twitter.com/raashidbhatt/status/1237853549200936960}, language = {English}, urldate = {2020-03-13} } @online{bhat:20200331:emotet:50264e0, author = {Raashid Bhat}, title = {{Emotet Binary Deobfuscation | Coconut Paradise | Episode 1}}, date = {2020-03-31}, organization = {Youtube (Infosec Alpha)}, url = {https://www.youtube.com/watch?v=_mGMJFNJWSk}, language = {English}, urldate = {2020-04-23} } @online{bhat:20200422:flattenthecurve:0bdf5a3, author = {Raashid Bhat}, title = {{FlattenTheCurve - Emotet Control Flow Unflattening | Episode 2}}, date = {2020-04-22}, organization = {Youtube (Infosec Alpha)}, url = {https://www.youtube.com/watch?v=8PHCZdpNKrw}, language = {English}, urldate = {2020-04-23} } @online{biaczak:20200901:characterizing:422e6a1, author = {Piotr Białczak and Wojciech Mazurczyk}, title = {{Characterizing Anomalies in Malware-Generated HTTP Traffic}}, date = {2020-09-01}, url = {https://www.hindawi.com/journals/scn/2020/8848863/}, language = {English}, urldate = {2020-09-03} } @online{biasini:20171024:threat:7bd8515, author = {Nick Biasini}, title = {{Threat Spotlight: Follow the Bad Rabbit}}, date = {2017-10-24}, organization = {Cisco Talos}, url = {http://blog.talosintelligence.com/2017/10/bad-rabbit.html}, language = {English}, urldate = {2019-12-10} } @online{biasini:20180509:gandcrab:50296a6, author = {Nick Biasini and Nick Lister and Christopher Marczewski}, title = {{Gandcrab Ransomware Walks its Way onto Compromised Sites}}, date = {2018-05-09}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2018/05/gandcrab-compromised-sites.html}, language = {English}, urldate = {2019-10-21} } @online{biasini:20190220:combing:bdc059c, author = {Nick Biasini and Edmund Brumaghin and Matthew Molyett}, title = {{Combing Through Brushaloader Amid Massive Detection Uptick}}, date = {2019-02-20}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/02/combing-through-brushaloader.html}, language = {English}, urldate = {2019-11-29} } @online{biasini:20190425:jasperloader:ebe50ca, author = {Nick Biasini and Edmund Brumaghin and Andrew Williams}, title = {{JasperLoader Emerges, Targets Italy with Gootkit Banking Trojan}}, date = {2019-04-25}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2019/04/jasperloader-targets-italy.html}, language = {English}, urldate = {2020-01-09} } @online{biasini:20190523:sorpresa:e7cbd9d, author = {Nick Biasini and Edmund Brumaghin}, title = {{Sorpresa! JasperLoader targets Italy with a new bag of tricks}}, date = {2019-05-23}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/05/sorpresa-jasperloader.html}, language = {English}, urldate = {2020-01-06} } @online{biasini:20200213:threat:443d687, author = {Nick Biasini and Edmund Brumaghin}, title = {{Threat actors attempt to capitalize on coronavirus outbreak}}, date = {2020-02-13}, organization = {Talos}, url = {https://blog.talosintelligence.com/2020/02/coronavirus-themed-malware.html}, language = {English}, urldate = {2020-03-19} } @online{biasini:20200511:astaroth:f325070, author = {Nick Biasini and Edmund Brumaghin and Nick Lister}, title = {{Astaroth - Maze of obfuscation and evasion reveals dark stealer}}, date = {2020-05-11}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/05/astaroth-analysis.html}, language = {English}, urldate = {2020-05-11} } @online{biasini:20200701:threat:a726b7e, author = {Nick Biasini and Edmund Brumaghin and Mariano Graziano}, title = {{Threat Spotlight: Valak Slithers Its Way Into Manufacturing and Transportation Networks}}, date = {2020-07-01}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/07/valak-emerges.html}, language = {English}, urldate = {2020-08-18} } @online{biermann:20201008:hanois:3f2def5, author = {Kai Biermann and Thi Do Nguyen and Hakan Tanriverdi and Maximilian Zierer}, title = {{Hanois Hacker}}, date = {2020-10-08}, organization = {ZEIT Online}, url = {https://www.zeit.de/politik/deutschland/2020-10/cyberspionage-vietnam-hackerangriffe-deutschland-bmw-verfassungsschutz-oceanlotus-apt32/komplettansicht}, language = {German}, urldate = {2020-10-12} } @techreport{bilodeau:201403:operation:40b7f42, author = {Olivier Bilodeau and Pierre-Marc Bureau and Joan Calvet and Alexis Dorais-Joncas and Marc-Etienne M.Léveillé and Benjamin Vanheuverzwijn}, title = {{OPERATION WINDIGO}}, date = {2014-03}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf}, language = {English}, urldate = {2020-01-08} } @online{bing:20170418:shadow:f8c81a6, author = {Chris Bing}, title = {{Shadow Brokers leaks show U.S. spies successfully hacked Russian, Iranian targets}}, date = {2017-04-18}, organization = {CyberScoop}, url = {https://www.cyberscoop.com/nsa-shadow-brokers-leaks-iran-russia-optimusprime-stoicsurgeon/}, language = {English}, urldate = {2020-01-12} } @online{bing:20180320:kasperskys:9cf65c1, author = {Chris Bing and Patrick Howell O'Neill}, title = {{Kaspersky's 'Slingshot' report burned an ISIS-focused intelligence operation}}, date = {2018-03-20}, organization = {CyberScoop}, url = {https://www.cyberscoop.com/kaspersky-slingshot-isis-operation-socom-five-eyes/}, language = {English}, urldate = {2019-07-11} } @techreport{biradar:20150120:reversing:8a25caf, author = {Basavaraj K. Biradar}, title = {{Reversing the Inception APT malware}}, date = {2015-01-20}, institution = {Blue Coat}, url = {https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/Inception_APT_Analysis_Bluecoat.pdf}, language = {English}, urldate = {2020-04-21} } @online{bishopfox:20190117:sliver:915fc7e, author = {BishopFox}, title = {{Sliver Implant Framework}}, date = {2019-01-17}, organization = {Github (BishopFox)}, url = {https://github.com/BishopFox/sliver}, language = {English}, urldate = {2020-01-07} } @techreport{bissell:2018:latest:1c1fba4, author = {Kelly Bissell and Joshua Ray and Uwe Kissman and Ryan LaSalle and Gareth Russell}, title = {{LATEST CYBER ESPIONAGE MALWARE ATTACKS}}, date = {2018}, institution = {Accenture Security}, url = {https://www.accenture.com/t00010101T000000Z__w__/gb-en/_acnmedia/PDF-46/Accenture-Security-Elise-Threat-Analysis.pdf}, language = {English}, urldate = {2020-01-08} } @techreport{bitdefender:20151217:apt28:fca586f, author = {Bitdefender}, title = {{APT28 Under the Scope: A Journey into Exfiltrating Intelligence and Government Information}}, date = {2015-12-17}, institution = {Bitdefender}, url = {https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf}, language = {English}, urldate = {2020-01-09} } @techreport{bitdefender:20160630:pacifier:2b7078c, author = {Bitdefender}, title = {{Pacifier APT}}, date = {2016-06-30}, institution = {Bitdefender}, url = {http://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf}, language = {English}, urldate = {2020-01-13} } @techreport{bitdefender:20160630:pacifier:642af11, author = {Bitdefender}, title = {{Pacifier APT}}, date = {2016-06-30}, institution = {Bitdefender}, url = {https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf}, language = {English}, urldate = {2020-01-08} } @techreport{bitdefender:20160630:pacifier:cbcb081, author = {Bitdefender}, title = {{Pacifier APT}}, date = {2016-06-30}, institution = {Bitdefender}, url = {https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender-Whitepaper-PAC-A4-en_EN1.pdf}, language = {English}, urldate = {2020-01-09} } @techreport{bitdefender:20170221:dissecting:eec4e1f, author = {Bitdefender}, title = {{Dissecting the APT28 Mac OS X Payload}}, date = {2017-02-21}, institution = {Bitdefender}, url = {https://download.bitdefender.com/resources/files/News/CaseStudies/study/143/Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web.pdf}, language = {English}, urldate = {2020-01-10} } @techreport{bitdefender:20190604:blueprint:ce0583c, author = {Bitdefender}, title = {{An APT Blueprint: Gaining New Visibility into Financial Threats}}, date = {2019-06-04}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf}, language = {English}, urldate = {2019-12-18} } @techreport{bitdefender:20191029:close:30321a7, author = {Bitdefender}, title = {{A close look at Fallout Exploit Kit and Raccoon Stealer}}, date = {2019-10-29}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/289/Bitdefender-WhitePaper-Fallout.pdf}, language = {English}, urldate = {2020-01-09} } @online{bitensky:20170518:uiwix:4cc9aa8, author = {Gal Bitensky}, title = {{UIWIX – Evasive Ransomware Exploiting ETERNALBLUE}}, date = {2017-05-18}, organization = {Minerva}, url = {https://www.minerva-labs.com/post/uiwix-evasive-ransomware-exploiting-eternalblue}, language = {English}, urldate = {2020-01-08} } @online{bitensky:20180517:analyzing:c25d2ac, author = {Gal Bitensky}, title = {{Analyzing an AZORult Attack – Evasion in a Cloak of Multiple Layers}}, date = {2018-05-17}, organization = {Minerva Labs}, url = {https://blog.minerva-labs.com/puffstealer-evasion-in-a-cloak-of-multiple-layers}, language = {English}, urldate = {2019-10-14} } @online{bizeul:20140711:eye:3cb48c1, author = {David Bizeul and Ivan Fontarensky and Ronan Mouchoux and Fabien Perigaud and Cedric Pernet}, title = {{The Eye of the Tiger}}, date = {2014-07-11}, organization = {Airbus}, url = {http://blog.airbuscybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2}, language = {English}, urldate = {2019-11-25} } @online{bizeul:20140711:eye:bdaf0a0, author = {David Bizeul and Ivan Fontarensky and Ronan Mouchoux and Fabien Perigaud and Cedric Pernet}, title = {{The Eye of the Tiger}}, date = {2014-07-11}, organization = {Airbus}, url = {http://blog.cassidiancybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2}, language = {English}, urldate = {2019-11-29} } @online{bkmsft:20190724:apt17:8b88bcb, author = {Ben K (bkMSFT)}, title = {{Tweet on APT17}}, date = {2019-07-24}, organization = {Twitter (@bkMSFT)}, url = {https://twitter.com/bkMSFT/status/1153994428949749761}, language = {English}, urldate = {2020-01-07} } @online{bkmsft:20191203:zirconium:c025731, author = {Ben K (bkMSFT)}, title = {{Tweet on ZIRCONIUM alias for APT31}}, date = {2019-12-03}, organization = {Twitter (@bkMSFT)}, url = {https://twitter.com/bkMSFT/status/1201876664667582466}, language = {English}, urldate = {2020-06-16} } @online{black:20180703:iranian:2e94ec4, author = {Samantha Black}, title = {{Iranian APT Charming Kitten impersonates ClearSky, the security firm that uncovered its campaigns}}, date = {2018-07-03}, organization = {Cyware}, url = {https://cyware.com/news/iranian-apt-charming-kitten-impersonates-clearsky-the-security-firm-that-uncovered-its-campaigns-7fea0b4f}, language = {English}, urldate = {2020-01-08} } @online{blackhacker511:20190104:github:e7e5d16, author = {BlackHacker511}, title = {{Github Repository: BlackNET}}, date = {2019-01-04}, organization = {Github (BlackHacker511)}, url = {https://github.com/FarisCode511/BlackNET/}, language = {English}, urldate = {2020-07-13} } @online{blackhacker511:20191123:blackworm:9cf1955, author = {BlackHacker511}, title = {{BlackWorm v6.0 Black Ninja}}, date = {2019-11-23}, organization = {Github (BlackHacker511)}, url = {https://github.com/BlackHacker511/BlackWorm}, language = {English}, urldate = {2020-01-13} } @techreport{blackorbird:20191205:apt32:0afe4e7, author = {blackorbird}, title = {{APT32 Report}}, date = {2019-12-05}, institution = {Github (blackorbird)}, url = {https://github.com/blackorbird/APT_REPORT/blob/master/Oceanlotus/apt32_report_2019.pdf}, language = {Japanese}, urldate = {2020-01-10} } @online{blackorbird:20200408:wannaren:8da1d44, author = {blackorbird}, title = {{Tweet on WannaRen}}, date = {2020-04-08}, organization = {Twitter (@blackorbird)}, url = {https://twitter.com/blackorbird/status/1247834024711577601}, language = {English}, urldate = {2020-05-05} } @techreport{blaich:20180118:dark:31c31f6, author = {Andrew Blaich and Apurva Kumar and Jeremy Richards and Michael Flossman and Cooper Quintin and Eva Galperin}, title = {{Dark Caracal: Cyber-espionage at a Global Scal}}, date = {2018-01-18}, institution = {Lookout}, url = {https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf}, language = {English}, urldate = {2020-06-08} } @online{blasco:20120702:sykipot:09eeec7, author = {Jaime Blasco}, title = {{Sykipot is back}}, date = {2012-07-02}, organization = {AT&T}, url = {https://www.alienvault.com/blogs/labs-research/sykipot-is-back}, language = {English}, urldate = {2019-12-18} } @online{blasco:20130321:new:511f1a7, author = {Jaime Blasco}, title = {{New Sykipot developments}}, date = {2013-03-21}, organization = {AT&T}, url = {https://www.alienvault.com/open-threat-exchange/blog/new-sykipot-developments}, language = {English}, urldate = {2020-01-12} } @online{blasco:20140828:scanbox:a0cc92a, author = {Jaime Blasco}, title = {{Scanbox: A Reconnaissance Framework Used with Watering Hole Attacks}}, date = {2014-08-28}, organization = {AT&T}, url = {https://www.alienvault.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks}, language = {English}, urldate = {2019-12-06} } @online{blasco:20190402:xwo:11817a2, author = {Jaime Blasco and Chris Doman}, title = {{Xwo - A Python-based bot scanner}}, date = {2019-04-02}, organization = {AT&T}, url = {https://www.alienvault.com/blogs/labs-research/xwo-a-python-based-bot-scanner}, language = {English}, urldate = {2020-01-06} } @online{bleepingcomputer:20170417:remove:4727489, author = {BleepingComputer}, title = {{Remove Search.searchetan.com Chrome New Tab Page}}, date = {2017-04-17}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/virus-removal/remove-search-searchetan.com-chrome-new-tab-page}, language = {English}, urldate = {2020-01-06} } @online{blog:20081124:iwormnuwarw:424455b, author = {NoVirusThanks Blog}, title = {{I-Worm/Nuwar.W + Rustock.E Variant – Analysis}}, date = {2008-11-24}, organization = {NoVirusThanks Blog}, url = {http://blog.novirusthanks.org/2008/11/i-wormnuwarw-rustocke-variant-analysis/}, language = {English}, urldate = {2019-10-15} } @online{blog:20170413:decrypting:c59a1bd, author = {Koodous Blog}, title = {{Decrypting Bankbot communications.}}, date = {2017-04-13}, organization = {Koodous}, url = {http://blog.koodous.com/2017/04/decrypting-bankbot-communications.html}, language = {English}, urldate = {2019-08-07} } @techreport{blueliv:20151026:chasing:975ef1a, author = {Blueliv}, title = {{Chasing cybercrime: network insights of Dyre and Dridex Trojan bankers}}, date = {2015-10-26}, institution = {Blueliv}, url = {https://www.blueliv.com/downloads/documentation/reports/Network_insights_of_Dyre_and_Dridex_Trojan_bankers.pdf}, language = {English}, urldate = {2020-01-13} } @techreport{blueliv:201609:chasing:1c02f62, author = {Blueliv}, title = {{Chasing Cybercrime: Network insights into Vawtrak v2}}, date = {2016-09}, institution = {Blueliv}, url = {https://www.blueliv.com/downloads/network-insights-into-vawtrak-v2.pdf}, language = {English}, urldate = {2020-01-07} } @online{blueliv:20171006:trickbot:a2a9ac8, author = {Blueliv}, title = {{TrickBot banking trojan using EFLAGS as an anti-hook technique}}, date = {2017-10-06}, organization = {Blueliv}, url = {https://www.blueliv.com/research/trickbot-banking-trojan-using-eflags-as-an-anti-hook-technique/}, language = {English}, urldate = {2020-01-08} } @techreport{blueliv:201807:necurs:652cee2, author = {Blueliv}, title = {{Necurs Malware Overview}}, date = {2018-07}, institution = {Blueliv}, url = {https://www.blueliv.com/wp-content/uploads/2018/07/Blueliv-Necurs-report-2017.pdf}, language = {English}, urldate = {2019-12-10} } @online{bocereg:20200924:apps:88b3497, author = {Alexandra Bocereg and Oana Asoltanei and Ioan-Septimiu Dinulica and Bogdan Botezatu}, title = {{Apps on Google Play Tainted with Cerberus Banker Malware}}, date = {2020-09-24}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2020/09/apps-on-google-play-tainted-with-cerberus-banker-malware/}, language = {English}, urldate = {2020-10-13} } @online{boczan:20180605:evolution:372e566, author = {Tamas Boczan}, title = {{The Evolution of GandCrab Ransomware}}, date = {2018-06-05}, organization = {VMRay}, url = {http://www.vmray.com/cyber-security-blog/gandcrab-ransomware-evolution-analysis/}, language = {English}, urldate = {2019-11-20} } @online{boczan:20190625:analyzing:fe5a161, author = {Tamas Boczan}, title = {{Analyzing Ursnif’s Behavior Using a Malware Sandbox}}, date = {2019-06-25}, organization = {VMRay}, url = {https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/}, language = {English}, urldate = {2019-12-17} } @online{boddy:20170615:trickbot:6eb1db4, author = {Sara Boddy and Jesse Smith and Doron Voolf}, title = {{Trickbot Expands Global Targets Beyond Banks and Payment Processors to CRMs}}, date = {2017-06-15}, organization = {F5}, url = {https://f5.com/labs/articles/threat-intelligence/malware/trickbot-expands-global-targets-beyond-banks-and-payment-processors-to-crms}, language = {English}, urldate = {2019-12-24} } @online{boguslavskiy:20200715:inside:f9b95b1, author = {Yelisey Boguslavskiy and Samantha van de Ven}, title = {{Inside REvil Extortionist “Machine”: Predictive Insights}}, date = {2020-07-15}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/inside-revil-extortionist-machine-predictive-insights}, language = {English}, urldate = {2020-07-16} } @online{bohio:20150319:analyzing:eac298c, author = {Muhammad Junaid Bohio}, title = {{Analyzing a Backdoor/Bot forthe MIPS Platform}}, date = {2015-03-19}, url = {https://www.sans.org/reading-room/whitepapers/malicious/analyzing-backdoor-bot-mips-platform-35902}, language = {English}, urldate = {2020-09-21} } @online{boldewin:20181231:fastcashmalwaredissected:d72e332, author = {Frank Boldewin}, title = {{FastCashMalwareDissected}}, date = {2018-12-31}, organization = {Github Repository}, url = {https://github.com/fboldewin/FastCashMalwareDissected/}, language = {English}, urldate = {2019-07-10} } @online{boldewin:20190328:javadispcash:8899167, author = {Frank Boldewin}, title = {{Tweet on JavaDispCash}}, date = {2019-03-28}, organization = {Twitter (@r3c0nst)}, url = {https://twitter.com/r3c0nst/status/1111254169623674882}, language = {English}, urldate = {2020-01-06} } @online{boldewin:20190601:atm:7c1d0c2, author = {Frank Boldewin}, title = {{Tweet on ATM Malware NVISOSPIT}}, date = {2019-06-01}, organization = {Twitter (@r3c0nst)}, url = {https://twitter.com/r3c0nst/status/1135606944427905025}, language = {English}, urldate = {2019-11-26} } @online{boldewin:20190710:xfs:aa523ad, author = {Frank Boldewin}, title = {{Tweet on XFS ATM malware}}, date = {2019-07-10}, organization = {Twitter (@r3c0nst)}, url = {https://twitter.com/r3c0nst/status/1149043362244308992}, language = {English}, urldate = {2020-01-06} } @online{boldewin:20190828:atm:b393cb8, author = {Frank Boldewin}, title = {{Tweet on ATM Malware}}, date = {2019-08-28}, organization = {Twitter (@r3c0nst)}, url = {https://twitter.com/r3c0nst/status/1166773324548063232}, language = {English}, urldate = {2019-12-05} } @online{boldewin:20191129:libertad:974f5d8, author = {Frank Boldewin}, title = {{Libertad y gloria - A Mexican cyber heist story - CyberCrimeCon19 Singapore}}, date = {2019-11-29}, organization = {Github (fboldewin)}, url = {https://github.com/fboldewin/Libertad-y-gloria---A-Mexican-cyber-heist-story---CyberCrimeCon19-Singapore}, language = {English}, urldate = {2019-12-17} } @online{boldewin:20200227:dispcashbr:7dda1c8, author = {Frank Boldewin}, title = {{Tweet on DispCashBR}}, date = {2020-02-27}, organization = {Twitter (@r3c0nst)}, url = {https://twitter.com/r3c0nst/status/1232944566208286720}, language = {English}, urldate = {2020-02-27} } @online{boldewin:20200817:loup:c8e43e4, author = {Frank Boldewin}, title = {{Tweet on Loup}}, date = {2020-08-17}, organization = {Twitter (@r3c0nst)}, url = {https://twitter.com/r3c0nst/status/1295275546780327936}, language = {English}, urldate = {2020-08-17} } @online{bone:20200617:detecting:be87469, author = {Rob Bone}, title = {{Detecting PoshC2 – Indicators of Compromise}}, date = {2020-06-17}, organization = {Nettitude Labs}, url = {https://labs.nettitude.com/blog/detecting-poshc2-indicators-of-compromise/}, language = {English}, urldate = {2020-06-18} } @online{bonfa:20101115:tracing:4f23185, author = {Giuseppe Bonfa}, title = {{Tracing the Crimeware Origins by Reversing Injected Code}}, date = {2010-11-15}, organization = {Infosec}, url = {http://resources.infosecinstitute.com/zeroaccess-malware-part-4-tracing-the-crimeware-origins-by-reversing-injected-code/}, language = {English}, urldate = {2020-01-05} } @online{bonfa:20101116:zeroaccess:14293db, author = {Giuseppe Bonfa}, title = {{ZEROACCESS MALWARE - PART 3: The Device Driver Process Injection Rootkit}}, date = {2010-11-16}, url = {http://resources.infosecinstitute.com/zeroaccess-malware-part-3-the-device-driver-process-injection-rootkit/}, language = {English}, urldate = {2020-01-08} } @online{bonfa:20101120:kernelmode:b6d039e, author = {Giuseppe Bonfa}, title = {{The Kernel-Mode Device Driver Stealth Rootkit}}, date = {2010-11-20}, organization = {InfoSec Institute}, url = {http://resources.infosecinstitute.com/zeroaccess-malware-part-2-the-kernel-mode-device-driver-stealth-rootkit/}, language = {English}, urldate = {2020-01-13} } @online{bonfa:201011:zeroaccess:fd02426, author = {Giuseppe Bonfa}, title = {{ZEROACCESS MALWARE - PART 1: De-Obfuscating and Reversing the User-Mode Agent Dropper}}, date = {2010-11}, organization = {InfoSec Institute}, url = {http://resources.infosecinstitute.com/step-by-step-tutorial-on-reverse-engineering-malware-the-zeroaccessmaxsmiscer-crimeware-rootkit/}, language = {English}, urldate = {2019-12-17} } @online{borders:20190329:exodus:e3044af, author = {Security without Borders}, title = {{Exodus: New Android Spyware Made in Italy}}, date = {2019-03-29}, organization = {Security Without Borders}, url = {https://securitywithoutborders.org/blog/2019/03/29/exodus.html}, language = {English}, urldate = {2019-07-09} } @techreport{boris:20141113:computer:290f01d, author = {Ivanov Boris}, title = {{Computer Forensic Investigation of mobile Banking Trojan}}, date = {2014-11-13}, institution = {ZeroNights}, url = {http://2014.zeronights.ru/assets/files/slides/ivanovb-zeronights.pdf}, language = {English}, urldate = {2019-11-27} } @online{borja:20200914:analysis:36d3fee, author = {Aprilyn Borja and Abraham Camba and Khristoffer Jocson and Ryan Maglaque and Gilbert Sison and Jay Yaneza}, title = {{Analysis of a Convoluted Attack Chain Involving Ngrok}}, date = {2020-09-14}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/20/i/analysis-of-a-convoluted-attack-chain-involving-ngrok.html}, language = {English}, urldate = {2020-09-23} } @online{boscovich:20120913:microsoft:da601a2, author = {Richard Domingues Boscovich}, title = {{Microsoft Disrupts the Emerging Nitol Botnet Being Spread through an Unsecure Supply Chain}}, date = {2012-09-13}, organization = {Microsoft}, url = {https://blogs.technet.microsoft.com/microsoft_blog/2012/09/13/microsoft-disrupts-the-emerging-nitol-botnet-being-spread-through-an-unsecure-supply-chain/}, language = {English}, urldate = {2020-01-13} } @online{botezatu:20170505:inside:0cff0e6, author = {Bogdan Botezatu and Alexandru Maximciuc and Cristina Vatamanu and Adrian Schipur}, title = {{Inside Netrepser – a JavaScript-based Targeted Attack}}, date = {2017-05-05}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2017/05/inside-netrepser-a-javascript-based-targeted-attack/}, language = {English}, urldate = {2020-01-08} } @online{botezatu:20180124:new:f993782, author = {Bogdan Botezatu}, title = {{New Hide ‘N Seek IoT Botnet using custom-built Peer-to-Peer communication spotted in the wild}}, date = {2018-01-24}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2018/01/new-hide-n-seek-iot-botnet-using-custom-built-peer-to-peer-communication-spotted-in-the-wild/}, language = {English}, urldate = {2020-01-08} } @online{botezatu:20180413:radrat:e2bc7ad, author = {Bogdan Botezatu and Eduard Budaca}, title = {{RadRAT: An all-in-one toolkit for complex espionage ops}}, date = {2018-04-13}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2018/04/radrat-an-all-in-one-toolkit-for-complex-espionage-ops/}, language = {English}, urldate = {2020-01-09} } @online{botezatu:20180507:hide:0fd8d9a, author = {Bogdan Botezatu}, title = {{Hide and Seek IoT Botnet resurfaces with new tricks, persistence}}, date = {2018-05-07}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2018/05/hide-and-seek-iot-botnet-resurfaces-with-new-tricks-persistence/}, language = {English}, urldate = {2020-01-06} } @online{botezatu:20181025:gandcrab:4e85fe9, author = {Bogdan Botezatu}, title = {{GandCrab Ransomware decryption tool}}, date = {2018-10-25}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2018/02/gandcrab-ransomware-decryption-tool-available-for-free/}, language = {English}, urldate = {2020-01-10} } @online{botezatu:20190219:new:21079a9, author = {Bogdan Botezatu}, title = {{New GandCrab v5.1 Decryptor Available Now}}, date = {2019-02-19}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2019/02/new-gandcrab-v5-1-decryptor-available-now/}, language = {English}, urldate = {2019-10-15} } @online{botezatu:20190416:inside:8302b5d, author = {Bogdan Botezatu and Cristofor Ochinca and Andrei Ardelean}, title = {{Inside Scranos – A Cross Platform, Rootkit-Enabled Spyware Operation}}, date = {2019-04-16}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2019/04/inside-scranos-a-cross-platform-rootkit-enabled-spyware-operation/}, language = {English}, urldate = {2019-12-18} } @online{botezatu:20190617:good:c24ed06, author = {Bogdan Botezatu}, title = {{Good riddance, GandCrab! We’re still fixing the mess you left behind}}, date = {2019-06-17}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2019/06/good-riddance-gandcrab-were-still-fixing-the-mess-you-left-behind}, language = {English}, urldate = {2020-01-10} } @techreport{botezatu:20190625:scranos:13c5096, author = {Bogdan Botezatu and Andrei Ardelean and Cristofor Ochinca and Cristian Alexandru and Istrate and Claudiu Stefan Coblis}, title = {{Scranos Revisited – Rethinking persistence to keep established network alive}}, date = {2019-06-25}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/271/Bitdefender-Whitepaper-Scranos-2.pdf}, language = {English}, urldate = {2020-01-08} } @online{bousseaden:20200625:close:be8a8b2, author = {Samir Bousseaden and Daniel Stepanic}, title = {{A close look at the advanced techniques used in a Malaysian-focused APT campaign}}, date = {2020-06-25}, organization = {Elastic}, url = {https://www.elastic.co/blog/advanced-techniques-used-in-malaysian-focused-apt-campaign}, language = {English}, urldate = {2020-06-25} } @online{boutin:20131218:qadars:98a9a63, author = {Jean-Ian Boutin}, title = {{Qadars – a banking Trojan with the Netherlands in its sights}}, date = {2013-12-18}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2013/12/18/qadars-a-banking-trojan-with-the-netherlands-in-its-sights/}, language = {English}, urldate = {2019-11-14} } @online{boutin:20150409:operation:077f5fe, author = {Jean-Ian Boutin}, title = {{Operation Buhtrap, the trap for Russian accountants}}, date = {2015-04-09}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2015/04/09/operation-buhtrap/}, language = {English}, urldate = {2019-11-14} } @online{boutin:20151111:operation:baffed9, author = {Jean-Ian Boutin}, title = {{Operation Buhtrap malware distributed via ammyy.com}}, date = {2015-11-11}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2015/11/11/operation-buhtrap-malware-distributed-via-ammyy-com/}, language = {English}, urldate = {2020-01-08} } @online{boutin:20170606:turlas:f9b4935, author = {Jean-Ian Boutin}, title = {{Turla’s watering hole campaign: An updated Firefox extension abusing Instagram}}, date = {2017-06-06}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/06/06/turlas-watering-hole-campaign-updated-firefox-extension-abusing-instagram/}, language = {English}, urldate = {2019-11-14} } @online{boutin:20181105:bluehat:65f6d65, author = {Jean-Ian Boutin and Frédéric Vachon}, title = {{BlueHat v18 || First STRONTIUM UEFI Rootkit Unveiled}}, date = {2018-11-05}, organization = {Youtube (MSRC)}, url = {https://www.youtube.com/watch?v=VeoXT0nEcFU}, language = {English}, urldate = {2019-12-17} } @online{boutin:20190711:buhtrap:ec174bc, author = {Jean-Ian Boutin}, title = {{Buhtrap group uses zero‑day in latest espionage campaigns}}, date = {2019-07-11}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/07/11/buhtrap-zero-day-espionage-campaigns/}, language = {English}, urldate = {2019-11-14} } @online{boutin:20200611:gamaredon:14a96c2, author = {Jean-Ian Boutin}, title = {{Gamaredon group grows its game}}, date = {2020-06-11}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/}, language = {English}, urldate = {2020-06-11} } @online{boutin:20201012:eset:a7eeb51, author = {Jean-Ian Boutin}, title = {{ESET takes part in global operation to disrupt Trickbot}}, date = {2020-10-12}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/10/12/eset-takes-part-global-operation-disrupt-trickbot/}, language = {English}, urldate = {2020-10-12} } @online{brad:20180117:reviewing:49ad844, author = {brad}, title = {{Reviewing the spam filters: Malspam pushing Gozi-ISFB}}, date = {2018-01-17}, organization = {SANS ISC}, url = {https://isc.sans.edu/forums/diary/Reviewing+the+spam+filters+Malspam+pushing+GoziISFB/23245}, language = {English}, urldate = {2019-12-20} } @online{brady:20190117:pond:572e6e8, author = {Matthew Brady}, title = {{Pond Loach delivers BadCake malware}}, date = {2019-01-17}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/blogs-pond-loach-delivers-badcake-malware}, language = {English}, urldate = {2020-03-03} } @online{brandt:20190503:megacortex:fc2d16b, author = {Andrew Brandt}, title = {{“MegaCortex” ransomware wants to be The One}}, date = {2019-05-03}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2019/05/03/megacortex-ransomware-wants-to-be-the-one/}, language = {English}, urldate = {2019-11-27} } @online{brandt:20200206:living:811742c, author = {Andrew Brandt and Mark Loman}, title = {{Living off another land: Ransomware borrows vulnerable driver to remove security software}}, date = {2020-02-06}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2020/02/06/living-off-another-land-ransomware-borrows-vulnerable-driver-to-remove-security-software/}, language = {English}, urldate = {2020-02-13} } @online{brandt:20200624:glupteba:fc4095d, author = {Andrew Brandt}, title = {{Glupteba malware hides in plain sight}}, date = {2020-06-24}, organization = {Sophos Labs}, url = {https://news.sophos.com/en-us/2020/06/24/glupteba-report/?cmp=30728}, language = {English}, urldate = {2020-06-24} } @online{brandt:20200729:emotets:cb1de9b, author = {Andrew Brandt}, title = {{Emotet’s return is the canary in the coal mine}}, date = {2020-07-29}, organization = {Sophos Labs}, url = {https://news.sophos.com/en-us/2020/07/28/emotets-return-is-the-canary-in-the-coal-mine/?cmp=30728}, language = {English}, urldate = {2020-07-30} } @online{brandt:20200917:maze:714f603, author = {Andrew Brandt and Peter Mackenzie}, title = {{Maze attackers adopt Ragnar Locker virtual machine technique}}, date = {2020-09-17}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2020/09/17/maze-attackers-adopt-ragnar-locker-virtual-machine-technique/}, language = {English}, urldate = {2020-09-21} } @online{brandt:20200924:emaildelivered:742cfe6, author = {Andrew Brandt and Andrew O'Donnell and Fraser Howard}, title = {{Email-delivered MoDi RAT attack pastes PowerShell commands}}, date = {2020-09-24}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2020/09/24/email-delivered-modi-rat-attack-pastes-powershell-commands}, language = {English}, urldate = {2020-09-25} } @techreport{brave:20180515:human:b4396ac, author = {Brave}, title = {{HUMAN RIGHTS UNDER SURVEILLANCE DIGITAL THREATS AGAINST HUMAN RIGHTS DEFENDERS IN PAKISTAN}}, date = {2018-05-15}, institution = {Amnesty International}, url = {https://www.amnesty.org/download/Documents/ASA3383662018ENGLISH.PDF}, language = {English}, urldate = {2019-12-10} } @online{breach:20200130:tracking:bfa4550, author = {Under The Breach}, title = {{Tracking Down REvil’s “Lalartu” by utilizing multiple OSINT methods}}, date = {2020-01-30}, organization = {Under The Breach}, url = {https://medium.com/@underthebreach/tracking-down-revils-lalartu-by-utilizing-multiple-osint-methods-2bf3a6c65a80}, language = {English}, urldate = {2020-01-31} } @online{breakdown:20170403:shadow:962f78d, author = {Malware Breakdown}, title = {{Shadow Server Domains Leading to RIG Exploit Kit Dropping Smoke Loader}}, date = {2017-04-03}, organization = {Malware Breakdown}, url = {https://malwarebreakdown.com/2017/04/03/shadow-server-domains-leads-to-rig-exploit-kit-dropping-smoke-loader-which-downloads-neutrino-bot-aka-kasidet/}, language = {English}, urldate = {2019-12-18} } @online{breakdown:20170724:seamless:7e55e6a, author = {Malware Breakdown}, title = {{The Seamless Campaign Drops Ramnit. Follow-up Malware: AZORult Stealer, Smoke Loader, etc.}}, date = {2017-07-24}, organization = {Malware Breakdown}, url = {https://malwarebreakdown.com/2017/07/24/the-seamless-campaign-drops-ramnit-follow-up-malware-azorult-stealer-smoke-loader-etc/}, language = {English}, urldate = {2020-01-10} } @online{breakdown:20170823:seamless:3a2c794, author = {Malware Breakdown}, title = {{The Seamless Campaign Isn’t Losing Any Steam}}, date = {2017-08-23}, url = {https://malwarebreakdown.com/2017/08/23/the-seamless-campaign-isnt-losing-any-steam/}, language = {English}, urldate = {2019-12-04} } @online{breakdown:20170911:re:5d563f4, author = {Malware Breakdown}, title = {{“Re: Details” Malspam Downloads CoreBot Banking Trojan}}, date = {2017-09-11}, organization = {Malware Breakdown}, url = {https://malwarebreakdown.com/2017/09/11/re-details-malspam-downloads-corebot-banking-trojan/}, language = {English}, urldate = {2020-01-08} } @online{breakdown:20180321:fobos:15877e7, author = {Malware Breakdown}, title = {{Fobos Malvertising Campaign Delivers Bunitu Proxy Trojan via RIG EK}}, date = {2018-03-21}, organization = {Malware Breakdown Blog}, url = {https://malwarebreakdown.com/2018/03/21/fobos-malvertising-campaign-delivers-bunitu-proxy-trojan-via-rig-ek/}, language = {English}, urldate = {2019-10-13} } @online{breen:20140505:vt:121e664, author = {Kevin Breen}, title = {{VT Comments Page on Blue Banana Sample}}, date = {2014-05-05}, url = {https://www.virustotal.com/gui/file/60faab36491e07f10bf6a3ebe66ed9238459b2af7e36118fccd50583728141a4/community}, language = {English}, urldate = {2020-10-13} } @techreport{breitenbacher:20200617:operation:7969e3a, author = {Dominik Breitenbacher and Kaspars Osis}, title = {{Operation In(ter)ception: Targeted Attacks against European Aerospace and Military Companies}}, date = {2020-06-17}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_Operation_Interception.pdf}, language = {English}, urldate = {2020-06-17} } @online{brenner:20170626:how:b5978ec, author = {Bill Brenner}, title = {{How Spora ransomware tries to fool antivirus}}, date = {2017-06-26}, organization = {Sophos}, url = {https://nakedsecurity.sophos.com/2017/06/26/how-spora-ransomware-tries-to-fool-antivirus/}, language = {English}, urldate = {2019-10-14} } @online{brewster:20140807:sophisticated:5f484c8, author = {Tom Brewster}, title = {{Sophisticated 'Turla' hackers spying on European governments, say researchers}}, date = {2014-08-07}, organization = {The Guardian}, url = {https://www.theguardian.com/technology/2014/aug/07/turla-hackers-spying-governments-researcher-kaspersky-symantec}, language = {English}, urldate = {2020-01-05} } @online{brewster:20170215:inside:8b5faed, author = {Thomas Brewster}, title = {{Inside OilRig -- Tracking Iran's Busiest Hacker Crew On Its Global Rampage}}, date = {2017-02-15}, organization = {Forbes}, url = {https://www.forbes.com/sites/thomasbrewster/2017/02/15/oilrig-iran-hackers-cyberespionage-us-turkey-saudi-arabia/#56749aa2468a}, language = {English}, urldate = {2020-01-13} } @online{brewster:20170504:behind:4da1ded, author = {Thomas Brewster}, title = {{Behind The Mystery Of Russia's 'Dyre' Hackers Who Stole Millions From American Business}}, date = {2017-05-04}, organization = {Forbes}, url = {https://www.forbes.com/sites/thomasbrewster/2017/05/04/dyre-hackers-stealing-millions-from-american-coporates}, language = {English}, urldate = {2020-01-09} } @online{brewster:20170727:with:b21b072, author = {Thomas Brewster}, title = {{With Fake News And Femmes Fatales, Iran's Spies Learn To Love Facebook}}, date = {2017-07-27}, organization = {Forbes}, url = {https://www.forbes.com/sites/thomasbrewster/2017/07/27/iran-hackers-oilrig-use-fake-personas-on-facebook-linkedin-for-cyberespionage/}, language = {English}, urldate = {2020-01-07} } @online{brewster:20180830:hackers:d006ceb, author = {Thomas Brewster}, title = {{Hackers Are Exposing An Apple Mac Weakness In Middle East Espionage}}, date = {2018-08-30}, organization = {Forbes}, url = {https://www.forbes.com/sites/thomasbrewster/2018/08/30/apple-mac-loophole-breached-in-middle-east-hacks/}, language = {English}, urldate = {2019-11-26} } @online{bromiley:20161007:attacking:0d71422, author = {Matt Bromiley and Preston Lewis}, title = {{Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years}}, date = {2016-10-07}, organization = {FireEye}, url = {https://www.youtube.com/watch?v=fevGZs0EQu8}, language = {English}, urldate = {2020-04-17} } @online{bromiley:20190718:hard:7a6144e, author = {Matt Bromiley and Noah Klapprodt and Nick Schroeder and Jessica Rocchio}, title = {{Hard Pass: Declining APT34’s Invite to Join Their Professional Network}}, date = {2019-07-18}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html}, language = {English}, urldate = {2019-12-20} } @online{brook:20120725:new:67f3d60, author = {Chris Brook}, title = {{New and Improved Madi Spyware Campaign Continues}}, date = {2012-07-25}, organization = {Threatpost}, url = {https://threatpost.com/new-and-improved-madi-spyware-campaign-continues-072512/76849/}, language = {English}, urldate = {2019-12-17} } @online{brook:20160425:attackers:61e599a, author = {Chris Brook}, title = {{Attackers Behind GozNym Trojan Set Sights on Europe}}, date = {2016-04-25}, organization = {Threat Post}, url = {https://threatpost.com/attackers-behind-goznym-trojan-set-sights-on-europe/117647/}, language = {English}, urldate = {2019-11-23} } @online{brook:20160823:goznym:29466b9, author = {Chris Brook}, title = {{GozNym Banking Trojan Targeting German Banks}}, date = {2016-08-23}, organization = {Threatpost}, url = {https://threatpost.com/goznym-banking-trojan-targeting-german-banks/120075/}, language = {English}, urldate = {2020-01-08} } @online{brook:20171114:iceid:5a074d2, author = {Chris Brook}, title = {{IceID Banking Trojan Targeting Banks, Payment Card Providers, E-Commerce Sites}}, date = {2017-11-14}, organization = {Digital Guardian}, url = {https://digitalguardian.com/blog/iceid-banking-trojan-targeting-banks-payment-card-providers-e-commerce-sites}, language = {English}, urldate = {2019-07-10} } @online{brooks:20200602:malware:bc0b560, author = {Casey Brooks}, title = {{tweet on malware called dnstunnel RAT}}, date = {2020-06-02}, organization = {Twitter (@DrunkBinary)}, url = {https://twitter.com/DrunkBinary/status/1267568386516692992}, language = {English}, urldate = {2020-06-05} } @online{brown:20181025:new:7234825, author = {Sophia Brown}, title = {{New sLoad malware downloader being leveraged by APT group TA554 to spread Ramnit}}, date = {2018-10-25}, url = {https://cyware.com/news/new-sload-malware-downloader-being-leveraged-by-apt-group-ta554-to-spread-ramnit-7d03f2d9}, language = {English}, urldate = {2019-11-22} } @online{brown:20181211:new:fa1fc12, author = {Sophia Brown}, title = {{New Satan ransomware variant ‘Lucky’ exposes 10 server-side vulnerabilities}}, date = {2018-12-11}, organization = {Cyware}, url = {https://cyware.com/news/new-satan-ransomware-variant-lucky-exposes-10-server-side-vulnerabilities-070afbd2}, language = {English}, urldate = {2020-01-07} } @online{brown:20200507:detecting:5059f43, author = {Jesse Brown}, title = {{Detecting COR_PROFILER manipulation for persistence}}, date = {2020-05-07}, organization = {Red Canary}, url = {https://redcanary.com/blog/cor_profiler-for-persistence/}, language = {English}, urldate = {2020-06-02} } @online{brubaker:20200715:financially:f217555, author = {Nathan Brubaker and Daniel Kapellmann Zafra and Keith Lunden and Ken Proska and Corey Hildebrandt}, title = {{Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families}}, date = {2020-07-15}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html}, language = {English}, urldate = {2020-07-16} } @online{brumaghin:20160711:when:0155a0a, author = {Edmund Brumaghin and Warren Mercer}, title = {{When Paying Out Doesn't Pay Off}}, date = {2016-07-11}, organization = {Talos}, url = {http://blog.talosintel.com/2016/07/ranscam.html}, language = {English}, urldate = {2020-01-09} } @online{brumaghin:20170502:covert:32e078f, author = {Edmund Brumaghin and Colin Grady}, title = {{Covert Channels and Poor Decisions: The Tale of DNSMessenger}}, date = {2017-05-02}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2017/03/dnsmessenger.html}, language = {English}, urldate = {2019-11-26} } @online{brumaghin:20170918:ccleanup:5ba0369, author = {Edmund Brumaghin and Ross Gibb and Warren Mercer and Matthew Molyett and Craig Williams}, title = {{CCleanup: A Vast Number of Machines at Risk}}, date = {2017-09-18}, organization = {Cisco Talos}, url = {http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html}, language = {English}, urldate = {2020-01-08} } @online{brumaghin:20170920:ccleaner:e034063, author = {Edmund Brumaghin and Earl Carter and Warren Mercer and Matthew Molyett and Matthew Olney and Paul Rascagnères and Craig Williams}, title = {{CCleaner Command and Control Causes Concern}}, date = {2017-09-20}, organization = {Cisco Talos}, url = {http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html}, language = {English}, urldate = {2020-01-06} } @online{brumaghin:20171011:spoofed:9f0fc69, author = {Edmund Brumaghin and Colin Grady and Dave Maynor and @Simpo13}, title = {{Spoofed SEC Emails Distribute Evolved DNSMessenger}}, date = {2017-10-11}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2017/10/dnsmessenger-sec-campaign.html}, language = {English}, urldate = {2020-01-09} } @online{brumaghin:20171102:poisoning:c00599d, author = {Edmund Brumaghin and Earl Carter and Emmanuel Tacheau}, title = {{Poisoning the Well: Banking Trojan Targets Google Search Results}}, date = {2017-11-02}, organization = {Talos}, url = {http://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html}, language = {English}, urldate = {2019-11-21} } @online{brumaghin:20180306:gozi:6146f77, author = {Edmund Brumaghin and Holger Unterbrink and Adam Weller}, title = {{Gozi ISFB Remains Active in 2018, Leverages "Dark Cloud" Botnet For Distribution}}, date = {2018-03-06}, organization = {Cisco Talos}, url = {http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html}, language = {English}, urldate = {2019-12-17} } @online{brumaghin:20180626:files:661b639, author = {Edmund Brumaghin and Earl Carter and Andrew Williams}, title = {{Files Cannot Be Decrypted? Challenge Accepted. Talos Releases ThanatosDecryptor}}, date = {2018-06-26}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2018/06/ThanatosDecryptor.html}, language = {English}, urldate = {2020-01-09} } @online{brumaghin:20180822:picking:925912d, author = {Edmund Brumaghin and Holger Unterbrink and Eric Kuhla and Lilia Gonzalez Medina}, title = {{Picking Apart Remcos Botnet-In-A-Box}}, date = {2018-08-22}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2018/08/picking-apart-remcos.html}, language = {English}, urldate = {2019-10-23} } @online{brumaghin:20180926:vpnfilter:343892a, author = {Edmund Brumaghin}, title = {{VPNFilter III: More Tools for the Swiss Army Knife of Malware}}, date = {2018-09-26}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2018/09/vpnfilter-part-3.html}, language = {English}, urldate = {2019-12-17} } @online{brumaghin:20181108:metamorfo:d12fe7e, author = {Edmund Brumaghin and Warren Mercer and Paul Rascagnères and Vitor Ventura}, title = {{Metamorfo Banking Trojan Keeps Its Sights on Brazil}}, date = {2018-11-08}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2018/11/metamorfo-brazilian-campaigns.html}, language = {English}, urldate = {2020-01-06} } @online{brumaghin:20190130:fake:3499d4e, author = {Edmund Brumaghin and Paul Rascagnères and Jungsoo An}, title = {{Fake Cisco Job Posting Targets Korean Candidates}}, date = {2019-01-30}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/01/fake-korean-job-posting.html}, language = {English}, urldate = {2020-01-10} } @online{brumaghin:20190415:new:bf931b1, author = {Edmund Brumaghin and Holger Unterbrink}, title = {{New HawkEye Reborn Variant Emerges Following Ownership Change}}, date = {2019-04-15}, organization = {Talos}, url = {https://blog.talosintelligence.com/2019/04/hawkeye-reborn.html}, language = {English}, urldate = {2020-01-09} } @online{brumaghin:20190715:sweed:9725699, author = {Edmund Brumaghin}, title = {{SWEED: Exposing years of Agent Tesla campaigns}}, date = {2019-07-15}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html}, language = {English}, urldate = {2020-01-08} } @online{brumaghin:20190828:rat:dadd9c5, author = {Edmund Brumaghin and Holger Unterbrink}, title = {{RAT Ratatouille: Backdooring PCs with leaked RATs}}, date = {2019-08-28}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/08/rat-ratatouille-revrat-orcus.html}, language = {English}, urldate = {2020-01-13} } @online{brumaghin:20190926:divergent:2d282a0, author = {Edmund Brumaghin}, title = {{Divergent: "Fileless" NodeJS Malware Burrows Deep Within the Host}}, date = {2019-09-26}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/09/divergent-analysis.html}, language = {English}, urldate = {2019-10-24} } @online{brumaghin:20200423:threat:4f7f840, author = {Edmund Brumaghin and Amit Raut}, title = {{Threat Spotlight: MedusaLocker}}, date = {2020-04-23}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/04/medusalocker.html}, language = {English}, urldate = {2020-04-26} } @online{bryant:20190213:hunting:8c671bf, author = {Josh Bryant and Robert Falcone}, title = {{Hunting Webshells: Tracking TwoFace - SANS Threat Hunting Summit 2018}}, date = {2019-02-13}, organization = {Youtube (SANS Digital Forensics & Incident Response)}, url = {https://www.youtube.com/watch?v=GjquFKa4afU}, language = {English}, urldate = {2020-01-13} } @techreport{bryant:20190708:hunting:7ce53d5, author = {Josh M. Bryant and Robert Falcone}, title = {{Hunting Webshells: Tracking TwoFace}}, date = {2019-07-08}, institution = {SANS}, url = {https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1536345486.pdf}, language = {English}, urldate = {2020-01-09} } @online{bsi:20201020:die:0683ad4, author = {BSI}, title = {{Die Lage der IT-Sicherheit in Deutschland 2020}}, date = {2020-10-20}, organization = {Bundesamt für Sicherheit in der Informationstechnik}, url = {https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2}, language = {German}, urldate = {2020-10-21} } @online{buchka:20160303:attack:fa7a7ba, author = {Nikita Buchka and Mikhail Kuzin}, title = {{Attack on Zygote: a new twist in the evolution of mobile threats}}, date = {2016-03-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/attack-on-zygote-a-new-twist-in-the-evolution-of-mobile-threats/74032/}, language = {English}, urldate = {2019-12-20} } @online{buchka:20161228:switcher:a2408dd, author = {Nikita Buchka}, title = {{Switcher: Android joins the ‘attack-the-router’ club}}, date = {2016-12-28}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/mobile/76969/switcher-android-joins-the-attack-the-router-club/}, language = {English}, urldate = {2019-12-20} } @online{buchka:20171218:jack:5842578, author = {Nikita Buchka and Anton Kivva and Dmitry Galov}, title = {{Jack of all trades}}, date = {2017-12-18}, organization = {Kaspersky Labs}, url = {https://securelist.com/jack-of-all-trades/83470/}, language = {English}, urldate = {2019-12-20} } @online{buchka:20180116:skygofree:4e0990c, author = {Nikita Buchka and Alexey Firsh}, title = {{Skygofree: Following in the footsteps of HackingTeam}}, date = {2018-01-16}, organization = {Kaspersky Labs}, url = {https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/}, language = {English}, urldate = {2019-12-20} } @online{bucket:20140330:ioc:053d0b0, author = {IOC Bucket}, title = {{IOC Bucket for Putter Panda}}, date = {2014-03-30}, organization = {IOC Bucket}, url = {https://www.iocbucket.com/iocs/7f7999ab7f223409ea9ea10cff82b064ce2a1a31}, language = {English}, urldate = {2020-01-09} } @online{budd:20150916:operation:7889703, author = {Christopher Budd}, title = {{Operation Iron Tiger: Attackers Shift from East Asia to the United States}}, date = {2015-09-16}, organization = {Trend Micro}, url = {http://newsroom.trendmicro.com/blog/operation-iron-tiger-attackers-shift-east-asia-united-states}, language = {English}, urldate = {2019-12-17} } @techreport{buggenhout:2014:history:049d4d1, author = {Erik Van Buggenhout}, title = {{A history of ATM violence}}, date = {2014}, institution = {nviso}, url = {http://www.isg.rhul.ac.uk/dl/weekendconference2014/slides/Erik_VanBuggenhout.pdf}, language = {English}, urldate = {2020-01-08} } @online{bukhteyev:20180805:ramnits:1268bad, author = {Alexey Bukhteyev}, title = {{Ramnit’s Network of Proxy Servers}}, date = {2018-08-05}, organization = {Check Point}, url = {https://research.checkpoint.com/ramnits-network-proxy-servers/}, language = {English}, urldate = {2020-01-09} } @online{bukhteyev:20191119:phorpiex:50c2cb1, author = {Alexey Bukhteyev}, title = {{Phorpiex Breakdown}}, date = {2019-11-19}, organization = {Check Point}, url = {https://research.checkpoint.com/2019/phorpiex-breakdown/}, language = {English}, urldate = {2020-01-06} } @online{bunce:20190815:gootkit:1052b18, author = {Daniel Bunce}, title = {{Gootkit Banking Trojan | Deep Dive into Anti-Analysis Features}}, date = {2019-08-15}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/gootkit-banking-trojan-deep-dive-anti-analysis-features/}, language = {English}, urldate = {2019-12-20} } @online{bunce:20190815:gootkit:480c7e8, author = {Daniel Bunce}, title = {{Gootkit Banking Trojan | Deep Dive into Anti-Analysis Features}}, date = {2019-08-15}, organization = {Sentinel LABS}, url = {https://labs.sentinelone.com/gootkit-banking-trojan-deep-dive-anti-analysis-features/}, language = {English}, urldate = {2020-06-18} } @online{bunce:20190829:gootkit:b379f2c, author = {Daniel Bunce}, title = {{Gootkit Banking Trojan | Part 2: Persistence & Other Capabilities}}, date = {2019-08-29}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/gootkit-banking-trojan-persistence-other-capabilities/}, language = {English}, urldate = {2020-01-08} } @online{bunce:20200622:unpacking:8a02d84, author = {Daniel Bunce}, title = {{Unpacking Visual Basic Packers – IcedID}}, date = {2020-06-22}, organization = {zero2auto}, url = {https://zero2auto.com/2020/06/22/unpacking-visual-basic-packers/}, language = {English}, urldate = {2020-06-24} } @online{bunce:20200820:dbatloadermodiloader:6cccf7e, author = {Daniel Bunce}, title = {{DBatLoader/ModiLoader Analysis – First Stage}}, date = {2020-08-20}, organization = {Zero2Automated Blog}, url = {https://zero2auto.com/2020/08/20/dbatloader-modiloader-first-stage/}, language = {English}, urldate = {2020-08-25} } @techreport{bundeskriminalamt:20200821:mgliche:fbbf1b2, author = {Bundeskriminalamt}, title = {{Mögliche Cyberspionage mittels der Schadsoftware GOLDENSPY}}, date = {2020-08-21}, institution = {Bundeskriminalamt}, url = {https://www.bka.de/SharedDocs/Downloads/DE/IhreSicherheit/Warnhinweise/WarnhinweisGOLDENSPY.pdf}, language = {German}, urldate = {2020-08-27} } @online{buonopane:20190201:information:2fbf14a, author = {Paul Buonopane}, title = {{Information about lnkr5, malware distributed via Chrome extensions}}, date = {2019-02-01}, organization = {Github (Zenexer)}, url = {https://github.com/Zenexer/lnkr}, language = {English}, urldate = {2020-05-05} } @online{buonopane:20190201:lnkr:f79885e, author = {Paul Buonopane}, title = {{LNKR - Extension analysis - Flash Playlist}}, date = {2019-02-01}, organization = {Github (Zenexer)}, url = {https://github.com/Zenexer/lnkr/blob/master/recon/extensions/fanagokoaogopceablgmpndejhedkjjb/README.md}, language = {English}, urldate = {2020-05-05} } @online{burbage:20180416:rat:3c30776, author = {Paul Burbage and Mike Mimoso}, title = {{RAT Gone Rogue: Meet ARS VBS Loader}}, date = {2018-04-16}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/meet-ars-vbs-loader/}, language = {English}, urldate = {2019-12-17} } @online{burbage:20180912:malware:5b7d58a, author = {Paul Burbage and Mike Mimoso}, title = {{Malware Campaign Targeting Jaxx Cryptocurrency Wallet Users Shut Down}}, date = {2018-09-12}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/malware-campaign-targets-jaxx-cryptocurrency-wallet-users/}, language = {English}, urldate = {2020-01-08} } @online{burbage:20181102:new:4781b19, author = {Paul Burbage}, title = {{Tweet on New Stealer}}, date = {2018-11-02}, organization = {Twitter (@hexlax)}, url = {https://twitter.com/hexlax/status/1058356670835908610}, language = {English}, urldate = {2020-01-07} } @online{burbage:20191228:tale:2e5f361, author = {Paul Burbage}, title = {{The Tale of the Pija-Droid Firefinch}}, date = {2019-12-28}, url = {https://medium.com/@paul.k.burbage/the-tale-of-the-pija-droid-firefinch-4d304fde5ca2}, language = {English}, urldate = {2020-02-14} } @online{burchard:20200528:berlin:c5c42b4, author = {Hans von der Burchard and Laurens Cerulus}, title = {{Berlin seeks sanctions against Russian hackers over Bundestag cyberattack}}, date = {2020-05-28}, organization = {POLITICO}, url = {https://www.politico.eu/article/berlin-sanctions-against-russian-hacker-bundestag-cyberattack-angela-merkel-gru/}, language = {English}, urldate = {2020-05-29} } @online{bureau:20121218:malicious:c863bcf, author = {Pierre-Marc Bureau}, title = {{Malicious Apache module used for content injection: Linux/Chapro.A}}, date = {2012-12-18}, organization = {ESET Research}, url = {http://blog.eset.com/2012/12/18/malicious-apache-module-used-for-content-injection-linuxchapro-a}, language = {English}, urldate = {2019-12-20} } @online{bureau:20130426:linuxcdorkeda:ab3e321, author = {Pierre-Marc Bureau}, title = {{Linux/Cdorked.A: New Apache backdoor being used in the wild to serve Blackhole}}, date = {2013-04-26}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/}, language = {English}, urldate = {2019-11-14} } @online{bureau:20130925:win32napolar:aba54b1, author = {Pierre-Marc Bureau}, title = {{Win32/Napolar – A new bot on the block}}, date = {2013-09-25}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2013/09/25/win32napolar-a-new-bot-on-the-block/}, language = {English}, urldate = {2019-11-14} } @online{bureau:20140318:operation:1b1bd17, author = {Pierre-Marc Bureau}, title = {{Operation Windigo – the vivisection of a large Linux server‑side credential‑stealing malware campaign}}, date = {2014-03-18}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2014/03/18/operation-windigo-the-vivisection-of-a-large-linux-server-side-credential-stealing-malware-campaign/}, language = {English}, urldate = {2019-11-14} } @online{bureau:20200305:vietnam:23ec4c0, author = {Microstep Intelligence Bureau}, title = {{Vietnam National Background APT organization "Sea Lotus" used the topic of the epidemic to attack our government agencies}}, date = {2020-03-05}, organization = {Microstep Intelligence Bureau}, url = {https://m.threatbook.cn/detail/2527}, language = {Chinese}, urldate = {2020-04-26} } @online{burgess:20200821:evolution:6d5c407, author = {Josh Burgess and Steve Ginty}, title = {{The Evolution of Ransomware & Pinchy Spider's Shot at the Title}}, date = {2020-08-21}, organization = {Vimeo (RiskIQ)}, url = {https://vimeo.com/449849549}, language = {English}, urldate = {2020-08-25} } @online{burt:20190327:new:9ba6b3b, author = {Tom Burt}, title = {{New steps to protect customers from hacking}}, date = {2019-03-27}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/}, language = {English}, urldate = {2020-01-13} } @online{burt:20200310:new:251948a, author = {Tom Burt}, title = {{New action to disrupt world’s largest online criminal network}}, date = {2020-03-10}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2020/03/10/necurs-botnet-cyber-crime-disrupt/}, language = {English}, urldate = {2020-03-11} } @online{burt:20200707:microsoft:3300f46, author = {Tom Burt}, title = {{Microsoft takes legal action against COVID-19-related cybercrime}}, date = {2020-07-07}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2020/07/07/digital-crimes-unit-covid-19-cybercrime/}, language = {English}, urldate = {2020-07-08} } @online{burt:20200910:new:ec117be, author = {Tom Burt}, title = {{New cyberattacks targeting U.S. elections}}, date = {2020-09-10}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2020/09/10/cyberattacks-us-elections-trump-biden/}, language = {English}, urldate = {2020-09-10} } @online{burt:20201012:new:045c1c3, author = {Tom Burt}, title = {{New action to combat ransomware ahead of U.S. elections}}, date = {2020-10-12}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2020/10/12/trickbot-ransomware-cyberthreat-us-elections/}, language = {English}, urldate = {2020-10-12} } @online{burt:20201020:update:12549c2, author = {Tom Burt}, title = {{An update on disruption of Trickbot}}, date = {2020-10-20}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2020/10/20/trickbot-ransomware-disruption-update/}, language = {English}, urldate = {2020-10-23} } @online{bushidotoken:20200509:turkey:a764ff0, author = {BushidoToken}, title = {{Turkey targeted by Cerberus and Anubis Android banking Trojan campaigns}}, date = {2020-05-09}, organization = {BushidoToken}, url = {https://bushidotoken.blogspot.com/2020/05/turkey-targeted-by-cerberus-and-anubis.html}, language = {English}, urldate = {2020-05-13} } @online{bushidotoken:20200528:ozh:d9cd398, author = {BushidoToken}, title = {{Tweet on OZH RAT}}, date = {2020-05-28}, organization = {Twitter (@BushidoToken)}, url = {https://twitter.com/BushidoToken/status/1266075992679948289}, language = {English}, urldate = {2020-05-29} } @online{bushidotoken:20200614:deepdive:3a375ca, author = {BushidoToken}, title = {{Deep-dive: The DarkHotel APT}}, date = {2020-06-14}, organization = {BushidoToken}, url = {https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html}, language = {English}, urldate = {2020-06-16} } @online{bustami:20181213:powersing:2a7b1db, author = {Mo Bustami}, title = {{POWERSING - From LNK Files To Janicab Through YouTube & Twitter}}, date = {2018-12-13}, organization = {Security 0wnage}, url = {https://sec0wn.blogspot.com/2018/12/powersing-from-lnk-files-to-janicab.html}, language = {English}, urldate = {2020-08-25} } @online{byers:20200908:ghostdnsbusters:9531dcd, author = {Nick Byers and Manabu Niseki and CERT-BR}, title = {{GhostDNSbusters: Illuminating GhostDNS Infrastructure}}, date = {2020-09-08}, organization = {Team Cymru}, url = {https://team-cymru.com/2020/09/08/ghostdnsbusters/}, language = {English}, urldate = {2020-09-15} } @online{byteatlas:20150415:knowledge:0d028a7, author = {ByteAtlas}, title = {{Knowledge Fragment: Bruteforcing Andromeda Configuration Buffers}}, date = {2015-04-15}, url = {https://byte-atlas.blogspot.ch/2015/04/kf-andromeda-bruteforcing.html}, language = {English}, urldate = {2020-01-07} } @online{byteraptors:20200603:wizardopium:b83073d, author = {ByteRaptors}, title = {{The WizardOpium LPE: Exploiting CVE-2019-1458}}, date = {2020-06-03}, organization = {ByteRaptors Blog}, url = {https://byteraptors.github.io/windows/exploitation/2020/06/03/exploitingcve2019-1458.html}, language = {English}, urldate = {2020-06-12} } @online{c0d3inj3ct:20180524:javascript:af29dab, author = {c0d3inj3cT}, title = {{JavaScript based Bot using Github C&C}}, date = {2018-05-24}, organization = {pwncode.io blog}, url = {http://www.pwncode.io/2018/05/javascript-based-bot-using-github-c.html}, language = {English}, urldate = {2020-05-23} } @online{c0d3inj3ct:20191224:unpacking:3102f76, author = {c0d3inj3cT}, title = {{Unpacking Payload used in Bottle EK}}, date = {2019-12-24}, organization = {pwncode.io blog}, url = {http://www.pwncode.io/2019/12/unpacking-payload-used-in-bottle-ek.html}, language = {English}, urldate = {2020-03-11} } @online{c0d3inj3ct:20191225:blacknet:80468eb, author = {c0d3inj3cT}, title = {{BlackNet RAT - When you leave the Panel unprotected}}, date = {2019-12-25}, organization = {pwncode.io blog}, url = {http://www.pwncode.io/2019/12/blacknet-rat-when-you-leave-panel.html}, language = {English}, urldate = {2020-03-11} } @online{c4i:20170216:breaking:b65439a, author = {IDF C4I and Ido Naor}, title = {{Breaking The Weakest Link Of The Strongest Chain}}, date = {2017-02-16}, organization = {Kaspersky Labs}, url = {https://securelist.com/breaking-the-weakest-link-of-the-strongest-chain/77562/}, language = {English}, urldate = {2019-12-20} } @online{c4i:20170216:breaking:cc7bead, author = {IDF C4I and Ido Naor}, title = {{Breaking The Weakest Link Of The Strongest Chain}}, date = {2017-02-16}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/}, language = {English}, urldate = {2019-12-20} } @online{c:20200608:tau:f5b25ff, author = {A C}, title = {{TAU Threat Analysis: Hakbit Ransomware}}, date = {2020-06-08}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/2020/06/08/tau-threat-analysis-hakbit-ransomware/}, language = {English}, urldate = {2020-06-10} } @online{c:20200615:tau:c60e41f, author = {A C}, title = {{TAU Threat Analysis: Relations to Hakbit Ransomware}}, date = {2020-06-15}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/2020/06/15/tau-threat-analysis-relations-to-hakbit-ransomware/}, language = {English}, urldate = {2020-06-16} } @online{caban:20180707:youve:b02f5ff, author = {Dan Caban and Muks Hirani}, title = {{You’ve Got Mail!}}, date = {2018-07-07}, organization = {Youtube (SteelCon)}, url = {https://www.youtube.com/watch?time_continue=1333&v=1CGAmjAV8nI}, language = {English}, urldate = {2020-01-08} } @online{cadieux:20190430:sodinokibi:d04e315, author = {Pierre Cadieux and Colin Grady and Jaeson Schultz and Matt Valites}, title = {{Sodinokibi ransomware exploits WebLogic Server vulnerability}}, date = {2019-04-30}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html}, language = {English}, urldate = {2019-12-17} } @online{calvet:20150305:casper:be062ed, author = {Joan Calvet}, title = {{Casper Malware: After Babar and Bunny, Another Espionage Cartoon}}, date = {2015-03-05}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2015/03/05/casper-malware-babar-bunny-another-espionage-cartoon/}, language = {English}, urldate = {2019-11-14} } @online{camastra:20190220:spoofing:f2e825b, author = {Luigino Camastra and Jan Širmer and Adolf Středa and Lukáš Obrdlík}, title = {{Spoofing in the reeds with Rietspoof}}, date = {2019-02-20}, organization = {Avast Decoded}, url = {https://decoded.avast.io/threatintel/spoofing-in-the-reeds-with-rietspoof/}, language = {English}, urldate = {2020-01-06} } @online{camastra:20200514:planted:03eab5a, author = {Luigino Camastra}, title = {{APT Group Planted Backdoors Targeting High Profile Networks in Central Asia}}, date = {2020-05-14}, organization = {Avast Decoded}, url = {https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia/}, language = {English}, urldate = {2020-05-14} } @online{camba:20121009:bkdrsarhusta:92d2b93, author = {Abraham Latimer Camba}, title = {{BKDR_SARHUST.A}}, date = {2012-10-09}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/bkdr_sarhust.a}, language = {English}, urldate = {2020-01-05} } @online{camba:20130227:bkdrrarstone:8c1d7b2, author = {Abraham Camba}, title = {{BKDR_RARSTONE: New RAT to Watch Out For}}, date = {2013-02-27}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/bkdr_rarstone-new-rat-to-watch-out-for/}, language = {English}, urldate = {2020-01-08} } @online{cameron:20170915:welp:8da10de, author = {Dell Cameron}, title = {{Welp, Vevo Just Got Hacked}}, date = {2017-09-15}, url = {https://gizmodo.com/welp-vevo-just-got-hacked-1813390834}, language = {English}, urldate = {2019-10-17} } @online{cameron:20181030:us:45da6b7, author = {Dell Cameron}, title = {{U.S. Indicts Chinese Hacker-Spies in Conspiracy to Steal Aerospace Secrets}}, date = {2018-10-30}, organization = {Gizmodo}, url = {https://gizmodo.com/u-s-indicts-chinese-hacker-spies-in-conspiracy-to-stea-1830111695}, language = {English}, urldate = {2019-11-27} } @online{camichel:20190309:retefe:3414337, author = {Corsin Camichel}, title = {{retefe: Artefacts from various retefe campaigns}}, date = {2019-03-09}, organization = {Github (cocaman)}, url = {https://github.com/cocaman/retefe}, language = {English}, urldate = {2020-01-13} } @online{camichel:20190523:analysing:9a4f909, author = {Corsin Camichel}, title = {{Analysing "Retefe" with Sysmon and Splunk}}, date = {2019-05-23}, organization = {Vulnerability.ch Blog}, url = {https://vulnerability.ch/2019/05/analysing-retefe-with-sysmon-and-splunk/}, language = {English}, urldate = {2019-07-09} } @online{camichel:20200512:absent:f352502, author = {Corsin Camichel}, title = {{Tweet on AbSent Loader}}, date = {2020-05-12}, organization = {Twitter (@cocaman)}, url = {https://twitter.com/cocaman/status/1260069549069733888}, language = {English}, urldate = {2020-05-15} } @online{campbell:20190502:2019:1fe00f6, author = {Bryan Campbell and Proofpoint Threat Insight Team}, title = {{2019: The Return of Retefe}}, date = {2019-05-02}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/2019-return-retefe}, language = {English}, urldate = {2019-12-20} } @online{campbell:20190926:new:d228362, author = {Bryan Campbell and Jeremy Hedges and Proofpoint Threat Insight Team}, title = {{New WhiteShadow downloader uses Microsoft SQL to retrieve malware}}, date = {2019-09-26}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware}, language = {English}, urldate = {2020-02-26} } @online{campbell:20191114:ta2101:e79f6fb, author = {Bryan Campbell and Proofpoint Threat Insight Team}, title = {{TA2101 plays government imposter to distribute malware to German, Italian, and US organizations}}, date = {2019-11-14}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/ta2101-plays-government-imposter-distribute-malware-german-italian-and-us}, language = {English}, urldate = {2019-11-27} } @online{campbell:20200608:analysis:500f9fe, author = {Ryan Campbell}, title = {{Analysis of Valak Maldoc}}, date = {2020-06-08}, organization = {Security Soup Blog}, url = {https://security-soup.net/analysis-of-valak-maldoc/}, language = {English}, urldate = {2020-06-08} } @online{can:20190313:n:bfbaff0, author = {Ahmet Bilal Can}, title = {{N Ways to Unpack Mobile Malware}}, date = {2019-03-13}, organization = {Pentest Blog}, url = {https://pentest.blog/n-ways-to-unpack-mobile-malware/}, language = {English}, urldate = {2020-01-09} } @online{can:20190718:android:5097363, author = {Ahmet Bilal Can}, title = {{Android Malware Analysis : Dissecting Hydra Dropper}}, date = {2019-07-18}, url = {https://pentest.blog/android-malware-analysis-dissecting-hydra-dropper/}, language = {English}, urldate = {2019-12-05} } @techreport{canada:2011:snowglobe:2cf6813, author = {CSE Canada}, title = {{SNOWGLOBE: From Discovery to Attribution}}, date = {2011}, institution = {Spiegel Online}, url = {http://www.spiegel.de/media/media-35683.pdf}, language = {English}, urldate = {2019-12-17} } @online{canary:20200617:threat:3a7f962, author = {Red Canary}, title = {{Threat Detection: Blue Mockingbird}}, date = {2020-06-17}, organization = {Youtube (Red Canary)}, url = {https://www.youtube.com/watch?v=6t_E8KOmZSs}, language = {English}, urldate = {2020-06-19} } @online{cannell:20130725:zeroaccess:4853854, author = {Joshua Cannell}, title = {{ZeroAccess uses Self-Debugging}}, date = {2013-07-25}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2013/07/zeroaccess-anti-debug-uses-debugger/}, language = {English}, urldate = {2019-12-20} } @online{cannell:20130801:sophos:404c6a5, author = {Joshua Cannell}, title = {{Sophos Discovers ZeroAccess Using RLO}}, date = {2013-08-01}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2013/08/sophos-discovers-zeroaccess-using-rlo/}, language = {English}, urldate = {2019-12-20} } @online{cannell:20130926:new:428977b, author = {Joshua Cannell}, title = {{New Solarbot Malware Debuts, Creator Publicly Advertising}}, date = {2013-09-26}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2013/09/new-solarbot-malware-debuts-creator-publicly-advertising/}, language = {English}, urldate = {2019-12-20} } @online{cannings:20160616:sakula:cece262, author = {David Cannings}, title = {{Sakula: an adventure in DLL planting}}, date = {2016-06-16}, organization = {NCC Group}, url = {https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/june/sakula-an-adventure-in-dll-planting/?page=1}, language = {English}, urldate = {2020-01-06} } @online{cannings:20170403:investigation:7deb188, author = {Rich Cannings and Jason Woloz and Neel Mehta and Ken Bodzak and Wentao Chang and Megan Ruthven}, title = {{An investigation of Chrysaor Malware on Android}}, date = {2017-04-03}, organization = {Google}, url = {https://android-developers.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html}, language = {English}, urldate = {2019-12-17} } @online{cannings:20170403:investigation:8de942a, author = {Rich Cannings and Jason Woloz and Neel Mehta and Ken Bodzak and Wentao Chang and Megan Ruthven}, title = {{An Investigation of Chrysaor Malware on Android}}, date = {2017-04-03}, organization = {Google}, url = {https://security.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html}, language = {English}, urldate = {2020-01-08} } @online{cannings:20170403:technical:e27583c, author = {David Cannings}, title = {{Technical Notes on RedLeaves}}, date = {2017-04-03}, organization = {Github (nccgroup)}, url = {https://github.com/nccgroup/Cyber-Defence/tree/master/Technical%20Notes/Red%20Leaves}, language = {English}, urldate = {2020-01-06} } @online{cannon:20171207:new:035f809, author = {Vincent Cannon and Nalani Fraser and Yogesh Londhe and Manish Sardiwal and Nick Richard and Jacqueline O’Leary}, title = {{New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit}}, date = {2017-12-07}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html}, language = {English}, urldate = {2019-12-20} } @online{cao:20200324:operation:89da9bd, author = {Elliot Cao and Joseph Chen and William Gamazo Sanchez and Lilang Wu and Ecular Xu}, title = {{Operation Poisoned News: Hong Kong Users Targeted With Mobile Malware via Local News Links}}, date = {2020-03-24}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/operation-poisoned-news-hong-kong-users-targeted-with-mobile-malware-via-local-news-links/}, language = {English}, urldate = {2020-03-25} } @techreport{cao:20200324:technical:dc23839, author = {Elliot Cao and Joseph Chen and William Gamazo Sanchez and Lilang Wu and Ecular Xu}, title = {{Technical Brief: Operation Poisoned News: Hong Kong Users Targeted with Mobile Malware via Local News Links}}, date = {2020-03-24}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/Tech-Brief-Operation-Poisoned-News-Hong-Kong-Users-Targeted-with-Mobile-Malware-via-Local-News-Links.pdf}, language = {English}, urldate = {2020-03-25} } @online{capilla:20161121:android:5150467, author = {Sergi Àlvarez i Capilla}, title = {{Android malware analysis with Radare: Dissecting the Triada Trojan}}, date = {2016-11-21}, organization = {NowSecure}, url = {https://www.nowsecure.com/blog/2016/11/21/android-malware-analysis-radare-triada-trojan/}, language = {English}, urldate = {2020-01-10} } @online{caragay:20150924:credit:59e0581, author = {RonJay Caragay and Michael Marcos}, title = {{Credit Card-Scraping Kasidet Builder Leads to Spike in Detections}}, date = {2015-09-24}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/credit-card-scraping-kasidet-builder-leads-to-spike-in-detections/}, language = {English}, urldate = {2020-01-13} } @techreport{carcano:20181001:triton:7863291, author = {Andrea Carcano}, title = {{TRITON: How it Disrupted Safety Systems and Changed the Threat Landscape of Industrial Control Systems, Forever}}, date = {2018-10-01}, institution = {SANS Cyber Summit}, url = {https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1538425180.pdf}, language = {English}, urldate = {2020-01-20} } @online{care:202008:critical:415c34d, author = {CARE}, title = {{Critical Infrastructure Ransomware Attacks}}, date = {2020-08}, organization = {Temple University}, url = {https://sites.temple.edu/care/ci-rw-attacks/}, language = {English}, urldate = {2020-09-15} } @online{carr:20170514:cyber:0ac720f, author = {Nick Carr}, title = {{Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations}}, date = {2017-05-14}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html}, language = {English}, urldate = {2019-12-20} } @online{carr:20170524:apt32:4060afe, author = {Nick Carr}, title = {{APT32: New Cyber Espionage Group}}, date = {2017-05-24}, organization = {BrightTALK (FireEye)}, url = {https://www.brighttalk.com/webcast/10703/261205}, language = {English}, urldate = {2020-01-07} } @online{carr:20170630:obfuscation:c3d947e, author = {Nick Carr and Daniel Bohannon}, title = {{Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques}}, date = {2017-06-30}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html}, language = {English}, urldate = {2019-12-20} } @online{carr:20180801:hunt:0fe0e15, author = {Nick Carr and Kimberly Goody and Steve Miller and Barry Vengerik}, title = {{On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation}}, date = {2018-08-01}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html}, language = {English}, urldate = {2019-12-20} } @online{carr:20181106:griffon:c7f800f, author = {Nick Carr}, title = {{Tweet on a GRIFFON sample}}, date = {2018-11-06}, organization = {Twitter (@ItsReallyNick)}, url = {https://twitter.com/ItsReallyNick/status/1059898708286939136}, language = {English}, urldate = {2019-12-17} } @online{carr:20190605:malware:a6892ae, author = {Nick Carr}, title = {{Tweet on Malware Sample}}, date = {2019-06-05}, organization = {Twitter (@ItsReallyNick)}, url = {https://twitter.com/ItsReallyNick/status/1136502701301346305}, language = {English}, urldate = {2020-01-07} } @online{carr:20191010:mahalo:917c5b2, author = {Nick Carr and Josh Yoder and Kimberly Goody and Scott Runnels and Jeremy Kennelly and Jordan Nuce}, title = {{Mahalo FIN7: Responding to the Criminal Operators’ New Tools and Techniques}}, date = {2019-10-10}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/10/mahalo-fin7-responding-to-new-tools-and-techniques.html}, language = {English}, urldate = {2019-11-18} } @online{carr:20191220:grunt:02cb116, author = {Nick Carr}, title = {{Tweet on GRUNT payload}}, date = {2019-12-20}, organization = {Twitter (@ItsReallyNick)}, url = {https://twitter.com/ItsReallyNick/status/1208141697282117633}, language = {English}, urldate = {2020-01-09} } @online{carr:20200114:rough:1c149da, author = {Nick Carr and Matt Bromiley}, title = {{Rough Patch: I Promise It'll Be 200 OK (Citrix ADC CVE-2019-19781)}}, date = {2020-01-14}, organization = {FireEye}, url = {https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html}, language = {English}, urldate = {2020-01-17} } @online{carr:20200601:malware:62e3d49, author = {Nick Carr}, title = {{Tweet on malware called NETFLASH}}, date = {2020-06-01}, organization = {Twitter (@ItsReallyNick)}, url = {https://twitter.com/ItsReallyNick/status/1267475216923594755}, language = {English}, urldate = {2020-06-05} } @online{carvey:20190404:mimikatz:243c11a, author = {Harlan Carvey}, title = {{Mimikatz in the Wild: Bypassing Signature-Based Detections Using the “AK47 of Cyber”}}, date = {2019-04-04}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/credential-theft-mimikatz-techniques/}, language = {English}, urldate = {2019-12-20} } @online{case:20190902:digital:0f6cd23, author = {Andrew Case and Matthew Meltzer and Steven Adair}, title = {{Digital Crackdown: Large-Scale Surveillance and Exploitation of Uyghurs}}, date = {2019-09-02}, organization = {Volexity}, url = {https://www.volexity.com/blog/2019/09/02/digital-crackdown-large-scale-surveillance-and-exploitation-of-uyghurs/}, language = {English}, urldate = {2019-12-06} } @online{case:20200421:evil:54c1d46, author = {Andrew Case and Dave Lassalle and Matthew Meltzer and Sean Koessel and Steven Adair and Thomas Lancaster}, title = {{Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant}}, date = {2020-04-21}, organization = {Volexity}, url = {https://www.volexity.com/blog/2020/04/21/evil-eye-threat-actor-resurfaces-with-ios-exploit-and-updated-implant/}, language = {English}, urldate = {2020-04-22} } @online{caselden:20150418:operation:f2f3cba, author = {Dan Caselden and Yasir Khalid and James “Tom” Bennett and Genwei Jiang and Corbin Souffrant and Joshua Homan and Jonathan Wrolstad and Chris Phillips and Darien Kin}, title = {{Operation RussianDoll: Adobe & Windows Zero-Day Exploits Likely Leveraged by Russia’s APT28 in Highly-Targeted Attack}}, date = {2015-04-18}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html}, language = {English}, urldate = {2019-10-16} } @online{caselden:20150623:operation:dc2929c, author = {Dan Caselden and Erica Eng}, title = {{Operation Clandestine Wolf – Adobe Flash Zero-Day in APT3 Phishing Campaign}}, date = {2015-06-23}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html}, language = {English}, urldate = {2019-12-20} } @online{cashdollar:20190613:latest:1dba306, author = {Larry Cashdollar}, title = {{Latest ECHOBOT: 26 Infection Vectors}}, date = {2019-06-13}, organization = {Akamai}, url = {https://blogs.akamai.com/sitr/2019/06/latest-echobot-26-infection-vectors.html}, language = {English}, urldate = {2020-01-08} } @online{caspi:20170504:osx:9f62c96, author = {Ofer Caspi}, title = {{OSX Malware is Catching Up, and it wants to Read Your HTTPS Traffic}}, date = {2017-05-04}, organization = {Check Point Software Technologies Ltd}, url = {http://blog.checkpoint.com/2017/04/27/osx-malware-catching-wants-read-https-traffic/}, language = {English}, urldate = {2019-11-24} } @online{caspi:20170713:osxdok:b34ca60, author = {Ofer Caspi}, title = {{OSX/Dok Refuses to Go Away and It’s After Your Money}}, date = {2017-07-13}, organization = {Check Point}, url = {https://blog.checkpoint.com/2017/07/13/osxdok-refuses-go-away-money/}, language = {English}, urldate = {2020-01-05} } @online{caspi:20180724:emotet:a26725d, author = {Ofer Caspi and Ben Herzog}, title = {{Emotet: The Tricky Trojan that ‘Git Clones’}}, date = {2018-07-24}, organization = {Check Point}, url = {https://research.checkpoint.com/emotet-tricky-trojan-git-clones/}, language = {English}, urldate = {2020-01-13} } @online{caspi:20200519:trickbot:50c2a51, author = {Ofer Caspi}, title = {{TrickBot BazarLoader In-Depth}}, date = {2020-05-19}, organization = {AlienLabs}, url = {https://cybersecurity.att.com/blogs/labs-research/trickbot-bazarloader-in-depth}, language = {English}, urldate = {2020-05-20} } @online{casualmalware:20200311:firebird:6d1f8a2, author = {casual_malware}, title = {{Tweet on FireBird RAT}}, date = {2020-03-11}, organization = {Twitter (@casual_malware)}, url = {https://twitter.com/casual_malware/status/1237775601035096064}, language = {English}, urldate = {2020-03-13} } @techreport{ccc:20111008:analyse:0c4a8c9, author = {CCC}, title = {{ANALYSE EINER REGIERUNGS-MALWARE}}, date = {2011-10-08}, institution = {CCC}, url = {http://www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf}, language = {English}, urldate = {2020-01-07} } @online{ccncert:20181104:betabot:fd654de, author = {CCN-CERT}, title = {{BetaBot y Fleercivet, dos nuevos informes de código dañino del CCN-CERT}}, date = {2018-11-04}, organization = {CCN-CERT}, url = {https://www.ccn-cert.cni.es/seguridad-al-dia/comunicados-ccn-cert/6087-betabot-y-fleercivet-dos-nuevos-informes-de-codigo-danino-del-ccn-cert.html}, language = {English}, urldate = {2020-01-10} } @online{ccncert:201911:informe:69b39b5, author = {CCN-CERT}, title = {{Informe Código Dañino CCN-CERT ID-26/19}}, date = {2019-11}, organization = {CCN-CERT}, url = {https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos/4217-ccn-cert-id-26-19-ryuk-1/file.html}, language = {Espanyol}, urldate = {2020-01-10} } @online{ccncert:202005:malware:e6aed81, author = {CCN-CERT}, title = {{Malware report CCN-CERT ID-15/20 Snake Locker}}, date = {2020-05}, organization = {CCN-CERT}, url = {https://www.ccn-cert.cni.es/pdf/5045-ccn-cert-id-15-20-snake-locker-english-1/file.html}, language = {English}, urldate = {2020-06-10} } @online{centeno:20180501:legitimate:bd0644c, author = {Raphael Centeno}, title = {{Legitimate Application AnyDesk Bundled with New Ransomware Variant}}, date = {2018-05-01}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/legitimate-application-anydesk-bundled-with-new-ransomware-variant/}, language = {English}, urldate = {2019-10-14} } @online{centeno:20190508:dharma:cc5ac04, author = {Raphael Centeno}, title = {{Dharma Ransomware Uses AV Tool to Distract from Malicious Activities}}, date = {2019-05-08}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/dharma-ransomware-uses-av-tool-to-distract-from-malicious-activities/}, language = {English}, urldate = {2020-01-06} } @online{centeno:20200521:backdoor:d6d37a9, author = {Raphael Centeno and Llallum Victoria}, title = {{Backdoor, Devil Shadow Botnet Hidden in Fake Zoom Installers}}, date = {2020-05-21}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-devil-shadow-botnet-hidden-in-fake-zoom-installers/}, language = {English}, urldate = {2020-05-23} } @online{centeno:20200921:cybercriminals:0dbaa08, author = {Raphael Centeno}, title = {{Cybercriminals Distribute Backdoor With VPN Installer}}, date = {2020-09-21}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/20/i/wind-up-windscribe-vpn-bundled-with-backdoor.html}, language = {English}, urldate = {2020-09-23} } @online{center:20130222:recent:b3d3f80, author = {Microsoft Security Response Center}, title = {{Recent Cyberattacks}}, date = {2013-02-22}, organization = {Microsoft}, url = {https://blogs.technet.microsoft.com/msrc/2013/02/22/recent-cyberattacks/}, language = {English}, urldate = {2019-12-20} } @online{center:20180330:analysis:4f1feb9, author = {Qi Anxin Threat Intelligence Center}, title = {{Analysis of the latest cyber attack activity of the APT organization against sensitive institutions in China}}, date = {2018-03-30}, organization = {360 Threat Intelligence}, url = {https://ti.360.net/blog/articles/analysis-of-apt-c-09-target-china/}, language = {Chinese}, urldate = {2020-01-13} } @techreport{center:201803:oilrig:b3c95ff, author = {NYOTRON ATTACK RESPONSE CENTER}, title = {{OilRig is Back with Next-Generation Tools and Techniques}}, date = {2018-03}, institution = {Nyotron}, url = {https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018b.pdf}, language = {English}, urldate = {2019-10-13} } @online{center:20180523:sidewinderapttapt04:2f4c2cc, author = {Tencent Mimi Threat Intelligence Center}, title = {{SideWinder“响尾蛇”APT组织(T-APT-04):针对南亚的定向攻击威胁}}, date = {2018-05-23}, organization = {Tencent}, url = {https://s.tencent.com/research/report/479.html}, language = {Chinese}, urldate = {2020-01-06} } @techreport{center:20180614:cyber:b2150a3, author = {Cyber ​​Emergency Center}, title = {{Cyber ​​Emergency Center Report No. 3}}, date = {2018-06-14}, institution = {LAC}, url = {https://www.lac.co.jp/lacwatch/pdf/20180614_cecreport_vol3.pdf}, language = {English}, urldate = {2020-07-20} } @online{center:20180723:golden:acfd437, author = {Qi Anxin Threat Intelligence Center}, title = {{Golden Rat Organization-targeted attack in Syria}}, date = {2018-07-23}, organization = {360 Threat Intelligence}, url = {https://ti.360.net/blog/articles/analysis-of-apt-c-27/}, language = {Chinese}, urldate = {2020-04-28} } @online{center:20181129:analysis:08c590c, author = {Qi Anxin Threat Intelligence Center}, title = {{Analysis Of Targeted Attack Against Pakistan By Exploiting InPage Vulnerability And Related APT Groups}}, date = {2018-11-29}, organization = {360 Threat Intelligence}, url = {https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english}, language = {English}, urldate = {2020-03-02} } @online{center:20181129:analysis:d46e3e4, author = {Threat Intelligence Center}, title = {{Analysis Of Targeted Attack Against Pakistan By Exploiting InPage Vulnerability And Related APT Groups}}, date = {2018-11-29}, organization = {360 Threat Intelligence}, url = {https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/}, language = {English}, urldate = {2020-01-10} } @online{center:20181212:donot:32e8fb0, author = {Qi Anxin Threat Intelligence Center}, title = {{Donot (APT-C-35) Group Is Targeting Pakistani Businessman Working In China}}, date = {2018-12-12}, organization = {360 Threat Intelligence}, url = {https://ti.360.net/blog/articles/donot-group-is-targeting-pakistani-businessman-working-in-china-en/}, language = {English}, urldate = {2020-01-13} } @online{center:20190218:aptc36:abbf9ea, author = {Anxin Threat Intelligence Center}, title = {{APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations}}, date = {2019-02-18}, organization = {360 Threat Intelligence}, url = {https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/}, language = {English}, urldate = {2020-01-09} } @online{center:20190819:konni:5af29f8, author = {East Security Response Center}, title = {{Konni APT organization emerges as an attack disguised as Russian document}}, date = {2019-08-19}, organization = {EST Security}, url = {https://blog.alyac.co.kr/2474}, language = {Korean}, urldate = {2020-01-20} } @online{center:20191212:gallium:79f6460, author = {Microsoft Threat Intelligence Center}, title = {{GALLIUM: Targeting global telecom}}, date = {2019-12-12}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/}, language = {English}, urldate = {2020-01-07} } @techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } @online{center:20200604::a1c780b, author = {Chianxin Virus Response Center}, title = {{脚本系贼寇之风兴起,买卖体系堪比勒索软件}}, date = {2020-06-04}, url = {https://mp.weixin.qq.com/s/REXBtbnI2zXj4H3u6ofMMw}, language = {Chinese}, urldate = {2020-07-16} } @online{center:20200701::fc5fdee, author = {360 Threat Intelligence Center}, title = {{游走在东欧和中亚的奇幻熊}}, date = {2020-07-01}, organization = {360}, url = {https://mp.weixin.qq.com/s/pE_6VRDk-2aTI996sff0og}, language = {Chinese}, urldate = {2020-10-26} } @online{center:20200821:recurrence:d780ef1, author = {Baidu Security Emergency Response Center}, title = {{Recurrence and research of macro attacks under macOS}}, date = {2020-08-21}, organization = {Baidu Security Emergency Response Center}, url = {https://mp.weixin.qq.com/s/a_0Vbnr38drTZAlQfoH10A}, language = {Chinese}, urldate = {2020-08-25} } @online{center:20200825:darkhotel:cf3af4b, author = {360 Threat Intelligence Center}, title = {{Darkhotel (APT-C-06) organized multiple attacks using the Thinmon backdoor framework to reveal the secrets}}, date = {2020-08-25}, organization = {360 Threat Intelligence Center}, url = {https://mp.weixin.qq.com/s/nyxZFXgrtm2-tBiV3-wiMg}, language = {Chinese}, urldate = {2020-08-25} } @online{center:20201023:apt28:099c6cd, author = {360 Threat Intelligence Center}, title = {{APT28携小众压缩包诱饵对北约、中亚目标的定向攻击分析}}, date = {2020-10-23}, organization = {360}, url = {https://mp.weixin.qq.com/s/6R7bFs9lH1I3BNdkatCC9g}, language = {Chinese}, urldate = {2020-10-26} } @techreport{centre:20180705:nciipc:2796c50, author = {National Critical Information Infrastructure Protection Centre}, title = {{NCIIPC Newsletter July 2018}}, date = {2018-07-05}, institution = {National Critical Information Infrastructure Protection Centre}, url = {https://nciipc.gov.in/documents/NCIIPC_Newsletter_July18.pdf}, language = {English}, urldate = {2020-01-10} } @online{cepe:20100531:sasfis:7642314, author = {Joseph Cepe}, title = {{SASFIS Malware Uses a New Trick}}, date = {2010-05-31}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/sasfis-malware-uses-a-new-trick/}, language = {English}, urldate = {2020-01-09} } @techreport{cepe:20100531:sasfis:c0eab28, author = {Joseph Cepe}, title = {{SASFIS Malware Uses a New Trick}}, date = {2010-05-31}, institution = {Trend Micro}, url = {https://aptnotes.malwareconfig.com/web/viewer.html?file=../APTnotes/2014/apt28.pdf}, language = {English}, urldate = {2020-01-08} } @online{cerberus:201906:twitter:97cd9de, author = {Android Cerberus}, title = {{Twitter Account of Android Cerberus}}, date = {2019-06}, organization = {Twitter (@AndroidCerberus)}, url = {https://twitter.com/AndroidCerberus}, language = {English}, urldate = {2020-01-09} } @online{cert:20160306:network:f9244d3, author = {thyssenkrupp CERT}, title = {{Network detector for Winnti malware}}, date = {2016-03-06}, organization = {Github (TKCERT)}, url = {https://github.com/TKCERT/winnti-detector}, language = {English}, urldate = {2020-01-07} } @online{cert:20160906:kzcert:3d8bb82, author = {KZ CERT}, title = {{KZ-CERT has analyzed another sample of malicious software, which is a component of targeted attacks (Targeted attacks, Advanced Persistent Threats (APT))}}, date = {2016-09-06}, organization = {KZ CERT}, url = {http://www.kz-cert.kz/page/502}, language = {Kazakh}, urldate = {2019-10-16} } @techreport{cert:20161104:from:a139d13, author = {Antiy CERT}, title = {{FROM EQUATION TO EQUATIONS}}, date = {2016-11-04}, institution = {Antiy CERT}, url = {https://www.antiy.com/response/FROM_EQUATION_TO_EQUATIONS.pdf}, language = {English}, urldate = {2020-08-18} } @online{cert:20180423:energetic:451033f, author = {Kaspersky Lab ICS CERT}, title = {{Energetic Bear/Crouching Yeti: attacks on servers}}, date = {2018-04-23}, organization = {Kaspersky Labs}, url = {https://securelist.com/energetic-bear-crouching-yeti/85345/}, language = {English}, urldate = {2019-12-20} } @online{cert:20180522:nmap:1ee2530, author = {thyssenkrupp CERT}, title = {{Nmap Script to scan for Winnti infections}}, date = {2018-05-22}, organization = {Github (TKCERT)}, url = {https://github.com/TKCERT/winnti-nmap-script}, language = {English}, urldate = {2020-01-07} } @online{cert:20180919::c3b6955, author = {Antiy CERT}, title = {{绿斑”行动——持续多年的攻击}}, date = {2018-09-19}, url = {https://www.antiy.com/response/20180919.html}, language = {English}, urldate = {2020-08-14} } @online{cert:20190124:greyenergys:523e803, author = {Kaspersky Lab ICS CERT}, title = {{GreyEnergy’s overlap with Zebrocy}}, date = {2019-01-24}, organization = {Kaspersky Labs}, url = {https://securelist.com/greyenergys-overlap-with-zebrocy/89506/}, language = {English}, urldate = {2019-12-20} } @online{cert:20200522:analysis:fc8e2b2, author = {Antiy CERT}, title = {{Analysis of Ramsay components of Darkhotel's infiltration and isolation network}}, date = {2020-05-22}, organization = {Antiy CERT}, url = {https://www.antiy.cn/research/notice&report/research_report/20200522.html}, language = {Chinese}, urldate = {2020-05-23} } @online{cert:20200616:active:1c01229, author = {New Zealand CERT}, title = {{Active ransomware campaign leveraging remote access technologies}}, date = {2020-06-16}, organization = {New Zealand CERT}, url = {https://www.cert.govt.nz/it-specialists/advisories/active-ransomware-campaign-leveraging-remote-access-technologies/}, language = {English}, urldate = {2020-06-21} } @online{cert:20200617:targeted:4a2a126, author = {Kaspersky Lab ICS CERT}, title = {{Targeted attacks on industrial companies using Snake ransomware}}, date = {2020-06-17}, organization = {Kaspersky Labs}, url = {https://ics-cert.kaspersky.com/alerts/2020/06/17/targeted-attacks-on-industrial-companies-using-snake-ransomware/}, language = {English}, urldate = {2020-06-18} } @techreport{cert:20200924:threat:2d7986d, author = {Kaspersky Lab ICS CERT}, title = {{Threat landscape for industrial automation systems - H1 2020}}, date = {2020-09-24}, institution = {Kaspersky Labs}, url = {https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf}, language = {English}, urldate = {2020-10-04} } @online{certagid:20200713:campagna:1da46a9, author = {Cert-AgID}, title = {{Campagna sLoad v.2.9.3 veicolata via PEC}}, date = {2020-07-13}, organization = {Cert-AgID}, url = {https://cert-agid.gov.it/news/campagna-sload-v-2-9-3-veicolata-via-pec/}, language = {Italian}, urldate = {2020-07-15} } @online{certbund:20191108:spam:0630ad5, author = {CERT-Bund}, title = {{Tweet on Spam Mails containing MAZE}}, date = {2019-11-08}, organization = {Twitter (@certbund)}, url = {https://twitter.com/certbund/status/1192756294307995655}, language = {English}, urldate = {2020-01-08} } @online{certem:20180803:certfr:65e03cf, author = {CERT-EM}, title = {{CERT-FR ALERT BULLETIN}}, date = {2018-08-03}, organization = {CERT-EM}, url = {https://www.cert.ssi.gouv.fr/alerte/CERTFR-2018-ALE-008/}, language = {French}, urldate = {2020-01-08} } @techreport{certeu:20200603:cyber:681a7c2, author = {CERT-EU}, title = {{Cyber brief (June2020)}}, date = {2020-06-03}, institution = {CERT-EU}, url = {https://media.cert.europa.eu/static/MEMO/2020/TLP-WHITE-CERT-EU-CYBER-BRIEF-20-06%20v1.1.pdf}, language = {English}, urldate = {2020-06-05} } @online{certfr:20191122:rapport:c457ee8, author = {CERT-FR}, title = {{RAPPORT MENACES ET INCIDENTS DU CERT-FR}}, date = {2019-11-22}, organization = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/cti/CERTFR-2019-CTI-009/}, language = {French}, urldate = {2020-01-07} } @online{certfr:20200318:rapport:abbc7c4, author = {CERT-FR}, title = {{Rapport Menaces et Incidents du CERT-FR: Attaques par le rançongiciel Mespinoza/Pysa}}, date = {2020-03-18}, organization = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/cti/CERTFR-2020-CTI-002/}, language = {French}, urldate = {2020-03-26} } @techreport{certfr:20200423:le:4dbca96, author = {CERT-FR}, title = {{LE GROUPE CYBERCRIMINEL SILENCE}}, date = {2020-04-23}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-004.pdf}, language = {French}, urldate = {2020-05-07} } @online{certfr:20200525:indicateurs:642332f, author = {CERT-FR}, title = {{INDICATEURS DE COMPROMISSION DU CERT-FR - Objet: Le code malveillant Dridex}}, date = {2020-05-25}, organization = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/ioc/CERTFR-2020-IOC-003/}, language = {French}, urldate = {2020-06-03} } @techreport{certfr:20200525:le:ac94f72, author = {CERT-FR}, title = {{Le Code Malveillant Dridex: Origines et Usages}}, date = {2020-05-25}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-005.pdf}, language = {French}, urldate = {2020-05-26} } @techreport{certfr:20200622:volution:fba1cfa, author = {CERT-FR}, title = {{Évolution De Lactivité du Groupe Cybercriminel TA505}}, date = {2020-06-22}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf}, language = {French}, urldate = {2020-06-24} } @techreport{certfr:20200717:malware:5c58cdf, author = {CERT-FR}, title = {{The Malware Dridex: Origins and Uses}}, date = {2020-07-17}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf}, language = {English}, urldate = {2020-07-20} } @techreport{certfr:20200820:development:d518522, author = {CERT-FR}, title = {{Development of the Activity of the TA505 Cybercriminal Group}}, date = {2020-08-20}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf}, language = {English}, urldate = {2020-08-28} } @online{certfr:20200907:bulletin:f7b2023, author = {CERT-FR}, title = {{Bulletin d'alerte du CERT-FR: Recrudescence d’activité Emotet en France}}, date = {2020-09-07}, organization = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/alerte/CERTFR-2020-ALE-019/}, language = {English}, urldate = {2020-09-15} } @techreport{certil:20170424:wave:d0c610f, author = {CERT-IL}, title = {{Wave attacks against government agencies, academia and business entities in Israel}}, date = {2017-04-24}, institution = {CERT-IL}, url = {https://www.gov.il/BlobFolder/reports/attack_il/he/CERT-IL-ALERT-W-120.pdf}, language = {Hebrew}, urldate = {2020-05-18} } @online{certopmd:20190110:dnspionage:88c7100, author = {CERT-OPMD}, title = {{[DNSPIONAGE] – Focus on internal actions}}, date = {2019-01-10}, organization = {CERT-OPMD}, url = {https://blog-cert.opmd.fr/dnspionage-focus-on-internal-actions/}, language = {English}, urldate = {2020-01-09} } @online{certpa:20190110:divergent:c0ab442, author = {Cert-PA}, title = {{“Divergent” malware Fileless}}, date = {2019-01-10}, organization = {Cert-Pa}, url = {https://www.cert-pa.it/notizie/devergent-malware-fileless/}, language = {Italian}, urldate = {2019-11-23} } @online{certpa:20200310:campagna:dac7559, author = {Cert-PA}, title = {{Campagna sLoad “Star Wars Edition” veicolata via PEC}}, date = {2020-03-10}, organization = {Cert-Pa}, url = {https://www.cert-pa.it/notizie/campagna-sload-star-wars-edition-veicolata-via-pec/}, language = {Italian}, urldate = {2020-03-11} } @online{certpa:20200323:pwndlocker:3607042, author = {Cert-PA}, title = {{PwndLocker si rinnova in ProLock Ransomware}}, date = {2020-03-23}, organization = {Cert-Pa}, url = {https://www.cert-pa.it/notizie/pwndlocker-si-rinnova-in-prolock-ransomware/}, language = {Italian}, urldate = {2020-03-25} } @techreport{certpl:20110603:botnet:fd65588, author = {CERT.PL}, title = {{Botnet Hamweq - analiza}}, date = {2011-06-03}, institution = {CERT Polska / NASK}, url = {https://www.cert.pl/wp-content/uploads/2011/06/201106_hamweq.pdf}, language = {Polish}, urldate = {2019-11-28} } @online{certpl:20141215:banatrix:ff1a5a2, author = {CERT.PL}, title = {{Banatrix – an indepth look}}, date = {2014-12-15}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/banatrix-an-indepth-look/}, language = {English}, urldate = {2019-10-23} } @online{certpl:20151110:talking:d93cf24, author = {CERT.PL}, title = {{Talking to Dridex (part 0) – inside the dropper}}, date = {2015-11-10}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/talking-dridex-part-0-inside-the-dropper/}, language = {English}, urldate = {2020-01-06} } @techreport{certpl:201512:zeusp2p:47dc4ed, author = {CERT.PL}, title = {{ZeuS-P2P monitoring and analysis}}, date = {2015-12}, institution = {CERT.PL}, url = {https://www.cert.pl/wp-content/uploads/2015/12/2013-06-p2p-rap_en.pdf}, language = {English}, urldate = {2020-01-13} } @online{certpl:20191118:brushaloader:f75d346, author = {CERT.PL}, title = {{Brushaloader gaining new layers like a pro}}, date = {2019-11-18}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/brushaloader-gaining-new-layers-like-a-pro/}, language = {English}, urldate = {2020-01-13} } @online{certua:20180903:bulk:09fa177, author = {Cert-UA}, title = {{Bulk mailing of spyware like Pterodo}}, date = {2018-09-03}, organization = {Cert-UA}, url = {https://cert.gov.ua/news/42}, language = {Ukrainian}, urldate = {2020-01-08} } @online{certua:20181115:pterodo:3ed19e5, author = {Cert-UA}, title = {{Виявлена підготовка до проведення кібератаки з використанням ШПЗ типу Pterodo}}, date = {2018-11-15}, organization = {Cert-UA}, url = {https://cert.gov.ua/news/46}, language = {Ukrainian}, urldate = {2020-01-13} } @online{ch0sys:20170615:dubrute:3cb7c5a, author = {ch0sys}, title = {{DUBrute}}, date = {2017-06-15}, organization = {Github (ch0sys)}, url = {https://github.com/ch0sys/DUBrute}, language = {English}, urldate = {2020-01-08} } @online{chang:20160603:sends:176f9ab, author = {Yin Hong Chang and Sudeep Singh}, title = {{APT Group Sends Spear Phishing Emails to Indian Government Officials}}, date = {2016-06-03}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2016/06/apt_group_sends_spea.html}, language = {English}, urldate = {2019-12-20} } @online{chang:20170619:erebus:dee1998, author = {Ziv Chang and Gilbert Sison and Jeanne Jocson}, title = {{Erebus Resurfaces as Linux Ransomware}}, date = {2017-06-19}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/erebus-resurfaces-as-linux-ransomware/}, language = {English}, urldate = {2020-01-08} } @online{channell:20200612:what:af937e9, author = {Justin Channell}, title = {{What is the Gibberish Hack?}}, date = {2020-06-12}, organization = {SUCURI}, url = {https://blog.sucuri.net/2020/06/gibberish-hack.html}, language = {English}, urldate = {2020-06-16} } @online{charlie:20200713:fell:f278f19, author = {Charlie}, title = {{Fell Deeds Awake}}, date = {2020-07-13}, organization = {Cofense}, url = {https://cofenselabs.com/fell-deeds-awake/}, language = {English}, urldate = {2020-07-15} } @online{chaturvedi:20200710:deep:f2d16c7, author = {Rohit Chaturvedi and Naveen Selvan}, title = {{Deep Dive Into the M00nD3V Logger}}, date = {2020-07-10}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/deep-dive-m00nd3v-logger}, language = {English}, urldate = {2020-07-16} } @online{chaudhari:20171003:evolution:5462d67, author = {Pavankumar Chaudhari}, title = {{Evolution of jRAT JAVA Malware}}, date = {2017-10-03}, organization = {Seqrite}, url = {https://blogs.seqrite.com/evolution-of-jrat-java-malware/}, language = {English}, urldate = {2020-01-06} } @online{chaudhari:20200512:java:47c27e7, author = {Pavankumar Chaudhari}, title = {{Java RAT Campaign Targets Co-Operative Banks in India}}, date = {2020-05-12}, organization = {Seqrite}, url = {https://www.seqrite.com/blog/java-rat-campaign-targets-co-operative-banks-in-india/}, language = {English}, urldate = {2020-05-23} } @online{chaudhari:20200810:gorgon:3a961be, author = {Pavankumar Chaudhari}, title = {{Gorgon APT targeting MSME sector in India}}, date = {2020-08-10}, organization = {Seqrite}, url = {https://www.seqrite.com/blog/gorgon-apt-targeting-msme-sector-in-india/}, language = {English}, urldate = {2020-08-13} } @online{chebyshev:20200225:mobile:e40c963, author = {Victor Chebyshev}, title = {{Mobile malware evolution 2019}}, date = {2020-02-25}, organization = {Kaspersky Labs}, url = {https://securelist.com/mobile-malware-evolution-2019/96280/}, language = {English}, urldate = {2020-02-26} } @techreport{checkpoint:20131212:malware:45645af, author = {Checkpoint}, title = {{Malware Research Group HIMAN Malware Analysis}}, date = {2013-12-12}, institution = {Checkpoint}, url = {https://www.checkpoint.com/threatcloud-central/downloads/check-point-himan-malware-analysis.pdf}, language = {English}, urldate = {2019-12-17} } @online{checkpoint:20190204:speakup:9fa2718, author = {Checkpoint}, title = {{SpeakUp: A New Undetected Backdoor Linux Trojan}}, date = {2019-02-04}, organization = {Checkpoint}, url = {https://research.checkpoint.com/speakup-a-new-undetected-backdoor-linux-trojan/}, language = {English}, urldate = {2019-07-11} } @online{checkpoint:20200721:how:5980135, author = {Checkpoint}, title = {{How scammers are hiding their phishing trips in public clouds}}, date = {2020-07-21}, organization = {Checkpoint}, url = {https://blog.checkpoint.com/2020/07/21/how-scammers-are-hiding-their-phishing-trips-in-public-clouds/}, language = {English}, urldate = {2020-07-30} } @online{chen:20140602:sinowal:6d7af96, author = {Chao Chen}, title = {{Sinowal banking trojan}}, date = {2014-06-02}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2014/06/sinowal-banking-trojan}, language = {English}, urldate = {2020-01-10} } @online{chen:20151217:slembunk:df100af, author = {Zhaofeng Chen and Jimmy Su and Wu Zhou and Jing Xie and Heqing Huang}, title = {{SlemBunk: An Evolving Android Trojan Family Targeting Users of Worldwide Banking Apps}}, date = {2015-12-17}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2015/12/slembunk_an_evolvin.html}, language = {English}, urldate = {2019-12-20} } @online{chen:20160622:after:aaa03f7, author = {Joseph C Chen}, title = {{After Angler: Shift in Exploit Kit Landscape and New Crypto-Ransomware Activity}}, date = {2016-06-22}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/angler-shift-ek-landscape-new-crytpo-ransomware-activity/}, language = {English}, urldate = {2019-10-12} } @online{chen:20161027:blackgear:00f52d4, author = {Joey Chen and MingYen Hsieh}, title = {{BLACKGEAR Espionage Campaign Evolves, Adds Japan To Target List}}, date = {2016-10-27}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/blackgear-espionage-campaign-evolves-adds-japan-target-list/}, language = {English}, urldate = {2019-12-18} } @online{chen:20171107:redbaldknightbronze:63a08fe, author = {Joey Chen and MingYen Hsieh}, title = {{REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography}}, date = {2017-11-07}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/}, language = {English}, urldate = {2020-01-09} } @online{chen:20180717:blackgear:69b5213, author = {Joey Chen}, title = {{Blackgear Cyberespionage Campaign Resurfaces, Abuses Social Media for C&C Communication}}, date = {2018-07-17}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/blackgear-cyberespionage-campaign-resurfaces-abuses-social-media-for-cc-communication/}, language = {English}, urldate = {2020-01-13} } @online{chen:20180918:magecart:af83872, author = {Joseph C Chen}, title = {{Magecart Skimming Attack Targets Mobile Users of Hotel Chain Booking Websites}}, date = {2018-09-18}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/magecart-skimming-attack-targets-mobile-users-of-hotel-chain-booking-websites/}, language = {English}, urldate = {2020-01-08} } @online{chen:20190418:predator:5135f9f, author = {Yueh-Ting Chen and Evgeny Ananin}, title = {{Predator the Thief: New Routes of Delivery}}, date = {2019-04-18}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/predator-the-thief-new-routes-delivery.html}, language = {English}, urldate = {2019-12-17} } @online{chen:20190503:mirrorthief:05f07e5, author = {Joseph C Chen}, title = {{Mirrorthief Group Uses Magecart Skimming Attack to Hit Hundreds of Campus Online Stores in US and Canada}}, date = {2019-05-03}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/mirrorthief-group-uses-magecart-skimming-attack-to-hit-hundreds-of-campus-online-stores-in-us-and-canada/}, language = {English}, urldate = {2019-11-27} } @online{chen:20191009:fin6:11bb05d, author = {Joseph C. Chen}, title = {{FIN6 Compromised E-commerce Platform via Magecart to Inject Credit Card Skimmers Into Thousands of Online Shops}}, date = {2019-10-09}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/fin6-compromised-e-commerce-platform-via-magecart-to-inject-credit-card-skimmers-into-thousands-of-online-shops/}, language = {English}, urldate = {2020-02-25} } @techreport{chen:20191129:operation:16f5aaa, author = {Joey Chen and Hiroyuki Kakara and Masaoki Shoji}, title = {{Operation ENDTRADE:TICK: 2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data}}, date = {2019-11-29}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf}, language = {English}, urldate = {2020-06-02} } @online{chen:20191129:operation:749d75d, author = {Joey Chen and Hiroyuki Kakara and Masaoki Shoji}, title = {{Operation ENDTRADE: Finding Multi-Stage Backdoors that TICK}}, date = {2019-11-29}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/operation-endtrade-finding-multi-stage-backdoors-that-tick/}, language = {English}, urldate = {2019-12-17} } @online{chen:20200217:clambling:1a0bb8e, author = {Theo Chen and Zero Chen}, title = {{CLAMBLING - A New Backdoor Base On Dropbox}}, date = {2020-02-17}, organization = {Talent-Jump Technologies}, url = {http://www.talent-jump.com/article/2020/02/17/CLAMBLING-A-New-Backdoor-Base-On-Dropbox-en/}, language = {English}, urldate = {2020-03-30} } @online{chen:20200512:tropic:8fff7a4, author = {Joey Chen}, title = {{Tropic Trooper’s Back: USBferry Attack Targets Air-gapped Environments}}, date = {2020-05-12}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-troopers-back-usbferry-attack-targets-air-gapped-environments/}, language = {English}, urldate = {2020-05-14} } @techreport{chen:20200512:tropic:a3285d0, author = {Joey Chen}, title = {{Tropic Trooper’s Back: USBferry Attack Targets Air-gapped Environments (Technical Brief)}}, date = {2020-05-12}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf}, language = {English}, urldate = {2020-05-14} } @online{chen:20200626:us:8bce65c, author = {Joseph C Chen}, title = {{US Local Government Services Targeted by New Magecart Credit Card Skimming Attack}}, date = {2020-06-26}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/us-local-government-services-targeted-by-new-magecart-credit-card-skimming-attack/}, language = {English}, urldate = {2020-06-30} } @online{chen:20200806:water:e7860e3, author = {Marshall Chen and Loseway Lu and Yorkbing Yap and Fyodor Yarochkin}, title = {{Water Nue Phishing Campaign Targets C-Suite’s Office 365 Accounts}}, date = {2020-08-06}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/water-nue-campaign-targets-c-suites-office-365-accounts/}, language = {English}, urldate = {2020-08-13} } @online{chen:20200902:cybersquatting:b5f5a8f, author = {Zhanhao Chen and Janos Szurdi}, title = {{Cybersquatting: Attackers Mimicking Domains of Major Brands Including Facebook, Apple, Amazon and Netflix to Scam Consumers}}, date = {2020-09-02}, organization = {paloalto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/cybersquatting/}, language = {English}, urldate = {2020-09-03} } @online{cheng:20170421:china:8c7d327, author = {Jonathan Cheng and Josh Chin}, title = {{China Hacked South Korea Over Missile Defense, U.S. Firm Says}}, date = {2017-04-21}, organization = {The Wall Street Journal}, url = {https://www.wsj.com/articles/chinas-secret-weapon-in-south-korea-missile-fight-hackers-1492766403}, language = {English}, urldate = {2020-08-17} } @online{cheng:20170421:china:ab10228, author = {Jonathan Cheng and Josh Chin}, title = {{China Hacked South Korea Over Missile Defense, U.S. Firm Says}}, date = {2017-04-21}, organization = {The Wall Street Journal}, url = {https://www.wsj.com/articles/chinas-secret-weapon-in-south-korea-missile-fight-hackers-1492766403?emailToken=JRrydPtyYnqTg9EyZsw31FwuZ7JNEOKCXF7LaW/HM1DLsjnUp6e6wLgph560pnmiTAN/5ssf7moyADPQj2p2Gc+YkL1yi0zhIiUM9M6aj1HTYQ==}, language = {English}, urldate = {2020-01-06} } @techreport{cherepanov:20141113:roaming:1b09324, author = {Anton Cherepanov}, title = {{Roaming tiger}}, date = {2014-11-13}, institution = {ZeroNights}, url = {http://2014.zeronights.org/assets/files/slides/roaming_tiger_zeronights_2014.pdf}, language = {English}, urldate = {2020-01-09} } @online{cherepanov:20150908:carbanak:c9457cd, author = {Anton Cherepanov}, title = {{Carbanak gang is back and packing new guns}}, date = {2015-09-08}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2015/09/08/carbanak-gang-is-back-and-packing-new-guns/}, language = {English}, urldate = {2019-11-14} } @techreport{cherepanov:20160517:operation:e907b67, author = {Anton Cherepanov}, title = {{Operation Groundbait: Analysis of a surveillance toolkit}}, date = {2016-05-17}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdf}, language = {English}, urldate = {2019-10-25} } @online{cherepanov:20161213:rise:d6ee3c1, author = {Anton Cherepanov}, title = {{The rise of TeleBots: Analyzing disruptive KillDisk attacks}}, date = {2016-12-13}, organization = {ESET Research}, url = {http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/}, language = {English}, urldate = {2019-12-20} } @online{cherepanov:20170523:xdata:98a14a3, author = {Anton Cherepanov}, title = {{XData ransomware making rounds amid global WannaCryptor scare}}, date = {2017-05-23}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/05/23/xdata-ransomware-making-rounds-amid-global-wannacryptor-scare/}, language = {English}, urldate = {2020-01-13} } @online{cherepanov:20170612:industroyer:15f0bec, author = {Anton Cherepanov and Robert Lipovsky}, title = {{Industroyer: Biggest threat to industrial control systems since Stuxnet}}, date = {2017-06-12}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/}, language = {English}, urldate = {2019-11-14} } @techreport{cherepanov:20170612:win32industroyer:060c0e6, author = {Anton Cherepanov}, title = {{WIN32/INDUSTROYER: A new threat for industrial control systems}}, date = {2017-06-12}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf}, language = {English}, urldate = {2020-01-13} } @online{cherepanov:20170630:telebots:84aa93d, author = {Anton Cherepanov}, title = {{TeleBots are back: Supply‑chain attacks against Ukraine}}, date = {2017-06-30}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/}, language = {English}, urldate = {2019-12-20} } @techreport{cherepanov:20170703:blackenergy:2403feb, author = {Anton Cherepanov and Robert Lipovsky}, title = {{BlackEnergy – what we really know about the notorious cyber attacks}}, date = {2017-07-03}, institution = {ESET Research}, url = {https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Cherepanov-Lipovsky.pdf}, language = {English}, urldate = {2019-10-14} } @online{cherepanov:20170704:analysis:37c48b2, author = {Anton Cherepanov}, title = {{Analysis of TeleBots’ cunning backdoor}}, date = {2017-07-04}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/}, language = {English}, urldate = {2019-11-14} } @online{cherepanov:20171005:industroyer:4406e62, author = {Anton Cherepanov and Robert Lipovsky}, title = {{Industroyer: Biggest threat to industrial control systems since Stuxnet}}, date = {2017-10-05}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/conference/vb2017/abstracts/last-minute-paper-industroyer-biggest-threat-industrial-control-systems-stuxnet/}, language = {English}, urldate = {2020-01-09} } @online{cherepanov:20180709:certificates:ae214b6, author = {Anton Cherepanov}, title = {{Certificates stolen from Taiwanese tech‑companies misused in Plead malware campaign}}, date = {2018-07-09}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/07/09/certificates-stolen-taiwanese-tech-companies-plead-malware-campaign/}, language = {English}, urldate = {2019-11-14} } @online{cherepanov:20181011:new:8e588c3, author = {Anton Cherepanov and Robert Lipovsky}, title = {{New TeleBots backdoor: First evidence linking Industroyer to NotPetya}}, date = {2018-10-11}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/}, language = {English}, urldate = {2019-11-14} } @online{cherepanov:20181017:eset:c34687b, author = {Anton Cherepanov and Robert Lipovsky}, title = {{ESET unmasks ‘GREYENERGY’ cyber-espionage group}}, date = {2018-10-17}, organization = {ESET Research}, url = {https://www.eset.com/int/greyenergy-exposed/}, language = {English}, urldate = {2020-01-13} } @online{cherepanov:20181017:greyenergy:f328dbf, author = {Anton Cherepanov and Robert Lipovsky}, title = {{GreyEnergy: Updated arsenal of one of the most dangerous threat actors}}, date = {2018-10-17}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/}, language = {English}, urldate = {2020-01-07} } @techreport{cherepanov:20181018:greyenergy:9885d0c, author = {Anton Cherepanov}, title = {{GREYENERGY: A successor to BlackEnergy}}, date = {2018-10-18}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf}, language = {English}, urldate = {2020-01-09} } @online{cherepanov:20190514:plead:3140588, author = {Anton Cherepanov}, title = {{Plead malware distributed via MitM attacks at router level, misusing ASUS WebStorage}}, date = {2019-05-14}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/05/14/plead-malware-mitm-asus-webstorage/}, language = {English}, urldate = {2019-11-14} } @online{cherepanov:20200910:who:2fdc6a6, author = {Anton Cherepanov}, title = {{Who is calling? CDRThief targets Linux VoIP softswitches}}, date = {2020-09-10}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/09/10/who-callin-cdrthief-linux-voip-softswitches/}, language = {English}, urldate = {2020-09-15} } @online{chester:20170813:analysis:11db4f8, author = {Adam Chester}, title = {{Analysis of APT28 hospitality malware (Part 2)}}, date = {2017-08-13}, url = {https://blog.xpnsec.com/apt28-hospitality-malware-part-2/}, language = {English}, urldate = {2020-01-08} } @online{chester:20190510:exploring:758b4e8, author = {Adam Chester}, title = {{Exploring Mimikatz - Part 1 - WDigest}}, date = {2019-05-10}, organization = {XPN Blog}, url = {https://blog.xpnsec.com/exploring-mimikatz-part-1/}, language = {English}, urldate = {2020-09-01} } @online{chiang:20070403:case:5dd68c2, author = {Ken Chiang and Levi Lloyd}, title = {{A Case Study of the Rustock Rootkit and Spam Bot}}, date = {2007-04-03}, organization = {USENIX}, url = {https://www.usenix.org/legacy/event/hotbots07/tech/full_papers/chiang/chiang_html/index.html}, language = {English}, urldate = {2019-12-17} } @techreport{chien:2011:nitro:76c8338, author = {Eric Chien and Gavin O'Gorman}, title = {{The Nitro Attacks}}, date = {2011}, institution = {Symantec}, url = {http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_nitro_attacks.pdf}, language = {English}, urldate = {2020-01-13} } @online{chili:20180201:operation:305d726, author = {Ivona Alexandra Chili and Bogdan Botezatu}, title = {{Operation PZChao: a possible return of the Iron Tiger APT}}, date = {2018-02-01}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/}, language = {English}, urldate = {2020-01-05} } @online{chimino:20190206:icedid:ef0caad, author = {Itzik Chimino and Limor Kessem and Ophir Harpaz}, title = {{IcedID Operators Using ATSEngine Injection Panel to Hit E-Commerce Sites}}, date = {2019-02-06}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/icedid-operators-using-atsengine-injection-panel-to-hit-e-commerce-sites/}, language = {English}, urldate = {2020-01-08} } @online{chirgwin:20180110:taiwanese:1ccf7ce, author = {Richard Chirgwin}, title = {{Taiwanese cops give malware-laden USB sticks as prizes for security quiz}}, date = {2018-01-10}, organization = {The Register}, url = {https://www.theregister.co.uk/2018/01/10/taiwanese_police_malware/}, language = {English}, urldate = {2020-01-09} } @online{chiu:20170621:player:b44064a, author = {Alex Chiu and Warren Mercer and Jaeson Schultz and Sean Baird and Matthew Molyett}, title = {{Player 1 Limps Back Into the Ring - Hello again, Locky!}}, date = {2017-06-21}, organization = {Cisco}, url = {http://blog.talosintelligence.com/2017/06/necurs-locky-campaign.html}, language = {English}, urldate = {2019-12-17} } @online{chohan:20180816:chinese:91aaa15, author = {Sanil Chohan and Winnona Desombre and Justin Grosfelt}, title = {{Chinese Cyberespionage Originating From Tsinghua University Infrastructure}}, date = {2018-08-16}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/chinese-cyberespionage-operations/}, language = {English}, urldate = {2020-01-09} } @online{chokepoint:20170417:azazel:0fc47c6, author = {chokepoint}, title = {{Azazel}}, date = {2017-04-17}, organization = {Github (chokepoint)}, url = {https://github.com/chokepoint/azazel}, language = {English}, urldate = {2020-01-10} } @online{chong:20120416:detailed:3f191a4, author = {Rong Hwa Chong}, title = {{Detailed Analysis Of Sykipot (Smartcard Proxy Variant)}}, date = {2012-04-16}, organization = {SANS}, url = {https://www.sans.org/reading-room/whitepapers/malicious/detailed-analysis-sykipot-smartcard-proxy-variant-33919}, language = {English}, urldate = {2020-01-07} } @online{chong:20130401:trojanaptbanechant:3b8eea7, author = {Rong Hwa Chong}, title = {{Trojan.APT.BaneChant: In-Memory Trojan That Observes for Multiple Mouse Clicks}}, date = {2013-04-01}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2013/04/trojan-apt-banechant-in-memory-trojan-that-observes-for-multiple-mouse-clicks.html}, language = {English}, urldate = {2020-07-15} } @online{chris:20140501:hunting:bcefc84, author = {Chris}, title = {{Hunting Hidden Lynx: How OSINT is Crucial for APT Analysis}}, date = {2014-05-01}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/hidden-lynx-analysis/}, language = {English}, urldate = {2020-01-07} } @online{chrisjd20:20170512:powershellwebbackdoor:ceb76d4, author = {chrisjd20}, title = {{powershell_web_backdoor}}, date = {2017-05-12}, organization = {Github (chrisjd20)}, url = {https://github.com/chrisjd20/powershell_web_backdoor}, language = {English}, urldate = {2020-01-06} } @online{chrysaidos:20151104:droidjack:d4ab0f5, author = {Nikolaos Chrysaidos}, title = {{DroidJack isn’t the only spying software out there: Avast discovers OmniRat}}, date = {2015-11-04}, organization = {Avast}, url = {https://blog.avast.com/2015/11/05/droidjack-isnt-the-only-spying-software-out-there-avast-discovers-that-omnirat-is-currently-being-used-and-spread-by-criminals-to-gain-full-remote-co}, language = {English}, urldate = {2019-12-10} } @online{chrysaidos:20171220:new:6ebc559, author = {Nikolaos Chrysaidos}, title = {{New version of mobile malware Catelites possibly linked to Cron cyber gang}}, date = {2017-12-20}, organization = {Avast}, url = {https://blog.avast.com/new-version-of-mobile-malware-catelites-possibly-linked-to-cron-cyber-gang}, language = {English}, urldate = {2020-01-07} } @online{chumley:20140529:iranian:38c457f, author = {Cheryl K. Chumley}, title = {{Iranian hackers sucker punch U.S. defense officials with creative social-media scam}}, date = {2014-05-29}, organization = {The Washington Times}, url = {https://www.washingtontimes.com/news/2014/may/29/iranian-hackers-sucker-punch-us-defense-heads-crea/}, language = {English}, urldate = {2020-01-06} } @online{ciccarelli:20191121:going:0e7cac5, author = {Mario Ciccarelli}, title = {{Going Deep | A Guide to Reversing Smoke Loader Malware}}, date = {2019-11-21}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/going-deep-a-guide-to-reversing-smoke-loader-malware/}, language = {English}, urldate = {2020-01-07} } @online{cid:20140318:windigo:7fd6adb, author = {Daniel B. Cid}, title = {{Windigo Linux Analysis – Ebury and Cdorked}}, date = {2014-03-18}, url = {https://blog.sucuri.net/2014/03/windigo-linux-analysis-ebury-and-cdorked.html}, language = {English}, urldate = {2019-12-18} } @online{cimpanu:20160112:trochilus:2b0bc1c, author = {Catalin Cimpanu}, title = {{Trochilus RAT Evades Antivirus Detection, Used for Cyber-Espionage in South-East Asia}}, date = {2016-01-12}, organization = {Softpedia News}, url = {https://news.softpedia.com/news/trochilus-rat-evades-antivirus-detection-used-for-cyber-espionage-in-south-east-asia-498776.shtml}, language = {English}, urldate = {2020-01-13} } @online{cimpanu:20160309:korean:06f01a0, author = {Catalin Cimpanu}, title = {{Korean Energy and Transportation Targets Attacked by OnionDog APT}}, date = {2016-03-09}, organization = {SOFTPEDIA® NEWS}, url = {http://news.softpedia.com/news/korean-energy-and-transportation-targets-attacked-by-oniondog-apt-501534.shtml}, language = {English}, urldate = {2019-12-24} } @online{cimpanu:20160911:free:c125edd, author = {Catalin Cimpanu}, title = {{Free Darktrack RAT Has the Potential of Being the Best RAT on the Market Search}}, date = {2016-09-11}, organization = {Softpedia News}, url = {http://news.softpedia.com/news/free-darktrack-rat-has-the-potential-of-being-the-best-rat-on-the-market-508179.shtml}, language = {English}, urldate = {2019-12-17} } @online{cimpanu:20161209:proof:25c0bdd, author = {Catalin Cimpanu}, title = {{"Proof of Concept" CryptoWire Ransomware Spawns Lomix and UltraLocker Families}}, date = {2016-12-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/-proof-of-concept-cryptowire-ransomware-spawns-lomix-and-ultralocker-families/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20170104:firecrypt:5b965cd, author = {Catalin Cimpanu}, title = {{FireCrypt Ransomware Comes With a DDoS Component}}, date = {2017-01-04}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/firecrypt-ransomware-comes-with-a-ddos-component/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20170117:new:3c28f96, author = {Catalin Cimpanu}, title = {{New GhostAdmin Malware Used for Data Theft and Exfiltration}}, date = {2017-01-17}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-ghostadmin-malware-used-for-data-theft-and-exfiltration/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20170206:polish:577f33c, author = {Catalin Cimpanu}, title = {{Polish Banks Infected with Malware Hosted on Their Own Government's Site}}, date = {2017-02-06}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/polish-banks-infected-with-malware-hosted-on-their-own-governments-site/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20170410:longhorn:97fddcb, author = {Catalin Cimpanu}, title = {{Longhorn Cyber-Espionage Group Is Actually the CIA}}, date = {2017-04-10}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/longhorn-cyber-espionage-group-is-actually-the-cia/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20170421:brickerbot:658d8b8, author = {Catalin Cimpanu}, title = {{BrickerBot Author Claims He Bricked Two Million Devices}}, date = {2017-04-21}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/brickerbot-author-claims-he-bricked-two-million-devices/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20170622:locky:4a088f0, author = {Catalin Cimpanu}, title = {{Locky Ransomware Returns, but Targets Only Windows XP & Vista}}, date = {2017-06-22}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/locky-ransomware-returns-but-targets-only-windows-xp-and-vista/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20170629:ransomware:d2d7b40, author = {Catalin Cimpanu}, title = {{Ransomware Attacks Continue in Ukraine with Mysterious WannaCry Clone}}, date = {2017-06-29}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ransomware-attacks-continue-in-ukraine-with-mysterious-wannacry-clone/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20170826:us:0d7249a, author = {Catalin Cimpanu}, title = {{US Arrests Chinese Man Involved With Sakula Malware Used in OPM and Anthem Hacks}}, date = {2017-08-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/us-arrests-chinese-man-involved-with-sakula-malware-used-in-opm-and-anthem-hacks/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20171101:cryptoshuffler:64a3db4, author = {Catalin Cimpanu}, title = {{CryptoShuffler Stole $150,000 by Replacing Bitcoin Wallet IDs in PC Clipboards}}, date = {2017-11-01}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/cryptoshuffler-stole-150-000-by-replacing-bitcoin-wallet-ids-in-pc-clipboards/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20171109:ordinypt:cc9c071, author = {Catalin Cimpanu}, title = {{Ordinypt Ransomware Intentionally Destroys Files, Currently Targeting Germany}}, date = {2017-11-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ordinypt-ransomware-intentionally-destroys-files-currently-targeting-germany/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20171124:mirai:ea4773e, author = {Catalin Cimpanu}, title = {{Mirai Activity Picks up Once More After Publication of PoC Exploit Code}}, date = {2017-11-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/mirai-activity-picks-up-once-more-after-publication-of-poc-exploit-code/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20171211:brickerbot:52db283, author = {Catalin Cimpanu}, title = {{BrickerBot Author Retires Claiming to Have Bricked over 10 Million IoT Devices}}, date = {2017-12-11}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/brickerbot-author-retires-claiming-to-have-bricked-over-10-million-iot-devices/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20171212:moneytaker:b5f4fbb, author = {Catalin Cimpanu}, title = {{MoneyTaker Hacker Group Steals Millions from US and Russian Banks}}, date = {2017-12-12}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/moneytaker-hacker-group-steals-millions-from-us-and-russian-banks/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20180124:new:90c5883, author = {Catalin Cimpanu}, title = {{New HNS IoT Botnet Has Already Amassed 14K Bots}}, date = {2018-01-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-hns-iot-botnet-has-already-amassed-14k-bots/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20180226:nanocore:4659d30, author = {Catalin Cimpanu}, title = {{Nanocore RAT Author Gets 33 Months in Prison}}, date = {2018-02-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/nanocore-rat-author-gets-33-months-in-prison/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20180418:stresspaint:640ad68, author = {Catalin Cimpanu}, title = {{Stresspaint Malware Steals Facebook Credentials and Session Cookies}}, date = {2018-04-18}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/stresspaint-malware-steals-facebook-credentials-and-session-cookies/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20180427:north:b7ed973, author = {Catalin Cimpanu}, title = {{North Korean Hackers Are up to No Good Again}}, date = {2018-04-27}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/north-korean-hackers-are-up-to-no-good-again/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20180508:hide:5ab3dfd, author = {Catalin Cimpanu}, title = {{"Hide and Seek" Becomes First IoT Botnet Capable of Surviving Device Reboots}}, date = {2018-05-08}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/hide-and-seek-becomes-first-iot-botnet-capable-of-surviving-device-reboots/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20180612:trik:137e306, author = {Catalin Cimpanu}, title = {{Trik Spam Botnet Leaks 43 Million Email Addresses}}, date = {2018-06-12}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/trik-spam-botnet-leaks-43-million-email-addresses/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20180614:dbger:c326e0a, author = {Catalin Cimpanu}, title = {{DBGer Ransomware Uses EternalBlue and Mimikatz to Spread Across Networks}}, date = {2018-06-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/dbger-ransomware-uses-eternalblue-and-mimikatz-to-spread-across-networks/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20180615:chinese:e0be0ab, author = {Catalin Cimpanu}, title = {{Chinese Cyber-Espionage Group Hacked Government Data Center}}, date = {2018-06-15}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/chinese-cyber-espionage-group-hacked-government-data-center/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20180615:hacker:e0452dd, author = {Catalin Cimpanu}, title = {{Hacker Breaches Syscoin GitHub Account and Poisons Official Client}}, date = {2018-06-15}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/hacker-breaches-syscoin-github-account-and-poisons-official-client/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20180706:hns:c7115f1, author = {Catalin Cimpanu}, title = {{HNS Evolves From IoT to Cross-Platform Botnet}}, date = {2018-07-06}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/hns-evolves-from-iot-to-cross-platform-botnet/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20180719:router:38a2d38, author = {Catalin Cimpanu}, title = {{Router Crapfest: Malware Author Builds 18,000-Strong Botnet in a Day}}, date = {2018-07-19}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/router-crapfest-malware-author-builds-18-000-strong-botnet-in-a-day/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20180728:new:b35a74a, author = {Catalin Cimpanu}, title = {{New Underminer Exploit Kit Discovered Pushing Bootkits and CoinMiners}}, date = {2018-07-28}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-underminer-exploit-kit-discovered-pushing-bootkits-and-coinminers/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20180821:microsoft:bc5c2f0, author = {Catalin Cimpanu}, title = {{Microsoft Disrupts APT28 Hacking Campaign Aimed at US Midterm Elections}}, date = {2018-08-21}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/microsoft-disrupts-apt28-hacking-campaign-aimed-at-us-midterm-elections/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20180823:lazarus:e929232, author = {Catalin Cimpanu}, title = {{Lazarus Group Deploys Its First Mac Malware in Cryptocurrency Exchange Hack}}, date = {2018-08-23}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/lazarus-group-deploys-its-first-mac-malware-in-cryptocurrency-exchange-hack/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20180824:iranian:04296ee, author = {Catalin Cimpanu}, title = {{Iranian Hackers Charged in March Are Still Actively Phishing Universities}}, date = {2018-08-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/iranian-hackers-charged-in-march-are-still-actively-phishing-universities/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20180905:new:c1c9e19, author = {Catalin Cimpanu}, title = {{New Silence hacking group suspected of having ties to cyber-security industry}}, date = {2018-09-05}, organization = {ZDNet}, url = {https://www.zdnet.com/article/new-silence-hacking-group-suspected-of-having-ties-to-cyber-security-industry/}, language = {English}, urldate = {2019-12-19} } @online{cimpanu:20190116:north:8f56bd0, author = {Catalin Cimpanu}, title = {{North Korean hackers infiltrate Chile's ATM network after Skype job interview}}, date = {2019-01-16}, organization = {ZDNet}, url = {https://www.zdnet.com/article/north-korean-hackers-infiltrate-chiles-atm-network-after-skype-job-interview/}, language = {English}, urldate = {2020-01-10} } @online{cimpanu:20190214:127:78132dd, author = {Catalin Cimpanu}, title = {{127 million user records from 8 companies put up for sale on the dark web}}, date = {2019-02-14}, organization = {ZDNet}, url = {https://www.zdnet.com/article/127-million-user-records-from-8-companies-put-up-for-sale-on-the-dark-web/}, language = {English}, urldate = {2019-12-24} } @online{cimpanu:20190217:hacker:19fe800, author = {Catalin Cimpanu}, title = {{Hacker puts up for sale third round of hacked databases on the Dark Web}}, date = {2019-02-17}, organization = {ZDNet}, url = {https://www.zdnet.com/article/hacker-puts-up-for-sale-third-round-of-hacked-databases-on-the-dark-web/}, language = {English}, urldate = {2020-01-10} } @online{cimpanu:20190317:round:53521b8, author = {Catalin Cimpanu}, title = {{Round 4: Hacker returns and puts 26Mil user records for sale on the Dark Web}}, date = {2019-03-17}, organization = {ZDNet}, url = {https://www.zdnet.com/article/round-4-hacker-returns-and-puts-26mil-user-records-for-sale-on-the-dark-web/}, language = {English}, urldate = {2019-12-15} } @online{cimpanu:20190415:hacker:4b851e8, author = {Catalin Cimpanu}, title = {{A hacker has dumped nearly one billion user records over the past two months}}, date = {2019-04-15}, organization = {ZDNet}, url = {https://www.zdnet.com/article/a-hacker-has-dumped-nearly-one-billion-user-records-over-the-past-two-months/}, language = {English}, urldate = {2020-01-05} } @online{cimpanu:20190419:security:683479e, author = {Catalin Cimpanu}, title = {{Security researcher MalwareTech pleads guilty}}, date = {2019-04-19}, organization = {ZDNet}, url = {https://www.zdnet.com/article/security-researcher-malwaretech-pleads-guilty/}, language = {English}, urldate = {2020-01-13} } @online{cimpanu:20190509:new:f8a3f46, author = {Catalin Cimpanu}, title = {{New leaks of Iranian cyber-espionage operations hit Telegram and the Dark Web}}, date = {2019-05-09}, organization = {ZDNet}, url = {https://www.zdnet.com/article/new-leaks-of-iranian-cyber-espionage-operations-hit-telegram-and-the-dark-web/}, language = {English}, urldate = {2020-01-09} } @online{cimpanu:20191010:new:3f09021, author = {Catalin Cimpanu}, title = {{New espionage malware found targeting Russian-speaking users in Eastern Europe}}, date = {2019-10-10}, organization = {ZDNet}, url = {https://www.zdnet.com/article/new-espionage-malware-found-targeting-russian-speaking-users-in-eastern-europe/}, language = {English}, urldate = {2020-01-06} } @online{cimpanu:20191120:new:f9c81de, author = {Catalin Cimpanu}, title = {{New Roboto botnet emerges targeting Linux servers running Webmin}}, date = {2019-11-20}, organization = {ZDNet}, url = {https://www.zdnet.com/article/new-roboto-botnet-emerges-targeting-linux-servers-running-webmin}, language = {English}, urldate = {2019-12-17} } @online{cimpanu:20191123:extensive:4db6fce, author = {Catalin Cimpanu}, title = {{Extensive hacking operation discovered in Kazakhstan}}, date = {2019-11-23}, organization = {ZDNet}, url = {https://www.zdnet.com/article/extensive-hacking-operation-discovered-in-kazakhstan/}, language = {English}, urldate = {2020-01-08} } @online{cimpanu:20200108:naive:31da98b, author = {Catalin Cimpanu}, title = {{Naive IoT botnet wastes its time mining cryptocurrency}}, date = {2020-01-08}, organization = {ZDNet}, url = {https://www.zdnet.com/article/naive-iot-botnet-wastes-its-time-mining-cryptocurrency/}, language = {English}, urldate = {2020-01-13} } @online{cimpanu:20200123:someone:fb903da, author = {Catalin Cimpanu}, title = {{Someone is uninstalling the Phorpiex malware from infected PCs and telling users to install an antivirus}}, date = {2020-01-23}, organization = {ZDNet}, url = {https://www.zdnet.com/article/someone-is-uninstalling-the-phorpiex-malware-from-infected-pcs-and-telling-users-to-install-an-antivirus/}, language = {English}, urldate = {2020-01-27} } @online{cimpanu:20200129:dod:57de65d, author = {Catalin Cimpanu}, title = {{DOD contractor suffers ransomware infection}}, date = {2020-01-29}, organization = {ZDNet}, url = {https://www.zdnet.com/article/dod-contractor-suffers-ransomware-infection/}, language = {English}, urldate = {2020-02-03} } @online{cimpanu:20200210:fbi:1904430, author = {Catalin Cimpanu}, title = {{FBI warns about ongoing attacks against software supply chain companies}}, date = {2020-02-10}, organization = {ZDNet}, url = {https://www.zdnet.com/article/fbi-warns-about-ongoing-attacks-against-software-supply-chain-companies/}, language = {English}, urldate = {2020-02-11} } @online{cimpanu:20200220:croatias:ac07fa3, author = {Catalin Cimpanu}, title = {{Croatia's largest petrol station chain impacted by cyber-attack}}, date = {2020-02-20}, organization = {ZDNet}, url = {https://www.zdnet.com/article/croatias-largest-petrol-station-chain-impacted-by-cyber-attack/}, language = {English}, urldate = {2020-02-26} } @online{cimpanu:20200229:meet:b1d7dbd, author = {Catalin Cimpanu}, title = {{Meet the white-hat group fighting Emotet, the world's most dangerous malware}}, date = {2020-02-29}, organization = {ZDNet}, url = {https://www.zdnet.com/article/meet-the-white-hat-group-fighting-emotet-the-worlds-most-dangerous-malware/}, language = {English}, urldate = {2020-03-02} } @online{cimpanu:20200319:france:9882b07, author = {Catalin Cimpanu}, title = {{France warns of new ransomware gang targeting local governments}}, date = {2020-03-19}, organization = {ZDNet}, url = {https://www.zdnet.com/article/france-warns-of-new-ransomware-gang-targeting-local-governments/}, language = {English}, urldate = {2020-03-26} } @online{cimpanu:20200327:booz:90c4f8d, author = {Catalin Cimpanu}, title = {{Booz Allen analyzed 200+ Russian hacking operations to better understand their tactics}}, date = {2020-03-27}, organization = {ZDNet}, url = {https://www.zdnet.com/article/booz-allen-analyzed-200-russian-hacking-operations-to-better-understand-their-tactics/}, language = {English}, urldate = {2020-03-27} } @online{cimpanu:20200331:fbi:91630df, author = {Catalin Cimpanu}, title = {{FBI re-sends alert about supply chain attacks for the third time in three months}}, date = {2020-03-31}, organization = {ZDNet}, url = {https://www.zdnet.com/article/fbi-re-sends-alert-about-supply-chain-attacks-for-the-third-time-in-three-months/}, language = {English}, urldate = {2020-04-07} } @online{cimpanu:20200427:shade:4d47bf1, author = {Catalin Cimpanu}, title = {{Shade (Troldesh) ransomware shuts down and releases decryption keys}}, date = {2020-04-27}, organization = {ZDNet}, url = {https://www.zdnet.com/article/shade-troldesh-ransomware-shuts-down-and-releases-all-decryption-keys/}, language = {English}, urldate = {2020-04-28} } @online{cimpanu:20200518:fbi:54e14c9, author = {Catalin Cimpanu}, title = {{FBI: ProLock ransomware gains access to victim networks via Qakbot infections}}, date = {2020-05-18}, organization = {ZDNet}, url = {https://www.zdnet.com/article/fbi-prolock-ransomware-gains-access-to-victim-networks-via-qakbot-infections/}, language = {English}, urldate = {2020-05-18} } @online{cimpanu:20200602:revil:883c59f, author = {Catalin Cimpanu}, title = {{REvil ransomware gang launches auction site to sell stolen data}}, date = {2020-06-02}, organization = {ZDNet}, url = {https://www.zdnet.com/article/revil-ransomware-gang-launches-auction-site-to-sell-stolen-data/}, language = {English}, urldate = {2020-06-03} } @online{cimpanu:20200603:ransomware:116ecb8, author = {Catalin Cimpanu}, title = {{Ransomware gang says it breached one of NASA's IT contractors}}, date = {2020-06-03}, organization = {ZDNet}, url = {https://www.zdnet.com/article/ransomware-gang-says-it-breached-one-of-nasas-it-contractors/}, language = {English}, urldate = {2020-06-03} } @online{cimpanu:20200615:web:a10a55d, author = {Catalin Cimpanu}, title = {{Web skimmers found on the websites of Intersport, Claire's, and Icing}}, date = {2020-06-15}, organization = {ZDNet}, url = {https://www.zdnet.com/article/web-skimmers-found-on-the-websites-of-intersport-claires-and-icing/}, language = {English}, urldate = {2020-06-16} } @online{cimpanu:20200715:chinese:0ff06bd, author = {Catalin Cimpanu}, title = {{Chinese state hackers target Hong Kong Catholic Church}}, date = {2020-07-15}, organization = {ZDNet}, url = {https://www.zdnet.com/article/chinese-state-hackers-target-hong-kong-catholic-church/}, language = {English}, urldate = {2020-07-30} } @online{cimpanu:20200729:kaspersky:d874677, author = {Catalin Cimpanu}, title = {{Kaspersky: New hacker-for-hire mercenary group is targeting European law firms}}, date = {2020-07-29}, organization = {ZDNet}, url = {https://www.zdnet.com/article/kaspersky-new-hacker-for-hire-mercenary-group-is-targeting-european-law-firms/}, language = {English}, urldate = {2020-08-18} } @online{cimpanu:20200804:ransomware:e0320ee, author = {Catalin Cimpanu}, title = {{Ransomware gang publishes tens of GBs of internal data from LG and Xerox}}, date = {2020-08-04}, organization = {ZDNet}, url = {https://www.zdnet.com/article/ransomware-gang-publishes-tens-of-gbs-of-internal-data-from-lg-and-xerox/}, language = {English}, urldate = {2020-08-18} } @online{cimpanu:20200810:fbi:10c4512, author = {Catalin Cimpanu}, title = {{FBI says an Iranian hacking group is attacking F5 networking devices}}, date = {2020-08-10}, organization = {ZDNet}, url = {https://www.zdnet.com/article/fbi-says-an-iranian-hacking-group-is-attacking-f5-networking-devices}, language = {English}, urldate = {2020-09-18} } @online{cimpanu:20200810:fbi:704abe2, author = {Catalin Cimpanu}, title = {{FBI says an Iranian hacking group is attacking F5 networking devices}}, date = {2020-08-10}, organization = {ZDNet}, url = {https://www.zdnet.com/article/fbi-says-an-iranian-hacking-group-is-attacking-f5-networking-devices/}, language = {English}, urldate = {2020-08-12} } @online{cimpanu:20200901:iranian:5f8dd6c, author = {Catalin Cimpanu}, title = {{Iranian hackers are selling access to compromised companies on an underground forum}}, date = {2020-09-01}, organization = {ZDNet}, url = {https://www.zdnet.com/article/iranian-hackers-are-selling-access-to-compromised-companies-on-an-underground-forum}, language = {English}, urldate = {2020-09-18} } @online{cimpanu:20201008:german:7b88550, author = {Catalin Cimpanu}, title = {{German tech giant Software AG down after ransomware attack}}, date = {2020-10-08}, organization = {ZDNet}, url = {https://www.zdnet.com/article/german-tech-giant-software-ag-down-after-ransomware-attack/}, language = {English}, urldate = {2020-10-12} } @online{cimpanu:20201015:ubisoft:51fe666, author = {Catalin Cimpanu}, title = {{Ubisoft, Crytek data posted on ransomware gang's site}}, date = {2020-10-15}, organization = {ZDNet}, url = {https://www.zdnet.com/article/ubisoft-crytek-data-posted-on-ransomware-gangs-site/}, language = {English}, urldate = {2020-10-21} } @online{cimpanu:20201022:eu:ed3c7a4, author = {Catalin Cimpanu}, title = {{EU sanctions Russia over 2015 German Parliament hack}}, date = {2020-10-22}, organization = {ZDNet}, url = {https://www.zdnet.com/article/eu-sanctions-russia-over-2015-german-parliament-hack/}, language = {English}, urldate = {2020-10-26} } @techreport{circl:20130329:analysis:b3c48b0, author = {CIRCL}, title = {{Analysis Report (TLP:WHITE) Analysis of a PlugX variant (PlugX version 7.0)}}, date = {2013-03-29}, institution = {Computer Incident Response Center Luxembourg}, url = {https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf}, language = {English}, urldate = {2019-11-24} } @techreport{circl:20130529:malware:cd9f6f8, author = {CIRCL}, title = {{Malware analysis report of a Backdoor.Snifula variant}}, date = {2013-05-29}, institution = {CIRCL}, url = {https://www.circl.lu/assets/files/tr-13/tr-13-snifula-analysis-report-v1.3.pdf}, language = {English}, urldate = {2019-07-11} } @techreport{circl:20130530:analysis:e828e08, author = {CIRCL}, title = {{Analysis of a stage 3 Miniduke sample}}, date = {2013-05-30}, institution = {CIRCL}, url = {https://www.circl.lu/files/tr-14/circl-analysisreport-miniduke-stage3-public.pdf}, language = {English}, urldate = {2020-01-08} } @online{circl:20141126:tr23:fb5d867, author = {CIRCL}, title = {{TR-23 Analysis - NetWiredRC malware}}, date = {2014-11-26}, organization = {CIRCL}, url = {https://www.circl.lu/pub/tr-23/}, language = {English}, urldate = {2020-01-09} } @online{circl:2014:tr25:97f9b0e, author = {CIRCL}, title = {{TR-25 Analysis - Turla / Pfinet / Snake/ Uroburos}}, date = {2014}, organization = {circl.lu}, url = {https://www.circl.lu/pub/tr-25/}, language = {English}, urldate = {2020-07-01} } @online{cisa:20170412:ics:0d94c2e, author = {CISA}, title = {{ICS Alert (ICS-ALERT-17-102-01A)}}, date = {2017-04-12}, organization = {CISA}, url = {https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-102-01A}, language = {English}, urldate = {2020-01-09} } @online{cisa:20170612:alert:7799e28, author = {CISA}, title = {{Alert (TA17-163A)}}, date = {2017-06-12}, organization = {CISA}, url = {https://www.us-cert.gov/ncas/alerts/TA17-163A}, language = {English}, urldate = {2020-01-08} } @online{cisa:20180809:malware:71c0559, author = {CISA}, title = {{Malware Analysis Report (AR18-221A)}}, date = {2018-08-09}, organization = {CISA}, url = {https://www.us-cert.gov/ncas/analysis-reports/AR18-221A}, language = {English}, urldate = {2020-01-07} } @online{cisa:20190509:malware:0fa3b40, author = {CISA}, title = {{Malware Analysis Report (AR19-129A)}}, date = {2019-05-09}, organization = {CISA}, url = {https://www.us-cert.gov/ncas/analysis-reports/AR19-129A}, language = {English}, urldate = {2020-01-08} } @online{cisa:20190909:malware:f266520, author = {CISA}, title = {{Malware Analysis Report (AR19-252A)}}, date = {2019-09-09}, organization = {CISA}, url = {https://www.us-cert.gov/ncas/analysis-reports/ar19-252a}, language = {English}, urldate = {2020-01-07} } @online{cisa:20191031:malware:4eccc2d, author = {CISA}, title = {{Malware Analysis Report (AR19-304A)}}, date = {2019-10-31}, organization = {CISA}, url = {https://www.us-cert.gov/ncas/analysis-reports/ar19-304a}, language = {English}, urldate = {2020-01-09} } @online{cisa:2019:hidden:52ee565, author = {CISA}, title = {{HIDDEN COBRA - North Korean Malicious Cyber Activity}}, date = {2019}, organization = {CISA}, url = {https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity}, language = {English}, urldate = {2020-01-07} } @online{cisa:20200826:mar103017061v1:735a8fc, author = {CISA}, title = {{MAR-10301706-1.v1 - North Korean Remote Access Tool: ECCENTRICBANDWAGON}}, date = {2020-08-26}, organization = {CISA}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar20-239a}, language = {English}, urldate = {2020-09-01} } @online{cisa:20200826:mar103017062v1:e64b3ac, author = {CISA}, title = {{MAR-10301706-2.v1 - North Korean Remote Access Tool: VIVACIOUSGIFT}}, date = {2020-08-26}, organization = {CISA}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar20-239b}, language = {English}, urldate = {2020-09-01} } @techreport{citizenlab:20100406:shadows:0ddd0ca, author = {CitizenLab and Information Warfare Monitor and Shadowserver Foundation}, title = {{SHADOWS IN THE CLOUD: Investigating Cyber Espionage 2.0}}, date = {2010-04-06}, institution = {CitizenLab}, url = {https://citizenlab.ca/wp-content/uploads/2017/05/shadows-in-the-cloud.pdf}, language = {English}, urldate = {2020-01-13} } @techreport{clearsky:201707:operationwilted:7e57e58, author = {ClearSky and Trend Micro}, title = {{OperationWilted Tulip}}, date = {2017-07}, institution = {ClearSky}, url = {https://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf}, language = {English}, urldate = {2020-01-06} } @online{clearsky:20180213:enfal:e063cf1, author = {ClearSky}, title = {{Tweet on Enfal loader}}, date = {2018-02-13}, organization = {Twitter (@ClearskySec)}, url = {https://twitter.com/ClearskySec/status/963829930776723461}, language = {English}, urldate = {2019-07-10} } @techreport{clearsky:20201015:operation:dead010, author = {ClearSky}, title = {{Operation Quicksand: MuddyWater’s Offensive Attack Against Israeli Organizations}}, date = {2020-10-15}, institution = {ClearSky}, url = {https://www.clearskysec.com/wp-content/uploads/2020/10/Operation-Quicksand.pdf}, language = {English}, urldate = {2020-10-21} } @online{clueley:20200109:man:cea3f4b, author = {Graham Clueley}, title = {{Man jailed for using webcam RAT to spy on women in their bedrooms}}, date = {2020-01-09}, organization = {The State of Security}, url = {https://www.tripwire.com/state-of-security/featured/man-jailed-using-webcam-rat-women-bedrooms/}, language = {English}, urldate = {2020-01-20} } @online{cluley:20121113:new:627d122, author = {Graham Cluley}, title = {{New variant of Mac Trojan discovered, targeting Tibet}}, date = {2012-11-13}, organization = {Sophos}, url = {https://nakedsecurity.sophos.com/2012/11/13/new-mac-trojan/}, language = {English}, urldate = {2020-01-08} } @online{cluley:20150526:moose:4cb9940, author = {Graham Cluley}, title = {{Moose – the router worm with an appetite for social networks}}, date = {2015-05-26}, organization = {ESET Research}, url = {http://www.welivesecurity.com/2015/05/26/moose-router-worm/}, language = {English}, urldate = {2019-12-20} } @online{cluley:20170830:new:c821389, author = {Graham Cluley}, title = {{New ESET research uncovers Gazer, the stealthy backdoor that spies on embassies}}, date = {2017-08-30}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/}, language = {English}, urldate = {2019-11-14} } @online{cluley:20170904:despite:6f4a25f, author = {Graham Cluley}, title = {{Despite appearances, WikiLeaks wasn’t hacked}}, date = {2017-09-04}, organization = {Graham Cluley Blog}, url = {https://www.grahamcluley.com/despite-appearances-wikileaks-wasnt-hacked/}, language = {English}, urldate = {2019-11-28} } @online{cluley:20200409:travelex:bb5a2d7, author = {Graham Cluley}, title = {{Travelex paid hackers $2.3 million worth of Bitcoin after ransomware attack}}, date = {2020-04-09}, organization = {Graham Cluley Blog}, url = {https://www.grahamcluley.com/travelex-paid-ransom/}, language = {English}, urldate = {2020-04-26} } @online{cluley:20200505:kaiji:94f85b6, author = {Graham Cluley}, title = {{Kaiji – a new strain of IoT malware seizing control and launching DDoS attacks}}, date = {2020-05-05}, organization = {Bitdefender}, url = {https://www.bitdefender.com/box/blog/iot-news/kaiji-new-strain-iot-malware-seizing-control-launching-ddos-attacks/}, language = {English}, urldate = {2020-05-06} } @online{cn33liz:20170605:javascript:36e302d, author = {Cn33liz}, title = {{A JavaScript and VBScript Based Empire Launcher - by Cn33liz 2017}}, date = {2017-06-05}, organization = {Github (Cn33liz)}, url = {https://github.com/Cn33liz/StarFighters}, language = {English}, urldate = {2020-04-07} } @online{cna:201901:destructive:38ed2c3, author = {Saudi Arabia CNA}, title = {{Destructive Attack “DUSTMAN” Technical Report}}, date = {2019-01}, organization = {Saudi Arabia CNA}, url = {https://www.scribd.com/document/442225568/Saudi-Arabia-CNA-report}, language = {English}, urldate = {2020-01-13} } @online{cobb:20130502:stealthiness:6579e26, author = {Stephen Cobb}, title = {{The stealthiness of Linux/Cdorked: a clarification}}, date = {2013-05-02}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2013/05/02/the-stealthiness-of-linuxcdorked-a-clarification/}, language = {English}, urldate = {2019-11-14} } @online{cobli:20180618:six:c3dc8c0, author = {Claudiu Cobliș and Cristian Istrate and Cornel Punga and Andrei Ardelean}, title = {{Six Years and Counting: Inside the Complex Zacinlo Ad Fraud Operation}}, date = {2018-06-18}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/wp-content/uploads/downloads/six-years-and-counting-inside-the-complex-zacinlo-ad-fraud-operation/}, language = {English}, urldate = {2020-07-08} } @online{codeandsec:20141002:finfisher:3b1d9c1, author = {CodeAndSec}, title = {{FinFisher Malware Analysis - Part 2}}, date = {2014-10-02}, organization = {CodeAndSec}, url = {https://www.codeandsec.com/FinFisher-Malware-Analysis-Part-2}, language = {English}, urldate = {2020-03-19} } @online{codercto:20181220:analysis:60da1aa, author = {Codercto}, title = {{Analysis of the attack activities of Hailian Lotus APT group against large domestic investment companies}}, date = {2018-12-20}, organization = {Codercto}, url = {https://www.codercto.com/a/46729.html}, language = {Chinese}, urldate = {2020-01-07} } @online{coding:20140801:soraya:4e51b2f, author = {Coding and Security}, title = {{Soraya Malware Analysis - Dropper}}, date = {2014-08-01}, organization = {Coding and Security}, url = {https://www.codeandsec.com/Soraya-Malware-Analysis-Dropper}, language = {English}, urldate = {2020-01-09} } @online{coding:20161203:sophisticated:af2cbb4, author = {Coding and Security}, title = {{"Sophisticated" and "Genius" Shamoon 2.0 Malware Analysis}}, date = {2016-12-03}, organization = {Coding and Security}, url = {https://www.codeandsec.com/Sophisticated-CyberWeapon-Shamoon-2-Malware-Analysis}, language = {English}, urldate = {2020-01-08} } @online{cofense:20170323:tales:cbdee9a, author = {Cofense}, title = {{Tales from the Trenches: Loki Bot Malware}}, date = {2017-03-23}, organization = {Cofense}, url = {https://phishme.com/loki-bot-malware/}, language = {English}, urldate = {2019-12-02} } @online{cofense:20190121:kutaki:3bff835, author = {Cofense}, title = {{The Kutaki Malware Bypasses Gateways to Steal Users’ Credentials}}, date = {2019-01-21}, organization = {Cofense}, url = {https://cofense.com/kutaki-malware-bypasses-gateways-steal-users-credentials/}, language = {English}, urldate = {2020-01-06} } @online{cognizant:20200418:cognizant:0e20ac0, author = {Cognizant}, title = {{Cognizant Security Incident Update}}, date = {2020-04-18}, organization = {Cognizant}, url = {https://web.archive.org/save/https://news.cognizant.com/2020-04-18-cognizant-security-update}, language = {English}, urldate = {2020-04-20} } @techreport{cognizant:20200617:notice:37fe994, author = {Cognizant}, title = {{Notice of Data Breach}}, date = {2020-06-17}, institution = {Cognizant}, url = {https://oag.ca.gov/system/files/Letter%204.pdf}, language = {English}, urldate = {2020-06-18} } @online{cohen:20180521:decrypting:37d595c, author = {Itay Cohen}, title = {{Decrypting APT33’s Dropshot Malware with Radare2 and Cutter – Part 1}}, date = {2018-05-21}, organization = {MegaBeets}, url = {https://www.megabeets.net/decrypting-dropshot-with-radare2-and-cutter-part-1/}, language = {English}, urldate = {2019-07-10} } @online{cohen:20180629:backswap:1605a3d, author = {Ruby Cohen and Doron Voolf}, title = {{BackSwap Defrauds Online Banking Customers Using Hidden Input Fields}}, date = {2018-06-29}, organization = {F5}, url = {https://www.f5.com/labs/articles/threat-intelligence/backswap-defrauds-online-banking-customers-using-hidden-input-fi}, language = {English}, urldate = {2020-01-10} } @online{cohen:20180820:ryuk:5756495, author = {Itay Cohen and Ben Herzog}, title = {{Ryuk Ransomware: A Targeted Campaign Break-Down}}, date = {2018-08-20}, organization = {Check Point}, url = {https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/}, language = {English}, urldate = {2019-12-10} } @online{cohen:20181130:evolution:045e447, author = {Itay Cohen}, title = {{The Evolution of BackSwap}}, date = {2018-11-30}, organization = {Check Point}, url = {https://research.checkpoint.com/the-evolution-of-backswap/}, language = {English}, urldate = {2020-01-10} } @online{cohen:20190117:qealler:3db4f96, author = {David Cohen}, title = {{Qealler — The Silent Java Credential Thief}}, date = {2019-01-17}, organization = {CyberArk}, url = {https://www.cyberark.com/threat-research-blog/qealler-the-silent-java-credential-thief/}, language = {English}, urldate = {2020-05-18} } @online{cohen:20190424:deobfuscating:581c86e, author = {Itay Cohen}, title = {{Deobfuscating APT32 Flow Graphs with Cutter and Radare2}}, date = {2019-04-24}, organization = {Check Point Research}, url = {https://research.checkpoint.com/deobfuscating-apt32-flow-graphs-with-cutter-and-radare2/}, language = {English}, urldate = {2020-05-06} } @online{cohen:20201002:graphology:af4c7bd, author = {Itay Cohen and Eyal Itkin}, title = {{Graphology of an Exploit – Hunting for exploits by looking for the author’s fingerprints}}, date = {2020-10-02}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2020/graphology-of-an-exploit-volodya/}, language = {English}, urldate = {2020-10-06} } @online{coldshell:20180828:walk:fb8dcc6, author = {Coldshell}, title = {{A walk through the AcridRain Stealer}}, date = {2018-08-28}, organization = {This is Security}, url = {https://thisissecurity.stormshield.com/2018/08/28/acridrain-stealer/}, language = {English}, urldate = {2020-01-07} } @online{coldshell:20190118:nymaim:1d2e6f9, author = {Coldshell}, title = {{Nymaim deobfuscation}}, date = {2019-01-18}, organization = {Github (coldshell)}, url = {https://github.com/coldshell/Malware-Scripts/tree/master/Nymaim}, language = {English}, urldate = {2020-01-10} } @online{cole:20200205:stomp:77ecf4b, author = {Rick Cole and Andrew Moore and Genevieve Stark and Blaine Stancill}, title = {{STOMP 2 DIS: Brilliance in the (Visual) Basics}}, date = {2020-02-05}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html}, language = {English}, urldate = {2020-02-09} } @online{conant:20180207:rat:5f1eba8, author = {Simon Conant}, title = {{RAT Trapped? LuminosityLink Falls Foul of Vermin Eradication Efforts}}, date = {2018-02-07}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/02/unit42-rat-trapped-luminositylink-falls-foul-vermin-eradication-efforts/}, language = {English}, urldate = {2019-12-20} } @techreport{consulting:20201020:incident:275ade2, author = {F-Secure Consulting}, title = {{Incident Readiness: Preparing a proactive response to attacks}}, date = {2020-10-20}, institution = {F-Secure}, url = {https://www.f-secure.com/content/dam/f-secure/en/consulting/our-thinking/collaterals/digital/f-secure-consulting-incident-readiness-proactive-response-guide-2020.pdf}, language = {English}, urldate = {2020-10-23} } @online{contextis:20191003:avivore:421fc23, author = {Contextis}, title = {{AVIVORE – Hunting Global Aerospace through the Supply Chain}}, date = {2019-10-03}, organization = {Contextis}, url = {https://www.contextis.com/de/blog/avivore}, language = {English}, urldate = {2020-01-09} } @online{coogan:20100204:spyeye:5c54efe, author = {Peter Coogan}, title = {{SpyEye Bot versus Zeus Bot}}, date = {2010-02-04}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot}, language = {English}, urldate = {2020-01-06} } @online{coogan:20100426:spyeyes:fb53c77, author = {Peter Coogan}, title = {{SpyEye’s "Kill Zeus" Bark is Worse Than its Bite}}, date = {2010-04-26}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/spyeye-s-kill-zeus-bark-worse-its-bite}, language = {English}, urldate = {2019-12-16} } @online{corera:20161010:how:29d38b3, author = {Gordon Corera}, title = {{How France's TV5 was almost destroyed by 'Russian hackers'}}, date = {2016-10-10}, organization = {BBC}, url = {https://www.bbc.com/news/technology-37590375}, language = {English}, urldate = {2020-01-09} } @online{cornateanu:20200303:extracting:a48a754, author = {Ryan Cornateanu}, title = {{Extracting Embedded Payloads From Malware}}, date = {2020-03-03}, url = {https://medium.com/@ryancor/extracting-embedded-payloads-from-malware-aaca8e9aa1a9}, language = {English}, urldate = {2020-03-04} } @online{corp:20201008:taiwan:3a6afa1, author = {CyCraft Technology Corp}, title = {{Taiwan Government Targeted by Multiple Cyberattacks in April 2020 Part 1: Waterbear Malware}}, date = {2020-10-08}, organization = {Medium CyCraft}, url = {https://medium.com/cycraft/taiwan-government-targeted-by-multiple-cyberattacks-in-april-2020-1980acde92b0}, language = {English}, urldate = {2020-10-23} } @online{corp:20201014:taiwan:7628b24, author = {CyCraft Technology Corp}, title = {{Taiwan Government Targeted by Multiple Cyberattacks in April 2020 Part 2: Owlproxy Malware}}, date = {2020-10-14}, organization = {Medium CyCraft}, url = {https://medium.com/cycraft/taiwan-government-targeted-by-multiple-cyberattacks-in-april-2020-3b20cea1dc20}, language = {English}, urldate = {2020-10-23} } @online{cortes:20171005:freemilk:1c7eb5d, author = {Juan Cortes and Esmid Idrizovic}, title = {{FreeMilk: A Highly Targeted Spear Phishing Campaign}}, date = {2017-10-05}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-freemilk-highly-targeted-spear-phishing-campaign/}, language = {English}, urldate = {2020-01-08} } @online{cortes:20171005:freemilk:a929f1b, author = {Juan Cortes and Esmid Idrizovic}, title = {{FreeMilk: A Highly Targeted Spear Phishing Campaign}}, date = {2017-10-05}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/}, language = {English}, urldate = {2019-12-20} } @online{costis:20200724:tau:2730a2c, author = {Andrew Costis}, title = {{TAU Threat Discovery: Cryptocurrency Clipper Malware Evolves}}, date = {2020-07-24}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/blog/tau-threat-discovery-cryptocurrency-clipper-malware-evolves/}, language = {English}, urldate = {2020-08-05} } @online{couchard:20200925:catching:f381664, author = {Guillaume Couchard and Qimin Wang and Thiam Loong Siew}, title = {{Catching Lazarus: Threat Intelligence to Real Detection Logic - Part One}}, date = {2020-09-25}, organization = {F-Secure Labs}, url = {https://labs.f-secure.com/blog/catching-lazarus-threat-intelligence-to-real-detection-logic}, language = {English}, urldate = {2020-10-05} } @online{couchard:20201023:catching:5788228, author = {Guillaume Couchard and Qimin Wang and Thiam Loong Siew}, title = {{Catching Lazarus: Threat Intelligence to Real Detection Logic - Part Two}}, date = {2020-10-23}, organization = {F-Secure Labs}, url = {https://labs.f-secure.com/blog/catching-lazarus-threat-intelligence-to-real-detection-logic-part-two}, language = {English}, urldate = {2020-10-26} } @online{coveware:20190129:phobos:8423f74, author = {CoveWare}, title = {{Phobos Ransomware, A Combo of CrySiS and Dharma}}, date = {2019-01-29}, organization = {CodeWare}, url = {https://www.coveware.com/blog/phobos-ransomware-distributed-dharma-crew}, language = {English}, urldate = {2020-01-08} } @online{cowman:20191218:understanding:d629d14, author = {Pete Cowman}, title = {{Understanding Ransomware Series: Detecting Sodin}}, date = {2019-12-18}, organization = {Hatching.io}, url = {https://hatching.io/blog/ransomware-part2}, language = {English}, urldate = {2020-01-08} } @online{cowman:20200827:smokeloader:6b86b56, author = {Pete Cowman}, title = {{Smokeloader Analysis and More Family Detections}}, date = {2020-08-27}, organization = {Hatching.io}, url = {https://hatching.io/blog/tt-2020-08-27/}, language = {English}, urldate = {2020-09-03} } @online{creaktive:20180521:tiny:13fd580, author = {creaktive}, title = {{Tiny SHell}}, date = {2018-05-21}, organization = {Github (creaktive)}, url = {https://github.com/creaktive/tsh}, language = {English}, urldate = {2020-01-10} } @online{creus:20160926:sofacys:2c11dc9, author = {Dani Creus and Tyler Halfpop and Robert Falcone}, title = {{Sofacy’s ‘Komplex’ OS X Trojan}}, date = {2016-09-26}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/}, language = {English}, urldate = {2019-12-20} } @online{creus:20160926:sofacys:6ddbb81, author = {Dani Creus and Tyler Halfpop and Robert Falcone}, title = {{Sofacy’s ‘Komplex’ OS X Trojan}}, date = {2016-09-26}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-sofacys-komplex-os-x-trojan/}, language = {English}, urldate = {2020-01-13} } @online{crook:20200622:dynamic:47a0942, author = {Jack Crook}, title = {{Dynamic Correlation, ML and Hunting}}, date = {2020-06-22}, organization = {FindingBad Blogspot}, url = {http://findingbad.blogspot.com/2020/06/dynamic-correlation-ml-and-hunting.html}, language = {English}, urldate = {2020-06-23} } @techreport{crowdstrike:20150206:crowdstrike:fbcc37f, author = {CrowdStrike}, title = {{CrowdStrike Global Threat Intel Report 2014}}, date = {2015-02-06}, institution = {CrowdStrike}, url = {https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf}, language = {English}, urldate = {2020-05-11} } @techreport{crowdstrike:20150210:global:da4da20, author = {CrowdStrike}, title = {{Global Threat Intel Report}}, date = {2015-02-10}, institution = {CrowdStrike}, url = {http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf}, language = {English}, urldate = {2020-01-09} } @techreport{crowdstrike:2018:2018:5ba6206, author = {CrowdStrike}, title = {{2018 Global Threat Report}}, date = {2018}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2018GlobalThreatReport.pdf}, language = {English}, urldate = {2019-12-17} } @online{crowdstrike:2019:2019:2c268c8, author = {CrowdStrike}, title = {{2019 CrowdStrike Global Threat Report}}, date = {2019}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/}, language = {English}, urldate = {2020-07-16} } @techreport{crowdstrike:2019:2019:4e50c97, author = {CrowdStrike}, title = {{2019 CrowdStrike Global Threat Report}}, date = {2019}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2019GlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-15} } @techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } @techreport{crowdstrike:20200610:csit20081:a09522b, author = {CrowdStrike}, title = {{CSIT-20081 : Technical Analysis Of The Netwalker Ransomware}}, date = {2020-06-10}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/ReportCSIT-20081e.pdf}, language = {English}, urldate = {2020-07-23} } @online{crowdstrike:2020:2019:f849658, author = {CrowdStrike}, title = {{2019 Crowdstrike Global Threat Report}}, date = {2020}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report}, language = {English}, urldate = {2020-07-23} } @online{cryptolaemus:20180912:emotet:013e01b, author = {Cryptolaemus}, title = {{Emotet IOC}}, date = {2018-09-12}, organization = {Cryptolaemus Pastedump}, url = {https://paste.cryptolaemus.com}, language = {English}, urldate = {2020-01-13} } @online{cryptome:20121125:parastoo:b652ed3, author = {Cryptome}, title = {{Parastoo Hacks IAEA}}, date = {2012-11-25}, organization = {Cryptome}, url = {https://cryptome.org/2012/11/parastoo-hacks-iaea.htm}, language = {English}, urldate = {2020-01-06} } @techreport{csis:2012:w32tinba:542635f, author = {Peter Kruse (CSIS) and Feike Hacquebord (Trend Micro) and Robert McArdle (Trend Micro)}, title = {{W32.Tinba (Tinybanker) The Turkish Incident}}, date = {2012}, institution = {CSIS Trend Micro}, url = {http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_w32-tinba-tinybanker.pdf}, language = {English}, urldate = {2019-12-24} } @techreport{csis:20200110:threat:7454f36, author = {CSIS}, title = {{Threat Matrix H1 2019}}, date = {2020-01-10}, institution = {CSIS}, url = {https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf}, language = {English}, urldate = {2020-01-22} } @online{ctu:20150730:sakula:8025917, author = {Dell Secureworks CTU}, title = {{Sakula Malware Family}}, date = {2015-07-30}, organization = {Secureworks}, url = {https://www.secureworks.com/research/sakula-malware-family}, language = {English}, urldate = {2020-01-06} } @online{cucci:20200419:reversing:4523233, author = {Kyle Cucci}, title = {{Reversing Ryuk: A Technical Analysis of Ryuk Ransomware}}, date = {2020-04-19}, organization = {SecurityLiterate}, url = {https://securityliterate.com/reversing-ryuk-a-technical-analysis-of-ryuk-ransomware/}, language = {English}, urldate = {2020-08-13} } @online{cucci:20200819:chantays:3998ebb, author = {Kyle Cucci}, title = {{Chantay’s Resume: Investigating a CV-Themed ZLoader Malware}}, date = {2020-08-19}, organization = {SecurityLiterate}, url = {https://securityliterate.com/chantays-resume-investigating-a-cv-themed-zloader-malware-campaign/}, language = {English}, urldate = {2020-09-01} } @online{cummings:20191217:incident:44acf5c, author = {JJ Cummings and Dave Liebenberg}, title = {{Incident Response lessons from recent Maze ransomware attacks}}, date = {2019-12-17}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2019/12/IR-Lessons-Maze.html}, language = {English}, urldate = {2020-01-09} } @online{curtis:20201019:revisited:df05745, author = {Curtis}, title = {{Revisited: Fancy Bear's New Faces...and Sandworms' too}}, date = {2020-10-19}, organization = {Riskint Blog}, url = {https://www.riskint.blog/post/revisited-fancy-bear-s-new-faces-and-sandworms-too}, language = {English}, urldate = {2020-10-23} } @online{cutler:20190515:winnti:269a852, author = {Silas Cutler and Juan Andrés Guerrero-Saade}, title = {{Winnti: More than just Windows and Gates}}, date = {2019-05-15}, organization = {Chronicle}, url = {https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a}, language = {English}, urldate = {2019-10-14} } @online{cutler:20191116:fresh:871567d, author = {Silas Cutler}, title = {{Fresh PlugX October 2019}}, date = {2019-11-16}, organization = {Silas Cutler's Blog}, url = {https://silascutler.blogspot.com/2019/11/fresh-plugx-october-2019.html}, language = {English}, urldate = {2020-01-07} } @online{cyber:20190328:unleash:f5f7048, author = {Skylight Cyber}, title = {{Unleash The Hash - ShadowHammer MAC Address List}}, date = {2019-03-28}, organization = {Skylight Cyber}, url = {https://skylightcyber.com/2019/03/28/unleash-the-hash-shadowhammer-mac-list/}, language = {English}, urldate = {2019-10-23} } @online{cyber:20200611:snowstorm:7112209, author = {MDR Cyber}, title = {{SNOWSTORM: Hacker-for-hire and physical surveillance targeted financial analyst}}, date = {2020-06-11}, organization = {Mishcon de Reya}, url = {https://www.mishcon.com/news/snowstorm-hacker-for-hire-and-physical-surveillance-targeted-financial-analyst}, language = {English}, urldate = {2020-06-12} } @techreport{cyberark:20200224:analyzing:57cc981, author = {CyberArk}, title = {{Analyzing the Raccoon Stealer}}, date = {2020-02-24}, institution = {CyberArk}, url = {https://lp.cyberark.com/rs/316-CZP-275/images/CyberArk-Labs-Racoon-Malware-wp.pdf}, language = {English}, urldate = {2020-04-15} } @techreport{cyberint:2019:legit:9925ea3, author = {CyberInt}, title = {{Legit Remote Admin Tools Turn into Threat Actors' Tools}}, date = {2019}, institution = {CyberInt}, url = {https://e.cyberint.com/hubfs/Report%20Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors%20Tools/CyberInt_Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors'%20Tools_Report.pdf}, language = {English}, urldate = {2019-12-19} } @online{cybermalveillance:20191106:outil:dfa36a5, author = {Cybermalveillance}, title = {{Outil de déchiffrement du rançongiciel (ransomware) PyLocky versions 1 et 2}}, date = {2019-11-06}, organization = {Cybermalveillance}, url = {https://www.cybermalveillance.gouv.fr/nos-articles/outil-dechiffrement-rancongiciel-ransomware-pylocky-v1-2/}, language = {French}, urldate = {2019-12-18} } @online{cybersecurity:201606:operation:eb6c3d9, author = {ClearSky Cybersecurity}, title = {{Operation DustySky Part 2}}, date = {2016-06}, organization = {clearskysec}, url = {https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain}, language = {English}, urldate = {2019-12-24} } @techreport{cybersecurity:20170210:ar1720045:43c91fd, author = {National Cybersecurity and Communications Integration Center}, title = {{AR-17-20045 - Enhanced Analysis of GRIZZLY STEPPE Activity}}, date = {2017-02-10}, institution = {Department of Homeland Security}, url = {https://www.us-cert.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf}, language = {English}, urldate = {2019-11-05} } @online{cybersecurity:20180720:alert:89ca0c7, author = {National Cybersecurity and Communications Integration Center}, title = {{Alert (TA18-201A) Emotet Malware}}, date = {2018-07-20}, organization = {NCCIC}, url = {https://www.us-cert.gov/ncas/alerts/TA18-201A}, language = {English}, urldate = {2019-10-27} } @online{cyberthreat:20200501:chin:3a4fb89, author = {Cyberthreat}, title = {{Chiến dịch của nhóm APT Trung Quốc Goblin Panda tấn công vào Việt Nam lợi dụng đại dịch Covid-19 (phần 1)}}, date = {2020-05-01}, organization = {Viettel Cybersecurity}, url = {https://blog.viettelcybersecurity.com/p1-chien-dich-cua-nhom-apt-trung-quoc-goblin-panda-tan-cong-vao-viet-nam-loi-dung-dai-dich-covid-19/}, language = {Vietnamese}, urldate = {2020-09-09} } @online{cyberx:20170128:radiation:141e735, author = {CyberX}, title = {{Radiation Report}}, date = {2017-01-28}, organization = {CyberX}, url = {http://get.cyberx-labs.com/radiation-report}, language = {English}, urldate = {2020-01-13} } @techreport{cylance:20160406:operation:d4da7b5, author = {Cylance}, title = {{Operation Cleaver}}, date = {2016-04-06}, institution = {Cylance}, url = {https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf}, language = {English}, urldate = {2020-01-10} } @techreport{cylance:20181102:spyrats:67888b3, author = {Cylance}, title = {{The SpyRATs of OceanLotus}}, date = {2018-11-02}, institution = {Cylance}, url = {https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/SpyRATsofOceanLotusMalwareWhitePaper.pdf}, language = {English}, urldate = {2020-01-10} } @techreport{cymmetria:2016:unveiling:da4224b, author = {Cymmetria}, title = {{Unveiling Patchwork: The Copy-Paste APT}}, date = {2016}, institution = {Cymmetria}, url = {https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf}, language = {English}, urldate = {2020-01-06} } @online{cymmetria:20170919:unveiling:e67fe90, author = {Cymmetria}, title = {{Unveiling Patchwork – a targeted attack caught with cyber deception}}, date = {2017-09-19}, organization = {Cymmetria}, url = {https://www.cymmetria.com/patchwork-targeted-attack/}, language = {English}, urldate = {2019-12-18} } @online{cymru:20190725:unmasking:91638f6, author = {Team Cymru}, title = {{Unmasking AVE_MARIA}}, date = {2019-07-25}, organization = {Team Cymru}, url = {https://blog.team-cymru.com/2019/07/25/unmasking-ave_maria/}, language = {English}, urldate = {2020-01-08} } @online{cymru:20200219:azorult:de72301, author = {Team Cymru}, title = {{Azorult – what we see using our own tools}}, date = {2020-02-19}, organization = {Team Cymru}, url = {https://blog.team-cymru.com/2020/02/19/azorult-what-we-see-using-our-own-tools/}, language = {English}, urldate = {2020-02-26} } @online{cymru:20200325:how:b1d8c31, author = {Team Cymru}, title = {{How the Iranian Cyber Security Agency Detects Emissary Panda Malware}}, date = {2020-03-25}, organization = {Team Cymru}, url = {https://team-cymru.com/2020/03/25/how-the-iranian-cyber-security-agency-detects-emissary-panda-malware/}, language = {English}, urldate = {2020-07-13} } @online{cyrus:20190424:introducing:f1d4536, author = {Richie Cyrus}, title = {{Introducing Venator: A macOS tool for proactive detection}}, date = {2019-04-24}, organization = {SpecterOps}, url = {https://posts.specterops.io/introducing-venator-a-macos-tool-for-proactive-detection-34055a017e56}, language = {English}, urldate = {2020-01-07} } @techreport{d00rt:20180706:lokibot:6508667, author = {d00rt}, title = {{LokiBot Infostealer Jihacked Version}}, date = {2018-07-06}, institution = {Github (d00rt)}, url = {https://github.com/d00rt/hijacked_lokibot_version/blob/master/doc/LokiBot_hijacked_2018.pdf}, language = {English}, urldate = {2020-01-10} } @online{d00rt:20190105:emotet:8dee25a, author = {d00rt}, title = {{Emotet Research}}, date = {2019-01-05}, organization = {Github (d00rt)}, url = {https://github.com/d00rt/emotet_research}, language = {English}, urldate = {2020-01-10} } @online{d00rtrm:2019:emutet:8913da8, author = {D00RT_RM}, title = {{Emutet}}, date = {2019}, url = {https://d00rt.github.io/emotet_network_protocol/}, language = {English}, urldate = {2020-01-07} } @online{d:20151019:github:b15ea7e, author = {Anderson D}, title = {{Github Repository for AllaKore}}, date = {2015-10-19}, organization = {Github (Anderson-D)}, url = {https://github.com/Anderson-D/AllaKore}, language = {English}, urldate = {2020-01-08} } @online{daavid:20140623:havex:21f2ca4, author = {Daavid}, title = {{Havex Hunts For ICS/SCADA Systems}}, date = {2014-06-23}, organization = {F-Secure}, url = {https://www.f-secure.com/weblog/archives/00002718.html}, language = {English}, urldate = {2020-01-09} } @online{dahan:20170425:shadowwali:565d1c1, author = {Assaf Dahan}, title = {{ShadowWali: New variant of the xxmm family of backdoors}}, date = {2017-04-25}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/labs-shadowwali-new-variant-of-the-xxmm-family-of-backdoors}, language = {English}, urldate = {2020-02-11} } @online{dahan:20170524:operation:d79be79, author = {Assaf Dahan}, title = {{Operation Cobalt Kitty: A large-scale APT in Asia carried out by the OceanLotus Group}}, date = {2017-05-24}, organization = {Cybereason}, url = {https://www.cybereason.com/labs-operation-cobalt-kitty-a-large-scale-apt-in-asia-carried-out-by-the-oceanlotus-group/}, language = {English}, urldate = {2020-01-09} } @online{dahan:20181003:new:5f6c0b5, author = {Assaf Dahan}, title = {{New Betabot campaign under the microscope}}, date = {2018-10-03}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/betabot-banking-trojan-neurevt}, language = {English}, urldate = {2020-01-06} } @online{dahan:20190312:new:a435b52, author = {Assaf Dahan and Cybereason Nocturnus}, title = {{New Ursnif Variant targets Japan packed with new Features}}, date = {2019-03-12}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/new-ursnif-variant-targets-japan-packed-with-new-features}, language = {English}, urldate = {2019-11-28} } @online{dahan:20191120:phoenix:9c5d752, author = {Assaf Dahan}, title = {{Phoenix: The Tale of the Resurrected Keylogger}}, date = {2019-11-20}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/phoenix-the-tale-of-the-resurrected-alpha-keylogger}, language = {English}, urldate = {2020-02-11} } @online{dahan:20191211:dropping:0849f70, author = {Assaf Dahan and Lior Rochberger and Eli Salem and Mary Zhao and Niv Yona and Omer Yampel and Matt Hart}, title = {{Dropping Anchor: From a TrickBot Infection to the Discovery of the Anchor Malware}}, date = {2019-12-11}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware}, language = {English}, urldate = {2020-01-06} } @online{dahl:20130503:department:8be1534, author = {Matt Dahl}, title = {{Department of Labor Strategic Web Compromise}}, date = {2013-05-03}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/department-labor-strategic-web-compromise/}, language = {English}, urldate = {2019-12-20} } @online{dahl:20131010:regional:120d284, author = {Matt Dahl}, title = {{Regional Conflict and Cyber Blowback}}, date = {2013-10-10}, organization = {CrowdStrike}, url = {https://web.archive.org/web/20160315044507/https://www.crowdstrike.com/blog/regional-conflict-and-cyber-blowback/}, language = {English}, urldate = {2020-05-18} } @online{dahl:20140513:cat:e5c45ff, author = {Matt Dahl}, title = {{Cat Scratch Fever: CrowdStrike Tracks Newly Reported Iranian Actor as FLYING KITTEN}}, date = {2014-05-13}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten/}, language = {English}, urldate = {2019-12-20} } @online{dahl:20141124:i:38a6ade, author = {Matt Dahl}, title = {{I am Ironman: DEEP PANDA Uses Sakula Malware to Target Organizations in Multiple Sectors}}, date = {2014-11-24}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/ironman-deep-panda-uses-sakula-malware-target-organizations-multiple-sectors/}, language = {English}, urldate = {2019-12-20} } @online{dahl:20190125:widespread:48d15a3, author = {Matt Dahl}, title = {{Widespread DNS Hijacking Activity Targets Multiple Sectors}}, date = {2019-01-25}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/widespread-dns-hijacking-activity-targets-multiple-sectors/}, language = {English}, urldate = {2019-12-20} } @online{dahl:20200601:malware:aa6f2ab, author = {Matt Dahl}, title = {{Tweet on malware called knspy used by Donot}}, date = {2020-06-01}, organization = {Twitter (@voodoodahl1)}, url = {https://twitter.com/voodoodahl1/status/1267571622732578816}, language = {English}, urldate = {2020-06-04} } @online{dahms:20140602:molerats:8b00d0d, author = {Timothy Dahms}, title = {{Molerats, Here for Spring!}}, date = {2014-06-02}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2014/06/molerats-here-for-spring.html}, language = {English}, urldate = {2019-12-20} } @online{dallas:20190326:babylon:32e6481, author = {Korben Dallas}, title = {{Tweet on Babylon RAT IOCs}}, date = {2019-03-26}, organization = {Twitter (@KorbenD_Intel)}, url = {https://twitter.com/KorbenD_Intel/status/1110654679980085262}, language = {English}, urldate = {2020-01-13} } @online{dan:20180208:merlin:cfc9e6b, author = {Action Dan}, title = {{Merlin for Red Teams}}, date = {2018-02-08}, organization = {Lockboxx}, url = {http://lockboxx.blogspot.com/2018/02/merlin-for-red-teams.html}, language = {English}, urldate = {2020-01-09} } @online{danchev:20080610:whos:504e579, author = {Dancho Danchev}, title = {{Who's behind the GPcode ransomware?}}, date = {2008-06-10}, organization = {ZDNet}, url = {http://www.zdnet.com/article/whos-behind-the-gpcode-ransomware/}, language = {English}, urldate = {2019-12-18} } @online{danchev:20120928:dissecting:1ee1a3f, author = {Dancho Danchev}, title = {{Dissecting 'Operation Ababil' - an OSINT Analysis}}, date = {2012-09-28}, organization = {Dancho Danchev's Blog}, url = {http://ddanchev.blogspot.com.es/2012/09/dissecting-operation-ababil-osint.html}, language = {English}, urldate = {2020-01-10} } @online{dangu:20180123:uncovering:a3ba605, author = {Jerome Dangu}, title = {{Uncovering 2017’s Largest Malvertising Operation}}, date = {2018-01-23}, organization = {Confiant}, url = {https://blog.confiant.com/uncovering-2017s-largest-malvertising-operation-b84cd38d6b85}, language = {English}, urldate = {2019-12-24} } @online{dangu:20180305:zirconium:06d9e29, author = {Jerome Dangu}, title = {{Zirconium was one step ahead of Chrome’s redirect blocker with 0-day}}, date = {2018-03-05}, organization = {Confiant}, url = {https://blog.confiant.com/zirconium-was-one-step-ahead-of-chromes-redirect-blocker-with-0-day-2d61802efd0d}, language = {English}, urldate = {2020-01-09} } @online{dannythesloth:20190608:vanilla:bcf3518, author = {DannyTheSloth}, title = {{Vanilla RAT}}, date = {2019-06-08}, organization = {Github (DannyTheSloth)}, url = {https://github.com/DannyTheSloth/VanillaRAT}, language = {English}, urldate = {2020-01-13} } @techreport{dantzig:20191219:operation:96804be, author = {Maarten van Dantzig and Erik Schamper}, title = {{Operation Wocao: Shining a light on one of China’s hidden hacking groups}}, date = {2019-12-19}, institution = {Fox-IT}, url = {https://resources.fox-it.com/rs/170-CAK-271/images/201912_Report_Operation_Wocao.pdf}, language = {English}, urldate = {2020-01-13} } @online{data:20140228:uroburos:f6fdb48, author = {G Data}, title = {{Uroburos - highly complex espionage software with Russian roots}}, date = {2014-02-28}, organization = {G Data Blog}, url = {https://www.gdatasoftware.com/blog/2014/02/23968-uroburos-highly-complex-espionage-software-with-russian-roots}, language = {English}, urldate = {2019-11-28} } @online{data:20140307:uroburos:22ddc69, author = {G Data}, title = {{Uroburos – Deeper travel into kernel protection mitigation}}, date = {2014-03-07}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2014/03/23966-uroburos-deeper-travel-into-kernel-protection-mitigation}, language = {English}, urldate = {2019-11-23} } @online{data:20140513:uroburos:a8b1175, author = {G Data}, title = {{Uroburos rootkit: Belgian Foreign Ministry stricken}}, date = {2014-05-13}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2014/05/23958-uroburos-rootkit-belgian-foreign-ministry-stricken}, language = {English}, urldate = {2019-10-27} } @online{data:20140602:analysis:1038a5f, author = {G Data}, title = {{Analysis of Uroburos, using WinDbg}}, date = {2014-06-02}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2014/06/23953-analysis-of-uroburos-using-windbg}, language = {English}, urldate = {2020-01-09} } @online{data:20140731:poweliks:250c05f, author = {G Data}, title = {{Poweliks: the persistent malware without a file}}, date = {2014-07-31}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2014/07/23947-poweliks-the-persistent-malware-without-a-file}, language = {English}, urldate = {2020-01-10} } @online{data:20141030:com:0da80b3, author = {G Data}, title = {{COM Object hijacking: the discreet way of persistence}}, date = {2014-10-30}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence}, language = {English}, urldate = {2020-01-07} } @techreport{data:20141031:operation:9205b87, author = {G Data}, title = {{OPERATION “TOOHASH”: HOW TARGETED ATTACKS WORK}}, date = {2014-10-31}, institution = {G Data}, url = {https://public.gdatasoftware.com/Presse/Publikationen/Whitepaper/EN/GDATA_TooHash_CaseStudy_102014_EN_v1.pdf}, language = {English}, urldate = {2020-01-08} } @online{data:20141111:uroburos:8dce097, author = {G Data}, title = {{The Uroburos case: new sophisticated RAT identified}}, date = {2014-11-11}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified}, language = {English}, urldate = {2020-01-08} } @online{data:20150115:weiterentwicklung:a65efbe, author = {G Data}, title = {{Weiterentwicklung anspruchsvoller Spyware: von Agent.BTZ zu ComRAT}}, date = {2015-01-15}, organization = {G Data}, url = {https://blog.gdata.de/2015/01/23779-weiterentwicklung-anspruchsvoller-spyware-von-agent-btz-zu-comrat}, language = {English}, urldate = {2020-01-08} } @online{data:20150120:analysis:2fe6cf2, author = {G Data}, title = {{Analysis of Project Cobra}}, date = {2015-01-20}, organization = {G Data}, url = {https://blog.gdatasoftware.com/2015/01/23926-analysis-of-project-cobra}, language = {English}, urldate = {2020-01-05} } @online{data:20150218:babar:24e6c08, author = {G Data}, title = {{Babar: espionage software finally found and put under the microscope}}, date = {2015-02-18}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2015/02/24270-babar-espionage-software-finally-found-and-put-under-the-microscope}, language = {English}, urldate = {2019-12-02} } @online{data:20160411:manamecrypt:06eda37, author = {G Data}, title = {{Manamecrypt – a ransomware that takes a different route}}, date = {2016-04-11}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2016/04/28234-manamecrypt-a-ransomware-that-takes-a-different-route}, language = {English}, urldate = {2020-01-08} } @online{data:20161123:analysis:0bbfdb9, author = {G Data}, title = {{Analysis: Ursnif - spying on your data since 2007}}, date = {2016-11-23}, organization = {G Data}, url = {https://blog.gdatasoftware.com/2016/11/29325-analysis-ursnif-spying-on-your-data-since-2007}, language = {English}, urldate = {2020-01-10} } @online{data:20170512:warning:162cfc4, author = {G Data}, title = {{Warning: Massive "WannaCry" Ransomware campaign launched}}, date = {2017-05-12}, organization = {G Data}, url = {https://blog.gdatasoftware.com/2017/05/29751-wannacry-ransomware-campaign}, language = {English}, urldate = {2020-01-13} } @online{data:20170703:who:7b53706, author = {G Data}, title = {{Who is behind Petna?}}, date = {2017-07-03}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2017/07/29859-who-is-behind-petna}, language = {English}, urldate = {2020-01-08} } @online{data:20170711:ordinypt:a3f61cf, author = {G Data}, title = {{Ordinypt hat es auf Benutzer aus Deutschland abgesehen}}, date = {2017-07-11}, organization = {G Data}, url = {https://www.gdata.de/blog/2017/11/30151-ordinypt}, language = {Deutsch}, urldate = {2020-01-08} } @online{data:20170720:rurktar:fa8bc7e, author = {G Data}, title = {{Rurktar - Spyware under Construction}}, date = {2017-07-20}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2017/07/29896-rurktar-spyware-under-construction}, language = {English}, urldate = {2020-01-09} } @online{data:20171012:emotet:c99dec0, author = {G Data}, title = {{Emotet beutet Outlook aus}}, date = {2017-10-12}, organization = {G Data}, url = {https://www.gdata.de/blog/2017/10/30110-emotet-beutet-outlook-aus}, language = {English}, urldate = {2019-12-05} } @online{data:20191121:new:cbeb2e4, author = {G Data}, title = {{New SectopRAT: Remote access malware utilizes second desktop to control browsers}}, date = {2019-11-21}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2019/11/35548-new-sectoprat-remote-access-malware-utilizes-second-desktop-to-control-browsers}, language = {English}, urldate = {2020-01-10} } @online{data:20200630:ransomware:3f071e1, author = {G Data}, title = {{Ransomware on the Rise: Buran’s transformation into Zeppelin}}, date = {2020-06-30}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2020/06/35946-burans-transformation-into-zeppelin}, language = {English}, urldate = {2020-07-02} } @online{davenport:20141218:keypoint:4c1fd04, author = {Christian Davenport}, title = {{KeyPoint network breach could affect thousands of federal workers}}, date = {2014-12-18}, organization = {The Washington Post}, url = {https://www.washingtonpost.com/business/economy/keypoint-suffers-network-breach-thousands-of-fed-workers-could-be-affected/2014/12/18/e6c7146c-86e1-11e4-a702-fa31ff4ae98e_story.html}, language = {English}, urldate = {2020-01-13} } @online{davila:20200518:eleethub:d605473, author = {Asher Davila and Yang Ji}, title = {{Eleethub: A Cryptocurrency Mining Botnet with Rootkit for Self-Hiding}}, date = {2020-05-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/los-zetas-from-eleethub-botnet/}, language = {English}, urldate = {2020-05-20} } @online{davis:20170921:apt33:52822d2, author = {Stuart Davis and Nick Carr}, title = {{APT33: New Insights into Iranian Cyber Espionage Group}}, date = {2017-09-21}, organization = {FireEye}, url = {https://www.brighttalk.com/webcast/10703/275683}, language = {English}, urldate = {2019-12-20} } @online{davis:20180529:mexico:d40bc2d, author = {Michelle Davis}, title = {{Mexico Foiled a $110 Million Bank Heist, Then Kept It a Secret}}, date = {2018-05-29}, organization = {Bloomberg}, url = {https://www.bloomberg.com/news/articles/2018-05-29/mexico-foiled-a-110-million-bank-heist-then-kept-it-a-secret}, language = {English}, urldate = {2020-01-07} } @online{davison:20170804:smoke:06d64d3, author = {Jason Davison}, title = {{Smoke Loader Adds Additional Obfuscation Methods to Mitigate Analysis}}, date = {2017-08-04}, organization = {PhishLabs}, url = {https://info.phishlabs.com/blog/smoke-loader-adds-additional-obfuscation-methods-to-mitigate-analysis}, language = {English}, urldate = {2020-01-08} } @online{davison:20180321:trickbot:1f0576e, author = {Jason Davison}, title = {{TrickBot Banking Trojan Adapts with New Module}}, date = {2018-03-21}, organization = {Webroot}, url = {https://www.webroot.com/blog/2018/03/21/trickbot-banking-trojan-adapts-new-module/}, language = {English}, urldate = {2020-01-13} } @online{dcso:20190314:pegasusbuhtrap:2e48e0e, author = {DCSO}, title = {{Pegasus/Buhtrap analysis of the malware stage based on the leaked source code}}, date = {2019-03-14}, organization = {DCSO}, url = {https://blog.dcso.de/pegasus-buhtrap-analysis-of-the-malware-stage-based-on-the-leaked-source-code/}, language = {English}, urldate = {2020-01-07} } @online{dcso:20190318:enterprise:ff92a62, author = {DCSO}, title = {{Enterprise Malware-as-a-Service: Lazarus Group and the Evolution of Ransomware}}, date = {2019-03-18}, organization = {DCSO}, url = {https://blog.dcso.de/enterprise-malware-as-a-service/}, language = {English}, urldate = {2020-01-06} } @online{dcso:20200116:curious:15c5610, author = {DCSO}, title = {{A Curious Case of CVE-2019-19781 Palware: remove_bds}}, date = {2020-01-16}, organization = {DCSO}, url = {https://blog.dcso.de/a-curious-case-of-cve-2019-19781-palware-remove_bds/}, language = {English}, urldate = {2020-01-17} } @online{deacon:20200331:indepth:3719ebb, author = {Joshua Deacon and Lloyd Macrohon}, title = {{An In-depth Look at MailTo Ransomware, Part One of Three}}, date = {2020-03-31}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-one-of-three/}, language = {English}, urldate = {2020-04-14} } @online{deacon:20200408:indepth:c6628d7, author = {Joshua Deacon and Lloyd Macrohon}, title = {{An In-depth Look at MailTo Ransomware, Part Two of Three}}, date = {2020-04-08}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-two-of-three/}, language = {English}, urldate = {2020-04-14} } @online{deacon:20200410:indepth:13fc66f, author = {Joshua Deacon and Lloyd Macrohon}, title = {{An In-depth Look at MailTo Ransomware, Part Three of Three}}, date = {2020-04-10}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-three-of-three/}, language = {English}, urldate = {2020-04-14} } @online{decapua:20200225:feds:423f929, author = {Joel DeCapua}, title = {{Feds Fighting Ransomware: How the FBI Investigates and How You Can Help}}, date = {2020-02-25}, organization = {RSA Conference}, url = {https://www.youtube.com/watch?v=LUxOcpIRxmg}, language = {English}, urldate = {2020-03-04} } @techreport{decker:20090522:pushdo:518e04c, author = {Alice Decker and David Sancho and Loucif Kharouni and Max Goncharov and Robert McArdle}, title = {{Pushdo / Cutwail Botnet}}, date = {2009-05-22}, institution = {Trend Micro}, url = {https://www.trendmicro.de/cloud-content/us/pdfs/business/white-papers/wp_study-of-pushdo-cutwail-botnet.pdf}, language = {English}, urldate = {2020-01-13} } @online{decrypterfixer:20140911:torrentlocker:10d80ec, author = {DecrypterFixer}, title = {{TorrentLocker Ransomware Cracked and Decrypter has been made}}, date = {2014-09-11}, organization = {BleepingComputer Forums}, url = {http://www.bleepingcomputer.com/forums/t/547708/torrentlocker-ransomware-cracked-and-decrypter-has-been-made/}, language = {English}, urldate = {2020-01-06} } @online{dedola:20200820:transparent:b63fac6, author = {Giampaolo Dedola}, title = {{Transparent Tribe: Evolution analysis, part 1}}, date = {2020-08-20}, organization = {Kaspersky Labs}, url = {https://securelist.com/transparent-tribe-part-1/98127/}, language = {English}, urldate = {2020-08-24} } @online{dedola:20200826:transparent:b6f0422, author = {Giampaolo Dedola}, title = {{Transparent Tribe: Evolution analysis, part 2}}, date = {2020-08-26}, organization = {Kaspersky Labs}, url = {https://securelist.com/transparent-tribe-part-2/98233/}, language = {English}, urldate = {2020-08-27} } @online{dee:20181113:amadey:81d3bc6, author = {Dee}, title = {{Tweet on Amadey Malware}}, date = {2018-11-13}, organization = {Twitter (@ViriBack)}, url = {https://twitter.com/ViriBack/status/1062405363457118210}, language = {English}, urldate = {2020-01-07} } @online{dee:20200129:borr:528fccb, author = {Dee}, title = {{Tweet on Borr}}, date = {2020-01-29}, organization = {Twitter (@ViriBack)}, url = {https://twitter.com/ViriBack/status/1222704498923032576}, language = {English}, urldate = {2020-02-13} } @online{defense:20191111:revenge:114921b, author = {Binary Defense}, title = {{Revenge Is A Dish Best Served… Obfuscated?}}, date = {2019-11-11}, organization = {Binary Defense}, url = {https://www.binarydefense.com/revenge-is-a-dish-best-served-obfuscated}, language = {English}, urldate = {2020-01-09} } @techreport{defense:20200901:military:670494d, author = {US Department of Defense}, title = {{Military and Security Developments Involving the People’s Republic of China 2020}}, date = {2020-09-01}, institution = {US Department of Defense}, url = {https://media.defense.gov/2020/Sep/01/2002488689/-1/-1/1/2020-DOD-CHINA-MILITARY-POWER-REPORT-FINAL.PDF}, language = {English}, urldate = {2020-09-01} } @online{degrippo:20200316:ta505:6cfbbb0, author = {Sherrod DeGrippo}, title = {{TA505 and Others Launch New Coronavirus Campaigns; Now the Largest Collection of Attack Types in Years}}, date = {2020-03-16}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/ta505-and-others-launch-new-coronavirus-campaigns-now-largest-collection-attack}, language = {English}, urldate = {2020-04-26} } @online{degrippo:20200622:hakbit:4d8be82, author = {Sherrod DeGrippo and Proofpoint Threat Research Team}, title = {{Hakbit Ransomware Campaign Against Germany, Austria, Switzerland}}, date = {2020-06-22}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/hakbit-ransomware-campaign-against-germany-austria-switzerland}, language = {English}, urldate = {2020-06-23} } @online{degrippo:20200717:ta547:cec93e0, author = {Sherrod DeGrippo}, title = {{TA547 Pivots from Ursnif Banking Trojan to Ransomware in Australian Campaign}}, date = {2020-07-17}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/security-briefs/ta547-pivots-ursnif-banking-trojan-ransomware-australian-campaign}, language = {English}, urldate = {2020-07-23} } @online{delmas:20170226:treasurehunter:cd0c965, author = {Arnaud Delmas}, title = {{TreasureHunter : A POS Malware Case Study}}, date = {2017-02-26}, url = {http://adelmas.com/blog/treasurehunter.php}, language = {English}, urldate = {2019-12-02} } @online{delmas:20170314:analyzing:1c055df, author = {Arnaud Delmas}, title = {{Analyzing and Deobfuscating FlokiBot Banking Trojan}}, date = {2017-03-14}, organization = {Arnaud Delmas}, url = {http://adelmas.com/blog/flokibot.php}, language = {English}, urldate = {2020-01-08} } @online{deloitte:20200122:project:0a44796, author = {Deloitte}, title = {{Project Lurus}}, date = {2020-01-22}, organization = {Deloitte}, url = {https://www.cityofpensacola.com/DocumentCenter/View/18879/Deloitte-Executive-Summary-PDF}, language = {English}, urldate = {2020-02-13} } @online{delpy:20190104:mimikatz:caaf928, author = {Benjamin Delpy}, title = {{mimikatz Repository}}, date = {2019-01-04}, organization = {Github (gentilkiwi)}, url = {https://github.com/gentilkiwi/mimikatz}, language = {English}, urldate = {2020-01-07} } @online{deluca:20201020:fbi:db32b2f, author = {Alex DeLuca}, title = {{FBI Investigating Threatening Emails Sent To Democrats In Florida}}, date = {2020-10-20}, organization = {WUFT}, url = {https://www.wuft.org/news/2020/10/20/fbi-investigating-threatening-emails-sent-to-democrats-in-florida/}, language = {English}, urldate = {2020-10-23} } @online{demetria:20121030:jacksbot:8a7230b, author = {Johanne Demetria}, title = {{JACKSBOT Has Some Dirty Tricks up Its Sleeves}}, date = {2012-10-30}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/jacksbot-has-some-dirty-tricks-up-its-sleeves/}, language = {English}, urldate = {2020-01-06} } @techreport{demirkapi:20200805:demystifying:147bf1e, author = {Bill Demirkapi}, title = {{Demystifying Modern Windows Rootkits}}, date = {2020-08-05}, institution = {BlackHat}, url = {https://billdemirkapi.me/slides/Demystifying-Modern-Windows-Rootkits-BH.pdf}, language = {English}, urldate = {2020-08-18} } @online{dennesen:20141201:fin4:0760295, author = {Kristen Dennesen and Jordan Berry and Barry Vengerik and Jonathan Wrolstad}, title = {{FIN4: Stealing Insider Information for an Advantage in Stock Trading?}}, date = {2014-12-01}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2014/11/fin4_stealing_insid.html}, language = {English}, urldate = {2019-12-20} } @techreport{dereszowski:20150211:turladevelopment:98e2483, author = {Andrzej Dereszowski}, title = {{Turla-development & operations}}, date = {2015-02-11}, institution = {FIRST Tbilisi}, url = {https://www.first.org/resources/papers/tbilisi2014/turla-operations_and_development.pdf}, language = {English}, urldate = {2020-01-06} } @online{desai:201608:agent:d527844, author = {Deepen Desai}, title = {{Agent Tesla Keylogger delivered using cybersquatting}}, date = {2016-08}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/agent-tesla-keylogger-delivered-using-cybersquatting}, language = {English}, urldate = {2019-11-26} } @online{desai:20200319:new:00516c3, author = {Shivang Desai}, title = {{New Android App Offers Coronavirus Safety Mask But Delivers SMS Trojan}}, date = {2020-03-19}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/new-android-app-offers-coronavirus-safety-mask-delivers-sms-trojan}, language = {English}, urldate = {2020-03-26} } @online{desai:20200729:android:fb3b3d0, author = {Shivang Desai}, title = {{Android Spyware Targeting Tanzania Premier League}}, date = {2020-07-29}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/android-spyware-targeting-tanzania-premier-league}, language = {English}, urldate = {2020-08-05} } @online{desai:20200908:tiktok:d920a43, author = {Shivang Desai}, title = {{TikTok Spyware: A detailed analysis of spyware masquerading as TikTok}}, date = {2020-09-08}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/tiktok-spyware}, language = {English}, urldate = {2020-09-15} } @online{designativedave:20121116:remote:d5d4856, author = {DesignativeDave}, title = {{Remote Administration Tool for Android devices}}, date = {2012-11-16}, organization = {Github (DesignativeDave)}, url = {https://github.com/DesignativeDave/androrat}, language = {English}, urldate = {2019-11-26} } @online{devadoss:20200629:initial:0c8ed48, author = {Dinesh Devadoss}, title = {{Tweet on initial Discovery of EvilQuest}}, date = {2020-06-29}, organization = {Twitter (@dineshdina04)}, url = {https://twitter.com/dineshdina04/status/1277668001538433025}, language = {English}, urldate = {2020-07-01} } @online{devane:20160721:phishing:314ff25, author = {Oliver Devane and Mohinder Gill}, title = {{Phishing Attacks Employ Old but Effective Password Stealer}}, date = {2016-07-21}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/mcafee-labs/phishing-attacks-employ-old-effective-password-stealer/}, language = {English}, urldate = {2019-12-17} } @online{dex:20200514:energy:43e92b4, author = {Dex}, title = {{The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey}}, date = {2020-05-14}, organization = {Lab52}, url = {https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/}, language = {English}, urldate = {2020-06-10} } @techreport{dfir:20200221:apt10:e9c3328, author = {ADEO DFIR}, title = {{APT10 Threat Analysis Report}}, date = {2020-02-21}, institution = {ADEO DFIR}, url = {https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf}, language = {English}, urldate = {2020-03-03} } @online{dhanalakshmi:20180705:look:c39d2cb, author = {Dhanalakshmi}, title = {{A Look At Recent Tinba Banking Trojan Variant}}, date = {2018-07-05}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/look-recent-tinba-banking-trojan-variant}, language = {English}, urldate = {2019-11-20} } @online{die:20130203:infection:ac33cd2, author = {Malware Must Die!}, title = {{The infection of Styx Exploit Kit (Landing page: painterinvoice.ru + Payload: PWS/Ursnif Variant)}}, date = {2013-02-03}, organization = {Malware Must Die!}, url = {http://blog.malwaremustdie.org/2013/02/the-infection-of-styx-exploit-kit.html}, language = {English}, urldate = {2019-07-11} } @online{dietrich:20181130:virut:2b9101c, author = {Christian J. Dietrich}, title = {{Virut Resurrects -- Musings on long-term sinkholing}}, date = {2018-11-30}, url = {https://chrisdietri.ch/post/virut-resurrects/}, language = {English}, urldate = {2019-11-25} } @online{digiamo:20181001:cds:a580f8f, author = {Christopher DiGiamo and Nalani Fraser and Jacqueline O’Leary}, title = {{CDS 2018 | Unmasking APT X}}, date = {2018-10-01}, organization = {Youtube (FireEye Inc.)}, url = {https://youtu.be/8hJyLkLHH8Q?t=1208}, language = {English}, urldate = {2020-01-06} } @online{digitrust:20170105:qrat:d5e7b46, author = {DigiTrust}, title = {{QRAT is Living in The World of JAVA}}, date = {2017-01-05}, organization = {DigiTrust}, url = {https://www.digitrustgroup.com/java-rat-qrat/}, language = {English}, urldate = {2020-01-09} } @techreport{dimaggio:20150806:black:af5cf27, author = {Jon DiMaggio}, title = {{The Black Vine cyberespionage group}}, date = {2015-08-06}, institution = {Symantec}, url = {https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-black-vine-cyberespionage-group.pdf}, language = {English}, urldate = {2020-01-10} } @techreport{dimaggio:20150806:black:b0fbb35, author = {Jon DiMaggio}, title = {{The Black Vine cyberespionage group}}, date = {2015-08-06}, institution = {Symantec}, url = {https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/black-vine-cyberespionage-group-15-en.pdf}, language = {English}, urldate = {2020-04-21} } @online{dimaggio:20160315:suckfly:0b3835e, author = {Jon DiMaggio}, title = {{Suckfly: Revealing the secret life of your code signing certificates}}, date = {2016-03-15}, organization = {Symantec}, url = {http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates}, language = {English}, urldate = {2020-01-05} } @online{dimaggio:20160315:suckfly:a1c8359, author = {Jon DiMaggio}, title = {{Suckfly: Revealing the secret life of your code signing certificates}}, date = {2016-03-15}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=62e325ae-f551-4855-b9cf-28a7d52d1534&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } @online{dimaggio:20160329:taiwan:4b83179, author = {Jon DiMaggio}, title = {{Taiwan targeted with new cyberespionage back door Trojan}}, date = {2016-03-29}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/taiwan-targeted-new-cyberespionage-back-door-trojan}, language = {English}, urldate = {2019-12-18} } @online{dimaggio:20160329:taiwan:de4b254, author = {Jon DiMaggio}, title = {{Taiwan targeted with new cyberespionage back doorTrojan}}, date = {2016-03-29}, organization = {Symantec}, url = {https://app.box.com/s/xqh458fe1url7mgl072hhd0yxqw3x0jm}, language = {English}, urldate = {2020-01-20} } @online{dimaggio:20160428:tick:9fec91a, author = {Jon DiMaggio}, title = {{Tick cyberespionage group zeros in on Japan}}, date = {2016-04-28}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/tick-cyberespionage-group-zeros-japan}, language = {English}, urldate = {2020-01-10} } @online{dimaggio:20160517:indian:98dff05, author = {Jon DiMaggio}, title = {{Indian organizations targeted in Suckfly attacks}}, date = {2016-05-17}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7a60af1f-7786-446c-976b-7c71a16e9d3b&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } @online{dimaggio:20160517:indian:baa172f, author = {Jon DiMaggio}, title = {{Indian organizations targeted in Suckfly attacks}}, date = {2016-05-17}, organization = {Symantec}, url = {http://www.symantec.com/connect/blogs/indian-organizations-targeted-suckfly-attacks}, language = {English}, urldate = {2019-10-23} } @online{dimchev:20160927:new:3bba3cd, author = {Alex Dimchev}, title = {{New Voldemort/Nagini Ransomware Virus Infection}}, date = {2016-09-27}, organization = {Best Security Research}, url = {http://bestsecuritysearch.com/voldemortnagini-ransomware-virus/}, language = {English}, urldate = {2019-11-28} } @online{dimino:20120802:cridex:a9b195f, author = {Andre M. DiMino}, title = {{Cridex Analysis using Volatility}}, date = {2012-08-02}, url = {http://www.sempersecurus.org/2012/08/cridex-analysis-using-volatility.html}, language = {English}, urldate = {2019-10-23} } @online{dimino:20120803:cridex:eab5b19, author = {Andre DiMino}, title = {{Cridex Analysis using Volatility}}, date = {2012-08-03}, organization = {Contagio Dump}, url = {http://contagiodump.blogspot.com/2012/08/cridex-analysis-using-volatility-by.html}, language = {English}, urldate = {2019-12-18} } @online{division:2000:2000:6d829fc, author = {CERT Division}, title = {{2000 CERT Advisories}}, date = {2000}, organization = {Carnegie Mellon University}, url = {https://resources.sei.cmu.edu/library/asset-view.cfm?assetID=496186}, language = {English}, urldate = {2020-01-08} } @techreport{division:20200514:malware:34fa46f, author = {Leonardo’s Cyber Security division}, title = {{Malware Technical Insight Turla "Penquin_x64"}}, date = {2020-05-14}, institution = {Leonardo}, url = {https://www.leonardocompany.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf}, language = {English}, urldate = {2020-05-14} } @techreport{division:20200707:cosmic:cc97389, author = {AGARI CYBER INTELLIGENCE DIVISION}, title = {{Cosmic Lynx: The Rise of Russian BEC}}, date = {2020-07-07}, institution = {}, url = {https://www.agari.com/cyber-intelligence-research/whitepapers/acid-agari-cosmic-lynx.pdf}, language = {English}, urldate = {2020-07-08} } @online{dixon:20180623:oceanlotus:555d8bf, author = {Brandon Dixon and Steve Ginty}, title = {{OceanLotus 2018: Malicious Infrastructure}}, date = {2018-06-23}, organization = {passivetotal}, url = {https://community.riskiq.com/projects/53b4bd1e-dad0-306b-7712-d2a608400c8f}, language = {English}, urldate = {2019-11-16} } @online{dodia:20190315:immortal:43b3d3d, author = {Rajdeepsinh Dodia and Uday Pratap Singh}, title = {{Immortal information stealer}}, date = {2019-03-15}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/immortal-information-stealer}, language = {English}, urldate = {2020-06-08} } @online{dodia:20190808:saefko:bdc733d, author = {Rajdeepsinh Dodia and Priyanka Bhati}, title = {{Saefko: A new multi-layered RAT}}, date = {2019-08-08}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/saefko-new-multi-layered-rat}, language = {English}, urldate = {2019-11-26} } @online{dodia:20200116:ftcode:9e80307, author = {Rajdeepsinh Dodia and Amandeep Kumar and Atinderpal Singh}, title = {{FTCODE Ransomware - New Version Includes Stealing Capabilities}}, date = {2020-01-16}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/ftcode-ransomware--new-version-includes-stealing-capabilities}, language = {English}, urldate = {2020-01-27} } @techreport{doerr:20190808:enemy:3962b21, author = {Eric Doerr}, title = {{The Enemy Within: Modern Supply Chain Attacks}}, date = {2019-08-08}, institution = {BlackHat}, url = {https://i.blackhat.com/USA-19/Thursday/us-19-Doerr-The-Enemy-Within-Modern-Supply-Chain-Attacks.pdf}, language = {English}, urldate = {2020-08-14} } @online{doffman:20190816:warning:65452b4, author = {Zak Doffman}, title = {{Warning As Devious New Android Malware Hides In Fake Adobe Flash Player Installations (Updated)}}, date = {2019-08-16}, organization = {Forbes}, url = {https://www.forbes.com/sites/zakdoffman/2019/08/16/dangerous-new-android-trojan-hides-from-malware-researchers-and-taunts-them-on-twitter/}, language = {English}, urldate = {2020-01-08} } @techreport{doherty:20130917:hidden:1b7b01c, author = {Stephen Doherty and Jozsef Gegeny and Branko Spasojevic and Jonell Baltazar}, title = {{Hidden Lynx – Professional Hackers for Hire}}, date = {2013-09-17}, institution = {Symantec}, url = {http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/hidden_lynx.pdf}, language = {English}, urldate = {2020-01-08} } @techreport{doherty:20130917:hidden:72a1bd7, author = {Stephen Doherty and Jozsef Gegeny and Branko Spasojevic and Jonell Baltazar}, title = {{Hidden Lynx – Professional Hackers for Hire}}, date = {2013-09-17}, institution = {Symantec}, url = {https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/hidden_lynx.pdf}, language = {English}, urldate = {2020-04-21} } @online{dolas:20200731:masslogger:b17ff73, author = {Aniruddha Dolas}, title = {{MassLogger: An Emerging Spyware and Keylogger}}, date = {2020-07-31}, organization = {Seqrite}, url = {https://www.seqrite.com/blog/masslogger-an-emerging-spyware-and-keylogger/}, language = {English}, urldate = {2020-08-05} } @online{dolgushev:20181019:darkpulsar:c98e816, author = {Andrey Dolgushev and Dmitry Tarakanov and Vasily Berdnikov}, title = {{DarkPulsar}}, date = {2018-10-19}, organization = {Kaspersky Labs}, url = {https://securelist.com/darkpulsar/88199/}, language = {English}, urldate = {2019-12-20} } @online{dolgushev:20191105:darkuniverse:36ead28, author = {Andrey Dolgushev and Vasily Berdnikov and Alexander Fedotov}, title = {{DarkUniverse – the mysterious APT framework #27}}, date = {2019-11-05}, organization = {Kaspersky Labs}, url = {https://securelist.com/darkuniverse-the-mysterious-apt-framework-27/94897/}, language = {English}, urldate = {2020-04-24} } @online{domaintools:20170321:hunt:e4d1473, author = {DomainTools}, title = {{Hunt Case Study: Hunting Campaign Indicators on Privacy Protected Attack Infrastructure}}, date = {2017-03-21}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/case-study-hunting-campaign-indicators-on-privacy-protected-attack-infrastr}, language = {English}, urldate = {2020-05-18} } @online{doman:20141027:scanbox:c4beb38, author = {Chris Doman and Tom Lancaster}, title = {{ScanBox framework – who’s affected, and who’s using it?}}, date = {2014-10-27}, organization = {PWC}, url = {http://pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whos-affected-and-whos-using-it-1.html}, language = {English}, urldate = {2020-01-07} } @online{doman:20161026:moonlight:1edffaa, author = {Chris Doman}, title = {{Moonlight – Targeted attacks in the Middle East}}, date = {2016-10-26}, organization = {Unknown}, url = {https://www.vectra.ai/blogpost/moonlight-middle-east-targeted-attacks}, language = {English}, urldate = {2020-04-06} } @online{doman:20170612:open:b143d52, author = {Christopher Doman}, title = {{Open Source Malware - Sharing is caring?}}, date = {2017-06-12}, organization = {SlideShare}, url = {https://www.slideshare.net/ChristopherDoman/open-source-malware-sharing-is-caring}, language = {English}, urldate = {2020-01-13} } @online{doman:20181008:delivery:8f2c9ed, author = {Chris Doman}, title = {{Delivery (Key)Boy}}, date = {2018-10-08}, organization = {AT&T Cybersecurity}, url = {https://www.alienvault.com/blogs/labs-research/delivery-keyboy}, language = {English}, urldate = {2019-10-15} } @online{doman:20190306:internet:c3afbc0, author = {Chris Doman}, title = {{Internet of Termites}}, date = {2019-03-06}, organization = {AT&T}, url = {https://www.alienvault.com/blogs/labs-research/internet-of-termites}, language = {English}, urldate = {2020-01-07} } @online{doman:20200516:recent:bb6d18e, author = {Chris Doman and James Campbell}, title = {{Recent Attacks Against Supercomputers}}, date = {2020-05-16}, organization = {Cado Security}, url = {https://www.cadosecurity.com/2020/05/16/1318/}, language = {English}, urldate = {2020-05-18} } @online{doman:20200611:ongoing:d94778b, author = {Chris Doman and James Campbell}, title = {{An Ongoing AWS Phishing Campaign}}, date = {2020-06-11}, organization = {Cado Security}, url = {https://www.cadosecurity.com/2020/06/11/an-ongoing-aws-phishing-campaign/}, language = {English}, urldate = {2020-06-12} } @online{doman:20200817:team:a654242, author = {Chris Doman and James Campbell}, title = {{Team TNT - The First Crypto-Mining Worm to Steal AWS Credentials}}, date = {2020-08-17}, organization = {Cado Security}, url = {https://www.cadosecurity.com/2020/08/17/teamtnt-the-first-crypto-mining-worm-to-steal-aws-credentials/}, language = {English}, urldate = {2020-08-19} } @online{donohue:20141125:regin:15d544f, author = {Brain Donohue}, title = {{Regin APT Attacks Among the Most Sophisticated Ever Analyzed}}, date = {2014-11-25}, organization = {Kaspersky Labs}, url = {https://www.kaspersky.com/blog/regin-apt-most-sophisticated/6852/}, language = {English}, urldate = {2019-12-17} } @online{doraisjoncas:20120316:osximuler:badbc2e, author = {Alexis Dorais-Joncas}, title = {{OSX/Imuler updated: still a threat on Mac OS X}}, date = {2012-03-16}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2012/03/16/osximuler-updated-still-a-threat-on-mac-os-x/}, language = {English}, urldate = {2019-11-14} } @online{dorfman:20200715:exclusive:6a11ebe, author = {Zach Dorfman and Kim Zetter and Jenna McLaughlin and Sean D. Naylor}, title = {{Exclusive: Secret Trump order gives CIA more powers to launch cyberattacks}}, date = {2020-07-15}, organization = {Yahoo News}, url = {https://news.yahoo.com/secret-trump-order-gives-cia-more-powers-to-launch-cyberattacks-090015219.html}, language = {English}, urldate = {2020-07-16} } @online{dorneanu:20140707:disect:49df4ee, author = {Victor Dorneanu}, title = {{Disect Android APKs like a Pro - Static code analysis}}, date = {2014-07-07}, url = {http://blog.dornea.nu/2014/07/07/disect-android-apks-like-a-pro-static-code-analysis/}, language = {English}, urldate = {2020-01-07} } @online{douglas:20170309:spora:7038fba, author = {Kevin Douglas}, title = {{Spora Ransomware: Understanding the HTA Infection Vector}}, date = {2017-03-09}, organization = {Tenable}, url = {https://www.linkedin.com/pulse/spora-ransomware-understanding-hta-infection-vector-kevin-douglas}, language = {English}, urldate = {2020-01-10} } @online{downey:20190422:unpacking:2cb6558, author = {Mike Downey}, title = {{Unpacking & Decrypting FlawedAmmyy}}, date = {2019-04-22}, organization = {SANS}, url = {https://www.sans.org/reading-room/whitepapers/reverseengineeringmalware/unpacking-decrypting-flawedammyy-38930}, language = {English}, urldate = {2020-01-09} } @online{downs:20151016:surveillance:86d472f, author = {Rob Downs}, title = {{Surveillance Malware Trends: Tracking Predator Pain and HawkEye}}, date = {2015-10-16}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2015/10/surveillance-malware-trends-tracking-predator-pain-and-hawkeye/}, language = {English}, urldate = {2019-12-20} } @techreport{dragos:20170613:crashoverride:33b0a7e, author = {Dragos}, title = {{CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations}}, date = {2017-06-13}, institution = {Dragos}, url = {https://dragos.com/wp-content/uploads/CrashOverride-01.pdf}, language = {English}, urldate = {2020-01-13} } @techreport{dragos:20170613:crashoverride:ee53f66, author = {Dragos}, title = {{CRASHOVERRIDE: Analysis of the Threatto Electric Grid Operations}}, date = {2017-06-13}, institution = {Dragos}, url = {https://dragos.com/blog/crashoverride/CrashOverride-01.pdf}, language = {English}, urldate = {2020-01-10} } @techreport{dragos:20171213:trisis:43675c1, author = {Dragos}, title = {{TRISIS Malware: Analysis of Safety System Targeted Malware}}, date = {2017-12-13}, institution = {Dragos}, url = {https://dragos.com/blog/trisis/TRISIS-01.pdf}, language = {English}, urldate = {2020-01-13} } @techreport{dragos:20180301:industrial:6e4e898, author = {Dragos}, title = {{INDUSTRIAL CONTROL SYSTEM THREATS}}, date = {2018-03-01}, institution = {Dragos}, url = {https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf}, language = {English}, urldate = {2020-01-08} } @online{dragos:20180802:raspite:1873c25, author = {Dragos}, title = {{Raspite}}, date = {2018-08-02}, organization = {Dragos}, url = {https://dragos.com/blog/20180802Raspite.html}, language = {English}, urldate = {2020-01-13} } @online{dragos:20190403:allanite:46dcddd, author = {Dragos}, title = {{Allanite}}, date = {2019-04-03}, organization = {Dragos}, url = {https://dragos.com/blog/20180510Allanite.html}, language = {English}, urldate = {2020-01-09} } @techreport{dragos:20190801:global:2b76e8c, author = {Dragos}, title = {{Global Oil and Gas Cyber Threat Perspective}}, date = {2019-08-01}, institution = {Dragos}, url = {https://dragos.com/wp-content/uploads/Dragos-Oil-and-Gas-Threat-Perspective-2019.pdf}, language = {English}, urldate = {2020-01-09} } @online{dragos:2019:adversary:0237a20, author = {Dragos}, title = {{Adversary Reports}}, date = {2019}, organization = {Dragos}, url = {https://dragos.com/adversaries.html}, language = {English}, urldate = {2020-01-10} } @online{dragos:20200109:parisite:d17dd24, author = {Dragos}, title = {{PARISITE}}, date = {2020-01-09}, organization = {Dragos}, url = {https://www.dragos.com/threat/parisite}, language = {English}, urldate = {2020-09-18} } @techreport{dragos:202001:north:41ab73f, author = {Dragos}, title = {{North American Electric Cyber Threat Perspective}}, date = {2020-01}, institution = {Dragos}, url = {https://www.dragos.com/wp-content/uploads/NA-EL-Threat-Perspective-2019.pdf}, language = {English}, urldate = {2020-09-18} } @online{dragos:20200203:ekans:041a3ee, author = {Dragos}, title = {{EKANS Ransomware and ICS Operations}}, date = {2020-02-03}, organization = {Dragos}, url = {https://dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/}, language = {English}, urldate = {2020-02-04} } @techreport{dragos:20200224:2019:b583cc8, author = {Dragos}, title = {{2019 Year In Review: The ICS Landscape and Threat Actviity Groups}}, date = {2020-02-24}, institution = {Dragos}, url = {https://www.dragos.com/wp-content/uploads/The-ICS-Threat-Landscape.pdf}, language = {English}, urldate = {2020-09-18} } @online{driker:20200915:rudeminer:1cea628, author = {David Driker and Amir Landau}, title = {{Rudeminer, Blacksquid and Lucifer Walk Into A Bar}}, date = {2020-09-15}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2020/rudeminer-blacksquid-and-lucifer-walk-into-a-bar/}, language = {English}, urldate = {2020-09-18} } @online{drstache:20200212:manabotnet:9a3d3c6, author = {DrStache}, title = {{Tweet on ManaBotnet}}, date = {2020-02-12}, organization = {Twitter (@DrStache_)}, url = {https://twitter.com/DrStache_/status/1227662001247268864}, language = {English}, urldate = {2020-02-27} } @online{drweb:20120822:first:3c5cc7e, author = {Dr.Web}, title = {{The first Trojan in history to steal Linux and Mac OS X passwords}}, date = {2012-08-22}, organization = {Dr.Web}, url = {https://news.drweb.com/show/?i=2679&lng=en&c=14}, language = {English}, urldate = {2020-01-13} } @online{drweb:20140409:backdoorgootkit112a:b63758d, author = {Dr.Web}, title = {{BackDoor.Gootkit.112—a new multi-purpose backdoor}}, date = {2014-04-09}, organization = {Dr.Web}, url = {https://news.drweb.com/show/?i=4338&lng=en}, language = {English}, urldate = {2019-07-11} } @online{drweb:20160822:trojanmutabaha1:912e922, author = {Dr.Web}, title = {{Trojan.Mutabaha.1}}, date = {2016-08-22}, organization = {Dr.Web}, url = {http://vms.drweb.ru/virus/?_is=1&i=8477920}, language = {Russian}, urldate = {2020-01-09} } @online{drweb:20160908:doctor:00c53a5, author = {Dr.Web}, title = {{Doctor Web discovers Linux Trojan written in Rust}}, date = {2016-09-08}, organization = {Dr.Web}, url = {https://news.drweb.com/show/?c=5&i=10193&lng=en}, language = {English}, urldate = {2020-01-05} } @online{drweb:20170511:macbackdoorsystemd1:c74a3ef, author = {Dr.Web}, title = {{Mac.BackDoor.Systemd.1}}, date = {2017-05-11}, organization = {Dr.Web}, url = {https://vms.drweb.com/virus/?_is=1&i=15299312&lng=en}, language = {English}, urldate = {2020-01-08} } @online{drweb:20180807:doctor:4154c38, author = {Dr.Web}, title = {{Doctor Web discovered a clipper Trojan for Android}}, date = {2018-08-07}, organization = {Dr.Web}, url = {https://news.drweb.com/show?lng=en&i=12739}, language = {English}, urldate = {2020-01-13} } @online{drweb:20190508:new:06a3aa5, author = {Dr.Web}, title = {{A new threat for macOS spreads as WhatsApp}}, date = {2019-05-08}, organization = {Dr.Web}, url = {https://news.drweb.ru/show/?i=13281&c=23}, language = {English}, urldate = {2020-01-08} } @techreport{drweb:20200720:study:442ba99, author = {Dr.Web}, title = {{Study of the APT attacks on state institutions in Kazakhstan and Kyrgyzstan}}, date = {2020-07-20}, institution = {Dr.Web}, url = {https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf}, language = {English}, urldate = {2020-10-02} } @techreport{drweb:20200925:spear:aeadfac, author = {Dr.Web}, title = {{Spear phishing campaigns threaten Russian fuel and energy companies}}, date = {2020-09-25}, institution = {Dr.Web}, url = {https://st.drweb.com/static/new-www/news/2020/september/tek_rf_article_en.pdf}, language = {English}, urldate = {2020-10-02} } @online{dsouza:20190311:resecurity:8388bc5, author = {Melissa Dsouza}, title = {{Resecurity reports ‘IRIDUIM’ behind Citrix data breach, 200+ government agencies, oil and gas companies, and technology companies also targeted.}}, date = {2019-03-11}, organization = {Packt}, url = {https://hub.packtpub.com/resecurity-reports-iriduim-behind-citrix-data-breach-200-government-agencies-oil-and-gas-companies-and-technology-companies-also-targeted/}, language = {English}, urldate = {2020-01-10} } @online{ducharme:20190911:watchbog:7f5240b, author = {Luke DuCharme and Paul Lee}, title = {{Watchbog and the Importance of Patching}}, date = {2019-09-11}, organization = {Talos Intelligence}, url = {https://blog.talosintelligence.com/2019/09/watchbog-patching.html}, language = {English}, urldate = {2020-05-18} } @online{ducklin:20140121:digitally:4a7a4ee, author = {Paul Ducklin}, title = {{Digitally signed data-stealing malware targets Mac users in “undelivered courier item” attack}}, date = {2014-01-21}, organization = {Sophos Naked Security}, url = {https://nakedsecurity.sophos.com/2014/01/21/data-stealing-malware-targets-mac-users-in-undelivered-courier-item-attack/}, language = {English}, urldate = {2020-01-09} } @online{ducklin:20160229:hawkeye:e5bd59b, author = {Paul Ducklin}, title = {{The “HawkEye” attack: how cybercrooks target small businesses for big money}}, date = {2016-02-29}, organization = {Sophos}, url = {https://nakedsecurity.sophos.com/2016/02/29/the-hawkeye-attack-how-cybercrooks-target-small-businesses-for-big-money/}, language = {English}, urldate = {2019-11-27} } @online{ducklin:20200624:glupteba:8f0c66a, author = {Paul Ducklin}, title = {{Glupteba - the malware that gets secret messages from the Bitcoin blockchain}}, date = {2020-06-24}, organization = {Sophos Naked Security}, url = {https://nakedsecurity.sophos.com/2020/06/24/glupteba-the-bot-that-gets-secret-messages-from-the-bitcoin-blockchain/}, language = {English}, urldate = {2020-06-26} } @online{dudek:20190410:trisis:480b199, author = {Marcin Dudek}, title = {{TRISIS / TRITON / HatMan Malware Repository}}, date = {2019-04-10}, organization = {Github (ICSrepo)}, url = {https://github.com/ICSrepo/TRISIS-TRITON-HATMAN}, language = {English}, urldate = {2019-07-09} } @techreport{dumont:20181201:dark:20efc15, author = {Romain Dumont and Marc-Etienne M.Léveillé and Hugo Porcher}, title = {{THE DARK SIDE OF THE FORSSHE: A landscape of OpenSSH backdoors}}, date = {2018-12-01}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf}, language = {English}, urldate = {2020-01-09} } @online{dumont:20190409:oceanlotus:eb8a99f, author = {Romain Dumont}, title = {{OceanLotus: macOS malware update}}, date = {2019-04-09}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/}, language = {English}, urldate = {2019-11-14} } @online{duncan:20160509:pseudodarkleech:5dff946, author = {Brad Duncan}, title = {{PSEUDO-DARKLEECH ANGLER EK FROM 185.118.66.154 SENDS BEDEP/CRYPTXXX}}, date = {2016-05-09}, organization = {Malware Traffic Analysis}, url = {http://malware-traffic-analysis.net/2016/05/09/index.html}, language = {English}, urldate = {2020-01-08} } @online{duncan:20170117:eitest:f6e103b, author = {Brad Duncan}, title = {{EITEST RIG-V FROM 92.53.127.86 SENDS SPORA RANSOMWARE}}, date = {2017-01-17}, organization = {Malware Traffic Analysis}, url = {http://malware-traffic-analysis.net/2017/01/17/index2.html}, language = {English}, urldate = {2020-01-13} } @online{duncan:20170117:vreikstadi:aea370f, author = {Brad Duncan}, title = {{Tweet on Vreikstadi Malspam}}, date = {2017-01-17}, organization = {Twitter (@malware_traffic)}, url = {https://twitter.com/malware_traffic/status/821483557990318080}, language = {English}, urldate = {2020-01-08} } @online{duncan:20170121:sage:cf422da, author = {Brad Duncan}, title = {{Sage 2.0 Ransomware}}, date = {2017-01-21}, organization = {SANS ISC InfoSec Forums}, url = {https://isc.sans.edu/forums/diary/Sage+20+Ransomware/21959/}, language = {English}, urldate = {2019-07-11} } @online{duncan:20170403:dhl:b9c41a9, author = {Brad Duncan}, title = {{DHL Invoice Malspam/Photo Malspam}}, date = {2017-04-03}, organization = {Malware Traffic Analysis}, url = {http://malware-traffic-analysis.net/2017/04/03/index2.html}, language = {English}, urldate = {2020-01-13} } @online{duncan:20170425:20170425:dfd0f09, author = {Brian Duncan}, title = {{2017-04-25 - "GOOD MAN" CAMPAIGN RIG EK SENDS LATENTBOT}}, date = {2017-04-25}, organization = {Malware Traffic Analysis}, url = {http://malware-traffic-analysis.net/2017/04/25/index.html}, language = {English}, urldate = {2019-11-29} } @online{duncan:20170509:rig:c6b2df9, author = {Brad Duncan}, title = {{RIG EK SENDS BUNITU TROJAN}}, date = {2017-05-09}, organization = {Malware Traffic Analysis}, url = {http://malware-traffic-analysis.net/2017/05/09/index.html}, language = {English}, urldate = {2020-01-08} } @online{duncan:20170516:20170516:920d589, author = {Brad Duncan}, title = {{2017-05-16 - MORE EXAMPLES OF MALSPAM PUSHING JAFF RANSOMWARE}}, date = {2017-05-16}, organization = {Malware Traffic Analysis}, url = {http://malware-traffic-analysis.net/2017/05/16/index.html}, language = {English}, urldate = {2020-01-07} } @online{duncan:20170612:20170612:04b2c09, author = {Brian Duncan}, title = {{2017-06-12 - LOKI BOT MALSPAM - SUBJECT: RE: PURCHASE ORDER 457211}}, date = {2017-06-12}, organization = {Malware Traffic Analysis}, url = {http://www.malware-traffic-analysis.net/2017/06/12/index.html}, language = {English}, urldate = {2019-11-28} } @online{duncan:20170627:checking:23c2251, author = {Brad Duncan}, title = {{Checking out the new Petya variant}}, date = {2017-06-27}, organization = {SANS}, url = {https://isc.sans.edu/forums/diary/Checking+out+the+new+Petya+variant/22562/}, language = {English}, urldate = {2020-01-06} } @online{duncan:20170704:malspam:3713609, author = {Brad Duncan}, title = {{MALSPAM WITH JAVA-BASED RAT}}, date = {2017-07-04}, organization = {Malware Traffic Analysis}, url = {http://malware-traffic-analysis.net/2017/07/04/index.html}, language = {English}, urldate = {2020-01-10} } @online{duncan:20170901:eitest:6388761, author = {Brad Duncan}, title = {{EITest: HoeflerText Popups Targeting Google Chrome Users Now Push RAT Malware}}, date = {2017-09-01}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/09/unit42-hoeflertext-popups-targeting-google-chrome-users-now-pushing-rat-malware/}, language = {English}, urldate = {2019-12-20} } @online{duncan:20171013:blank:71e7858, author = {Brad Duncan}, title = {{Blank Slate Malspam Stops Pushing Locky, Starts Pushing Sage 2.2 Randsomware}}, date = {2017-10-13}, organization = {Malware Traffic Analysis}, url = {http://malware-traffic-analysis.net/2017/10/13/index.html}, language = {English}, urldate = {2020-01-13} } @online{duncan:20171102:20171102:dfff76e, author = {Brad Duncan}, title = {{2017-11-02 - ADVENTURES WITH SMOKE LOADER}}, date = {2017-11-02}, organization = {Malware Traffic Analysis}, url = {http://www.malware-traffic-analysis.net/2017/11/02/index.html}, language = {English}, urldate = {2020-01-06} } @online{duncan:20171123:necurs:15f819e, author = {Brad Duncan}, title = {{NECURS BOTNET MALSPAM PUSHES "SCARAB" RANSOMWARE}}, date = {2017-11-23}, organization = {Malware Traffic Analysis}, url = {http://malware-traffic-analysis.net/2017/11/23/index.html}, language = {English}, urldate = {2020-01-10} } @online{duncan:20171222:malspam:4a3fd87, author = {Brad Duncan}, title = {{MALSPAM USES CVE-2017-0199 TO DISTRIBUTE REMCOS RAT}}, date = {2017-12-22}, organization = {Malware Traffic Analysis}, url = {http://malware-traffic-analysis.net/2017/12/22/index.html}, language = {English}, urldate = {2019-07-11} } @online{duncan:20180104:malspam:ce2dfac, author = {Brad Duncan}, title = {{MALSPAM PUSHING PCRAT/GH0ST}}, date = {2018-01-04}, organization = {Malware Traffic Analysis}, url = {http://www.malware-traffic-analysis.net/2018/01/04/index.html}, language = {English}, urldate = {2019-12-24} } @online{duncan:20180201:quick:320f855, author = {Brad Duncan}, title = {{Quick Test Drive of Trickbot (It now has a Monero Module)}}, date = {2018-02-01}, organization = {Malware Traffic Analysis}, url = {http://www.malware-traffic-analysis.net/2018/02/01/}, language = {English}, urldate = {2019-07-09} } @online{duncan:20180307:ransomware:504a693, author = {Brad Duncan}, title = {{Ransomware news: GlobeImposter gets a facelift, GandCrab is still out there}}, date = {2018-03-07}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/23417}, language = {English}, urldate = {2020-01-06} } @online{duncan:20181204:malspam:8e2d810, author = {Brad Duncan}, title = {{Malspam pushing Lokibot malware}}, date = {2018-12-04}, url = {https://isc.sans.edu/diary/24372}, language = {English}, urldate = {2019-10-29} } @online{duncan:20181219:malspam:b8c4580, author = {Brad Duncan}, title = {{MALSPAM PUSHING THE MYDOOM WORM IS STILL A THING}}, date = {2018-12-19}, organization = {Malware Traffic Analysis}, url = {https://www.malware-traffic-analysis.net/2018/12/19/index.html}, language = {English}, urldate = {2020-01-13} } @online{duncan:20190117:emotet:0754347, author = {Brad Duncan}, title = {{Emotet infections and follow-up malware}}, date = {2019-01-17}, organization = {SANS ISC InfoSec Forums}, url = {https://isc.sans.edu/forums/diary/Emotet+infections+and+followup+malware/24532/}, language = {English}, urldate = {2020-01-13} } @online{duncan:20190123:russian:150eb22, author = {Brad Duncan and Mike Harbison}, title = {{Russian Language Malspam Pushing Redaman Banking Malware}}, date = {2019-01-23}, url = {https://unit42.paloaltonetworks.com/russian-language-malspam-pushing-redaman-banking-malware/}, language = {English}, urldate = {2020-01-06} } @online{duncan:20190220:more:a3216b8, author = {Brad Duncan}, title = {{More Russian language malspam pushing Shade (Troldesh) ransomware}}, date = {2019-02-20}, organization = {SANS ISC InfoSec Forums}, url = {https://isc.sans.edu/forums/diary/More+Russian+language+malspam+pushing+Shade+Troldesh+ransomware/24668/}, language = {English}, urldate = {2020-01-13} } @online{duncan:20190522:shade:7647744, author = {Brad Duncan}, title = {{Shade Ransomware Hits High-Tech, Wholesale, Education Sectors in U.S, Japan, India, Thailand, Canada}}, date = {2019-05-22}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/shade-ransomware-hits-high-tech-wholesale-education-sectors-in-u-s-japan-india-thailand-canada/}, language = {English}, urldate = {2020-01-13} } @online{duncan:20190625:rig:31ecb33, author = {Brad Duncan}, title = {{Rig Exploit Kit sends Pitou.B Trojan}}, date = {2019-06-25}, organization = {SANS}, url = {https://isc.sans.edu/diary/rss/25068}, language = {English}, urldate = {2019-12-17} } @online{duncan:20190711:recent:bd25d5a, author = {Brad Duncan}, title = {{Recent AZORult activity}}, date = {2019-07-11}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/25120}, language = {English}, urldate = {2020-01-10} } @online{duncan:20191108:wireshark:f37b983, author = {Brad Duncan}, title = {{Wireshark Tutorial: Examining Trickbot Infections}}, date = {2019-11-08}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/wireshark-tutorial-examining-trickbot-infections/}, language = {English}, urldate = {2020-01-06} } @online{duncan:20191122:trickbot:e14933b, author = {Brad Duncan}, title = {{Trickbot Updates Password Grabber Module}}, date = {2019-11-22}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/trickbot-updates-password-grabber-module/}, language = {English}, urldate = {2020-01-22} } @online{duncan:20191219:valak:a793639, author = {Brad Duncan}, title = {{Tweet on Valak Malware}}, date = {2019-12-19}, organization = {Twitter (@malware_traffic)}, url = {https://twitter.com/malware_traffic/status/1207824548021886977}, language = {English}, urldate = {2020-01-05} } @online{duncan:20191223:wireshark:11f95ab, author = {Brad Duncan}, title = {{Wireshark Tutorial: Examining Ursnif Infections}}, date = {2019-12-23}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/wireshark-tutorial-examining-ursnif-infections/}, language = {English}, urldate = {2020-01-13} } @online{duncan:20200123:german:2c867b2, author = {Brad Duncan}, title = {{German language malspam pushes Ursnif}}, date = {2020-01-23}, organization = {SANS ISC InfoSec Forums}, url = {https://isc.sans.edu/forums/diary/German+language+malspam+pushes+Ursnif/25732/}, language = {English}, urldate = {2020-01-26} } @online{duncan:20200528:goodbye:87a0245, author = {Brad Duncan}, title = {{Goodbye Mworm, Hello Nworm: TrickBot Updates Propagation Module}}, date = {2020-05-28}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/goodbye-mworm-hello-nworm-trickbot-updates-propagation-module/}, language = {English}, urldate = {2020-05-29} } @online{duncan:20200724:evolution:a372b2b, author = {Brad Duncan}, title = {{Evolution of Valak, from Its Beginnings to Mass Distribution}}, date = {2020-07-24}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/valak-evolution/}, language = {English}, urldate = {2020-08-05} } @online{duncan:20200821:wireshark:d98d5ed, author = {Brad Duncan}, title = {{Wireshark Tutorial: Decrypting HTTPS Traffic}}, date = {2020-08-21}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/wireshark-tutorial-decrypting-https-traffic/}, language = {English}, urldate = {2020-08-25} } @online{duncan:20200907:collection:09ab7be, author = {Brad Duncan}, title = {{Collection of recent Dridex IOCs}}, date = {2020-09-07}, organization = {Github (pan-unit42)}, url = {https://github.com/pan-unit42/tweets/blob/master/2020-09-07-Dridex-IOCs.txt}, language = {English}, urldate = {2020-09-15} } @online{duncan:20200910:recent:f9e103f, author = {Brad Duncan}, title = {{Recent Dridex activity}}, date = {2020-09-10}, organization = {SANS ISC InfoSec Forums}, url = {https://isc.sans.edu/forums/diary/Recent+Dridex+activity/26550/}, language = {English}, urldate = {2020-09-15} } @online{dunwoody:20170403:dissecting:65071e7, author = {Matthew Dunwoody}, title = {{Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY)}}, date = {2017-04-03}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html}, language = {English}, urldate = {2019-12-20} } @online{dunwoody:20170404:poshspy:dc59dda, author = {Matthew Dunwoody}, title = {{POSHSPY backdoor code}}, date = {2017-04-04}, organization = {GitHub (matthewdunwoody)}, url = {https://github.com/matthewdunwoody/POSHSPY}, language = {English}, urldate = {2019-12-18} } @online{dunwoody:20181119:not:e581291, author = {Matthew Dunwoody and Andrew Thompson and Ben Withnell and Jonathan Leathery and Michael Matonis and Nick Carr}, title = {{Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign}}, date = {2018-11-19}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html}, language = {English}, urldate = {2019-12-20} } @online{duquette:20130124:linuxsshdoora:0b9dc3e, author = {Sébastien Duquette}, title = {{Linux/SSHDoor.A Backdoored SSH daemon that steals passwords}}, date = {2013-01-24}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2013/01/24/linux-sshdoor-a-backdoored-ssh-daemon-that-steals-passwords/}, language = {English}, urldate = {2019-11-14} } @online{durando:20170426:bankbot:f7430c7, author = {Dario Durando and David Maciejak}, title = {{BankBot, the Prequel}}, date = {2017-04-26}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/bankbot-the-prequel.html}, language = {English}, urldate = {2019-12-17} } @online{durando:20170919:look:79fa513, author = {Dario Durando}, title = {{A Look Into The New Strain Of BankBot}}, date = {2017-09-19}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/a-look-into-the-new-strain-of-bankbot.html}, language = {English}, urldate = {2020-01-13} } @online{durando:20190703:bianlian:c6f94bb, author = {Dario Durando}, title = {{BianLian: A New Wave Emerges}}, date = {2019-07-03}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/new-wave-bianlian-malware.html}, language = {English}, urldate = {2019-12-24} } @online{durando:20190904:funkybot:625b9ba, author = {Dario Durando}, title = {{FunkyBot: A New Android Malware Family Targeting Japan}}, date = {2019-09-04}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/funkybot-malware-targets-japan.html}, language = {English}, urldate = {2020-01-13} } @online{dutcher:20130904:sykipot:3c79c33, author = {Darin Dutcher}, title = {{Sykipot Now Targeting US Civil Aviation Sector Information}}, date = {2013-09-04}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/sykipot-now-targeting-us-civil-aviation-sector-information/}, language = {English}, urldate = {2020-01-08} } @online{dutcher:20130904:sykipot:8fffe0c, author = {Darin Dutcher}, title = {{Sykipot Now Targeting US Civil Aviation Sector Information}}, date = {2013-09-04}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/sykipot-now-targeting-us-civil-aviation-sector-information/}, language = {English}, urldate = {2019-12-05} } @online{dwoskin:20190220:microsoft:9d4cb73, author = {Elizabeth Dwoskin and Craig Timberg}, title = {{Microsoft says it has found another Russian operation targeting prominent think tanks}}, date = {2019-02-20}, organization = {Washington Post}, url = {https://www.washingtonpost.com/technology/2019/02/20/microsoft-says-it-has-found-another-russian-operation-targeting-prominent-think-tanks/?utm_term=.870ff11468ae}, language = {English}, urldate = {2019-11-29} } @online{east:20150619:russian:fe2f7aa, author = {London South East}, title = {{Russian Hackers Suspected In Cyberattack On German Parliament}}, date = {2015-06-19}, organization = {London South East}, url = {http://www.lse.co.uk/AllNews.asp?code=kwdwehme&headline=Russian_Hackers_Suspected_In_Cyberattack_On_German_Parliament}, language = {English}, urldate = {2020-01-05} } @techreport{ebach:20170622:analysis:25ecd34, author = {Luca Ebach}, title = {{Analysis Results of Zeus.Variant.Panda}}, date = {2017-06-22}, institution = {G Data}, url = {https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf}, language = {English}, urldate = {2019-12-02} } @online{ebach:20200831:trickbot:c975ec5, author = {Luca Ebach}, title = {{Trickbot rdpscanDll – Transforming Candidate Credentials for Brute-Forcing RDP Servers}}, date = {2020-08-31}, organization = {cyber.wtf blog}, url = {https://cyber.wtf/2020/08/31/trickbot-rdpscandll-password-transof/}, language = {English}, urldate = {2020-08-31} } @online{eckman:20201007:ghostdnsbusters:9a32391, author = {Brian Eckman}, title = {{GhostDNSbusters (Part 2)}}, date = {2020-10-07}, organization = {Team Cymru}, url = {https://team-cymru.com/blog/2020/10/07/ghostdnsbusters-part-2/}, language = {English}, urldate = {2020-10-12} } @online{editor:20170118:flashback:4ac713f, author = {Editor}, title = {{Flashback Wednesday: Pakistani Brain}}, date = {2017-01-18}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/01/18/flashback-wednesday-pakistani-brain/}, language = {English}, urldate = {2019-11-14} } @online{editor:20171024:kiev:b706a68, author = {Editor}, title = {{Kiev metro hit with a new variant of the infamous Diskcoder ransomware}}, date = {2017-10-24}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/10/24/kiev-metro-hit-new-variant-infamous-diskcoder-ransomware/?utm_content=buffer8ffe4&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer}, language = {English}, urldate = {2019-11-14} } @online{edmondson:20190118:black:e66dcec, author = {Mark Edmondson}, title = {{BLACK ENERGY – Analysis}}, date = {2019-01-18}, url = {https://marcusedmondson.com/2019/01/18/black-energy-analysis/}, language = {English}, urldate = {2020-01-08} } @techreport{edwards:2011:survey:e95ca12, author = {Jeff Edwards and Jose Nazario}, title = {{A Survey of Contemporary Chinese DDoS Malware}}, date = {2011}, institution = {Virus Bulletin}, url = {https://www.virusbulletin.com/uploads/pdf/conference_slides/2011/Edwards-Nazario-VB2011.pdf}, language = {English}, urldate = {2020-01-06} } @techreport{edwards:20161016:hajime:e095dad, author = {Sam Edwards and Ioannis Profetis}, title = {{Hajime: Analysis of a decentralizedinternet worm for IoT devices}}, date = {2016-10-16}, institution = {RapidityNetworks}, url = {https://security.rapiditynetworks.com/publications/2016-10-16/hajime.pdf}, language = {English}, urldate = {2020-01-09} } @online{ehmke:20200820:webinar:cad7a98, author = {Kyle Ehmke}, title = {{[webinar] Proactive Infrastructure Hunting with ThreatConnect & DomainTools}}, date = {2020-08-20}, organization = {ThreatConnect}, url = {https://threatconnect.com/resource/proactive-infrastructure-hunting-with-threatconnect-domaintools/}, language = {English}, urldate = {2020-09-06} } @online{eidgenossenschaft:20190812:trojaner:60574cc, author = {Schweizerische Eidgenossenschaft}, title = {{Trojaner Emotet greift Unternehmensnetzwerke an}}, date = {2019-08-12}, organization = {Schweizerische Eidgenossenschaft}, url = {https://www.melani.admin.ch/melani/de/home/dokumentation/newsletter/Trojaner_Emotet_greift_Unternehmensnetzwerke_an.html}, language = {German}, urldate = {2020-01-08} } @online{eisenkraft:20190619:check:0a79b2b, author = {Kobi Eisenkraft and Moshe Hayun}, title = {{Check Point’s Threat Emulation Stops Large-Scale Phishing Campaign in Germany}}, date = {2019-06-19}, organization = {Check Point}, url = {https://blog.checkpoint.com/2019/06/19/sandblast-agent-phishing-germany-campaign-security-hack-ransomware/}, language = {English}, urldate = {2020-01-08} } @online{elastic:20200630:detection:79c8fbe, author = {Elastic}, title = {{Detection Rules by Elastic}}, date = {2020-06-30}, organization = {Github (elastic)}, url = {https://github.com/elastic/detection-rules}, language = {English}, urldate = {2020-07-02} } @online{eldeeb:20190820:source:66124bb, author = {Sherif Eldeeb}, title = {{Source code: TinyMet}}, date = {2019-08-20}, organization = {Github (SherifEldeeb)}, url = {https://github.com/SherifEldeeb/TinyMet}, language = {English}, urldate = {2020-02-13} } @online{elder:20190625:ransomware:4b72d11, author = {Jeff Elder}, title = {{Ransomware strain Troldesh spikes again – Avast tracks new attacks}}, date = {2019-06-25}, organization = {Avast}, url = {https://blog.avast.com/ransomware-strain-troldesh-spikes}, language = {English}, urldate = {2020-01-09} } @online{elevenpaths:20180511:new:8c874e9, author = {ElevenPaths}, title = {{New report: Malware attacks Chilean banks and bypasses SmartScreen, by exploiting DLL Hijacking within popular software}}, date = {2018-05-11}, organization = {Think Big}, url = {http://blog.en.elevenpaths.com/2018/05/new-report-malware-attacks-chilean.html}, language = {English}, urldate = {2020-01-08} } @online{elshinbary:20200505:deep:f5661cb, author = {Abdallah Elshinbary}, title = {{Deep Analysis of Ryuk Ransomware}}, date = {2020-05-05}, organization = {N1ght-W0lf Blog}, url = {https://n1ght-w0lf.github.io/malware%20analysis/ryuk-ransomware/}, language = {English}, urldate = {2020-05-10} } @online{elshinbary:20200621:deep:1a39a3f, author = {Abdallah Elshinbary}, title = {{Deep Analysis of SmokeLoader}}, date = {2020-06-21}, organization = {N1ght-W0lf Blog}, url = {https://n1ght-w0lf.github.io/malware%20analysis/smokeloader/}, language = {English}, urldate = {2020-06-22} } @online{elshinbary:20200704:deep:bdfbd8a, author = {Abdallah Elshinbary}, title = {{Deep Analysis of Anubis Banking Malware}}, date = {2020-07-04}, organization = {N1ght-W0lf Blog}, url = {https://n1ght-w0lf.github.io/malware%20analysis/anubis-banking-malware/}, language = {English}, urldate = {2020-07-06} } @online{elshinbary:20200715:deep:9b38d20, author = {Abdallah Elshinbary}, title = {{Deep Analysis of QBot Banking Trojan}}, date = {2020-07-15}, organization = {N1ght-W0lf Blog}, url = {https://n1ght-w0lf.github.io/malware%20analysis/qbot-banking-trojan/}, language = {English}, urldate = {2020-07-16} } @techreport{elwell:20181001:attcking:3c6d888, author = {Regina Elwell and Katie Nickels}, title = {{ATT&CKing FIN7}}, date = {2018-10-01}, institution = {FireEye}, url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf}, language = {English}, urldate = {2020-06-25} } @online{endo:20180803:volatility:4597ce0, author = {Takuya Endo and Yukako Uchida}, title = {{Volatility Plugin for Detecting Cobalt Strike Beacon}}, date = {2018-08-03}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html}, language = {English}, urldate = {2019-07-11} } @techreport{eng:2011:nitro:656e464, author = {Erica Eng and Gavin O'Gorman}, title = {{The Nitro Attacks: Stealing Secrets from the Chemical Industry}}, date = {2011}, institution = {Symantec}, url = {https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2011/the_nitro_attacks.pdf}, language = {English}, urldate = {2020-04-21} } @online{entdark:20170530:bankbot:4cb608c, author = {entdark}, title = {{Bankbot on Google Play}}, date = {2017-05-30}, organization = {Koodous}, url = {http://blog.koodous.com/2017/05/bankbot-on-google-play.html}, language = {English}, urldate = {2020-01-13} } @online{eremin:20190322:azorult:3080ee5, author = {Alexander Eremin}, title = {{AZORult++: Rewriting history}}, date = {2019-03-22}, organization = {Kaspersky Labs}, url = {https://securelist.com/azorult-analysis-history/89922/}, language = {English}, urldate = {2019-12-20} } @online{eremin:20200324:people:752ed0f, author = {Alexander Eremin}, title = {{People infected with coronavirus are all around you, says Ginp Trojan}}, date = {2020-03-24}, organization = {Kaspersky Labs}, url = {https://www.kaspersky.com/blog/ginp-trojan-coronavirus-finder/34338/}, language = {English}, urldate = {2020-03-26} } @online{eremin:20200623:oh:4e55504, author = {Alexander Eremin}, title = {{Oh, what a boot-iful mornin’ Rovnix bootkit back in business}}, date = {2020-06-23}, organization = {Kaspersky Labs}, url = {https://securelist.com/oh-what-a-boot-iful-mornin/97365}, language = {English}, urldate = {2020-06-23} } @online{erlich:20181025:game:af49ad1, author = {Chen Erlich and Yakov Goldberg}, title = {{Game of Trojans: Dissecting the #Khalesi Infostealer Malware}}, date = {2018-10-25}, organization = {enSilo}, url = {https://blog.ensilo.com/game-of-trojans-dissecting-khalesi-infostealer-malware}, language = {English}, urldate = {2020-01-06} } @online{erlich:20190716:avast:b3dec63, author = {Chen Erlich}, title = {{The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable}}, date = {2019-07-16}, organization = {enSilo}, url = {https://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767}, language = {English}, urldate = {2020-04-13} } @online{erquiaga:20190412:analysis:bb76a6f, author = {María José Erquiaga}, title = {{Analysis of an IRC based Botnet}}, date = {2019-04-12}, organization = {Stratosphere Lab}, url = {https://www.stratosphereips.org/blog/2019/4/12/analysis-of-a-irc-based-botnet}, language = {English}, urldate = {2020-01-10} } @online{eschweiler:20181025:cutwail:494e458, author = {Sebastian Eschweiler and Brett Stone-Gross and Bex Hartley}, title = {{Cutwail Spam Campaign Uses Steganography to Distribute URLZone}}, date = {2018-10-25}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/cutwail-spam-campaign-uses-steganography-to-distribute-urlzone/}, language = {English}, urldate = {2019-12-20} } @online{escinsecurity:20180129:weekly:2cd5b6e, author = {EscInSecurity}, title = {{Weekly TrickBot Analysis - End of w/c 22-Jan-2018 to 1000119}}, date = {2018-01-29}, organization = {EscInSecurity}, url = {https://escinsecurity.blogspot.de/2018/01/weekly-trickbot-analysis-end-of-wc-22.html}, language = {English}, urldate = {2020-01-09} } @online{eset:20090805:pc:16d1905, author = {Eset}, title = {{PC Users Threatened by Conficker Worm and new Internet-browser Modifier}}, date = {2009-08-05}, organization = {ESET Research}, url = {https://www.eset.com/int/about/newsroom/press-releases/announcements/press-threatsense-report-july-2009/}, language = {English}, urldate = {2020-03-19} } @online{eset:20170627:new:891fe4f, author = {Eset}, title = {{New WannaCryptor‑like ransomware attack hits globally: All you need to know}}, date = {2017-06-27}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/06/27/new-ransomware-attack-hits-ukraine/}, language = {English}, urldate = {2020-01-08} } @techreport{eset:201801:diplomats:89688b4, author = {Eset}, title = {{Diplomats in Eastern Europe bitten by a Turla mosquito}}, date = {2018-01}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf}, language = {English}, urldate = {2020-01-08} } @online{esparza:20091001:detecting:3586ef7, author = {Jose Miguel Esparza}, title = {{Detecting ZeuS}}, date = {2009-10-01}, organization = {Eternal Todo}, url = {http://eternal-todo.com/blog/detecting-zeus}, language = {English}, urldate = {2020-01-10} } @online{esparza:20091106:new:f49d94c, author = {Jose Miguel Esparza}, title = {{New ZeuS binary}}, date = {2009-11-06}, organization = {Eternal Todo}, url = {http://eternal-todo.com/blog/new-zeus-binary}, language = {English}, urldate = {2020-01-08} } @online{esparza:20100202:zeus:c1a8f1f, author = {Jose Miguel Esparza}, title = {{ZeuS spreading via Facebook}}, date = {2010-02-02}, organization = {EternalTODO Blog}, url = {http://eternal-todo.com/blog/zeus-spreading-facebook}, language = {English}, urldate = {2019-07-11} } @online{esparza:20130901:yet:d6bf0b6, author = {Jose Miguel Esparza}, title = {{Yet another Andromeda / Gamarue analysis}}, date = {2013-09-01}, organization = {Eternal Todo}, url = {https://eternal-todo.com/blog/yet-another-andromeda-gamarue-analysis}, language = {English}, urldate = {2020-01-10} } @online{esparza:20141005:dissecting:93f306b, author = {Jose Miguel Esparza}, title = {{Dissecting SmokeLoader (or Yulia's sweet ass proposition)}}, date = {2014-10-05}, organization = {Eternal Todo}, url = {https://eternal-todo.com/blog/smokeloader-analysis-yulia-photo}, language = {English}, urldate = {2020-01-13} } @online{esparza:20150417:andromedagamarue:2330f4e, author = {Jose Miguel Esparza}, title = {{Andromeda/Gamarue bot loves JSON too (new versions details)}}, date = {2015-04-17}, organization = {Eternal Todo}, url = {https://eternal-todo.com/blog/andromeda-gamarue-loves-json}, language = {English}, urldate = {2020-01-10} } @online{esparza:20191106:spanish:eaf5520, author = {Jose Miguel Esparza and Blueliv Team}, title = {{Spanish consultancy Everis suffers BitPaymer ransomware attack: a brief analysis}}, date = {2019-11-06}, organization = {Blueliv}, url = {https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/everis-bitpaymer-ransomware-attack-analysis-dridex/}, language = {English}, urldate = {2020-01-08} } @online{europol:20140710:global:63da679, author = {Europol}, title = {{Global Action Targeting Shylock Malware}}, date = {2014-07-10}, organization = {Europol}, url = {https://www.europol.europa.eu/newsroom/news/global-action-targeting-shylock-malware}, language = {English}, urldate = {2019-12-18} } @online{europol:20171204:andromeda:2024e4d, author = {Europol}, title = {{Andromeda botnet dismantled in international cyber operation}}, date = {2017-12-04}, organization = {Europol}, url = {https://www.europol.europa.eu/newsroom/news/andromeda-botnet-dismantled-in-international-cyber-operation}, language = {English}, urldate = {2020-01-09} } @online{europol:20181025:pay:d82bbfc, author = {Europol}, title = {{Pay No More: universal GandCrab decryption tool released for free on No More Ransom}}, date = {2018-10-25}, organization = {Europol}, url = {https://www.europol.europa.eu/newsroom/news/pay-no-more-universal-gandcrab-decryption-tool-released-for-free-no-more-ransom}, language = {English}, urldate = {2019-11-26} } @online{europol:20190516:goznym:37f6fa9, author = {Europol}, title = {{GOZNYM MALWARE: CYBERCRIMINAL NETWORK DISMANTLED IN INTERNATIONAL OPERATION}}, date = {2019-05-16}, organization = {Europol}, url = {https://www.europol.europa.eu/newsroom/news/goznym-malware-cybercriminal-network-dismantled-in-international-operation}, language = {English}, urldate = {2019-12-18} } @online{evans:20190917:cryptocurrency:8f3a9e9, author = {Christopher Evans and David Liebenberg}, title = {{Cryptocurrency miners aren’t dead yet: Documenting the voracious but simple “Panda”}}, date = {2019-09-17}, organization = {Talos}, url = {https://blog.talosintelligence.com/2019/09/panda-evolution.html}, language = {English}, urldate = {2019-10-31} } @online{evans:20200711:injecting:3d78e32, author = {Peter Evans and Rodel Mendrez}, title = {{Injecting Magecart into Magento Global Config}}, date = {2020-07-11}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/injecting-magecart-into-magento-global-config/}, language = {English}, urldate = {2020-07-15} } @online{evild3ad:20110430:bkatrojaner:f7e6f23, author = {evild3ad}, title = {{BKA-Trojaner (Ransomware)}}, date = {2011-04-30}, organization = {evild3ad blog}, url = {https://www.evild3ad.com/405/bka-trojaner-ransomware/}, language = {English}, urldate = {2020-01-06} } @online{ewane:20170609:macspy:608f090, author = {Peter Ewane}, title = {{MacSpy: OS X Mac RAT as a Service}}, date = {2017-06-09}, organization = {AT&T}, url = {https://www.alienvault.com/blogs/labs-research/macspy-os-x-rat-as-a-service}, language = {English}, urldate = {2019-12-04} } @techreport{ewhitehats:20180809:kovter:3181581, author = {eWhitehats}, title = {{Kovter Uncovered: Malware Teardown}}, date = {2018-08-09}, institution = {Github (ewhitehats)}, url = {https://github.com/ewhitehats/kovterTools/blob/master/KovterWhitepaper.pdf}, language = {English}, urldate = {2020-01-09} } @online{eybisi:20190407:mobile:c60bdb5, author = {Eybisi}, title = {{Mobile Malware Analysis : Tricks used in Anubis}}, date = {2019-04-07}, organization = {Eybisi}, url = {https://eybisi.run/Mobile-Malware-Analysis-Tricks-used-in-Anubis/}, language = {English}, urldate = {2020-01-08} } @online{f0rb1dd3n:20190304:reptile:cc8715f, author = {f0rb1dd3n}, title = {{Reptile}}, date = {2019-03-04}, organization = {Github (f0rb1dd3n)}, url = {https://github.com/f0rb1dd3n/Reptile}, language = {English}, urldate = {2020-01-10} } @online{f:20160512:hancitor:9c250c0, author = {Axel F and Matthew Mesa}, title = {{Hancitor and Ruckguv Reappear, Updated and With Vawtrak On Deck}}, date = {2016-05-12}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear}, language = {English}, urldate = {2019-12-20} } @online{f:20160707:nettraveler:a613df3, author = {Axel F}, title = {{NetTraveler APT Targets Russian, European Interests}}, date = {2016-07-07}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/nettraveler-apt-targets-russian-european-interests}, language = {English}, urldate = {2019-12-20} } @online{f:20170427:targets:b3540fd, author = {Axel F}, title = {{APT Targets Financial Analysts with CVE-2017-0199}}, date = {2017-04-27}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/apt-targets-financial-analysts}, language = {English}, urldate = {2019-12-20} } @online{f:20171016:leviathan:a898346, author = {Axel F and Pierre T}, title = {{Leviathan: Espionage actor spearphishes maritime and defense targets}}, date = {2017-10-16}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets}, language = {English}, urldate = {2019-12-20} } @online{f:20190515:threat:06b415a, author = {Axel F and Proofpoint Threat Insight Team}, title = {{Threat Actor Profile: TA542, From Banker to Malware Distribution Service}}, date = {2019-05-15}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta542-banker-malware-distribution-service}, language = {English}, urldate = {2019-12-20} } @online{f:20200318:coronavirus:8fe12a3, author = {Axel F and Sam Scholten}, title = {{Coronavirus Threat Landscape Update}}, date = {2020-03-18}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update}, language = {English}, urldate = {2020-03-26} } @online{f:20200828:comprehensive:df5ff9b, author = {Axel F and Proofpoint Threat Research Team}, title = {{A Comprehensive Look at Emotet’s Summer 2020 Return}}, date = {2020-08-28}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/comprehensive-look-emotets-summer-2020-return}, language = {English}, urldate = {2020-08-30} } @online{f:20201001:emotet:59780d9, author = {Axel F and Proofpoint Threat Research Team}, title = {{Emotet Makes Timely Adoption of Political and Elections Lures}}, date = {2020-10-01}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/emotet-makes-timely-adoption-political-and-elections-lures}, language = {English}, urldate = {2020-10-05} } @online{facebook:20130215:protecting:491c151, author = {Facebook}, title = {{Protecting People On Facebook}}, date = {2013-02-15}, organization = {Facebook}, url = {https://www.facebook.com/notes/facebook-security/protecting-people-on-facebook/10151249208250766}, language = {English}, urldate = {2020-01-13} } @techreport{facebook:20200901:august:b00a9e2, author = {Facebook}, title = {{August 2020 Coordinated Inauthentic Behavior Report}}, date = {2020-09-01}, institution = {Facebook}, url = {https://about.fb.com/wp-content/uploads/2020/09/August-2020-CIB-Report.pdf}, language = {English}, urldate = {2020-09-01} } @techreport{fagerland:2012:many:c938856, author = {Snorre Fagerland}, title = {{The many faces of Gh0st Rat}}, date = {2012}, institution = {Norman ASA}, url = {http://download01.norman.no/documents/ThemanyfacesofGh0stRat.pdf}, language = {English}, urldate = {2019-12-20} } @techreport{fagerland:20131211:chinese:b7bb523, author = {Snorre Fagerland}, title = {{The Chinese Malware Complexes: The Maudi Surveillance Operation}}, date = {2013-12-11}, institution = {Norman Shark}, url = {https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2012/NormanShark-MaudiOperation.pdf}, language = {English}, urldate = {2020-01-27} } @online{fagerland:20141209:blue:0d254a1, author = {Snorre Fagerland and Waylon Grange}, title = {{Blue Coat Exposes “The Inception Framework”; Very Sophisticated, Layered Malware Attack Targeted at Military, Diplomats, and Business Execs}}, date = {2014-12-09}, organization = {Blue Coat}, url = {https://web.archive.org/web/20160710180729/https://www.bluecoat.com/security-blog/2014-12-09/blue-coat-exposes-%E2%80%9C-inception-framework%E2%80%9D-very-sophisticated-layered-malware}, language = {English}, urldate = {2020-04-21} } @techreport{fagerland:20141209:inception:1966734, author = {Snorre Fagerland and Waylon Grange}, title = {{The Inception Framework: Cloud-hosted APT}}, date = {2014-12-09}, institution = {Blue Coat}, url = {https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/bcs_wp_InceptionReport_EN_v12914.pdf}, language = {English}, urldate = {2020-04-21} } @online{fagerland:201602:from:78bc745, author = {Snorre Fagerland}, title = {{From Seoul to Sony The History of the Darkseoul Group and the Sony Intrusion Malware Destover}}, date = {2016-02}, organization = {Blue Coat Systems Inc}, url = {https://app.box.com/s/xyyord0b806e6or2nh92coxw2areyyx4}, language = {English}, urldate = {2020-08-18} } @online{fakterman:20200903:no:7719da5, author = {Tom Fakterman}, title = {{No Rest for the Wicked: Evilnum Unleashes PyVil RAT}}, date = {2020-09-03}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/no-rest-for-the-wicked-evilnum-unleashes-pyvil-rat}, language = {English}, urldate = {2020-09-04} } @online{falcone:20150518:cmstar:3d947f0, author = {Robert Falcone}, title = {{Cmstar Downloader: Lurid and Enfal’s New Cousin}}, date = {2015-05-18}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2015/05/cmstar-downloader-lurid-and-enfals-new-cousin/}, language = {English}, urldate = {2019-12-20} } @online{falcone:20150727:ups:ae69e4c, author = {Robert Falcone and Richard Wartell}, title = {{UPS: Observations on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload}}, date = {2015-07-27}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2015/07/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/}, language = {English}, urldate = {2019-12-20} } @online{falcone:20150923:chinese:4faf76a, author = {Robert Falcone and Jen Miller-Osborn}, title = {{Chinese Actors Use ‘3102’ Malware in Attacks on US Government and EU Media}}, date = {2015-09-23}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2015/09/chinese-actors-use-3102-malware-in-attacks-on-us-government-and-eu-media/}, language = {English}, urldate = {2019-12-20} } @online{falcone:20150923:chinese:7210cf9, author = {Robert Falcone and Jen Miller-Osborn}, title = {{Chinese Actors Use ‘3102’ Malware in Attacks on US Government and EU Media}}, date = {2015-09-23}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2015/09/chinese-actors-use-3102-malware-in-attacks-on-us-government-and-eu-media/}, language = {English}, urldate = {2019-12-20} } @online{falcone:20151218:attack:e1f82ab, author = {Robert Falcone and Jen Miller-Osborn}, title = {{Attack on French Diplomat Linked to Operation Lotus Blossom}}, date = {2015-12-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/attack-on-french-diplomat-linked-to-operation-lotus-blossom/}, language = {English}, urldate = {2020-01-06} } @online{falcone:20160124:scarlet:c5ef791, author = {Robert Falcone and Jen Miller-Osborn}, title = {{Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists}}, date = {2016-01-24}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/scarlet-mimic-years-long-espionage-targets-minority-activists/}, language = {English}, urldate = {2020-01-08} } @online{falcone:20160203:emissary:99f3e21, author = {Robert Falcone and Jen Miller-Osborn}, title = {{Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?}}, date = {2016-02-03}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2016/02/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/}, language = {English}, urldate = {2019-12-20} } @online{falcone:20160325:projectm:afcff3a, author = {Robert Falcone and Simon Conant}, title = {{ProjectM: Link Found Between Pakistani Actor and Operation Transparent Tribe}}, date = {2016-03-25}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe}, language = {English}, urldate = {2020-01-10} } @online{falcone:20160526:oilrig:89b6b4d, author = {Robert Falcone and Bryan Lee}, title = {{The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor}}, date = {2016-05-26}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/}, language = {English}, urldate = {2019-12-20} } @online{falcone:20160526:oilrig:99f488f, author = {Robert Falcone and Bryan Lee}, title = {{The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor}}, date = {2016-05-26}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/}, language = {English}, urldate = {2020-01-13} } @online{falcone:20160614:new:0c98099, author = {Robert Falcone and Bryan Lee}, title = {{New Sofacy Attacks Against US Government Agency}}, date = {2016-06-14}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-new-sofacy-attacks-against-us-government-agency/}, language = {English}, urldate = {2019-10-29} } @online{falcone:20160614:new:1ba80fd, author = {Robert Falcone and Bryan Lee}, title = {{New Sofacy Attacks Against US Government Agency}}, date = {2016-06-14}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2016/06/unit42-new-sofacy-attacks-against-us-government-agency/}, language = {English}, urldate = {2019-12-20} } @online{falcone:20160614:new:b51d1ab, author = {Robert Falcone and Bryan Lee}, title = {{New Sofacy Attacks Against US Government Agency}}, date = {2016-06-14}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2016/06/unit42-new-sofacy-attacks-against-us-government-agency/}, language = {English}, urldate = {2020-09-15} } @online{falcone:20160726:attack:2df4ff7, author = {Robert Falcone and Jen Miller-Osborn}, title = {{Attack Delivers ‘9002’ Trojan Through Google Drive}}, date = {2016-07-26}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2016/07/unit-42-attack-delivers-9002-trojan-through-google-drive/}, language = {English}, urldate = {2019-12-20} } @online{falcone:20161017:dealerschoice:14aaca9, author = {Robert Falcone and Bryan Lee}, title = {{‘DealersChoice’ is Sofacy’s Flash Player Exploit Platform}}, date = {2016-10-17}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platform/}, language = {English}, urldate = {2019-12-20} } @online{falcone:20161130:shamoon:6befcf1, author = {Robert Falcone}, title = {{Shamoon 2: Return of the Disttrack Wiper}}, date = {2016-11-30}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/?adbsc=social68389776&adbid=804134348374970368&adbpl=tw&adbpr=4487645412}, language = {English}, urldate = {2019-12-20} } @online{falcone:20161215:let:d1d1011, author = {Robert Falcone and Bryan Lee}, title = {{Let It Ride: The Sofacy Group’s DealersChoice Attacks Continue}}, date = {2016-12-15}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/}, language = {English}, urldate = {2020-01-07} } @online{falcone:20170109:second:2e36550, author = {Robert Falcone}, title = {{Second Wave of Shamoon 2 Attacks Identified}}, date = {2017-01-09}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-second-wave-shamoon-2-attacks-identified/}, language = {English}, urldate = {2020-01-07} } @online{falcone:20170214:xagentosx:33ef060, author = {Robert Falcone}, title = {{XAgentOSX: Sofacy’s XAgent macOS Tool}}, date = {2017-02-14}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xagent-macos-tool/}, language = {English}, urldate = {2019-12-20} } @online{falcone:20170326:shamoon:8a62f1a, author = {Robert Falcone and Bryan Lee}, title = {{Shamoon 2: Delivering Disttrack}}, date = {2017-03-26}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/03/unit42-shamoon-2-delivering-disttrack/}, language = {English}, urldate = {2019-12-20} } @online{falcone:20170427:oilrig:fd3e813, author = {Robert Falcone}, title = {{OilRig Actors Provide a Glimpse into Development and Testing Efforts}}, date = {2017-04-27}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/}, language = {English}, urldate = {2020-01-07} } @online{falcone:20170727:oilrig:36046ef, author = {Robert Falcone and Bryan Lee}, title = {{OilRig Uses ISMDoor Variant; Possibly Linked to Greenbug Threat Group}}, date = {2017-07-27}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/}, language = {English}, urldate = {2019-11-16} } @online{falcone:20170731:twoface:8fe5f2d, author = {Robert Falcone and Bryan Lee}, title = {{TwoFace Webshell: Persistent Access Point for Lateral Movement}}, date = {2017-07-31}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-twoface-webshell-persistent-access-point-lateral-movement/}, language = {English}, urldate = {2020-01-07} } @online{falcone:20170926:striking:45926d9, author = {Robert Falcone and Bryan Lee}, title = {{Striking Oil: A Closer Look at Adversary Infrastructure}}, date = {2017-09-26}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-striking-oil-closer-look-adversary-infrastructure/}, language = {English}, urldate = {2020-01-08} } @online{falcone:20170926:striking:f9aa319, author = {Robert Falcone and Bryan Lee}, title = {{Striking Oil: A Closer Look at Adversary Infrastructure}}, date = {2017-09-26}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/09/unit42-striking-oil-closer-look-adversary-infrastructure/}, language = {English}, urldate = {2019-12-20} } @online{falcone:20171009:oilrig:71ea256, author = {Robert Falcone and Bryan Lee}, title = {{OilRig Group Steps Up Attacks with New Delivery Documents and New Injector Trojan}}, date = {2017-10-09}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-oilrig-group-steps-attacks-new-delivery-documents-new-injector-trojan/}, language = {English}, urldate = {2019-10-14} } @online{falcone:20171108:oilrig:a8a3089, author = {Robert Falcone}, title = {{OilRig Deploys “ALMA Communicator” – DNS Tunneling Trojan}}, date = {2017-11-08}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/11/unit42-oilrig-deploys-alma-communicator-dns-tunneling-trojan/}, language = {English}, urldate = {2019-12-20} } @online{falcone:20171211:oilrig:8d7f26f, author = {Robert Falcone}, title = {{OilRig Performs Tests on the TwoFace Webshell}}, date = {2017-12-11}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-oilrig-performs-tests-twoface-webshell/}, language = {English}, urldate = {2020-01-10} } @online{falcone:20180125:oilrig:80920f0, author = {Robert Falcone}, title = {{OilRig uses RGDoor IIS Backdoor on Targets in the Middle East}}, date = {2018-01-25}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/}, language = {English}, urldate = {2020-01-08} } @online{falcone:20180125:oilrig:ac00139, author = {Robert Falcone}, title = {{OilRig uses RGDoor IIS Backdoor on Targets in the Middle East}}, date = {2018-01-25}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/}, language = {English}, urldate = {2019-12-20} } @online{falcone:20180727:new:90cdd2c, author = {Robert Falcone and Bryan Lee and Tom Lancaster}, title = {{New Threat Actor Group DarkHydrus Targets Middle East Government}}, date = {2018-07-27}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/}, language = {English}, urldate = {2019-12-20} } @online{falcone:20180802:gorgon:06112b1, author = {Robert Falcone and David Fuertes and Josh Grunzweig and Kyle Wilhoit}, title = {{The Gorgon Group: Slithering Between Nation State and Cybercrime}}, date = {2018-08-02}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/}, language = {English}, urldate = {2019-12-20} } @online{falcone:20180802:gorgon:8a338cc, author = {Robert Falcone and David Fuertes and Josh Grunzweig and Kyle Wilhoit}, title = {{The Gorgon Group: Slithering Between Nation State and Cybercrime}}, date = {2018-08-02}, url = {https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/}, language = {English}, urldate = {2019-11-29} } @online{falcone:20180807:darkhydrus:d449ea2, author = {Robert Falcone}, title = {{DarkHydrus Uses Phishery to Harvest Credentials in the Middle East}}, date = {2018-08-07}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-darkhydrus-uses-phishery-harvest-credentials-middle-east/}, language = {English}, urldate = {2020-01-09} } @online{falcone:20181116:analyzing:037fccb, author = {Robert Falcone and Kyle Wilhoit}, title = {{Analyzing OilRig’s Ops Tempo from Testing to Weaponization to Delivery}}, date = {2018-11-16}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-analyzing-oilrigs-ops-tempo-testing-weaponization-delivery/}, language = {English}, urldate = {2020-01-09} } @online{falcone:20181120:sofacy:b1ef88a, author = {Robert Falcone and Bryan Lee}, title = {{Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan}}, date = {2018-11-20}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/11/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/}, language = {English}, urldate = {2019-12-20} } @online{falcone:20181120:sofacy:bb4fd84, author = {Robert Falcone and Bryan Lee}, title = {{Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan}}, date = {2018-11-20}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/}, language = {English}, urldate = {2020-01-08} } @online{falcone:20181213:shamoon:1623fe7, author = {Robert Falcone}, title = {{Shamoon 3 Targets Oil and Gas Organization}}, date = {2018-12-13}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/}, language = {English}, urldate = {2020-01-10} } @online{falcone:20181218:sofacy:3573b82, author = {Robert Falcone}, title = {{Sofacy Creates New ‘Go’ Variant of Zebrocy Tool}}, date = {2018-12-18}, organization = {paloalto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/sofacy-creates-new-go-variant-of-zebrocy-tool/}, language = {English}, urldate = {2020-01-07} } @online{falcone:20190108:darkhydrus:3996fa4, author = {Robert Falcone and Bryan Lee}, title = {{DarkHydrus delivers new Trojan that can use Google Drive for C2 communications}}, date = {2019-01-08}, organization = {paloalto Netoworks: Unit42}, url = {https://unit42.paloaltonetworks.com/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications/}, language = {English}, urldate = {2020-01-07} } @online{falcone:20190304:new:5bf1cea, author = {Robert Falcone and Brittany Ash}, title = {{New Python-Based Payload MechaFlounder Used by Chafer}}, date = {2019-03-04}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/}, language = {English}, urldate = {2019-12-24} } @online{falcone:20190416:dns:fed953e, author = {Robert Falcone}, title = {{DNS Tunneling in the Wild: Overview of OilRig’s DNS Tunneling}}, date = {2019-04-16}, url = {https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/}, language = {English}, urldate = {2019-12-03} } @online{falcone:20190417:aggah:f17c88f, author = {Robert Falcone and Brittany Ash}, title = {{Aggah Campaign: Bit.ly, BlogSpot, and Pastebin Used for C2 in Large Scale Campaign}}, date = {2019-04-17}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/aggah-campaign-bit-ly-blogspot-and-pastebin-used-for-c2-in-large-scale-campaign/}, language = {English}, urldate = {2020-01-07} } @online{falcone:20190528:emissary:dc0f942, author = {Robert Falcone and Tom Lancaster}, title = {{Emissary Panda Attacks Middle East Government Sharepoint Servers}}, date = {2019-05-28}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/}, language = {English}, urldate = {2020-01-09} } @online{falcone:20200303:molerats:990b000, author = {Robert Falcone and Bryan Lee and Alex Hinchliffe}, title = {{Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations}}, date = {2020-03-03}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/}, language = {English}, urldate = {2020-03-03} } @online{falcone:20200722:oilrig:4c26a7f, author = {Robert Falcone}, title = {{OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory}}, date = {2020-07-22}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/}, language = {English}, urldate = {2020-07-23} } @online{falcone:20200904:thanos:b5eb551, author = {Robert Falcone}, title = {{Thanos Ransomware: Destructive Variant Targeting State-Run Organizations in the Middle East and North Africa}}, date = {2020-09-04}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/thanos-ransomware/}, language = {English}, urldate = {2020-09-06} } @techreport{falliere:2009:zeus:73559c2, author = {Nicolas Falliere and Eric Chien}, title = {{Zeus: King of the Bots}}, date = {2009}, institution = {Symantec}, url = {http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/zeus_king_of_bots.pdf}, language = {English}, urldate = {2020-01-07} } @techreport{falliere:201107:sality:85158ba, author = {Nicolas Falliere}, title = {{Sality: Story of a Peerto-Peer Viral Network}}, date = {2011-07}, institution = {Symantec}, url = {https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/sality_peer_to_peer_viral_network.pdf}, language = {English}, urldate = {2019-11-28} } @techreport{falliere:2012:w32qakbot:974b5b5, author = {Nicolas Falliere}, title = {{W32.Qakbot in Detail}}, date = {2012}, institution = {Symantec}, url = {http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf}, language = {English}, urldate = {2019-11-28} } @techreport{faou:201702:read:03c3c9e, author = {Matthieu Faou and Jean-Ian Boutin}, title = {{Read The Manual: A Guide to the RTM Banking Trojan}}, date = {2017-02}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf}, language = {English}, urldate = {2019-11-25} } @online{faou:20180905:powerpool:5cde83e, author = {Matthieu Faou}, title = {{PowerPool malware exploits ALPC LPE zero‑day vulnerability}}, date = {2018-09-05}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/09/05/powerpool-malware-exploits-zero-day-vulnerability/}, language = {English}, urldate = {2019-11-14} } @online{faou:20190507:turla:0300283, author = {Matthieu Faou}, title = {{Turla LightNeuron: An email too far}}, date = {2019-05-07}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/05/07/turla-lightneuron-email-too-far/}, language = {English}, urldate = {2019-11-14} } @online{faou:20190529:dive:3afd32e, author = {Matthieu Faou and Romain Dumont}, title = {{A dive into Turla PowerShell usage}}, date = {2019-05-29}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/}, language = {English}, urldate = {2019-11-14} } @techreport{faou:201905:turla:5a8a05f, author = {Matthieu Faou}, title = {{TURLA LIGHTNEURON: One email away from remote code execution}}, date = {2019-05}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf}, language = {English}, urldate = {2020-01-08} } @techreport{faou:20191017:operation:b695c9b, author = {Matthieu Faou and Mathieu Tartare and Thomas Dupuy}, title = {{OPERATION GHOST The Dukes aren’t back — they never left}}, date = {2019-10-17}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf}, language = {English}, urldate = {2020-05-18} } @online{faou:20200312:tracking:913d16e, author = {Matthieu Faou}, title = {{Tracking Turla: New backdoor delivered via Armenian watering holes}}, date = {2020-03-12}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes/}, language = {English}, urldate = {2020-03-13} } @online{faou:20200526:from:804e2da, author = {Matthieu Faou}, title = {{From Agent.BTZ to ComRAT v4: A ten‑year journey}}, date = {2020-05-26}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/05/26/agentbtz-comratv4-ten-year-journey/}, language = {English}, urldate = {2020-05-27} } @techreport{faou:20200526:from:89e2854, author = {Matthieu Faou}, title = {{From Agent.BTZ to ComRAT v4: A ten‑year journey (White Paper)}}, date = {2020-05-26}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf}, language = {English}, urldate = {2020-05-27} } @online{faou:20200902:kryptocibule:9fb272b, author = {Matthieu Faou and Alexandre Côté Cyr}, title = {{KryptoCibule: The multitasking multicurrency cryptostealer}}, date = {2020-09-02}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/09/02/kryptocibule-multitasking-multicurrency-cryptostealer/}, language = {English}, urldate = {2020-09-03} } @techreport{faou:20200930:xdspy:3189c15, author = {Matthieu Faou and Francis Labelle}, title = {{XDSPY: STEALING GOVERNMENT SECRETS SINCE 2011}}, date = {2020-09-30}, institution = {Virus Bulletin}, url = {https://vblocalhost.com/uploads/VB2020-Faou-Labelle.pdf}, language = {English}, urldate = {2020-10-08} } @online{faou:20201001:xdspy:33a6429, author = {Matthieu Faou}, title = {{XDSpy Indicators of Compromise}}, date = {2020-10-01}, organization = {Github (eset)}, url = {https://github.com/eset/malware-ioc/tree/master/xdspy/}, language = {English}, urldate = {2020-10-08} } @online{faou:20201002:xdspy:c3724c7, author = {Matthieu Faou}, title = {{XDSpy: Stealing government secrets since 2011}}, date = {2020-10-02}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/10/02/xdspy-stealing-government-secrets-since-2011/}, language = {English}, urldate = {2020-10-05} } @online{faouzi:20150929:andromeda:06d70c0, author = {Ayoub Faouzi}, title = {{Andromeda Bot Analysis part 1}}, date = {2015-09-29}, organization = {InfoSec Institute}, url = {http://resources.infosecinstitute.com/andromeda-bot-analysis/}, language = {English}, urldate = {2020-01-13} } @online{faouzi:20150929:andromeda:543098f, author = {Ayoub Faouzi}, title = {{Andromeda Bot Analysis part 2}}, date = {2015-09-29}, organization = {InfoSec Institute}, url = {http://resources.infosecinstitute.com/andromeda-bot-analysis-part-two/}, language = {English}, urldate = {2020-01-07} } @online{faouzi:20151009:beta:fffb6be, author = {Ayoub Faouzi}, title = {{Beta Bot Analysis: Part 1}}, date = {2015-10-09}, organization = {InfoSec Institute}, url = {http://resources.infosecinstitute.com/beta-bot-analysis-part-1/#gref}, language = {English}, urldate = {2020-01-07} } @online{faria:20200701:threat:54ff8db, author = {John Faria}, title = {{Threat Bulletin: Cutting-off the Command-and-Control Infrastructure of CollectorGoomba}}, date = {2020-07-01}, organization = {VMRay}, url = {https://www.vmray.com/cyber-security-blog/cutting-off-command-and-control-infrastructure-collectorgoomba-threat-bulletin}, language = {English}, urldate = {2020-07-02} } @online{faria:20200701:threat:b9163dc, author = {John Faria}, title = {{Threat Bulletin: Cutting-off the Command-and-Control Infrastructure of CollectorGoomba}}, date = {2020-07-01}, organization = {VMRay}, url = {https://www.vmray.com/cyber-security-blog/cutting-off-command-and-control-infrastructure-collectorgoomba-threat-bulletin/}, language = {English}, urldate = {2020-07-02} } @online{farina:20190111:avemaria:a3fd77c, author = {Antonio Farina and Luca Mella and Antonio Pirozzi}, title = {{The “AVE_MARIA” Malware}}, date = {2019-01-11}, organization = {Cybaze-Yorio Z-Lab}, url = {https://blog.yoroi.company/research/the-ave_maria-malware/}, language = {English}, urldate = {2019-11-26} } @techreport{farinholt:20200126:dark:9c2f434, author = {Brown Farinholt and Mohammad Rezaeirad and Damon McCoy and Kirill Levchenko}, title = {{Dark Matter: Uncovering the DarkComet RAT Ecosystem}}, date = {2020-01-26}, institution = {}, url = {https://www.sysnet.ucsd.edu/sysnet/miscpapers/darkmatter-www20.pdf}, language = {English}, urldate = {2020-03-07} } @online{fbi:20181220:chinese:06e7a78, author = {FBI}, title = {{Chinese Hackers Indicted - Members of APT 10 Group Targeted Intellectual Property and Confidential Business Information}}, date = {2018-12-20}, organization = {FBI}, url = {https://www.fbi.gov/news/stories/chinese-hackers-indicted-122018}, language = {English}, urldate = {2019-11-28} } @online{fbi:20200325:fbi:f2ba305, author = {FBI}, title = {{FBI Flash CP-000111-MW: Kwampirs Malware Indicators of Compromise Employed in Ongoing Cyber Supply Chain Campaign Targeting Global Industries}}, date = {2020-03-25}, organization = {FBI}, url = {http://www.documentcloud.org/documents/6821581-FLASH-CP-000111-MW-Downgraded-Version.html}, language = {English}, urldate = {2020-04-07} } @techreport{fbi:20200728:indicators:7dada00, author = {FBI}, title = {{Indicators Associated with Netwalker Ransomware}}, date = {2020-07-28}, institution = {FBI}, url = {https://www.ic3.gov/media/news/2020/200929-2.pdf}, language = {English}, urldate = {2020-10-05} } @techreport{fbi:20200823:ac000129tt:39b2ab4, author = {FBI}, title = {{AC-000129-TT: Chinese Government-Mandated Tax Software Contains Malware, Enabling Backdoor Access}}, date = {2020-08-23}, institution = {FBI}, url = {https://www.ic3.gov/media/news/2020/200728.pdf}, language = {English}, urldate = {2020-08-27} } @techreport{fbi:20200910:fbi:596f87c, author = {FBI and National Cyber Investigative Joint Task Force (NCIJTF)}, title = {{FBI PIN NUMBER 20200910-001: Cyber Actors Conduct CredentialStuffing Attacks Against US Financial Sector}}, date = {2020-09-10}, institution = {FBI}, url = {https://www.ic3.gov/media/news/2020/200929-1.pdf}, language = {English}, urldate = {2020-10-05} } @techreport{fbi:20200916:fbi:76fd945, author = {FBI}, title = {{FBI Flash AC-000133-TT: Indictment of China-Based Cyber Actors Associated with APT 41for Intrusion Activities}}, date = {2020-09-16}, institution = {FBI}, url = {https://assets.documentcloud.org/documents/7210602/FLASH-AC-000133-TT-Published.pdf}, language = {English}, urldate = {2020-09-18} } @techreport{fbi:20200917:fbi:144c69c, author = {FBI}, title = {{FBI FLASH ME-000134-MW: Indicators of Compromise Associated with Rana Intelligence Computing, also known as APT39, Chafer, Cadelspy, Remexi, and ITG07}}, date = {2020-09-17}, institution = {FBI}, url = {https://www.ic3.gov/media/news/2020/200917-2.pdf}, language = {English}, urldate = {2020-09-23} } @techreport{fbi:20200917:fbi:9893ba0, author = {FBI}, title = {{FBI PIN Number 20200917-001: IRGC-Associated Cyber Operations Against US Company Networks}}, date = {2020-09-17}, institution = {FBI}, url = {https://www.ic3.gov/media/news/2020/200917-1.pdf}, language = {English}, urldate = {2020-09-23} } @online{fbi:20200922:alert:61bd784, author = {FBI}, title = {{Alert Number I-092220-PSA: Foreign Actors and Cybercriminals Likely to Spread Disinformation Regarding 2020 Election Results}}, date = {2020-09-22}, organization = {FBI}, url = {https://www.ic3.gov/media/2020/200922.aspx}, language = {English}, urldate = {2020-09-25} } @online{fbi:20200924:alert:7ae81a3, author = {FBI}, title = {{Alert Number I-092420-PSA: Cyber Threats to Voting Processes Could Slow But Not Prevent Voting}}, date = {2020-09-24}, organization = {FBI}, url = {https://www.ic3.gov/media/2020/200924.aspx}, language = {English}, urldate = {2020-09-25} } @online{fbi:20200928:alert:62dc80c, author = {FBI}, title = {{Alert Number I-092820-PSA: False Claims of Hacked Voter Information Likely Intended to Cast Doubt on Legitimacy of U.S. Elections}}, date = {2020-09-28}, organization = {FBI}, url = {https://www.ic3.gov/media/2020/200928.aspx}, language = {English}, urldate = {2020-10-05} } @online{fbi:20200930:alert:cc6c032, author = {FBI}, title = {{Alert Number I-093020-PSA: Distributed Denial of Service Attacks Could Hinder Access to Voting Information, Would Not Prevent Voting}}, date = {2020-09-30}, organization = {FBI}, url = {https://www.ic3.gov/media/2020/200930.aspx}, language = {English}, urldate = {2020-10-05} } @online{fbi:20201001:alert:f641a9f, author = {FBI}, title = {{Alert Number I-100120-PSA: Foreign Actors Likely to Use Online Journals to Spread Disinformation Regarding 2020 Elections}}, date = {2020-10-01}, organization = {FBI}, url = {https://www.ic3.gov/media/2020/201001.aspx}, language = {English}, urldate = {2020-10-05} } @online{fbi:20201002:alert:ad3b2e0, author = {FBI}, title = {{Alert Number I-100220-PSA: Spoofed Internet Domains and Email Accounts Pose Cyber and Disinformation Risks to Voters}}, date = {2020-10-02}, organization = {FBI}, url = {https://www.ic3.gov/media/2020/201002.aspx}, language = {English}, urldate = {2020-10-05} } @online{fbi:20201019:gru:8a34c71, author = {FBI}, title = {{GRU HACKERS' DESTRUCTIVE MALWARE AND INTERNATIONAL CYBER ATTACKS}}, date = {2020-10-19}, organization = {FBI}, url = {https://www.fbi.gov/wanted/cyber/gru-hackers-destructive-malware-and-international-cyber-attacks}, language = {English}, urldate = {2020-10-19} } @online{feeley:20190215:sinful:729f693, author = {Brendon Feeley and Bex Hartley}, title = {{“Sin”-ful SPIDERS: WIZARD SPIDER and LUNAR SPIDER Sharing the Same Web}}, date = {2019-02-15}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/}, language = {English}, urldate = {2019-12-20} } @online{feeley:20190306:pinchy:f5060bd, author = {Brendon Feeley and Bex Hartley and Sergei Frankoff}, title = {{PINCHY SPIDER Affiliates Adopt “Big Game Hunting” Tactics to Distribute GandCrab Ransomware}}, date = {2019-03-06}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/}, language = {English}, urldate = {2019-12-20} } @online{feeley:20190320:new:07bf05b, author = {Brendon Feeley and Brett Stone-Gross}, title = {{New Evidence Proves Ongoing WIZARD SPIDER / LUNAR SPIDER Collaboration}}, date = {2019-03-20}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/wizard-spider-lunar-spider-shared-proxy-module/}, language = {English}, urldate = {2019-12-20} } @online{fernandez:20190823:ransomware:dffa5db, author = {Manny Fernandez and David E. Sanger and Marina Trahan Martinez}, title = {{Ransomware Attacks Are Testing Resolve of Cities Across America}}, date = {2019-08-23}, organization = {The New York Times}, url = {https://www.nytimes.com/2019/08/22/us/ransomware-attacks-hacking.html}, language = {English}, urldate = {2020-01-13} } @online{fernndez:20201013:tracing:14bb6fa, author = {Gerardo Fernández and Vicente Diaz}, title = {{Tracing fresh Ryuk campaigns itw}}, date = {2020-10-13}, organization = {VirusTotal}, url = {https://blog.virustotal.com/2020/10/tracing-fresh-ryuk-campaigns-itw.html}, language = {English}, urldate = {2020-10-23} } @online{ferrell:20200618:hiding:c2db03f, author = {John Ferrell}, title = {{Hiding In Plain Sight}}, date = {2020-06-18}, organization = {Medium Huntress Labs}, url = {https://blog.huntresslabs.com/hiding-in-plain-sight-556469e0a4e}, language = {English}, urldate = {2020-06-19} } @online{figueroa:20201022:inside:228798e, author = {Marco Figueroa}, title = {{An Inside Look at How Ryuk Evolved Its Encryption and Evasion Techniques}}, date = {2020-10-22}, organization = {Sentinel LABS}, url = {https://labs.sentinelone.com/an-inside-look-at-how-ryuk-evolved-its-encryption-and-evasion-techniques/}, language = {English}, urldate = {2020-10-26} } @online{finkle:20130219:exclusive:fc04bd6, author = {Jim Finkle and Joseph Menn}, title = {{Exclusive: Apple, Macs hit by hackers who targeted Facebook}}, date = {2013-02-19}, organization = {Reuters}, url = {https://www.reuters.com/article/us-apple-hackers/exclusive-apple-macs-hit-by-hackers-who-targeted-facebook-idUSBRE91I10920130219}, language = {English}, urldate = {2020-01-09} } @online{finkle:20170105:taiwan:1c7585c, author = {Jim Finkle and J.R. Wu}, title = {{Taiwan ATM heist linked to European hacking spree: security firm}}, date = {2017-01-05}, organization = {Reuters}, url = {https://www.reuters.com/article/us-taiwan-cyber-atms/taiwan-atm-heist-linked-to-european-hacking-spree-security-firm-idUSKBN14P0CX}, language = {English}, urldate = {2020-01-07} } @techreport{fireeye:20130219:apt1:8d8a51a, author = {FireEye}, title = {{APT1: Exposing One of China’s Cyber Espionage Units}}, date = {2013-02-19}, institution = {FireEye}, url = {https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf}, language = {English}, urldate = {2020-01-06} } @techreport{fireeye:2014:apt28:27799d1, author = {FireEye}, title = {{APT28}}, date = {2014}, institution = {FireEye}, url = {http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf}, language = {English}, urldate = {2020-01-08} } @techreport{fireeye:2014:apt28:277f9ab, author = {FireEye}, title = {{APT28: A Windows into Russia's Cyber Espionage Operations?}}, date = {2014}, institution = {FireEye}, url = {https://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf}, language = {English}, urldate = {2019-12-04} } @techreport{fireeye:2014:operation:2160679, author = {FireEye}, title = {{Operation Quantum Entanglement}}, date = {2014}, institution = {FireEye}, url = {http://csecybsec.com/download/zlab/20180713_CSE_APT28_X-Agent_Op-Roman%20Holiday-Report_v6_1.pdf}, language = {English}, urldate = {2020-01-12} } @techreport{fireeye:201504:apt30:0129bf7, author = {FireEye}, title = {{APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION}}, date = {2015-04}, institution = {FireEye}, url = {https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf}, language = {English}, urldate = {2020-01-07} } @techreport{fireeye:201505:hiding:8695fc2, author = {FireEye}, title = {{HIDING IN PLAIN SIGHT: FIREEYE AND MICROSOFT EXPOSE OBFUSCATION TACTIC}}, date = {2015-05}, institution = {FireEye}, url = {https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf}, language = {English}, urldate = {2019-12-19} } @techreport{fireeye:20150908:two:c836c9a, author = {FireEye}, title = {{Two for One: Microsoft Office Encapsulated PostScriptand Windows Privilege Escalation Zero-Days}}, date = {2015-09-08}, institution = {FireEye}, url = {https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/twoforonefinal.pdf}, language = {English}, urldate = {2020-01-20} } @techreport{fireeye:201511:pinpointing:03765ec, author = {FireEye}, title = {{PINPOINTING TARGETS: Exploiting Web Analytics to Ensnare Victims}}, date = {2015-11}, institution = {FireEye}, url = {https://www2.fireeye.com/rs/848-DID-242/images/rpt-witchcoven.pdf}, language = {English}, urldate = {2020-01-08} } @techreport{fireeye:20160308:southeast:cc3c8de, author = {FireEye}, title = {{SOUTHEAST ASIA: AN EVOLVING CYBER THREAT LANDSCAPE}}, date = {2016-03-08}, institution = {FireEye}, url = {https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-southeast-asia-threat-landscape.pdf}, language = {English}, urldate = {2020-01-06} } @techreport{fireeye:20160426:apt31:ecc41bd, author = {FireEye}, title = {{APT31 Threat Group Profile}}, date = {2016-04-26}, institution = {FireEye}, url = {https://github.com/GuardaCyber/APT-Groups-and-Operations/blob/master/Reports/FireEye%20Intel%20-%20APT31%20Threat%20Group%20Profile.pdf}, language = {English}, urldate = {2019-10-13} } @techreport{fireeye:201604:follow:5df2e81, author = {FireEye}, title = {{Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6}}, date = {2016-04}, institution = {FireEye}, url = {https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf}, language = {English}, urldate = {2020-04-23} } @online{fireeye:20160608:spear:0d7a2c9, author = {FireEye}, title = {{Spear Phishing Attacks: Why They are Successful and How to Stop Them}}, date = {2016-06-08}, organization = {FireEye}, url = {https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html}, language = {English}, urldate = {2020-01-09} } @online{fireeye:20170314:mtrend:0ea7d30, author = {FireEye}, title = {{M-Trend 2017: A View From the Front Lines}}, date = {2017-03-14}, organization = {FireEye}, url = {https://content.fireeye.com/m-trends/rpt-m-trends-2017}, language = {English}, urldate = {2020-06-03} } @techreport{fireeye:20170616:fin10:aa62677, author = {FireEye}, title = {{FIN10: Anatomy of a Cyber Extortion Operation}}, date = {2017-06-16}, institution = {FireEye}, url = {https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin10.pdf}, language = {English}, urldate = {2020-01-08} } @online{fireeye:20171201:advanced:da42c60, author = {FireEye}, title = {{Advanced Persistent Threat Groups}}, date = {2017-12-01}, organization = {FireEye}, url = {https://www.fireeye.com/current-threats/apt-groups.html}, language = {English}, urldate = {2020-01-07} } @online{fireeye:20180203:attacks:c65eb33, author = {FireEye}, title = {{Attacks Leveraging Adobe Zero-Day (CVE-2018-4878) – Threat Attribution, Attack Scenario and Recommendations}}, date = {2018-02-03}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2018/02/attacks-leveraging-adobe-zero-day.html}, language = {English}, urldate = {2020-04-06} } @online{fireeye:20180220:apt37:2ca8466, author = {FireEye}, title = {{APT37 (Reaper): The Overlooked North Korean Actor}}, date = {2018-02-20}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2018/02/apt37-overlooked-north-korean-actor.html}, language = {English}, urldate = {2019-12-20} } @techreport{fireeye:20180220:apt37:bc54ada, author = {FireEye}, title = {{APT37 (REAPER) The Overlooked North Korean Actor}}, date = {2018-02-20}, institution = {FireEye}, url = {https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf}, language = {English}, urldate = {2019-12-20} } @online{fireeye:20180316:suspected:2a77316, author = {FireEye}, title = {{Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries}}, date = {2018-03-16}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html}, language = {English}, urldate = {2019-12-20} } @online{fireeye:2018:apt38:20161b7, author = {FireEye}, title = {{APT38}}, date = {2018}, organization = {FireEye}, url = {https://content.fireeye.com/apt/rpt-apt38}, language = {English}, urldate = {2020-01-13} } @techreport{fireeye:2018:apt38:c81b87d, author = {FireEye}, title = {{APT38}}, date = {2018}, institution = {FireEye}, url = {https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/pf/apt/rpt-apt38-2018.pdf}, language = {English}, urldate = {2020-01-07} } @techreport{fireeye:2018:forrester:ae307d3, author = {FireEye}, title = {{The Forrester New Wave™: External Threat Intelligence Services, Q3 2018.}}, date = {2018}, institution = {FireEye}, url = {http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf}, language = {English}, urldate = {2020-01-08} } @techreport{fireeye:2018:mtrends2018:f07ca60, author = {FireEye}, title = {{M-TRENDS2018}}, date = {2018}, institution = {FireEye}, url = {https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf}, language = {English}, urldate = {2020-01-08} } @online{fireeye:20190411:mtrend:597b240, author = {FireEye}, title = {{M-Trend 2019}}, date = {2019-04-11}, organization = {FireEye}, url = {https://content.fireeye.com/m-trends/rpt-m-trends-2019}, language = {English}, urldate = {2020-01-10} } @online{fireeye:20190809:double:40f736e, author = {FireEye}, title = {{Double Dragon APT41, a dual espionage and cyber crime operation}}, date = {2019-08-09}, organization = {FireEye}, url = {https://content.fireeye.com/apt-41/rpt-apt41/}, language = {English}, urldate = {2019-12-18} } @online{fireeye:20190904:apt41:43d6dab, author = {FireEye}, title = {{APT41: Double Dragon APT41, a dual espionage and cyber crime operation}}, date = {2019-09-04}, organization = {FireEye}, url = {https://content.fireeye.com/apt-41/rpt-apt41}, language = {English}, urldate = {2020-01-13} } @online{fireeye:20190904:apt41:b5d6780, author = {FireEye}, title = {{APT41: Double Dragon APT41, a dual espionage and cyber crime operation}}, date = {2019-09-04}, organization = {FireEye}, url = {https://content.fireeye.com/api/pdfproxy?id=86840}, language = {English}, urldate = {2020-01-13} } @online{fireeye:20200117:state:c000016, author = {FireEye}, title = {{State of the Hack: Spotlight Iran - from Cain & Abel to full SANDSPY}}, date = {2020-01-17}, organization = {FireEye}, url = {https://youtu.be/pBDu8EGWRC4?t=2492}, language = {English}, urldate = {2020-09-18} } @online{fireeye:20200219:mtrends:193613a, author = {FireEye}, title = {{M-Trends 2020}}, date = {2020-02-19}, organization = {FireEye}, url = {https://content.fireeye.com/m-trends/rpt-m-trends-2020}, language = {English}, urldate = {2020-02-20} } @online{firsh:20180503:whos:19ffd6f, author = {Alexey Firsh}, title = {{Who’s who in the Zoo}}, date = {2018-05-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/whos-who-in-the-zoo/85394/}, language = {English}, urldate = {2020-05-18} } @online{firsh:20180503:whos:79a3074, author = {Alexey Firsh}, title = {{Who’s who in the Zoo}}, date = {2018-05-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/whos-who-in-the-zoo/85394}, language = {English}, urldate = {2019-12-20} } @techreport{firsh:20180503:whos:b1957dc, author = {Alexey Firsh}, title = {{WHO’S WHO IN THEZOO. CYBERESPIONAGE OPERATION TARGETS ANDROID USERS IN THE MIDDLE EAST.}}, date = {2018-05-03}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/03114450/ZooPark_for_public_final_edit.pdf}, language = {English}, urldate = {2020-01-09} } @online{firsh:20180829:busygasper:bf544dd, author = {Alexey Firsh}, title = {{BusyGasper – the unfriendly spy}}, date = {2018-08-29}, organization = {Kaspersky Labs}, url = {https://securelist.com/busygasper-the-unfriendly-spy/87627/}, language = {English}, urldate = {2019-12-20} } @online{firsh:20200326:ios:9898c0f, author = {Alexey Firsh and Kurt Baumgartner and Brian Bartholomew}, title = {{iOS exploit chain deploys LightSpy feature-rich malware}}, date = {2020-03-26}, organization = {Kaspersky Labs}, url = {https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/}, language = {English}, urldate = {2020-03-27} } @online{firsh:20200428:hiding:97cbb7b, author = {Alexey Firsh and Lev Pikman}, title = {{Hiding in plain sight: PhantomLance walks into a market}}, date = {2020-04-28}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-phantomlance/96772/}, language = {English}, urldate = {2020-05-05} } @online{fishbein:20200728:watch:cf3e499, author = {Nicole Fishbein and Michael Kajiloti}, title = {{Watch Your Containers: Doki Infecting Docker Servers in the Cloud}}, date = {2020-07-28}, organization = {Intezer}, url = {https://www.intezer.com/container-security/watch-your-containers-doki-infecting-docker-servers-in-the-cloud/}, language = {English}, urldate = {2020-07-30} } @online{fishbein:20200908:attackers:46e4aab, author = {Nicole Fishbein}, title = {{Attackers Abusing Legitimate Cloud Monitoring Tools to Conduct Cyber Attacks}}, date = {2020-09-08}, organization = {Intezer}, url = {https://www.intezer.com/blog/cloud-workload-protection/attackers-abusing-legitimate-cloud-monitoring-tools-to-conduct-cyber-attacks/}, language = {English}, urldate = {2020-09-15} } @online{fishbein:20201001:storm:5dbbfae, author = {Nicole Fishbein and Avigayil Mechtinger}, title = {{A Storm is Brewing: IPStorm Now Has Linux Malware}}, date = {2020-10-01}, organization = {Intezer}, url = {https://www.intezer.com/blog/research/a-storm-is-brewing-ipstorm-now-has-linux-malware/}, language = {English}, urldate = {2020-10-05} } @online{fisher:20130320:researchers:dcff6dc, author = {Dennis Fisher}, title = {{Researchers Uncover ‘TeamSpy’ Attack Campaign Against Government, Research Targets}}, date = {2013-03-20}, url = {https://threatpost.com/researchers-uncover-teamspy-attack-campaign-targeting-government-research-targets-032013/77646/}, language = {English}, urldate = {2019-11-20} } @online{fisher:20190212:groups:6605dcc, author = {Dennis Fisher}, title = {{APT Groups Moving Down the Supply Chain}}, date = {2019-02-12}, organization = {Duo}, url = {https://duo.com/decipher/apt-groups-moving-down-the-supply-chain}, language = {English}, urldate = {2019-11-26} } @online{fisher:20201016:trickbot:be18c46, author = {Dennis Fisher}, title = {{Trickbot Up to Its Old Tricks}}, date = {2020-10-16}, organization = {Duo}, url = {https://duo.com/decipher/trickbot-up-to-its-old-tricks}, language = {English}, urldate = {2020-10-23} } @techreport{fitzgibbon:20090401:confickerc:bb043d2, author = {Niall Fitzgibbon and Mike Wood}, title = {{Conficker.C A Technical Analysis}}, date = {2009-04-01}, institution = {Sophos Labs}, url = {https://www.sophos.com/fr-fr/medialibrary/PDFs/marketing%20material/confickeranalysis.pdf}, language = {English}, urldate = {2019-12-17} } @online{flade:20200505:brenjagd:96d209e, author = {Florian Flade and Georg Mascolo}, title = {{Bärenjagd}}, date = {2020-05-05}, url = {https://www.sueddeutsche.de/politik/hack-bundestag-angriff-russland-1.4891668}, language = {English}, urldate = {2020-05-05} } @online{flashpoint:20151207:flashpoint:3f5aee6, author = {Flashpoint and Talos}, title = {{Flashpoint and Talos Analyze the Curious Case of the flokibot Connector}}, date = {2015-12-07}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/flokibot-curious-case-brazilian-connector/}, language = {English}, urldate = {2019-11-20} } @online{flashpoint:20161003:multipurpose:436518b, author = {Flashpoint}, title = {{Multi-Purpose “Floki Bot” Emerges as New Malware Kit}}, date = {2016-10-03}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/cybercrime/floki-bot-emerges-new-malware-kit/}, language = {English}, urldate = {2020-01-07} } @online{flashpoint:20170126:dridex:2ca4920, author = {Flashpoint}, title = {{Dridex Banking Trojan Returns, Leverages New UAC Bypass Method}}, date = {2017-01-26}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog-dridex-banking-trojan-returns/}, language = {English}, urldate = {2020-01-08} } @online{flashpoint:20170525:linguistic:70ffc44, author = {Flashpoint}, title = {{Linguistic Analysis of WannaCry Ransomware Messages Suggests Chinese-Speaking Authors}}, date = {2017-05-25}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/linguistic-analysis-wannacry-ransomware/}, language = {English}, urldate = {2019-12-10} } @online{flashpoint:20170727:new:bb5c883, author = {Flashpoint}, title = {{New Version of “Trickbot” Adds Worm Propagation Module}}, date = {2017-07-27}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/new-version-trickbot-adds-worm-propagation-module/}, language = {English}, urldate = {2020-01-13} } @online{flashpoint:20170825:wirex:2f29c36, author = {Flashpoint}, title = {{The WireX Botnet: How Industry Collaboration Disrupted a DDoS Attack}}, date = {2017-08-25}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/wirex-botnet-industry-collaboration/}, language = {English}, urldate = {2020-01-08} } @online{flashpoint:20180510:treasurehunter:d6e33c1, author = {Flashpoint}, title = {{TreasureHunter Point-of-Sale Malware and Builder Source Code Leaked}}, date = {2018-05-10}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/treasurehunter-source-code-leaked/}, language = {English}, urldate = {2020-01-08} } @techreport{flashpoint:202007:zeppelin:8c54ff6, author = {Flashpoint}, title = {{Zeppelin Ransomware Analysis}}, date = {2020-07}, institution = {Flashpoint}, url = {https://storage.pardot.com/272312/124918/Flashpoint_Hunt_Team___Zeppelin_Ransomware_Analysis.pdf}, language = {English}, urldate = {2020-08-14} } @techreport{flores:20120106:official:5984bcc, author = {Rick Flores}, title = {{Official Malware Report: Malware Reverse Engineering}}, date = {2012-01-06}, institution = {Exploit-DB}, url = {https://www.exploit-db.com/docs/english/18387-malware-reverse-engineering-part-1---static-analysis.pdf}, language = {English}, urldate = {2020-01-09} } @online{florio:20070717:trojangpcodere:f491e6b, author = {Elia Florio}, title = {{Trojan.Gpcoder.E}}, date = {2007-07-17}, organization = {Symantec}, url = {https://www.symantec.com/security_response/writeup.jsp?docid=2007-071711-3132-99&tabid=2}, language = {English}, urldate = {2020-01-10} } @online{flossman:20170216:viperrat:85bc048, author = {Michael Flossman}, title = {{ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar}}, date = {2017-02-16}, organization = {Lookout}, url = {https://blog.lookout.com/blog/2017/02/16/viperrat-mobile-apt/}, language = {English}, urldate = {2020-01-13} } @online{flossman:20170831:lookout:4dc3061, author = {Michael Flossman}, title = {{Lookout discovers sophisticated xRAT malware tied to 2014 “Xsser / mRAT” surveillance campaign against Hong Kong protesters}}, date = {2017-08-31}, organization = {Lookout}, url = {https://blog.lookout.com/xrat-mobile-threat}, language = {English}, urldate = {2020-01-09} } @online{flossman:20171020:jaderat:88e09f8, author = {Michael Flossman}, title = {{JadeRAT mobile surveillanceware spikes in espionage activity}}, date = {2017-10-20}, organization = {Lookout}, url = {http://paper.seebug.org/345/}, language = {English}, urldate = {2019-12-19} } @online{flossman:20171020:jaderat:946d7ac, author = {Michael Flossman}, title = {{JadeRAT mobile surveillanceware spikes in espionage activity}}, date = {2017-10-20}, organization = {Lookout}, url = {https://blog.lookout.com/mobile-threat-jaderat}, language = {English}, urldate = {2020-01-08} } @online{flossman:20171116:tropic:4cd1fde, author = {Michael Flossman}, title = {{Tropic Trooper goes mobile with Titan surveillanceware}}, date = {2017-11-16}, organization = {Lookout}, url = {https://blog.lookout.com/titan-mobile-threat}, language = {English}, urldate = {2020-01-06} } @online{fois:20190111:threat:5be977b, author = {Quentin Fois}, title = {{Threat Actor “Cold River”: Network Traffic Analysis and a Deep Dive on Agent Drable}}, date = {2019-01-11}, organization = {Lastline}, url = {https://www.lastline.com/labsblog/threat-actor-cold-river-network-traffic-analysis-and-a-deep-dive-on-agent-drable/}, language = {English}, urldate = {2020-01-09} } @online{fokker:20181030:fallout:fa86aca, author = {John Fokker and Marc Rivero López}, title = {{Fallout Exploit Kit Releases the Kraken Ransomware on Its Victims}}, date = {2018-10-30}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/mcafee-labs/fallout-exploit-kit-releases-the-kraken-ransomware-on-its-victims/}, language = {English}, urldate = {2019-12-17} } @online{fokker:20190109:ryuk:350f477, author = {John Fokker and Christiaan Beek}, title = {{Ryuk Ransomware Attack: Rush to Attribution Misses the Point}}, date = {2019-01-09}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/}, language = {English}, urldate = {2020-01-09} } @techreport{fontarensky:20140711:eye:2641a17, author = {Ivan Fontarensky and Fabien Perigaud and Ronan Mouchoux and Cedric Pernet and David Bizeul}, title = {{The Eye of the Tiger}}, date = {2014-07-11}, institution = {Airbus Defence & Space}, url = {https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/2014.07.11.Pitty_Tiger/Pitty_Tiger_Final_Report.pdf}, language = {English}, urldate = {2020-01-13} } @techreport{fontarensky:2014:eye:a4c3c1b, author = {Ivan Fontarensky and Fabien Perigaud and Ronan Mouchoux and Cedric Pernet and David Bizeul}, title = {{The Eye of the Tiger}}, date = {2014}, institution = {Airbus Defence & Space}, url = {https://bitbucket.org/cybertools/whitepapers/downloads/Pitty%20Tiger%20Final%20Report.pdf}, language = {English}, urldate = {2020-01-08} } @online{fortiguard:20190228:empiremonkey:9163175, author = {FortiGuard}, title = {{EmpireMonkey malware distribution}}, date = {2019-02-28}, organization = {Fortiguard}, url = {https://fortiguard.com/encyclopedia/botnet/7630456}, language = {English}, urldate = {2020-03-22} } @online{fortiguard:20190510:activity:4b58c05, author = {FortiGuard}, title = {{Activity Summary - Week Ending May 10, 2019}}, date = {2019-05-10}, organization = {Fortiguard}, url = {https://fortiguard.com/resources/threat-brief/2019/05/10/fortiguard-threat-intelligence-brief-may-10-2019}, language = {English}, urldate = {2019-11-28} } @online{foundation:20190516:goznym:37cf686, author = {The Shadowserver Foundation}, title = {{Goznym Indictments – action following on from successful Avalanche Operations}}, date = {2019-05-16}, organization = {The Shadowserver Foundation}, url = {https://www.shadowserver.org/news/goznym-indictments-action-following-on-from-successful-avalanche-operations/}, language = {English}, urldate = {2020-01-10} } @online{foundation:20200315:has:80a92d5, author = {Shadowserver Foundation}, title = {{Has The Sun Set On The Necurs Botnet?}}, date = {2020-03-15}, organization = {The Shadowserver Foundation}, url = {https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/}, language = {English}, urldate = {2020-03-17} } @online{fr3dhk:20200610:masslogger:c1f2c2f, author = {FR3D.HK}, title = {{MassLogger - Frankenstein's Creation}}, date = {2020-06-10}, organization = {FR3D.HK}, url = {https://fr3d.hk/blog/masslogger-frankenstein-s-creation}, language = {English}, urldate = {2020-06-18} } @online{fr3dhk:20201006:ixware:9d39aa5, author = {FR3D.HK}, title = {{IXWare - Kids will be skids}}, date = {2020-10-06}, organization = {FR3D.HK}, url = {https://fr3d.hk/blog/ixware-kids-will-be-skids}, language = {English}, urldate = {2020-10-19} } @online{franceschibicchierai:20150218:meet:2f64fcb, author = {Lorenzo Franceschi-Bicchierai}, title = {{Meet Babar, a New Malware Almost Certainly Created by France}}, date = {2015-02-18}, organization = {Vice Motherboard}, url = {https://motherboard.vice.com/read/meet-babar-a-new-malware-almost-certainly-created-by-france}, language = {English}, urldate = {2020-01-10} } @online{franceschibicchierai:20150705:spy:30cea5b, author = {Lorenzo Franceschi-Bicchierai}, title = {{Spy Tech Company 'Hacking Team' Gets Hacked}}, date = {2015-07-05}, organization = {Vice}, url = {https://www.vice.com/en_us/article/gvye3m/spy-tech-company-hacking-team-gets-hacked}, language = {English}, urldate = {2019-10-14} } @online{franceschibicchierai:20170921:this:b59488a, author = {Lorenzo Franceschi-Bicchierai}, title = {{This Ransomware Demands Nudes Instead of Bitcoin}}, date = {2017-09-21}, organization = {Vice}, url = {https://motherboard.vice.com/en_us/article/yw3w47/this-ransomware-demands-nudes-instead-of-bitcoin}, language = {English}, urldate = {2019-10-29} } @online{franceschibicchierai:20190329:researchers:5987d8a, author = {Lorenzo Franceschi-Bicchierai and Riccardo Coluccini}, title = {{Researchers Find Google Play Store Apps Were Actually Government Malware}}, date = {2019-03-29}, organization = {Vice Motherboard}, url = {https://motherboard.vice.com/en_us/article/43z93g/hackers-hid-android-malware-in-google-play-store-exodus-esurv}, language = {English}, urldate = {2020-01-06} } @online{franceschibicchierai:20190401:prosecutors:7880fc0, author = {Lorenzo Franceschi-Bicchierai}, title = {{Prosecutors Launch Investigation Into Company That Put Malware on Google Play Store}}, date = {2019-04-01}, organization = {Vice Motherboard}, url = {https://motherboard.vice.com/en_us/article/eveeq4/prosecutors-investigation-esurv-exodus-malware-on-google-play-store}, language = {English}, urldate = {2020-01-08} } @online{franceschibicchierai:20200721:worlds:666e813, author = {Lorenzo Franceschi-Bicchierai}, title = {{'World's Most Wanted Man' Involved in Bizarre Attempt to Buy Hacking Tools}}, date = {2020-07-21}, organization = {Vice}, url = {https://www.vice.com/en_us/article/jgxvdx/jan-marsalek-wirecard-bizarre-attempt-to-buy-hacking-team-spyware}, language = {English}, urldate = {2020-07-30} } @online{frank:20200430:eventbot:f5a167d, author = {Daniel Frank and Lior Rochberger and Yaron Rimmer and Assaf Dahan}, title = {{EVENTBOT: A NEW MOBILE BANKING TROJAN IS BORN}}, date = {2020-04-30}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born}, language = {English}, urldate = {2020-05-04} } @online{frank:20200716:bazar:3ed900d, author = {Daniel Frank and Mary Zhao and Assaf Dahan}, title = {{A Bazar of Tricks: Following Team9’s Development Cycles}}, date = {2020-07-16}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles}, language = {English}, urldate = {2020-07-16} } @online{frankoff:20141204:inside:80c0fea, author = {Sergei Frankoff}, title = {{Inside The New Asprox/Kuluoz (October 2013 - January 2014)}}, date = {2014-12-04}, url = {http://oalabs.openanalysis.net/2014/12/04/inside-the-new-asprox-kuluoz-october-2013-january-2014/}, language = {English}, urldate = {2020-01-08} } @online{frankoff:20180111:unpacking:bd095df, author = {Sergei Frankoff}, title = {{Unpacking Pykspa Malware With Python and IDA Pro - Subscriber Request Part 1}}, date = {2018-01-11}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=HfSQlC76_s4}, language = {English}, urldate = {2019-11-29} } @online{frankoff:20180304:unpacking:4d7dc7c, author = {Sergei Frankoff}, title = {{Unpacking Gootkit Malware With IDA Pro and X64dbg - Subscriber Request}}, date = {2018-03-04}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=242Tn0IL2jE}, language = {English}, urldate = {2020-01-08} } @online{frankoff:20180312:python:eb6b9f5, author = {Sergei Frankoff}, title = {{Python decryptor for newer AdWind config file}}, date = {2018-03-12}, organization = {Github (herrcore)}, url = {https://gist.github.com/herrcore/8336975475e88f9bc539d94000412885}, language = {English}, urldate = {2020-01-09} } @online{frankoff:20180520:unpacking:7db8c96, author = {Sergei Frankoff}, title = {{Unpacking Gootkit Part 2 - Debugging Anti-Analysis Tricks With IDA Pro and x64dbg}}, date = {2018-05-20}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=QgUlPvEE4aw}, language = {English}, urldate = {2020-01-08} } @online{frankoff:20181026:unpacking:b6155cc, author = {Sergei Frankoff}, title = {{Unpacking Bokbot / IcedID Malware - Part 1}}, date = {2018-10-26}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=wObF9n2UIAM}, language = {English}, urldate = {2020-01-08} } @online{frankoff:20181114:big:723025d, author = {Sergei Frankoff and Bex Hartley}, title = {{Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware}}, date = {2018-11-14}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/}, language = {English}, urldate = {2019-12-20} } @online{frankoff:20190822:remcos:b86c5bd, author = {Sergei Frankoff}, title = {{Remcos RAT Unpacked From VB6 With x64dbg Debugger}}, date = {2019-08-22}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=DIH4SvKuktM}, language = {English}, urldate = {2020-01-10} } @online{frankoff:20200126:ida:a8194b4, author = {Sergei Frankoff and Sean Wilson}, title = {{IDA Pro Automated String Decryption For REvil Ransomware}}, date = {2020-01-26}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=l2P5CMH9TE0}, language = {English}, urldate = {2020-01-27} } @online{frankoff:20200530:irc:a711f6e, author = {Sergei Frankoff}, title = {{IRC Botnet Reverse Engineering Part 1 - Preparing Binary for Analysis in IDA PRO}}, date = {2020-05-30}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=JPvcLLYR0tE}, language = {English}, urldate = {2020-06-05} } @online{frankoff:20200713:how:fd519be, author = {Sergei Frankoff and OALabs}, title = {{How To Sinkhole A Botnet}}, date = {2020-07-13}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=FAFuSO9oAl0}, language = {English}, urldate = {2020-07-16} } @online{frankowicz:20160512:latentbot:9506f35, author = {Kamil Frankowicz}, title = {{LatentBot – modularny i silnie zaciemniony bot}}, date = {2016-05-12}, organization = {CERT.PL}, url = {https://www.cert.pl/news/single/latentbot-modularny-i-silnie-zaciemniony-bot/}, language = {Polish}, urldate = {2019-12-18} } @online{frankowicz:20160810:cryptxxx:1ee108b, author = {Kamil Frankowicz}, title = {{CryptXXX \ CrypMIC – intensywnie dystrybuowany ransomware w ramach exploit-kitów}}, date = {2016-08-10}, organization = {CERT.PL}, url = {https://www.cert.pl/news/single/cryptxxx-crypmic-ransomware-dystrybuowany-ramach-exploit-kitow/}, language = {Polish}, urldate = {2019-10-14} } @online{fraser:20190807:apt41:ce48314, author = {Nalani Fraser and Fred Plan and Jacqueline O’Leary and Vincent Cannon and Raymond Leong and Dan Perez and Chi-en Shen}, title = {{APT41: A Dual Espionage and Cyber Crime Operation}}, date = {2019-08-07}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html}, language = {English}, urldate = {2019-12-20} } @online{french:20191204:ransomware:92a6fae, author = {David French}, title = {{Ransomware, interrupted: Sodinokibi and the supply chain}}, date = {2019-12-04}, organization = {Elastic}, url = {https://www.elastic.co/blog/ransomware-interrupted-sodinokibi-and-the-supply-chain}, language = {English}, urldate = {2020-06-30} } @online{fumik0:20181015:predator:9c3fcd9, author = {fumik0}, title = {{Predator The Thief: In-depth analysis (v2.3.5)}}, date = {2018-10-15}, organization = {fumik0 blog}, url = {https://fumik0.com/2018/10/15/predator-the-thief-in-depth-analysis-v2-3-5/}, language = {English}, urldate = {2020-01-10} } @online{fumik0:20181224:lets:f7dfc2c, author = {fumik0}, title = {{Let’s dig into Vidar – An Arkei Copycat/Forked Stealer (In-depth analysis)}}, date = {2018-12-24}, organization = {fumik0 blog}, url = {https://fumik0.com/2018/12/24/lets-dig-into-vidar-an-arkei-copycat-forked-stealer-in-depth-analysis/}, language = {English}, urldate = {2020-01-13} } @online{fumik0:2018:entry:62d5ae4, author = {fumik0}, title = {{Entry on Rarog}}, date = {2018}, organization = {fumik0 malware tracker}, url = {https://tracker.fumik0.com/malware/Rarog}, language = {English}, urldate = {2020-01-08} } @online{fumik0:20190503:lets:39770a3, author = {fumik0}, title = {{Let’s nuke Megumin Trojan}}, date = {2019-05-03}, organization = {fumik0 blog}, url = {https://fumik0.com/2019/05/03/lets-nuke-megumin-trojan/}, language = {English}, urldate = {2019-11-28} } @online{fumko:20190325:lets:e773175, author = {fumko}, title = {{Let’s play with Qulab, an exotic malware developed in AutoIT}}, date = {2019-03-25}, url = {https://fumik0.com/2019/03/25/lets-play-with-qulab-an-exotic-malware-developed-in-autoit/}, language = {English}, urldate = {2020-01-05} } @online{fumko:20190524:overview:7963f07, author = {fumko}, title = {{Overview of Proton Bot, another loader in the wild!}}, date = {2019-05-24}, url = {https://fumik0.com/2019/05/24/overview-of-proton-bot-another-loader-in-the-wild/}, language = {English}, urldate = {2019-12-19} } @online{funko:20191225:lets:599836d, author = {funko}, title = {{Let’s play (again) with Predator the thief}}, date = {2019-12-25}, url = {https://fumik0.com/2019/12/25/lets-play-again-with-predator-the-thief/}, language = {English}, urldate = {2020-01-08} } @online{gaffie:20200819:respondermultirelay:191b62a, author = {Laurent Gaffie}, title = {{Responder/MultiRelay}}, date = {2020-08-19}, organization = {Github (lgandx)}, url = {https://github.com/lgandx/Responder}, language = {English}, urldate = {2020-08-24} } @online{gahr:201710:lokibot:45755da, author = {Wesley Gahr and Pham Duy Phuc and Niels Croese}, title = {{LokiBot - The first hybrid Android malware}}, date = {2017-10}, organization = {Threat Fabric}, url = {https://www.threatfabric.com/blogs/lokibot_the_first_hybrid_android_malware.html}, language = {English}, urldate = {2019-12-19} } @techreport{gaiscert:20200527:dridex:90bd3bd, author = {GAIS-CERT}, title = {{Dridex Banking Trojan Technical Analysis Report}}, date = {2020-05-27}, institution = {GAIS-CERT}, url = {https://gaissecurity.com/uploads/csirt/EN-Dridex-banking-trojan.pdf}, language = {English}, urldate = {2020-06-24} } @online{gallagher:20150805:newly:dc763a1, author = {Sean Gallagher}, title = {{Newly discovered Chinese hacking group hacked 100+ websites to use as “watering holes”}}, date = {2015-08-05}, organization = {Ars Technica}, url = {https://arstechnica.com/information-technology/2015/08/newly-discovered-chinese-hacking-group-hacked-100-websites-to-use-as-watering-holes/}, language = {English}, urldate = {2020-01-06} } @online{gallagher:20170421:researchers:f1ea70c, author = {Sean Gallagher}, title = {{Researchers claim China trying to hack South Korea missile defense efforts}}, date = {2017-04-21}, organization = {Ars Technica}, url = {https://arstechnica.com/information-technology/2017/04/researchers-claim-china-trying-to-hack-south-korea-missile-defense-efforts/}, language = {English}, urldate = {2020-01-08} } @online{gallagher:20190508:robbinhood:a7fdd3f, author = {Sean Gallagher}, title = {{“RobbinHood” ransomware takes down Baltimore City government networks}}, date = {2019-05-08}, organization = {Ars Technica}, url = {https://arstechnica.com/information-technology/2019/05/baltimore-city-government-hit-by-robbinhood-ransomware/}, language = {English}, urldate = {2019-12-18} } @online{gallagher:20200727:prolock:4992cfc, author = {Sean Gallagher}, title = {{ProLock ransomware gives you the first 8 kilobytes of decryption for free}}, date = {2020-07-27}, organization = {Sophos Labs}, url = {https://news.sophos.com/en-us/2020/07/27/prolock-ransomware-gives-you-the-first-8-kilobytes-of-decryption-for-free/}, language = {English}, urldate = {2020-07-30} } @online{gallagher:20201014:theyre:99f5d1e, author = {Sean Gallagher}, title = {{They’re back: inside a new Ryuk ransomware attack}}, date = {2020-10-14}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/}, language = {English}, urldate = {2020-10-16} } @online{gallagher:20201021:lockbit:13c4faa, author = {Sean Gallagher}, title = {{LockBit uses automated attack tools to identify tasty targets}}, date = {2020-10-21}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2020/10/21/lockbit-attackers-uses-automated-attack-tools-to-identify-tasty-targets}, language = {English}, urldate = {2020-10-23} } @online{galperin:20140119:vietnamese:6ff15b6, author = {Eva Galperin and Morgan Marquis-Boire}, title = {{Vietnamese Malware Gets Very Personal}}, date = {2014-01-19}, organization = {Electronic Frontier Foundation}, url = {https://www.eff.org/deeplinks/2014/01/vietnamese-malware-gets-personal}, language = {English}, urldate = {2020-01-13} } @techreport{galperin:201608:operation:38ba7ff, author = {Eva Galperin and Cooper Quintin and Morgan Marquis-Boire and Claudio Guarnieri}, title = {{Operation Manul}}, date = {2016-08}, institution = {Electronic Frontier Foundation}, url = {https://www.eff.org/files/2018/01/29/operation-manul.pdf}, language = {English}, urldate = {2020-06-08} } @online{gamblin:20170715:mirai:72ffffb, author = {Jerry Gamblin}, title = {{Mirai BotNet Source Code}}, date = {2017-07-15}, organization = {Github (jgamblin)}, url = {https://github.com/jgamblin/Mirai-Source-Code}, language = {English}, urldate = {2019-12-17} } @online{gandhi:20160810:android:81912fe, author = {Viral Gandhi}, title = {{Android Marcher: Continuously Evolving Mobile Malware}}, date = {2016-08-10}, organization = {Zscaler}, url = {https://www.zscaler.de/blogs/research/android-marcher-continuously-evolving-mobile-malware}, language = {English}, urldate = {2020-01-10} } @online{gandler:20200330:zeus:bef1da7, author = {Amir Gandler and Limor Kessem}, title = {{Zeus Sphinx Trojan Awakens Amidst Coronavirus Spam Frenzy}}, date = {2020-03-30}, organization = {IBM}, url = {https://securityintelligence.com/posts/zeus-sphinx-trojan-awakens-amidst-coronavirus-spam-frenzy/}, language = {English}, urldate = {2020-04-01} } @online{ganti:2004:mydoom:461c630, author = {Srinivas Ganti}, title = {{MyDoom and its backdoor}}, date = {2004}, organization = {GIAC}, url = {https://www.giac.org/paper/gcih/619/mydoom-backdoor/106503}, language = {English}, urldate = {2019-12-05} } @online{garage4hackers:20140921:reversing:33b3a34, author = {garage4hackers}, title = {{Reversing Tinba: World's smallest trojan-banker DGA Code}}, date = {2014-09-21}, organization = {garage4hackers}, url = {http://garage4hackers.com/entry.php?b=3086}, language = {English}, urldate = {2019-07-11} } @online{gardo:20160323:new:c7c1042, author = {Tomáš Gardoň}, title = {{New self‑protecting USB trojan able to avoid detection}}, date = {2016-03-23}, organization = {ESET Research}, url = {http://www.welivesecurity.com/2016/03/23/new-self-protecting-usb-trojan-able-to-avoid-detection/}, language = {English}, urldate = {2019-12-20} } @online{gardo:20170822:gamescom:764a8eb, author = {Tomáš Gardoň}, title = {{Gamescom 2017: It’s all fun and games until black hats step in}}, date = {2017-08-22}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/08/22/gamescom-2017-fun-blackhats/}, language = {English}, urldate = {2019-11-14} } @online{gastesi:20100907:zeus:330336f, author = {Mikel Gastesi}, title = {{ZeuS: The missing link}}, date = {2010-09-07}, organization = {S21sec}, url = {https://www.s21sec.com/en/zeus-the-missing-link/}, language = {English}, urldate = {2020-01-17} } @online{gatlan:20190517:teamviewer:563f298, author = {Sergiu Gatlan}, title = {{TeamViewer Confirms Undisclosed Breach From 2016}}, date = {2019-05-17}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/teamviewer-confirms-undisclosed-breach-from-2016/}, language = {English}, urldate = {2019-12-20} } @online{gatlan:20191018:maze:fb2c4b6, author = {Sergiu Gatlan}, title = {{Maze Ransomware Now Delivered by Spelevo Exploit Kit}}, date = {2019-10-18}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/maze-ransomware-now-delivered-by-spelevo-exploit-kit/}, language = {English}, urldate = {2019-12-17} } @online{gatlan:20191118:linux:3b44951, author = {Sergiu Gatlan}, title = {{Linux, Windows Users Targeted With New ACBackdoor Malware}}, date = {2019-11-18}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/linux-windows-users-targeted-with-new-acbackdoor-malware/}, language = {English}, urldate = {2020-01-13} } @online{gatlan:20191209:snatch:04dbbf3, author = {Sergiu Gatlan}, title = {{Snatch Ransomware Reboots to Windows Safe Mode to Bypass AV Tools}}, date = {2019-12-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/snatch-ransomware-reboots-to-windows-safe-mode-to-bypass-av-tools/}, language = {English}, urldate = {2020-01-07} } @online{gatlan:20200110:sodinokibi:73cbf66, author = {Sergiu Gatlan}, title = {{Sodinokibi Ransomware Hits New York Airport Systems}}, date = {2020-01-10}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-hits-new-york-airport-systems/}, language = {English}, urldate = {2020-01-20} } @online{gatlan:20200123:sodinokibi:86b1d46, author = {Sergiu Gatlan}, title = {{Sodinokibi Ransomware Threatens to Publish Data of Automotive Group}}, date = {2020-01-23}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-threatens-to-publish-data-of-automotive-group/}, language = {English}, urldate = {2020-01-23} } @online{gatlan:20200207:ta505:7a8e5a2, author = {Sergiu Gatlan}, title = {{TA505 Hackers Behind Maastricht University Ransomware Attack}}, date = {2020-02-07}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ta505-hackers-behind-maastricht-university-ransomware-attack/}, language = {English}, urldate = {2020-02-13} } @online{gatlan:20200330:banking:9d302f2, author = {Sergiu Gatlan}, title = {{Banking Malware Spreading via COVID-19 Relief Payment Phishing}}, date = {2020-03-30}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/banking-malware-spreading-via-covid-19-relief-payment-phishing/}, language = {English}, urldate = {2020-04-01} } @online{gatlan:20200403:microsoft:c12a844, author = {Sergiu Gatlan}, title = {{Microsoft: Emotet Took Down a Network by Overheating All Computers}}, date = {2020-04-03}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/microsoft-emotet-took-down-a-network-by-overheating-all-computers/}, language = {English}, urldate = {2020-04-08} } @online{gatlan:20200414:ragnarlocker:2a77ec4, author = {Sergiu Gatlan}, title = {{RagnarLocker ransomware hits EDP energy giant, asks for €10M}}, date = {2020-04-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ragnarlocker-ransomware-hits-edp-energy-giant-asks-for-10m/}, language = {English}, urldate = {2020-04-16} } @online{gatlan:20200616:chipmaker:0e801b8, author = {Sergiu Gatlan}, title = {{Chipmaker MaxLinear reports data breach after Maze Ransomware attack}}, date = {2020-06-16}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/chipmaker-maxlinear-reports-data-breach-after-maze-ransomware-attack/}, language = {English}, urldate = {2020-06-17} } @online{gatlan:20200626:admin:044ef9a, author = {Sergiu Gatlan}, title = {{Admin of carding portal behind $568M in losses pleads guilty}}, date = {2020-06-26}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/admin-of-carding-portal-behind-568m-in-losses-pleads-guilty/}, language = {English}, urldate = {2020-06-29} } @online{gatlan:20200630:evilquest:b90c9ad, author = {Sergiu Gatlan}, title = {{EvilQuest wiper uses ransomware cover to steal files from Macs}}, date = {2020-06-30}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/evilquest-wiper-uses-ransomware-cover-to-steal-files-from-macs/}, language = {English}, urldate = {2020-07-01} } @online{gatlan:20200724:garmin:05d9247, author = {Sergiu Gatlan}, title = {{Garmin outage caused by confirmed WastedLocker ransomware attack}}, date = {2020-07-24}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/garmin-outage-caused-by-confirmed-wastedlocker-ransomware-attack/}, language = {English}, urldate = {2020-07-30} } @online{gatlan:20200728:emotet:37429c5, author = {Sergiu Gatlan}, title = {{Emotet malware now steals your email attachments to attack contacts}}, date = {2020-07-28}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/emotet-malware-now-steals-your-email-attachments-to-attack-contacts/}, language = {English}, urldate = {2020-07-30} } @online{gavriel:20180103:new:34da39b, author = {Hod Gavriel}, title = {{New LockPoS Malware Injection Technique}}, date = {2018-01-03}, organization = {Cyberbit}, url = {https://www.cyberbit.com/new-lockpos-malware-injection-technique/}, language = {English}, urldate = {2019-11-28} } @online{gavriel:20180411:new:9ed9a94, author = {Hod Gavriel and Boris Erbesfeld}, title = {{New ‘Early Bird’ Code Injection Technique Discovered}}, date = {2018-04-11}, organization = {Cyberbit}, url = {https://www.cyberbit.com/new-early-bird-code-injection-technique-discovered/}, language = {English}, urldate = {2020-08-21} } @online{gavriel:20180806:backswap:f13384a, author = {Hod Gavriel and Boris Erbesfeld}, title = {{BackSwap Banker Malware Hides Inside Replicas of Legitimate Programs}}, date = {2018-08-06}, organization = {Cyberbit}, url = {https://www.cyberbit.com/backswap-banker-malware-hides-inside-replicas-of-legitimate-programs/}, language = {English}, urldate = {2020-08-21} } @online{gavriel:20180814:latest:7df6364, author = {Hod Gavriel}, title = {{Latest Trickbot Variant has New Tricks Up Its Sleeve}}, date = {2018-08-14}, organization = {Cyberbit}, url = {https://www.cyberbit.com/latest-trickbot-variant-has-new-tricks-up-its-sleeve/}, language = {English}, urldate = {2020-08-21} } @online{gavriel:20190130:new:6e4ec87, author = {Hod Gavriel}, title = {{New Ursnif Malware Variant – a Stunning Matryoshka (Матрёшка)}}, date = {2019-01-30}, organization = {Cyberbit}, url = {https://www.cyberbit.com/new-ursnif-malware-variant/}, language = {English}, urldate = {2020-08-21} } @online{gavriel:20190612:formbook:8dc2df9, author = {Hod Gavriel}, title = {{Formbook Research Hints Large Data Theft Attack Brewing}}, date = {2019-06-12}, organization = {Cyberbit}, url = {https://www.cyberbit.com/formbook-research-hints-large-data-theft-attack-brewing/}, language = {English}, urldate = {2020-08-21} } @online{gavriel:20190813:hawkeye:379a3e4, author = {Hod Gavriel}, title = {{HawkEye Malware Changes Keylogging Technique}}, date = {2019-08-13}, organization = {Cyberbit}, url = {https://www.cyberbit.com/hawkeye-malware-keylogging-technique/}, language = {English}, urldate = {2020-08-21} } @online{gavriel:20191121:dtrack:fe6fbbc, author = {Hod Gavriel}, title = {{Dtrack: In-depth analysis of APT on a nuclear power plant}}, date = {2019-11-21}, organization = {Cyberbit}, url = {https://www.cyberbit.com/dtrack-apt-malware-found-in-nuclear-power-plant/}, language = {English}, urldate = {2020-08-21} } @techreport{gazer:201708:gazing:b454362, author = {Gazing at Gazer and Turla’s new second stage backdoor}, title = {{Gazing at Gazer Turla’s new second stage backdoor}}, date = {2017-08}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf}, language = {English}, urldate = {2020-01-08} } @online{gbrindisi:20160323:gozi:aa28233, author = {gbrindisi}, title = {{Gozi ISFB Sourceccode}}, date = {2016-03-23}, organization = {Github (gbrindisi)}, url = {https://github.com/gbrindisi/malware/tree/master/windows/gozi-isfb}, language = {English}, urldate = {2020-01-13} } @online{gdata:20180629:where:6b57825, author = {G-Data}, title = {{Where we go, we don't need files: Analysis of fileless malware "Rozena"}}, date = {2018-06-29}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2018/06/30862-fileless-malware-rozena}, language = {English}, urldate = {2020-01-13} } @online{gdata:20190509:strange:2e58aae, author = {G-Data}, title = {{Strange Bits: HTML Smuggling and GitHub Hosted Malware}}, date = {2019-05-09}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2019/05/31695-strange-bits-smuggling-malware-github}, language = {English}, urldate = {2019-12-10} } @online{ge:20110909:bios:c162598, author = {Livian Ge}, title = {{BIOS Threat is Showing up Again!}}, date = {2011-09-09}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/bios-threat-showing-again}, language = {English}, urldate = {2019-12-10} } @online{geenens:20180201:jenx:8b824f5, author = {Pascal Geenens}, title = {{JenX – Los Calvos de San Calvicie}}, date = {2018-02-01}, organization = {Radware Blog}, url = {https://blog.radware.com/security/2018/02/jenx-los-calvos-de-san-calvicie/}, language = {English}, urldate = {2019-07-10} } @techreport{geffner:20130719:endtoend:0b46196, author = {Jason Geffner}, title = {{End-to-End Analysis of a Domain Generating Algorithm Malware Family}}, date = {2013-07-19}, institution = {BlackHat}, url = {https://media.blackhat.com/us-13/US-13-Geffner-End-To-End-Analysis-of-a-Domain-Generating-Algorithm-Malware-Family-WP.pdf}, language = {English}, urldate = {2020-01-13} } @techreport{gemini:20200707:full:283dfdd, author = {GEMINI}, title = {{Full list of all the 570+ sites that the Keeper gang hacked since April 2017}}, date = {2020-07-07}, institution = {}, url = {https://geminiadvisory.io/wp-content/uploads/2020/07/Appendix-C-1.pdf}, language = {English}, urldate = {2020-07-08} } @online{gemini:20200707:keeper:b2f882b, author = {GEMINI}, title = {{"Keeper" Magecart Group Infects 570 Sites}}, date = {2020-07-07}, url = {https://geminiadvisory.io/keeper-magecart-group-infects-570-sites/}, language = {English}, urldate = {2020-07-08} } @online{generale:20150413:analyzing:2a4956d, author = {CERT Societe Generale}, title = {{Analyzing Gootkit's persistence mechanism (new ASEP inside!)}}, date = {2015-04-13}, organization = {CERT Societe Generale}, url = {http://blog.cert.societegenerale.com/2015/04/analyzing-gootkits-persistence-mechanism.html}, language = {English}, urldate = {2020-01-13} } @online{genheimer:20190728:third:ede6ba2, author = {Marius Genheimer}, title = {{Third time's the charm? Analysing WannaCry samples}}, date = {2019-07-28}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/third-times-the-charm-analysing-wannacry-samples.html}, language = {English}, urldate = {2020-03-27} } @online{genheimer:20190730:picking:cea78ea, author = {Marius Genheimer}, title = {{Picking Locky}}, date = {2019-07-30}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/picking-locky.html}, language = {English}, urldate = {2020-03-27} } @online{genheimer:20190731:tfw:3fa5aba, author = {Marius Genheimer}, title = {{TFW Ransomware is only your side hustle...}}, date = {2019-07-31}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/tfw-ransomware-is-only-your-side-hustle.html}, language = {English}, urldate = {2020-01-10} } @online{genheimer:20190810:germanwipers:96d9745, author = {Marius Genheimer}, title = {{GermanWiper's big Brother? GandGrab's kid ? Sodinokibi!}}, date = {2019-08-10}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/germanwipers-big-brother-gandgrabs-kid-sodinokibi.html}, language = {English}, urldate = {2020-03-27} } @online{genheimer:20190907:malicious:37195ec, author = {Marius Genheimer}, title = {{Malicious RATatouille}}, date = {2019-09-07}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/malicious-ratatouille.html}, language = {English}, urldate = {2020-03-27} } @online{genheimer:20190924:return:f85ef19, author = {Marius Genheimer}, title = {{Return of the Mummy - Welcome back, Emotet}}, date = {2019-09-24}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/return-of-the-mummy-welcome-back-emotet.html}, language = {English}, urldate = {2020-03-27} } @online{genheimer:20191002:nicht:20adbf8, author = {Marius Genheimer}, title = {{Nicht so goot - Breaking down Gootkit and Jasper (+ FTCODE)}}, date = {2019-10-02}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/nicht-so-goot-breaking-down-gootkit-and-jasper-ftcode.html}, language = {English}, urldate = {2020-03-27} } @online{genheimer:20191026:earnquickbtcwithhiddentearmp4:b77f350, author = {Marius Genheimer}, title = {{Earn-quick-BTC-with-Hiddentear.mp4 / About Open Source Ransomware}}, date = {2019-10-26}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/earn-quick-btc-with-hiddentearmp4-about-open-source-ransomware.html}, language = {English}, urldate = {2020-03-27} } @online{genheimer:20191029:osiris:55e249f, author = {Marius Genheimer}, title = {{Osiris, the god of afterlife...and banking malware?!}}, date = {2019-10-29}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/osiris-the-god-of-afterlifeand-banking-malware.html}, language = {English}, urldate = {2020-03-27} } @online{genheimer:20191105:try:3aafee6, author = {Marius Genheimer}, title = {{Try not to stare - MedusaLocker at a glance}}, date = {2019-11-05}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/try-not-to-stare-medusalocker-at-a-glance.html}, language = {English}, urldate = {2020-03-27} } @online{genheimer:20191119:quick:b7c4538, author = {Marius Genheimer}, title = {{Quick and painless - Reversing DeathRansom / "Wacatac"}}, date = {2019-11-19}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/quick-and-painless-reversing-deathransom-wacatac.html}, language = {English}, urldate = {2020-03-27} } @online{genheimer:20191202:god:79aa57d, author = {Marius Genheimer}, title = {{God save the Queen [...] 'cause Ransom is money - SaveTheQueen Encryptor}}, date = {2019-12-02}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/god-save-the-queen-cause-ransom-is-money-savethequeen-encryptor.html}, language = {English}, urldate = {2020-03-27} } @online{genheimer:20191211:projectexe:72f2c37, author = {Marius Genheimer}, title = {{A "Project.exe" that should have stayed in a drawer - MZRevenge / MaMo434376}}, date = {2019-12-11}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/a-projectexe-that-should-have-stayed-in-a-drawer-mzrevenge-mamo434376.html}, language = {English}, urldate = {2020-03-27} } @online{genheimer:20191214:another:7c9c60a, author = {Marius Genheimer}, title = {{Another one for the collection - Mespinoza (Pysa) Ransomware}}, date = {2019-12-14}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/another-one-for-the-collection-mespinoza-pysa-ransomware.html}, language = {English}, urldate = {2020-01-26} } @online{genheimer:20191223:i:516e8d0, author = {Marius Genheimer}, title = {{I literally can't think of a fitting pun - MrDec Ransomware}}, date = {2019-12-23}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/i-literally-cant-think-of-a-fitting-pun-mrdec-ransomware.html}, language = {English}, urldate = {2020-03-27} } @online{genheimer:20200102:nice:266b137, author = {Marius Genheimer}, title = {{"Nice decorating. Let me guess, Satan?" - Dot / MZP Ransomware}}, date = {2020-01-02}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/nice-decorating-let-me-guess-satan-dot-mzp-ransomware.html}, language = {English}, urldate = {2020-03-27} } @online{genheimer:20200109:not:187b390, author = {Marius Genheimer}, title = {{Not so nice after all - Afrodita Ransomware}}, date = {2020-01-09}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/not-so-nice-after-all-afrodita-ransomware.html}, language = {English}, urldate = {2020-03-27} } @online{genheimer:20200123:opposite:b471c6b, author = {Marius Genheimer}, title = {{The Opposite of Fileless Malware - NodeJS Ransomware}}, date = {2020-01-23}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/the-opposite-of-fileless-malware-nodejs-ransomware.html}, language = {English}, urldate = {2020-03-27} } @online{genheimer:20200318:why:545326b, author = {Marius Genheimer}, title = {{Why would you even bother?! - JavaLocker}}, date = {2020-03-18}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/why-would-you-even-bother-javalocker.html}, language = {English}, urldate = {2020-03-27} } @online{genheimer:20200320:jamba:9d5bb76, author = {Marius Genheimer}, title = {{Jamba Superdeal: Helo Sir, you want to buy mask? - Corona Safety Mask SMS Scam}}, date = {2020-03-20}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/jamba-superdeal-helo-sir-you-want-to-buy-mask-corona-safety-mask-sms-scam.html}, language = {English}, urldate = {2020-03-27} } @online{genheimer:20200413:blame:b258b2b, author = {Marius Genheimer}, title = {{The Blame Game - About False Flags and overwritten MBRs}}, date = {2020-04-13}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/the-blame-game-about-false-flags-and-overwritten-mbrs.html}, language = {English}, urldate = {2020-04-15} } @online{genheimer:20200617:deicer:de78cca, author = {Marius Genheimer}, title = {{deICEr: A Go tool for extracting config from IcedID second stage Loaders}}, date = {2020-06-17}, organization = {Github (f0wl)}, url = {https://github.com/f0wl/deICEr}, language = {English}, urldate = {2020-06-18} } @online{georgia:20200901:us:69ac101, author = {U.S. Embassy in Georgia}, title = {{U.S. Embassy statement on September 1, 2020 cyberattack against Georgian Ministry of Health}}, date = {2020-09-01}, organization = {U.S. Embassy in Georgia}, url = {https://ge.usembassy.gov/u-s-embassy-statement-on-september-1-2020-cyberattack-against-georgian-ministry-of-health/}, language = {English}, urldate = {2020-09-06} } @online{georgiev:20191011:7:a4962f1, author = {Roman Georgiev}, title = {{За российскими дипломатами 7 лет следят с помощью шпионского ПО}}, date = {2019-10-11}, organization = {c news}, url = {https://safe.cnews.ru/news/top/2019-10-11_za_rossijskimi_diplomatami}, language = {Russian}, urldate = {2019-11-29} } @online{gheorghe:20160705:new:8f65d0c, author = {Alexandra Gheorghe}, title = {{New Backdoor Allows Full Access to Mac Systems, Bitdefender Warns}}, date = {2016-07-05}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2016/07/new-mac-backdoor-nukes-os-x-systems/}, language = {English}, urldate = {2020-01-08} } @online{giagone:20171120:cobalt:fb5c2ed, author = {Ronnie Giagone and Lenart Bermejo and Fyodor Yarochkin}, title = {{Cobalt Strikes Again: Spam Runs Use Macros and CVE-2017-8759 Exploit Against Russian Banks}}, date = {2017-11-20}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/cobalt-spam-runs-use-macros-cve-2017-8759-exploit/}, language = {English}, urldate = {2019-10-29} } @online{giang:20191104:nemty:6f237c6, author = {Nguyen Hoang Giang and Eduardo Altares and Muhammad Hasib Latif}, title = {{Nemty Ransomware Expands Its Reach, Also Delivered by Trik Botnet}}, date = {2019-11-04}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nemty-ransomware-trik-botnet}, language = {English}, urldate = {2020-06-02} } @online{giang:20200330:emotet:6034d14, author = {Nguyen Hoang Giang and Mingwei Zhang}, title = {{Emotet: Dangerous Malware Keeps on Evolving}}, date = {2020-03-30}, organization = {Symantec}, url = {https://medium.com/threat-intel/emotet-dangerous-malware-keeps-on-evolving-ac84aadbb8de}, language = {English}, urldate = {2020-04-01} } @online{gibb:20180410:icedid:f1a3ff2, author = {Ross Gibb and Daphne Galme and Michael Gorelik}, title = {{IcedID Banking Trojan Teams up with Ursnif/Dreambot for Distribution}}, date = {2018-04-10}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2018/04/icedid-banking-trojan.html}, language = {English}, urldate = {2019-12-17} } @online{gillespie:20160811:smrss32:0f85a72, author = {Michael Gillespie}, title = {{Smrss32 (.encrypted) Ransomware Help & Support - _HOW_TO_Decrypt.bmp}}, date = {2016-08-11}, organization = {BleepingComputer Forums}, url = {https://www.bleepingcomputer.com/forums/t/623132/smrss32-encrypted-ransomware-help-support-how-to-decryptbmp/}, language = {English}, urldate = {2019-07-09} } @online{gillespie:20180306:cryakl:4a313ab, author = {Michael Gillespie}, title = {{Tweet on Cryakl}}, date = {2018-03-06}, organization = {Twitter (@demonslay335)}, url = {https://twitter.com/demonslay335/status/971164798376468481}, language = {English}, urldate = {2020-01-07} } @online{gillespie:20181117:analyzing:7ff3264, author = {Michael Gillespie}, title = {{Analyzing Ransomware - Reversing Basic .NET Ransomware}}, date = {2018-11-17}, organization = {Youtube (Demonslay335)}, url = {https://www.youtube.com/watch?v=7gCU31ScJgk}, language = {English}, urldate = {2020-01-08} } @online{gillespie:20181117:analyzing:ecd5641, author = {Michael Gillespie}, title = {{Analyzing Ransomware - Beginner Static Analysis}}, date = {2018-11-17}, organization = {Youtube (Demonslay335)}, url = {https://www.youtube.com/watch?v=9nuo-AGg4p4}, language = {English}, urldate = {2020-02-27} } @online{gillespie:20200923:ironcat:12f0892, author = {Michael Gillespie}, title = {{Tweet on Ironcat (Sodinokibi imposter)}}, date = {2020-09-23}, organization = {Twitter (@demonslay335)}, url = {https://twitter.com/demonslay335/status/1308827693312548864}, language = {English}, urldate = {2020-09-24} } @online{ginty:20200821:pinchy:24fe21a, author = {Steve Ginty}, title = {{Pinchy Spider: Ransomware Infrastructure Connected to Dark Web Marketplace}}, date = {2020-08-21}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/3315064b}, language = {English}, urldate = {2020-09-01} } @online{ginty:20201014:wellmarked:9176303, author = {Steve Ginty and Jon Gross}, title = {{A Well-Marked Trail: Journeying through OceanLotus's Infrastructure}}, date = {2020-10-14}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/f0320980}, language = {English}, urldate = {2020-10-23} } @online{giuliani:20110913:mebromi:2d33f8d, author = {Marco Giuliani}, title = {{Mebromi: the first BIOS rootkit in the wild}}, date = {2011-09-13}, organization = {Webroot}, url = {https://www.webroot.com//blog/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/}, language = {English}, urldate = {2020-01-08} } @online{gleicher:20200922:removing:8fe26cd, author = {Nathaniel Gleicher}, title = {{Removing Coordinated Inauthentic Behavior}}, date = {2020-09-22}, organization = {Facebook}, url = {https://about.fb.com/news/2020/09/removing-coordinated-inauthentic-behavior-china-philippines/}, language = {English}, urldate = {2020-09-24} } @online{gleicher:20200924:removing:595f9bf, author = {Nathaniel Gleicher}, title = {{Removing Coordinated Inauthentic Behavior}}, date = {2020-09-24}, organization = {Facebook}, url = {https://about.fb.com/news/2020/09/removing-coordinated-inauthentic-behavior-russia/}, language = {English}, urldate = {2020-09-25} } @online{global:20150917:dukes:5dc47f5, author = {F-Secure Global}, title = {{The Dukes: 7 Years Of Russian Cyber-Espionage}}, date = {2015-09-17}, organization = {F-Secure}, url = {https://www.zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram/}, language = {English}, urldate = {2020-01-09} } @online{global:20171027:big:916374a, author = {F-Secure Global}, title = {{The big difference with Bad Rabbit}}, date = {2017-10-27}, organization = {F-Secure}, url = {https://labsblog.f-secure.com/2017/10/27/the-big-difference-with-bad-rabbit/}, language = {English}, urldate = {2020-01-07} } @online{global:20190328:analysis:8b788ab, author = {F-Secure Global}, title = {{Analysis of ShadowHammer ASUS Attack First Stage Payload}}, date = {2019-03-28}, organization = {F-Secure}, url = {https://countercept.com/blog/analysis-shadowhammer-asus-attack-first-stage-payload/}, language = {English}, urldate = {2020-01-08} } @online{glyer:20200325:this:0bc322f, author = {Christopher Glyer and Dan Perez and Sarah Jones and Steve Miller}, title = {{This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits}}, date = {2020-03-25}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html}, language = {English}, urldate = {2020-04-14} } @online{goet:20200110:hitchhikers:03fefe9, author = {Maarten Goet}, title = {{A hitchhikers guide to the cybersecurity galaxy}}, date = {2020-01-10}, organization = {Youtube (Azure Thursday)}, url = {https://www.youtube.com/watch?v=fBFm2fiEPTg}, language = {English}, urldate = {2020-06-16} } @online{golak:20190625:icedid:0a3e153, author = {Dawid Golak}, title = {{IcedID aka #Bokbot Analysis with Ghidra}}, date = {2019-06-25}, url = {https://medium.com/@dawid.golak/icedid-aka-bokbot-analysis-with-ghidra-560e3eccb766}, language = {English}, urldate = {2019-12-02} } @online{gold:20140122:iran:b9a3b8e, author = {Steve Gold}, title = {{Iran and Russia blamed for state-sponsored espionage}}, date = {2014-01-22}, organization = {SC Magazine}, url = {https://web.archive.org/web/20140129192702/https://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/}, language = {English}, urldate = {2020-06-08} } @techreport{goldberg:201509:variant:0121be8, author = {Yakov Goldberg and Maayan Fishelov}, title = {{A Variant of the Network Worm Win32 Allaple has been Spotted in the Wild}}, date = {2015-09}, institution = {Trapx Security}, url = {https://trapx.com/wp-content/uploads/2017/08/White_Paper_TrapX_AllapleWorm.pdf}, language = {English}, urldate = {2019-11-16} } @online{goldberg:20180606:operation:64e4fac, author = {Daniel Goldberg and Ofri Ziv and Mor Matal}, title = {{Operation Prowli: Monetizing 40,000 Victim Machines}}, date = {2018-06-06}, organization = {Guardicore}, url = {https://www.guardicore.com/2018/06/operation-prowli-traffic-manipulation-cryptocurrency-mining/}, language = {English}, urldate = {2019-10-14} } @online{goldencrown:20040415:mydoom:38c5e17, author = {Matt Goldencrown}, title = {{MyDoom is Your Doom: An Analysis of the MyDoom Virus}}, date = {2004-04-15}, organization = {SANS GIAC}, url = {https://www.giac.org/paper/gcih/568/mydoom-dom-anlysis-mydoom-virus/106069}, language = {English}, urldate = {2019-11-26} } @online{goliate:20150818:ransomware:be29cd4, author = {goliate}, title = {{ransomware open-sources}}, date = {2015-08-18}, organization = {Github (goliate)}, url = {https://github.com/goliate/hidden-tear}, language = {English}, urldate = {2020-01-13} } @online{golovanov:20170404:atmitch:1ed35bc, author = {Sergey Golovanov}, title = {{ATMitch: remote administration of ATMs}}, date = {2017-04-04}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/sas/77918/atmitch-remote-administration-of-atms/}, language = {English}, urldate = {2019-12-20} } @online{golovin:20200706:pig:c3a73df, author = {Igor Golovin and Anton Kivva}, title = {{Pig in a poke: smartphone adware}}, date = {2020-07-06}, organization = {Kaspersky Labs}, url = {https://securelist.com/pig-in-a-poke-smartphone-adware/97607/}, language = {English}, urldate = {2020-07-08} } @online{gomez:20130207:ladyboyle:5927b00, author = {J. Gomez and Thoufique Haq}, title = {{LadyBoyle Comes to Town with a New Exploit}}, date = {2013-02-07}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2013/02/lady-boyle-comes-to-town-with-a-new-exploit.html}, language = {English}, urldate = {2019-12-20} } @online{goodin:20110914:malware:c1e8db0, author = {Dan Goodin}, title = {{Malware burrows deep into computer BIOS to escape AV}}, date = {2011-09-14}, organization = {The Register}, url = {http://www.theregister.co.uk/2011/09/14/bios_rootkit_discovered/}, language = {English}, urldate = {2020-01-06} } @online{goodin:20150216:how:4e36cde, author = {Dan Goodin}, title = {{How “omnipotent” hackers tied to NSA hid for 14 years—and were found at last}}, date = {2015-02-16}, organization = {Ars Technica}, url = {https://arstechnica.com/information-technology/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last/}, language = {English}, urldate = {2019-12-06} } @online{goodin:20150415:elite:eaaea2d, author = {Dan Goodin}, title = {{Elite cyber crime group strikes back after attack by rival APT gang}}, date = {2015-04-15}, organization = {Ars Technica}, url = {http://arstechnica.com/security/2015/04/elite-cyber-crime-group-strikes-back-after-attack-by-rival-apt-gang/}, language = {English}, urldate = {2019-11-29} } @online{goodin:20170118:newly:2b58256, author = {Dan Goodin}, title = {{Newly discovered Mac malware found in the wild also works well on Linux}}, date = {2017-01-18}, organization = {Ars Technica}, url = {https://arstechnica.com/security/2017/01/newly-discovered-mac-malware-may-have-circulated-in-the-wild-for-2-years/}, language = {English}, urldate = {2020-01-13} } @online{goodin:20170725:perverse:998aed8, author = {Dan Goodin}, title = {{“Perverse” malware infecting hundreds of Macs remained undetected for years}}, date = {2017-07-25}, organization = {Ars Technica}, url = {https://arstechnica.com/security/2017/07/perverse-malware-infecting-hundreds-of-macs-remained-undetected-for-years/}, language = {English}, urldate = {2020-01-13} } @online{goodin:20180418:tens:ad8fd3a, author = {Dan Goodin}, title = {{Tens of thousands of Facebook accounts compromised in days by malware}}, date = {2018-04-18}, organization = {Ars Technica}, url = {https://arstechnica.com/information-technology/2018/04/tens-of-thousands-of-facebook-accounts-compromised-in-days-by-malware/}, language = {English}, urldate = {2019-11-23} } @online{goodin:20190606:google:f1f32d4, author = {Dan Goodin}, title = {{Google confirms that advanced backdoor came preinstalled on Android devices}}, date = {2019-06-06}, organization = {Ars Technica}, url = {https://arstechnica.com/information-technology/2019/06/google-confirms-2017-supply-chain-attack-that-sneaked-backdoor-on-android-devices/}, language = {English}, urldate = {2020-01-13} } @online{goody:20190111:nasty:3c872d4, author = {Kimberly Goody and Jeremy Kennelly and Jaideep Natu and Christopher Glyer}, title = {{A Nasty Trick: From Credential Theft Malware to Business Disruption}}, date = {2019-01-11}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html}, language = {English}, urldate = {2019-12-20} } @online{goody:20200507:navigating:7147cb7, author = {Kimberly Goody and Jeremy Kennelly and Joshua Shilko}, title = {{Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents}}, date = {2020-05-07}, organization = {FireEye Inc}, url = {https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html}, language = {English}, urldate = {2020-05-11} } @online{goody:20200521:navigating:a2eae5f, author = {Kimberly Goody and Jeremy Kennelly}, title = {{Navigating MAZE: Analysis of a Rising Ransomware Threat}}, date = {2020-05-21}, organization = {BrightTALK (FireEye)}, url = {https://www.brighttalk.com/webcast/7451/408167/navigating-maze-analysis-of-a-rising-ransomware-threat}, language = {English}, urldate = {2020-06-05} } @online{gordon:20200720:what:b88e81f, author = {Daniel Gordon}, title = {{What even is Winnti?}}, date = {2020-07-20}, organization = {Risky.biz}, url = {https://risky.biz/whatiswinnti/}, language = {English}, urldate = {2020-08-18} } @online{gorelik:20170427:iranian:4ab7f08, author = {Michael Gorelik}, title = {{Iranian Fileless Attack Infiltrates Israeli Organizations}}, date = {2017-04-27}, organization = {Morphisec}, url = {https://blog.morphisec.com/iranian-fileless-cyberattack-on-israel-word-vulnerability}, language = {English}, urldate = {2020-07-30} } @online{gorelik:20170427:iranian:827f6f3, author = {Michael Gorelik}, title = {{Iranian Fileless Attack Infiltrates Israeli Organizations}}, date = {2017-04-27}, organization = {Morphisec}, url = {http://blog.morphisec.com/iranian-fileless-cyberattack-on-israel-word-vulnerability}, language = {English}, urldate = {2019-12-04} } @online{gorelik:20170609:fin7:3b251c4, author = {Michael Gorelik}, title = {{FIN7 Takes Another Bite at the Restaurant Industry}}, date = {2017-06-09}, organization = {Morphisec}, url = {http://blog.morphisec.com/fin7-attacks-restaurant-industry}, language = {English}, urldate = {2019-12-04} } @online{gorelik:20170609:fin7:3be08a2, author = {Michael Gorelik}, title = {{FIN7 Takes Another Bite at the Restaurant Industry}}, date = {2017-06-09}, organization = {Morphisec}, url = {https://blog.morphisec.com/fin7-attacks-restaurant-industry}, language = {English}, urldate = {2020-09-04} } @online{gorelik:20170918:morphisec:501cc93, author = {Michael Gorelik}, title = {{Morphisec Discovers CCleaner Backdoor Saving Millions of Avast Users}}, date = {2017-09-18}, organization = {Morphisec}, url = {http://blog.morphisec.com/morphisec-discovers-ccleaner-backdoor}, language = {English}, urldate = {2020-01-08} } @online{gorelik:20171013:fin7:36ef13a, author = {Michael Gorelik}, title = {{FIN7 Dissected: Hackers Accelerate Pace of Innovation}}, date = {2017-10-13}, organization = {Morphisec}, url = {https://blog.morphisec.com/fin7-attack-modifications-revealed}, language = {English}, urldate = {2020-09-04} } @online{gorelik:20171013:fin7:d52a75d, author = {Michael Gorelik}, title = {{FIN7 Dissected: Hackers Accelerate Pace of Innovation}}, date = {2017-10-13}, organization = {Morphisec}, url = {http://blog.morphisec.com/fin7-attack-modifications-revealed}, language = {English}, urldate = {2019-11-29} } @online{gorelik:20181008:cobalt:dece0e0, author = {Michael Gorelik}, title = {{Cobalt Group 2.0}}, date = {2018-10-08}, organization = {Morphisec}, url = {https://blog.morphisec.com/cobalt-gang-2.0}, language = {English}, urldate = {2020-01-05} } @online{gorelik:20181121:fin7:02ad475, author = {Michael Gorelik}, title = {{FIN7 Not Finished – Morphisec Spots New Campaign}}, date = {2018-11-21}, organization = {mor}, url = {http://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign}, language = {English}, urldate = {2020-01-08} } @online{gorelik:20181221:fin7:d71e1b0, author = {Michael Gorelik}, title = {{FIN7 Not Finished - Morphisec Spots New Campaign}}, date = {2018-12-21}, organization = {Morphisec}, url = {https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign}, language = {English}, urldate = {2020-09-04} } @online{gorelik:20190227:new:5296a0b, author = {Michael Gorelik and Alon Groisman}, title = {{New Global Cyber Attack on Point of Sale Sytem}}, date = {2019-02-27}, organization = {Morphisec}, url = {http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems}, language = {English}, urldate = {2020-01-09} } @online{gorelik:20200228:trickbot:678683b, author = {Michael Gorelik}, title = {{Trickbot Delivery Method Gets a New Upgrade Focusing on Windows 10}}, date = {2020-02-28}, organization = {Morphisec}, url = {https://blog.morphisec.com/trickbot-delivery-method-gets-a-new-upgrade-focusing-on-windows}, language = {English}, urldate = {2020-03-03} } @online{gorelik:20200616:crystalbit:1906ecc, author = {Michael Gorelik}, title = {{CrystalBit / Apple Double DLL Hijack -- From fraudulent software bundle downloads to an evasive miner raging campaign}}, date = {2020-06-16}, organization = {Morphisec}, url = {https://blog.morphisec.com/crystalbit-apple-double-dll-hijack}, language = {English}, urldate = {2020-06-16} } @online{gostev:20120528:flame:4aa29b8, author = {Alexander Gostev}, title = {{The Flame: Questions and Answers}}, date = {2012-05-28}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-flame-questions-and-answers-51/34344/}, language = {English}, urldate = {2020-01-06} } @online{gostev:20140312:agentbtz:8f1988f, author = {Alexander Gostev}, title = {{Agent.btz: a Source of Inspiration?}}, date = {2014-03-12}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/virus-watch/58551/agent-btz-a-source-of-inspiration/}, language = {English}, urldate = {2019-12-20} } @online{gottesman:20151006:moker:1b8240a, author = {Yotam Gottesman}, title = {{MOKER, PART 1: DISSECTING A NEW APT UNDER THE MICROSCOPE}}, date = {2015-10-06}, organization = {enSilo}, url = {https://breakingmalware.com/malware/moker-part-1-dissecting-a-new-apt-under-the-microscope/}, language = {English}, urldate = {2020-01-07} } @online{gottesman:20151006:moker:ed878d9, author = {Yotam Gottesman}, title = {{MOKER: A NEW APT DISCOVERED WITHIN A SENSITIVE NETWORK}}, date = {2015-10-06}, organization = {enSilo}, url = {http://blog.ensilo.com/moker-a-new-apt-discovered-within-a-sensitive-network}, language = {English}, urldate = {2019-07-09} } @online{gottesman:20151008:moker:4a42451, author = {Yotam Gottesman}, title = {{MOKER, PART 2: CAPABILITIES}}, date = {2015-10-08}, organization = {enSilo}, url = {https://breakingmalware.com/malware/moker-part-2-capabilities/}, language = {English}, urldate = {2020-01-08} } @online{govcertch:20150911:analysing:e00b8ce, author = {GovCERT.ch}, title = {{Analysing a new eBanking Trojan called Fobber}}, date = {2015-09-11}, organization = {GovCERT.ch}, url = {https://www.govcert.admin.ch/blog/12/analysing-a-new-ebanking-trojan-called-fobber}, language = {English}, urldate = {2019-11-29} } @techreport{govcertch:20150911:fobber:a23b812, author = {GovCERT.ch}, title = {{Fobber Analysis}}, date = {2015-09-11}, institution = {GovCERT.ch}, url = {http://www.govcert.admin.ch/downloads/whitepapers/govcertch_fobber_analysis.pdf}, language = {English}, urldate = {2019-12-17} } @techreport{govcertch:20160523:case:b6612e9, author = {GovCERT.ch}, title = {{APT Case RUAG - Technical Report}}, date = {2016-05-23}, institution = {MELANI GovCERT}, url = {https://www.melani.admin.ch/dam/melani/de/dokumente/2016/technical%20report%20ruag.pdf.download.pdf/Report_Ruag-Espionage-Case.pdf}, language = {English}, urldate = {2019-12-17} } @online{govcertch:20170130:sage:022d593, author = {GovCERT.ch}, title = {{Sage 2.0 comes with IP Generation Algorithm (IPGA)}}, date = {2017-01-30}, organization = {GovCERT.ch}, url = {https://www.govcert.admin.ch/blog/27/saga-2.0-comes-with-ip-generation-algorithm-ipga}, language = {English}, urldate = {2019-11-29} } @online{govcertch:20170803:retefe:07f6df3, author = {GovCERT.ch}, title = {{The Retefe Saga}}, date = {2017-08-03}, organization = {GovCERT.ch}, url = {https://www.govcert.admin.ch/blog/33/the-retefe-saga}, language = {English}, urldate = {2020-01-13} } @online{govcertch:20181108:reversing:87c494c, author = {GovCERT.ch}, title = {{Reversing Retefe}}, date = {2018-11-08}, organization = {GovCERT.ch}, url = {https://www.govcert.admin.ch/blog/35/reversing-retefe}, language = {English}, urldate = {2019-11-21} } @online{govcertch:20190509:severe:2767782, author = {GovCERT.ch}, title = {{Severe Ransomware Attacks Against Swiss SMEs}}, date = {2019-05-09}, organization = {GovCERT.ch}, url = {https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes}, language = {English}, urldate = {2019-07-11} } @online{govcertch:20190514:rise:8fd8ef4, author = {GovCERT.ch}, title = {{The Rise of Dridex and the Role of ESPs}}, date = {2019-05-14}, organization = {GovCERT.ch}, url = {https://www.govcert.admin.ch/blog/28/the-rise-of-dridex-and-the-role-of-esps}, language = {English}, urldate = {2020-01-09} } @online{govcertch:20190925:trickbot:8346dd7, author = {GovCERT.ch}, title = {{Trickbot - An analysis of data collected from the botnet}}, date = {2019-09-25}, organization = {GovCERT.ch}, url = {https://www.govcert.ch/blog/37/trickbot-an-analysis-of-data-collected-from-the-botnet}, language = {English}, urldate = {2020-01-08} } @online{govcertch:20200220:analysis:18301ef, author = {GovCERT.ch}, title = {{Analysis of an Unusual HawkEye Sample}}, date = {2020-02-20}, organization = {GovCERT.ch}, url = {https://www.govcert.ch/blog/analysis-of-an-unusual-hawkeye-sample/}, language = {English}, urldate = {2020-02-20} } @online{graff:20170321:inside:dc89cf2, author = {Garrett M. Graff}, title = {{Inside the Hunt for Russia's Most Notorious Hacker}}, date = {2017-03-21}, organization = {Wired}, url = {https://www.wired.com/?p=2171700}, language = {English}, urldate = {2020-01-13} } @online{graff:20171104:how:7a25415, author = {Garrett M. Graff}, title = {{How the FBI Took Down Russia's Spam King—And His Massive Botnet}}, date = {2017-11-04}, organization = {Wired}, url = {https://www.wired.com/2017/04/fbi-took-russias-spam-king-massive-botnet/}, language = {English}, urldate = {2019-12-03} } @online{graham:20161229:some:111da12, author = {Robert Graham}, title = {{Some notes on IoCs}}, date = {2016-12-29}, organization = {Errata Security}, url = {https://blog.erratasec.com/2016/12/some-notes-on-iocs.html}, language = {English}, urldate = {2020-01-06} } @online{graham:20170629:nonpetya:c470dd8, author = {Robert Graham}, title = {{NonPetya: no evidence it was a "smokescreen"}}, date = {2017-06-29}, url = {http://blog.erratasec.com/2017/06/nonpetya-no-evidence-it-was-smokescreen.html}, language = {English}, urldate = {2020-01-07} } @techreport{grandy:20200924:offensive:8c9687e, author = {Matt Grandy and Joe Leon}, title = {{Offensive Maldocs in 2020}}, date = {2020-09-24}, institution = {Github (FortyNorthSecurity)}, url = {https://github.com/FortyNorthSecurity/Presentations/blob/master/Offensive%20Maldocs%20in%202020.pdf}, language = {English}, urldate = {2020-09-25} } @online{grange:20141209:blue:63864e2, author = {Waylon Grange}, title = {{Blue Coat Exposes “The Inception Framework”; Very Sophisticated, Layered Malware Attack Targeted at Military, Diplomats, and Bus}}, date = {2014-12-09}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/blue-coat-exposes-inception-framework-very-sophisticated-layered-malware-attack-targeted-milit}, language = {English}, urldate = {2019-12-20} } @online{grange:20170418:hajime:b2ed231, author = {Waylon Grange}, title = {{Hajime worm battles Mirai for control of the Internet of Things}}, date = {2017-04-18}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/hajime-worm-battles-mirai-control-internet-things}, language = {English}, urldate = {2019-12-06} } @online{grange:20200713:anchordns:d83e6f5, author = {Waylon Grange}, title = {{Anchor_dns malware goes cross platform}}, date = {2020-07-13}, organization = {Stage 2 Security}, url = {https://medium.com/stage-2-security/anchor-dns-malware-family-goes-cross-platform-d807ba13ca30}, language = {English}, urldate = {2020-07-16} } @online{graziano:20170130:eyepyramid:a15d7c0, author = {Mariano Graziano and Paul Rascagnères}, title = {{EyePyramid: An Archaeological Journey}}, date = {2017-01-30}, organization = {Cisco}, url = {http://blog.talosintel.com/2017/01/Eye-Pyramid.html}, language = {English}, urldate = {2019-11-22} } @online{great:20120717:madi:ddf85da, author = {GReAT}, title = {{The Madi Campaign – Part I}}, date = {2012-07-17}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-madi-campaign-part-i-5/33693/}, language = {English}, urldate = {2019-12-20} } @online{great:20120726:madi:d4f911e, author = {GReAT}, title = {{The Madi Campaign – Part II}}, date = {2012-07-26}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-madi-campaign-part-ii-53/33701/}, language = {English}, urldate = {2019-12-20} } @online{great:20120816:shamoon:143efb8, author = {GReAT}, title = {{Shamoon the Wiper – Copycats at Work}}, date = {2012-08-16}, organization = {Kaspersky Labs}, url = {https://securelist.com/shamoon-the-wiper-copycats-at-work/}, language = {English}, urldate = {2019-12-20} } @online{great:20130114:red:ac55753, author = {GReAT}, title = {{"Red October" Diplomatic Cyber Attacks Investigation}}, date = {2013-01-14}, organization = {Kaspersky Labs}, url = {https://securelist.com/red-october-diplomatic-cyber-attacks-investigation/36740/}, language = {English}, urldate = {2020-04-06} } @techreport{great:20130320:teamspy:10e8000, author = {GReAT}, title = {{The ‘TeamSpy’ Story -Abusing TeamViewer in Cyberespionage Campaigns}}, date = {2013-03-20}, institution = {Kaspersky Labs}, url = {https://d2538mqrb7brka.cloudfront.net/wp-content/uploads/sites/43/2018/03/20134928/theteamspystory_final_t2.pdf}, language = {English}, urldate = {2020-01-08} } @online{great:20130320:teamspy:2e6f353, author = {GReAT}, title = {{The TeamSpy Crew Attacks – Abusing TeamViewer for Cyberespionage}}, date = {2013-03-20}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/incidents/35520/the-teamspy-crew-attacks-abusing-teamviewer-for-cyberespionage-8/}, language = {English}, urldate = {2019-12-20} } @online{great:20130411:winnti:b1c0d83, author = {GReAT}, title = {{Winnti. More than just a game}}, date = {2013-04-11}, organization = {Kaspersky Labs}, url = {https://securelist.com/winnti-more-than-just-a-game/37029/}, language = {English}, urldate = {2019-12-20} } @online{great:20130411:winnti:f53a759, author = {GReAT}, title = {{Winnti FAQ. More Than Just a Game}}, date = {2013-04-11}, organization = {Kaspersky Labs}, url = {https://securelist.com/winnti-faq-more-than-just-a-game/57585/}, language = {English}, urldate = {2019-12-20} } @techreport{great:201304:winnti:c8e6f40, author = {GReAT}, title = {{Winnti - More than just a game}}, date = {2013-04}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20134508/winnti-more-than-just-a-game-130410.pdf}, language = {English}, urldate = {2019-07-11} } @online{great:20130604:kaspersky:070481d, author = {GReAT}, title = {{Kaspersky Lab Uncovers ‘Operation NetTraveler,’ a Global Cyberespionage Campaign Targeting Government-Affiliated Organizations and Research Institutes}}, date = {2013-06-04}, organization = {Kaspersky Labs}, url = {https://www.kaspersky.com/about/press-releases/2013_kaspersky-lab-uncovers--operation-nettraveler--a-global-cyberespionage-campaign-targeting-government-affiliated-organizations-and-research-institutes}, language = {English}, urldate = {2020-01-13} } @online{great:20130604:nettraveler:a9ac0f1, author = {GReAT}, title = {{“NetTraveler is Running!” – Red Star APT Attacks Compromise High-Profile Victims}}, date = {2013-06-04}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/35936/nettraveler-is-running-red-star-apt-attacks-compromise-high-profile-victims/}, language = {English}, urldate = {2019-12-20} } @online{great:20130925:icefog:7f2dd2b, author = {GReAT}, title = {{The Icefog APT: A Tale of Cloak and Three Daggers}}, date = {2013-09-25}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-icefog-apt-a-tale-of-cloak-and-three-daggers/57331/}, language = {English}, urldate = {2019-12-20} } @online{great:20140210:caretomask:1aa235f, author = {GReAT}, title = {{The Careto/Mask APT: Frequently Asked Questions}}, date = {2014-02-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-caretomask-apt-frequently-asked-questions/58254/}, language = {English}, urldate = {2019-12-20} } @online{great:20140807:epic:ba080b6, author = {GReAT}, title = {{The Epic Turla Operation}}, date = {2014-08-07}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-epic-turla-operation/65545/}, language = {English}, urldate = {2019-12-20} } @online{great:20140807:epic:f8b0803, author = {GReAT}, title = {{The Epic Turla Operation}}, date = {2014-08-07}, organization = {Kaspersky Labs}, url = {https://securelist.com/analysis/publications/65545/the-epic-turla-operation/}, language = {English}, urldate = {2019-12-20} } @online{great:20140820:el:c4534ec, author = {GReAT}, title = {{“El Machete”}}, date = {2014-08-20}, organization = {Kaspersky Labs}, url = {https://securelist.com/el-machete/66108/}, language = {English}, urldate = {2019-12-20} } @online{great:20141110:darkhotel:19e4934, author = {GReAT}, title = {{The Darkhotel APT}}, date = {2014-11-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-darkhotel-apt/66779/}, language = {English}, urldate = {2019-12-20} } @online{great:20141110:darkhotel:b1f9560, author = {GReAT}, title = {{The Darkhotel APT}}, date = {2014-11-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/66779/the-darkhotel-apt/}, language = {English}, urldate = {2019-12-20} } @online{great:20141210:cloud:ccb4794, author = {GReAT}, title = {{Cloud Atlas: RedOctober APT is back in style}}, date = {2014-12-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/}, language = {English}, urldate = {2019-12-20} } @online{great:20150216:equation:7b95c72, author = {GReAT}, title = {{Equation: The Death Star of Malware Galaxy}}, date = {2015-02-16}, organization = {Kaspersky Labs}, url = {https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/#_1}, language = {English}, urldate = {2019-12-20} } @online{great:20150216:equation:ad81ead, author = {GReAT}, title = {{Equation: The Death Star of Malware Galaxy}}, date = {2015-02-16}, organization = {Kaspersky Labs}, url = {https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/}, language = {English}, urldate = {2019-12-20} } @online{great:201502:carbanak:1b262fc, author = {GReAT}, title = {{Carbanak APT: The Great Bank Robbery}}, date = {2015-02}, organization = {Kaspersky SAS}, url = {https://app.box.com/s/p7qzcury97tuwk26694uutujwqmwqyhe}, language = {English}, urldate = {2020-05-18} } @techreport{great:201502:carbanak:22f5e49, author = {GReAT}, title = {{CARBANAK APTTHE GREAT BANK ROBBERY}}, date = {2015-02}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf}, language = {English}, urldate = {2020-01-06} } @techreport{great:201502:desert:0826d08, author = {GReAT}, title = {{The Desert Falcons Targeted Attacks}}, date = {2015-02}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064309/The-Desert-Falcons-targeted-attacks.pdf}, language = {English}, urldate = {2020-04-06} } @online{great:20150306:animals:f15e26a, author = {GReAT}, title = {{Animals in the APT Farm}}, date = {2015-03-06}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/69114/animals-in-the-apt-farm/}, language = {English}, urldate = {2019-12-20} } @online{great:20150311:inside:28cec3e, author = {GReAT}, title = {{Inside the EquationDrug Espionage Platform}}, date = {2015-03-11}, organization = {Kaspersky Labs}, url = {https://securelist.com/inside-the-equationdrug-espionage-platform/69203/}, language = {English}, urldate = {2019-12-20} } @online{great:20150610:mystery:c1ef5c2, author = {GReAT}, title = {{The Mystery of Duqu 2.0: a sophisticated cyberespionage actor returns}}, date = {2015-06-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/}, language = {English}, urldate = {2020-03-09} } @online{great:20150708:wild:4e853a7, author = {GReAT}, title = {{Wild Neutron – Economic espionage threat actor returns with new tricks}}, date = {2015-07-08}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/}, language = {English}, urldate = {2019-12-20} } @online{great:20150708:wild:ee7c858, author = {GReAT}, title = {{Wild Neutron – Economic espionage threat actor returns with new tricks}}, date = {2015-07-08}, organization = {Kaspersky Labs}, url = {https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/}, language = {English}, urldate = {2019-12-20} } @online{great:20150810:darkhotels:3c831d5, author = {GReAT}, title = {{Darkhotel’s attacks in 2015}}, date = {2015-08-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/}, language = {English}, urldate = {2019-12-20} } @online{great:20151204:sofacy:664b5a8, author = {GReAT}, title = {{Sofacy APT hits high profile targets with updated toolset}}, date = {2015-12-04}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/}, language = {English}, urldate = {2019-12-20} } @online{great:20151204:sofacy:b437b35, author = {GReAT}, title = {{Sofacy APT hits high profile targets with updated toolset}}, date = {2015-12-04}, organization = {Kaspersky Labs}, url = {https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/}, language = {English}, urldate = {2020-08-30} } @online{great:20160128:blackenergy:3c2a914, author = {GReAT}, title = {{BlackEnergy APT Attacks in Ukraine employ spearphishing with Word documents}}, date = {2016-01-28}, organization = {Kaspersky Labs}, url = {https://securelist.com/blackenergy-apt-attacks-in-ukraine-employ-spearphishing-with-word-documents/73440/}, language = {English}, urldate = {2019-12-20} } @online{great:20160208:aptstyle:5b3a24e, author = {GReAT and Computer Incidents Investigation Department}, title = {{APT-style bank robberies increase with Metel, GCMAN and Carbanak 2.0 attacks}}, date = {2016-02-08}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks/73638/}, language = {English}, urldate = {2019-12-20} } @online{great:20160209:poseidon:61725f7, author = {GReAT}, title = {{Poseidon Group: a Targeted Attack Boutique specializing in global cyber-espionage}}, date = {2016-02-09}, organization = {Kaspersky Labs}, url = {https://securelist.com/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/73673/}, language = {English}, urldate = {2019-12-20} } @online{great:20160427:freezer:13a8a66, author = {GReAT}, title = {{Freezer Paper around Free Meat (Repackaging Open Source BeEF for Tracking and More)}}, date = {2016-04-27}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/software/74503/freezer-paper-around-free-meat/}, language = {English}, urldate = {2019-10-18} } @online{great:20160427:freezer:bec7033, author = {GReAT}, title = {{Freezer Paper around Free Meat}}, date = {2016-04-27}, organization = {Kaspersky Labs}, url = {https://securelist.com/freezer-paper-around-free-meat/74503/}, language = {English}, urldate = {2019-12-20} } @online{great:20160517:atm:f05ffb9, author = {GReAT and Olga Kochetova and Alexey Osipov}, title = {{ATM infector}}, date = {2016-05-17}, organization = {Kaspersky Labs}, url = {https://securelist.com/atm-infector/74772/}, language = {English}, urldate = {2019-12-20} } @online{great:20160525:cve20152545:7006bff, author = {GReAT}, title = {{CVE-2015-2545: overview of current threats}}, date = {2016-05-25}, organization = {Kaspersky Labs}, url = {https://securelist.com/analysis/publications/74828/cve-2015-2545-overview-of-current-threats/}, language = {English}, urldate = {2019-12-20} } @online{great:20160708:dropping:273c1df, author = {GReAT}, title = {{The Dropping Elephant – aggressive cyber-espionage in the Asian region}}, date = {2016-07-08}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-dropping-elephant-actor/75328/}, language = {English}, urldate = {2019-12-20} } @online{great:20160808:projectsauron:503a441, author = {GReAT}, title = {{ProjectSauron: top level cyber-espionage platform covertly extracts encrypted government comms}}, date = {2016-08-08}, organization = {Kaspersky Labs}, url = {https://securelist.com/analysis/publications/75533/faq-the-projectsauron-apt/}, language = {English}, urldate = {2019-12-20} } @techreport{great:20160909:projectsauron:9114f84, author = {GReAT}, title = {{THE PROJECTSAURON APT}}, date = {2016-09-09}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07190154/The-ProjectSauron-APT_research_KL.pdf}, language = {English}, urldate = {2019-11-02} } @online{great:20160929:teamxrat:880e95a, author = {GReAT and Anton Ivanov and Fedor Sinitsyn}, title = {{TeamXRat: Brazilian cybercrime meets ransomware}}, date = {2016-09-29}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/76153/teamxrat-brazilian-cybercrime-meets-ransomware/}, language = {English}, urldate = {2019-12-20} } @online{great:20170112:eyepyramid:18aa9df, author = {GReAT}, title = {{The “EyePyramid” attacks}}, date = {2017-01-12}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/incidents/77098/the-eyepyramid-attacks/}, language = {English}, urldate = {2019-12-20} } @online{great:20170221:newish:1c13271, author = {GReAT}, title = {{New(ish) Mirai Spreader Poses New Risks}}, date = {2017-02-21}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/77621/newish-mirai-spreader-poses-new-risks/}, language = {English}, urldate = {2019-12-20} } @techreport{great:20170307:from:3af6ed0, author = {GReAT}, title = {{FROM SHAMOON TO STONEDRILL: Wipers attacking Saudi organizations and beyond}}, date = {2017-03-07}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180722/Report_Shamoon_StoneDrill_final.pdf}, language = {English}, urldate = {2020-01-15} } @online{great:20170403:lazarus:033fcf7, author = {GReAT}, title = {{Lazarus under the Hood}}, date = {2017-04-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/lazarus-under-the-hood/77908/}, language = {English}, urldate = {2019-12-20} } @online{great:20170403:lazarus:689432c, author = {GReAT}, title = {{Lazarus under the Hood}}, date = {2017-04-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/sas/77908/lazarus-under-the-hood/}, language = {English}, urldate = {2019-12-20} } @online{great:20170411:unraveling:8be3efd, author = {GReAT}, title = {{Unraveling the Lamberts Toolkit}}, date = {2017-04-11}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/77990/unraveling-the-lamberts-toolkit/}, language = {English}, urldate = {2019-12-20} } @online{great:20170512:wannacry:b24b188, author = {GReAT}, title = {{WannaCry ransomware used in widespread attacks all over the world}}, date = {2017-05-12}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/}, language = {English}, urldate = {2019-12-20} } @online{great:20170627:schroedingers:43c7e28, author = {GReAT}, title = {{Schroedinger’s Pet(ya)}}, date = {2017-06-27}, organization = {Kaspersky Labs}, url = {https://securelist.com/schroedingers-petya/78870/}, language = {English}, urldate = {2019-12-20} } @online{great:20170630:from:d91b457, author = {GReAT}, title = {{From BlackEnergy to ExPetr}}, date = {2017-06-30}, organization = {Kaspersky Labs}, url = {https://securelist.com/from-blackenergy-to-expetr/78937/}, language = {English}, urldate = {2019-12-20} } @online{great:20170815:shadowpad:3d5b9a0, author = {GReAT}, title = {{ShadowPad in corporate networks}}, date = {2017-08-15}, organization = {Kaspersky Labs}, url = {https://securelist.com/shadowpad-in-corporate-networks/81432/}, language = {English}, urldate = {2019-12-20} } @online{great:20170830:introducing:80a9653, author = {GReAT}, title = {{Introducing WhiteBear}}, date = {2017-08-30}, organization = {Kaspersky Labs}, url = {https://securelist.com/introducing-whitebear/81638/}, language = {English}, urldate = {2019-12-20} } @online{great:20171016:blackoasis:b447418, author = {GReAT}, title = {{BlackOasis APT and new targeted attacks leveraging zero-day exploit}}, date = {2017-10-16}, organization = {Kaspersky Labs}, url = {https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/}, language = {English}, urldate = {2019-12-20} } @online{great:20171101:silence:b22eae0, author = {GReAT}, title = {{Silence – a new Trojan attacking financial organizations}}, date = {2017-11-01}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-silence/83009/}, language = {English}, urldate = {2019-12-20} } @online{great:20180220:slice:0f910f7, author = {GReAT}, title = {{A Slice of 2017 Sofacy Activity}}, date = {2018-02-20}, organization = {Kaspersky Labs}, url = {https://securelist.com/a-slice-of-2017-sofacy-activity/83930/}, language = {English}, urldate = {2019-12-20} } @online{great:20180308:devils:3373375, author = {GReAT}, title = {{The devil’s in the Rich header}}, date = {2018-03-08}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-devils-in-the-rich-header/84348/}, language = {English}, urldate = {2019-12-20} } @online{great:20180308:olympicdestroyer:79780c9, author = {GReAT}, title = {{OlympicDestroyer is here to trick the industry}}, date = {2018-03-08}, organization = {Kaspersky Labs}, url = {https://securelist.com/olympicdestroyer-is-here-to-trick-the-industry/84295/}, language = {English}, urldate = {2019-12-20} } @online{great:20180309:masha:636eab4, author = {GReAT}, title = {{Masha and these Bears - 2018 Sofacy Activity}}, date = {2018-03-09}, organization = {Kaspersky Labs}, url = {https://securelist.com/masha-and-these-bears/84311/}, language = {English}, urldate = {2020-08-28} } @techreport{great:201803:icefog:2e293e6, author = {GReAT}, title = {{The 'Icefog' APT: A Tale of Cloak and Three Daggers}}, date = {2018-03}, institution = {Kaspersky Labs}, url = {https://d2538mqrb7brka.cloudfront.net/wp-content/uploads/sites/43/2018/03/20133739/icefog.pdf}, language = {English}, urldate = {2020-01-13} } @online{great:20180412:operation:fdc83bc, author = {GReAT}, title = {{Operation Parliament, who is doing what?}}, date = {2018-04-12}, organization = {Kaspersky Labs}, url = {https://securelist.com/operation-parliament-who-is-doing-what/85237/}, language = {English}, urldate = {2019-12-20} } @online{great:20180412:trends:babf7f6, author = {GReAT}, title = {{APT Trends report Q1 2018}}, date = {2018-04-12}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q1-2018/85280/}, language = {English}, urldate = {2020-01-08} } @online{great:20180524:vpnfilter:cb1c89f, author = {GReAT}, title = {{VPNFilter EXIF to C2 mechanism analysed}}, date = {2018-05-24}, organization = {Kaspersky Labs}, url = {https://securelist.com/vpnfilter-exif-to-c2-mechanism-analysed/85721/}, language = {English}, urldate = {2019-12-20} } @online{great:20180619:hades:99ff28a, author = {GReAT}, title = {{Hades, the actor behind Olympic Destroyer is still alive}}, date = {2018-06-19}, organization = {Kaspersky Labs}, url = {https://securelist.com/olympic-destroyer-is-still-alive/86169/}, language = {English}, urldate = {2019-12-20} } @online{great:20180710:trends:4651c7b, author = {GReAT}, title = {{APT Trends Report Q2 2018}}, date = {2018-07-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2018/86487/}, language = {English}, urldate = {2019-12-20} } @online{great:20180821:dark:430988e, author = {GReAT}, title = {{Dark Tequila Añejo}}, date = {2018-08-21}, organization = {Kaspersky Labs}, url = {https://securelist.com/dark-tequila-anejo/87528/}, language = {English}, urldate = {2019-12-20} } @online{great:20180823:operation:c1011d3, author = {GReAT}, title = {{Operation AppleJeus: Lazarus hits cryptocurrency exchange with fake installer and macOS malware}}, date = {2018-08-23}, organization = {Kaspersky Labs}, url = {https://securelist.com/operation-applejeus/87553/}, language = {English}, urldate = {2019-12-20} } @online{great:20180910:luckymouse:e309805, author = {GReAT}, title = {{LuckyMouse signs malicious NDISProxy driver with certificate of Chinese IT company}}, date = {2018-09-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/luckymouse-ndisproxy-driver/87914/}, language = {English}, urldate = {2019-12-20} } @online{great:20181004:shedding:5f22310, author = {GReAT}, title = {{Shedding Skin – Turla’s Fresh Faces}}, date = {2018-10-04}, organization = {Kaspersky Labs}, url = {https://securelist.com/shedding-skin-turlas-fresh-faces/88069/}, language = {English}, urldate = {2020-02-27} } @online{great:20181010:muddywater:12992b3, author = {GReAT}, title = {{MuddyWater expands operations}}, date = {2018-10-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/muddywater/88059/}, language = {English}, urldate = {2019-12-20} } @online{great:20181015:octopusinfested:1f464bf, author = {GReAT}, title = {{Octopus-infested seas of Central Asia}}, date = {2018-10-15}, organization = {Kaspersky Labs}, url = {https://securelist.com/octopus-infested-seas-of-central-asia/88200/}, language = {English}, urldate = {2019-12-20} } @online{great:20190111:zebrocy:671fed1, author = {GReAT}, title = {{A Zebrocy Go Downloader}}, date = {2019-01-11}, organization = {Kaspersky Labs}, url = {https://securelist.com/a-zebrocy-go-downloader/89419/}, language = {English}, urldate = {2019-12-20} } @online{great:20190311:predatory:63ab818, author = {GReAT}, title = {{A predatory tale: Who’s afraid of the thief?}}, date = {2019-03-11}, organization = {Kaspersky Labs}, url = {https://securelist.com/a-predatory-tale/89779}, language = {English}, urldate = {2019-12-20} } @online{great:20190325:operation:c4bf341, author = {GReAT and AMR}, title = {{Operation ShadowHammer}}, date = {2019-03-25}, organization = {Kaspersky Labs}, url = {https://securelist.com/operation-shadowhammer/89992/}, language = {English}, urldate = {2019-12-20} } @online{great:20190326:cryptocurrency:c95b701, author = {GReAT}, title = {{Cryptocurrency businesses still being targeted by Lazarus}}, date = {2019-03-26}, organization = {Kaspersky Labs}, url = {https://securelist.com/cryptocurrency-businesses-still-being-targeted-by-lazarus/90019/}, language = {English}, urldate = {2019-12-20} } @online{great:20190328:return:be8d0b5, author = {GReAT}, title = {{The return of the BOM}}, date = {2019-03-28}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-return-of-the-bom/90065/}, language = {English}, urldate = {2019-12-20} } @online{great:20190423:operation:20b8f83, author = {GReAT and AMR}, title = {{Operation ShadowHammer: a high-profile supply chain attack}}, date = {2019-04-23}, organization = {Kaspersky Labs}, url = {https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/}, language = {English}, urldate = {2019-12-20} } @online{great:20190513:scarcruft:eb8bb1c, author = {GReAT}, title = {{ScarCruft continues to evolve, introduces Bluetooth harvester}}, date = {2019-05-13}, organization = {Kaspersky Labs}, url = {https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/}, language = {English}, urldate = {2019-12-20} } @online{great:20190603:zebrocys:25be7a9, author = {GReAT}, title = {{Zebrocy’s Multilanguage Malware Salad}}, date = {2019-06-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/zebrocys-multilanguage-malware-salad/90680/}, language = {English}, urldate = {2019-12-20} } @online{great:20190626:viceleaker:7145f5f, author = {GReAT}, title = {{ViceLeaker Operation: mobile espionage targeting Middle East}}, date = {2019-06-26}, organization = {Kaspersky Labs}, url = {https://securelist.com/fanning-the-flames-viceleaker-operation/90877/}, language = {English}, urldate = {2019-12-20} } @online{great:20190710:new:f1277c3, author = {GReAT and AMR}, title = {{New FinSpy iOS and Android implants revealed ITW}}, date = {2019-07-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/new-finspy-ios-and-android-implants-revealed-itw/91685/}, language = {English}, urldate = {2019-12-20} } @online{great:20190801:trends:5e25d5b, author = {GReAT}, title = {{APT trends report Q2 2019}}, date = {2019-08-01}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2019/91897/}, language = {English}, urldate = {2020-08-13} } @online{great:20190812:recent:3a35688, author = {GReAT}, title = {{Recent Cloud Atlas activity}}, date = {2019-08-12}, organization = {Kaspersky Labs}, url = {https://securelist.com/recent-cloud-atlas-activity/92016/}, language = {English}, urldate = {2019-12-20} } @online{great:20190829:fully:a86ed11, author = {GReAT}, title = {{Fully equipped Spying Android RAT from Brazil: BRATA}}, date = {2019-08-29}, organization = {Kaspersky Labs}, url = {https://securelist.com/spying-android-rat-from-brazil-brata/92775/}, language = {English}, urldate = {2019-12-20} } @online{great:20191003:compfun:fd13b9e, author = {GReAT}, title = {{COMpfun successor Reductor infects files on the fly to compromise TLS traffic}}, date = {2019-10-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/compfun-successor-reductor/93633/}, language = {English}, urldate = {2020-01-08} } @online{great:20191128:revengehotels:4fd8ea9, author = {GReAT}, title = {{RevengeHotels: cybercrime targeting hotel front desks worldwide}}, date = {2019-11-28}, organization = {Kaspersky Labs}, url = {https://securelist.com/revengehotels/95229/}, language = {English}, urldate = {2020-01-09} } @online{great:20200108:operation:ea445d5, author = {GReAT}, title = {{Operation AppleJeus Sequel}}, date = {2020-01-08}, organization = {Kaspersky Labs}, url = {https://securelist.com/operation-applejeus-sequel/95596/}, language = {English}, urldate = {2020-01-13} } @online{great:20200508:naikons:f1646a6, author = {GReAT}, title = {{Naikon’s Aria}}, date = {2020-05-08}, organization = {Kaspersky Labs}, url = {https://securelist.com/naikons-aria/96899/}, language = {English}, urldate = {2020-07-06} } @online{great:20200514:compfun:eda09d1, author = {GReAT}, title = {{COMpfun authors spoof visa application with HTTP status-based Trojan}}, date = {2020-05-14}, organization = {Kaspersky Labs}, url = {https://securelist.com/compfun-http-status-based-trojan/96874/}, language = {English}, urldate = {2020-05-14} } @online{great:20200603:cycldek:ed9a830, author = {GReAT and Mark Lechtik and Giampaolo Dedola}, title = {{Cycldek: Bridging the (air) gap}}, date = {2020-06-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/cycldek-bridging-the-air-gap/97157/}, language = {English}, urldate = {2020-06-03} } @online{great:20200714:tetrade:c97f76a, author = {GReAT}, title = {{The Tetrade: Brazilian banking malware goes global}}, date = {2020-07-14}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-tetrade-brazilian-banking-malware/97779/}, language = {English}, urldate = {2020-07-15} } @online{great:20200722:mata:591e184, author = {GReAT}, title = {{MATA: Multi-platform targeted malware framework}}, date = {2020-07-22}, organization = {Kaspersky Labs}, url = {https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/}, language = {English}, urldate = {2020-07-23} } @online{great:20200729:trends:6810325, author = {GReAT}, title = {{APT trends report Q2 2020}}, date = {2020-07-29}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2020/97937/}, language = {English}, urldate = {2020-07-30} } @online{great:20200910:overview:f751b73, author = {GReAT}, title = {{An overview of targeted attacks and APTs on Linux}}, date = {2020-09-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/}, language = {English}, urldate = {2020-10-05} } @online{greenberg:20170920:ccleaner:3590e9c, author = {Andy Greenberg}, title = {{The CCleaner Malware Fiasco Targeted at Least 18 Specific Tech Firms}}, date = {2017-09-20}, organization = {Wired}, url = {https://www.wired.com/story/ccleaner-malware-targeted-tech-firms}, language = {English}, urldate = {2019-12-16} } @online{greenberg:20171024:new:5359735, author = {Andy Greenberg}, title = {{New Ransomware Linked to NotPetya Sweeps Russia and Ukraine}}, date = {2017-10-24}, organization = {Wired}, url = {https://www.wired.com/story/badrabbit-ransomware-notpetya-russia-ukraine/}, language = {English}, urldate = {2020-01-06} } @online{greenberg:20171109:he:5442358, author = {Andy Greenberg}, title = {{He Perfected a Password-Hacking Tool—Then the Russians Came Calling}}, date = {2017-11-09}, organization = {Wired}, url = {https://www.wired.com/story/how-mimikatz-became-go-to-hacker-tool/}, language = {English}, urldate = {2020-01-08} } @online{greenberg:20191017:untold:c257d22, author = {Andy Greenberg}, title = {{The Untold Story of the 2018 Olympics Cyberattack, the Most Deceptive Hack in History}}, date = {2019-10-17}, organization = {Wired}, url = {https://www.wired.com/story/untold-story-2018-olympics-destroyer-cyberattack/}, language = {English}, urldate = {2020-01-13} } @online{greenberg:20200528:nsa:c35f45e, author = {Andy Greenberg}, title = {{NSA: Russia's Sandworm Hackers Have Hijacked Mail Servers}}, date = {2020-05-28}, organization = {Wired}, url = {https://www.wired.com/story/nsa-sandworm-exim-mail-server-warning/}, language = {English}, urldate = {2020-05-29} } @online{greenberg:20200716:iranian:4cc83df, author = {Andy Greenberg}, title = {{Iranian Spies Accidentally Leaked Videos of Themselves Hacking}}, date = {2020-07-16}, organization = {Wired}, url = {https://www.wired.com/story/iran-apt35-hacking-video/}, language = {English}, urldate = {2020-07-16} } @online{greenberg:20200724:russias:689bbb1, author = {Andy Greenberg}, title = {{Russia's GRU Hackers Hit US Government and Energy Targets}}, date = {2020-07-24}, organization = {Wired}, url = {https://www.wired.com/story/russia-fancy-bear-us-hacking-campaign-government-energy/}, language = {English}, urldate = {2020-07-30} } @online{greenberg:20201001:russias:3440982, author = {Andy Greenberg}, title = {{Russia’s Fancy Bear Hackers Likely Penetrated a US Federal Agency}}, date = {2020-10-01}, organization = {Wired}, url = {https://www.wired.com/story/russias-fancy-bear-hack-us-federal-agency/}, language = {English}, urldate = {2020-10-05} } @online{greenberg:20201019:us:89aec2c, author = {Andy Greenberg}, title = {{US Indicts Sandworm, Russia's Most Destructive Cyberwar Unit}}, date = {2020-10-19}, organization = {Wired}, url = {https://www.wired.com/story/us-indicts-sandworm-hackers-russia-cyberwar-unit/}, language = {English}, urldate = {2020-10-19} } @online{greminger:20150618:so:28825c8, author = {Slavo Greminger}, title = {{So Long, and Thanks for All the Domains}}, date = {2015-06-18}, organization = {SWITCH Security Blog}, url = {https://securityblog.switch.ch/2015/06/18/so-long-and-thanks-for-all-the-domains/}, language = {English}, urldate = {2019-07-11} } @online{griffin:20160808:monsoon:ac7eb5b, author = {Nicholas Griffin}, title = {{MONSOON - Analysis Of An APT Campaign}}, date = {2016-08-08}, organization = {Forcepoint}, url = {https://www.forcepoint.com/blog/x-labs/monsoon-analysis-apt-campaign}, language = {English}, urldate = {2020-04-06} } @online{griffin:20160922:zeus:94d0df7, author = {Nicholas Griffin}, title = {{Zeus Delivered by DELoader to Defraud Customers of Canadian Banks}}, date = {2016-09-22}, organization = {Forcepoint}, url = {https://www.forcepoint.com/blog/security-labs/zeus-delivered-deloader-defraud-customers-canadian-banks}, language = {English}, urldate = {2020-01-13} } @online{griffin:20160928:highly:c9c3359, author = {Nicholas Griffin}, title = {{Highly Evasive Code Injection Awaits User Interaction Before Delivering Malware}}, date = {2016-09-28}, organization = {Forcepoint}, url = {https://www.forcepoint.com/blog/security-labs/highly-evasive-code-injection-awaits-user-interaction-delivering-malware}, language = {English}, urldate = {2020-01-09} } @online{griffin:20170117:carbanak:68e7e00, author = {Nicholas Griffin}, title = {{Carbanak Group uses Google for malware command-and-control}}, date = {2017-01-17}, organization = {Forcepoint}, url = {https://www.forcepoint.com/blog/x-labs/carbanak-group-uses-google-malware-command-and-control}, language = {English}, urldate = {2020-05-27} } @online{grill:20170313:detecting:b90625c, author = {Bernhard Grill and Megan Ruthven and Xin Zhao}, title = {{Detecting and eliminating Chamois, a fraud botnet on Android}}, date = {2017-03-13}, organization = {Google}, url = {https://android-developers.googleblog.com/2017/03/detecting-and-eliminating-chamois-fraud.html}, language = {English}, urldate = {2020-01-06} } @online{groisman:20190301:threat:aaf612e, author = {Alon Groisman}, title = {{Threat Alert: AVE Maria infostealer on the rise}}, date = {2019-03-01}, organization = {Morphisec}, url = {http://blog.morphisec.com/threat-alert-ave-maria-infostealer-on-the-rise-with-new-stealthier-delivery}, language = {English}, urldate = {2020-01-09} } @online{grooten:20180427:gravityrat:40749fa, author = {Martijn Grooten}, title = {{GravityRAT malware takes your system's temperature}}, date = {2018-04-27}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/blog/2018/04/gravityrat-malware-takes-your-systems-temperature/}, language = {English}, urldate = {2020-01-13} } @online{gross:20150513:cylance:57a5597, author = {Jon Gross}, title = {{Cylance SPEAR Team: A Threat Actor Resurfaces}}, date = {2015-05-13}, organization = {Cylance}, url = {https://blog.cylance.com/spear-a-threat-actor-resurfaces}, language = {English}, urldate = {2019-10-15} } @techreport{gross:20160223:operation:424641b, author = {Jon Gross and Cylance SPEAR Team}, title = {{Operation Dust Storm}}, date = {2016-02-23}, institution = {Cylance}, url = {https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf}, language = {English}, urldate = {2020-01-09} } @online{gross:20170227:deception:3690880, author = {Jon Gross}, title = {{The Deception Project: A New Japanese-Centric Threat}}, date = {2017-02-27}, organization = {Cylance}, url = {https://threatvector.cylance.com/en_us/home/the-deception-project-a-new-japanese-centric-threat.html}, language = {English}, urldate = {2020-01-09} } @online{gross:20170227:deception:c424a01, author = {Jon Gross}, title = {{The Deception Project: A New Japanese-Centric Threat}}, date = {2017-02-27}, organization = {Threat Vector}, url = {https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html}, language = {English}, urldate = {2020-01-05} } @online{gross:20200819:riskiq:94e5ccf, author = {Jon Gross and Cory Kennedy}, title = {{RiskIQ Adventures in Cookie Land - Part 1}}, date = {2020-08-19}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/5fe2da7f}, language = {English}, urldate = {2020-09-23} } @online{gross:20200916:riskiq:da4b864, author = {Jon Gross}, title = {{RiskIQ: Adventures in Cookie Land - Part 2}}, date = {2020-09-16}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/56fa1b2f}, language = {English}, urldate = {2020-09-23} } @online{gross:20200930:diving:8e26441, author = {Jon Gross}, title = {{Diving Into DONOT's Mobile Rabbit Hole}}, date = {2020-09-30}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/6f60db72}, language = {English}, urldate = {2020-10-04} } @online{group:20161009:siteintel:906676a, author = {SITE Intelligence Group}, title = {{SiteIntel: Cyber Caliphate Army}}, date = {2016-10-09}, url = {https://ent.siteintelgroup.com/index.php?option=com_customproperties&view=search&task=tag&bind_to_category=content:37&tagId=697}, language = {English}, urldate = {2020-05-27} } @online{group:20181113:chinese:6141b55, author = {Insikt Group}, title = {{Chinese Threat Actor TEMP.Periscope Targets UK-Based Engineering Company Using Russian APT Techniques}}, date = {2018-11-13}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/chinese-threat-actor-tempperiscope/}, language = {English}, urldate = {2020-01-13} } @techreport{group:20190206:apt10:74d18e7, author = {Insikt Group and Rapid7}, title = {{APT10 Targeted Norwegian MSP and US Companies in Sustained Campaign}}, date = {2019-02-06}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf}, language = {English}, urldate = {2019-12-17} } @techreport{group:20190206:apt10:9c61d0b, author = {Insikt Group and Rapid7}, title = {{APT10 Targeted NorwegianMSP and US Companies in Sustained Campaign}}, date = {2019-02-06}, institution = {Recorded Future}, url = {http://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf}, language = {English}, urldate = {2020-01-06} } @techreport{group:20200123:european:c3ca9e3, author = {Insikt Group}, title = {{European Energy Sector Organization Targeted by PupyRAT Malware in Late 2019}}, date = {2020-01-23}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2020-0123.pdf}, language = {English}, urldate = {2020-01-27} } @online{group:20200312:swallowing:b1becb5, author = {Insikt Group}, title = {{Swallowing the Snake’s Tail: Tracking Turla Infrastructure}}, date = {2020-03-12}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/turla-apt-infrastructure/}, language = {English}, urldate = {2020-03-13} } @techreport{group:20200610:new:fbd9342, author = {Insikt Group®}, title = {{New Ransomware-as-a-Service Tool ‘Thanos’ Shows Connections to ‘Hakbit}}, date = {2020-06-10}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2020-0610.pdf}, language = {English}, urldate = {2020-06-11} } @online{group:20200615:striking:8fdf4bb, author = {Exploit Development Group}, title = {{Striking Back at Retired Cobalt Strike: A look at a legacy vulnerability}}, date = {2020-06-15}, organization = {NCC Group}, url = {https://research.nccgroup.com/2020/06/15/striking-back-at-retired-cobalt-strike-a-look-at-a-legacy-vulnerability/}, language = {English}, urldate = {2020-06-16} } @techreport{group:20200729:chinese:1929fcd, author = {Insikt Group}, title = {{Chinese State-sponsored Group RedDelta Targets the Vatican and Catholic Organizations}}, date = {2020-07-29}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2020-0728.pdf}, language = {English}, urldate = {2020-07-30} } @techreport{group:20200903:russianrelated:448f739, author = {Insikt Group®}, title = {{Russian-related Threats to the 2020 U.S. Presidential Election}}, date = {2020-09-03}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2020-0903.pdf}, language = {English}, urldate = {2020-09-06} } @techreport{group:20200915:back:2c78a6f, author = {Insikt Group®}, title = {{Back Despite Disruption: RedDelta Resumes Operations}}, date = {2020-09-15}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2020-0915.pdf}, language = {English}, urldate = {2020-09-16} } @techreport{group:20201016:banking:bcbd283, author = {Insikt Group®}, title = {{Banking Web Injects Are Top Cyber Threat For Financial Sector}}, date = {2020-10-16}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2020-1016.pdf}, language = {English}, urldate = {2020-10-23} } @techreport{groupib:201603:buhtrap:65fd758, author = {Group-IB}, title = {{BUHTRAP: The Evolution of Targetted Attacks Against Financial Instituitions}}, date = {2016-03}, institution = {Group-IB}, url = {https://www.group-ib.com/brochures/gib-buhtrap-report.pdf}, language = {English}, urldate = {2020-01-12} } @online{groupib:2016:cron:ef29ee9, author = {Group-IB}, title = {{Cron has fallen}}, date = {2016}, organization = {Group-IB}, url = {http://blog.group-ib.com/cron}, language = {English}, urldate = {2020-01-13} } @techreport{groupib:20180522:anunak:97d0646, author = {Group-IB and Fox-IT}, title = {{Anunak: APT against financial institutions}}, date = {2018-05-22}, institution = {Group-IB}, url = {https://www.group-ib.com/resources/threat-research/Anunak_APT_against_financial_institutions.pdf}, language = {English}, urldate = {2020-01-06} } @online{groupib:20180905:silence:6886d17, author = {Group-IB}, title = {{Silence: Moving into the Darkside}}, date = {2018-09-05}, organization = {Group-IB}, url = {https://www.group-ib.com/blog/silence}, language = {English}, urldate = {2019-12-18} } @online{groupib:20190328:groupib:e9956d2, author = {Group-IB and Pavel Krylov and Rustam Mirkasymov}, title = {{Group-IB uncovers Android Trojan named «Gustuff» capable of targeting more than 100 global banking apps, cryptocurrency and marketplace applications}}, date = {2019-03-28}, organization = {Group-IB}, url = {https://www.group-ib.com/media/gustuff/}, language = {English}, urldate = {2019-07-09} } @online{groupib:201908:attacks:9da5611, author = {Group-IB}, title = {{Attacks by Silence}}, date = {2019-08}, organization = {Group-IB}, url = {https://www.group-ib.com/resources/threat-research/silence.html}, language = {English}, urldate = {2020-01-07} } @techreport{groupib:201908:silence:1845381, author = {Group-IB}, title = {{Silence 2.0 - Going Global}}, date = {2019-08}, institution = {Group-IB}, url = {https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf}, language = {English}, urldate = {2019-12-17} } @online{grozev:20200505:who:bd9d865, author = {Christo Grozev}, title = {{Who Is Dmitry Badin, The GRU Hacker Indicted By Germany Over The Bundestag Hacks?}}, date = {2020-05-05}, organization = {Bellingcat}, url = {https://www.bellingcat.com/news/2020/05/05/who-is-dmitry-badin-the-gru-hacker-indicted-by-germany-over-the-bundestag-hacks/}, language = {English}, urldate = {2020-05-05} } @online{grujars:20191213:squad:437183d, author = {GrujaRS}, title = {{Tweet on Squad Ransomware}}, date = {2019-12-13}, organization = {Twitter (@GrujaRS)}, url = {https://twitter.com/GrujaRS/status/1205566219971125249}, language = {English}, urldate = {2020-01-08} } @online{grujars:20191227:yarraq:bdde865, author = {GrujaRS}, title = {{Tweet on Yarraq Ransomware}}, date = {2019-12-27}, organization = {Twitter (@GrujaRS)}, url = {https://twitter.com/GrujaRS/status/1210541690349662209}, language = {English}, urldate = {2020-01-13} } @online{grujars:20200322:new:d94c371, author = {GrujaRS}, title = {{New #VHD (virtual hard disk)#Ransomware extension .vhd!}}, date = {2020-03-22}, url = {https://twitter.com/GrujaRS/status/1241657443282825217}, language = {English}, urldate = {2020-03-27} } @online{grujars:20200427:about:54c4b58, author = {GrujaRS}, title = {{Tweet about spotting goCryptoLocker in the wild}}, date = {2020-04-27}, organization = {Twitter (@GrujaRS)}, url = {https://twitter.com/GrujaRS/status/1254657823478353920}, language = {English}, urldate = {2020-04-28} } @online{grunzweig:20121213:dexter:339a8fd, author = {Josh Grunzweig}, title = {{The Dexter Malware: Getting Your Hands Dirty}}, date = {2012-12-13}, organization = {SpiderLabs Blog}, url = {https://www.trustwave.com/Resources/SpiderLabs-Blog/The-Dexter-Malware--Getting-Your-Hands-Dirty/}, language = {English}, urldate = {2020-01-06} } @online{grunzweig:20130508:alina:4b70c89, author = {Josh Grunzweig}, title = {{Alina: Casting a Shadow on POS}}, date = {2013-05-08}, organization = {SpiderLabs Blog}, url = {https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina--Casting-a-Shadow-on-POS/}, language = {English}, urldate = {2020-01-09} } @online{grunzweig:20130517:alina:f668aaf, author = {Josh Grunzweig}, title = {{Alina: Following The Shadow Part 1}}, date = {2013-05-17}, organization = {Trustwave}, url = {https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina--Following-The-Shadow-Part-1/}, language = {English}, urldate = {2019-12-17} } @online{grunzweig:20130603:alina:2c8f3e9, author = {Josh Grunzweig}, title = {{Alina: Following The Shadow Part 2}}, date = {2013-06-03}, organization = {Trustwave}, url = {https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina--Following-The-Shadow-Part-2/}, language = {English}, urldate = {2019-12-17} } @online{grunzweig:20131209:curious:8c64525, author = {Josh Grunzweig}, title = {{The Curious Case of the Malicious IIS Module}}, date = {2013-12-09}, organization = {Trustwave}, url = {https://www.trustwave.com/Resources/SpiderLabs-Blog/The-Curious-Case-of-the-Malicious-IIS-Module/}, language = {English}, urldate = {2019-12-04} } @online{grunzweig:20140715:unit:0cf98cb, author = {Josh Grunzweig}, title = {{Unit 42 Technical Analysis: Seaduke}}, date = {2014-07-15}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/}, language = {English}, urldate = {2020-08-19} } @online{grunzweig:20150319:findpos:87059f2, author = {Josh Grunzweig}, title = {{FindPOS: New POS Malware Family Discovered}}, date = {2015-03-19}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2015/03/findpos-new-pos-malware-family-discovered/}, language = {English}, urldate = {2019-12-20} } @online{grunzweig:20151009:latest:c328965, author = {Josh Grunzweig}, title = {{Latest TeslaCrypt Ransomware Borrows Code From Carberp Trojan}}, date = {2015-10-09}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2015/10/latest-teslacrypt-ransomware-borrows-code-from-carberp-trojan/}, language = {English}, urldate = {2019-12-20} } @online{grunzweig:20160122:new:f7cb504, author = {Josh Grunzweig and Bryan Lee}, title = {{New Attacks Linked to C0d0so0 Group}}, date = {2016-01-22}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-group/}, language = {English}, urldate = {2019-12-20} } @online{grunzweig:20160311:powersniff:ca6c14f, author = {Josh Grunzweig and Brandon Levene}, title = {{PowerSniff Malware Used in Macro-based Attacks}}, date = {2016-03-11}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/powersniff-malware-used-in-macro-based-attacks/}, language = {English}, urldate = {2020-01-08} } @online{grunzweig:20160314:digital:b6ddc60, author = {Josh Grunzweig and Robert Falcone and Bryan Lee}, title = {{Digital Quartermaster Scenario Demonstrated in Attacks Against the Mongolian Government}}, date = {2016-03-14}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2016/03/digital-quartermaster-scenario-demonstrated-in-attacks-against-the-mongolian-government/}, language = {English}, urldate = {2019-12-20} } @online{grunzweig:20160502:prince:bd368e1, author = {Josh Grunzweig}, title = {{Prince of Persia Hashes}}, date = {2016-05-02}, organization = {Github (pan-unit42)}, url = {https://github.com/pan-unit42/iocs/blob/master/prince_of_persia/hashes.csv}, language = {English}, urldate = {2020-01-08} } @online{grunzweig:20160524:new:d1cd669, author = {Josh Grunzweig and Mike Scott and Bryan Lee}, title = {{New Wekby Attacks Use DNS Requests As Command and Control Mechanism}}, date = {2016-05-24}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/}, language = {English}, urldate = {2019-12-20} } @online{grunzweig:20160708:investigating:576bb94, author = {Josh Grunzweig}, title = {{Investigating the LuminosityLink Remote Access Trojan Configuration}}, date = {2016-07-08}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2016/07/unit42-investigating-the-luminositylink-remote-access-trojan-configuration/}, language = {English}, urldate = {2019-12-20} } @online{grunzweig:20160816:aveo:6f3cf5c, author = {Josh Grunzweig and Robert Falcone}, title = {{Aveo Malware Family Targets Japanese Speaking Users}}, date = {2016-08-16}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2016/08/unit42-aveo-malware-family-targets-japanese-speaking-users/}, language = {English}, urldate = {2019-12-20} } @online{grunzweig:20161004:oilrig:2e3b9e0, author = {Josh Grunzweig and Robert Falcone}, title = {{OilRig Malware Campaign Updates Toolset and Expands Targets}}, date = {2016-10-04}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/}, language = {English}, urldate = {2019-10-22} } @online{grunzweig:20161004:oilrig:72c4b0e, author = {Josh Grunzweig and Robert Falcone}, title = {{OilRig Malware Campaign Updates Toolset and Expands Targets}}, date = {2016-10-04}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/}, language = {English}, urldate = {2019-12-20} } @online{grunzweig:20170105:dragonok:2b228f2, author = {Josh Grunzweig}, title = {{DragonOK Updates Toolset and Targets Multiple Geographic Regions}}, date = {2017-01-05}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/}, language = {English}, urldate = {2019-12-17} } @online{grunzweig:20170105:dragonok:f5f73f6, author = {Josh Grunzweig}, title = {{DragonOK Updates Toolset and Targets Multiple Geographic Regions}}, date = {2017-01-05}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/01/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/}, language = {English}, urldate = {2019-12-20} } @online{grunzweig:20170315:nexuslogger:5530c6b, author = {Josh Grunzweig}, title = {{NexusLogger: A New Cloud-based Keylogger Enters the Market}}, date = {2017-03-15}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/03/unit42-nexuslogger-new-cloud-based-keylogger-enters-market/}, language = {English}, urldate = {2019-12-20} } @online{grunzweig:20170420:cardinal:dbe903e, author = {Josh Grunzweig}, title = {{Cardinal RAT Active for Over Two Years}}, date = {2017-04-20}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/?adbsc=social71702736&adbid=855028404965433346&adbpl=tw&adbpr=4487645412}, language = {English}, urldate = {2019-12-20} } @online{grunzweig:20170928:threat:835bf8e, author = {Josh Grunzweig and Robert Falcone}, title = {{Threat Actors Target Government of Belarus Using CMSTAR Trojan}}, date = {2017-09-28}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/09/unit42-threat-actors-target-government-belarus-using-cmstar-trojan}, language = {English}, urldate = {2019-12-20} } @online{grunzweig:20171110:new:12fdedb, author = {Josh Grunzweig and Jen Miller-Osborn}, title = {{New Malware with Ties to SunOrcal Discovered}}, date = {2017-11-10}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/}, language = {English}, urldate = {2019-12-20} } @online{grunzweig:20180126:tophat:42d9f5d, author = {Josh Grunzweig}, title = {{The TopHat Campaign: Attacks Within The Middle East Region Using Popular Third-Party Services}}, date = {2018-01-26}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/01/unit42-the-tophat-campaign-attacks-within-the-middle-east-region-using-popular-third-party-services/}, language = {English}, urldate = {2019-12-20} } @online{grunzweig:20180417:squirtdanger:86b0da6, author = {Josh Grunzweig and Brandon Levene and Kyle Wilhoit and Pat Litke}, title = {{SquirtDanger: The Swiss Army Knife Malware from Veteran Malware Author TheBottle}}, date = {2018-04-17}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/04/unit42-squirtdanger-swiss-army-knife-malware-veteran-malware-author-thebottle/}, language = {English}, urldate = {2019-12-20} } @online{grunzweig:20180927:new:d33c053, author = {Josh Grunzweig and Bryan Lee}, title = {{New KONNI Malware attacking Eurasia and Southeast Asia}}, date = {2018-09-27}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/}, language = {English}, urldate = {2019-12-20} } @online{grunzweig:20181001:nokki:b458c95, author = {Josh Grunzweig}, title = {{NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT}}, date = {2018-10-01}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/}, language = {English}, urldate = {2019-12-20} } @online{grunzweig:20190225:multiple:5d7b857, author = {Josh Grunzweig and Brittany Ash}, title = {{Multiple ArtraDownloader Variants Used by BITTER to Target Pakistan}}, date = {2019-02-25}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan/}, language = {English}, urldate = {2019-12-10} } @online{grunzweig:20191129:fractured:65257b7, author = {Josh Grunzweig and Kyle Wilhoit}, title = {{The Fractured Block Campaign: CARROTBAT Used to Deliver Malware Targeting Southeast Asia}}, date = {2019-11-29}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-the-fractured-block-campaign-carrotbat-malware-used-to-deliver-malware-targeting-southeast-asia/}, language = {English}, urldate = {2020-01-12} } @online{gu:20171030:coin:5a1f004, author = {Jason Gu and Veo Zhang and Seven Shen}, title = {{Coin Miner Mobile Malware Returns, Hits Google Play}}, date = {2017-10-30}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/coin-miner-mobile-malware-returns-hits-google-play/}, language = {English}, urldate = {2019-12-24} } @techreport{gu:2019:vine:df5dbfb, author = {Lion Gu and Bowen Pan}, title = {{A vine climbing over the Great Firewall: A long-term attack against China}}, date = {2019}, institution = {Virus Bulletin}, url = {https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-GuPan.pdf}, language = {English}, urldate = {2020-01-08} } @online{guardicore:20200630:botnet:9a0cb16, author = {Guardicore}, title = {{Botnet Encyclopedia}}, date = {2020-06-30}, organization = {Guardicore}, url = {https://www.guardicore.com/botnet-encyclopedia/}, language = {English}, urldate = {2020-07-02} } @online{guarino:20190614:houdini:d6c63fa, author = {Nick Guarino and Aaron Riley}, title = {{Houdini Worm Transformed in New Phishing Attack}}, date = {2019-06-14}, organization = {Cofense}, url = {https://cofense.com/houdini-worm-transformed-new-phishing-attack/}, language = {English}, urldate = {2020-01-08} } @online{guarnieri:20130607:keyboy:58ebd77, author = {Claudio Guarnieri and Mark Schloesser}, title = {{KeyBoy, Targeted Attacks against Vietnam and India}}, date = {2013-06-07}, organization = {Rapid7 Labs}, url = {https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/}, language = {English}, urldate = {2019-12-20} } @online{guarnieri:20150619:digital:6c1a11b, author = {Claudio Guarnieri}, title = {{Digital Attack on German Parliament: Investigative Report on the Hack of the Left Party Infrastructure in Bundestag}}, date = {2015-06-19}, organization = {Netzpolitik.org}, url = {https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/}, language = {English}, urldate = {2020-01-10} } @techreport{guarnieri:201608:iran:d15568e, author = {Claudio Guarnieri and Collin Anderson}, title = {{Iran and the Soft Warfor Internet Dominance}}, date = {2016-08}, institution = {Black Hat}, url = {https://www.blackhat.com/docs/us-16/materials/us-16-Guarnieri-Iran-And-The-Soft-War-For-Internet-Dominance-wp.pdf}, language = {English}, urldate = {2019-11-26} } @online{guarnieri:20170206:ikittens:b5486bb, author = {Claudio Guarnieri and Collin Anderson}, title = {{iKittens: Iranian Actor Resurfaces with Malware for Mac (MacDownloader)}}, date = {2017-02-06}, organization = {Iran Threats}, url = {https://iranthreats.github.io/resources/macdownloader-macos-malware/}, language = {English}, urldate = {2020-01-09} } @online{gubi:20181017:emergence:670b6fd, author = {Israel Gubi}, title = {{The Emergence of the New Azorult 3.3}}, date = {2018-10-17}, organization = {Check Point}, url = {https://research.checkpoint.com/the-emergence-of-the-new-azorult-3-3/}, language = {English}, urldate = {2020-01-07} } @online{gubi:20190709:2019:38d9134, author = {Israel Gubi}, title = {{The 2019 Resurgence of Smokeloader}}, date = {2019-07-09}, organization = {Check Point}, url = {https://research.checkpoint.com/2019-resurgence-of-smokeloader/}, language = {English}, urldate = {2020-01-10} } @online{guerrerosaade:20171224:turla:dd95598, author = {Juan Andrés Guerrero-Saade}, title = {{Tweet on Turla Penquin}}, date = {2017-12-24}, organization = {Twitter (@juanandres_gs)}, url = {https://twitter.com/juanandres_gs/status/944741575837528064}, language = {English}, urldate = {2020-01-06} } @techreport{guerrerosaade:201803:penquins:1c6305e, author = {Juan Andrés Guerrero-Saade and Costin Raiu and Daniel Moore and Thomas Rid}, title = {{Penquin's Moonlit Maze}}, date = {2018-03}, institution = {Kaspersky Labs}, url = {https://securelist.com/files/2017/04/Penquins_Moonlit_Maze_PDF_eng.pdf}, language = {English}, urldate = {2019-11-25} } @online{guerrerosaade:20180626:redalpha:58724c7, author = {Juan Andrés Guerrero-Saade and Sanil Chohan}, title = {{RedAlpha: New Campaigns Discovered Targeting the Tibetan Community}}, date = {2018-06-26}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/redalpha-cyber-campaigns/}, language = {English}, urldate = {2020-01-07} } @techreport{guerrerosaade:20180626:redalpha:c7f1df0, author = {Juan Andrés Guerrero-Saade and Sanil Chohan}, title = {{RedAlpha: New Campaigns Discovered Targeting theTibetan Community}}, date = {2018-06-26}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2018-0626.pdf}, language = {English}, urldate = {2020-01-09} } @techreport{guerrerosaade:20190409:flame:4ce4c10, author = {Juan Andrés Guerrero-Saade and Silas Cutler}, title = {{Flame 2.0: Risen from the Ashes}}, date = {2019-04-09}, institution = {Chronicle Security}, url = {https://storage.googleapis.com/chronicle-research/Flame%202.0%20Risen%20from%20the%20Ashes.pdf}, language = {English}, urldate = {2020-01-08} } @techreport{guerrerosaade:20190409:oldest:062ea25, author = {Juan Andrés Guerrero-Saade and Silas Cutler}, title = {{The Oldest Stuxnet Component Dials Up}}, date = {2019-04-09}, institution = {Chronicle Security}, url = {https://storage.googleapis.com/chronicle-research/STUXSHOP%20Stuxnet%20Dials%20In%20.pdf}, language = {English}, urldate = {2019-12-04} } @online{guerrerosaade:20200422:nazar:0c5eef8, author = {Juan Andrés Guerrero-Saade}, title = {{Nazar: A Lost Amulet}}, date = {2020-04-22}, organization = {EpicTurla}, url = {https://www.epicturla.com/blog/the-lost-nazar}, language = {English}, urldate = {2020-05-05} } @online{guerrerosaade:20200526:acidbox:06edc14, author = {Juan Andrés Guerrero-Saade}, title = {{ACIDBOX Clustering}}, date = {2020-05-26}, organization = {EpicTurla}, url = {https://www.epicturla.com/blog/acidbox-clustering}, language = {English}, urldate = {2020-06-29} } @online{guerrerosaade:20200528:sysinturla:8cad820, author = {Juan Andrés Guerrero-Saade}, title = {{SysInTURLA}}, date = {2020-05-28}, organization = {EpicTurla}, url = {https://www.epicturla.com/blog/sysinturla}, language = {English}, urldate = {2020-05-29} } @online{guertin:20200109:pha:deb82eb, author = {Alec Guertin and Vadim Kotov}, title = {{PHA Family Highlights: Bread (and Friends)}}, date = {2020-01-09}, organization = {Google}, url = {https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html}, language = {English}, urldate = {2020-01-20} } @online{guillois:20200729:sodinokibi:6d76347, author = {Nicolas Guillois}, title = {{Sodinokibi / REvil Malware Analysis}}, date = {2020-07-29}, organization = {AmosSys}, url = {https://blog.amossys.fr/sodinokibi-malware-analysis.html}, language = {English}, urldate = {2020-08-31} } @online{guinet:20200829:emulating:45c0c16, author = {Adrien Guinet}, title = {{Emulating NotPetya bootloader with Miasm}}, date = {2020-08-29}, organization = {Aguinet}, url = {https://aguinet.github.io//blog/2020/08/29/miasm-bootloader.html}, language = {English}, urldate = {2020-09-04} } @online{guirakhoo:20200312:how:cf2276f, author = {Alex Guirakhoo}, title = {{How cybercriminals are taking advantage of COVID-19: Scams, fraud, and misinformation}}, date = {2020-03-12}, organization = {Digital Shadows}, url = {https://www.digitalshadows.com/blog-and-research/how-cybercriminals-are-taking-advantage-of-covid-19-scams-fraud-misinformation/}, language = {English}, urldate = {2020-03-19} } @online{gull:20190810:select:56061b1, author = {Omer Gull}, title = {{SELECT code_execution FROM * USING SQLite;}}, date = {2019-08-10}, organization = {Check Point}, url = {https://research.checkpoint.com/2019/select-code_execution-from-using-sqlite/}, language = {English}, urldate = {2020-02-09} } @online{gutierrez:20121220:trojanstabuniq:3e7b380, author = {Fred Gutierrez}, title = {{Trojan.Stabuniq Found on Financial Institution Servers}}, date = {2012-12-20}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/trojanstabuniq-found-financial-institution-servers}, language = {English}, urldate = {2020-01-10} } @online{h4ck:20141108:review:85ad7e4, author = {H4ck}, title = {{Review of jSpy a RAT from jSpy.net}}, date = {2014-11-08}, organization = {How-To-Hack.net}, url = {https://how-to-hack.net/hacking-guides/review-of-jspy-rat-jspy-net/}, language = {English}, urldate = {2019-07-31} } @online{h:20200316:new:60f8c3d, author = {Jeremy H and Axel F and Proofpoint Threat Insight Team}, title = {{New RedLine Stealer Distributed Using Coronavirus-themed Email Campaign}}, date = {2020-03-16}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/new-redline-stealer-distributed-using-coronavirus-themed-email-campaign}, language = {English}, urldate = {2020-03-17} } @online{hackdig:20160217:russian:41104f7, author = {HackDig}, title = {{Russian Police Prevented Massive Banking Sector Cyber Attack}}, date = {2016-02-17}, url = {http://webcache.googleusercontent.com/search?q=cache:TWoHHzH9gU0J:en.hackdig.com/02/39538.htm}, language = {English}, urldate = {2020-06-03} } @online{hackdig:20200812:antiys:0d7e73e, author = {HackDig}, title = {{Antiy's analysis report on the recent APT attacks against the Green Spot organization}}, date = {2020-08-12}, url = {http://www.hackdig.com/08/hack-107672.htm}, language = {Chinese}, urldate = {2020-08-14} } @online{hacker:20171011:more:9040492, author = {Wraith Hacker}, title = {{More info on 'Evolved DNSMessenger'}}, date = {2017-10-11}, organization = {Wraith Hacker Blog}, url = {http://wraithhacker.com/2017/10/11/more-info-on-evolved-dnsmessenger/}, language = {English}, urldate = {2019-10-12} } @online{hacks4pancakes:20170628:why:8053178, author = {hacks4pancakes}, title = {{Why NotPetya Kept Me Awake (& You Should Worry Too)}}, date = {2017-06-28}, url = {https://tisiphone.net/2017/06/28/why-notpetya-kept-me-awake-you-should-worry-too/}, language = {English}, urldate = {2020-01-09} } @online{hacquebord:20151022:pawn:8231722, author = {Feike Hacquebord}, title = {{Pawn Storm Targets MH17 Investigation Team}}, date = {2015-10-22}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-targets-mh17-investigation-team/}, language = {English}, urldate = {2020-01-10} } @online{hacquebord:20191212:more:a1e84b7, author = {Feike Hacquebord and Cedric Pernet and Kenney Lu}, title = {{More than a Dozen Obfuscated APT33 Botnets Used for Extreme Narrow Targeting}}, date = {2019-12-12}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/more-than-a-dozen-obfuscated-apt33-botnets-used-for-extreme-narrow-targeting/}, language = {English}, urldate = {2020-01-13} } @techreport{hacquebord:20200311:pawn:d7ef8ae, author = {Feike Hacquebord}, title = {{Pawn Storm in 2019: A Year of Scanning and Credential Phishing on High-Profile Targets}}, date = {2020-03-11}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/white_papers/wp-pawn-storm-in-2019.pdf}, language = {English}, urldate = {2020-03-19} } @online{hada:20201015:pandas:962b364, author = {Hiroki Hada}, title = {{Panda’s New Arsenal: Part 1 Tmanger}}, date = {2020-10-15}, organization = {NTT Security}, url = {https://insight-jp.nttsecurity.com/post/102gi9b/pandas-new-arsenal-part-1-tmanger}, language = {Japanese}, urldate = {2020-10-19} } @online{hadar:20180116:globeimposter:6a2afda, author = {Alon Hadar}, title = {{GlobeImposter Ransomware}}, date = {2018-01-16}, organization = {enSilo}, url = {https://blog.ensilo.com/globeimposter-ransomware-technical}, language = {English}, urldate = {2019-07-09} } @online{hahn:20161027:procleanerexe:bde4a80, author = {Karsten Hahn}, title = {{Tweet on procleaner.exe}}, date = {2016-10-27}, organization = {Twitter (@struppigel)}, url = {https://twitter.com/struppigel/status/791535679905927168}, language = {English}, urldate = {2019-11-26} } @online{hahn:20161218:unlock92:31d2259, author = {Karsten Hahn}, title = {{Tweet on Unlock92 Ransomware}}, date = {2016-12-18}, organization = {Twitter (@struppigel)}, url = {https://twitter.com/struppigel/status/810753660737073153}, language = {English}, urldate = {2020-01-07} } @online{hahn:20161219:cryptoblock:cd82b17, author = {Karsten Hahn}, title = {{Tweet on CryptoBlock}}, date = {2016-12-19}, organization = {Twitter (@struppigel)}, url = {https://twitter.com/struppigel/status/810770490491043840}, language = {English}, urldate = {2020-01-06} } @online{hahn:20161221:manifestus:d86e48c, author = {Karsten Hahn}, title = {{Tweet on Manifestus Ransomware}}, date = {2016-12-21}, organization = {Twitter (@struppigel)}, url = {https://twitter.com/struppigel/status/811587154983981056}, language = {English}, urldate = {2020-01-13} } @online{hahn:20161224:derialock:4ab9ba7, author = {Karsten Hahn}, title = {{Tweet on DeriaLock}}, date = {2016-12-24}, organization = {Twitter (@struppigel)}, url = {https://twitter.com/struppigel/status/812601286088597505}, language = {English}, urldate = {2019-11-26} } @online{hahn:20161224:kokokrypt:fb647ed, author = {Karsten Hahn}, title = {{Tweet on KoKoKrypt}}, date = {2016-12-24}, organization = {Twitter (@struppigel)}, url = {https://twitter.com/struppigel/status/812726545173401600}, language = {English}, urldate = {2020-01-08} } @online{hahn:20170105:comradecircle:246172d, author = {Karsten Hahn}, title = {{Tweet on ComradeCircle Ransomware}}, date = {2017-01-05}, organization = {Twitter (@struppigel)}, url = {https://twitter.com/struppigel/status/816926371867926528}, language = {English}, urldate = {2020-01-13} } @online{hahn:20170118:spora:43d64d0, author = {Karsten Hahn}, title = {{Spora - the Shortcut Worm that is also a Ransomware}}, date = {2017-01-18}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2017/01/29442-spora-worm-and-ransomware}, language = {English}, urldate = {2019-10-15} } @online{hahn:20171203:malware:b8a77b5, author = {Karsten Hahn}, title = {{Malware Analysis - ROKRAT Unpacking from Injected Shellcode}}, date = {2017-12-03}, url = {https://www.youtube.com/watch?v=uoBQE5s2ba4}, language = {English}, urldate = {2020-01-12} } @online{hahn:20180109:hiddentear:372b79c, author = {Karsten Hahn}, title = {{Tweet on HiddenTear Sample}}, date = {2018-01-09}, organization = {Twitter (@struppigel)}, url = {https://twitter.com/struppigel/status/950787783353884672}, language = {English}, urldate = {2019-12-04} } @online{hahn:20190520:yggdrasil:5a23fde, author = {Karsten Hahn}, title = {{Tweet on Yggdrasil / CinaRAT}}, date = {2019-05-20}, organization = {Twitter (@struppigel)}, url = {https://twitter.com/struppigel/status/1130455143504318466}, language = {English}, urldate = {2020-01-13} } @online{hahn:20191121:stop:a5c8118, author = {Karsten Hahn and Stefan Karpenstein}, title = {{STOP Ransomware: Finger weg von illegalen Software-Downloads}}, date = {2019-11-21}, organization = {G Data}, url = {https://www.gdata.de/blog/1970/01/-35391-finger-weg-von-illegalen-software-downloads}, language = {English}, urldate = {2020-01-10} } @online{hahn:20200206:40000:3a0d792, author = {Karsten Hahn}, title = {{40,000 CryptBot Downloads per Day: Bitbucket Abused as Malware Slinger}}, date = {2020-02-06}, organization = {Gdata}, url = {https://www.gdatasoftware.com/blog/2020/02/35802-bitbucket-abused-as-malware-slinger}, language = {English}, urldate = {2020-04-02} } @online{hahn:20200402:pekraut:479527e, author = {Karsten Hahn}, title = {{Pekraut - German RAT starts gnawing}}, date = {2020-04-02}, organization = {Gdata}, url = {https://www.gdatasoftware.com/blog/2020/04/35849-pekraut-german-rat-starts-gnawing}, language = {English}, urldate = {2020-04-06} } @online{hahn:20200616:new:124c3d1, author = {Karsten Hahn}, title = {{New Java STRRAT ships with .crimson ransomware module}}, date = {2020-06-16}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/strrat-crimson}, language = {English}, urldate = {2020-06-16} } @online{hahn:20200624:discordtokenstealer:2b4cc58, author = {Karsten Hahn}, title = {{Tweet on DiscordTokenStealer}}, date = {2020-06-24}, organization = {Twitter (@struppigel)}, url = {https://twitter.com/struppigel/status/1275731035184156675}, language = {English}, urldate = {2020-06-24} } @online{hahn:20200901:dll:2af82dc, author = {Karsten Hahn}, title = {{DLL Fixer leads to Cyrat Ransomware}}, date = {2020-09-01}, organization = {Gdata}, url = {https://www.gdatasoftware.com/blog/cyrat-ransomware}, language = {English}, urldate = {2020-09-01} } @online{hahn:20201021:trat:389d7f3, author = {Karsten Hahn}, title = {{T-RAT 2.0: Malware control via smartphone}}, date = {2020-10-21}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/trat-control-via-smartphone}, language = {English}, urldate = {2020-10-23} } @online{haigh:20200707:configuring:a0cb3d9, author = {Matthew Haigh and Trevor Haskell}, title = {{Configuring a Windows Domain to Dynamically Analyze an Obfuscated Lateral Movement Tool}}, date = {2020-07-07}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/07/configuring-windows-domain-dynamically-analyze-obfuscated-lateral-movement-tool.html}, language = {English}, urldate = {2020-08-18} } @online{hajime:20180328:quick:2874046, author = {Hajime}, title = {{Quick summary about the Port 8291 scan}}, date = {2018-03-28}, organization = {Netlab}, url = {https://blog.netlab.360.com/quick-summary-port-8291-scan-en/}, language = {English}, urldate = {2020-01-07} } @techreport{hajime:20200117:operation:ef488fd, author = {Takai Hajime}, title = {{Operation Bitter Biscuit}}, date = {2020-01-17}, institution = {NTT Security}, url = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_3_takai_jp.pdf}, language = {Japanese}, urldate = {2020-07-20} } @online{hall:20201015:moobots:2aaf302, author = {Chris Hall}, title = {{Moobot's Cloud Migration}}, date = {2020-10-15}, organization = {lacework}, url = {https://www.lacework.com/moobots-cloud-migration/}, language = {English}, urldate = {2020-10-23} } @online{hamacher:20191221:how:9d026a8, author = {Adriana Hamacher}, title = {{How ransomware exploded in the age of Bitcoin}}, date = {2019-12-21}, organization = {Decrypt}, url = {https://decrypt.co/15394/how-ransomware-exploded-in-the-age-of-btc}, language = {English}, urldate = {2020-01-13} } @online{hamada:20160725:patchwork:77fa6bb, author = {Joji Hamada}, title = {{Patchwork cyberespionage group expands targets from governments to wide range of industries}}, date = {2016-07-25}, organization = {Symantec}, url = {http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-targets-governments-wide-range-industries}, language = {English}, urldate = {2020-01-13} } @online{hamdan:20200929:getting:c01923a, author = {Kareem Hamdan and Lucas Miller}, title = {{Getting the Bacon from the Beacon}}, date = {2020-09-29}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/}, language = {English}, urldate = {2020-10-05} } @online{hamzeloofard:20200131:new:5d058ea, author = {Shahab Hamzeloofard}, title = {{New wave of PlugX targets Hong Kong}}, date = {2020-01-31}, organization = {Avira}, url = {https://insights.oem.avira.com/new-wave-of-plugx-targets-hong-kong/}, language = {English}, urldate = {2020-02-10} } @online{han:20171120:android:c3f825c, author = {Inhee Han}, title = {{Android Malware Appears Linked to Lazarus Cybercrime Group}}, date = {2017-11-20}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/mcafee-labs/android-malware-appears-linked-to-lazarus-cybercrime-group/#sf174581990}, language = {English}, urldate = {2019-12-17} } @online{hanel:20190110:big:7e10bdf, author = {Alexander Hanel}, title = {{Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware}}, date = {2019-01-10}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/}, language = {English}, urldate = {2019-12-20} } @online{hanel:20191101:wizard:a34a09e, author = {Alexander Hanel and Brett Stone-Gross}, title = {{WIZARD SPIDER Adds New Features to Ryuk for Targeting Hosts on LAN}}, date = {2019-11-01}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/wizard-spider-adds-new-feature-to-ryuk-ransomware/}, language = {English}, urldate = {2019-12-20} } @online{hao:20191109:apt34:550c673, author = {Mina Hao}, title = {{APT34 Event Analysis Report}}, date = {2019-11-09}, organization = {NSFOCUS}, url = {https://nsfocusglobal.com/apt34-event-analysis-report/}, language = {English}, urldate = {2020-03-09} } @online{haoming:20181129:analysis:6192262, author = {haoming}, title = {{Analysis Report of the Xorddos Malware Family}}, date = {2018-11-29}, organization = {NSFOCUS}, url = {https://blog.nsfocusglobal.com/threats/vulnerability-analysis/analysis-report-of-the-xorddos-malware-family/}, language = {English}, urldate = {2020-01-06} } @online{haoming:20181206:satan:69932c8, author = {haoming}, title = {{SATAN variant analysis & handling guide}}, date = {2018-12-06}, organization = {NSFOCUS}, url = {http://blog.nsfocusglobal.com/categories/trend-analysis/satan-variant-analysis-handling-guide/}, language = {English}, urldate = {2019-10-15} } @online{haq:20130924:now:3cc13be, author = {Thoufique Haq and Ned Moran}, title = {{Now You See Me - H-worm by Houdini}}, date = {2013-09-24}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2013/09/now-you-see-me-h-worm-by-houdini.html}, language = {English}, urldate = {2019-12-20} } @online{haq:20131031:know:e772ee9, author = {Thoufique Haq and Ned Moran}, title = {{Know Your Enemy: Tracking A Rapidly Evolving APT Actor}}, date = {2013-10-31}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html}, language = {English}, urldate = {2019-12-20} } @techreport{haq:20140930:operation:ce4e85c, author = {Thoufique Haq and Ned Moran and Sai Vashisht and Mike Scott}, title = {{OPERATION QUANTUM ENTANGLEMENT}}, date = {2014-09-30}, institution = {FireEye}, url = {https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf}, language = {English}, urldate = {2020-01-08} } @online{harakhavik:20190620:danabot:238fce9, author = {Yaroslav Harakhavik and Aliaksandr Chailytko}, title = {{DanaBot Demands a Ransom Payment}}, date = {2019-06-20}, organization = {Check Point}, url = {https://research.checkpoint.com/danabot-demands-a-ransom-payment/}, language = {English}, urldate = {2020-01-07} } @online{harakhavik:20200203:warzone:18606cf, author = {Yaroslav Harakhavik}, title = {{Warzone: Behind the enemy lines}}, date = {2020-02-03}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2020/warzone-behind-the-enemy-lines/}, language = {English}, urldate = {2020-02-03} } @online{harbison:20180413:say:920b109, author = {Mike Harbison and Simon Conant}, title = {{Say “Cheese”: WebMonitor RAT Comes with C2-as-a-Service (C2aaS)}}, date = {2018-04-13}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/04/unit42-say-cheese-webmonitor-rat-comes-c2-service-c2aas/}, language = {English}, urldate = {2019-12-20} } @online{harbison:20180713:upatre:8d5e804, author = {Mike Harbison and Brittany Ash}, title = {{Upatre Continued to Evolve with new Anti-Analysis Techniques}}, date = {2018-07-13}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/}, language = {English}, urldate = {2019-12-20} } @online{hardy:20170427:advanced:d1d61c4, author = {Colin Hardy}, title = {{Advanced Banload Analysis}}, date = {2017-04-27}, organization = {ColinGuru}, url = {https://colin.guru/index.php?title=Advanced_Banload_Analysis}, language = {English}, urldate = {2019-12-10} } @online{harley:20110302:tdl4:9071c3f, author = {David Harley}, title = {{TDL4 and Glupteba: Piggyback PiggyBugs}}, date = {2011-03-02}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2011/03/02/tdl4-and-glubteba-piggyback-piggybugs/}, language = {English}, urldate = {2019-11-14} } @online{harley:20110714:cycbot:9e18833, author = {David Harley}, title = {{Cycbot: Ready to Ride}}, date = {2011-07-14}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2011/07/14/cycbot-ready-to-ride/}, language = {English}, urldate = {2019-11-14} } @online{harmon:20190731:systembc:d98f03c, author = {Kade Harmon and Kafeine and Dennis Schwarz and Proofpoint Threat Insight Team}, title = {{SystemBC is like Christmas in July for SOCKS5 Malware and Exploit Kits}}, date = {2019-07-31}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/systembc-christmas-july-socks5-malware-and-exploit-kits}, language = {English}, urldate = {2019-12-20} } @online{harpaz:20180215:trickbots:2cf1b53, author = {Ophir Harpaz and Magal Baz and Limor Kessem}, title = {{TrickBot’s Cryptocurrency Hunger: Tricking the Bitcoin Out of Wallets}}, date = {2018-02-15}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/trickbots-cryptocurrency-hunger-tricking-the-bitcoin-out-of-wallets/}, language = {English}, urldate = {2020-01-06} } @online{harpaz:20200401:vollgar:b10972a, author = {Ophir Harpaz}, title = {{THE VOLLGAR CAMPAIGN: MS-SQL SERVERS UNDER ATTACK}}, date = {2020-04-01}, organization = {Guardicore}, url = {https://www.guardicore.com/2020/04/vollgar-ms-sql-servers-under-attack/}, language = {English}, urldate = {2020-04-07} } @online{harpaz:20200819:fritzfrog:c2548e5, author = {Ophir Harpaz}, title = {{FritzFrog: A New Generation Of Peer-To-Peer Botnets}}, date = {2020-08-19}, organization = {Guardicore}, url = {https://www.guardicore.com/2020/08/fritzfrog-p2p-botnet-infects-ssh-servers/}, language = {English}, urldate = {2020-08-19} } @online{haruyama:20190904:cb:7c71995, author = {Takahiro Haruyama}, title = {{CB TAU Threat Intelligence Notification: Winnti Malware 4.0}}, date = {2019-09-04}, organization = {CarbonBlack}, url = {https://www.carbonblack.com/2019/09/04/cb-tau-threat-intelligence-notification-winnti-malware-4-0/}, language = {English}, urldate = {2019-12-17} } @techreport{haruyama:20191024:defeating:4016e1f, author = {Takahiro Haruyama}, title = {{Defeating APT10 Compiler-level Obfuscations}}, date = {2019-10-24}, institution = {Carbon Black}, url = {https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Haruyama.pdf}, language = {English}, urldate = {2020-03-03} } @online{haruyama:20200220:threat:aa4ef11, author = {Takahiro Haruyama}, title = {{Threat Analysis: Active C2 Discovery Using Protocol Emulation Part2 (Winnti 4.0)}}, date = {2020-02-20}, organization = {Carbon Black}, url = {https://www.carbonblack.com/2020/02/20/threat-analysis-active-c2-discovery-using-protocol-emulation-part2-winnti-4-0/}, language = {English}, urldate = {2020-02-21} } @online{hasbini:20150928:gaza:0c6e96e, author = {Mohamad Amin Hasbini and Ghareeb Saad}, title = {{Gaza cybergang, where’s your IR team?}}, date = {2015-09-28}, organization = {Kaspersky Labs}, url = {https://securelist.com/gaza-cybergang-wheres-your-ir-team/72283/}, language = {English}, urldate = {2019-12-20} } @online{hasbini:20160817:operation:9bfa7d2, author = {Mohamad Amin Hasbini}, title = {{Operation Ghoul: targeted attacks on industrial and engineering organizations}}, date = {2016-08-17}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/75718/operation-ghoul-targeted-attacks-on-industrial-and-engineering-organizations/}, language = {English}, urldate = {2019-12-20} } @online{hasbini:20171030:gaza:7c531cc, author = {Mohamad Amin Hasbini and Ghareeb Saad}, title = {{Gaza Cybergang – updated activity in 2017:}}, date = {2017-10-30}, organization = {Kaspersky Labs}, url = {https://securelist.com/gaza-cybergang-updated-2017-activity/82765/}, language = {English}, urldate = {2019-12-20} } @online{haschek:20200608:a1:b166c86, author = {Christian Haschek}, title = {{The A1 Telekom Austria Hack}}, date = {2020-06-08}, organization = {Christian Haschek's Blog}, url = {https://blog.haschek.at/2020/the-a1-telekom-hack.html}, language = {English}, urldate = {2020-06-11} } @online{hasegawa:20191029:threat:180cf21, author = {Tatsuya Hasegawa}, title = {{Threat Spotlight: Neshta File Infector Endures}}, date = {2019-10-29}, organization = {Cylance}, url = {https://threatvector.cylance.com/en_us/home/threat-spotlight-neshta-file-infector-endures.html}, language = {English}, urldate = {2019-11-16} } @online{hasherezade:20150713:revisiting:391fe73, author = {hasherezade}, title = {{Revisiting The Bunitu Trojan}}, date = {2015-07-13}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2015/07/revisiting-the-bunitu-trojan/}, language = {English}, urldate = {2019-12-20} } @online{hasherezade:20150819:inside:1828f15, author = {hasherezade}, title = {{Inside Neutrino botnet builder}}, date = {2015-08-19}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2015/08/inside-neutrino-botnet-builder/}, language = {English}, urldate = {2019-12-20} } @online{hasherezade:20151104:technical:abd2b27, author = {hasherezade}, title = {{A Technical Look At Dyreza}}, date = {2015-11-04}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/}, language = {English}, urldate = {2019-12-20} } @online{hasherezade:20160202:dma:5d599e2, author = {hasherezade}, title = {{DMA Locker: New Ransomware, But No Reason To Panic}}, date = {2016-02-02}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/02/dma-locker-a-new-ransomware-but-no-reason-to-panic/}, language = {English}, urldate = {2019-12-20} } @online{hasherezade:20160209:dma:1fe0c43, author = {hasherezade}, title = {{DMA Locker Strikes Back}}, date = {2016-02-09}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/02/dma-locker-strikes-back/}, language = {English}, urldate = {2019-12-20} } @online{hasherezade:20160301:look:fe35696, author = {hasherezade}, title = {{Look Into Locky Ransomware}}, date = {2016-03-01}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/03/look-into-locky/}, language = {English}, urldate = {2019-12-20} } @online{hasherezade:20160311:cerber:f1fb954, author = {hasherezade}, title = {{Cerber ransomware: new, but mature}}, date = {2016-03-11}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/03/cerber-ransomware-new-but-mature/}, language = {English}, urldate = {2019-12-20} } @online{hasherezade:20160324:maktub:fbe0f56, author = {hasherezade}, title = {{Maktub Locker – Beautiful And Dangerous}}, date = {2016-03-24}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/03/maktub-locker-beautiful-and-dangerous/}, language = {English}, urldate = {2019-12-20} } @online{hasherezade:20160506:7ev3n:6b6cfb1, author = {hasherezade}, title = {{7ev3n ransomware turning ‘HONE$T’}}, date = {2016-05-06}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/05/7ev3n-ransomware/}, language = {English}, urldate = {2019-12-20} } @online{hasherezade:20160519:petya:25c555f, author = {hasherezade}, title = {{Petya and Mischa – Ransomware Duet (Part 1)}}, date = {2016-05-19}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/05/petya-and-mischa-ransomware-duet-p1/}, language = {English}, urldate = {2019-12-20} } @online{hasherezade:20160523:dma:352692f, author = {hasherezade}, title = {{DMA Locker 4.0: Known ransomware preparing for a massive distribution}}, date = {2016-05-23}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/05/dma-locker-4-0-known-ransomware-preparing-for-a-massive-distribution/}, language = {English}, urldate = {2019-12-20} } @online{hasherezade:20161117:princess:378c704, author = {hasherezade}, title = {{Princess Locker decryptor}}, date = {2016-11-17}, organization = {hasherezade's 1001 nights}, url = {https://hshrzd.wordpress.com/2016/11/17/princess-locker-decryptor/}, language = {English}, urldate = {2020-01-10} } @online{hasherezade:20170614:unpacking:a820fac, author = {hasherezade}, title = {{Unpacking YoungLotus malware}}, date = {2017-06-14}, organization = {Youtube (hasherezade)}, url = {https://www.youtube.com/watch?v=AUGxYhE_CUY}, language = {English}, urldate = {2020-01-06} } @online{hasherezade:20171215:unpacking:8c8d58c, author = {hasherezade}, title = {{Unpacking Magniber ransomware with PE-sieve (former: 'hook_finder')}}, date = {2017-12-15}, url = {https://www.youtube.com/watch?v=lqWJaaofNf4}, language = {English}, urldate = {2019-10-23} } @online{hasherezade:20171230:unpacking:5477bb2, author = {hasherezade}, title = {{Unpacking TrickBot with PE-sieve}}, date = {2017-12-30}, organization = {Youtube (hasherezade)}, url = {https://www.youtube.com/watch?v=lTywPmZEU1A}, language = {English}, urldate = {2020-01-06} } @online{hasherezade:201801:coin:7ef1583, author = {hasherezade}, title = {{A coin miner with a “Heaven’s Gate”}}, date = {2018-01}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2018/01/a-coin-miner-with-a-heavens-gate/amp/}, language = {English}, urldate = {2019-12-04} } @online{hasherezade:20180223:avzhan:299cc86, author = {hasherezade}, title = {{Avzhan DDoS bot dropped by Chinese drive-by attack}}, date = {2018-02-23}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2018/02/avzhan-ddos-bot-dropped-by-chinese-drive-by-attack/}, language = {English}, urldate = {2019-12-20} } @online{hasherezade:20180301:blast:6bec8e3, author = {hasherezade}, title = {{Blast from the past: stowaway Virut delivered with Chinese DDoS bot}}, date = {2018-03-01}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2018/03/blast-from-the-past-stowaway-virut-delivered-with-chinese-ddos-bot/}, language = {English}, urldate = {2019-12-20} } @online{hasherezade:20180319:unpacking:150cdac, author = {hasherezade}, title = {{Unpacking Ursnif}}, date = {2018-03-19}, url = {https://www.youtube.com/watch?v=jlc7Ahp8Iqg}, language = {English}, urldate = {2019-12-24} } @online{hasherezade:20180331:deobfuscating:39c1be0, author = {hasherezade}, title = {{Deobfuscating TrickBot's strings with libPeConv}}, date = {2018-03-31}, organization = {Youtube (hasherezade)}, url = {https://www.youtube.com/watch?v=KMcSAlS9zGE}, language = {English}, urldate = {2020-01-13} } @online{hasherezade:20180726:hidden:76d28ed, author = {hasherezade and Jérôme Segura}, title = {{‘Hidden Bee’ miner delivered via improved drive-by download toolkit}}, date = {2018-07-26}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2018/07/hidden-bee-miner-delivered-via-improved-drive-by-download-toolkit/}, language = {English}, urldate = {2019-10-21} } @online{hasherezade:20181112:whats:e44d5f3, author = {hasherezade}, title = {{What’s new in TrickBot? Deobfuscating elements}}, date = {2018-11-12}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/malware-threat-analysis/2018/11/whats-new-trickbot-deobfuscating-elements/}, language = {English}, urldate = {2019-12-20} } @online{hasherezade:20190321:unpacking:8c38703, author = {hasherezade}, title = {{Unpacking Baldr stealer}}, date = {2019-03-21}, organization = {Youtube (hasherezade)}, url = {https://www.youtube.com/watch?v=E2V4kB_gtcQ}, language = {English}, urldate = {2019-07-11} } @online{hasherezade:20190406:unpacking:dc6a1be, author = {hasherezade}, title = {{Unpacking ISFB (including the custom 'PX' format)}}, date = {2019-04-06}, organization = {Youtube (hasherezade)}, url = {https://www.youtube.com/watch?v=KvOpNznu_3w}, language = {English}, urldate = {2019-11-29} } @online{hasherezade:20190531:hidden:14f8a1c, author = {hasherezade}, title = {{Hidden Bee: Let’s go down the rabbit hole}}, date = {2019-05-31}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2019/05/hidden-bee-lets-go-down-the-rabbit-hole/}, language = {English}, urldate = {2019-12-20} } @online{hasherezade:20190724:deep:c7d1aed, author = {hasherezade}, title = {{A deep dive into Phobos ransomware}}, date = {2019-07-24}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2019/07/a-deep-dive-into-phobos-ransomware/}, language = {English}, urldate = {2020-01-13} } @online{hasherezade:20190815:hidden:d93c104, author = {hasherezade}, title = {{The Hidden Bee infection chain, part 1: the stegano pack}}, date = {2019-08-15}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2019/08/the-hidden-bee-infection-chain-part-1-the-stegano-pack/}, language = {English}, urldate = {2019-12-20} } @techreport{hasherezade:20200521:silent:95b5ce7, author = {hasherezade and prsecurity}, title = {{The “Silent Night” Zloader/Zbot}}, date = {2020-05-21}, institution = {Malwarebytes}, url = {https://resources.malwarebytes.com/files/2020/05/The-Silent-Night-Zloader-Zbot_Final.pdf}, language = {English}, urldate = {2020-05-23} } @online{hassold:20180326:silent:9ce69cd, author = {Crane Hassold}, title = {{Silent Librarian: More to the Story of the Iranian Mabna Institute Indictment}}, date = {2018-03-26}, organization = {PhishLabs}, url = {https://info.phishlabs.com/blog/silent-librarian-more-to-the-story-of-the-iranian-mabna-institute-indictment}, language = {English}, urldate = {2020-01-07} } @online{hassold:20180405:silent:288fac9, author = {Crane Hassold}, title = {{Silent Librarian University Attacks Continue Unabated in Days Following Indictment}}, date = {2018-04-05}, organization = {PhishLabs}, url = {https://info.phishlabs.com/blog/silent-librarian-university-attacks-continue-unabated-in-days-following-indictment}, language = {English}, urldate = {2019-10-23} } @online{haughom:20180806:reversing:8b4d9cf, author = {James Haughom}, title = {{Reversing Cerber - RaaS}}, date = {2018-08-06}, organization = {rinse and REpeat analysis}, url = {https://rinseandrepeatanalysis.blogspot.com/2018/08/reversing-cerber-raas.html}, language = {English}, urldate = {2020-01-08} } @online{haughom:20200310:iqy:1844f48, author = {James Haughom}, title = {{IQY files and Paradise Ransomware}}, date = {2020-03-10}, organization = {Lastline}, url = {https://www.lastline.com/labsblog/iqy-files-and-paradise-ransomware/}, language = {English}, urldate = {2020-06-17} } @online{haughom:20200602:evolution:3286d87, author = {James Haughom and Stefano Ortolani}, title = {{Evolution of Excel 4.0 Macro Weaponization}}, date = {2020-06-02}, organization = {Lastline Labs}, url = {https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/}, language = {English}, urldate = {2020-06-03} } @online{hausding:20170707:94:4d1e639, author = {Michael Hausding}, title = {{94 .ch & .li domain names hijacked and used for drive-by}}, date = {2017-07-07}, organization = {SWITCH Security Blog}, url = {https://securityblog.switch.ch/2017/07/07/94-ch-li-domain-names-hijacked-and-used-for-drive-by/}, language = {English}, urldate = {2020-01-07} } @online{hausknecht:20200722:github:82e2b88, author = {Ryan Hausknecht}, title = {{Github Repository for PowerZure}}, date = {2020-07-22}, organization = {Github (hausec)}, url = {https://github.com/hausec/PowerZure}, language = {English}, urldate = {2020-08-18} } @online{hawley:20190129:apt39:926a2a1, author = {Sarah Hawley and Ben Read and Cristiana Brafman-Kittner and Nalani Fraser and Andrew Thompson and Yuri Rozhansky and Sanaz Yashar}, title = {{APT39: An Iranian Cyber Espionage Group Focused on Personal Information}}, date = {2019-01-29}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html}, language = {English}, urldate = {2019-12-20} } @online{hayashi:20130430:linuxcdorked:5456e0a, author = {Kaoru Hayashi and Joseph Bingham and Takayoshi Nakayama}, title = {{Linux.Cdorked}}, date = {2013-04-30}, organization = {Symantec}, url = {https://www.symantec.com/security-center/writeup/2013-050214-5501-99}, language = {English}, urldate = {2019-12-06} } @online{hayashi:20160509:krbanker:c59923f, author = {Kaoru Hayashi and Vicky Ray}, title = {{KRBanker Targets South Korea Through Adware and Exploit Kits}}, date = {2016-05-09}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2016/05/unit42-krbanker-targets-south-korea-through-adware-and-exploit-kits-2/}, language = {English}, urldate = {2019-12-20} } @online{hayashi:20160915:mile:302680e, author = {Kaoru Hayashi}, title = {{MILE TEA: Cyber Espionage Campaign Targets Asia Pacific Businesses and Government Agencies}}, date = {2016-09-15}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2016/09/mile-tea-cyber-espionage-campaign-targets-asia-pacific-businesses-and-government-agencies/}, language = {English}, urldate = {2019-12-20} } @online{hayashi:20170215:banking:c5e917c, author = {Kaoru Hayashi}, title = {{Banking Trojans: Ursnif Global Distribution Networks Identified}}, date = {2017-02-15}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/}, language = {English}, urldate = {2019-10-25} } @online{hayashi:20170725:tick:d89ab89, author = {Kaoru Hayashi}, title = {{“Tick” Group Continues Attacks}}, date = {2017-07-25}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/07/unit42-tick-group-continues-attacks/}, language = {English}, urldate = {2019-12-20} } @online{hayashi:20180731:bisonal:2ca3a6b, author = {Kaoru Hayashi and Vicky Ray}, title = {{Bisonal Malware Used in Attacks Against Russia and South Korea}}, date = {2018-07-31}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/}, language = {English}, urldate = {2019-12-20} } @online{hayashi:20180731:bisonal:8ca9ce6, author = {Kaoru Hayashi and Vicky Ray}, title = {{Bisonal Malware Used in Attacks Against Russia and South Korea}}, date = {2018-07-31}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-bisonal-malware-used-attacks-russia-south-korea/}, language = {English}, urldate = {2020-07-20} } @online{hazmalware:20161227:analysis:4038ecb, author = {Hazmalware}, title = {{ANALYSIS OF AUGUST STEALER MALWARE}}, date = {2016-12-27}, url = {https://hazmalware.blogspot.de/2016/12/analysis-of-august-stealer-malware.html}, language = {English}, urldate = {2019-11-22} } @online{hazum:20200709:new:5e06825, author = {Aviran Hazum and Bogdan Melnykov and Israel Wernik}, title = {{New Joker variant hits Google Play with an old trick}}, date = {2020-07-09}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2020/new-joker-variant-hits-google-play-with-an-old-trick/}, language = {English}, urldate = {2020-07-11} } @techreport{heal:2018:complete:96388ed, author = {Quick Heal}, title = {{The Complete story of EMOTET Most prominent Malware of 2018}}, date = {2018}, institution = {Quick Heal}, url = {https://quickheal.co.in/documents/technical-paper/Whitepaper_HowToPM.pdf}, language = {English}, urldate = {2020-01-13} } @online{hegel:20170711:winnti:e03c673, author = {Tom Hegel and Nate Marx}, title = {{Winnti (LEAD/APT17) Evolution - Going Open Source}}, date = {2017-07-11}, organization = {401 TRG}, url = {https://401trg.pw/winnti-evolution-going-open-source/}, language = {English}, urldate = {2019-12-18} } @online{hegel:20171016:update:9033e56, author = {Tom Hegel}, title = {{An Update on Winnti (LEAD/APT17)}}, date = {2017-10-16}, organization = {401TRG}, url = {https://401trg.pw/an-update-on-winnti/}, language = {English}, urldate = {2019-08-05} } @online{hegel:20180503:burning:2837854, author = {Tom Hegel}, title = {{Burning Umbrella: An Intelligence Report on the Winnti Umbrella and Associated State-Sponsored Attackers}}, date = {2018-05-03}, organization = {ProtectWise}, url = {https://401trg.com/burning-umbrella/}, language = {English}, urldate = {2019-10-15} } @online{heinemeyer:20200402:catching:b7f137d, author = {Max Heinemeyer}, title = {{Catching APT41 exploiting a zero-day vulnerability}}, date = {2020-04-02}, organization = {Darktrace}, url = {https://www.darktrace.com/en/blog/catching-apt-41-exploiting-a-zero-day-vulnerability/}, language = {English}, urldate = {2020-04-13} } @online{helling:20200516:high:cf7dadf, author = {Robert Helling}, title = {{High Performance Hackers}}, date = {2020-05-16}, organization = {atdotde}, url = {https://atdotde.blogspot.com/2020/05/high-performance-hackers.html}, language = {English}, urldate = {2020-05-18} } @online{henderson:20180711:chinese:f0f3cbc, author = {Scott Henderson and Steve Miller and Dan Perez and Marcin Siedlarz and Ben Wilson and Ben Read}, title = {{Chinese Espionage Group TEMP.Periscope Targets Cambodia Ahead of July 2018 Elections and Reveals Broad Operations Globally}}, date = {2018-07-11}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2018/07/chinese-espionage-group-targets-cambodia-ahead-of-elections.html}, language = {English}, urldate = {2019-12-20} } @online{henderson:20200422:vietnamese:d9dc0db, author = {Scott Henderson and Gabby Roncone and Sarah Jones and John Hultquist and Ben Read}, title = {{Vietnamese Threat Actors APT32 Targeting Wuhan Government and Chinese Ministry of Emergency Management in Latest Example of COVID-19 Related Espionage}}, date = {2020-04-22}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/04/apt32-targeting-chinese-government-in-covid-19-related-espionage.html}, language = {English}, urldate = {2020-04-26} } @online{henkel:20200818:decrypt:e395f6d, author = {Mario Henkel}, title = {{Decrypt MassLogger 2.4.0.0 configuration}}, date = {2020-08-18}, organization = {Medium mariohenkel}, url = {https://medium.com/@mariohenkel/decrypt-masslogger-2-4-0-0-configuration-eff3ee0720a7}, language = {English}, urldate = {2020-08-18} } @online{henkel:20200903:decrypting:16cd7a9, author = {Mario Henkel}, title = {{Decrypting AgentTesla strings and config}}, date = {2020-09-03}, organization = {Medium mariohenkel}, url = {https://medium.com/@mariohenkel/decrypting-agenttesla-strings-and-config-b9000b18c996?sk=fcead9538516eeb3daa7b53cb537f6f4}, language = {English}, urldate = {2020-09-03} } @online{henkel:20200910:decrypting:2bcb10d, author = {Mario Henkel}, title = {{Decrypting NanoCore config and dump all plugins}}, date = {2020-09-10}, organization = {Medium mariohenkel}, url = {https://medium.com/@mariohenkel/decrypting-nanocore-config-and-dump-all-plugins-f4944bfaba52}, language = {English}, urldate = {2020-09-10} } @online{heppner:20170227:betabot:68ba19f, author = {Ted Heppner}, title = {{Betabot: Configuration Data Extraction}}, date = {2017-02-27}, organization = {Sophos}, url = {https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/BetaBot.pdf?la=en}, language = {English}, urldate = {2020-01-13} } @online{herman:20200207:magecart:185b67b, author = {Jordan Herman}, title = {{Magecart Group 12’s Latest: Actors Behind Attacks on Olympics Ticket Re-sellers Deftly Swapped Domains to Continue Campaign}}, date = {2020-02-07}, organization = {RiskIQ}, url = {https://www.riskiq.com/blog/labs/magecart-group-12-olympics/}, language = {English}, urldate = {2020-02-09} } @online{herman:20200609:misconfigured:75c6908, author = {Jordan Herman}, title = {{Misconfigured Amazon S3 Buckets Continue to be a Launchpad for Malicious Code}}, date = {2020-06-09}, organization = {RiskIQ}, url = {https://www.riskiq.com/blog/labs/misconfigured-s3-buckets/}, language = {English}, urldate = {2020-06-10} } @online{herman:20200902:inter:93b8c50, author = {Jordan Herman}, title = {{The Inter Skimmer Kit}}, date = {2020-09-02}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/30f22a00}, language = {English}, urldate = {2020-09-04} } @online{hern:20170703:notpetya:ba6bc6c, author = {Alex Hern}, title = {{'NotPetya' malware attacks could warrant retaliation, says Nato affiliated-researcher}}, date = {2017-07-03}, organization = {The Guardian}, url = {https://www.theguardian.com/technology/2017/jul/03/notpetya-malware-attacks-ukraine-warrant-retaliation-nato-researcher-tomas-minarik}, language = {English}, urldate = {2019-07-11} } @online{hernandez:20170622:new:a5cf2c6, author = {Erye Hernandez and Danny Tsechansky}, title = {{The New and Improved macOS Backdoor from OceanLotus}}, date = {2017-06-22}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/06/unit42-new-improved-macos-backdoor-oceanlotus/}, language = {English}, urldate = {2019-12-20} } @online{hernandez:20200529:phishers:2759c33, author = {Elmer Hernandez}, title = {{Phishers Cast a Wider Net in the African Banking Sector}}, date = {2020-05-29}, organization = {Cofense}, url = {https://cofense.com/phishers-cast-wider-net-african-banking-sector/}, language = {English}, urldate = {2020-06-02} } @techreport{herr:20200729:breaking:d37db04, author = {Trey Herr and June Lee and William Loomis and Stewart Scott}, title = {{BREAKING TRUST: Shades of Crisis Across an Insecure Software Supply Chain}}, date = {2020-07-29}, institution = {Atlantic Council}, url = {https://www.atlanticcouncil.org/wp-content/uploads/2020/07/Breaking-trust-Shades-of-crisis-across-an-insecure-software-supply-chain.pdf}, language = {English}, urldate = {2020-08-05} } @online{herwig:20190224:measurement:01d44af, author = {Stephen Herwig and Katura Harvey and George Hughey and Richard Roberts and Dave Levin}, title = {{Measurement and Analysis of Hajime, a Peer-to-peer IoT Botnet}}, date = {2019-02-24}, organization = {NDSS}, url = {https://par.nsf.gov/servlets/purl/10096257}, language = {English}, urldate = {2020-10-12} } @online{herzog:20181014:godzilla:0f2194a, author = {Ben Herzog}, title = {{Godzilla Loader and the Long Tail of Malware}}, date = {2018-10-14}, organization = {Check Point}, url = {https://research.checkpoint.com/godzilla-loader-and-the-long-tail-of-malware/}, language = {English}, urldate = {2020-01-09} } @online{herzog:20190520:malware:dac1524, author = {Ben Herzog}, title = {{Malware Against the C Monoculture}}, date = {2019-05-20}, organization = {Check Point}, url = {https://research.checkpoint.com/malware-against-the-c-monoculture/}, language = {English}, urldate = {2019-10-14} } @online{hfiref0x:20150328:uacme:f1b9f62, author = {hfiref0x}, title = {{UACME}}, date = {2015-03-28}, organization = {Github (hfiref0x)}, url = {https://github.com/hfiref0x/UACME}, language = {English}, urldate = {2020-01-06} } @online{hfiref0x:20190419:tdl:31ca191, author = {hfiref0x}, title = {{TDL (Turla Driver Loader) Repository}}, date = {2019-04-19}, organization = {Github (hfiref0x)}, url = {https://github.com/hfiref0x/TDL}, language = {English}, urldate = {2020-01-08} } @online{hfiref0x:20200120:dustman:70f16bf, author = {hfiref0x}, title = {{Dustman APT: Art of Copy-Paste}}, date = {2020-01-20}, organization = {The Vault Blog}, url = {https://swapcontext.blogspot.com/2020/01/dustman-apt-art-of-copy-paste.html}, language = {English}, urldate = {2020-01-22} } @online{higgins:20151013:prolific:0b6089c, author = {Kelly Jackson Higgins}, title = {{Prolific Cybercrime Gang Favors Legit Login Credentials}}, date = {2015-10-13}, organization = {DARKReading}, url = {https://www.darkreading.com/analytics/prolific-cybercrime-gang-favors-legit-login-credentials/d/d-id/1322645?}, language = {English}, urldate = {2020-01-10} } @online{higgins:20160209:chinese:1d80f84, author = {Kelly Jackson Higgins}, title = {{Chinese Cyberspies Pivot To Russia In Wake Of Obama-Xi Pact}}, date = {2016-02-09}, organization = {DARKReading}, url = {http://www.darkreading.com/endpoint/chinese-cyberspies-pivot-to-russia-in-wake-of-obama-xi-pact/d/d-id/1324242}, language = {English}, urldate = {2020-01-09} } @online{higgins:20190924:iranian:4966d90, author = {Kelly Jackson Higgins}, title = {{Iranian Government Hackers Target US Veterans}}, date = {2019-09-24}, organization = {DARKReading}, url = {https://www.darkreading.com/threat-intelligence/iranian-government-hackers-target-us-veterans/d/d-id/1335897}, language = {English}, urldate = {2020-03-22} } @online{hilt:20160914:bksod:f75ef88, author = {Stephen Hilt and William Gamazo Sanchez}, title = {{BkSoD by Ransomware: HDDCryptor Uses Commercial Tools to Encrypt Network Shares and Lock HDDs}}, date = {2016-09-14}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/bksod-by-ransomware-hddcryptor-uses-commercial-tools-to-encrypt-network-shares-and-lock-hdds/}, language = {English}, urldate = {2020-01-09} } @online{hilt:20170824:malicious:7a258f4, author = {Stephen Hilt and Lord Alfred Remorin}, title = {{Malicious Chrome Extensions Stealing Roblox In-Game Currency, Sending Cookies via Discord}}, date = {2017-08-24}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/malicous-chrome-extensions-stealing-roblox-game-currency-sending-cookies-via-discord/}, language = {English}, urldate = {2019-12-16} } @online{hinchliffe:20170831:updated:fd02a16, author = {Alex Hinchliffe and Jen Miller-Osborn}, title = {{Updated KHRAT Malware Used in Cambodia Attacks}}, date = {2017-08-31}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/08/unit42-updated-khrat-malware-used-in-cambodia-attacks/}, language = {English}, urldate = {2019-12-20} } @online{hinchliffe:20180313:henbox:4d61efe, author = {Alex Hinchliffe and Mike Harbison and Jen Miller-Osborn and Tom Lancaster}, title = {{HenBox: The Chickens Come Home to Roost}}, date = {2018-03-13}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/}, language = {English}, urldate = {2020-01-09} } @online{hinchliffe:20190226:farseer:62554e3, author = {Alex Hinchliffe and Mike Harbison}, title = {{Farseer: Previously Unknown Malware Family bolsters the Chinese armoury}}, date = {2019-02-26}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/farseer-previously-unknown-malware-family-bolsters-the-chinese-armoury/}, language = {English}, urldate = {2020-01-08} } @online{hinchliffe:20191003:pkplug:4a43ea5, author = {Alex Hinchliffe}, title = {{PKPLUG: Chinese Cyber Espionage Group Attacking Asia}}, date = {2019-10-03}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/pkplug_chinese_cyber_espionage_group_attacking_asia/}, language = {English}, urldate = {2020-01-07} } @online{hinchliffe:20200302:pulling:35771e7, author = {Alex Hinchliffe}, title = {{Pulling the PKPLUG: the adversary playbook for the long-standing espionage activity of a Chinese nation-state adversary}}, date = {2020-03-02}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-pulling-pkplug-adversary-playbook-long-standing-espionage-activity-chinese-nation-state-adversary/}, language = {English}, urldate = {2020-03-02} } @techreport{hines:20040130:mydoomb:1946152, author = {Eric S. Hines}, title = {{MyDoom.B Worm Analysis}}, date = {2004-01-30}, institution = {Applied Watch Technologies}, url = {http://ivanlef0u.fr/repo/madchat/vxdevl/papers/analysis/mydoom_b_analysis.pdf}, language = {English}, urldate = {2019-10-14} } @online{hirani:20190110:global:a53ec6a, author = {Muks Hirani and Sarah Jones and Ben Read}, title = {{Global DNS Hijacking Campaign: DNS Record Manipulation at Scale}}, date = {2019-01-10}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html}, language = {English}, urldate = {2019-12-20} } @online{hiroaki:20190827:ta505:9bcbff1, author = {Hara Hiroaki and Jaromír Hořejší and Loseway Lu}, title = {{TA505 At It Again: Variety is the Spice of ServHelper and FlawedAmmyy}}, date = {2019-08-27}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/ta505-at-it-again-variety-is-the-spice-of-servhelper-and-flawedammyy/}, language = {English}, urldate = {2019-11-27} } @online{hjelmvik:20141027:full:83d84ee, author = {Erik Hjelmvik}, title = {{Full Disclosure of Havex Trojans}}, date = {2014-10-27}, organization = {Netresec}, url = {http://www.netresec.com/?page=Blog&month=2014-10&post=Full-Disclosure-of-Havex-Trojans}, language = {English}, urldate = {2019-11-29} } @online{hk:20200429:gazorp:3aef446, author = {Fred HK}, title = {{Gazorp - Thieving from thieves}}, date = {2020-04-29}, organization = {FR3D.HK}, url = {https://fr3d.hk/blog/gazorp-thieving-from-thieves}, language = {English}, urldate = {2020-05-06} } @online{hk:20200810:diamondfox:d2a194b, author = {Fred HK}, title = {{DiamondFox - Bank Robbers will be replaced}}, date = {2020-08-10}, organization = {FR3D.HK}, url = {https://fr3d.hk/blog/diamondfox-bank-robbers-will-be-replaced}, language = {English}, urldate = {2020-08-12} } @online{hladik:20200730:obscured:41a50f3, author = {Joseph Hladik and Josh Fleischer}, title = {{Obscured by Clouds: Insights into Office 365 Attacks and How Mandiant Managed Defense Investigates}}, date = {2020-07-30}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/07/insights-into-office-365-attacks-and-how-managed-defense-investigates.html}, language = {English}, urldate = {2020-08-05} } @online{hoej:20161226:alphabet:3e422a6, author = {Jaromír Hořejší}, title = {{Tweet on Alphabet Ransomware}}, date = {2016-12-26}, organization = {Twitter (@JaromirHorejsi)}, url = {https://twitter.com/JaromirHorejsi/status/813714602466877440}, language = {English}, urldate = {2019-10-15} } @online{hoej:20161227:adamlocker:9266526, author = {Jaromír Hořejší}, title = {{Tweet on AdamLocker}}, date = {2016-12-27}, organization = {Twitter (@JaromirHorejsi)}, url = {https://twitter.com/JaromirHorejsi/status/813712587997249536}, language = {English}, urldate = {2020-01-10} } @online{hoej:20161227:shelllocker:e32df2e, author = {Jaromír Hořejší}, title = {{Tweet on ShellLocker}}, date = {2016-12-27}, organization = {Twitter (JaromirHorejsi)}, url = {https://twitter.com/JaromirHorejsi/status/813726714228604928}, language = {English}, urldate = {2019-12-10} } @online{hoej:20161227:venuslocker:0a9196a, author = {Jaromír Hořejší}, title = {{Tweet on VenusLocker}}, date = {2016-12-27}, organization = {Twitter (@JaromirHorejsi)}, url = {https://twitter.com/JaromirHorejsi/status/813690129088937984}, language = {English}, urldate = {2020-01-09} } @online{hoej:20170102:new:adaeda4, author = {Jaromír Hořejší}, title = {{Tweet on new ransomware}}, date = {2017-01-02}, organization = {Twitter (JaromirHorejsi)}, url = {https://twitter.com/JaromirHorejsi/status/815949909648150528}, language = {English}, urldate = {2019-12-04} } @online{hoej:20170102:ransomware:d94c3dd, author = {Jaromír Hořejší}, title = {{Tweet on Ransomware}}, date = {2017-01-02}, organization = {Twitter (JaromirHorejsi)}, url = {https://twitter.com/JaromirHorejsi/status/815861135882780673}, language = {English}, urldate = {2020-01-09} } @online{hoej:20170103:red:ed15894, author = {Jaromír Hořejší}, title = {{Tweet on Red Alert}}, date = {2017-01-03}, organization = {Twitter (@JaromirHorejsi)}, url = {https://twitter.com/JaromirHorejsi/status/816237293073797121}, language = {English}, urldate = {2020-01-09} } @online{hoej:20170106:cockblocker:90b91b4, author = {Jaromír Hořejší}, title = {{Tweet on Cockblocker Ransomware}}, date = {2017-01-06}, organization = {Twitter (JaromirHorejsi)}, url = {https://twitter.com/JaromirHorejsi/status/817311664391524352}, language = {English}, urldate = {2020-01-08} } @online{hoej:20170109:virustotal:0db44ac, author = {Jaromír Hořejší}, title = {{Tweet on Virustotal Sample}}, date = {2017-01-09}, organization = {Twitter (@JaromirHorejsi)}, url = {https://twitter.com/JaromirHorejsi/status/818369717371027456}, language = {English}, urldate = {2020-01-05} } @online{hoej:20170622:filecoder:ac5445f, author = {Jaromír Hořejší}, title = {{Tweet on Filecoder}}, date = {2017-06-22}, organization = {Twitter (@JaromirHorejsi)}, url = {https://twitter.com/JaromirHorejsi/status/877811773826641920}, language = {English}, urldate = {2020-01-13} } @online{hoej:20171005:syscon:48eb01a, author = {Jaromír Hořejší}, title = {{SYSCON Backdoor Uses FTP as a C&C Channel}}, date = {2017-10-05}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/syscon-backdoor-uses-ftp-as-a-cc-channel/}, language = {English}, urldate = {2019-10-14} } @online{hoej:20180312:campaign:00eb661, author = {Jaromír Hořejší}, title = {{Campaign Possibly Connected to “MuddyWater” Surfaces in the Middle East and Central Asia}}, date = {2018-03-12}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/campaign-possibly-connected-muddywater-surfaces-middle-east-central-asia/}, language = {English}, urldate = {2020-01-13} } @online{hoej:20180314:tropic:352cf22, author = {Jaromír Hořejší and Joey Chen and Joseph C. Chen}, title = {{Tropic Trooper’s New Strategy}}, date = {2018-03-14}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/}, language = {English}, urldate = {2020-01-09} } @online{hoej:20180404:new:16fe860, author = {Jaromír Hořejší}, title = {{New MacOS Backdoor Linked to OceanLotus Found}}, date = {2018-04-04}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/}, language = {English}, urldate = {2020-01-13} } @online{hoej:20180821:supply:d426e6b, author = {Jaromír Hořejší and Joseph C. Chen and Kawabata Kohei and Kenney Lu}, title = {{Supply Chain Attack Operation Red Signature Targets South Korean Organizations}}, date = {2018-08-21}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/supply-chain-attack-operation-red-signature-targets-south-korean-organizations/}, language = {English}, urldate = {2020-01-06} } @online{hoej:20190904:glupteba:230e916, author = {Jaromír Hořejší and Joseph C. Chen}, title = {{Glupteba Campaign Hits Network Routers and Updates C&C Servers with Data from Bitcoin Transactions}}, date = {2019-09-04}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions/}, language = {English}, urldate = {2020-01-10} } @techreport{hoej:20191001:new:4a49a90, author = {Jaromír Hořejší and Joseph C. Chen}, title = {{New Fileless Botnet Novter Distributed by KovCoreG Malvertising Campaign}}, date = {2019-10-01}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/Tech-Brief-New-Fileless-Botnet-Novter-Distributed-by-KovCoreG-Malvertising-Campaign.pdf}, language = {English}, urldate = {2019-12-18} } @online{hoej:20191001:new:feb95a9, author = {Jaromír Hořejší and Joseph C. Chen}, title = {{New Fileless Botnet Novter Distributed by KovCoreG Malvertising Campaign}}, date = {2019-10-01}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/new-fileless-botnet-novter-distributed-by-kovcoreg-malvertising-campaign/}, language = {English}, urldate = {2019-10-15} } @techreport{hoej:20200311:operation:782b803, author = {Jaromír Hořejší and Joseph Chen}, title = {{Operation Overtrap Targets Japanese Online Banking Users Via Bottle Exploit Kit and Brand-New Cinobi Banking Trojan: Technical Brief}}, date = {2020-03-11}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/pdf/Tech%20Brief_Operation%20Overtrap%20Targets%20Japanese%20Online%20Banking%20Users.pdf}, language = {English}, urldate = {2020-03-11} } @online{hoej:20200311:operation:f03d64e, author = {Jaromír Hořejší and Joseph Chen}, title = {{Operation Overtrap Targets Japanese Online Banking Users Via Bottle Exploit Kit and Brand-New Cinobi Banking Trojan}}, date = {2020-03-11}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/operation-overtrap-targets-japanese-online-banking-users-via-bottle-exploit-kit-and-brand-new-cinobi-banking-trojan/}, language = {English}, urldate = {2020-03-11} } @techreport{hoej:20201003:earth:688aaf8, author = {Jaromír Hořejší and Daniel Lunghi and Cedric Pernet and Kazuki Fujisawa}, title = {{Earth Akhlut: Exploring the Tools, Tactics, and Procedures of an Advanced Threat Actor Operating a Large Infrastructure}}, date = {2020-10-03}, institution = {Trend Micro}, url = {https://vblocalhost.com/uploads/VB2020-Lunghi-Horejsi.pdf}, language = {English}, urldate = {2020-10-06} } @online{hoffman:20141125:curious:57f7b6a, author = {Nick Hoffman}, title = {{Curious Korlia}}, date = {2014-11-25}, organization = {Adventures in Security}, url = {https://securitykitten.github.io/2014/11/25/curious-korlia.html}, language = {English}, urldate = {2019-10-18} } @online{hoffman:20141126:getmypass:5028f5e, author = {Nick Hoffman}, title = {{Getmypass Point of Sale Malware}}, date = {2014-11-26}, url = {https://securitykitten.github.io/2014/11/26/getmypass-point-of-sale-malware.html}, language = {English}, urldate = {2020-01-08} } @online{hoffman:20141201:lusypos:3df4156, author = {Nick Hoffman}, title = {{LusyPOS and Tor}}, date = {2014-12-01}, organization = {SecurityKitten Blog}, url = {https://securitykitten.github.io/2014/12/01/lusypos-and-tor.html}, language = {English}, urldate = {2019-08-07} } @online{hoffman:20150108:getmypass:1fa4beb, author = {Nick Hoffman}, title = {{Getmypass Point of Sale Malware Update}}, date = {2015-01-08}, organization = {SecurityKitten Blog}, url = {https://securitykitten.github.io/2015/01/08/getmypass-point-of-sale-malware-update.html}, language = {English}, urldate = {2019-07-10} } @online{hoffman:20150111:mozart:025c466, author = {Nick Hoffman}, title = {{The Mozart RAM Scraper}}, date = {2015-01-11}, organization = {Security Kitten Blog}, url = {https://securitykitten.github.io/2015/01/11/the-mozart-ram-scraper.html}, language = {English}, urldate = {2020-01-06} } @online{hoffman:20150714:bernhardpos:c1e10e7, author = {Nick Hoffman}, title = {{BernhardPOS}}, date = {2015-07-14}, url = {https://securitykitten.github.io/2015/07/14/bernhardpos.html}, language = {English}, urldate = {2020-01-08} } @online{hoffman:20151116:introducing:eed78d1, author = {Nick Hoffman}, title = {{Introducing LogPOS}}, date = {2015-11-16}, url = {https://securitykitten.github.io/2015/11/16/logpos-new-point-of-sale-malware-using-mailslots.html}, language = {English}, urldate = {2020-01-07} } @online{hoffman:20161115:scanpos:4f3423a, author = {Nick Hoffman}, title = {{ScanPOS, new POS malware being distributed by Kronos}}, date = {2016-11-15}, url = {https://securitykitten.github.io/2016/11/15/scanpos.html}, language = {English}, urldate = {2020-01-08} } @online{hoffman:20161128:klrd:dc173ab, author = {Nick Hoffman}, title = {{The KLRD Keylogger}}, date = {2016-11-28}, organization = {SecurityKitten Blog}, url = {https://securitykitten.github.io/2016/11/28/the-klrd-keylogger.html}, language = {English}, urldate = {2020-01-08} } @online{hoffman:20161214:mikey:300fbdb, author = {Nick Hoffman}, title = {{MiKey - A Linux keylogger}}, date = {2016-12-14}, organization = {Adventures in Security}, url = {https://securitykitten.github.io/2016/12/14/mikey.html}, language = {English}, urldate = {2020-01-08} } @techreport{hoffman:20170215:deep:37a8ef5, author = {Nick Hoffman and Jeremy Humble}, title = {{Deep Dive on the DragonOK Rambo Backdoor}}, date = {2017-02-15}, institution = {Morphick}, url = {https://github.com/m0n0ph1/APT_CyberCriminal_Campagin_Collections-1/blob/master/2017/2017.02.15.deep-dive-dragonok-rambo-backdoor/Deep%20Dive%20on%20the%20DragonOK%20Rambo%20Backdoor%20_%20Morphick%20Cyber%20Security.pdf}, language = {English}, urldate = {2020-04-08} } @online{hoffman:20170215:rambo:fef31fe, author = {Nick Hoffman}, title = {{The Rambo Backdoor}}, date = {2017-02-15}, organization = {Adventures in Security}, url = {https://securitykitten.github.io/2017/02/15/the-rambo-backdoor.html}, language = {English}, urldate = {2020-01-10} } @techreport{holban:201805:mtrends:b30aba2, author = {Anca Holban}, title = {{M-Trends May 2018: From the field}}, date = {2018-05}, institution = {FireEye}, url = {https://mkd-cirt.mk/wp-content/uploads/2018/08/20181009_3_1_M-Trends2018-May-2018-compressed.pdf}, language = {English}, urldate = {2020-01-06} } @online{holland:20190719:analysis:06a9a1c, author = {Alex Holland}, title = {{An Analysis of L0rdix RAT, Panel and Builder}}, date = {2019-07-19}, organization = {HP}, url = {https://www.bromium.com/an-analysis-of-l0rdix-rat-panel-and-builder/}, language = {English}, urldate = {2020-01-07} } @online{holland:20190801:decrypting:3885751, author = {Alex Holland}, title = {{Decrypting L0rdix RAT’s C2}}, date = {2019-08-01}, organization = {Bromium}, url = {https://www.bromium.com/decrypting-l0rdix-rats-c2/}, language = {English}, urldate = {2020-01-07} } @online{holland:20190903:deobfuscating:22e33f3, author = {Alex Holland}, title = {{Deobfuscating Ostap: TrickBot’s 34,000 Line JavaScript Downloader}}, date = {2019-09-03}, organization = {Bromium}, url = {https://www.bromium.com/deobfuscating-ostap-trickbots-javascript-downloader/}, language = {English}, urldate = {2020-01-06} } @online{holland:20190905:l0rdix:2472b65, author = {Alex Holland}, title = {{l0rdix C2 traffic decryptor}}, date = {2019-09-05}, organization = {Github (cryptogramfan)}, url = {https://github.com/cryptogramfan/Malware-Analysis-Scripts/blob/master/decrypt_l0rdix_c2.py}, language = {English}, urldate = {2020-01-13} } @online{holland:20190912:ostap:9374bd2, author = {Alex Holland}, title = {{Ostap Deobfuscation script}}, date = {2019-09-12}, organization = {Github (cryptogramfan)}, url = {https://github.com/cryptogramfan/Malware-Analysis-Scripts/blob/master/deobfuscate_ostap.py}, language = {English}, urldate = {2020-01-06} } @online{holland:20200621:investigating:1dc98a0, author = {Alex Holland}, title = {{Investigating Threats in HP Sure Controller 4.2: TVRAT}}, date = {2020-06-21}, organization = {Bromium}, url = {https://threatresearch.ext.hp.com/investigating-threats-in-hp-sure-controller-4-2/}, language = {English}, urldate = {2020-07-11} } @online{holland:20200701:aggah:7dd38ba, author = {Alex Holland}, title = {{Aggah Campaign’s Latest Tactics: Victimology, PowerPoint Dropper and Cryptocurrency Stealer}}, date = {2020-07-01}, organization = {HP}, url = {https://threatresearch.ext.hp.com/aggah-campaigns-latest-tactics-victimology-powerpoint-dropper-and-cryptocurrency-stealer/}, language = {English}, urldate = {2020-07-17} } @techreport{honeywell:202006:usb:0b58405, author = {Honeywell}, title = {{USB Security-Myths vs. Reality}}, date = {2020-06}, institution = {}, url = {http://honeywellprocess.blob.core.windows.net/public/Marketing/White-Paper-USB-Security-Myths-vs-Reality.pdf}, language = {English}, urldate = {2020-07-15} } @online{hopfengetraenk:20190525:fasdisassembler:aed58f5, author = {Hopfengetraenk}, title = {{Fas-Disassembler for Visuallisp 0.8}}, date = {2019-05-25}, organization = {Github (Hopfengetraenk)}, url = {https://github.com/Hopfengetraenk/Fas-Disasm}, language = {English}, urldate = {2020-01-13} } @techreport{hork:20191206:demystifying:1285ddd, author = {Juraj Horňák and Jakub Souček}, title = {{Demystifying banking trojans from Latin America}}, date = {2019-12-06}, institution = {Botconf}, url = {https://www.botconf.eu/wp-content/uploads/2019/12/B2019-Soucek-Hornak-DemystifyingBankingTrojansFromLatinAmerica.pdf}, language = {English}, urldate = {2020-05-05} } @online{hosseini:20170718:ten:600fd92, author = {Ashkan Hosseini}, title = {{Ten process injection techniques: A technical survey of common and trending process injection techniques}}, date = {2017-07-18}, organization = {Elastic}, url = {https://www.elastic.co/de/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process}, language = {English}, urldate = {2020-07-15} } @online{hosseini:20170718:ten:af036b3, author = {Ashkan Hosseini}, title = {{Ten process injection techniques: A technical survey of common and trending process injection techniques}}, date = {2017-07-18}, organization = {Elastic}, url = {https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process}, language = {English}, urldate = {2020-07-15} } @online{hosseini:20170718:ten:fa1e393, author = {Ashkan Hosseini}, title = {{Ten Process Injection Techniques: A Technical Survey of Common and Trending Process Injection Techniques}}, date = {2017-07-18}, organization = {Endgame}, url = {https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process}, language = {English}, urldate = {2020-01-09} } @online{hpp:20200507:ruhruniversitt:7991318, author = {hpp}, title = {{Ruhr-Universität Bochum meldet Computerangriff}}, date = {2020-05-07}, organization = {Der Spiegel}, url = {https://www.spiegel.de/netzwelt/web/ruhr-uni-bochum-offenbar-opfer-von-computerangriff-a-c42754cc-72dc-4d34-8b58-bb0008619c05?utm_source=dlvr.it&utm_medium=twitter#ref=rss}, language = {English}, urldate = {2020-07-06} } @online{hrka:20191126:stantinko:0fbdd59, author = {Vladislav Hrčka}, title = {{Stantinko botnet adds cryptomining to its pool of criminal activities}}, date = {2019-11-26}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/11/26/stantinko-botnet-adds-cryptomining-criminal-activities/}, language = {English}, urldate = {2020-01-12} } @online{hrka:20200319:stantinkos:b6a60f8, author = {Vladislav Hrčka}, title = {{Stantinko’s new cryptominer features unique obfuscation techniques}}, date = {2020-03-19}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/03/19/stantinko-new-cryptominer-unique-obfuscation-techniques/}, language = {English}, urldate = {2020-03-26} } @online{hrka:20200807:stadeo:9fc4787, author = {Vladislav Hrčka}, title = {{Stadeo: Deobfuscating Stantinko and more}}, date = {2020-08-07}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/08/07/stadeo-deobfuscating-stantinko-and-more/}, language = {English}, urldate = {2020-08-14} } @online{hromcov:20180607:invisimole:5c5f0ed, author = {Zuzana Hromcová}, title = {{InvisiMole: Surprisingly equipped spyware, undercover since 2013}}, date = {2018-06-07}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/}, language = {English}, urldate = {2019-11-14} } @online{hromcov:20190708:malicious:f712ebc, author = {Zuzana Hromcová}, title = {{Malicious campaign targets South Korean users with backdoor‑laced torrents}}, date = {2019-07-08}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/}, language = {English}, urldate = {2019-11-14} } @online{hromcov:20190718:okrum:3841a95, author = {Zuzana Hromcová}, title = {{Okrum: Ke3chang group targets diplomatic missions}}, date = {2019-07-18}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/07/18/okrum-ke3chang-targets-diplomatic-missions/}, language = {English}, urldate = {2019-11-14} } @online{hromcov:20190814:in:4da809c, author = {Zuzana Hromcová}, title = {{In the Balkans, businesses are under fire from a double‑barreled weapon}}, date = {2019-08-14}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/08/14/balkans-businesses-double-barreled-weapon/}, language = {English}, urldate = {2019-11-14} } @online{hromcov:20191010:eset:70f9671, author = {Zuzana Hromcová}, title = {{ESET discovers Attor, a spy platform with curious GSM fingerprinting}}, date = {2019-10-10}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/10/10/eset-discovers-attor-spy-platform}, language = {English}, urldate = {2020-04-06} } @online{hromcov:20191010:eset:d4155ed, author = {Zuzana Hromcová}, title = {{ESET discovers Attor, a spy platform with curious GSM fingerprinting}}, date = {2019-10-10}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/10/10/eset-discovers-attor-spy-platform/}, language = {English}, urldate = {2020-02-13} } @techreport{hromcov:201910:at:3b4754e, author = {Zuzana Hromcová}, title = {{AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM}}, date = {2019-10}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf}, language = {English}, urldate = {2020-01-13} } @techreport{hromcov:20200608:invisimole:70a4dc1, author = {Zuzana Hromcová and Anton Cherepanov}, title = {{InvisiMole: The Hidden Part of the Story - Unearthing InvisiMole's Espionage Toolset and Strategic Cooperations}}, date = {2020-06-08}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf}, language = {English}, urldate = {2020-06-29} } @online{hromcov:20200618:digging:285d02f, author = {Zuzana Hromcová and Anton Cherepanov}, title = {{Digging up InvisiMole’s hidden arsenal}}, date = {2020-06-18}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/06/18/digging-up-invisimole-hidden-arsenal/}, language = {English}, urldate = {2020-06-29} } @online{hron:20200925:fresh:41ed4d0, author = {Martin Hron}, title = {{The Fresh Smell of ransomed coffee}}, date = {2020-09-25}, organization = {Avast Decoded}, url = {https://decoded.avast.io/martinhron/the-fresh-smell-of-ransomed-coffee/}, language = {English}, urldate = {2020-09-25} } @online{hsu:20200624:lucifer:5fc044c, author = {Ken Hsu and Durgesh Sangvikar and Zhibin Zhang and Chris Navarrete}, title = {{Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices}}, date = {2020-06-24}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/lucifer-new-cryptojacking-and-ddos-hybrid-malware/}, language = {English}, urldate = {2020-06-24} } @online{hsu:20201014:two:aa1efb9, author = {Ken Hsu and Yue Guan and Vaibhav Singhal and Qi Deng}, title = {{Two New IoT Vulnerabilities Identified with Mirai Payloads}}, date = {2020-10-14}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/iot-vulnerabilities-mirai-payloads/}, language = {English}, urldate = {2020-10-23} } @online{huang:20170705:security:8819459, author = {Kevin Y. Huang}, title = {{Security 101: The Impact of Cryptocurrency-Mining Malware}}, date = {2017-07-05}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/security-101-the-impact-of-cryptocurrency-mining-malware}, language = {English}, urldate = {2020-01-07} } @online{hulcoop:20161117:its:b644801, author = {Adam Hulcoop and Matt Brooks and Etienne Maynier and John Scott-Railton and Masashi Crete-Nishihata}, title = {{It’s Parliamentary - KeyBoy and the targeting of the Tibetan Community}}, date = {2016-11-17}, organization = {CitizenLab}, url = {https://citizenlab.ca/2016/11/parliament-keyboy/}, language = {English}, urldate = {2019-07-11} } @online{hultquist:20190416:spear:a0125cb, author = {John Hultquist and Ben Read and Oleg Bondarenko and Chi-en Shen}, title = {{Spear Phishing Campaign Targets Ukraine Government and Military; Infrastructure Reveals Potential Link to So-Called Luhansk People's Republic}}, date = {2019-04-16}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/04/spear-phishing-campaign-targets-ukraine-government.html}, language = {English}, urldate = {2019-12-20} } @online{humphrey:20180612:cve20178570:4d94250, author = {Ben Humphrey}, title = {{CVE-2017-8570 RTF and the Sisfader RAT}}, date = {2018-06-12}, organization = {NCC Group}, url = {https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/june/cve-2017-8750-rtf-and-the-sisfader-rat/}, language = {English}, urldate = {2020-01-07} } @online{humphrey:20181122:turla:de7f30a, author = {Ben Humphrey}, title = {{Turla PNG Dropper is back}}, date = {2018-11-22}, organization = {nccgroup}, url = {https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/}, language = {English}, urldate = {2019-11-21} } @online{hungenberg:20191106:emotet:1605954, author = {Thomas Hungenberg}, title = {{Emotet, Trickbot, Ryuk – ein explosiver Malware-Cocktail}}, date = {2019-11-06}, organization = {Heise Security}, url = {https://www.heise.de/security/artikel/Emotet-Trickbot-Ryuk-ein-explosiver-Malware-Cocktail-4573848.html}, language = {German}, urldate = {2020-01-06} } @online{hunter:20181120:l0rdix:bf0024c, author = {Ben Hunter}, title = {{L0RDIX: MULTIPURPOSE ATTACK TOOL}}, date = {2018-11-20}, organization = {enSilo}, url = {https://blog.ensilo.com/l0rdix-attack-tool}, language = {English}, urldate = {2019-12-17} } @online{hunter:20190524:uncovering:7d8776e, author = {Ben Hunter}, title = {{Uncovering new Activity by APT10}}, date = {2019-05-24}, organization = {enSilo}, url = {https://blog.ensilo.com/uncovering-new-activity-by-apt10}, language = {English}, urldate = {2020-01-13} } @online{hunter:20200701:ekans:46605bc, author = {Ben Hunter and Fred Gutierrez}, title = {{EKANS Ransomware Targeting OT ICS Systems}}, date = {2020-07-01}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/ekans-ransomware-targeting-ot-ics-systems}, language = {English}, urldate = {2020-07-06} } @online{huntley:20201016:how:baafd73, author = {Shane Huntley and Google Threat Analysis Group}, title = {{How we're tackling evolving online threats}}, date = {2020-10-16}, organization = {Google}, url = {https://blog.google/threat-analysis-group/how-were-tackling-evolving-online-threats}, language = {English}, urldate = {2020-10-23} } @techreport{huq:201409:pos:e79a593, author = {Numaan Huq}, title = {{PoS RAM Scraper Malware}}, date = {2014-09}, institution = {Wired}, url = {https://www.wired.com/wp-content/uploads/2014/09/wp-pos-ram-scraper-malware.pdf}, language = {English}, urldate = {2020-01-07} } @online{huq:20160919:untangling:daa62bd, author = {Numaan Huq}, title = {{Untangling the Ripper ATM Malware}}, date = {2016-09-19}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/untangling-ripper-atm-malware/}, language = {English}, urldate = {2019-11-26} } @online{hurk:20191010:nemty:3be8553, author = {Frank van den Hurk}, title = {{Nemty update: decryptors for Nemty 1.5 and 1.6}}, date = {2019-10-10}, organization = {Tesorion}, url = {https://www.tesorion.nl/nemty-update-decryptors-for-nemty-1-5-and-1-6/}, language = {English}, urldate = {2019-10-23} } @online{hurley:20170703:notpetya:1453645, author = {Shaun Hurley and Karan Sood}, title = {{NotPetya Technical Analysis Part II: Further Findings and Potential for MBR Recovery}}, date = {2017-07-03}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/petrwrap-technical-analysis-part-2-further-findings-and-potential-for-mbr-recovery/}, language = {English}, urldate = {2019-12-20} } @online{hurley:20190103:digging:5219f6d, author = {Shaun Hurley and James Scalise}, title = {{Digging into BokBot’s Core Module}}, date = {2019-01-03}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/digging-into-bokbots-core-module/}, language = {English}, urldate = {2019-12-20} } @online{hurley:20190321:interception:7e57329, author = {Shaun Hurley and James Scalise}, title = {{Interception: Dissecting BokBot’s “Man in the Browser”}}, date = {2019-03-21}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/bokbots-man-in-the-browser-overview/}, language = {English}, urldate = {2019-12-20} } @online{hurley:20200501:many:22ed72c, author = {Shaun Hurley}, title = {{The Many Paths Through Maze}}, date = {2020-05-01}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/maze-ransomware-deobfuscation/}, language = {English}, urldate = {2020-05-05} } @online{huss:20151111:abaddonpos:ca72c4c, author = {Darien Huss}, title = {{AbaddonPOS: A new point of sale threat linked to Vawtrak}}, date = {2015-11-11}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/AbaddonPOS-A-New-Point-Of-Sale-Threat-Linked-To-Vawtrak}, language = {English}, urldate = {2019-12-20} } @online{huss:20160128:exploring:7f85d44, author = {Darien Huss}, title = {{Exploring Bergard: Old Malware with New Tricks}}, date = {2016-01-28}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks}, language = {English}, urldate = {2019-12-20} } @techreport{huss:20160301:operation:65330f0, author = {Darien Huss}, title = {{Operation Transparent Tribe}}, date = {2016-03-01}, institution = {Proofpoint}, url = {https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf}, language = {English}, urldate = {2019-12-02} } @online{huss:20170202:oops:ea454d5, author = {Darien Huss and Pierre T and Axel F and Proofpoint Staff}, title = {{Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX}}, date = {2017-02-02}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx}, language = {English}, urldate = {2019-12-20} } @online{huss:20170817:turla:b519667, author = {Darien Huss}, title = {{Turla APT actor refreshes KopiLuwak JavaScript backdoor for use in G20-themed attack}}, date = {2017-08-17}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/turla-apt-actor-refreshes-kopiluwak-javascript-backdoor-use-g20-themed-attack}, language = {English}, urldate = {2019-12-20} } @online{huss:20170825:operation:87e2e2b, author = {Darien Huss and Matthew Mesa}, title = {{Operation RAT Cook: Chinese APT actors use fake Game of Thrones leaks as lures}}, date = {2017-08-25}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/operation-rat-cook-chinese-apt-actors-use-fake-game-thrones-leaks-lures}, language = {English}, urldate = {2019-12-20} } @techreport{huss:20171219:north:b2da03e, author = {Darien Huss}, title = {{North Korea Bitten by Bitcoin Bug}}, date = {2017-12-19}, institution = {Proofpoint}, url = {https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf}, language = {English}, urldate = {2019-10-18} } @online{huss:20171219:north:e5ef6da, author = {Darien Huss}, title = {{North Korea Bitten by Bitcoin Bug: Financially motivated campaigns reveal new dimension of the Lazarus Group}}, date = {2017-12-19}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/north-korea-bitten-bitcoin-bug-financially-motivated-campaigns-reveal-new}, language = {English}, urldate = {2019-12-20} } @techreport{huss:20180129:north:438b45d, author = {Darien Huss}, title = {{North Korea Bitten by Bitcoin Bug}}, date = {2018-01-29}, institution = {Proofpoint}, url = {https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug-180129.pdf}, language = {English}, urldate = {2020-01-05} } @online{hussey:20200625:golden:51322e2, author = {Brian Hussey}, title = {{The Golden Tax Department and the Emergence of GoldenSpy Malware}}, date = {2020-06-25}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-golden-tax-department-and-the-emergence-of-goldenspy-malware/}, language = {English}, urldate = {2020-06-26} } @online{hussey:20200630:goldenspy:1ecdff8, author = {Brian Hussey}, title = {{GoldenSpy: Chapter Two - The Uninstaller}}, date = {2020-06-30}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/goldenspy-chapter-two-the-uninstaller/}, language = {English}, urldate = {2020-07-02} } @online{hussey:20200702:goldenspy:31c222a, author = {Brian Hussey}, title = {{GoldenSpy Chapter 3: New and Improved Uninstaller}}, date = {2020-07-02}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/goldenspy-chapter-3-new-and-improved-uninstaller/}, language = {English}, urldate = {2020-07-15} } @online{hussey:20200714:goldenspy:a870540, author = {Brian Hussey}, title = {{GoldenSpy Chapter 4: GoldenHelper Malware Embedded in Official Golden Tax Software}}, date = {2020-07-14}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/goldenspy-chapter-4-goldenhelper-malware-embedded-in-official-golden-tax-software/}, language = {English}, urldate = {2020-07-15} } @online{huynh:20200806:bypassing:83c2a87, author = {Nhan Huynh}, title = {{Bypassing MassLogger Anti-Analysis — a Man-in-the-Middle Approach}}, date = {2020-08-06}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/08/bypassing-masslogger-anti-analysis-man-in-the-middle-approach.html}, language = {English}, urldate = {2020-08-12} } @online{hybridanalysis:20150413:sqlconnt1exe:86539cc, author = {Hybrid-Analysis}, title = {{sqlconnt1.exe}}, date = {2015-04-13}, organization = {Hybrid-Analysis}, url = {https://www.hybrid-analysis.com/sample/5d631d77401615d53f3ce3dbc2bfee5d934602dc35d488aa7cebf9b3ff1c4816?environmentId=2}, language = {English}, urldate = {2020-01-13} } @online{hybridanalysis:20180208:analysis:70d43bc, author = {Hybrid-Analysis}, title = {{Analysis Run}}, date = {2018-02-08}, organization = {Hybrid-Analysis}, url = {https://www.hybrid-analysis.com/sample/dfc56a704b5e031f3b0d2d0ea1d06f9157758ad950483b44ac4b77d33293cb38?environmentId=100}, language = {English}, urldate = {2020-01-08} } @online{hydro:20190416:cyber:ada48a4, author = {Norsk Hydro}, title = {{The cyber attack rescue operation in Hydro Toulouse}}, date = {2019-04-16}, organization = {Youtube (Norsk Hydro)}, url = {https://www.youtube.com/watch?v=o6eEN0mUakM}, language = {English}, urldate = {2020-01-13} } @online{hyppnen:20110828:windows:e9fb853, author = {Mikko Hyppönen}, title = {{Windows Remote Desktop Worm "Morto" Spreading}}, date = {2011-08-28}, organization = {F-Secure}, url = {https://www.f-secure.com/weblog/archives/00002227.html}, language = {English}, urldate = {2019-07-11} } @online{idf:20170205:hamas:b96235f, author = {IDF}, title = {{Hamas Uses Fake Facebook Profiles to Target Israeli Soldiers}}, date = {2017-02-05}, organization = {IDF}, url = {https://www.idf.il/en/minisites/hamas/hamas-uses-fake-facebook-profiles-to-target-israeli-soldiers/}, language = {English}, urldate = {2019-12-31} } @online{ii:20181220:with:8e827ba, author = {Augusto Remillano II and Mark Vicente}, title = {{With Mirai Comes Miori: IoT Botnet Delivered via ThinkPHP Remote Code Execution Exploit}}, date = {2018-12-20}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/with-mirai-comes-miori-iot-botnet-delivered-via-thinkphp-remote-code-execution-exploit/}, language = {English}, urldate = {2019-11-29} } @online{ii:20190507:cve20193396:42de798, author = {Augusto Remillano II and Robert Malagad}, title = {{CVE-2019-3396 Redux: Confluence Vulnerability Exploited to Deliver Cryptocurrency Miner With Rootkit}}, date = {2019-05-07}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/cve-2019-3396-redux-confluence-vulnerability-exploited-to-deliver-cryptocurrency-miner-with-rootkit/}, language = {English}, urldate = {2020-01-13} } @online{ii:20200622:xorddos:d41d1a7, author = {Augusto Remillano II}, title = {{XORDDoS, Kaiji Botnet Malware Variants Target Exposed Docker Servers}}, date = {2020-06-22}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers/}, language = {English}, urldate = {2020-06-24} } @online{ii:20200908:exposed:baa98d4, author = {Augusto Remillano II}, title = {{Exposed Docker Server Abused to Drop Cryptominer, DDoS Bot}}, date = {2020-09-08}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/20/i/exposed-docker-server-abused-to-drop-cryptominer-ddos-bot-.html}, language = {English}, urldate = {2020-09-23} } @online{ilascu:20180822:turla:b3753aa, author = {Ionut Ilascu}, title = {{Turla Outlook Backdoor Uses Clever Tactics for Stealth and Persistence}}, date = {2018-08-22}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/turla-outlook-backdoor-uses-clever-tactics-for-stealth-and-persistence/}, language = {English}, urldate = {2019-12-20} } @online{ilascu:20180830:cobalt:a5490e1, author = {Ionut Ilascu}, title = {{Cobalt Hacking Group Tests Banks In Russia and Romania}}, date = {2018-08-30}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/cobalt-hacking-group-tests-banks-in-russia-and-romania/}, language = {English}, urldate = {2019-12-20} } @online{ilascu:20180905:windows:8d74121, author = {Ionut Ilascu}, title = {{Windows Task Scheduler Zero Day Exploited by Malware}}, date = {2018-09-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/windows-task-scheduler-zero-day-exploited-by-malware/}, language = {English}, urldate = {2019-12-20} } @online{ilascu:20180907:domestic:18a5d5c, author = {Ionut Ilascu}, title = {{Domestic Kitten APT Operates in Silence Since 2016}}, date = {2018-09-07}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/domestic-kitten-apt-operates-in-silence-since-2016/}, language = {English}, urldate = {2019-12-20} } @online{ilascu:20180911:british:392218c, author = {Ionut Ilascu}, title = {{British Airways Fell Victim To Card Scraping Attack}}, date = {2018-09-11}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/british-airways-fell-victim-to-card-scraping-attack/}, language = {English}, urldate = {2019-12-20} } @online{ilascu:20180927:apt28:12917be, author = {Ionut Ilascu}, title = {{APT28 Uses LoJax, First UEFI Rootkit Seen in the Wild}}, date = {2018-09-27}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/apt28-uses-lojax-first-uefi-rootkit-seen-in-the-wild/}, language = {English}, urldate = {2019-12-20} } @online{ilascu:20181001:report:67e6316, author = {Ionut Ilascu}, title = {{Report Ties North Korean Attacks to New Malware, Linked by Word Macros}}, date = {2018-10-01}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/report-ties-north-korean-attacks-to-new-malware-linked-by-word-macros/}, language = {English}, urldate = {2019-12-20} } @online{ilascu:20181009:magecart:fc6ccf4, author = {Ionut Ilascu}, title = {{Magecart Group Compromises Plugin Used in Thousands of Stores, Makes Rookie Mistake}}, date = {2018-10-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/magecart-group-compromises-plugin-used-in-thousands-of-stores-makes-rookie-mistake/}, language = {English}, urldate = {2019-12-20} } @online{ilascu:20181121:magecart:e366b8b, author = {Ionut Ilascu}, title = {{MageCart Group Sabotages Rival to Ruin Data and Reputation}}, date = {2018-11-21}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/magecart-group-sabotages-rival-to-ruin-data-and-reputation/}, language = {English}, urldate = {2019-12-20} } @online{ilascu:20181207:netbooks:a99cef1, author = {Ionut Ilascu}, title = {{Netbooks, RPis, & Bash Bunny Gear - Attacking Banks from the Inside}}, date = {2018-12-07}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/netbooks-rpis-and-bash-bunny-gear-attacking-banks-from-the-inside/}, language = {English}, urldate = {2019-12-20} } @online{ilascu:20190107:gandcrab:8167b7f, author = {Ionut Ilascu}, title = {{GandCrab Operators Use Vidar Infostealer as a Forerunner}}, date = {2019-01-07}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/gandcrab-operators-use-vidar-infostealer-as-a-forerunner/}, language = {English}, urldate = {2019-12-20} } @online{ilascu:20190110:ta505:12f4881, author = {Ionut Ilascu}, title = {{TA505 Group Adopts New ServHelper Backdoor and FlawedGrace RAT}}, date = {2019-01-10}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ta505-group-adopts-new-servhelper-backdoor-and-flawedgrace-rat/}, language = {English}, urldate = {2019-12-20} } @online{ilascu:20190123:new:113a751, author = {Ionut Ilascu}, title = {{New Anatova Ransomware Supports Modules for Extra Functionality}}, date = {2019-01-23}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-anatova-ransomware-supports-modules-for-extra-functionality/}, language = {English}, urldate = {2019-12-20} } @online{ilascu:20190130:new:5c2d8da, author = {Ionut Ilascu}, title = {{New LockerGoga Ransomware Allegedly Used in Altran Attack}}, date = {2019-01-30}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-lockergoga-ransomware-allegedly-used-in-altran-attack/}, language = {English}, urldate = {2019-12-20} } @online{ilascu:20190222:cr1ptt0r:990b8aa, author = {Ionut Ilascu}, title = {{Cr1ptT0r Ransomware Infects D-Link NAS Devices, Targets Embedded Systems}}, date = {2019-02-22}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/cr1ptt0r-ransomware-infects-d-link-nas-devices-targets-embedded-systems/}, language = {English}, urldate = {2019-12-20} } @online{ilascu:20190303:op:89fdbdd, author = {Ionut Ilascu}, title = {{Op 'Sharpshooter' Connected to North Korea's Lazarus Group}}, date = {2019-03-03}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/op-sharpshooter-connected-to-north-koreas-lazarus-group/}, language = {English}, urldate = {2019-12-20} } @online{ilascu:20190626:new:3ea2210, author = {Ionut Ilascu}, title = {{New Silex Malware Trashes IoT Devices Using Default Passwords}}, date = {2019-06-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-silex-malware-trashes-iot-devices-using-default-passwords/}, language = {English}, urldate = {2020-01-08} } @online{ilascu:20190806:new:a045b9f, author = {Ionut Ilascu}, title = {{New Echobot Botnet Variant Uses Over 50 Exploits to Propagate}}, date = {2019-08-06}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-echobot-botnet-variant-uses-over-50-exploits-to-propagate/}, language = {English}, urldate = {2019-12-20} } @online{ilascu:20190826:new:20f0561, author = {Ionut Ilascu}, title = {{New Nemty Ransomware May Spread via Compromised RDP Connections}}, date = {2019-08-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-nemty-ransomware-may-spread-via-compromised-rdp-connections/}, language = {English}, urldate = {2020-01-07} } @online{ilascu:20190830:look:9a976c7, author = {Ionut Ilascu}, title = {{A Look Inside the Highly Profitable Sodinokibi Ransomware Business}}, date = {2019-08-30}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/a-look-inside-the-highly-profitable-sodinokibi-ransomware-business/}, language = {English}, urldate = {2019-12-20} } @online{ilascu:20190903:nemty:459166a, author = {Ionut Ilascu}, title = {{Nemty Ransomware Gets Distribution from RIG Exploit Kit}}, date = {2019-09-03}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/nemty-ransomware-gets-distribution-from-rig-exploit-kit/}, language = {English}, urldate = {2020-01-08} } @online{ilascu:20190908:fake:3f0addd, author = {Ionut Ilascu}, title = {{Fake PayPal Site Spreads Nemty Ransomware}}, date = {2019-09-08}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/fake-paypal-site-spreads-nemty-ransomware/}, language = {English}, urldate = {2020-01-13} } @online{ilascu:20191115:new:533f0a6, author = {Ionut Ilascu}, title = {{New NextCry Ransomware Encrypts Data on NextCloud Linux Servers}}, date = {2019-11-15}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-nextcry-ransomware-encrypts-data-on-nextcloud-linux-servers/}, language = {English}, urldate = {2020-01-06} } @online{ilascu:20200106:sodinokibi:1feb8a3, author = {Ionut Ilascu}, title = {{Sodinokibi Ransomware Hits Travelex, Demands $3 Million}}, date = {2020-01-06}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-hits-travelex-demands-3-million/}, language = {English}, urldate = {2020-01-13} } @online{ilascu:20200526:new:5905063, author = {Ionut Ilascu}, title = {{New [F]Unicorn ransomware hits Italy via fake COVID-19 infection map}}, date = {2020-05-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-f-unicorn-ransomware-hits-italy-via-fake-covid-19-infection-map/}, language = {English}, urldate = {2020-06-08} } @online{ilascu:20200528:michigan:a52712f, author = {Ionut Ilascu}, title = {{Michigan State University network breached in ransomware attack}}, date = {2020-05-28}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/michigan-state-university-network-breached-in-ransomware-attack/}, language = {English}, urldate = {2020-05-29} } @online{ilascu:20200608:honda:59ddaf6, author = {Ionut Ilascu}, title = {{Honda investigates possible ransomware attack, networks impacted}}, date = {2020-06-08}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/honda-investigates-possible-ransomware-attack-networks-impacted/}, language = {English}, urldate = {2020-06-10} } @online{ilascu:20200613:black:f18a453, author = {Ionut Ilascu}, title = {{Black Kingdom ransomware hacks networks with Pulse VPN flaws}}, date = {2020-06-13}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/black-kingdom-ransomware-hacks-networks-with-pulse-vpn-flaws/}, language = {English}, urldate = {2020-06-16} } @online{ilascu:20200623:ryuk:c63b0c6, author = {Ionut Ilascu}, title = {{Ryuk ransomware deployed two weeks after Trickbot infection}}, date = {2020-06-23}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-deployed-two-weeks-after-trickbot-infection/}, language = {English}, urldate = {2020-06-30} } @online{ilascu:20200731:gandcrab:f2cd6ef, author = {Ionut Ilascu}, title = {{GandCrab ransomware operator arrested in Belarus}}, date = {2020-07-31}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-operator-arrested-in-belarus/}, language = {English}, urldate = {2020-08-05} } @online{ilgayev:20200827:old:8859e51, author = {Alex Ilgayev}, title = {{An Old Bot’s Nasty New Tricks: Exploring Qbot’s Latest Attack Methods}}, date = {2020-08-27}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2020/exploring-qbots-latest-attack-methods/}, language = {English}, urldate = {2020-08-31} } @online{imano:20110311:trojankoredos:414e359, author = {Shunichi Imano}, title = {{Trojan.Koredos Comes with an Unwelcomed Surprise}}, date = {2011-03-11}, organization = {Symantec}, url = {https://web.archive.org/web/20131123012339/https://www.symantec.com/connect/blogs/trojankoredos-comes-unwelcomed-surprise}, language = {English}, urldate = {2020-04-21} } @online{imano:20110311:trojankoredos:c3aa3c6, author = {Shunichi Imano}, title = {{Trojan.Koredos Comes with an Unwelcomed Surprise}}, date = {2011-03-11}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/trojankoredos-comes-unwelcomed-surprise}, language = {English}, urldate = {2020-01-10} } @online{ims0rry:20171230:analysis:f221c40, author = {ims0rry}, title = {{Analysis DarkSky Botnet}}, date = {2017-12-30}, organization = {Telegra.ph blog}, url = {http://telegra.ph/Analiz-botneta-DarkSky-12-30}, language = {English}, urldate = {2020-01-08} } @techreport{inc:20190508:2019:3c20a3b, author = {Verizon Communications Inc.}, title = {{2019 Data Breach Investigations Report}}, date = {2019-05-08}, institution = {Verizon Communications Inc.}, url = {https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf}, language = {English}, urldate = {2020-05-10} } @online{incibe:20200408:ransomware:61b8c41, author = {INCIBE}, title = {{Ransomware NetWalker: análisis y medidas preventivas}}, date = {2020-04-08}, organization = {INCIBE-CERT}, url = {https://www.incibe-cert.es/blog/ransomware-netwalker-analisis-y-medidas-preventivas}, language = {Spanish}, urldate = {2020-04-14} } @online{inglot:2017:attacker:3af6c23, author = {Bart Inglot and Byrne Ghavalas}, title = {{ATTACKER ANTICS: Illustrations of Ingenuity}}, date = {2017}, organization = {FireEye}, url = {https://ruxcon.org.au/assets/2017/slides/bart-RuxCon-Presentation.pptx}, language = {English}, urldate = {2020-01-08} } @online{inocencio:20140829:new:43a114a, author = {Rhena Inocencio}, title = {{New BlackPOS Malware Emerges in the Wild, Targets Retail Accounts}}, date = {2014-08-29}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/new-blackpos-malware-emerges-in-the-wild-targets-retail-accounts/}, language = {English}, urldate = {2020-01-10} } @online{inocencio:20141113:bashlite:647137b, author = {Rhena Inocencio}, title = {{BASHLITE Affects Devices Running on BusyBox}}, date = {2014-11-13}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/bashlite-affects-devices-running-on-busybox/}, language = {English}, urldate = {2019-07-10} } @online{insaneforensics:20200823:dispatches:0a019d4, author = {Insane-Forensics}, title = {{Dispatches from Drovorub: Network Threat Hunting for Russia GRU GTsSS' Malware at Scale}}, date = {2020-08-23}, organization = {Github (Insane-Forensics)}, url = {https://github.com/Insane-Forensics/drovorub-hunt}, language = {English}, urldate = {2020-08-25} } @online{insights:20200406:mcafee:7fdc3d4, author = {McAfee Insights}, title = {{McAfee Insights: Vicious Panda: The COVID Campaign}}, date = {2020-04-06}, organization = {McAfee}, url = {https://kc.mcafee.com/corporate/index?page=content&id=KB92636&locale=en_US}, language = {English}, urldate = {2020-05-14} } @online{institute:20110419:tdss:9ffae6b, author = {Infosec Institute}, title = {{TDSS part 1: The x64 Dollar Question}}, date = {2011-04-19}, organization = {InfoSec Institute}, url = {http://resources.infosecinstitute.com/tdss4-part-1/}, language = {English}, urldate = {2020-01-06} } @online{institute:20200228:profiling:ebaa39b, author = {Financial Security Institute}, title = {{Profiling of TA505 Threat Group That Continues to Attack the Financial Sector}}, date = {2020-02-28}, organization = {Financial Security Institute}, url = {https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do}, language = {English}, urldate = {2020-02-28} } @techreport{intelligence:201405:into:e8ffc24, author = {ASERT Threat Intelligence}, title = {{Into the Light of Day:Uncovering Ongoing and Historical Point of Sale Malware and Attack Campaigns}}, date = {2014-05}, institution = {Arbor Networks}, url = {http://pages.arbornetworks.com/rs/arbor/images/ASERT%20Threat%20Intelligence%20Brief%202014-06%20Uncovering%20PoS%20Malware%20and%20Attack%20Campaigns.pdf}, language = {English}, urldate = {2020-01-06} } @techreport{intelligence:201507:hammertoss:9275999, author = {FireEye Threat Intelligence}, title = {{HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group}}, date = {2015-07}, institution = {FireEye}, url = {https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf}, language = {English}, urldate = {2019-10-23} } @online{intelligence:20151201:chinabased:8836a81, author = {FireEye Threat Intelligence}, title = {{China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets}}, date = {2015-12-01}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html}, language = {English}, urldate = {2019-12-20} } @online{intelligence:20160128:centerpos:551f13b, author = {FireEye Threat Intelligence}, title = {{CenterPOS: An Evolving POS Threat}}, date = {2016-01-28}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2016/01/centerpos_an_evolvi.html}, language = {English}, urldate = {2019-12-20} } @online{intelligence:20170212:lazarus:dd99beb, author = {BAE Systems Applied Intelligence}, title = {{Lazarus & Watering-hole attacks}}, date = {2017-02-12}, organization = {BAE Systems}, url = {https://baesystemsai.blogspot.com/2017/02/lazarus-watering-hole-attacks.html}, language = {English}, urldate = {2020-01-06} } @online{intelligence:20170406:apt10:08847cf, author = {FireEye iSIGHT Intelligence}, title = {{APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat}}, date = {2017-04-06}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html}, language = {English}, urldate = {2019-12-20} } @online{intelligence:20181023:triton:95a881f, author = {FireEye Intelligence}, title = {{TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers}}, date = {2018-10-23}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html}, language = {English}, urldate = {2019-12-20} } @online{intelligence:20190313:tefosteal:24e56c1, author = {Microsoft Security Intelligence}, title = {{Tweet on Tefosteal}}, date = {2019-03-13}, organization = {Twitter (@WDSecurity)}, url = {https://twitter.com/WDSecurity/status/1105990738993504256}, language = {English}, urldate = {2020-01-05} } @online{intelligence:20190315:flash:c7544fd, author = {Threat Intelligence}, title = {{Flash Bulletin: Emotet Epoch 1 Changes its C2 Communication}}, date = {2019-03-15}, organization = {Cofense}, url = {https://cofense.com/flash-bulletin-emotet-epoch-1-changes-c2-communication/}, language = {English}, urldate = {2019-10-23} } @online{intelligence:20190509:toptier:004045c, author = {Advanced Intelligence}, title = {{Top-Tier Russian Hacking Collective Claims Breaches of Three Major Anti-Virus Companies}}, date = {2019-05-09}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/blog/top-tier-russian-hacking-collective-claims-breaches-of-three-major-anti-virus-companies}, language = {English}, urldate = {2020-01-09} } @online{intelligence:20200519:netwalker:4681272, author = {Advanced Intelligence and Bridgit Sullivan and Daniel Frey}, title = {{NetWalker Ransomware Group Enters Advanced Targeting “Game”}}, date = {2020-05-19}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/netwalker-ransomware-group-enters-advanced-targeting-game}, language = {English}, urldate = {2020-05-23} } @online{intelligence:20200520:operation:7f6282e, author = {PT ESC Threat Intelligence}, title = {{Operation TA505: how we analyzed new tools from the creators of the Dridex trojan, Locky ransomware, and Neutrino botnet}}, date = {2020-05-20}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505/}, language = {English}, urldate = {2020-06-05} } @online{intelligence:20200604:covid19:45fa7ba, author = {PT ESC Threat Intelligence}, title = {{COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group}}, date = {2020-06-04}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/covid-19-and-new-year-greetings-the-higaisa-group/}, language = {English}, urldate = {2020-06-05} } @online{intelligence:20200616:cobalt:2071fd2, author = {PT ESC Threat Intelligence}, title = {{Cobalt: tactics and tools update}}, date = {2020-06-16}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/cobalt_upd_ttps/}, language = {English}, urldate = {2020-06-16} } @online{intelligence:20200617:thread:b4b74d5, author = {Microsoft Security Intelligence}, title = {{A tweet thread on TA505 using CAPTCHA to avoid detection and infecting victims with FlawedGrace}}, date = {2020-06-17}, organization = {Twitter (@MsftSecIntel)}, url = {https://twitter.com/MsftSecIntel/status/1273359829390655488}, language = {English}, urldate = {2020-06-18} } @online{intelligence:20200710:dark:a29ccb4, author = {Advanced Intelligence}, title = {{The Dark Web of Intrigue: How REvil Used the Underground Ecosystem to Form an Extortion Cartel}}, date = {2020-07-10}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/the-dark-web-of-intrigue-how-revil-used-the-underground-ecosystem-to-form-an-extortion-cartel}, language = {English}, urldate = {2020-07-13} } @online{intelligence:20200825:apt:0ad132f, author = {Qi'anxin Threat Intelligence}, title = {{南亚APT组织“透明部落”在移动端上与对手的较量}}, date = {2020-08-25}, organization = {Qianxin}, url = {https://www.secrss.com/articles/24995}, language = {Chinese}, urldate = {2020-08-25} } @online{intelligence:20200827:anubis:e53422c, author = {Microsoft Security Intelligence}, title = {{Tweet on Anubis Stealer}}, date = {2020-08-27}, organization = {Twitter (@MsftSecIntel)}, url = {https://twitter.com/MsftSecIntel/status/1298752223321546754}, language = {English}, urldate = {2020-09-01} } @techreport{intelligence:20200930:china:9e6570a, author = {House Permanent Select Committee on Intelligence}, title = {{The China Deep Dive: A Report on the Intelligence Community’s Capabilities and Competencies with Respect to the People’s Republic of China}}, date = {2020-09-30}, institution = {House Permanent Select Committee on Intelligence}, url = {https://intelligence.house.gov/uploadedfiles/hpsci_china_deep_dive_redacted_summary_9.29.20.pdf}, language = {English}, urldate = {2020-10-04} } @online{intelligence:20201006:ta505:a34d957, author = {Microsoft Security Intelligence}, title = {{Tweet on TA505 threat actor exploiting Zerologon (CVE-2020-1472) Vulnerability}}, date = {2020-10-06}, organization = {Twitter (@MsftSecIntel)}, url = {https://twitter.com/MsftSecIntel/status/1313598440719355904}, language = {English}, urldate = {2020-10-08} } @online{international:20170301:how:fb75ef9, author = {FraudWatch International}, title = {{How Does the Trickbot Malware Work?}}, date = {2017-03-01}, organization = {FraudWatch International}, url = {https://blog.fraudwatchinternational.com/malware/trickbot-malware-works}, language = {English}, urldate = {2020-01-08} } @online{international:20180515:pakistan:c41a7ec, author = {Amnesty International}, title = {{PAKISTAN: HUMAN RIGHTS UNDER SURVEILLANCE}}, date = {2018-05-15}, organization = {Amnesty International}, url = {https://www.amnesty.org/en/documents/asa33/8366/2018/en/}, language = {English}, urldate = {2019-11-28} } @online{international:20200615:india:2e4e60b, author = {Amnesty International}, title = {{India: Human Rights Defenders Targeted by a Coordinated Spyware Operation}}, date = {2020-06-15}, organization = {Amnesty International}, url = {https://www.amnesty.org/en/latest/research/2020/06/india-human-rights-defenders-targeted-by-a-coordinated-spyware-operation/}, language = {English}, urldate = {2020-06-16} } @online{international:20200925:germanmade:49d85d3, author = {Amnesty International}, title = {{German-made FinSpy spyware found in Egypt, and Mac and Linux versions revealed}}, date = {2020-09-25}, organization = {Amnesty International}, url = {https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/}, language = {English}, urldate = {2020-09-25} } @online{intezer:20190920:russian:27d9f67, author = {Intezer}, title = {{Russian Cybercrime Group FullofDeep Behind QNAPCrypt Ransomware Campaigns}}, date = {2019-09-20}, organization = {Intezer}, url = {https://www.intezer.com/blog-russian-cybercrime-group-fullofdeep-behind-qnapcrypt-ransomware-campaigns/}, language = {English}, urldate = {2020-01-08} } @online{intezer:20200806:gosh:f982c3c, author = {Intezer}, title = {{Tweet on GOSH}}, date = {2020-08-06}, organization = {Twitter (@IntezerLabs)}, url = {https://twitter.com/IntezerLabs/status/1291355808811409408}, language = {English}, urldate = {2020-08-18} } @online{intezerlabs:20200511:ldpreload:b3e622b, author = {Twitter (IntezerLabs)}, title = {{Tweet on LD-PRELOAD userland rootkit}}, date = {2020-05-11}, organization = {Intezer}, url = {https://twitter.com/IntezerLabs/status/1259818964848386048}, language = {English}, urldate = {2020-05-18} } @online{intrusiontruth:20170509:apt3:4014a9f, author = {Intrusiontruth}, title = {{APT3 is Boyusec, a Chinese Intelligence Contractor}}, date = {2017-05-09}, organization = {Intrusiontruth}, url = {https://intrusiontruth.wordpress.com/2017/05/09/apt3-is-boyusec-a-chinese-intelligence-contractor/}, language = {English}, urldate = {2020-01-07} } @online{intrusiontruth:20190724:apt17:6b9a666, author = {Intrusiontruth}, title = {{APT17 is run by the Jinan bureau of the Chinese Ministry of State Security}}, date = {2019-07-24}, organization = {Intrusiontruth}, url = {https://intrusiontruth.wordpress.com/2019/07/24/apt17-is-run-by-the-jinan-bureau-of-the-chinese-ministry-of-state-security/}, language = {English}, urldate = {2020-04-21} } @online{intrusiontruth:20200109:what:bc9bc31, author = {Intrusiontruth}, title = {{What is the Hainan Xiandun Technology Development Company?}}, date = {2020-01-09}, organization = {Intrusiontruth}, url = {https://intrusiontruth.wordpress.com/2020/01/09/what-is-the-hainan-xiandun-technology-development-company}, language = {English}, urldate = {2020-04-16} } @online{intrusiontruth:20200110:who:32afb65, author = {Intrusiontruth}, title = {{Who is Mr Gu?}}, date = {2020-01-10}, organization = {Intrusiontruth}, url = {https://intrusiontruth.wordpress.com/2020/01/10/who-is-mr-gu}, language = {English}, urldate = {2020-04-16} } @online{intrusiontruth:20200113:who:e54190c, author = {Intrusiontruth}, title = {{Who else works for this cover company network?}}, date = {2020-01-13}, organization = {Intrusiontruth}, url = {https://intrusiontruth.wordpress.com/2020/01/13/who-else-works-for-this-cover-company-network}, language = {English}, urldate = {2020-04-16} } @online{intrusiontruth:20200114:who:a06a6c3, author = {Intrusiontruth}, title = {{Who is Mr Ding?}}, date = {2020-01-14}, organization = {Intrusiontruth}, url = {https://intrusiontruth.wordpress.com/2020/01/14/who-is-mr-ding}, language = {English}, urldate = {2020-04-16} } @online{intrusiontruth:20200115:hainan:093f6f2, author = {Intrusiontruth}, title = {{Hainan Xiandun Technology Company is APT40}}, date = {2020-01-15}, organization = {Intrusiontruth}, url = {https://intrusiontruth.wordpress.com/2020/01/15/hainan-xiandun-technology-company-is-apt40}, language = {English}, urldate = {2020-04-16} } @online{ipj:20160920:hackers:fae1710, author = {ipj and kl}, title = {{Hackers lurking, parliamentarians told}}, date = {2016-09-20}, organization = {Deutsche Welle}, url = {https://www.dw.com/en/hackers-lurking-parliamentarians-told/a-19564630}, language = {English}, urldate = {2020-09-15} } @online{iris:20191209:new:cc73a24, author = {IBM IRIS}, title = {{New Destructive Wiper “ZeroCleare” Targets Energy Sector in the Middle East}}, date = {2019-12-09}, organization = {IBM Security}, url = {https://www.ibm.com/downloads/cas/OAJ4VZNJ}, language = {English}, urldate = {2020-01-09} } @online{iris:20200616:cloud:e15a0d5, author = {IBM Security X-Force® Incident Responseand Intelligence Services (IRIS)}, title = {{Cloud ThreatLandscape Report 2020}}, date = {2020-06-16}, organization = {IBM}, url = {https://www.ibm.com/downloads/cas/Z81AVOY7}, language = {English}, urldate = {2020-06-17} } @online{irmer:20150217:angry:d09af85, author = {Jan Širmer}, title = {{Angry Android hacker hides Xbot malware in popular application icons}}, date = {2015-02-17}, organization = {Avast}, url = {https://blog.avast.com/2015/02/17/angry-android-hacker-hides-xbot-malware-in-popular-application-icons/}, language = {English}, urldate = {2019-12-24} } @online{irmer:20191023:spoofing:369e661, author = {Jan Širmer and Luigino Camastra and Adolf Středa}, title = {{Spoofing in the reeds with Rietspoof}}, date = {2019-10-23}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-spoofing-reeds-rietspoof/}, language = {English}, urldate = {2020-01-27} } @online{ishikawa:20171218:relationship:fb13bae, author = {Yoshihiro Ishikawa}, title = {{Relationship between PlugX and attacker group "DragonOK"}}, date = {2017-12-18}, organization = {LAC}, url = {https://www.lac.co.jp/lacwatch/people/20171218_001445.html}, language = {Japanese}, urldate = {2019-11-22} } @online{ishikawa:20180521:confirmed:ad336b5, author = {Yoshihiro Ishikawa}, title = {{Confirmed new attacks by APT attacker group menuPass (APT10)}}, date = {2018-05-21}, organization = {LAC}, url = {https://www.lac.co.jp/lacwatch/people/20180521_001638.html}, language = {Japanese}, urldate = {2019-10-27} } @techreport{ishikawa:20181201:lets:73b0c60, author = {Yoshihiro Ishikawa and Shinichi Nagano}, title = {{Let's go with a Go RAT!}}, date = {2018-12-01}, institution = {Botconf}, url = {https://www.botconf.eu/wp-content/uploads/2018/12/2018-Y-Ishikawa-S-Nagano-Lets-go-with-a-Go-RAT-_final.pdf}, language = {English}, urldate = {2020-04-28} } @online{ishimaru:20150820:new:0b39f40, author = {Suguru Ishimaru}, title = {{New activity of the Blue Termite APT}}, date = {2015-08-20}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/}, language = {English}, urldate = {2019-12-20} } @online{ishimaru:20150820:new:d553aa4, author = {Suguru Ishimaru}, title = {{New activity of the Blue Termite APT}}, date = {2015-08-20}, organization = {Kaspersky Labs}, url = {https://securelist.com/new-activity-of-the-blue-termite-apt/71876/}, language = {English}, urldate = {2019-12-20} } @online{ishimaru:20180416:roaming:42ebd00, author = {Suguru Ishimaru}, title = {{Roaming Mantis uses DNS hijacking to infect Android smartphones}}, date = {2018-04-16}, organization = {Kaspersky Labs}, url = {https://securelist.com/roaming-mantis-uses-dns-hijacking-to-infect-android-smartphones/85178/}, language = {English}, urldate = {2019-12-20} } @online{ishimaru:20180518:roaming:3e5185f, author = {Suguru Ishimaru}, title = {{Roaming Mantis dabbles in mining and phishing multilingually}}, date = {2018-05-18}, organization = {Kaspersky Labs}, url = {https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/}, language = {English}, urldate = {2019-12-20} } @techreport{ishimaru:2019:roaming:23097da, author = {Suguru Ishimaru and Manabu Niseki and Hiroaki Ogawa}, title = {{Roaming Mantis: an Anatomy of a DNS Hijacking Campaign}}, date = {2019}, institution = {Kaspersky Labs}, url = {https://hitcon.org/2019/CMT/slide-files/d2_s1_r1.pdf}, language = {English}, urldate = {2020-01-09} } @online{ishimaru:20200227:roaming:3e14d12, author = {Suguru Ishimaru}, title = {{Roaming Mantis, part V: Distributed in 2019 using SMiShing and enhanced anti-researcher techniques}}, date = {2020-02-27}, organization = {Kaspersky Labs}, url = {https://securelist.com/roaming-mantis-part-v/96250/}, language = {English}, urldate = {2020-03-02} } @techreport{istrate:2015:new:254e212, author = {Cristian Istrate and Andrei Ardelean and Claudiu Cobliș and Marius Tivadar}, title = {{New Pacifier APT Components Point to Russian-Linked Turla Group}}, date = {2015}, institution = {Bitdefender}, url = {https://pdfhost.io/v/F0@QElMu2_MacProStorage_2017FinalBitdefenderWhitepaperNetrepserA4en_ENBitdefenderWhitepaperNetrepserA4en_ENindd.pdf}, language = {English}, urldate = {2020-01-08} } @online{it:20160615:mofang:59e7ad3, author = {Fox IT}, title = {{Mofang: A politically motivated information stealing adversary}}, date = {2016-06-15}, organization = {Fox-IT}, url = {https://blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/}, language = {English}, urldate = {2019-11-27} } @online{it:20190226:identifying:689104d, author = {Fox IT}, title = {{Identifying Cobalt Strike team servers in the wild}}, date = {2019-02-26}, organization = {Fox-IT}, url = {https://blog.fox-it.com/2019/02/26/identifying-cobalt-strike-team-servers-in-the-wild/}, language = {English}, urldate = {2020-10-25} } @online{it:20190226:supreme:d4cad36, author = {dfir it!}, title = {{The Supreme Backdoor Factory}}, date = {2019-02-26}, organization = {dfir it!}, url = {https://dfir.it/blog/2019/02/26/the-supreme-backdoor-factory/}, language = {English}, urldate = {2020-01-06} } @online{it:20191219:operation:64c0cd9, author = {Fox IT}, title = {{Operation Wocao : Shining a light on one of China’s hidden hacking groups}}, date = {2019-12-19}, organization = {Fox-IT}, url = {https://www.fox-it.com/nl/actueel/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/}, language = {English}, urldate = {2020-01-07} } @online{ita:20200807:new:c2e5979, author = {CSIRT ITA}, title = {{New Phishing-As-A-Service framework}}, date = {2020-08-07}, organization = {CSIRT Italia}, url = {https://csirt.gov.it/contenuti/phishing-as-a-service-framework}, language = {Italian}, urldate = {2020-08-10} } @online{ivanov:20140301:chewbacca:5c7ac17, author = {Ivo Ivanov}, title = {{ChewBacca – A TOR Based POS Malware}}, date = {2014-03-01}, organization = {Vinsula}, url = {http://vinsula.com/2014/03/01/chewbacca-tor-based-pos-malware/}, language = {English}, urldate = {2019-11-26} } @online{ivanov:20161003:polyglot:6fe8657, author = {Anton Ivanov and Orkhan Mamedov and Fedor Sinitsyn}, title = {{Polyglot – the fake CTB-locker}}, date = {2016-10-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/76182/polyglot-the-fake-ctb-locker/}, language = {English}, urldate = {2019-12-20} } @online{ivanov:20161020:rotorcrypt:2bfa6f3, author = {Andrew Ivanov}, title = {{RotorCrypt (RotoCrypt) Ransomware Tar Ransomware}}, date = {2016-10-20}, url = {https://id-ransomware.blogspot.com/2016/10/rotorcrypt-ransomware.html}, language = {Russian}, urldate = {2019-11-23} } @online{ivanov:20170314:petrwrap:646653c, author = {Anton Ivanov and Fedor Sinitsyn}, title = {{PetrWrap: the new Petya-based ransomware used in targeted attacks}}, date = {2017-03-14}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/77762/petrwrap-the-new-petya-based-ransomware-used-in-targeted-attacks/}, language = {English}, urldate = {2019-12-20} } @online{ivanov:20170424:xpan:018ead2, author = {Anton Ivanov and Fabio Assolini and Fedor Sinitsyn and Santiago Pontiroli}, title = {{XPan, I am your father}}, date = {2017-04-24}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/78110/xpan-i-am-your-father/}, language = {English}, urldate = {2019-12-20} } @online{ivanov:20170628:expetrpetyanotpetya:903b1fc, author = {Anton Ivanov and Orkhan Mamedov}, title = {{ExPetr/Petya/NotPetya is a Wiper, Not Ransomware}}, date = {2017-06-28}, organization = {Kaspersky Labs}, url = {https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/78902/}, language = {English}, urldate = {2019-12-20} } @online{ivanov:20170809:return:124e8c1, author = {Anton Ivanov and Orkhan Mamedov}, title = {{The return of Mamba ransomware}}, date = {2017-08-09}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-return-of-mamba-ransomware/79403/}, language = {English}, urldate = {2019-12-20} } @online{ivanov:20171027:xiaoba:16e3621, author = {Andrew Ivanov}, title = {{XiaoBa Ransomware}}, date = {2017-10-27}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2017/10/xiaoba-ransomware.html}, language = {Russian}, urldate = {2020-03-19} } @online{ivanov:20171202:scarabey:802d653, author = {Andrew Ivanov}, title = {{Scarabey Ransomware}}, date = {2017-12-02}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2017/12/scarabey-ransomware.html}, language = {Russian}, urldate = {2019-12-17} } @online{ivanov:20180208:mbrlock:2c9f6d5, author = {Andrew Ivanov}, title = {{MBRlock Ransomware}}, date = {2018-02-08}, organization = {ID Ransomware}, url = {http://id-ransomware.blogspot.com.tr/2018/02/mbrlock-hax-ransomware.html}, language = {Russian}, urldate = {2019-12-17} } @online{ivanov:20180507:synack:2a41ea0, author = {Anton Ivanov and Fedor Sinitsyn and Orkhan Mamedov}, title = {{SynAck targeted ransomware uses the Doppelgänging technique}}, date = {2018-05-07}, organization = {Kaspersky Labs}, url = {https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/}, language = {English}, urldate = {2019-12-20} } @online{ivanov:20180914:rektware:836d8ac, author = {Andrew Ivanov}, title = {{Rektware Ransomware}}, date = {2018-09-14}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2018/09/rektware-ransomware.html}, language = {Russian}, urldate = {2020-03-22} } @online{ivanov:20190203:maoloa:52e7c7f, author = {Andrew Ivanov}, title = {{Maoloa Ransomware}}, date = {2019-02-03}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2019/02/maoloa-ransomware.html}, language = {English}, urldate = {2019-11-28} } @online{ivanov:20190703:lilocked:0eb5e17, author = {Andrew Ivanov}, title = {{Lilocked Ransomware}}, date = {2019-07-03}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2019/07/lilu-lilocked-ransomware.html}, language = {Russian}, urldate = {2019-12-17} } @online{ivanov:20190905:netwalker:902cacb, author = {Andrew Ivanov}, title = {{Netwalker Ransomware}}, date = {2019-09-05}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2019/09/koko-ransomware.html}, language = {Russian}, urldate = {2020-03-22} } @online{ivanov:20191004:scarecrow:0d5bfe4, author = {Andrew Ivanov}, title = {{ScareCrow Ransomware}}, date = {2019-10-04}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2019/10/scarecrow-ransomware.html}, language = {Russian}, urldate = {2020-08-05} } @online{ivanov:20191011:mespinoza:e9cd17e, author = {Andrew Ivanov}, title = {{Mespinoza Ransomware}}, date = {2019-10-11}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2019/10/mespinoza-ransomware.html}, language = {English}, urldate = {2020-03-26} } @online{ivanov:20191015:medusalocker:132bb68, author = {Andrew Ivanov}, title = {{MedusaLocker Ransomware}}, date = {2019-10-15}, url = {http://id-ransomware.blogspot.com/2019/10/medusalocker-ransomware.html}, language = {English}, urldate = {2020-01-07} } @online{ivanov:20191019:abcd:06360d3, author = {Andrew Ivanov}, title = {{ABCD Ransomware LockBit Ransomware}}, date = {2019-10-19}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/search?q=lockbit}, language = {Russian}, urldate = {2020-03-28} } @online{ivanov:20191020:infodot:47e0fd2, author = {Andrew Ivanov}, title = {{InfoDot Ransomware}}, date = {2019-10-20}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2019/10/infodot-ransomware.html}, language = {Russian}, urldate = {2020-04-01} } @online{ivanov:20191023:pwndlocker:d776ac5, author = {Andrew Ivanov}, title = {{PwndLocker Ransomware}}, date = {2019-10-23}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2019/10/pwndlocker-ransomware.html}, language = {Russian}, urldate = {2020-03-03} } @online{ivanov:20191025:hdmr:de88a6d, author = {Andrew Ivanov}, title = {{HDMR, GO-SPORT}}, date = {2019-10-25}, url = {http://id-ransomware.blogspot.com/2019/10/hdmr-ransomware.html}, language = {Russian}, urldate = {2020-01-08} } @online{ivanov:20191104:hakbit:473fb88, author = {Andrew Ivanov}, title = {{Hakbit Ransomware}}, date = {2019-11-04}, organization = {ID Ransomware}, url = {http://id-ransomware.blogspot.com/2019/11/hakbit-ransomware.html}, language = {Russian}, urldate = {2020-01-10} } @online{ivanov:20191113:antefrigus:ad4c113, author = {Andrew Ivanov}, title = {{AnteFrigus Ransomware}}, date = {2019-11-13}, organization = {ID Ransomware}, url = {http://id-ransomware.blogspot.com/2019/11/antefrigus-ransomware.html}, language = {English}, urldate = {2020-01-08} } @online{ivanov:20191119:wacatac:c1815bb, author = {Andrew Ivanov}, title = {{Tweet on Wacatac Ransomware}}, date = {2019-11-19}, organization = {Twitter (@Amigo_A_)}, url = {https://twitter.com/Amigo_A_/status/1196898012645220354}, language = {English}, urldate = {2020-01-08} } @online{ivanov:20191119:wacatac:e257783, author = {Andrew Ivanov}, title = {{Wacatac Ransomware}}, date = {2019-11-19}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2019/11/wacatac-ransomware.html}, language = {Russian}, urldate = {2020-01-08} } @online{ivanov:20191122:turkstatik:ada70a9, author = {Andrew Ivanov}, title = {{TurkStatik Ransomware}}, date = {2019-11-22}, url = {http://id-ransomware.blogspot.com/2019/10/fuxsocy-encryptor-ransomware.html}, language = {English}, urldate = {2019-11-28} } @online{ivanov:20191219:chernolocker:1d71ebd, author = {Andrew Ivanov}, title = {{ChernoLocker Ransomware}}, date = {2019-12-19}, url = {https://id-ransomware.blogspot.com/2019/12/chernolocker-ransomware.html}, language = {Russian}, urldate = {2020-01-26} } @online{ivanov:20191231:cuba:53a177c, author = {Andrew Ivanov}, title = {{Cuba Ransomware}}, date = {2019-12-31}, url = {https://id-ransomware.blogspot.com/2019/12/cuba-ransomware.html}, language = {Russian}, urldate = {2020-06-11} } @online{ivanov:20200109:ako:79016d7, author = {Andrew Ivanov}, title = {{Ako, MedusaReborn}}, date = {2020-01-09}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/01/ako-ransomware.html}, language = {English}, urldate = {2020-05-18} } @online{ivanov:20200123:shlayer:945a5b8, author = {Anton Ivanov and Mikhail Kuzin and Ilya Mogilin}, title = {{Shlayer Trojan attacks one in ten macOS users}}, date = {2020-01-23}, organization = {Kaspersky Labs}, url = {https://securelist.com/shlayer-for-macos/95724/}, language = {English}, urldate = {2020-01-23} } @online{ivanov:20200125:cryptopatronum:4adacea, author = {Andrew Ivanov}, title = {{cryptopatronum ransomware}}, date = {2020-01-25}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/01/cryptopatronum-ransomware.html}, language = {Russian}, urldate = {2020-02-03} } @online{ivanov:20200130:thecursedmurderer:a2a7e72, author = {Andrew Ivanov}, title = {{TheCursedMurderer Ransomware}}, date = {2020-01-30}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/01/thecursedmurderer-ransomware.html}, language = {Russian}, urldate = {2020-02-10} } @online{ivanov:20200201:fct:ba54e92, author = {Andrew Ivanov}, title = {{FCT Ransomware}}, date = {2020-02-01}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/02/fct-ransomware.html}, language = {Russian}, urldate = {2020-02-10} } @online{ivanov:20200203:passlock:a72c982, author = {Andrew Ivanov}, title = {{PassLock Ransomware}}, date = {2020-02-03}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com}, language = {Russian}, urldate = {2020-02-10} } @online{ivanov:20200204:ragnarlocker:7e8d324, author = {Andrew Ivanov}, title = {{RagnarLocker Ransomware}}, date = {2020-02-04}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/02/ragnarlocker-ransomware.html}, language = {Russian}, urldate = {2020-04-15} } @online{ivanov:20200217:gibberish:b003dbc, author = {Andrew Ivanov}, title = {{Gibberish Ransomware}}, date = {2020-02-17}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/02/gibberish-ransomware.html}, language = {Russian}, urldate = {2020-03-22} } @online{ivanov:20200225:blackkingdom:5c73f86, author = {Andrew Ivanov}, title = {{BlackKingdom Ransomware}}, date = {2020-02-25}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/02/blackkingdom-ransomware.html}, language = {Russian}, urldate = {2020-06-16} } @online{ivanov:20200301:cryptodarkrubix:6720abd, author = {Andrew Ivanov}, title = {{CryptoDarkRubix Ransomware}}, date = {2020-03-01}, url = {https://id-ransomware.blogspot.com/2020/03/cryptodarkrubix-ransomware.html}, language = {Russian}, urldate = {2020-07-30} } @online{ivanov:20200307:javalocker:4b44b72, author = {Andrew Ivanov}, title = {{JavaLocker Ransomware}}, date = {2020-03-07}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/03/javalocker-ransomware.html}, language = {Russian}, urldate = {2020-03-22} } @online{ivanov:20200311:coronavirus:1b3c4d6, author = {Andrew Ivanov}, title = {{CoronaVirus Ransomware}}, date = {2020-03-11}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/03/coronavirus-ransomware.html}, language = {Russian}, urldate = {2020-03-22} } @online{ivanov:20200312:teslarvng:0ab7628, author = {Andrew Ivanov}, title = {{Teslarvng Ransomware Yakuza Ransomware}}, date = {2020-03-12}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/03/teslarvng-ransomware.html}, language = {Russian}, urldate = {2020-03-27} } @online{ivanov:20200314:nefilim:329ccf1, author = {Andrew Ivanov}, title = {{Nefilim Ransomware}}, date = {2020-03-14}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/03/nefilim-ransomware.html}, language = {English}, urldate = {2020-03-22} } @online{ivanov:20200314:rekensom:1e0a54a, author = {Andrew Ivanov}, title = {{RekenSom Ransomware}}, date = {2020-03-14}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/03/rekensom-ransomware.html}, language = {Russian}, urldate = {2020-03-22} } @online{ivanov:20200317:prolock:3aa858f, author = {Andrew Ivanov}, title = {{ProLock Ransomware}}, date = {2020-03-17}, url = {https://id-ransomware.blogspot.com/2020/03/prolock-ransomware.html}, language = {Russian}, urldate = {2020-04-06} } @online{ivanov:20200318:sekhmet:0463cdb, author = {Andrew Ivanov}, title = {{Sekhmet Ransomware}}, date = {2020-03-18}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/03/sekhmet-ransomware.html}, language = {Russian}, urldate = {2020-03-28} } @online{ivanov:20200324:kekw:ef9d6a6, author = {Andrew Ivanov}, title = {{KEKW Ransomware KEKW-Locker Ransomware}}, date = {2020-03-24}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/03/kekw-ransomware.html}, language = {Russian}, urldate = {2020-03-28} } @online{ivanov:20200331:wannaren:0ab1946, author = {Andrew Ivanov}, title = {{WannaRen Ransomware}}, date = {2020-03-31}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/03/wannaren-ransomware.html}, language = {Russian}, urldate = {2020-04-20} } @online{ivanov:20200401:jeno:379b0a1, author = {Andrew Ivanov}, title = {{Jeno Ransomware}}, date = {2020-04-01}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/04/jeno-ransomware.html}, language = {Russian}, urldate = {2020-04-20} } @online{ivanov:20200410:void:3b7f0d1, author = {Andrew Ivanov}, title = {{Void Ransomware}}, date = {2020-04-10}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/04/void-voidcrypt-ransomware.html}, language = {Russian}, urldate = {2020-04-13} } @online{ivanov:20200419:sadogo:0a661a2, author = {Andrew Ivanov}, title = {{Sadogo Ransomware}}, date = {2020-04-19}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/04/sadogo-ransomware.html}, language = {Russian}, urldate = {2020-04-20} } @online{ivanov:20200426:gocryptolocker:116e256, author = {Andrew Ivanov}, title = {{goCryptoLocker}}, date = {2020-04-26}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/04/gocryptolocker-ransomware.html}, language = {Russian}, urldate = {2020-05-02} } @online{ivanov:20200617:ransomexx:ab0e087, author = {Andrew Ivanov}, title = {{RansomEXX Ransomware}}, date = {2020-06-17}, url = {https://id-ransomware.blogspot.com/2020/06/ransomexx-ransomware.html}, language = {Russian}, urldate = {2020-07-08} } @online{ivanov:20200707:silentdeath:fed1f53, author = {Andrew Ivanov}, title = {{SilentDeath Ransomware}}, date = {2020-07-07}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/07/silentdeath-ransomware.html}, language = {Russian}, urldate = {2020-08-05} } @online{ivanov:20200716:fastwind:5e4367c, author = {Andrew Ivanov}, title = {{FastWind Ransomware}}, date = {2020-07-16}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/07/fastwind-ransomware.html}, language = {Russian}, urldate = {2020-08-05} } @online{ivanov:20200818:thunderx:0d8f847, author = {Andrew Ivanov}, title = {{ThunderX Ransomware}}, date = {2020-08-18}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/08/thunderx-ransomware.html}, language = {English}, urldate = {2020-09-15} } @online{ivanov:20200825:cyrat:62cd54c, author = {Andrew Ivanov}, title = {{Cyrat Ransomware}}, date = {2020-08-25}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/08/cyrat-ransomware.html}, language = {English}, urldate = {2020-09-01} } @online{ivanov:20200830:z3:21024c4, author = {Andrew Ivanov}, title = {{Z3 Ransomware}}, date = {2020-08-30}, url = {https://id-ransomware.blogspot.com/2020/08/z3-ransomware.html}, language = {Russian}, urldate = {2020-09-15} } @online{ivanov:20200831:xp10:f6f0110, author = {Andrew Ivanov}, title = {{XP10 Ransomware}}, date = {2020-08-31}, url = {https://id-ransomware.blogspot.com/2020/08/xp10-ransomware.html}, language = {Russian}, urldate = {2020-09-15} } @online{j:20181218:scumbag:720cb3c, author = {Lokesh J}, title = {{Scumbag Combo: Agent Tesla and XpertRAT}}, date = {2018-12-18}, organization = {K7 Security}, url = {https://labs.k7computing.com/?p=15672}, language = {English}, urldate = {2020-01-06} } @online{jackson:20070320:gozi:701fe90, author = {Don Jackson}, title = {{Gozi Trojan}}, date = {2007-03-20}, organization = {Secureworks}, url = {https://www.secureworks.com/research/gozi}, language = {English}, urldate = {2020-01-10} } @online{jackson:20141219:unrelenting:f3f3ccf, author = {Don Jackson}, title = {{The unrelenting evolution of Vawtrak}}, date = {2014-12-19}, organization = {PhishLabs}, url = {https://info.phishlabs.com/blog/the-unrelenting-evolution-of-vawtrak}, language = {English}, urldate = {2019-11-04} } @online{jacquais:20180109:bestkorea:94b6c7a, author = {Jacquais}, title = {{BestKorea}}, date = {2018-01-09}, url = {https://github.com/Jacquais/BestKorea}, language = {English}, urldate = {2020-03-13} } @online{jallepalli:20190326:winrar:dff4878, author = {Dileep Kumar Jallepalli}, title = {{WinRAR Zero-day Abused in Multiple Campaigns}}, date = {2019-03-26}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/03/winrar-zero-day-abused-in-multiple-campaigns.html}, language = {English}, urldate = {2019-12-20} } @online{james:20111026:tsunami:7815511, author = {Peter James}, title = {{Tsunami Backdoor Can Be Used for Denial of Service Attacks}}, date = {2011-10-26}, organization = {Intego}, url = {https://www.intego.com/mac-security-blog/tsunami-backdoor-can-be-used-for-denial-of-service-attacks}, language = {English}, urldate = {2019-10-25} } @online{jamesinthebox:20181001:dga:c78b3d8, author = {James_inthe_box}, title = {{Tweet on DGA using TLD xyz}}, date = {2018-10-01}, organization = {Twitter (@James_inthe_box)}, url = {https://twitter.com/James_inthe_box/status/1046844087469391872}, language = {English}, urldate = {2020-01-08} } @online{jamesinthebox:20200512:himera:39130f2, author = {James_inthe_box}, title = {{Tweet on Himera Loader}}, date = {2020-05-12}, organization = {Twitter (@James_inthe_box)}, url = {https://twitter.com/James_inthe_box/status/1260191589789392898}, language = {English}, urldate = {2020-05-18} } @online{jamesinthebox:20200814:echelon:699dd29, author = {James_inthe_box}, title = {{Tweet on Echelon Stealer}}, date = {2020-08-14}, organization = {Twitter (@James_inthe_box)}, url = {https://twitter.com/James_inthe_box/status/1294088216807534593}, language = {English}, urldate = {2020-08-14} } @online{jameswt:20200525:fuckunicorn:8136f92, author = {JamesWT}, title = {{Tweet on FuckUnicorn instance of HiddenTear}}, date = {2020-05-25}, organization = {Twitter (@JAMESWT_MHT)}, url = {https://twitter.com/JAMESWT_MHT/status/1264828072001495041}, language = {English}, urldate = {2020-06-08} } @online{jamie:20200331:lokibot:f927742, author = {Jamie}, title = {{LokiBot: Getting Equation Editor Shellcode}}, date = {2020-03-31}, organization = {Click All the Things! Blog}, url = {https://clickallthethings.wordpress.com/2020/03/31/lokibot-getting-equation-editor-shellcode/}, language = {English}, urldate = {2020-04-07} } @online{jamie:20200619:zloader:dd6729d, author = {Jamie}, title = {{zloader: VBA, R1C1 References, and Other Tomfoolery}}, date = {2020-06-19}, organization = {Click All the Things! Blog}, url = {https://clickallthethings.wordpress.com/2020/06/19/zloader-vba-r1c1-references-and-other-tomfoolery/}, language = {English}, urldate = {2020-06-21} } @online{jansen:20200902:machine:2a2ed0a, author = {Joost Jansen}, title = {{Machine learning from idea to reality: a PowerShell case study}}, date = {2020-09-02}, organization = {Fox-IT}, url = {https://blog.fox-it.com/2020/09/02/machine-learning-from-idea-to-reality-a-powershell-case-study/}, language = {English}, urldate = {2020-09-03} } @online{jarvis:20131218:cryptolocker:a15fe52, author = {Keith Jarvis}, title = {{CryptoLocker Ransomware}}, date = {2013-12-18}, organization = {Secureworks}, url = {https://www.secureworks.com/research/cryptolocker-ransomware}, language = {English}, urldate = {2019-11-27} } @online{jazi:20200416:new:6b7cb7a, author = {Hossein Jazi}, title = {{New AgentTesla variant steals WiFi credentials}}, date = {2020-04-16}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/cybercrime/2020/04/new-agenttesla-variant-steals-wifi-credentials/}, language = {English}, urldate = {2020-04-16} } @online{jazi:20200506:new:7723083, author = {Hossein Jazi and Thomas Reed and Jérôme Segura}, title = {{New Mac variant of Lazarus Dacls RAT distributed via Trojanized 2FA app}}, date = {2020-05-06}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2020/05/new-mac-variant-of-lazarus-dacls-rat-distributed-via-trojanized-2fa-app/}, language = {English}, urldate = {2020-05-07} } @online{jazi:20200603:new:96bf302, author = {Hossein Jazi and Jérôme Segura}, title = {{New LNK attack tied to Higaisa APT discovered}}, date = {2020-06-03}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/}, language = {English}, urldate = {2020-06-05} } @online{jazi:20200617:multistage:6358f3f, author = {Hossein Jazi and Jérôme Segura}, title = {{Multi-stage APT attack drops Cobalt Strike using Malleable C2 feature}}, date = {2020-06-17}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2020/06/multi-stage-apt-attack-drops-cobalt-strike-using-malleable-c2-feature/}, language = {English}, urldate = {2020-06-19} } @online{jazi:20200721:chinese:da6a239, author = {Hossein Jazi and Jérôme Segura}, title = {{Chinese APT group targets India and Hong Kong using new variant of MgBot malware}}, date = {2020-07-21}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware/}, language = {English}, urldate = {2020-07-22} } @online{jazi:20201006:release:11f16dc, author = {Hossein Jazi and Jérôme Segura}, title = {{Release the Kraken: Fileless APT attack abuses Windows Error Reporting service}}, date = {2020-10-06}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service}, language = {English}, urldate = {2020-10-08} } @online{jedynak:20170104:technical:9cf0ab7, author = {Jarosław Jedynak}, title = {{Technical analysis of CryptoMix/CryptFile2 ransomware}}, date = {2017-01-04}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/technical-analysis-of-cryptomixcryptfile2-ransomware/}, language = {English}, urldate = {2020-01-13} } @online{jedynak:20170130:nymaim:d5553e6, author = {Jarosław Jedynak}, title = {{Nymaim revisited}}, date = {2017-01-30}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/nymaim-revisited/}, language = {English}, urldate = {2020-01-09} } @online{jedynak:20170214:sage:c9187b1, author = {Jarosław Jedynak}, title = {{Sage 2.0 analysis}}, date = {2017-02-14}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/sage-2-0-analysis/}, language = {English}, urldate = {2020-01-13} } @online{jedynak:20170530:mole:868f8ea, author = {Jarosław Jedynak}, title = {{Mole ransomware: analysis and decryptor}}, date = {2017-05-30}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/mole-ransomware-analysis-and-decryptor/}, language = {English}, urldate = {2019-12-17} } @online{jedynak:20171019:deeper:f2e50ae, author = {Jarosław Jedynak}, title = {{A deeper look at Tofsee modules}}, date = {2017-10-19}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/a-deeper-look-at-tofsee-modules/}, language = {English}, urldate = {2020-01-06} } @online{jeff0falltrades:20200610:frat:6a40185, author = {jeFF0Falltrades and James_inthe_box and _re_fox}, title = {{FRat Reporting, YARA, and IoCs}}, date = {2020-06-10}, url = {https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/frat.md}, language = {English}, urldate = {2020-06-12} } @online{jennings:20170417:python:d5a3654, author = {Luke Jennings}, title = {{Python script for decoding DOUBLEPULSAR}}, date = {2017-04-17}, organization = {Github (countercept)}, url = {https://github.com/countercept/doublepulsar-c2-traffic-decryptor}, language = {English}, urldate = {2020-01-08} } @techreport{jiang:20150910:hangul:2e0fc13, author = {Genwei Jiang and Josiah Kimble}, title = {{Hangul Word Processor (HWP)Zero-Day: possible ties to North Korean threat actors}}, date = {2015-09-10}, institution = {FireEye}, url = {https://www.fireeye.com/content/dam/fireeye-www/global/en/blog/threat-research/FireEye_HWP_ZeroDay.pdf}, language = {English}, urldate = {2020-01-13} } @online{jiang:20151216:eps:3db357c, author = {Genwei Jiang and Dan Caselden and Ryann Winters}, title = {{The EPS Awakens}}, date = {2015-12-16}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html}, language = {English}, urldate = {2019-12-20} } @online{jiayu:20180124:mykings:63bef87, author = {JiaYu}, title = {{MyKings: A massively multiple botnet}}, date = {2018-01-24}, url = {http://blog.netlab.360.com/mykings-the-botnet-behind-multiple-active-spreading-botnets/}, language = {Chinese}, urldate = {2019-11-20} } @online{jiayu:20201006:heh:48e69cc, author = {JiaYu}, title = {{HEH, a new IoT P2P Botnet going after weak telnet services}}, date = {2020-10-06}, organization = {360 netlab}, url = {https://blog.netlab.360.com/heh-an-iot-p2p-botnet/}, language = {English}, urldate = {2020-10-07} } @online{jin:20190117:malware:f880151, author = {Xingyu Jin and Claud Xiao}, title = {{Malware Used by “Rocke” Group Evolves to Evade Detection by Cloud Security Products}}, date = {2019-01-17}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/malware-used-by-rocke-group-evolves-to-evade-detection-by-cloud-security-products/}, language = {English}, urldate = {2020-01-07} } @online{jinye:20191217:lazarus:f97fffd, author = {Jinye and GenShen Ye}, title = {{Lazarus Group uses Dacls RAT to attack Linux platform}}, date = {2019-12-17}, organization = {Netlab}, url = {https://blog.netlab.360.com/dacls-the-dual-platform-rat/}, language = {Chinese}, urldate = {2020-01-07} } @online{jinye:20200523:new:20aa28f, author = {Jinye}, title = {{New activity of DoubleGuns Group, control hundreds of thousands of bots via public cloud service}}, date = {2020-05-23}, organization = {360 netlab}, url = {https://blog.netlab.360.com/shuangqiang/}, language = {English}, urldate = {2020-05-26} } @online{jnok:20190128:russia:579f446, author = {Juraj Jánošík}, title = {{Russia hit by new wave of ransomware spam}}, date = {2019-01-28}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/01/28/russia-hit-new-wave-ransomware-spam/}, language = {English}, urldate = {2019-11-14} } @online{joe:20170127:deep:d365b7e, author = {Joe}, title = {{Deep Analysis of Android Ransom Charger}}, date = {2017-01-27}, organization = {Joe's Security}, url = {http://blog.joesecurity.org/2017/01/deep-analysis-of-android-ransom-charger.html}, language = {English}, urldate = {2020-01-08} } @online{joe:20181118:cozybear:4801301, author = {Joe}, title = {{CozyBear – In from the Cold?}}, date = {2018-11-18}, organization = {Stranded on Pylos Blog}, url = {https://pylos.co/2018/11/18/cozybear-in-from-the-cold/}, language = {English}, urldate = {2020-01-09} } @online{johannes:20170131:malicious:ed4f2fb, author = {Johannes}, title = {{Malicious Office files using fileless UAC bypass to drop KEYBASE malware}}, date = {2017-01-31}, organization = {SANS ISC InfoSec Forums}, url = {https://isc.sans.edu/forums/diary/Malicious+Office+files+using+fileless+UAC+bypass+to+drop+KEYBASE+malware/22011/}, language = {English}, urldate = {2020-01-08} } @online{johnson:20130219:apt1:ee9c94f, author = {A L Johnson}, title = {{APT1: Q&A on Attacks by the Comment Crew}}, date = {2013-02-19}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=f1265df5-6e5e-4fcc-9828-d4ddbbafd3d7&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } @online{johnson:20150713:forkmeiamfamous:64957d9, author = {A L Johnson}, title = {{“Forkmeiamfamous”: Seaduke, latest weapon in the Duke armory}}, date = {2015-07-13}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=6ab66701-25d7-4685-ae9d-93d63708a11c&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-08-19} } @online{johnson:20151026:duuzer:e87f194, author = {A L Johnson}, title = {{Duuzer back door Trojan targets South Korea to take over computers}}, date = {2015-10-26}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5b9850b9-0fdd-48a9-b595-9234207ae7df&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } @online{johnson:20160222:russian:cc3bc7b, author = {A L Johnson}, title = {{Russian bank employees received fake job offers in targeted email attack}}, date = {2016-02-22}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=8e498912-44f8-4ea0-ac50-4544f0fedd6c&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } @online{johnson:20160808:strider:49d9d44, author = {A L Johnson}, title = {{Strider: Cyberespionage group turns eye of Sauron on targets}}, date = {2016-08-08}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ce2df4da-afe9-4a24-b28c-0fb3ba671d95&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } @online{johnson:20161130:shamoon:50feb7c, author = {A L Johnson}, title = {{Shamoon: Back from the dead and destructive as ever}}, date = {2016-11-30}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ad6f8259-2bb4-4f7f-b8e1-710b35a4cbed&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } @online{johnson:20170212:attackers:c338fa3, author = {A L Johnson}, title = {{Attackers target dozens of global banks with new malware}}, date = {2017-02-12}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware}, language = {English}, urldate = {2020-04-21} } @online{johnson:20170227:shamoon:0188f39, author = {A L Johnson}, title = {{Shamoon: Multi-staged destructive attacks limited to specific targets}}, date = {2017-02-27}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5758557d-6e3a-4174-90f3-fa92a712ecd9&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } @online{johnson:20170410:longhorn:811e6dc, author = {A L Johnson}, title = {{Longhorn: Tools used by cyberespionage group linked to Vault 7}}, date = {2017-04-10}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7ca2e331-2209-46a8-9e60-4cb83f9602de&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } @online{johnson:20171214:attackers:6b0be76, author = {Blake Johnson and Dan Caban and Marina Krotofil and Dan Scali and Nathan Brubaker and Christopher Glyer}, title = {{Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure}}, date = {2017-12-14}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html}, language = {English}, urldate = {2019-12-20} } @online{johnson:20180515:swedish:47c0265, author = {Simon Johnson and Olof Swahnberg and Niklas Pollard and Hugh Lawson}, title = {{Swedish sports body says anti-doping unit hit by hacking attack}}, date = {2018-05-15}, organization = {Reuters}, url = {https://www.reuters.com/article/us-sweden-doping/swedish-sports-body-says-anti-doping-unit-hit-by-hacking-attack-idUSKCN1IG2GN}, language = {English}, urldate = {2019-12-10} } @techreport{jones:20160426:new:78ff145, author = {Jason Jones}, title = {{New Poison Ivy Activity Targeting Myanmar, Asian Countries}}, date = {2016-04-26}, institution = {Github (CyberMonitor)}, url = {https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/blob/master/2016/2016.04.26.New_Poison_Ivy_Activity_Targeting_Myanmar_Asian_Countries/New%20Poison%20Ivy%20Activity%20Targeting%20Myanmar%2C%20Asian%20Countries.pdf}, language = {English}, urldate = {2019-12-17} } @online{joven:20160603:cooking:a48c0f8, author = {Rommel Abraham D Joven}, title = {{Cooking Up Autumn (Herbst) Ransomware}}, date = {2016-06-03}, organization = {Fortinet}, url = {https://blog.fortinet.com/2016/06/03/cooking-up-autumn-herbst-ransomware}, language = {English}, urldate = {2020-01-08} } @online{joven:20170609:macransom:56a318d, author = {Rommel Joven and Wayne Chin Yick Low}, title = {{MacRansom: Offered as Ransomware as a Service}}, date = {2017-06-09}, organization = {Fortinet}, url = {https://blog.fortinet.com/2017/06/09/macransom-offered-as-ransomware-as-a-service}, language = {English}, urldate = {2020-01-05} } @online{joven:20180517:wicked:913857a, author = {Rommel Joven and Kenny Yang}, title = {{A Wicked Family of Bots}}, date = {2018-05-17}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/a-wicked-family-of-bots.html}, language = {English}, urldate = {2020-01-05} } @online{joven:20190627:inter:2cde728, author = {Rommel Joven}, title = {{Inter: Skimmer For All}}, date = {2019-06-27}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/inter-skimmer-for-all.html}, language = {English}, urldate = {2020-01-10} } @online{jpcert:20160216:banking:43d5789, author = {JPCert}, title = {{Banking Trojan “Citadel” Returns}}, date = {2016-02-16}, organization = {JPCERT/CC}, url = {http://blog.jpcert.or.jp/2016/02/banking-trojan--27d6.html}, language = {English}, urldate = {2019-12-19} } @online{jpcertcc:20180731:scanner:d1757d9, author = {JPCERT/CC}, title = {{Scanner for CobaltStrike}}, date = {2018-07-31}, organization = {Github (JPCERTCC)}, url = {https://github.com/JPCERTCC/aa-tools/blob/master/cobaltstrikescan.py}, language = {English}, urldate = {2020-01-13} } @online{jpcertcc:20191210:updated:86aee30, author = {JPCERT/CC}, title = {{[Updated] Alert Regarding Emotet Malware Infection}}, date = {2019-12-10}, organization = {JPCERT/CC}, url = {https://www.jpcert.or.jp/english/at/2019/at190044.html}, language = {English}, urldate = {2020-01-09} } @online{jr0driguezb:20181009:malware:89b0393, author = {JR0driguezB}, title = {{Malware Configs - Pandabanker}}, date = {2018-10-09}, organization = {Github (JR0driguezB)}, url = {https://github.com/JR0driguezB/malware_configs/tree/master/PandaBanker}, language = {English}, urldate = {2020-01-07} } @online{jr:20151102:shifu:700438c, author = {Floser Bacurio Jr. and Wayne Low}, title = {{Shifu – the rise of a self-destructive banking trojan}}, date = {2015-11-02}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2015/11/shifu-rise-self-destructive-banking-trojan}, language = {English}, urldate = {2020-01-09} } @online{jr:20160829:german:f88cef5, author = {Floser Bacurio Jr. and Joie Salvio}, title = {{German Speakers Targeted by SPAM Leading to Ozone RAT}}, date = {2016-08-29}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/german-speakers-targeted-by-spam-leading-to-ozone-rat.html}, language = {English}, urldate = {2020-01-13} } @online{jullian:20180112:analyzing:572a942, author = {Rémi Jullian}, title = {{Analyzing an Agent Tesla campaign: from a word document to the attacker credentials}}, date = {2018-01-12}, organization = {Stormshield}, url = {https://thisissecurity.stormshield.com/2018/01/12/agent-tesla-campaign/}, language = {English}, urldate = {2019-07-10} } @online{jullian:20180329:indepth:badef63, author = {Rémi Jullian}, title = {{In-depth Formbook malware analysis – Obfuscation and process injection}}, date = {2018-03-29}, organization = {Stormshield}, url = {https://thisissecurity.stormshield.com/2018/03/29/in-depth-formbook-malware-analysis-obfuscation-and-process-injection/}, language = {English}, urldate = {2020-01-10} } @techreport{jullian:20181205:formbook:40cf2ad, author = {Rémi Jullian}, title = {{FORMBOOK In-depth malware analysis}}, date = {2018-12-05}, institution = {Botconf}, url = {https://www.botconf.eu/wp-content/uploads/2018/12/2018-R-Jullian-In-depth-Formbook-Malware-Analysis.pdf}, language = {English}, urldate = {2019-12-17} } @online{jurez:20171121:new:828279e, author = {Oscar Juárez}, title = {{New banking malware in Brazil - XPCTRA RAT ANALYSIS}}, date = {2017-11-21}, organization = {bugaroo}, url = {https://www.buguroo.com/en/blog/bank-malware-in-brazil-xpctra-rat-analysis}, language = {English}, urldate = {2020-01-08} } @online{jursa:20200520:ghostdns:43190d5, author = {David Jursa and Simi Musilova and Jan Rubín and Alexej Savčin}, title = {{GhostDNS Source Code Leaked}}, date = {2020-05-20}, organization = {Avast Decoded}, url = {https://decoded.avast.io/simonamusilova/ghostdns-source-code-leaked/}, language = {English}, urldate = {2020-05-23} } @online{justice:20170410:justice:f1767d7, author = {US Department of Justice}, title = {{Justice Department Announces Actions to Dismantle Kelihos Botnet}}, date = {2017-04-10}, organization = {US Department of Justice}, url = {https://www.justice.gov/opa/pr/justice-department-announces-actions-dismantle-kelihos-botnet-0}, language = {English}, urldate = {2019-12-03} } @online{justice:20180110:phillip:d3877cf, author = {U.S. Department of Justice}, title = {{Phillip Durachinsky Indictment}}, date = {2018-01-10}, url = {https://www.documentcloud.org/documents/4346338-Phillip-Durachinsky-Indictment.html}, language = {English}, urldate = {2019-12-24} } @online{justice:20180323:nine:51457d0, author = {United States Department of Justice}, title = {{Nine Iranians Charged With Conducting Massive Cyber Theft Campaign on Behalf of the Islamic Revolutionary Guard Corps}}, date = {2018-03-23}, organization = {United States Department of Justice}, url = {https://www.justice.gov/usao-sdny/pr/nine-iranians-charged-conducting-massive-cyber-theft-campaign-behalf-islamic}, language = {English}, urldate = {2019-10-23} } @online{justice:20180323:nine:51c3fd6, author = {Department of Justice}, title = {{Nine Iranians Charged With Conducting Massive Cyber Theft Campaign on Behalf of the Islamic Revolutionary Guard Corps}}, date = {2018-03-23}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/nine-iranians-charged-conducting-massive-cyber-theft-campaign-behalf-islamic-revolutionary}, language = {English}, urldate = {2019-12-17} } @online{justice:20180618:joshua:7362ccc, author = {Department of Justice}, title = {{Joshua Adam Schulte Charged with the Unauthorized Disclosure of Classified Information and Other Offenses Relating to the Theft of Classified Material from the Central Intelligence Agency}}, date = {2018-06-18}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/joshua-adam-schulte-charged-unauthorized-disclosure-classified-information-and-other-offenses}, language = {English}, urldate = {2019-11-26} } @online{justice:20181212:indictment:d897f0c, author = {US Department of Justice}, title = {{Indictment against Andrey Turchin aka fxmsp}}, date = {2018-12-12}, organization = {US Department of Justice}, url = {https://www.justice.gov/usao-wdwa/press-release/file/1292541/download}, language = {English}, urldate = {2020-07-08} } @online{justice:20200626:russian:276b274, author = {Department of Justice}, title = {{Russian National (Aleksei Burkov, Cardplanet) Sentenced to Prison for Operating Websites Devoted to Fraud and Malicious Cyber Activities}}, date = {2020-06-26}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/russian-national-sentenced-prison-operating-websites-devoted-fraud-and-malicious-cyber}, language = {English}, urldate = {2020-06-29} } @online{justice:20200731:malware:f004207, author = {Department of Justice}, title = {{Malware Author Pleads Guilty for Role in Transnational Cybercrime Organization Responsible for more than $568 Million in Losses}}, date = {2020-07-31}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/malware-author-pleads-guilty-role-transnational-cybercrime-organization-responsible-more-568}, language = {English}, urldate = {2020-08-05} } @online{justice:20200813:global:fd1a7c6, author = {Department of Justice}, title = {{Global Disruption of Three Terror Finance Cyber-Enabled Campaigns}}, date = {2020-08-13}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/global-disruption-three-terror-finance-cyber-enabled-campaigns}, language = {English}, urldate = {2020-08-14} } @online{justice:20200916:seven:d4591b9, author = {Department of Justice}, title = {{Seven International Cyber Defendants, Including “Apt41” Actors, Charged In Connection With Computer Intrusion Campaigns Against More Than 100 Victims Globally}}, date = {2020-09-16}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer}, language = {English}, urldate = {2020-09-18} } @online{justice:20201007:92:fa152b9, author = {Department of Justice}, title = {{92 domain names that were unlawfully used by Iran’s Islamic Revolutionary Guard Corps (IRGC) to engage in a global disinformation campaign}}, date = {2020-10-07}, organization = {Department of Justice}, url = {https://www.justice.gov/usao-ndca/press-release/file/1325981/download}, language = {English}, urldate = {2020-10-12} } @online{justice:20201007:united:b364424, author = {Department of Justice}, title = {{United States Seizes Domain Names Used by Iran’s Islamic Revolutionary Guard Corps}}, date = {2020-10-07}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/united-states-seizes-domain-names-used-iran-s-islamic-revolutionary-guard-corps}, language = {English}, urldate = {2020-10-12} } @online{justice:20201015:officials:b340951, author = {Department of Justice}, title = {{Officials Announce International Operation Targeting Transnational Criminal Organization QQAAZZ that Provided Money Laundering Services to High-Level Cybercriminals}}, date = {2020-10-15}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/officials-announce-international-operation-targeting-transnational-criminal-organization}, language = {English}, urldate = {2020-10-23} } @online{justice:20201020:six:8e508cd, author = {Department of Justice}, title = {{Six Russian GRU Officers Charged in Connection with Worldwide Deployment of Destructive Malware and Other Disruptive Actions in Cyberspace}}, date = {2020-10-20}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/press-release/file/1328521/download}, language = {English}, urldate = {2020-10-23} } @online{justin:20181217:apt39:6e13cad, author = {Justin}, title = {{Tweet on APT39}}, date = {2018-12-17}, organization = {Twitter (@MJDutch)}, url = {https://twitter.com/MJDutch/status/1074820959784321026?s=19}, language = {English}, urldate = {2020-01-08} } @online{jw:20200325:trickbot:17b0dc3, author = {JW}, title = {{Trickbot to Ryuk in Two Hours}}, date = {2020-03-25}, organization = {Wilbur Security}, url = {https://www.wilbursecurity.com/2020/03/trickbot-to-ryuk-in-two-hours/}, language = {English}, urldate = {2020-03-26} } @online{k:20110130:gpcode:53d8cac, author = {Steven K}, title = {{GpCode Ransomware 2010 Simple Analysis}}, date = {2011-01-30}, url = {http://www.xylibox.com/2011/01/gpcode-ransomware-2010-simple-analysis.html}, language = {English}, urldate = {2019-12-24} } @techreport{k:2018:in:87e5693, author = {Taha K.}, title = {{IN THE TRAILS OF WINDSHIFTAPT}}, date = {2018}, institution = {DarkMatter}, url = {https://gsec.hitb.org/materials/sg2018/D1%20COMMSEC%20-%20In%20the%20Trails%20of%20WINDSHIFT%20APT%20-%20Taha%20Karim.pdf}, language = {English}, urldate = {2020-01-08} } @online{kadiev:20101220:end:0a62065, author = {Alexei Kadiev}, title = {{End of the Line for the Bredolab Botnet?}}, date = {2010-12-20}, organization = {Kaspersky Labs}, url = {https://securelist.com/end-of-the-line-for-the-bredolab-botnet/36335/}, language = {English}, urldate = {2019-12-20} } @online{kafeine:20120816:inside:5dd3a54, author = {Kafeine}, title = {{Inside Upas Kit (1.0.1.1) aka Rombrast C&C - Botnet Control Panel}}, date = {2012-08-16}, organization = {Malware Don't Need Coffee}, url = {https://malware.dontneedcoffee.com/2012/08/inside-upas-kit1.0.1.1.html}, language = {English}, urldate = {2020-01-10} } @online{kafeine:20121129:inside:cff4761, author = {Kafeine}, title = {{Inside view of Lyposit aka (for its friends) Lucky LOCKER}}, date = {2012-11-29}, organization = {Malware Don't Need Coffee}, url = {http://malware.dontneedcoffee.com/2012/11/inside-view-of-lyposit-aka-for-its.html}, language = {English}, urldate = {2019-12-18} } @online{kafeine:20130521:unveiling:1b90bcf, author = {Kafeine}, title = {{Unveiling the Locker Bomba (aka Lucky Locker v0.6 aka Lyposit/Adneukine)}}, date = {2013-05-21}, organization = {Malware Don't Need Coffee}, url = {http://malware.dontneedcoffee.com/2013/05/unveiling-locker-bomba-aka-lucky-locker.html}, language = {English}, urldate = {2020-01-10} } @online{kafeine:20140618:neutrino:a72cb23, author = {Kafeine}, title = {{Neutrino Bot (aka MS:Win32/Kasidet)}}, date = {2014-06-18}, organization = {Malware Don't Need Coffee}, url = {http://malware.dontneedcoffee.com/2014/06/neutrino-bot-aka-kasidet.html}, language = {English}, urldate = {2020-01-10} } @online{kafeine:20150304:new:0c67206, author = {Kafeine}, title = {{New crypto ransomware in town : CryptoFortress}}, date = {2015-03-04}, organization = {Malware Don't Need Coffee}, url = {http://malware.dontneedcoffee.com/2015/03/cryptofortress-teeraca-aka.html}, language = {English}, urldate = {2019-11-29} } @online{kafeine:20170515:adylkuzz:c94b40e, author = {Kafeine}, title = {{Adylkuzz Cryptocurrency Mining Malware Spreading for Weeks Via EternalBlue/DoublePulsar}}, date = {2017-05-15}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/adylkuzz-cryptocurrency-mining-malware-spreading-for-weeks-via-eternalblue-doublepulsar}, language = {English}, urldate = {2019-12-20} } @online{kafeine:20170620:adgholas:8ca8d57, author = {Kafeine}, title = {{AdGholas Malvertising Campaign Using Astrum EK to Deliver Mole Ransomware}}, date = {2017-06-20}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/adgholas-malvertising-campaign-using-astrum-ek-deliver-mole-ransomware}, language = {English}, urldate = {2019-12-20} } @online{kafeine:20171016:coalabot:28f848f, author = {Kafeine}, title = {{CoalaBot: http Ddos Bot}}, date = {2017-10-16}, organization = {Malware Don't Need Coffee}, url = {https://malware.dontneedcoffee.com/2017/10/coalabot-http-ddos-bot.html}, language = {English}, urldate = {2020-01-10} } @online{kafeine:20171019:apt28:927b889, author = {Kafeine and Pierre T}, title = {{APT28 racing to exploit CVE-2017-11292 Flash vulnerability before patches are deployed}}, date = {2017-10-19}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/apt28-racing-exploit-cve-2017-11292-flash-vulnerability-patches-are-deployed}, language = {English}, urldate = {2019-12-20} } @online{kafeine:20180131:smominru:5a6c554, author = {Kafeine}, title = {{Smominru Monero mining botnet making millions for operators}}, date = {2018-01-31}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators}, language = {English}, urldate = {2019-12-20} } @online{kafeine:20190203:fallout:00a924c, author = {Kafeine}, title = {{Tweet on Fallout Exploit Kit}}, date = {2019-02-03}, organization = {Twitter (@kafeine)}, url = {https://twitter.com/kafeine/status/1092000556598677504}, language = {English}, urldate = {2020-01-07} } @online{kafeine:20190722:brushaloader:487137c, author = {Kafeine and Proofpoint Threat Insight Team}, title = {{BrushaLoader still sweeping up victims one year later}}, date = {2019-07-22}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/brushaloader-still-sweeping-victims-one-year-later}, language = {English}, urldate = {2019-12-20} } @online{kafka:20170921:new:8bcb309, author = {Filip Kafka}, title = {{New FinFisher surveillance campaigns: Internet providers involved?}}, date = {2017-09-21}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/09/21/new-finfisher-surveillance-campaigns/}, language = {English}, urldate = {2019-11-14} } @online{kafka:20171208:strongpity2:116d419, author = {Filip Kafka}, title = {{StrongPity2 spyware replaces FinFisher in MitM campaign – ISP involved?}}, date = {2017-12-08}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/12/08/strongpity-like-spyware-replaces-finfisher/}, language = {English}, urldate = {2019-11-14} } @techreport{kafka:20180124:esets:246a0d4, author = {Filip Kafka}, title = {{ESET’S GUIDE TODEOBFUSCATING AND DEVIRTUALIZING FINFISHER}}, date = {2018-01-24}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2018/01/WP-FinFisher.pdf}, language = {English}, urldate = {2020-01-13} } @online{kafka:20180309:new:9d79d4b, author = {Filip Kafka}, title = {{New traces of Hacking Team in the wild}}, date = {2018-03-09}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/03/09/new-traces-hacking-team-wild/}, language = {English}, urldate = {2019-11-14} } @online{kafka:201901:vb2018:7d81852, author = {Filip Kafka}, title = {{VB2018 paper: From Hacking Team to hacked team to...?}}, date = {2019-01}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2019/01/vb2018-paper-hacking-team-hacked-team/}, language = {English}, urldate = {2020-01-13} } @online{kai5263499:20170222:bella:2b93625, author = {kai5263499}, title = {{Bella: A pure python, post-exploitation, data mining tool and remote administration tool for macOS.}}, date = {2017-02-22}, organization = {Github (kai5263499)}, url = {https://github.com/kai5263499/Bella}, language = {English}, urldate = {2020-01-06} } @online{kajiloti:20191112:purelocker:9d8244d, author = {Michael Kajiloti}, title = {{PureLocker: New Ransomware-as-a-Service Being Used in Targeted Attacks Against Servers}}, date = {2019-11-12}, organization = {Intezer}, url = {https://www.intezer.com/blog-purelocker-ransomware-being-used-in-targeted-attacks-against-servers/}, language = {English}, urldate = {2020-01-13} } @online{kajiloti:20200330:fantastic:c01db60, author = {Michael Kajiloti}, title = {{Fantastic payloads and where we find them}}, date = {2020-03-30}, organization = {Intezer}, url = {https://intezer.com/blog/intezer-analyze/fantastic-payloads-and-where-we-find-them}, language = {English}, urldate = {2020-04-07} } @online{kamluk:20140114:icefog:bc79c50, author = {Vitaly Kamluk and Igor Soumenkov and Costin Raiu}, title = {{The Icefog APT Hits US Targets With Java Backdoor}}, date = {2014-01-14}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-icefog-apt-hits-us-targets-with-java-backdoor/58209/}, language = {English}, urldate = {2019-12-20} } @online{kan:20170417:new:6eb33c6, author = {Michael Kan}, title = {{New NSA leak may expose its bank spying, Windows exploits}}, date = {2017-04-17}, organization = {CSO Online}, url = {https://www.csoonline.com/article/3190055/new-nsa-leak-may-expose-its-bank-spying-windows-exploits.html}, language = {English}, urldate = {2019-12-24} } @techreport{karim:20190408:trails:83a8378, author = {Taha Karim}, title = {{Trails of WindShift}}, date = {2019-04-08}, institution = {SANS Cyber Security Summit}, url = {https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1554718868.pdf}, language = {English}, urldate = {2020-01-20} } @online{karim:20191210:new:b423605, author = {Taha Karim}, title = {{New macOS Bundlore Loader Analysis}}, date = {2019-12-10}, organization = {Confiant}, url = {https://blog.confiant.com/new-macos-bundlore-loader-analysis-ca16d19c058c}, language = {English}, urldate = {2020-01-07} } @online{karim:20200713:internet:be95d1e, author = {Taha Karim}, title = {{Internet Explorer CVE-2019–1367 Exploitation — part 1}}, date = {2020-07-13}, organization = {Confiant}, url = {https://blog.confiant.com/internet-explorer-cve-2019-1367-exploitation-part-1-7ff08b7dcc8b}, language = {English}, urldate = {2020-07-15} } @online{karim:20200713:internet:d7f7dd7, author = {Taha Karim}, title = {{Internet Explorer CVE-2019–1367 In the wild Exploitation - prelude}}, date = {2020-07-13}, organization = {Confiant}, url = {https://blog.confiant.com/internet-explorer-cve-2019-1367-in-the-wild-exploitation-prelude-ef546f19cd30}, language = {English}, urldate = {2020-07-15} } @online{karim:20200714:internet:a2f6f67, author = {Taha Karim}, title = {{Internet Explorer CVE-2019–1367 Exploitation — part 3}}, date = {2020-07-14}, organization = {Confiant}, url = {https://blog.confiant.com/internet-explorer-cve-2019-1367-exploitation-part-3-a92d3011b38}, language = {English}, urldate = {2020-07-15} } @online{karmi:20200104:look:441fa96, author = {Doron Karmi}, title = {{A Look Into Konni 2019 Campaign}}, date = {2020-01-04}, organization = {Medium d-hunter}, url = {https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b}, language = {English}, urldate = {2020-01-17} } @online{karpin:20161107:little:598f939, author = {Julia Karpin and Shaul Vilkomir-Preisman and Anna Dorfman}, title = {{Little Trickbot Growing Up: New Campaign}}, date = {2016-11-07}, organization = {F5 Labs}, url = {https://f5.com/labs/articles/threat-intelligence/malware/little-trickbot-growing-up-new-campaign-24412}, language = {English}, urldate = {2020-01-06} } @online{karpin:20180711:tackling:b80ad4a, author = {Julia Karpin}, title = {{Tackling Gootkit's Traps}}, date = {2018-07-11}, organization = {F5}, url = {https://www.f5.com/labs/articles/threat-intelligence/tackling-gootkit-s-traps}, language = {English}, urldate = {2019-12-17} } @techreport{karve:201608:diving:6f604b3, author = {Sanchit Karve and Guilherme Venere and Mark Olea}, title = {{DIVING INTO PINKSLIPBOT’S LATEST CAMPAIGN}}, date = {2016-08}, institution = {Intel Security}, url = {https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Karve-etal.pdf}, language = {English}, urldate = {2019-11-27} } @online{kaspersky:20060626:erpresser:6c57dc7, author = {Kaspersky}, title = {{Erpresser}}, date = {2006-06-26}, organization = {Kaspersky Labs}, url = {https://de.securelist.com/analysis/59479/erpresser/}, language = {German}, urldate = {2020-01-08} } @online{kaspersky:20120717:kaspersky:bbbf635, author = {Kaspersky}, title = {{Kaspersky Lab and Seculert Announce ‘Madi,’ a Newly Discovered Cyber-Espionage Campaign in the Middle East}}, date = {2012-07-17}, organization = {Kaspersky Labs}, url = {https://www.kaspersky.com/about/press-releases/2012_kaspersky-lab-and-seculert-announce--madi--a-newly-discovered-cyber-espionage-campaign-in-the-middle-east}, language = {English}, urldate = {2019-12-10} } @techreport{kaspersky:201402:unveiling:4e5e91c, author = {Kaspersky}, title = {{Unveiling “Careto” - The Masked APT}}, date = {2014-02}, institution = {Kaspersky Labs}, url = {https://d2538mqrb7brka.cloudfront.net/wp-content/uploads/sites/43/2018/03/20133638/unveilingthemask_v1.0.pdf}, language = {English}, urldate = {2019-10-12} } @online{kaspersky:20140827:nettraveler:5469ce3, author = {Kaspersky}, title = {{NetTraveler Gets a Makeover for 10th Anniversary}}, date = {2014-08-27}, organization = {Kaspersky Labs}, url = {https://www.kaspersky.com/about/press-releases/2014_nettraveler-gets-a-makeover-for-10th-anniversary}, language = {English}, urldate = {2020-01-13} } @techreport{kaspersky:201502:equation:3c079fb, author = {Kaspersky}, title = {{Equation Group: Questions and Answers}}, date = {2015-02}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf}, language = {English}, urldate = {2020-01-08} } @techreport{kaspersky:20170307:from:2d853ae, author = {Kaspersky}, title = {{From Shamoon to Stonedrill}}, date = {2017-03-07}, institution = {Kaspersky Labs}, url = {https://securelist.com/files/2017/03/Report_Shamoon_StoneDrill_final.pdf}, language = {English}, urldate = {2020-01-09} } @online{kaspersky:20170501:crouching:a5be2eb, author = {Kaspersky}, title = {{Crouching Yeti (Energetic Bear) Malware}}, date = {2017-05-01}, organization = {Kaspersky Labs}, url = {https://www.kaspersky.com/resource-center/threats/crouching-yeti-energetic-bear-malware-threat}, language = {English}, urldate = {2020-01-10} } @online{kaspersky:20180717:return:1dcb99e, author = {Kaspersky}, title = {{The return of Fantomas, or how we deciphered Cryakl}}, date = {2018-07-17}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-return-of-fantomas-or-how-we-deciphered-cryakl/86511/}, language = {English}, urldate = {2019-12-20} } @online{kaspersky:20190520:video:148e81f, author = {Kaspersky}, title = {{Video: Operation ShadowHammer: Costin Raiu and Vitaly Kamlyuk at #TheSAS2019}}, date = {2019-05-20}, organization = {YouTube}, url = {https://www.youtube.com/watch?v=T5wPwvLrBYU}, language = {English}, urldate = {2020-01-08} } @online{kaspersky:20191029:shadedecryptor:4a5e5f4, author = {Kaspersky}, title = {{ShadeDecryptor tool}}, date = {2019-10-29}, organization = {Kaspersky Labs}, url = {https://support.kaspersky.com/13059}, language = {English}, urldate = {2020-01-09} } @online{kaspersky:20191211:story:d54a08a, author = {Kaspersky}, title = {{Story of the year 2019: Cities under ransomware siege}}, date = {2019-12-11}, organization = {Kaspersky Labs}, url = {https://securelist.com/story-of-the-year-2019-cities-under-ransomware-siege/95456/}, language = {English}, urldate = {2020-01-13} } @online{kaspersky:20200423:look:4e5d7ab, author = {Kaspersky}, title = {{A look at the ATM/PoS malware landscape from 2017-2019}}, date = {2020-04-23}, organization = {Kaspersky Labs}, url = {https://securelist.com/atm-pos-malware-landscape-2017-2019/96750/}, language = {English}, urldate = {2020-04-26} } @online{kasslin:20071101:spam:8c0c4cd, author = {Kimmo Kasslin and Elia Florio}, title = {{Spam from the kernel}}, date = {2007-11-01}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2007/11/spam-kernel}, language = {English}, urldate = {2020-05-04} } @online{kasza:20161025:houdinis:d57d422, author = {Anthony Kasza}, title = {{Houdini’s Magic Reappearance}}, date = {2016-10-25}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-houdinis-magic-reappearance/}, language = {English}, urldate = {2019-11-17} } @online{kasza:20161025:houdinis:f8fba8f, author = {Anthony Kasza}, title = {{Houdini’s Magic Reappearance}}, date = {2016-10-25}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2016/10/unit42-houdinis-magic-reappearance/?adbsc=social67221546&adbid=790972447373668352&adbpl=tw&adbpr=4487645412}, language = {English}, urldate = {2019-12-20} } @online{kasza:20170227:gamaredon:322eb5f, author = {Anthony Kasza and Dominik Reichel}, title = {{The Gamaredon Group Toolset Evolution}}, date = {2017-02-27}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/}, language = {English}, urldate = {2019-12-20} } @online{kasza:20170227:gamaredon:3d28d34, author = {Anthony Kasza and Dominik Reichel}, title = {{The Gamaredon Group Toolset Evolution}}, date = {2017-02-27}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution/}, language = {English}, urldate = {2020-01-09} } @online{kasza:20170227:gamaredon:a88c3f8, author = {Anthony Kasza and Dominik Reichel}, title = {{The Gamaredon Group Toolset Evolution}}, date = {2017-02-27}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution}, language = {English}, urldate = {2019-12-20} } @online{kasza:20170407:blockbuster:0e430d3, author = {Anthony Kasza and Micah Yates}, title = {{The Blockbuster Sequel}}, date = {2017-04-07}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/04/unit42-the-blockbuster-sequel/}, language = {English}, urldate = {2019-12-20} } @online{kasza:20170814:blockbuster:79266d5, author = {Anthony Kasza}, title = {{The Blockbuster Saga Continues}}, date = {2017-08-14}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/08/unit42-blockbuster-saga-continues/}, language = {English}, urldate = {2019-12-20} } @online{kasza:20171120:operation:0bc8efe, author = {Anthony Kasza and Juan Cortes and Micah Yates}, title = {{Operation Blockbuster Goes Mobile}}, date = {2017-11-20}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-operation-blockbuster-goes-mobile/}, language = {English}, urldate = {2019-12-24} } @online{kate:20200119:bayworld:2cc2212, author = {kate}, title = {{BayWorld event, Cyber Attack Against Foreign Trade Industry}}, date = {2020-01-19}, organization = {360}, url = {https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/}, language = {English}, urldate = {2020-02-03} } @online{kate:20200509:clodcore:6e24986, author = {kate}, title = {{ClodCore: A malware family that delivers mining modules through cloud control}}, date = {2020-05-09}, organization = {360 Total Security}, url = {https://blog.360totalsecurity.com/en/clodcore-a-malware-family-that-delivers-mining-modules-through-cloud-control/}, language = {English}, urldate = {2020-05-18} } @online{kate:20200514:vendetta:06e3cde, author = {kate}, title = {{Vendetta - new threat actor from Europe}}, date = {2020-05-14}, organization = {360 Total Security}, url = {https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/}, language = {English}, urldate = {2020-05-18} } @online{kate:20200925:aptc43:15a3501, author = {kate}, title = {{APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries - HpReact campaign}}, date = {2020-09-25}, organization = {360 Total Security}, url = {https://blog.360totalsecurity.com/en/apt-c-43-steals-venezuelan-military-secrets-to-provide-intelligence-support-for-the-reactionaries-hpreact-campaign/}, language = {English}, urldate = {2020-10-02} } @online{kate:20201014:secret:814bae5, author = {kate}, title = {{Secret Stealing Trojan Active in Brazil Releases the New Framework SolarSys}}, date = {2020-10-14}, organization = {360 Total Security}, url = {https://blog.360totalsecurity.com/en/secret-stealing-trojan-active-in-brazil-releases-the-new-framework-solarsys/}, language = {English}, urldate = {2020-10-23} } @online{katsuki:20120820:crisis:60cb26b, author = {Takashi Katsuki}, title = {{Crisis for Windows Sneaks onto Virtual Machines}}, date = {2012-08-20}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/crisis-windows-sneaks-virtual-machines}, language = {English}, urldate = {2020-01-10} } @online{katsuki:20121116:malware:9268919, author = {Takashi Katsuki}, title = {{Malware Targeting Windows 8 Uses Google Docs}}, date = {2012-11-16}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/malware-targeting-windows-8-uses-google-docs}, language = {English}, urldate = {2020-01-10} } @online{kawaii:20191022:new:0d66066, author = {Jagaimo Kawaii}, title = {{New PatchWork Spearphishing Attack}}, date = {2019-10-22}, organization = {Lab52}, url = {https://lab52.io/blog/new-patchwork-campaign-against-pakistan/}, language = {English}, urldate = {2020-01-13} } @online{kawaii:20200113:apt27:4c2f818, author = {Jagaimo Kawaii}, title = {{APT27 ZxShell RootKit module updates}}, date = {2020-01-13}, organization = {Lab52}, url = {https://lab52.io/blog/apt27-rootkit-updates/}, language = {English}, urldate = {2020-01-13} } @online{kawaii:20200602:mustang:2cf125a, author = {Jagaimo Kawaii}, title = {{Mustang Panda Recent Activity: Dll-Sideloading trojans with temporal C2 servers}}, date = {2020-06-02}, organization = {Lab52}, url = {https://lab52.io/blog/mustang-panda-recent-activity-dll-sideloading-trojans-with-temporal-c2-servers/}, language = {English}, urldate = {2020-06-03} } @online{kawaii:20200826:twisted:b91cfb5, author = {Jagaimo Kawaii}, title = {{A twisted malware infection chain}}, date = {2020-08-26}, organization = {Lab52}, url = {https://lab52.io/blog/a-twisted-malware-infection-chain/}, language = {English}, urldate = {2020-08-31} } @online{kayal:20191002:domestic:f400298, author = {Aseel Kayal and Lotem Finkelstein}, title = {{Domestic Kitten: an Iranian surveillance program}}, date = {2019-10-02}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/conference/vb2019/abstracts/domestic-kitten-iranian-surveillance-program}, language = {English}, urldate = {2020-01-09} } @online{kazantsev:20200504:atm:20ca401, author = {Anatoly Kazantsev}, title = {{ATM malware targets Wincor and Diebold ATMs}}, date = {2020-05-04}, organization = {Avira}, url = {https://insights.oem.avira.com/atm-malware-targets-wincor-and-diebold-atms/}, language = {English}, urldate = {2020-05-18} } @online{kb:20170203:zeus:02a798a, author = {Manuel K.-B.}, title = {{Zeus Panda Webinjects: a case study}}, date = {2017-02-03}, url = {https://cyber.wtf/2017/02/03/zeus-panda-webinjects-a-case-study/}, language = {English}, urldate = {2019-11-22} } @online{kb:20170313:zeus:9a4fbcd, author = {Manuel K.-B.}, title = {{Zeus Panda Webinjects: Don’t trust your eyes}}, date = {2017-03-13}, url = {https://cyber.wtf/2017/03/13/zeus-panda-webinjects-dont-trust-your-eyes/}, language = {English}, urldate = {2020-01-13} } @online{keller:20170512:global:2ee68f6, author = {Holger Keller}, title = {{Global WannaCry ransomware outbreak uses known NSA exploits}}, date = {2017-05-12}, organization = {Emsisoft}, url = {http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/}, language = {English}, urldate = {2019-12-10} } @techreport{kellermann:20200528:modern:8155ea4, author = {Tom Kellermann and Ryan Murphy}, title = {{Modern Bank Heists 3.0}}, date = {2020-05-28}, institution = {VMWare Carbon Black}, url = {https://cdn.www.carbonblack.com/wp-content/uploads/2020/05/VMWCB-Report-Modern-Bank-Heists-2020.pdf}, language = {English}, urldate = {2020-05-29} } @online{kelly:20141020:orcarat:236c19f, author = {Dan Kelly and Tom Lancaster}, title = {{OrcaRAT - A whale of a tale}}, date = {2014-10-20}, organization = {PWC}, url = {http://pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.html}, language = {English}, urldate = {2019-11-24} } @online{kenefick:20180910:closer:b2e9b2a, author = {Ian Kenefick}, title = {{A Closer Look at the Locky Poser, PyLocky Ransomware}}, date = {2018-09-10}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/a-closer-look-at-the-locky-poser-pylocky-ransomware/}, language = {English}, urldate = {2020-01-13} } @online{kenin:20171219:brickerbot:4cbdce8, author = {Simon Kenin}, title = {{BrickerBot mod_plaintext Analysis}}, date = {2017-12-19}, organization = {Trustwave}, url = {https://www.trustwave.com/Resources/SpiderLabs-Blog/BrickerBot-mod_plaintext-Analysis/}, language = {English}, urldate = {2020-01-08} } @online{kenin:20190314:attacker:807e3e6, author = {Simon Kenin}, title = {{Attacker Tracking Users Seeking Pakistani Passport}}, date = {2019-03-14}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/attacker-tracking-users-seeking-pakistani-passport/}, language = {English}, urldate = {2020-10-02} } @online{kennedy:20191006:go:82e5c38, author = {Joakim Kennedy}, title = {{Go under the hood: Eris Ransomware}}, date = {2019-10-06}, organization = {Playhouse}, url = {https://lekstu.ga/posts/go-under-the-hood-eris/}, language = {English}, urldate = {2020-01-10} } @online{kennedy:20200810:anomali:241a19b, author = {Joakim Kennedy and Rory Gould}, title = {{Anomali Threat Research Releases First Public Analysis of Smaug Ransomware as a Service}}, date = {2020-08-10}, organization = {Anomali}, url = {https://www.anomali.com/blog/anomali-threat-research-releases-first-public-analysis-of-smaug-ransomware-as-a-service}, language = {English}, urldate = {2020-09-15} } @online{kent:20161220:backdoorpralice:4bbc640, author = {Nolan Kent}, title = {{Backdoor.Pralice}}, date = {2016-12-20}, organization = {Symantec}, url = {https://www.symantec.com/security-center/writeup/2016-122104-0203-99}, language = {English}, urldate = {2019-07-09} } @online{kerner:20170406:chinese:81730df, author = {Sean Michael Kerner}, title = {{Chinese Nation-State Hackers Target U.S in Operation TradeSecret}}, date = {2017-04-06}, organization = {eWeek}, url = {https://www.eweek.com/security/chinese-nation-state-hackers-target-u.s-in-operation-tradesecret}, language = {English}, urldate = {2020-01-08} } @online{kerr:20180213:stopping:14ebecf, author = {Devon Kerr}, title = {{Stopping Olympic Destroyer: New Process Injection Insights}}, date = {2018-02-13}, organization = {Endgame}, url = {https://www.endgame.com/blog/technical-blog/stopping-olympic-destroyer-new-process-injection-insights}, language = {English}, urldate = {2020-01-08} } @online{kersten:20190216:emotet:7cb0628, author = {Max Kersten}, title = {{Emotet droppers}}, date = {2019-02-16}, organization = {Max Kersten's Blog}, url = {https://maxkersten.nl/binary-analysis-course/malware-analysis/emotet-droppers/}, language = {English}, urldate = {2020-01-09} } @online{kersten:20191014:corona:60d807b, author = {Max Kersten}, title = {{Corona DDoS bot}}, date = {2019-10-14}, organization = {Max Kersten's Blog}, url = {https://maxkersten.nl/binary-analysis-course/malware-analysis/corona-ddos-bot/}, language = {English}, urldate = {2020-01-13} } @online{kersten:20200120:ticket:ad7af1c, author = {Max Kersten}, title = {{Ticket resellers infected with a credit card skimmer}}, date = {2020-01-20}, organization = {Max Kersten's Blog}, url = {https://maxkersten.nl/2020/01/20/ticket-resellers-infected-with-a-credit-card-skimmer/}, language = {English}, urldate = {2020-01-27} } @online{kersten:20200217:following:07470c1, author = {Max Kersten}, title = {{Following the tracks of MageCart 12}}, date = {2020-02-17}, organization = {Max Kersten's Blog}, url = {https://maxkersten.nl/2020/02/17/following-the-tracks-of-magecart-12/}, language = {English}, urldate = {2020-02-20} } @online{kersten:20200224:closing:9d39fcf, author = {Max Kersten}, title = {{Closing in on MageCart 12}}, date = {2020-02-24}, organization = {Max Kersten's Blog}, url = {https://maxkersten.nl/2020/02/24/closing-in-on-magecart-12/}, language = {English}, urldate = {2020-02-25} } @online{kersten:20200326:azorult:5d5ee1f, author = {Max Kersten}, title = {{Azorult loader stages}}, date = {2020-03-26}, organization = {Max Kersten's Blog}, url = {https://maxkersten.nl/binary-analysis-course/malware-analysis/azorult-loader-stages/}, language = {English}, urldate = {2020-03-26} } @online{kersten:20200414:emotet:ec18d45, author = {Max Kersten}, title = {{Emotet JavaScript downloader}}, date = {2020-04-14}, url = {https://maxkersten.nl/binary-analysis-course/malware-analysis/emotet-javascript-downloader/}, language = {English}, urldate = {2020-04-14} } @online{kersten:20200826:rezer0v4:3bc357a, author = {Max Kersten}, title = {{ReZer0v4 loader}}, date = {2020-08-26}, organization = {Max Kersten's Blog}, url = {https://maxkersten.nl/binary-analysis-course/malware-analysis/rezer0v4-loader/}, language = {English}, urldate = {2020-08-27} } @online{kersten:20200917:automatic:8b19414, author = {Max Kersten}, title = {{Automatic ReZer0 payload and configuration extraction}}, date = {2020-09-17}, organization = {Max Kersten's Blog}, url = {https://maxkersten.nl/binary-analysis-course/analysis-scripts/automatic-rezer0-payload-and-configuration-extraction/}, language = {English}, urldate = {2020-09-18} } @online{keshet:20161109:tricks:c3ab510, author = {Lior Keshet}, title = {{Tricks of the Trade: A Deeper Look Into TrickBot’s Machinations}}, date = {2016-11-09}, url = {https://securityintelligence.com/tricks-of-the-trade-a-deeper-look-into-trickbots-machinations/}, language = {English}, urldate = {2019-10-17} } @online{keshet:20170104:exposing:fd0938e, author = {Lior Keshet}, title = {{Exposing an AV-Disabling Driver Just in Time for Lunch}}, date = {2017-01-04}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/exposing-av-disabling-drivers-just-in-time-for-lunch/}, language = {English}, urldate = {2020-01-10} } @online{keshet:20170110:client:5352952, author = {Lior Keshet and Limor Kessem}, title = {{Client Maximus: New Remote Overlay Malware Highlights Rising Malcode Sophistication in Brazil}}, date = {2017-01-10}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/client-maximus-new-remote-overlay-malware-highlights-rising-malcode-sophistication-in-brazil/}, language = {English}, urldate = {2020-01-07} } @online{kessem:20130807:thieves:f60d69b, author = {Limor Kessem}, title = {{Thieves Reaching for Linux—”Hand of Thief” Trojan Targets Linux #INTH3WILD}}, date = {2013-08-07}, organization = {RSA}, url = {https://web.archive.org/web/20130815040638/https://blogs.rsa.com/thieves-reaching-for-linux-hand-of-thief-trojan-targets-linux-inth3wild/}, language = {English}, urldate = {2020-03-02} } @online{kessem:20150812:tinba:250e880, author = {Limor Kessem}, title = {{Tinba Trojan Sets Its Sights on Romania}}, date = {2015-08-12}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/tinba-trojan-sets-its-sights-on-romania/}, language = {English}, urldate = {2020-01-06} } @online{kessem:20150831:shifu:389070d, author = {Limor Kessem and Ilya Kolmanovich and Denis Laskov}, title = {{Shifu: ‘Masterful’ New Banking Trojan Is Attacking 14 Japanese Banks}}, date = {2015-08-31}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/shifu-masterful-new-banking-trojan-is-attacking-14-japanese-banks/}, language = {English}, urldate = {2020-10-23} } @online{kessem:20160414:meet:16351ef, author = {Limor Kessem and Lior Keshet}, title = {{Meet GozNym: The Banking Malware Offspring of Gozi ISFB and Nymaim}}, date = {2016-04-14}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/meet-goznym-the-banking-malware-offspring-of-gozi-isfb-and-nymaim/}, language = {English}, urldate = {2020-01-06} } @online{kessem:20160708:gootkit:ed75518, author = {Limor Kessem}, title = {{GootKit: Bobbing and Weaving to Avoid Prying Eyes}}, date = {2016-07-08}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/gootkit-bobbing-and-weaving-to-avoid-prying-eyes/}, language = {English}, urldate = {2020-01-07} } @online{kessem:20160816:brazil:0bc05a3, author = {Limor Kessem and Denis Laskov and Ziv Eli}, title = {{Brazil Can’t Catch a Break: After Panda Comes the Sphinx}}, date = {2016-08-16}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/brazil-cant-catch-a-break-after-panda-comes-the-sphinx/}, language = {English}, urldate = {2020-01-08} } @online{kessem:20160920:meanwhile:7b7a093, author = {Limor Kessem and Hanan Natan and Denis Laskov}, title = {{Meanwhile in Britain, Qadars v3 Hardens Evasion, Targets 18 UK Banks}}, date = {2016-09-20}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/meanwhile-britain-qadars-v3-hardens-evasion-targets-18-uk-banks/}, language = {English}, urldate = {2019-12-17} } @online{kessem:20170126:around:eaefc0c, author = {Limor Kessem}, title = {{Around the World With Zeus Sphinx: From Canada to Australia and Back}}, date = {2017-01-26}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/around-the-world-with-zeus-sphinx-from-canada-to-australia-and-back/}, language = {English}, urldate = {2020-01-07} } @online{kessem:20170328:nukebot:2b33bbb, author = {Limor Kessem and Ilya Kolmanovich}, title = {{The NukeBot Trojan, a Bruised Ego and a Surprising Source Code Leak}}, date = {2017-03-28}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/the-nukebot-trojan-a-bruised-ego-and-a-surprising-source-code-leak/}, language = {English}, urldate = {2020-01-05} } @online{kessem:20170615:zeus:7c4b8e4, author = {Limor Kessem}, title = {{Zeus Sphinx Pushes Empty Configuration Files — What Has the Sphinx Got Cooking?}}, date = {2017-06-15}, url = {https://securityintelligence.com/zeus-sphinx-pushes-empty-configuration-files-what-has-the-sphinx-got-cooking/}, language = {English}, urldate = {2019-12-02} } @online{kessem:20170727:after:10c4ba5, author = {Limor Kessem and Shachar Gritzman}, title = {{After Big Takedown Efforts, 20 More BankBot Mobile Malware Apps Make It Into Google Play}}, date = {2017-07-27}, organization = {Security Intelligence}, url = {https://securityintelligence.com/after-big-takedown-efforts-20-more-bankbot-mobile-malware-apps-make-it-into-google-play/}, language = {English}, urldate = {2019-12-06} } @online{kessem:20171011:trickbot:57ebc20, author = {Limor Kessem}, title = {{TrickBot Takes to Latin America, Continues to Expand Its Global Reach}}, date = {2017-10-11}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/trickbot-takes-to-latin-america-continues-to-expand-its-global-reach/}, language = {English}, urldate = {2020-01-08} } @online{kessem:20171113:new:bb937fd, author = {Limor Kessem and Maor Wiesen and Tal Darsan and Tomer Agayev}, title = {{New Banking Trojan IcedID Discovered by IBM X-Force Research}}, date = {2017-11-13}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/}, language = {English}, urldate = {2019-11-27} } @online{kessem:20180822:backswap:73c04f5, author = {Limor Kessem}, title = {{BackSwap Malware Now Targets Six Banks in Spain}}, date = {2018-08-22}, organization = {IBM}, url = {https://securityintelligence.com/backswap-malware-now-targets-six-banks-in-spain/}, language = {English}, urldate = {2019-12-20} } @online{kessem:20180904:camubot:d0c8b12, author = {Limor Kessem and Maor Wiesen}, title = {{CamuBot: New Financial Malware Targets Brazilian Banking Customers}}, date = {2018-09-04}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/camubot-new-financial-malware-targets-brazilian-banking-customers/}, language = {English}, urldate = {2020-01-13} } @online{kessem:20190516:goznym:cb4a177, author = {Limor Kessem}, title = {{GozNym Closure Comes in the Shape of a Europol and DOJ Arrest Operation}}, date = {2019-05-16}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/posts/goznym-closure-comes-in-the-shape-of-a-europol-and-doj-arrest-operation/}, language = {English}, urldate = {2019-12-05} } @online{khandelwal:20200608:red:ff4aae7, author = {Shantanu Khandelwal}, title = {{Red Team: Using SharpChisel to exfil internal network}}, date = {2020-06-08}, organization = {Medium shantanukhande}, url = {https://medium.com/@shantanukhande/red-team-using-sharpchisel-to-exfil-internal-network-e1b07ed9b49}, language = {English}, urldate = {2020-08-18} } @online{khanse:20170301:poorly:1107be6, author = {Anand Khanse}, title = {{Poorly coded Lamdelin Lockscreen Ransomware lets you in using Alt+F4}}, date = {2017-03-01}, organization = {The Windows Club}, url = {http://news.thewindowsclub.com/poorly-coded-lamdelin-lockscreen-ransomware-alt-f4-88576/}, language = {English}, urldate = {2019-07-09} } @online{kharouni:20100121:sasfis:8634992, author = {Loucif Kharouni}, title = {{SASFIS Fizzles in the Background}}, date = {2010-01-21}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/sasfis-fizzles-in-the-background/}, language = {English}, urldate = {2019-12-18} } @techreport{kharouni:20141027:operation:1b13f15, author = {Loucif Kharouni and Feike Hacquebord and Numaan Huq and Jim Gogolinski and Fernando Mercês and Alfred Remorin and Douglas Otis}, title = {{Operation Pawn Storm: Using Decoys to Evade Detection}}, date = {2014-10-27}, institution = {Trend Micro}, url = {https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf}, language = {English}, urldate = {2020-09-15} } @techreport{kharouni:201410:operation:f1d1705, author = {Loucif Kharouni and Feike Hacquebord and Numaan Huq and Jim Gogolinski and Fernando Mercês and Alfred Remorin and Douglas Otis}, title = {{Operation Pawn Storm: Using Decoys to Evade Detection}}, date = {2014-10}, institution = {Trend Micro}, url = {http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf}, language = {English}, urldate = {2019-11-28} } @online{khasaia:20170717:wmighost:20b59d3, author = {Lasha Khasaia}, title = {{WMIGhost / Wimmie - WMI malware}}, date = {2017-07-17}, organization = {Secrary Blog}, url = {https://secrary.com/ReversingMalware/WMIGhost/}, language = {English}, urldate = {2019-12-24} } @online{khasaia:20180319:reversing:f6a3e7c, author = {Lasha Khasaia}, title = {{Reversing iBank Trojan [Injection Phase]}}, date = {2018-03-19}, organization = {Secrary}, url = {https://secrary.com/ReversingMalware/iBank/}, language = {English}, urldate = {2019-10-29} } @online{khasaia:20180628:brief:d854824, author = {Lasha Khasaia}, title = {{A Brief Overview of the AMMYY RAT Downloader}}, date = {2018-06-28}, organization = {Secrary Blog}, url = {https://secrary.com/ReversingMalware/AMMY_RAT_Downloader/}, language = {English}, urldate = {2020-01-13} } @online{kim:20180720:cyberattack:ac7f5e4, author = {Jack Kim}, title = {{Cyberattack on Singapore health database steals details of 1.5 million, including PM}}, date = {2018-07-20}, organization = {Reuters}, url = {https://www.reuters.com/article/us-singapore-cyberattack/cyberattack-on-singapore-health-database-steals-details-of-1-5-million-including-pm-idUSKBN1KA14J}, language = {English}, urldate = {2020-01-08} } @techreport{kim:20191004:kimsuky:5780914, author = {Jaeki Kim and Kyoung-ju Kwak and Min-Chang Jang}, title = {{Kimsuky group: tracking the king of the spear-phishing}}, date = {2019-10-04}, institution = {Virus Bulletin}, url = {https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Kim.pdf}, language = {English}, urldate = {2020-09-23} } @online{kim:20200310:kimsuky:f634a21, author = {Jaeki Kim and Kyoung-Ju Kwak (郭炅周) and Min-Chang Jang}, title = {{Kimsuky group: tracking the king of the spear phishing}}, date = {2020-03-10}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-kimsuky-group-tracking-king-spearphishing/}, language = {English}, urldate = {2020-09-23} } @online{kimayong:20180213:new:b8d70e2, author = {Paul Kimayong}, title = {{New Gootkit Banking Trojan variant pushes the limits on evasive behavior}}, date = {2018-02-13}, organization = {Juniper}, url = {https://forums.juniper.net/t5/Security-Now/New-Gootkit-Banking-Trojan-variant-pushes-the-limits-on-evasive/ba-p/319055}, language = {English}, urldate = {2019-12-10} } @online{kimayong:20180521:nukebot:dcd8985, author = {Paul Kimayong}, title = {{Nukebot Banking Trojan targeting people in France}}, date = {2018-05-21}, organization = {Juniper}, url = {https://forums.juniper.net/t5/Threat-Research/Nukebot-Banking-Trojan-targeting-people-in-France/ba-p/326702}, language = {English}, urldate = {2019-11-22} } @online{kimayong:20190926:masad:0f8ea5a, author = {Paul Kimayong}, title = {{Masad Stealer: Exfiltrating using Telegram}}, date = {2019-09-26}, organization = {Juniper}, url = {https://blogs.juniper.net/en-us/threat-research/masad-stealer-exfiltrating-using-telegram}, language = {English}, urldate = {2020-09-03} } @online{kimayong:20200618:covid19:4bb5511, author = {Paul Kimayong}, title = {{COVID-19 and FMLA Campaigns used to install new IcedID banking malware}}, date = {2020-06-18}, organization = {Juniper}, url = {https://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware}, language = {English}, urldate = {2020-06-23} } @online{kimayong:20200812:icedid:b40f8b4, author = {Paul Kimayong}, title = {{IcedID Campaign Strikes Back}}, date = {2020-08-12}, organization = {Juniper}, url = {https://blogs.juniper.net/en-us/threat-research/iceid-campaign-strikes-back}, language = {English}, urldate = {2020-08-27} } @online{kimayong:20201005:new:739309f, author = {Paul Kimayong}, title = {{New pastebin-like service used in multiple malware campaigns}}, date = {2020-10-05}, organization = {Juniper}, url = {https://blogs.juniper.net/en-us/threat-research/new-pastebin-like-service-used-in-multiple-malware-campaigns}, language = {English}, urldate = {2020-10-07} } @online{kimberly:20110804:analysis:fcb91de, author = {Kimberly}, title = {{Analysis of ngrBot}}, date = {2011-08-04}, organization = {Stop Malvertising Rootkits}, url = {http://stopmalvertising.com/rootkits/analysis-of-ngrbot.html}, language = {English}, urldate = {2019-12-04} } @online{kimberly:20120420:analysis:6fe646f, author = {Kimberly}, title = {{Analysis of DarkMegi aka NpcDark}}, date = {2012-04-20}, organization = {StopMalvertising}, url = {http://stopmalvertising.com/rootkits/analysis-of-darkmegi-aka-npcdark.html}, language = {English}, urldate = {2020-01-09} } @online{kimberly:20140427:analysis:a034e60, author = {Kimberly}, title = {{Analysis of the Predator Pain Keylogger}}, date = {2014-04-27}, organization = {StopMalvertising}, url = {http://stopmalvertising.com/malware-reports/analysis-of-the-predator-pain-keylogger.html}, language = {English}, urldate = {2019-11-24} } @online{kimberly:20140716:mini:58ac768, author = {Kimberly}, title = {{Mini Analysis of the TinyBanker Tinba}}, date = {2014-07-16}, organization = {StopMalvertising}, url = {http://stopmalvertising.com/malware-reports/mini-analysis-of-the-tinybanker-tinba.html}, language = {English}, urldate = {2020-01-08} } @online{kimberly:20140831:introduction:eb2cc6b, author = {Kimberly}, title = {{Introduction to the ZeroLocker ransomware}}, date = {2014-08-31}, organization = {StopMalvertising}, url = {http://stopmalvertising.com/malware-reports/introduction-to-the-zerolocker-ransomware.html}, language = {English}, urldate = {2020-01-13} } @online{kimberly:20191010:malware:032ed3c, author = {Kimberly}, title = {{Tweet on Malware Sample}}, date = {2019-10-10}, organization = {Twitter (@StopMalvertisin)}, url = {https://twitter.com/StopMalvertisin/status/1182505434231398401}, language = {English}, urldate = {2020-01-10} } @online{kino:20200220:lodeinfo:9842ab1, author = {Kota Kino}, title = {{日本国内の組織を狙ったマルウエアLODEINFO}}, date = {2020-02-20}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/ja/2020/02/LODEINFO.html}, language = {Japanese}, urldate = {2020-02-27} } @online{kino:20200611:lodeinfo:104e43a, author = {Kota Kino}, title = {{マルウエアLODEINFOの進化 (Evolution of Malware LODEINFO)}}, date = {2020-06-11}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/ja/2020/06/LODEINFO-2.html}, language = {Japanese}, urldate = {2020-06-12} } @online{kirk:20110726:spyeye:a7ad044, author = {Jeremy Kirk}, title = {{SpyEye Trojan defeating online banking defenses}}, date = {2011-07-26}, organization = {Computerworld}, url = {https://www.computerworld.com/article/2509482/spyeye-trojan-defeating-online-banking-defenses.html}, language = {English}, urldate = {2020-01-13} } @online{kirk:20120104:spyeye:3ecb013, author = {Jeremy Kirk}, title = {{SpyEye Malware Borrows Zeus Trick to Mask Fraud}}, date = {2012-01-04}, organization = {PCWorld}, url = {https://www.pcworld.com/article/247252/spyeye_malware_borrows_zeus_trick_to_mask_fraud.html}, language = {English}, urldate = {2020-01-08} } @online{kirk:20160221:source:dfeba08, author = {Jeremy Kirk}, title = {{Source code for powerful Android banking malware is leaked}}, date = {2016-02-21}, url = {https://www.pcworld.com/article/3035725/source-code-for-powerful-android-banking-malware-is-leaked.html}, language = {English}, urldate = {2019-10-29} } @online{kivva:20160606:everyone:ee770c6, author = {Anton Kivva}, title = {{Everyone sees not what they want to see}}, date = {2016-06-06}, organization = {Kaspersky Labs}, url = {https://securelist.com/everyone-sees-not-what-they-want-to-see/74997/}, language = {English}, urldate = {2019-12-20} } @online{kiwi:20110428:un:4c39d1d, author = {Gentil Kiwi}, title = {{Un observateur d’événements aveugle…}}, date = {2011-04-28}, url = {http://blog.gentilkiwi.com/securite/un-observateur-evenements-aveugle}, language = {English}, urldate = {2020-01-07} } @online{kiyotaka:20180329:chessmaster:c48e1c0, author = {Tamada Kiyotaka and MingYen Hsieh}, title = {{ChessMaster Adds Updated Tools to Its Arsenal}}, date = {2018-03-29}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-adds-updated-tools-to-its-arsenal/}, language = {English}, urldate = {2020-01-08} } @techreport{kiyotaka:20200117:is:969ff38, author = {Tamada Kiyotaka and Keita Yamazaki and You Nakatsuru}, title = {{Is It Wrong to Try to Find APT Techniques in Ransomware Attack?}}, date = {2020-01-17}, institution = {Secureworks}, url = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf}, language = {English}, urldate = {2020-04-06} } @online{klason:20180809:bokbot:499f316, author = {Alfred Klason}, title = {{Bokbot: The (re)birth of a banker}}, date = {2018-08-09}, organization = {Fox-IT}, url = {https://blog.fox-it.com/2018/08/09/bokbot-the-rebirth-of-a-banker/}, language = {English}, urldate = {2019-12-20} } @online{klein:20120215:merchant:b6f5565, author = {Amit Klein}, title = {{Merchant of Fraud Returns: Shylock Polymorphic Financial Malware Infections on the Rise}}, date = {2012-02-15}, organization = {Security Intelligence}, url = {https://securityintelligence.com/merchant-of-fraud-returns-shylock-polymorphic-financial-malware-infections-on-the-rise/}, language = {English}, urldate = {2019-11-23} } @online{kleinhen:20190603:code:3634038, author = {Derek Kleinhen}, title = {{Code Analysis of Basic Cryptomining Malware}}, date = {2019-06-03}, organization = {Kindred Security}, url = {https://kindredsec.com/2019/06/03/code-analysis-of-basic-cryptomining-malware/}, language = {English}, urldate = {2020-01-06} } @techreport{kleinhen:20191210:swort:ab1b863, author = {Derek Kleinhen}, title = {{Swort PowerShell Stager Analysis}}, date = {2019-12-10}, institution = {Github (itsKindred)}, url = {https://github.com/itsKindred/malware-analysis-writeups/blob/master/swrort-dropper/swrort-stager-analysis.pdf}, language = {English}, urldate = {2020-01-10} } @techreport{kleinhen:20191224:bashar:944cfdf, author = {Derek Kleinhen}, title = {{Bashar Bachir Infection Chain Analysis}}, date = {2019-12-24}, institution = {Github (itsKindred)}, url = {https://github.com/itsKindred/malware-analysis-writeups/blob/master/bashar-bachir-chain/bashar-bachir-analysis.pdf}, language = {English}, urldate = {2020-01-10} } @online{kleissner:20130326:behind:d12032a, author = {Peter Kleissner}, title = {{Behind MultiBanker, what the security industry doesn’t tell you and its money mule network}}, date = {2013-03-26}, organization = {Kleissner & Associates}, url = {http://blog.kleissner.org/?p=69}, language = {English}, urldate = {2019-12-20} } @online{kleissner:20130521:news:b67b754, author = {Peter Kleissner}, title = {{News on MultiBanker, features now a jabber p2p functionality}}, date = {2013-05-21}, organization = {Kleissner & Associates}, url = {http://blog.kleissner.org/?p=192}, language = {English}, urldate = {2020-01-08} } @online{kleissner:20150610:pony:2dbaf47, author = {Peter Kleissner}, title = {{Pony + Pkybot + Automated Transfer System = Banker}}, date = {2015-06-10}, organization = {Kleissner & Associates}, url = {http://blog.kleissner.org/?p=788}, language = {English}, urldate = {2020-01-08} } @techreport{kleissner:20151202:sality:791ea01, author = {Peter Kleissner}, title = {{Sality: 2003 - Today}}, date = {2015-12-02}, institution = {Botconf}, url = {https://www.botconf.eu/wp-content/uploads/2015/12/OK-P18-Kleissner-Sality.pdf}, language = {English}, urldate = {2020-01-13} } @online{klijnsma:20151130:inside:801d2d4, author = {Yonathan Klijnsma}, title = {{Inside Braviax/FakeRean: An analysis and history of a FakeAV family}}, date = {2015-11-30}, organization = {0x3A Security}, url = {https://0x3asecurity.wordpress.com/2015/11/30/134260124544/}, language = {English}, urldate = {2019-07-09} } @techreport{klijnsma:20160517:mofang:7035a61, author = {Yonathan Klijnsma and Danny Heppener and Mitchel Sahertian and Krijn de Mik and Maarten van Dantzig and Yun Zheng Hu and Lennart Haagsma and Martin van Hensbergen and Erik de Jong}, title = {{Mofang: A politically motivated information stealing adversary}}, date = {2016-05-17}, institution = {Fox-IT}, url = {https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf}, language = {English}, urldate = {2020-01-09} } @online{klijnsma:20171025:down:8d41ef5, author = {Yonathan Klijnsma}, title = {{Down the Rabbit Hole: Tracking the BadRabbit Ransomware to a Long Ongoing Campaign of Target Selection}}, date = {2017-10-25}, organization = {RiskIQ}, url = {https://www.riskiq.com/blog/labs/badrabbit/}, language = {English}, urldate = {2020-01-10} } @online{klijnsma:20171026:new:8298949, author = {Yonathan Klijnsma}, title = {{New htpRAT Gives Complete Remote Control Capabilities to Chinese Cyber Threat Actors}}, date = {2017-10-26}, organization = {RiskIQ}, url = {https://www.riskiq.com/blog/labs/htprat/}, language = {English}, urldate = {2020-01-09} } @online{klijnsma:20171102:new:d98411c, author = {Yonathan Klijnsma}, title = {{New Insights into Energetic Bear’s Watering Hole Cyber Attacks on Turkish Critical Infrastructure}}, date = {2017-11-02}, organization = {RiskIQ}, url = {https://www.riskiq.com/blog/labs/energetic-bear/}, language = {English}, urldate = {2020-01-13} } @online{klijnsma:20171128:gaffe:7c5097a, author = {Yonathan Klijnsma}, title = {{Gaffe Reveals Full List of Targets in Spear Phishing Attack Using Cobalt Strike Against Financial Institutions}}, date = {2017-11-28}, organization = {RiskIQ}, url = {https://www.riskiq.com/blog/labs/cobalt-strike/}, language = {English}, urldate = {2020-01-13} } @online{klijnsma:20171220:mining:4b3dc11, author = {Yonathan Klijnsma}, title = {{Mining Insights: Infrastructure Analysis of Lazarus Group Cyber Attacks on the Cryptocurrency Industry}}, date = {2017-12-20}, organization = {RiskIQ}, url = {https://www.riskiq.com/blog/labs/lazarus-group-cryptocurrency/}, language = {English}, urldate = {2020-01-13} } @online{klijnsma:20180116:first:9184887, author = {Yonathan Klijnsma}, title = {{First Activities of Cobalt Group in 2018: Spear Phishing Russian Banks}}, date = {2018-01-16}, organization = {RiskIQ}, url = {https://www.riskiq.com/blog/labs/cobalt-group-spear-phishing-russian-banks/}, language = {English}, urldate = {2019-11-26} } @online{klijnsma:20180123:espionage:f3d28b0, author = {Yonathan Klijnsma}, title = {{Espionage Campaign Leverages Spear Phishing, RATs Against Turkish Defense Contractors}}, date = {2018-01-23}, organization = {RiskIQ}, url = {https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/}, language = {English}, urldate = {2019-12-24} } @online{klijnsma:20180709:inside:e92fff2, author = {Yonathan Klijnsma and Jordan Herman}, title = {{Inside and Beyond Ticketmaster: The Many Breaches of Magecart}}, date = {2018-07-09}, organization = {RiskIQ}, url = {https://www.riskiq.com/blog/labs/magecart-ticketmaster-breach/}, language = {English}, urldate = {2020-01-12} } @online{klijnsma:20190228:magecart:e2b0173, author = {Yonathan Klijnsma}, title = {{Magecart Group 4: Never Gone, Always Advancing – Professionals In Cybercrime}}, date = {2019-02-28}, organization = {RiskIQ}, url = {https://www.riskiq.com/blog/labs/magecart-group-4-always-advancing/}, language = {English}, urldate = {2020-01-06} } @online{klijnsma:20200318:magecart:2ee4a78, author = {Yonathan Klijnsma}, title = {{Magecart Group 8 Blends into NutriBullet.com Adding To Their Growing List of Victims}}, date = {2020-03-18}, organization = {RiskIQ}, url = {https://www.riskiq.com/blog/labs/magecart-nutribullet/}, language = {English}, urldate = {2020-03-19} } @online{kline:20170810:globe:382859f, author = {Amanda Kline}, title = {{Globe Imposter Ransomware Makes a New Run}}, date = {2017-08-10}, organization = {PhishLabs}, url = {https://info.phishlabs.com/blog/globe-imposter-ransomware-makes-a-new-run}, language = {English}, urldate = {2020-01-07} } @online{klinger:20200526:passive:8d29e47, author = {Konstantin Klinger}, title = {{Passive DNS for Threat Detection & Hunting (Discussing some infrastructure related to APT32)}}, date = {2020-05-26}, organization = {Youtube (GRIMM Cyber)}, url = {https://www.youtube.com/watch?v=ftjDH65kw6E}, language = {English}, urldate = {2020-10-12} } @online{klnai:20130408:banking:20bce4c, author = {Peter Kálnai}, title = {{Banking Trojan Carberp: An Epitaph?}}, date = {2013-04-08}, organization = {Avast}, url = {https://blog.avast.com/2013/04/08/carberp_epitaph/}, language = {English}, urldate = {2020-02-25} } @online{klnai:20130722:multisystem:907e0a4, author = {Peter Kálnai}, title = {{Multisystem Trojan Janicab attacks Windows and MacOSX via scripts}}, date = {2013-07-22}, organization = {Avast}, url = {https://blog.avast.com/2013/07/22/multisystem-trojan-janicab-attacks-windows-and-macosx-via-scripts/}, language = {English}, urldate = {2020-05-20} } @online{klnai:20130827:linux:02c05c7, author = {Peter Kálnai}, title = {{Linux Trojan “Hand of Thief” ungloved}}, date = {2013-08-27}, organization = {Avast}, url = {https://blog.avast.com/2013/08/27/linux-trojan-hand-of-thief-ungloved/}, language = {English}, urldate = {2020-03-02} } @online{klnai:20130925:win3264napolar:4f16ddc, author = {Peter Kálnai}, title = {{Win32/64:Napolar: New Trojan shines on the cyber crime-scene}}, date = {2013-09-25}, organization = {Avast}, url = {https://blog.avast.com/2013/09/25/win3264napolar-new-trojan-shines-on-the-cyber-crime-scene/}, language = {English}, urldate = {2020-02-26} } @techreport{klnai:20131029:dissecting:30488b5, author = {Peter Kálnai and Jaromír Hořejší}, title = {{Dissecting Banking Trojan Carberp}}, date = {2013-10-29}, institution = {RSA Conference}, url = {https://web.archive.org/web/20150713145858/http://www.rsaconference.com/writable/presentations/file_upload/ht-t06-dissecting-banking-trojan-carberp_copy1.pdf}, language = {English}, urldate = {2020-02-27} } @online{klnai:20150106:linux:d8e30ec, author = {Peter Kálnai}, title = {{Linux DDoS Trojan hiding itself with an embedded rootkit}}, date = {2015-01-06}, organization = {Avast}, url = {https://blog.avast.com/2015/01/06/linux-ddos-trojan-hiding-itself-with-an-embedded-rootkit/}, language = {English}, urldate = {2020-02-25} } @techreport{klnai:201509:ddos:21c35c6, author = {Peter Kálnai and Jaromír Hořejší}, title = {{DDOS TROJAN: A MALICIOUS CONCEPT THAT CONQUERED THE ELF FORMAT}}, date = {2015-09}, institution = {Virus Bulletin}, url = {https://www.virusbulletin.com/uploads/pdf/conference/vb2015/KalnaiHorejsi-VB2015.pdf}, language = {English}, urldate = {2020-01-08} } @online{klnai:20160101:notes:100f4d8, author = {Peter Kálnai and Jaromír Hořejší}, title = {{Notes on click fraud: American story}}, date = {2016-01-01}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2016/01/paper-notes-click-fraud-american-story/}, language = {English}, urldate = {2020-03-04} } @online{klnai:20161220:new:05597b1, author = {Peter Kálnai and Michal Malík}, title = {{New Linux/Rakos threat: devices and servers under SSH scan (again)}}, date = {2016-12-20}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2016/12/20/new-linuxrakos-threat-devices-servers-ssh-scan/}, language = {English}, urldate = {2019-11-14} } @online{klnai:20161220:new:4044e88, author = {Peter Kálnai and Michal Malík}, title = {{New Linux/Rakos threat: devices and servers under SSH scan (again)}}, date = {2016-12-20}, organization = {ESET Research}, url = {http://www.welivesecurity.com/2016/12/20/new-linuxrakos-threat-devices-servers-ssh-scan/}, language = {English}, urldate = {2019-12-20} } @online{klnai:20170216:demystifying:7ae8785, author = {Peter Kálnai}, title = {{Demystifying targeted malware used against Polish banks}}, date = {2017-02-16}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/02/16/demystifying-targeted-malware-used-polish-banks/}, language = {English}, urldate = {2019-11-14} } @online{klnai:20170928:moneymaking:ac6e685, author = {Peter Kálnai and Michal Poslušný}, title = {{Money‑making machine: Monero‑mining malware}}, date = {2017-09-28}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/09/28/monero-money-mining-malware/}, language = {English}, urldate = {2019-11-14} } @online{klnai:20180403:lazarus:14ff18c, author = {Peter Kálnai and Anton Cherepanov}, title = {{Lazarus KillDisks Central American casino}}, date = {2018-04-03}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/04/03/lazarus-killdisk-central-american-casino/}, language = {English}, urldate = {2019-11-14} } @techreport{klnai:20181003:lazarus:bebf0ad, author = {Peter Kálnai and Michal Poslušný}, title = {{LAZARUS GROUP: A MAHJONG GAME PLAYED WITH DIFFERENT SETS OF TILES}}, date = {2018-10-03}, institution = {Virus Bulletin}, url = {https://www.virusbulletin.com/uploads/pdf/magazine/2018/VB2018-Kalnai-Poslusny.pdf}, language = {English}, urldate = {2020-01-06} } @online{klnai:20200514:mikroceen:b259a8c, author = {Peter Kálnai}, title = {{Mikroceen: Spying backdoor leveraged in high‑profile networks in Central Asia}}, date = {2020-05-14}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia/}, language = {English}, urldate = {2020-05-14} } @online{klopsch:20200322:mustang:56f3768, author = {Andreas Klopsch}, title = {{Mustang Panda joins the COVID-19 bandwagon}}, date = {2020-03-22}, organization = {Malware and Stuff}, url = {https://malwareandstuff.com/mustang-panda-joins-the-covid19-bandwagon/}, language = {English}, urldate = {2020-03-27} } @online{klopsch:20200330:old:ed1f6ef, author = {Andreas Klopsch}, title = {{An old enemy – Diving into QBot part 1}}, date = {2020-03-30}, organization = {Malware and Stuff}, url = {https://malwareandstuff.com/an-old-enemy-diving-into-qbot-part-1/}, language = {English}, urldate = {2020-04-01} } @online{klopsch:20200505:old:84beb5b, author = {Andreas Klopsch}, title = {{An old enemy – Diving into QBot part 3}}, date = {2020-05-05}, organization = {Malware and Stuff}, url = {https://malwareandstuff.com/an-old-enemy-diving-into-qbot-part-3/}, language = {English}, urldate = {2020-05-05} } @online{klopsch:20200524:examining:842b499, author = {Andreas Klopsch}, title = {{Examining Smokeloader’s Anti Hooking technique}}, date = {2020-05-24}, organization = {Malware and Stuff}, url = {https://malwareandstuff.com/examining-smokeloaders-anti-hooking-technique/}, language = {English}, urldate = {2020-05-25} } @online{klopsch:20200610:harmful:c46175f, author = {Andreas Klopsch}, title = {{Harmful Logging - Diving into MassLogger}}, date = {2020-06-10}, organization = {Gdata}, url = {https://www.gdatasoftware.com/blog/2020/06/36129-harmful-logging-diving-into-masslogger}, language = {English}, urldate = {2020-06-10} } @online{klopsch:20200621:upnp:f54abe6, author = {Andreas Klopsch}, title = {{UpnP – Messing up Security since years}}, date = {2020-06-21}, organization = {Malware and Stuff}, url = {https://malwareandstuff.com/upnp-messing-up-security-since-years/}, language = {English}, urldate = {2020-06-22} } @online{klopsch:20200712:deobfuscating:a374688, author = {Andreas Klopsch}, title = {{Deobfuscating DanaBot’s API Hashing}}, date = {2020-07-12}, organization = {Malware and Stuff}, url = {https://malwareandstuff.com/deobfuscating-danabots-api-hashing/}, language = {English}, urldate = {2020-07-15} } @online{kmerolla:20150731:otx:0dc083c, author = {KMEROLLA}, title = {{OTX Pulse on PlugX}}, date = {2015-07-31}, organization = {AlienVault}, url = {https://otx.alienvault.com/pulse/55bbc68e67db8c2d547ae393/}, language = {English}, urldate = {2020-01-08} } @online{knight:20190930:cb:a21cf30, author = {Scott Knight}, title = {{CB Threat Analysis Unit: Technical Analysis of “Crosswalk”}}, date = {2019-09-30}, organization = {vmware}, url = {https://www.carbonblack.com/2019/09/30/cb-threat-analysis-unit-technical-analysis-of-crosswalk/}, language = {English}, urldate = {2020-04-21} } @online{knight:20200326:dukes:df85f94, author = {Scott Knight}, title = {{The Dukes of Moscow}}, date = {2020-03-26}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/}, language = {English}, urldate = {2020-05-18} } @online{knight:20200416:evolution:39b90c0, author = {Scott Knight}, title = {{The Evolution of Lazarus}}, date = {2020-04-16}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/}, language = {English}, urldate = {2020-04-17} } @online{knockel:20200507:we:04af3df, author = {Jeffrey Knockel and Christopher Parsons and Lotus Ruan and Ruohan Xiong and Jedidiah Crandall and Ron Deibert}, title = {{We Chat, They Watch: How International Users Unwittingly Build up WeChat’s Chinese Censorship Apparatus}}, date = {2020-05-07}, organization = {The Citizenlab}, url = {https://citizenlab.ca/2020/05/we-chat-they-watch/}, language = {English}, urldate = {2020-05-07} } @online{knowlton:20100825:military:dc8aa06, author = {Brian Knowlton}, title = {{Military Computer Attack Confirmed}}, date = {2010-08-25}, organization = {The New York Times}, url = {https://www.nytimes.com/2010/08/26/technology/26cyber.html}, language = {English}, urldate = {2019-11-29} } @online{knutsen:20171119:iranian:654e55f, author = {ELISE KNUTSEN}, title = {{Iranian agents blackmailed BBC reporter with ‘naked photo’ threats}}, date = {2017-11-19}, organization = {Arab News}, url = {http://www.arabnews.com/node/1195681/media}, language = {English}, urldate = {2019-12-17} } @online{koehl:20200924:microsoft:adbe527, author = {Ben Koehl and Joe Hannon and Microsoft Identity Security Team}, title = {{Microsoft Security—detecting empires in the cloud}}, date = {2020-09-24}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/09/24/gadolinium-detecting-empires-cloud/}, language = {English}, urldate = {2020-09-24} } @online{kohei:20160720:crypmic:b272a4c, author = {Kawabata Kohei}, title = {{CrypMIC Ransomware Wants to Follow CryptXXX’s Footsteps}}, date = {2016-07-20}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/crypmic-ransomware-wants-to-follow-cryptxxx/}, language = {English}, urldate = {2020-01-09} } @online{kolesnikov:20180911:kronososiris:ab69b91, author = {Oleg Kolesnikov and Harshvardhan Parashar}, title = {{KRONOS/Osiris Banking Trojan Attack}}, date = {2018-09-11}, organization = {Securonix}, url = {https://www.securonix.com/securonix-threat-research-kronos-osiris-banking-trojan-attack}, language = {English}, urldate = {2020-01-09} } @online{komarov:20160909:govrat:292ff22, author = {Andrew Komarov}, title = {{GOVRAT V2.0 - Attacking US military and government}}, date = {2016-09-09}, organization = {InfoArmor}, url = {https://www.yumpu.com/en/document/view/55930175/govrat-v20}, language = {English}, urldate = {2019-10-15} } @online{konov:20200925:magento:21a7de0, author = {Krasimir Konov}, title = {{Magento Credit Card Stealing Malware: gstaticapi}}, date = {2020-09-25}, organization = {SUCURI}, url = {https://blog.sucuri.net/2020/09/magento-credit-card-stealing-malware-gstaticapi.html}, language = {English}, urldate = {2020-10-05} } @techreport{kopeytsev:20200528:steganography:8f5230a, author = {Vyacheslav Kopeytsev}, title = {{Steganography in targeted attacks on industrial enterprises}}, date = {2020-05-28}, institution = {Kaspersky Labs}, url = {https://ics-cert.kaspersky.com/media/KASPERSKY_Steganography_in_targeted_attacks_EN.pdf}, language = {English}, urldate = {2020-05-29} } @online{kopriva:20200203:analysis:c531bd3, author = {Jan Kopriva}, title = {{Analysis of a triple-encrypted AZORult downloader}}, date = {2020-02-03}, organization = {SANS ISC}, url = {https://isc.sans.edu/forums/diary/Analysis+of+a+tripleencrypted+AZORult+downloader/25768/}, language = {English}, urldate = {2020-02-10} } @online{korczynski:20190813:state:a4ad074, author = {David Korczynski}, title = {{The state of advanced code injections}}, date = {2019-08-13}, organization = {Adalogics}, url = {https://adalogics.com/blog/the-state-of-advanced-code-injections}, language = {English}, urldate = {2020-01-13} } @online{koren:20161101:ursnif:a5e4fcd, author = {Ariel Koren}, title = {{Ursnif Malware: Deep Technical Dive}}, date = {2016-11-01}, organization = {Ariel Koren's Blog}, url = {https://arielkoren.com/blog/2016/11/01/ursnif-malware-deep-technical-dive/}, language = {English}, urldate = {2020-01-10} } @online{koren:20161102:nymaim:26e076d, author = {Ariel Koren}, title = {{Nymaim Malware: Deep Technical Dive – Adventures in Evasive Malware}}, date = {2016-11-02}, organization = {Ariel Koren's Blog}, url = {https://arielkoren.com/blog/2016/11/02/nymaim-deep-technical-dive-adventures-in-evasive-malware/}, language = {English}, urldate = {2020-01-08} } @online{koriat:20160617:in:f42b6a0, author = {Oren Koriat}, title = {{In The Wild: Mobile Malware Implements New Features}}, date = {2016-06-17}, organization = {Check Point}, url = {https://blog.checkpoint.com/2016/06/17/in-the-wild-mobile-malware-implements-new-features/}, language = {English}, urldate = {2020-01-08} } @online{kosayev:20191007:dissecting:161f586, author = {Uriel Kosayev}, title = {{Dissecting Ardamax Keylogger}}, date = {2019-10-07}, organization = {Medium}, url = {https://medium.com/@MalFuzzer/dissecting-ardamax-keylogger-f33f922d2576}, language = {English}, urldate = {2020-01-05} } @online{kotowicz:20150517:newest:1b5db0b, author = {Maciej Kotowicz}, title = {{Newest addition to a happy family: KBOT}}, date = {2015-05-17}, organization = {CERT.PL}, url = {https://lokalhost.pl/txt/newest_addition_to_happy_family_kbot.17.05.2015.txt}, language = {English}, urldate = {2020-04-06} } @online{kotowicz:20170529:gozi:96e962d, author = {Maciej Kotowicz}, title = {{Gozi Tree}}, date = {2017-05-29}, organization = {Lokalhost.pl}, url = {https://lokalhost.pl/gozi_tree.txt}, language = {English}, urldate = {2020-01-08} } @online{kotowicz:20170702:isfb:2fe662b, author = {Maciej Kotowicz}, title = {{ISFB: Still Live and Kicking}}, date = {2017-07-02}, organization = {CERT.PL}, url = {https://journal.cecyf.fr/ojs/index.php/cybin/article/view/15}, language = {English}, urldate = {2020-01-13} } @techreport{kotowicz:20171006:peering:668c82e, author = {Maciej Kotowicz and Jarosław Jedynak}, title = {{Peering into spam botnets}}, date = {2017-10-06}, institution = {CERT.PL}, url = {https://lokalhost.pl/txt/peering.into.spam.botnets.VirusBulletin2017.pdf}, language = {English}, urldate = {2020-04-06} } @online{kotowicz:20200226:abusing:2a32e8e, author = {Maciej Kotowicz}, title = {{(Ab)using bash-fu to analyze recent Aggah sample}}, date = {2020-02-26}, organization = {MalwareLab.pl}, url = {https://blog.malwarelab.pl/posts/basfu_aggah/}, language = {English}, urldate = {2020-02-27} } @online{kotowicz:20200321:royal:da8fd16, author = {Maciej Kotowicz}, title = {{On the Royal Road}}, date = {2020-03-21}, organization = {MalwareLab.pl}, url = {https://blog.malwarelab.pl/posts/on_the_royal_road/}, language = {English}, urldate = {2020-03-24} } @online{kotowicz:20200423:quick:ce2218e, author = {Maciej Kotowicz}, title = {{Quick look at Nazar backdoor - Capabilities}}, date = {2020-04-23}, organization = {MalwareLab.pl}, url = {https://blog.malwarelab.pl/posts/nazar_eyservice/}, language = {English}, urldate = {2020-05-05} } @online{kotowicz:20200427:quick:e6bf310, author = {Maciej Kotowicz}, title = {{Quick look at Nazar's backdoor - Network Communication}}, date = {2020-04-27}, organization = {MalwareLab.pl}, url = {https://blog.malwarelab.pl/posts/nazar_eyservice_comm/}, language = {English}, urldate = {2020-05-05} } @online{kotowicz:20200515:in:e687019, author = {Maciej Kotowicz}, title = {{In depth analysis of Lazarus validator}}, date = {2020-05-15}, organization = {MalwareLab.pl}, url = {https://blog.malwarelab.pl/posts/lazarus_validator/}, language = {English}, urldate = {2020-05-19} } @online{kotowicz:20200622:venomrat:129ba02, author = {Maciej Kotowicz}, title = {{VenomRAT - new, hackforums grade, reincarnation of QuassarRAT}}, date = {2020-06-22}, organization = {MalwareLab.pl}, url = {https://blog.malwarelab.pl/posts/venom/}, language = {English}, urldate = {2020-06-25} } @online{koustek:20170512:wannacry:ff9bc08, author = {Jakub Křoustek}, title = {{WannaCry ransomware that infected Telefonica and NHS hospitals is spreading aggressively, with over 50,000 attacks so far today}}, date = {2017-05-12}, organization = {Avast}, url = {https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today}, language = {English}, urldate = {2020-01-07} } @online{kovacs:20170719:darkhotel:03c4181, author = {Eduard Kovacs}, title = {{'DarkHotel' APT Uses New Methods to Target Politicians}}, date = {2017-07-19}, organization = {SecurityWeek}, url = {https://www.securityweek.com/darkhotel-apt-uses-new-methods-target-politicians}, language = {English}, urldate = {2020-01-09} } @online{kozy:20141002:occupy:bda8f35, author = {Adam Kozy}, title = {{Occupy Central: The Umbrella Revolution and Chinese Intelligence}}, date = {2014-10-02}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/occupy-central-the-umbrella-revolution-and-chinese-intelligence/}, language = {English}, urldate = {2020-05-11} } @online{kozy:20150223:cyber:d6b26b8, author = {Adam Kozy}, title = {{Cyber Kung-Fu: The Great Firewall Art of DNS Poisoning}}, date = {2015-02-23}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/cyber-kung-fu-great-firewall-art-dns-poisoning/}, language = {English}, urldate = {2020-05-11} } @online{kozy:20150601:rhetoric:365c0d1, author = {Adam Kozy}, title = {{Rhetoric Foreshadows Cyber Activity in the South China Sea}}, date = {2015-06-01}, organization = {CrowdStrike}, url = {http://www.crowdstrike.com/blog/rhetoric-foreshadows-cyber-activity-in-the-south-china-sea/}, language = {English}, urldate = {2019-12-20} } @techreport{kozy:20150806:bringing:a7978d5, author = {Adam Kozy and Johannes Gilger}, title = {{Bringing A Cannon To A Knife Fight}}, date = {2015-08-06}, institution = {CrowdStrike}, url = {https://www.blackhat.com/docs/us-15/materials/us-15-Kozy-Bringing-A-Cannon-To-A-Knife-Fight.pdf}, language = {English}, urldate = {2020-05-11} } @online{kozy:20151230:bringing:616e8d1, author = {Adam Kozy and Johannes Gilger}, title = {{Bringing A Cannon To A Knife Fight}}, date = {2015-12-30}, organization = {CrowdStrike}, url = {https://www.youtube.com/watch?v=wewFYh8pQrY}, language = {English}, urldate = {2020-05-11} } @online{kozy:20171220:end:218a388, author = {Adam Kozy}, title = {{An End to “Smash-and-Grab” and a Move to More Targeted Approaches}}, date = {2017-12-20}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/an-end-to-smash-and-grab-more-targeted-approaches/}, language = {English}, urldate = {2020-05-11} } @online{kozy:20180830:two:7e5235f, author = {Adam Kozy}, title = {{Two Birds, One STONE PANDA}}, date = {2018-08-30}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/two-birds-one-stone-panda/}, language = {English}, urldate = {2020-05-11} } @online{kpn:20200121:ftcode:358aca5, author = {KPN}, title = {{FTCODE: taking over (a portion of) the botnet}}, date = {2020-01-21}, organization = {KPN}, url = {https://www.kpn.com/security-blogs/FTCODE-taking-over-a-portion-of-the-botnet.htm}, language = {English}, urldate = {2020-01-22} } @online{kpn:20200128:tracking:6c628f3, author = {KPN}, title = {{Tracking REvil}}, date = {2020-01-28}, organization = {KPN}, url = {https://www.kpn.com/security-blogs/Tracking-REvil.htm}, language = {English}, urldate = {2020-01-28} } @online{krabs:20180302:analysing:7b1f12f, author = {Mr. Krabs}, title = {{Analysing Remcos RAT’s executable}}, date = {2018-03-02}, organization = {KrabsOnSecurity}, url = {https://krabsonsecurity.com/2018/03/02/analysing-remcos-rats-executable/}, language = {English}, urldate = {2019-07-31} } @online{krabs:20190213:analyzing:404862f, author = {Mr. Krabs}, title = {{Analyzing Amadey – a simple native malware}}, date = {2019-02-13}, organization = {KrabsOnSecurity}, url = {https://krabsonsecurity.com/2019/02/13/analyzing-amadey-a-simple-native-malware/}, language = {English}, urldate = {2020-01-08} } @online{krabs:20190604:taking:be0ac28, author = {Mr. Krabs}, title = {{Taking a look at Baldr stealer}}, date = {2019-06-04}, organization = {KrabsOnSecurity}, url = {https://krabsonsecurity.com/2019/06/04/taking-a-look-at-baldr-stealer/}, language = {English}, urldate = {2019-12-10} } @online{krabs:20191205:buer:9c3cf72, author = {Mr. Krabs}, title = {{Buer Loader, new Russian loader on the market with interesting persistence}}, date = {2019-12-05}, organization = {KrabsOnSecurity}, url = {https://krabsonsecurity.com/2019/12/05/buer-loader-new-russian-loader-on-the-market-with-interesting-persistence/}, language = {English}, urldate = {2020-01-08} } @online{krabs:20200822:bitrat:ce5d899, author = {Mr. Krabs}, title = {{BitRAT – The Latest in Copy-pasted Malware by Incompetent Developers}}, date = {2020-08-22}, organization = {KrabsOnSecurity}, url = {https://krabsonsecurity.com/2020/08/22/bitrat-the-latest-in-copy-pasted-malware-by-incompetent-developers/}, language = {English}, urldate = {2020-08-25} } @online{krabs:20200904:bitrat:bd0d3cd, author = {Mr. Krabs}, title = {{BitRAT pt. 2: Hidden Browser, SOCKS5 proxy, and UnknownProducts Unmasked}}, date = {2020-09-04}, organization = {KrabsOnSecurity}, url = {https://krabsonsecurity.com/2020/09/04/bitrat-pt-2-hidden-browser-socks5-proxy-and-unknownproducts-unmasked/}, language = {English}, urldate = {2020-09-05} } @online{krabs:20201024:gacrux:decf52f, author = {Mr. Krabs}, title = {{Gacrux – a basic C malware with a custom PE loader}}, date = {2020-10-24}, organization = {KrabsOnSecurity}, url = {https://krabsonsecurity.com/2020/10/24/gacrux-a-basic-c-malware-with-a-custom-pe-loader}, language = {English}, urldate = {2020-10-26} } @online{krastev:20180719:killswitch:487a882, author = {Ventsislav Krastev}, title = {{Killswitch File Now Available for GandCrab v4.1.2 Ransomware}}, date = {2018-07-19}, organization = {Sensors Tech Forum}, url = {https://sensorstechforum.com/killswitch-file-now-available-gandcrab-v4-1-2-ransomware/}, language = {English}, urldate = {2020-01-07} } @online{krastev:20180903:lockymap:1e8c9cd, author = {Ventsislav Krastev}, title = {{.lockymap Files Virus (PyLocky Ransomware) – Remove and Restore Data}}, date = {2018-09-03}, organization = {SensorTechForums}, url = {https://sensorstechforum.com/lockymap-files-virus-pylocky-ransomware-remove-restore-data/}, language = {English}, urldate = {2020-01-13} } @online{krasuski:20160902:necurs:d01f298, author = {Adam Krasuski}, title = {{Necurs – hybrid spam botnet}}, date = {2016-09-02}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/necurs-hybrid-spam-botnet/}, language = {English}, urldate = {2019-11-20} } @online{krasuski:20160916:tofsee:79a1d35, author = {Adam Krasuski}, title = {{Tofsee – modular spambot}}, date = {2016-09-16}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/tofsee-en/}, language = {English}, urldate = {2020-01-13} } @techreport{krcert:20200401:operation:d6916ea, author = {KrCERT}, title = {{OPERATION BOOKCODES TTPs #1}}, date = {2020-04-01}, institution = {KISA}, url = {https://www.boho.or.kr/filedownload.do?attach_file_seq=2381&attach_file_id=EpF2381.pdf}, language = {Korean}, urldate = {2020-10-19} } @techreport{krcert:20200629:operation:bbe9f5c, author = {KrCERT}, title = {{OPERATION BOOKCODES TTPs #2}}, date = {2020-06-29}, institution = {KISA}, url = {https://www.boho.or.kr/filedownload.do?attach_file_seq=2455&attach_file_id=EpF2455.pdf}, language = {Korean}, urldate = {2020-10-19} } @techreport{krcert:20200911:analysis:490f2e3, author = {KrCERT}, title = {{Analysis of attacker's strategy of using malicious code}}, date = {2020-09-11}, institution = {KISA}, url = {https://www.boho.or.kr/filedownload.do?attach_file_seq=2517&attach_file_id=EpF2517.pdf}, language = {Korean}, urldate = {2020-09-15} } @online{krebs:20100401:spyeye:d557888, author = {Brian Krebs}, title = {{SpyEye vs. ZeuS Rivalry}}, date = {2010-04-01}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2010/04/spyeye-vs-zeus-rivalry/}, language = {English}, urldate = {2019-11-28} } @online{krebs:20100917:spyeye:92d9e7f, author = {Brian Krebs}, title = {{SpyEye Botnet’s Bogus Billing Feature}}, date = {2010-09-17}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2010/09/spyeye-botnets-bogus-billing-feature/}, language = {English}, urldate = {2019-10-15} } @online{krebs:20110328:microsoft:dab0119, author = {Brian Krebs}, title = {{Microsoft Hunting Rustock Controllers}}, date = {2011-03-28}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2011/03/microsoft-hunting-rustock-controllers/}, language = {English}, urldate = {2019-07-11} } @online{krebs:20110426:spyeye:b9e984e, author = {Brian Krebs}, title = {{SpyEye Targets Opera, Google Chrome Users}}, date = {2011-04-26}, url = {https://krebsonsecurity.com/2011/04/spyeye-targets-opera-google-chrome-users/}, language = {English}, urldate = {2020-01-08} } @online{krebs:20110728:trojan:2335232, author = {Brian Krebs}, title = {{Trojan Tricks Victims Into Transferring Funds}}, date = {2011-07-28}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2011/07/trojan-tricks-victims-into-transfering-funds/}, language = {English}, urldate = {2019-12-20} } @online{krebs:20120919:blog:c9b0499, author = {Brian Krebs}, title = {{Blog Posts on Nitol}}, date = {2012-09-19}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/tag/nitol/}, language = {English}, urldate = {2020-01-13} } @online{krebs:20130118:polish:d1c0560, author = {Brian Krebs}, title = {{Polish Takedown Targets ‘Virut’ Botnet}}, date = {2013-01-18}, url = {https://krebsonsecurity.com/2013/01/polish-takedown-targets-virut-botnet/}, language = {English}, urldate = {2019-12-18} } @online{krebs:20150209:anthem:1631cd7, author = {Brian Krebs}, title = {{Anthem Breach May Have Started in April 2014}}, date = {2015-02-09}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2015/02/anthem-breach-may-have-started-in-april-2014/}, language = {English}, urldate = {2019-11-29} } @online{krebs:20150515:carefirst:2847408, author = {Brian Krebs}, title = {{Carefirst Blue Cross Breach Hits 1.1M}}, date = {2015-05-15}, url = {https://krebsonsecurity.com/2015/05/carefirst-blue-cross-breach-hits-1-1m/}, language = {English}, urldate = {2020-01-05} } @online{krebs:20150615:catching:d4edaea, author = {Brian Krebs}, title = {{Catching Up on the OPM Breach}}, date = {2015-06-15}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2015/06/catching-up-on-the-opm-breach/}, language = {English}, urldate = {2020-01-09} } @online{krebs:20160721:canadian:5c7f22f, author = {Brian Krebs}, title = {{Canadian Man Behind Popular ‘Orcus RAT’}}, date = {2016-07-21}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2016/07/canadian-man-is-author-of-popular-orcus-rat/}, language = {English}, urldate = {2019-07-11} } @online{krebs:20160921:krebsonsecurity:259c3cd, author = {Brian Krebs}, title = {{KrebsOnSecurity Hit With Record DDoS}}, date = {2016-09-21}, url = {https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/}, language = {English}, urldate = {2019-12-18} } @online{krebs:20161001:source:796f0bc, author = {Brian Krebs}, title = {{Source Code for IoT Botnet ‘Mirai’ Released}}, date = {2016-10-01}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/}, language = {English}, urldate = {2019-07-10} } @online{krebs:20170301:ransomware:ead8101, author = {Brian Krebs}, title = {{Ransomware for Dummies: Anyone Can Do It}}, date = {2017-03-01}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2017/03/ransomware-for-dummies-anyone-can-do-it/}, language = {English}, urldate = {2020-01-09} } @online{krebs:20170406:selfproclaimed:542e91e, author = {Brian Krebs}, title = {{Self-Proclaimed ‘Nuclear Bot’ Author Weighs U.S. Job Offer}}, date = {2017-04-06}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/tag/nuclear-bot/}, language = {English}, urldate = {2019-07-27} } @online{krebs:20170512:uk:11a7e5a, author = {Brian Krebs}, title = {{U.K. Hospitals Hit in Widespread Ransomware Attack}}, date = {2017-05-12}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2017/05/u-k-hospitals-hit-in-widespread-ransomware-attack/}, language = {English}, urldate = {2020-01-06} } @online{krebs:20170828:tech:4df59f2, author = {Brian Krebs}, title = {{Tech Firms Team Up to Take Down ‘WireX’ Android DDoS Botnet}}, date = {2017-08-28}, url = {https://krebsonsecurity.com/2017/08/tech-firms-team-up-to-take-down-wirex-android-ddos-botnet/}, language = {English}, urldate = {2019-11-17} } @online{krebs:20171023:reaper:8341031, author = {Brian Krebs}, title = {{Reaper: Calm Before the IoT Security Storm?}}, date = {2017-10-23}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2017/10/reaper-calm-before-the-iot-security-storm}, language = {English}, urldate = {2020-01-10} } @online{krebs:20171127:who:8490729, author = {Brian Krebs}, title = {{WHO WAS THE NSA CONTRACTOR ARRESTED FOR LEAKING THE ‘SHADOW BROKERS’ HACKING TOOLS?}}, date = {2017-11-27}, organization = {Blacklake}, url = {https://blacklakesecurity.com/who-was-the-nsa-contractor-arrested-for-leaking-the-shadow-brokers-hacking-tools/}, language = {English}, urldate = {2019-11-25} } @online{krebs:20171213:mirai:bd2cb74, author = {Brian Krebs}, title = {{Mirai IoT Botnet Co-Authors Plead Guilty}}, date = {2017-12-13}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2017/12/mirai-iot-botnet-co-authors-plead-guilty/}, language = {English}, urldate = {2020-01-08} } @online{krebs:201807:luminositylink:1d9ce64, author = {Brian Krebs}, title = {{‘LuminosityLink RAT’ Author Pleads Guilty}}, date = {2018-07}, url = {https://krebsonsecurity.com/2018/07/luminositylink-rat-author-pleads-guilty/}, language = {English}, urldate = {2019-10-23} } @online{krebs:20180902:alleged:caf0cb2, author = {Brian Krebs}, title = {{Alleged ‘Satori’ IoT Botnet Operator Sought Media Spotlight, Got Indicted}}, date = {2018-09-02}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2018/09/alleged-satori-iot-botnet-operator-sought-media-spotlight-got-indicted/}, language = {English}, urldate = {2020-01-13} } @online{krebs:20190218:deep:0f75439, author = {Brian Krebs}, title = {{A Deep Dive on the Recent Widespread DNS Hijacking Attacks}}, date = {2019-02-18}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/tag/dnspionage/}, language = {English}, urldate = {2019-11-29} } @online{krebs:20190402:canadian:4743d2d, author = {Brian Krebs}, title = {{Canadian Police Raid ‘Orcus RAT’ Author}}, date = {2019-04-02}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2019/04/canadian-police-raid-orcus-rat-author/}, language = {English}, urldate = {2019-12-19} } @online{krebs:20190422:whos:2004970, author = {Brian Krebs}, title = {{Who’s Behind the RevCode WebMonitor RAT?}}, date = {2019-04-22}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2019/04/whos-behind-the-revcode-webmonitor-rat/}, language = {English}, urldate = {2020-01-13} } @online{krebs:20190603:report:e065d06, author = {Brian Krebs}, title = {{Report: No ‘Eternal Blue’ Exploit Found in Baltimore City Ransomware}}, date = {2019-06-03}, url = {https://krebsonsecurity.com/2019/06/report-no-eternal-blue-exploit-found-in-baltimore-city-ransomware/}, language = {English}, urldate = {2019-10-17} } @online{krebs:20190708:whos:54977ab, author = {Brian Krebs}, title = {{Who’s Behind the GandCrab Ransomware?}}, date = {2019-07-08}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2019/07/whos-behind-the-gandcrab-ransomware/}, language = {English}, urldate = {2020-01-07} } @online{krebs:20190715:is:4e715d7, author = {Brian Krebs}, title = {{Is ‘REvil’ the New GandCrab Ransomware?}}, date = {2019-07-15}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2019/07/is-revil-the-new-gandcrab-ransomware/}, language = {English}, urldate = {2020-01-06} } @online{krebs:20191001:mariposa:a422c50, author = {Brian Krebs}, title = {{Mariposa Botnet Author, Darkcode Crime Forum Admin Arrested in Germany}}, date = {2019-10-01}, url = {https://krebsonsecurity.com/2019/10/mariposa-botnet-author-darkcode-crime-forum-admin-arrested-in-germany/}, language = {English}, urldate = {2020-01-10} } @online{krebs:20191216:ransomware:f4d7d8c, author = {Brian Krebs}, title = {{Ransomware Gangs Now Outing Victim Businesses That Don’t Pay Up}}, date = {2019-12-16}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2019/12/ransomware-gangs-now-outing-victim-businesses-that-dont-pay-up/}, language = {English}, urldate = {2020-01-08} } @online{krebs:20191217:nuclear:88151cd, author = {Brian Krebs}, title = {{Nuclear Bot Author Arrested in Sextortion Case}}, date = {2019-12-17}, url = {https://krebsonsecurity.com/2019/12/nuclear-bot-author-arrested-in-sextortion-case/}, language = {English}, urldate = {2020-01-07} } @online{krebs:20200320:case:ae196f4, author = {Brian Krebs}, title = {{The Case for Limiting Your Browser Extensions}}, date = {2020-03-20}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2020/03/the-case-for-limiting-your-browser-extensions/}, language = {English}, urldate = {2020-05-05} } @online{krebs:20200506:europes:2f8ce94, author = {Brian Krebs}, title = {{Europe’s Largest Private Hospital Operator Fresenius Hit by Ransomware}}, date = {2020-05-06}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2020/05/europes-largest-private-hospital-operator-fresenius-hit-by-ransomware}, language = {English}, urldate = {2020-05-13} } @online{krebs:20200511:ransomware:2d96270, author = {Brian Krebs}, title = {{Ransomware Hit ATM Giant Diebold Nixdorf}}, date = {2020-05-11}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2020/05/ransomware-hit-atm-giant-diebold-nixdorf/}, language = {English}, urldate = {2020-05-13} } @online{krebs:20201002:attacks:a6dc6e3, author = {Brian Krebs}, title = {{Attacks Aimed at Disrupting the Trickbot Botnet}}, date = {2020-10-02}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2020/10/attacks-aimed-at-disrupting-the-trickbot-botnet/}, language = {English}, urldate = {2020-10-05} } @online{kremez:20151226:backdoor:4552c35, author = {Vitali Kremez}, title = {{Backdoor: Win32/Hesetox.A: vSkimmer POS Malware Analysis }}, date = {2015-12-26}, organization = {Flashpoint}, url = {http://vkremez.weebly.com/cyber-security/-backdoor-win32hesetoxa-vskimmer-pos-malware-analysis}, language = {English}, urldate = {2019-12-24} } @online{kremez:20170724:lets:8b64c6c, author = {Vitali Kremez}, title = {{Let's Learn: Reversing Credential and Payment Card Information Stealer 'AZORult V2'}}, date = {2017-07-24}, organization = {Vitali Kremez Blog}, url = {http://www.vkremez.com/2017/07/lets-learn-reversing-credential-and.html}, language = {English}, urldate = {2020-01-06} } @online{kremez:20170818:extracted:cdbd2f4, author = {Vitali Kremez}, title = {{Tweet on extracted config from Gootkit}}, date = {2017-08-18}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/898549340121288704}, language = {English}, urldate = {2020-01-06} } @online{kremez:20171105:lets:c732c05, author = {Vitali Kremez}, title = {{Let's Learn: Lethic Spambot & Survey of Anti-Analysis Techniques}}, date = {2017-11-05}, organization = {Vitali Kremez Blog}, url = {http://www.vkremez.com/2017/11/lets-learn-lethic-spambot-survey-of.html}, language = {English}, urldate = {2020-01-07} } @online{kremez:20171112:lets:4db8d74, author = {Vitali Kremez}, title = {{Let's Learn: Dissecting Golroted Trojan's Process Hollowing Technique & UAC Bypass in HKCU\Environment}}, date = {2017-11-12}, organization = {Vitali Kremez Blog}, url = {http://www.vkremez.com/2017/11/lets-learn-dissecting-golroted-trojans.html}, language = {English}, urldate = {2020-01-06} } @online{kremez:20171121:lets:5fb17b0, author = {Vitali Kremez}, title = {{Let's Learn: Trickbot Socks5 Backconnect Module In Detail}}, date = {2017-11-21}, url = {http://www.vkremez.com/2017/11/lets-learn-trickbot-socks5-backconnect.html}, language = {English}, urldate = {2019-11-22} } @online{kremez:20171122:trickbot:faea11e, author = {Vitali Kremez}, title = {{Trickbot Gang Evolves, Incorporates Account Checking Into Hybrid Attack Model}}, date = {2017-11-22}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/trickbot-account-checking-hybrid-attack-model/}, language = {English}, urldate = {2019-12-10} } @online{kremez:20171213:update:50a1f16, author = {Vitali Kremez}, title = {{Update: Let's Learn: Reversing FIN6 "GratefulPOS" aka "FrameworkPOS" Point-of-Sale Malware in-Depth}}, date = {2017-12-13}, organization = {Vitali Kremez Blog}, url = {http://www.vkremez.com/2017/12/lets-learn-reversing-grateful-point-of.html}, language = {English}, urldate = {2020-01-08} } @online{kremez:20171219:lets:030e09a, author = {Vitali Kremez}, title = {{Let's Learn: Introducing New Trickbot LDAP "DomainGrabber" Module}}, date = {2017-12-19}, organization = {Vitali Kremez Blog}, url = {http://www.vkremez.com/2017/12/lets-learn-introducing-new-trickbot.html}, language = {English}, urldate = {2019-11-23} } @online{kremez:20171227:lets:5c2d27f, author = {Vitali Kremez}, title = {{Let's Learn: Cutlet ATM Malware Internals}}, date = {2017-12-27}, url = {http://www.vkremez.com/2017/12/lets-learn-cutlet-atm-malware-internals.html}, language = {English}, urldate = {2019-07-22} } @online{kremez:20180129:lets:450880d, author = {Vitali Kremez}, title = {{Let's Learn: Dissecting FormBook Infostealer Malware: Crypter & "RunLib.dll"}}, date = {2018-01-29}, organization = {Vitali Kremez Blog}, url = {http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html}, language = {English}, urldate = {2020-01-10} } @online{kremez:20180222:lets:6fd91bb, author = {Vitali Kremez}, title = {{Let's Learn: Deeper Dive into Ramnit Banker "VNC IFSB" Remote Control Module}}, date = {2018-02-22}, url = {http://www.vkremez.com/2018/02/deeper-dive-into-ramnit-banker-vnc-ifsb.html}, language = {English}, urldate = {2019-12-04} } @online{kremez:20180325:lets:070366d, author = {Vitali Kremez}, title = {{Let's Learn: Internals of Iranian-Based Threat Group "Chafer" Malware: Autoit and PowerShell Persistence}}, date = {2018-03-25}, organization = {Vitali Kremez Blog}, url = {https://www.vkremez.com/2018/03/investigating-iranian-threat-group.html}, language = {English}, urldate = {2019-10-13} } @online{kremez:20180403:lets:b45dd50, author = {Vitali Kremez}, title = {{Let's Learn: Trickbot Implements Network Collector Module Leveraging CMD, WMI & LDAP}}, date = {2018-04-03}, organization = {Vitali Kremez Blog}, url = {http://www.vkremez.com/2018/04/lets-learn-trickbot-implements-network.html}, language = {English}, urldate = {2019-07-27} } @online{kremez:20180413:lets:3dd37f4, author = {Vitali Kremez}, title = {{Let's Learn: In-Depth Dive into Gootkit Banker Version 4 Malware Analysis}}, date = {2018-04-13}, organization = {Vitali Kremez Blog}, url = {http://www.vkremez.com/2018/04/lets-learn-in-depth-dive-into-gootkit.html}, language = {English}, urldate = {2019-10-23} } @online{kremez:20180729:lets:8f04eed, author = {Vitali Kremez}, title = {{Let's Learn: In-Depth Reversing of Qakbot "qbot" Banker Part 1}}, date = {2018-07-29}, organization = {Vitali Kremez Blog}, url = {https://www.vkremez.com/2018/07/lets-learn-in-depth-reversing-of-qakbot.html}, language = {English}, urldate = {2020-01-06} } @online{kremez:20180805:lets:489101d, author = {Vitali Kremez}, title = {{Let's Learn: Diving into the Latest "Ramnit" Banker Malware via "sLoad" PowerShell}}, date = {2018-08-05}, organization = {Vitali Kremez Blog}, url = {https://www.vkremez.com/2018/08/lets-learn-in-depth-into-latest-ramnit.html}, language = {English}, urldate = {2020-01-10} } @online{kremez:20180820:lets:d3f938c, author = {Vitali Kremez}, title = {{Let's Learn: Dissecting Panda Banker & Modules: Webinject, Grabber & Keylogger DLL Modules}}, date = {2018-08-20}, organization = {Vitali Kremez Blog}, url = {https://www.vkremez.com/2018/08/lets-learn-dissecting-panda-banker.html}, language = {English}, urldate = {2019-10-23} } @online{kremez:20180825:lets:f8147ab, author = {Vitali Kremez}, title = {{Let's Learn: In-Depth Reversing of Recent Gozi ISFB Banking Malware Version 2.16/2.17 (portion of ISFB v3) & "loader.dll/client.dll"}}, date = {2018-08-25}, url = {https://www.vkremez.com/2018/08/lets-learn-in-depth-reversing-of-recent.html}, language = {English}, urldate = {2019-11-25} } @online{kremez:20180907:lets:8515a2b, author = {Vitali Kremez}, title = {{Let's Learn: Deeper Dive into "IcedID"/"BokBot" Banking Malware: Part 1}}, date = {2018-09-07}, url = {https://www.vkremez.com/2018/09/lets-learn-deeper-dive-into.html}, language = {English}, urldate = {2020-01-08} } @online{kremez:20181031:lets:e59c3f8, author = {Vitali Kremez}, title = {{Let's Learn: Exploring ZeusVM Banking Malware Hooking Engine}}, date = {2018-10-31}, organization = {Vitali Kremez Blog}, url = {https://www.vkremez.com/2018/10/lets-learn-exploring-zeusvm-banking.html}, language = {English}, urldate = {2019-12-24} } @online{kremez:20181105:lets:aed7583, author = {Vitali Kremez}, title = {{Let's Learn: In-Depth Reversing of Hancitor Dropper/Loader: 2016 vs 2018 Malware Progression}}, date = {2018-11-05}, url = {https://www.vkremez.com/2018/11/lets-learn-in-depth-reversing-of.html}, language = {English}, urldate = {2020-01-07} } @online{kremez:20181107:lets:d4ffc27, author = {Vitali Kremez}, title = {{Let’s Learn: Introducing Latest TrickBot Point-of-Sale Finder Module}}, date = {2018-11-07}, url = {https://www.vkremez.com/2018/11/lets-learn-introducing-latest-trickbot.html}, language = {English}, urldate = {2019-11-17} } @online{kremez:20181113:lets:dd6d4d7, author = {Vitali Kremez}, title = {{Let's Learn: Dissect Panda Banking Malware's "libinject" Process Injection Module}}, date = {2018-11-13}, organization = {Vitali Kremez Blog}, url = {http://www.vkremez.com/2018/01/lets-learn-dissect-panda-banking.html}, language = {English}, urldate = {2020-01-13} } @online{kremez:20181127:lets:e9928d7, author = {Vitali Kremez}, title = {{Let's Learn: In-Depth on Sofacy Cannon Loader/Backdoor Review}}, date = {2018-11-27}, organization = {Vitali Kremez Blog}, url = {https://www.vkremez.com/2018/11/lets-learn-in-depth-on-sofacy-canon.html}, language = {English}, urldate = {2020-01-13} } @online{kremez:20181210:lets:f947fb1, author = {Vitali Kremez}, title = {{Let's Learn: Reviewing Sofacy's "Zebrocy" C++ Loader: Advanced Insight}}, date = {2018-12-10}, organization = {Vitali Kremez Blog}, url = {https://www.vkremez.com/2018/12/lets-learn-reviewing-sofacys-zebrocy-c.html}, language = {English}, urldate = {2020-01-09} } @online{kremez:20181221:lets:46e594a, author = {Vitali Kremez}, title = {{Let's Learn: In-Depth on APT28/Sofacy Zebrocy Golang Loader}}, date = {2018-12-21}, url = {https://www.vkremez.com/2018/12/lets-learn-dissecting-apt28sofacy.html}, language = {English}, urldate = {2019-12-24} } @online{kremez:20190107:lets:07f4941, author = {Vitali Kremez}, title = {{Let's Learn: Deeper Dive into Gamaredon Group Pteranodon Implant Version '_512'}}, date = {2019-01-07}, url = {https://www.vkremez.com/2019/01/lets-learn-deeper-dive-into-gamaredon.html}, language = {English}, urldate = {2020-01-07} } @online{kremez:20190115:disclosure:0e74c4e, author = {Vitali Kremez}, title = {{Disclosure of Chilean Redbanc Intrusion Leads to Lazarus Ties}}, date = {2019-01-15}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/disclosure-chilean-redbanc-intrusion-lazarus-ties/}, language = {English}, urldate = {2019-08-08} } @online{kremez:20190117:turla:1eff5e6, author = {Vitali Kremez}, title = {{Tweet on Turla Outlook Backdoor}}, date = {2019-01-17}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1085820673811992576}, language = {English}, urldate = {2020-01-13} } @online{kremez:20190328:lets:9a07122, author = {Vitali Kremez}, title = {{Let's Learn: Dissecting Operation ShadowHammer Shellcode Internals in crt_ExitProcess}}, date = {2019-03-28}, organization = {Vitali Kremez Blog}, url = {https://www.vkremez.com/2019/03/lets-learn-dissecting-operation.html}, language = {English}, urldate = {2020-01-10} } @online{kremez:20190413:decoded:c9b46a9, author = {Vitali Kremez}, title = {{Decoded Turla Powershell Implant}}, date = {2019-04-13}, organization = {GitHub}, url = {https://raw.githubusercontent.com/k-vitali/Malware-Misc-RE/master/2019-04-13-Possible-Turla-PowerShell-Implant.ps1}, language = {English}, urldate = {2019-07-11} } @online{kremez:20190425:ransomware:4093d36, author = {Vitali Kremez}, title = {{Tweet on Ransomware}}, date = {2019-04-25}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1121440931759128576}, language = {English}, urldate = {2020-01-05} } @online{kremez:20190509:robinhood:187f468, author = {Vitali Kremez}, title = {{RobinHood Ransomware “CoolMaker” Functions Not So Cool}}, date = {2019-05-09}, organization = {Sentinel LABS}, url = {https://www.sentinelone.com/blog/robinhood-ransomware-coolmaker-function-not-cool/}, language = {English}, urldate = {2020-01-06} } @online{kremez:20190604:inside:d633c6f, author = {Vitali Kremez}, title = {{Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vitali Kremez}}, date = {2019-06-04}, organization = {SlideShare}, url = {https://www.slideshare.net/proidea_conferences/inside-cybercrime-groups-harvesting-active-directory-for-fun-and-profit-vitali-kremez}, language = {English}, urldate = {2020-01-13} } @online{kremez:20190619:macho:641b90d, author = {Vitali Kremez}, title = {{Tweet on Mach-O & PE32 Payloads}}, date = {2019-06-19}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1141540229951709184}, language = {English}, urldate = {2020-01-07} } @online{kremez:20190712:atm:9918194, author = {Vitali Kremez}, title = {{ATM Malware Pin/PAN Card Offline Skimmer XFSADM}}, date = {2019-07-12}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1149454961740255232}, language = {English}, urldate = {2019-11-17} } @online{kremez:20190824:notes:486e04c, author = {Vitali Kremez}, title = {{Notes on Nemty Ransomware}}, date = {2019-08-24}, organization = {Github (k-vitali)}, url = {https://raw.githubusercontent.com/k-vitali/Malware-Misc-RE/master/2019-08-24-nemty-ransomware-notes.vk.raw}, language = {English}, urldate = {2020-01-13} } @online{kremez:20190911:stealeruploader:0d4c48f, author = {Vitali Kremez}, title = {{Tweet on Stealer/Uploader}}, date = {2019-09-11}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1171782155581689858}, language = {English}, urldate = {2020-01-07} } @online{kremez:20191011:possible:3be065d, author = {Vitali Kremez}, title = {{Possible Lazarus x86 Malware (AppleJeus)}}, date = {2019-10-11}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1182730637016481793}, language = {English}, urldate = {2019-11-23} } @online{kremez:20191017:lets:d41b75a, author = {Vitali Kremez}, title = {{Let's Learn: Dissecting Lazarus Windows x86 Loader Involved in Crypto Trading App Distribution: "snowman" & ADVObfuscator}}, date = {2019-10-17}, url = {https://www.vkremez.com/2019/10/lets-learn-dissecting-lazarus-windows.html}, language = {English}, urldate = {2020-01-08} } @online{kremez:20191024:how:e6d838d, author = {Vitali Kremez}, title = {{How TrickBot Malware Hooking Engine Targets Windows 10 Browsers}}, date = {2019-10-24}, organization = {Sentinel LABS}, url = {https://labs.sentinelone.com/how-trickbot-hooking-engine-targets-windows-10-browsers/}, language = {English}, urldate = {2020-07-03} } @online{kremez:20191105:possible:e2886d4, author = {Vitali Kremez}, title = {{Tweet on Possible Snatch}}, date = {2019-11-05}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1191414501297528832}, language = {English}, urldate = {2020-01-08} } @online{kremez:20191202:socelars:8d5d01c, author = {Vitali Kremez}, title = {{Tweet on Socelars Stealer}}, date = {2019-12-02}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1201584107928653824}, language = {English}, urldate = {2020-01-17} } @online{kremez:20191210:morphisec:c0fc51c, author = {Vitali Kremez and Joshua Platt and Jason Reaves}, title = {{MORPHISEC DISCOVERS CCLEANER BACKDOOR SAVING MILLIONS OF AVAST USERS}}, date = {2019-12-10}, organization = {Sentinel LABS}, url = {https://labs.sentinelone.com/the-deadly-planeswalker-how-the-trickbot-group-united-high-tech-crimeware-apt/}, language = {English}, urldate = {2020-01-08} } @online{kremez:20200109:toptier:4f8de90, author = {Vitali Kremez and Joshua Platt and Jason Reaves}, title = {{Top-Tier Russian Organized Cybercrime Group Unveils Fileless Stealthy “PowerTrick” Backdoor for High-Value Targets}}, date = {2020-01-09}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/}, language = {English}, urldate = {2020-01-13} } @online{kremez:20200125:extracted:3eb7aef, author = {Vitali Kremez}, title = {{Extracted Config for Ragnarok Ransomware}}, date = {2020-01-25}, organization = {Github (k-vitali)}, url = {https://github.com/k-vitali/Malware-Misc-RE/blob/master/2020-01-26-ragnarok-cfg-vk.notes.raw}, language = {English}, urldate = {2020-01-28} } @online{kremez:20200205:prorussian:4fab984, author = {Vitali Kremez}, title = {{Pro-Russian CyberSpy Gamaredon Intensifies Ukrainian Security Targeting}}, date = {2020-02-05}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/pro-russian-cyberspy-gamaredon-intensifies-ukrainian-security-targeting/}, language = {English}, urldate = {2020-02-09} } @online{kremez:20200227:lets:8b6f2b8, author = {Vitali Kremez}, title = {{Let’s Learn: Inside Parallax RAT Malware: Process Hollowing Injection & Process Doppelgänging API Mix: Part I}}, date = {2020-02-27}, url = {https://www.vkremez.com/2020/02/lets-learn-inside-parallax-rat-malware.html}, language = {English}, urldate = {2020-03-25} } @online{kremez:20200424:trickbot:3773039, author = {Vitali Kremez}, title = {{TrickBot "BazarBackdoor" Process Hollowing Injection Primer}}, date = {2020-04-24}, url = {https://www.vkremez.com/2020/04/lets-learn-trickbot-bazarbackdoor.html}, language = {English}, urldate = {2020-05-02} } @online{kremez:20200519:netwalker:7ad1e7c, author = {Vitali Kremez}, title = {{Netwalker Ransomware - From Static Reverse Engineering to Automatic Extraction}}, date = {2020-05-19}, organization = {zero2auto}, url = {https://zero2auto.com/2020/05/19/netwalker-re/}, language = {English}, urldate = {2020-06-02} } @online{kremez:20200617:signed:f8eecc6, author = {Vitali Kremez and malwrhunterteam}, title = {{Tweet on signed Tinymet payload (V.02) used by TA505}}, date = {2020-06-17}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1273292957429510150}, language = {English}, urldate = {2020-06-18} } @online{kremez:20200710:yara:9b51a77, author = {Vitali Kremez and Christiaan Beek and Tom Ueltschi and Hilko Bengen and Jo Johnson and Cooper Quintin and Wyatt Roersma and Tomislav Pericin}, title = {{YARA Rules talks and presentation of REVERSING 2020}}, date = {2020-07-10}, organization = {ReversingLabs}, url = {https://register.reversinglabs.com/reversing2020/session-videos}, language = {English}, urldate = {2020-07-11} } @online{kremez:20200711:trickbot:602fd73, author = {Vitali Kremez}, title = {{TrickBot Group Launches Test Module Alerting on Fraud Activity}}, date = {2020-07-11}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/trickbot-group-launches-test-module-alerting-on-fraud-activity}, language = {English}, urldate = {2020-07-13} } @online{kreminchuker:20191218:echobot:2fe9511, author = {Eli Kreminchuker and Maxim Zavodchik and Raymond Pompon}, title = {{Echobot Malware Now up to 71 Exploits, Targeting SCADA}}, date = {2019-12-18}, organization = {F5 Labs}, url = {https://www.f5.com/labs/articles/threat-intelligence/echobot-malware-now-up-to-71-exploits--targeting-scada}, language = {English}, urldate = {2020-01-10} } @online{kreyenberg:20200228:mysterious:ed48f62, author = {Hannah Kreyenberg}, title = {{Mysterious spam campaign: A security analysis}}, date = {2020-02-28}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-information/mysterious-spam-campaign/}, language = {English}, urldate = {2020-06-16} } @online{kristal:20200511:anatomy:4ece947, author = {Gal Kristal}, title = {{The Anatomy of an APT Attack and CobaltStrike Beacon’s Encoded Configuration}}, date = {2020-05-11}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/}, language = {English}, urldate = {2020-05-13} } @online{kristal:20200609:cobaltstrikeparser:a023ac8, author = {Gal Kristal}, title = {{CobaltStrikeParser}}, date = {2020-06-09}, organization = {Github (Sentinel-One)}, url = {https://github.com/Sentinel-One/CobaltStrikeParser/blob/master/parse_beacon_config.py}, language = {English}, urldate = {2020-09-15} } @online{kristal:20201019:purple:46e7ffb, author = {Gal Kristal}, title = {{Purple Fox EK | New CVEs, Steganography, and Virtualization Added to Attack Flow}}, date = {2020-10-19}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/purple-fox-ek-new-cves-steganography-and-virtualization-added-to-attack-flow/}, language = {English}, urldate = {2020-10-23} } @online{krueger:20191015:lowkey:aab2f5e, author = {Tobias Krueger}, title = {{LOWKEY: Hunting for the Missing Volume Serial ID}}, date = {2019-10-15}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/10/lowkey-hunting-for-the-missing-volume-serial-id.html}, language = {English}, urldate = {2019-12-10} } @techreport{krysiuk:2013:trojanbamital:1c4d921, author = {Piotr Krysiuk and Vikram Thakur}, title = {{Trojan.Bamital}}, date = {2013}, institution = {Symantec}, url = {https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/trojan-bamital-13-en.pdf}, language = {English}, urldate = {2019-12-24} } @online{kscert:20151105:sphinx:0414ca2, author = {kscert}, title = {{Sphinx Moth: Expanding our knowledge of the “Wild Neutron” / “Morpho” APT}}, date = {2015-11-05}, organization = {Kudelski Security}, url = {https://research.kudelskisecurity.com/2015/11/05/sphinx-moth-expanding-our-knowledge-of-the-wild-neutron-morpho-apt/}, language = {English}, urldate = {2020-01-10} } @online{kubovich:20180703:hamas:372b78f, author = {Yaniv Kubovich}, title = {{Hamas Cyber Ops Spied on Hundreds of Israeli Soldiers Using Fake World Cup, Dating Apps}}, date = {2018-07-03}, organization = {Haaretz}, url = {https://www.haaretz.com/israel-news/hamas-cyber-ops-spied-on-israeli-soldiers-using-fake-world-cup-app-1.6241773}, language = {English}, urldate = {2019-11-29} } @online{kuhn:20190724:guesswho:1b23cb0, author = {John Kuhn}, title = {{GuessWho Ransomware – A Variant of Rapid Ransomware}}, date = {2019-07-24}, organization = {IBM X-Force Exchange}, url = {https://exchange.xforce.ibmcloud.com/collection/GuessWho-Ransomware-A-Variant-of-Rapid-Ransomware-ef226b9792fa4c1e34fa4c587db04145}, language = {English}, urldate = {2020-01-10} } @online{kujawa:20120609:you:c8d15e0, author = {Adam Kujawa}, title = {{You dirty RAT! Part 1: DarkComet}}, date = {2012-06-09}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/}, language = {English}, urldate = {2019-12-20} } @online{kujawa:20120615:you:307c877, author = {Adam Kujawa}, title = {{You Dirty RAT! Part 2 – BlackShades NET}}, date = {2012-06-15}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-2-blackshades-net/}, language = {English}, urldate = {2019-12-20} } @online{kujawa:20120621:blackshades:3002f8a, author = {Adam Kujawa}, title = {{BlackShades in Syria}}, date = {2012-06-21}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2012/06/blackshades-in-syria/}, language = {English}, urldate = {2019-12-20} } @online{kujawa:20121005:dark:192d4aa, author = {Adam Kujawa}, title = {{Dark Comet 2: Electric Boogaloo}}, date = {2012-10-05}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2012/10/dark-comet-2-electric-boogaloo/}, language = {English}, urldate = {2019-12-20} } @online{kujawa:20140530:taking:d9b729e, author = {Adam Kujawa}, title = {{Taking off the Blackshades}}, date = {2014-05-30}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2014/05/taking-off-the-blackshades/}, language = {English}, urldate = {2019-12-20} } @techreport{kujawa:20200210:2020:3fdaf12, author = {Adam Kujawa and Wendy Zamora and Jérôme Segura and Thomas Reed and Nathan Collier and Jovi Umawing and Chris Boyd and Pieter Arntz and David Ruiz}, title = {{2020 State of Malware Report}}, date = {2020-02-10}, institution = {Malwarebytes}, url = {https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf}, language = {English}, urldate = {2020-02-13} } @online{kumar:20170122:russian:a19c81e, author = {Mohit Kumar}, title = {{Russian Hacker behind 'NeverQuest' Malware, Wanted by FBI, Is Arrested in Spain}}, date = {2017-01-22}, organization = {The Hacker News}, url = {http://thehackernews.com/2017/01/neverquest-fbi-hacker.html}, language = {English}, urldate = {2019-12-18} } @online{kumar:20200626:taurus:4d00888, author = {Avinash Kumar and Uday Pratap Singh}, title = {{Taurus: The New Stealer in Town}}, date = {2020-06-26}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/taurus-new-stealer-town}, language = {English}, urldate = {2020-08-13} } @techreport{kumar:202006:mobile:a277975, author = {Apurva Kumar and Christoph Hebeisen and Kristin Del Rosso}, title = {{Mobile APT SurveillanceCampaigns Targeting Uyghurs A collection of long-running Android tooling connected to a Chinese mAPT actor}}, date = {2020-06}, institution = {Lookout}, url = {https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf}, language = {English}, urldate = {2020-07-02} } @online{kumar:20200701:multiyear:5ce3699, author = {Apurva Kumar and Christoph Hebeisen and Kristin Del Rosso}, title = {{Multiyear Surveillance Campaigns Discovered Targeting Uyghurs}}, date = {2020-07-01}, organization = {Lookout}, url = {https://blog.lookout.com/multiyear-surveillance-campaigns-discovered-targeting-uyghurs}, language = {English}, urldate = {2020-07-02} } @online{kumar:20200916:malware:60f39c3, author = {Avinash Kumar and Aditya Sharma}, title = {{Malware Leveraging XML-RPC Vulnerability to Exploit WordPress Sites}}, date = {2020-09-16}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/malware-leveraging-xml-rpc-vulnerability-exploit-wordpress-sites}, language = {English}, urldate = {2020-09-23} } @online{kundaliya:20190411:lazarus:2ad8687, author = {Dev Kundaliya}, title = {{Lazarus rises: Warning over new HOPLIGHT malware linked with North Korea}}, date = {2019-04-11}, organization = {Computing.co.uk}, url = {https://www.computing.co.uk/ctg/news/3074007/lazarus-rises-warning-over-new-hoplight-malware-linked-with-north-korea}, language = {English}, urldate = {2020-01-06} } @online{kundaliya:20191224:warning:6ffa2c8, author = {Dev Kundaliya}, title = {{Warning over LockerGoga and MegaCortex ransomware attacks targeting private industry in western countries}}, date = {2019-12-24}, url = {https://www.computing.co.uk/ctg/news/3084818/warning-over-lockergoga-and-megacortex-ransomware-attacks-targeting-private-industry-in-western-countries}, language = {English}, urldate = {2020-01-06} } @online{kuprins:20190903:analysis:2b5a874, author = {Aleksejs Kuprins}, title = {{Analysis of Joker — A Spy & Premium Subscription Bot on GooglePlay}}, date = {2019-09-03}, organization = {Medium CSIS Techblog}, url = {https://medium.com/csis-techblog/analysis-of-joker-a-spy-premium-subscription-bot-on-googleplay-9ad24f044451}, language = {English}, urldate = {2020-01-06} } @online{kuprins:20200625:roamingmantis:256a9f9, author = {Aleksejs Kuprins}, title = {{The RoamingMantis Group’s Expansion to European Apple Accounts and Android Devices}}, date = {2020-06-25}, organization = {Medium CSIS Techblog}, url = {https://medium.com/csis-techblog/the-roamingmantis-groups-expansion-to-european-apple-accounts-and-android-devices-e6381723c681}, language = {English}, urldate = {2020-06-25} } @online{kuzin:20140710:versatile:0c64d25, author = {Mikhail Kuzin}, title = {{Versatile DDoS Trojan for Linux}}, date = {2014-07-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/versatile-ddos-trojan-for-linux/64361/}, language = {English}, urldate = {2019-12-20} } @online{kuzin:20180720:calisto:09350f7, author = {Mikhail Kuzin and Sergey Zelensky}, title = {{Calisto Trojan for macOS}}, date = {2018-07-20}, organization = {Kaspersky Labs}, url = {https://securelist.com/calisto-trojan-for-macos/86543/}, language = {English}, urldate = {2019-12-20} } @online{kuzmenko:20190618:plurox:14d4e0d, author = {Anton Kuzmenko}, title = {{Plurox: Modular backdoor}}, date = {2019-06-18}, organization = {Kaspersky Labs}, url = {https://securelist.com/plurox-modular-backdoor/91213/}, language = {English}, urldate = {2019-12-20} } @online{kuznetsov:20130314:new:148c189, author = {Igor Kuznetsov and Costin Raiu}, title = {{New Uyghur and Tibetan Themed Attacks Using PDF Exploits}}, date = {2013-03-14}, organization = {Kaspersky Labs}, url = {https://securelist.com/new-uyghur-and-tibetan-themed-attacks-using-pdf-exploits/35465}, language = {English}, urldate = {2020-04-24} } @online{kwiatkowski:20200331:holy:857c397, author = {Ivan Kwiatkowski and Félix Aime and Pierre Delcher}, title = {{Holy water: ongoing targeted water-holing attack in Asia}}, date = {2020-03-31}, organization = {Kaspersky Labs}, url = {https://securelist.com/holy-water-ongoing-targeted-water-holing-attack-in-asia/96311/}, language = {English}, urldate = {2020-04-07} } @online{kwiatkowski:20200728:lazarus:5b1523a, author = {Ivan Kwiatkowski and Pierre Delcher and Félix Aime}, title = {{Lazarus on the hunt for big game}}, date = {2020-07-28}, organization = {Kaspersky Labs}, url = {https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/}, language = {English}, urldate = {2020-07-30} } @online{kwiatkowski:20200824:lifting:fd3c725, author = {Ivan Kwiatkowski and Pierre Delcher and Maher Yamout}, title = {{Lifting the veil on DeathStalker, a mercenary triumvirate}}, date = {2020-08-24}, organization = {Kaspersky Labs}, url = {https://securelist.com/deathstalker-mercenary-triumvirate/98177/}, language = {English}, urldate = {2020-08-25} } @online{kwiatkowski:20201015:iamtheking:1c3917e, author = {Ivan Kwiatkowski and Pierre Delcher and Félix Aime}, title = {{IAmTheKing and the SlothfulMedia malware family}}, date = {2020-10-15}, organization = {Kaspersky Labs}, url = {https://securelist.com/iamtheking-and-the-slothfulmedia-malware-family/99000/}, language = {English}, urldate = {2020-10-16} } @online{laan:20160828:feintcloud:628f6af, author = {Wladimir J. van der Laan}, title = {{FEINTCLOUD}}, date = {2016-08-28}, organization = {Laanwj's Blog}, url = {https://laanwj.github.io/2016/08/28/feintcloud.html}, language = {English}, urldate = {2020-01-13} } @online{laan:20160904:blatsting:26f14e8, author = {Wladimir J. van der Laan}, title = {{BLATSTING Command-and-Control protocol}}, date = {2016-09-04}, organization = {Laanwj's Blog}, url = {https://laanwj.github.io/2016/09/04/blatsting-command-and-control.html}, language = {English}, urldate = {2019-07-11} } @online{laan:20160911:buzzdirection:2f24cce, author = {Wladimir J. van der Laan}, title = {{BUZZDIRECTION: BLATSTING reloaded}}, date = {2016-09-11}, organization = {Laanwj's Blog}, url = {https://laanwj.github.io/2016/09/11/buzzdirection.html}, language = {English}, urldate = {2020-01-08} } @online{laanwj:20160822:blatsting:11dc652, author = {Laanwj}, title = {{BLATSTING FUNKSPIEL}}, date = {2016-08-22}, url = {https://laanwj.github.io/2016/08/22/blatsting.html}, language = {English}, urldate = {2020-01-07} } @online{laanwj:20160901:tadaqueous:c25857a, author = {Laanwj}, title = {{TADAQUEOUS moments}}, date = {2016-09-01}, url = {https://laanwj.github.io/2016/09/01/tadaqueos.html}, language = {English}, urldate = {2020-01-07} } @online{laanwj:20160906:blatsting:67dc773, author = {Laanwj}, title = {{Blatsting C&C Transcript}}, date = {2016-09-06}, url = {https://laanwj.github.io/2016/09/09/blatsting-lp-transcript.html}, language = {English}, urldate = {2019-12-04} } @online{laanwj:20160913:curious:fa20b98, author = {Laanwj}, title = {{The curious case of BLATSTING's RSA implementation}}, date = {2016-09-13}, url = {https://laanwj.github.io/2016/09/13/blatsting-rsa.html}, language = {English}, urldate = {2020-01-09} } @online{laanwj:20160917:few:2572d3c, author = {Laanwj}, title = {{A few notes on SECONDDATE's C&C protocol}}, date = {2016-09-17}, url = {https://laanwj.github.io/2016/09/17/seconddate-cnc.html}, language = {English}, urldate = {2020-01-07} } @online{lab52:20190313:orangeworm:396a091, author = {Lab52}, title = {{ORANGEWORM GROUP – KWAMPIRS ANALYSIS UPDATE}}, date = {2019-03-13}, organization = {Security Art Work}, url = {https://www.securityartwork.es/2019/03/13/orangeworm-group-kwampirs-analysis-update/}, language = {English}, urldate = {2020-01-06} } @online{lab52:20200609:recent:c5c6aa7, author = {Lab52}, title = {{Recent FK_Undead rootkit samples found in the wild}}, date = {2020-06-09}, organization = {Lab52}, url = {https://lab52.io/blog/recent-fk-undead-rootkit-samples-found-in-the-wild/}, language = {English}, urldate = {2020-06-10} } @techreport{lab:20120531:skywiper:5435097, author = {CrySyS Lab}, title = {{sKyWIper (a.k.a. Flame a.k.a. Flamer): A complex malware for targeted attacks}}, date = {2012-05-31}, institution = {CrySyS Lab}, url = {https://www.crysys.hu/publications/files/skywiper.pdf}, language = {English}, urldate = {2020-01-06} } @techreport{lab:20130320:teamspy:d2d8b88, author = {CrySyS Lab}, title = {{TeamSpy –Obshie manevri. Ispolzovat' tolko s razreshenija S-a.}}, date = {2013-03-20}, institution = {CrySyS Lab}, url = {https://www.crysys.hu/publications/files/teamspy.pdf}, language = {English}, urldate = {2020-01-08} } @online{lab:20170404:chasing:b9789da, author = {Kaspersky Lab}, title = {{Chasing Lazarus: A Hunt for the Infamous Hackers to Prevent Large Bank Robberies}}, date = {2017-04-04}, organization = {Kaspersky Labs}, url = {https://www.kaspersky.com/about/press-releases/2017_chasing-lazarus-a-hunt-for-the-infamous-hackers-to-prevent-large-bank-robberies}, language = {English}, urldate = {2019-12-24} } @techreport{lab:201803:lazarus:3fd5ac4, author = {Kaspersky Lab}, title = {{Lazarus under the Hood}}, date = {2018-03}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf}, language = {English}, urldate = {2020-01-07} } @online{lab:20181213:return:786b4e0, author = {Certfa Lab}, title = {{The Return of The Charming Kitten}}, date = {2018-12-13}, organization = {Certfa}, url = {https://blog.certfa.com/posts/the-return-of-the-charming-kitten/}, language = {English}, urldate = {2020-01-13} } @online{lab:20191209:caution:05ff83a, author = {EmsiSoft Malware Lab}, title = {{Caution! Ryuk Ransomware decryptor damages larger files, even if you pay}}, date = {2019-12-09}, organization = {Emsisoft}, url = {https://blog.emsisoft.com/en/35023/bug-in-latest-ryuk-decryptor-may-cause-data-loss/}, language = {English}, urldate = {2020-01-07} } @online{lab:20200130:fake:8ef4342, author = {Certfa Lab}, title = {{Fake Interview: The New Activity of Charming Kitten}}, date = {2020-01-30}, organization = {Certfa Lab}, url = {https://blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/}, language = {English}, urldate = {2020-03-03} } @online{lab:20200505:awaiting:513382e, author = {Security Lab}, title = {{Awaiting the Inevitable Return of Emotet}}, date = {2020-05-05}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-information/awaiting-the-inevitable-return-of-emotet/}, language = {English}, urldate = {2020-05-05} } @online{lab:20200519:information:eb0a182, author = {Security Lab}, title = {{Information Stealer Campaign Targeting German HR Contacts}}, date = {2020-05-19}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-information/information-stealer-campaign-targeting-german-hr-contacts/}, language = {English}, urldate = {2020-05-29} } @online{lab:20200605:avaddon:399af6f, author = {Security Lab}, title = {{Avaddon: From seeking affiliates to in-the-wild in 2 days}}, date = {2020-06-05}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-information/avaddon-from-seeking-affiliates-to-in-the-wild-in-2-days/}, language = {English}, urldate = {2020-06-08} } @online{lab:20200612:trickbot:2bf54ef, author = {Security Lab}, title = {{Trickbot Malspam Leveraging Black Lives Matter as Lure}}, date = {2020-06-12}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-information/trickbot-malspam-leveraging-black-lives-matter-as-lure/}, language = {English}, urldate = {2020-07-01} } @online{lab:20200616:qakbot:0353100, author = {Security Lab}, title = {{QakBot malspam leading to ProLock: Nothing personal just business}}, date = {2020-06-16}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-information/qakbot-malspam-leading-to-prolock/}, language = {English}, urldate = {2020-07-01} } @online{lab:20200707:clop:12bb60d, author = {Hornetsecurity Security Lab}, title = {{Clop, Clop! It’s a TA505 HTML malspam analysis}}, date = {2020-07-07}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-information/clop-clop-ta505-html-malspam-analysis/}, language = {English}, urldate = {2020-07-30} } @online{lab:20200709:servhelper:13899fd, author = {G DATA Security Lab}, title = {{ServHelper: Hidden Miners}}, date = {2020-07-09}, organization = {Gdata}, url = {https://www.gdatasoftware.com/blog/2020/07/36122-hidden-miners}, language = {English}, urldate = {2020-07-16} } @online{lab:20200718:firefox:4293555, author = {Hornetsecurity Security Lab}, title = {{Firefox Send sends Ursnif malware}}, date = {2020-07-18}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-information/firefox-send-sends-ursnif-malware/}, language = {English}, urldate = {2020-08-21} } @online{lab:20200720:emotet:f918eaf, author = {Hornetsecurity Security Lab}, title = {{Emotet is back}}, date = {2020-07-20}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-information/emotet-is-back/}, language = {English}, urldate = {2020-07-30} } @online{lab:20200731:webshells:4963ea5, author = {Hornetsecurity Security Lab}, title = {{The webshells powering Emotet}}, date = {2020-07-31}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-informationen-en/webshells-powering-emotet/}, language = {English}, urldate = {2020-08-21} } @online{lab:20200824:emotet:252c8de, author = {Security Lab}, title = {{Emotet Update increases Downloads}}, date = {2020-08-24}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-information/emotet-update-increases-downloads/}, language = {English}, urldate = {2020-08-30} } @online{lab:20201013:bazarloader:9a2d75b, author = {Security Lab}, title = {{BazarLoader Campaign with Fake Termination Emails}}, date = {2020-10-13}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/threat-research/bazarloader-campaign-with-fake-termination-emails/}, language = {English}, urldate = {2020-10-19} } @online{labs:20071022:malwareentwicklung:8050999, author = {Kaspersky Labs}, title = {{Malware-Entwicklung im ersten Halbjahr 2007}}, date = {2007-10-22}, organization = {Kaspersky Labs}, url = {https://de.securelist.com/malware-entwicklung-im-ersten-halbjahr-2007/59574/}, language = {German}, urldate = {2020-03-19} } @online{labs:2009:kaspersky:546f640, author = {Kaspersky Labs}, title = {{Kaspersky Lab analyses new version of Kido (Conficker)}}, date = {2009}, organization = {Kaspersky Labs}, url = {https://www.kaspersky.com/about/press-releases/2009_kaspersky-lab-analyses-new-version-of-kido--conficker}, language = {English}, urldate = {2019-11-25} } @online{labs:20140417:quick:6a0fa31, author = {Nettitude Labs}, title = {{A quick analysis of the latest Shadow Brokers dump}}, date = {2014-04-17}, organization = {Nettitude Labs}, url = {https://labs.nettitude.com/blog/a-quick-analysis-of-the-latest-shadow-brokers-dump/}, language = {English}, urldate = {2019-12-19} } @techreport{labs:20140904:pitou:211eac4, author = {F-Secure Labs}, title = {{PITOU: The "silent" resurrection of the notorious Srizbi kernel spambot}}, date = {2014-09-04}, institution = {F-Secure}, url = {https://www.f-secure.com/documents/996508/1030745/pitou_whitepaper.pdf}, language = {English}, urldate = {2020-01-13} } @online{labs:20141114:onionduke:dc56d5c, author = {F-Secure Labs}, title = {{OnionDuke: APT Attacks Via the Tor Network}}, date = {2014-11-14}, organization = {F-Secure}, url = {https://www.f-secure.com/weblog/archives/00002764.html}, language = {English}, urldate = {2020-01-09} } @online{labs:20150304:you:edeb053, author = {BriMor Labs}, title = {{And you get a POS malware name...and you get a POS malware name....and you get a POS malware name....}}, date = {2015-03-04}, organization = {BriMor Labs}, url = {https://www.brimorlabsblog.com/2015/03/and-you-get-pos-malware-nameand-you-get.html}, language = {English}, urldate = {2019-11-29} } @online{labs:20150805:whos:972f567, author = {Malwarebytes Labs}, title = {{Who’s Behind Your Proxy? Uncovering Bunitu’s Secrets}}, date = {2015-08-05}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2015/08/whos-behind-your-proxy-uncovering-bunitus-secrets/}, language = {English}, urldate = {2019-12-20} } @online{labs:20150917:dukes:767fbef, author = {F-Secure Labs}, title = {{The Dukes: 7 Years Of Russian Cyber-Espionage}}, date = {2015-09-17}, organization = {F-Secure}, url = {https://labsblog.f-secure.com/2015/09/17/the-dukes-7-years-of-russian-cyber-espionage/}, language = {English}, urldate = {2020-01-13} } @online{labs:20160318:teslacrypt:5c7daff, author = {Malwarebytes Labs}, title = {{Teslacrypt Spam Campaign: “Unpaid Issue…”}}, date = {2016-03-18}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/03/teslacrypt-spam-campaign-unpaid-issue/}, language = {English}, urldate = {2019-12-20} } @online{labs:20160401:petya:b3dfd23, author = {Malwarebytes Labs}, title = {{Petya – Taking Ransomware To The Low Level}}, date = {2016-04-01}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/04/petya-ransomware/}, language = {English}, urldate = {2019-12-20} } @online{labs:20160714:untangling:c16cc34, author = {Malwarebytes Labs}, title = {{Untangling Kovter’s persistence methods}}, date = {2016-07-14}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/07/untangling-kovter/}, language = {English}, urldate = {2019-12-20} } @online{labs:20160718:third:4b06b46, author = {Malwarebytes Labs}, title = {{Third time (un)lucky – improved Petya is out}}, date = {2016-07-18}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/07/third-time-unlucky-improved-petya-is-out/}, language = {English}, urldate = {2019-12-20} } @techreport{labs:20160805:nanhaishu:cee830d, author = {F-Secure Labs}, title = {{NANHAISHU: RATing the South China Sea}}, date = {2016-08-05}, institution = {F-Secure}, url = {https://www.f-secure.com/documents/996508/1030745/nanhaishu_whitepaper.pdf}, language = {English}, urldate = {2020-01-13} } @online{labs:20160805:smoke:afada56, author = {Malwarebytes Labs}, title = {{Smoke Loader – downloader with a smokescreen still alive}}, date = {2016-08-05}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/}, language = {English}, urldate = {2019-12-20} } @online{labs:20160815:shakti:e11f9b7, author = {Malwarebytes Labs}, title = {{Shakti Trojan: Document Thief}}, date = {2016-08-15}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/08/shakti-trojan-stealing-documents/}, language = {English}, urldate = {2019-12-20} } @online{labs:20160825:unpacking:66173f5, author = {Malwarebytes Labs}, title = {{Unpacking the spyware disguised as antivirus}}, date = {2016-08-25}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/08/unpacking-the-spyware-disguised-as-antivirus/}, language = {English}, urldate = {2019-12-20} } @online{labs:201608:shakti:2c08a62, author = {Malwarebytes Labs}, title = {{Shakti Trojan: Technical Analysis}}, date = {2016-08}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/08/shakti-trojan-technical-analysis/amp/}, language = {English}, urldate = {2019-12-19} } @online{labs:20161024:introducing:e59ac27, author = {Malwarebytes Labs}, title = {{Introducing TrickBot, Dyreza’s successor}}, date = {2016-10-24}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/}, language = {English}, urldate = {2019-12-20} } @online{labs:20161110:floki:cb97f8d, author = {Malwarebytes Labs}, title = {{Floki Bot and the stealthy dropper}}, date = {2016-11-10}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/11/floki-bot-and-the-stealthy-dropper/}, language = {English}, urldate = {2019-12-20} } @online{labs:20161121:princesslocker:9a8ec57, author = {Malwarebytes Labs}, title = {{PrincessLocker – ransomware with not so royal encryption}}, date = {2016-11-21}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/11/princess-ransomware/}, language = {English}, urldate = {2019-12-20} } @online{labs:20161215:goldeneye:234318b, author = {Malwarebytes Labs}, title = {{Goldeneye Ransomware – the Petya/Mischa combo rebranded}}, date = {2016-12-15}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/12/goldeneye-ransomware-the-petyamischa-combo-rebranded/}, language = {English}, urldate = {2019-12-20} } @online{labs:20170126:zbot:b625eef, author = {Malwarebytes Labs}, title = {{Zbot with legitimate applications on board}}, date = {2017-01-26}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/cybercrime/2017/01/zbot-with-legitimate-applications-on-board/}, language = {English}, urldate = {2019-12-20} } @online{labs:20170131:locky:92db484, author = {Malwarebytes Labs}, title = {{Locky Bart ransomware and backend server analysis}}, date = {2017-01-31}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/01/locky-bart-ransomware-and-backend-server-analysis/}, language = {English}, urldate = {2019-12-20} } @online{labs:20170227:new:e13a158, author = {Malwarebytes Labs}, title = {{New Neutrino Bot comes in a protective loader}}, date = {2017-02-27}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/02/new-neutrino-bot-comes-in-a-protective-loader/}, language = {English}, urldate = {2019-12-20} } @online{labs:20170310:explained:4186cb4, author = {Malwarebytes Labs}, title = {{Explained: Spora ransomware}}, date = {2017-03-10}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/03/spora-ransomware/}, language = {English}, urldate = {2019-12-20} } @online{labs:20170315:vaccinating:751a95c, author = {Minerva Labs}, title = {{Vaccinating against Spora ransomware: a proof-of-concept tool by Minerva}}, date = {2017-03-15}, organization = {Github (MinervaLabsResearch)}, url = {https://github.com/MinervaLabsResearch/SporaVaccination}, language = {English}, urldate = {2019-10-23} } @online{labs:20170317:diamond:67bf9e6, author = {Malwarebytes Labs}, title = {{Diamond Fox – part 1: introduction and unpacking}}, date = {2017-03-17}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/03/diamond-fox-p1/}, language = {English}, urldate = {2019-12-20} } @online{labs:20170329:explained:dc19964, author = {Malwarebytes Labs}, title = {{Explained: Sage ransomware}}, date = {2017-03-29}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/03/explained-sage-ransomware/}, language = {English}, urldate = {2019-12-20} } @online{labs:20170406:diamond:5788882, author = {Malwarebytes Labs}, title = {{Diamond Fox – part 2: let’s dive in the code}}, date = {2017-04-06}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/04/diamond-fox-p2/}, language = {English}, urldate = {2019-12-20} } @online{labs:20170421:elusive:3f45f0e, author = {Malwarebytes Labs}, title = {{Elusive Moker Trojan is back}}, date = {2017-04-21}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/04/elusive-moker-trojan/}, language = {English}, urldate = {2019-12-20} } @online{labs:201704:callisto:5e97cb4, author = {F-Secure Labs}, title = {{CALLISTO GROUP}}, date = {2017-04}, organization = {F-Secure}, url = {https://www.f-secure.com/documents/996508/1030745/callisto-group}, language = {English}, urldate = {2019-12-10} } @online{labs:20170629:eternalpetya:bdd5896, author = {Malwarebytes Labs}, title = {{EternalPetya and the lost Salsa20 key}}, date = {2017-06-29}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-lost-salsa20-key/}, language = {English}, urldate = {2019-12-20} } @online{labs:20170630:eternalpetya:122fb36, author = {Malwarebytes Labs}, title = {{EternalPetya – yet another stolen piece in the package?}}, date = {2017-06-30}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-yet-another-stolen-piece-package/}, language = {English}, urldate = {2019-12-20} } @online{labs:20170712:net:7efe3ac, author = {Malwarebytes Labs}, title = {{A .NET malware abusing legitimate ffmpeg}}, date = {2017-07-12}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/07/malware-abusing-ffmpeg/}, language = {English}, urldate = {2019-12-20} } @online{labs:20170714:keeping:0759a8b, author = {Malwarebytes Labs}, title = {{Keeping up with the Petyas: Demystifying the malware family}}, date = {2017-07-14}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/}, language = {English}, urldate = {2019-12-20} } @online{labs:20170724:bye:ffc2434, author = {Malwarebytes Labs}, title = {{Bye, bye Petya! Decryptor for old versions released.}}, date = {2017-07-24}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/malwarebytes-news/2017/07/bye-bye-petya-decryptor-old-versions-released/}, language = {English}, urldate = {2019-12-20} } @online{labs:201707:trickbot:e738eaf, author = {Ring Zero Labs}, title = {{TrickBot Banking Trojan - DOC00039217.doc}}, date = {2017-07}, organization = {Ring Zero Labs}, url = {https://www.ringzerolabs.com/2017/07/trickbot-banking-trojan-doc00039217doc.html}, language = {English}, urldate = {2020-01-10} } @online{labs:20170801:trickbot:222d8bc, author = {Malwarebytes Labs}, title = {{TrickBot comes up with new tricks: attacking Outlook and browsing data}}, date = {2017-08-01}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/08/trickbot-comes-with-new-tricks-attacking-outlook-and-browsing-data/}, language = {English}, urldate = {2019-12-20} } @online{labs:20170818:inside:f145bae, author = {Malwarebytes Labs}, title = {{Inside the Kronos malware – part 1}}, date = {2017-08-18}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware/}, language = {English}, urldate = {2019-12-20} } @online{labs:20170829:inside:a4e7a99, author = {Malwarebytes Labs}, title = {{Inside the Kronos malware – part 2}}, date = {2017-08-29}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware-p2/}, language = {English}, urldate = {2019-12-20} } @online{labs:20170926:elaborate:bed9adc, author = {Malwarebytes Labs}, title = {{Elaborate scripting-fu used in espionage attack against Saudi Arabia Government entity}}, date = {2017-09-26}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/09/elaborate-scripting-fu-used-in-espionage-attack-against-saudi-arabia-government_entity/}, language = {English}, urldate = {2019-12-20} } @online{labs:20171018:magniber:2ae5250, author = {Malwarebytes Labs}, title = {{Magniber ransomware: exclusively for South Koreans}}, date = {2017-10-18}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/10/magniber-ransomware-exclusively-for-south-koreans/}, language = {English}, urldate = {2019-12-20} } @online{labs:20171113:match:b967fde, author = {Obscurity Labs}, title = {{Match Made In The Shadows: Part [3]}}, date = {2017-11-13}, organization = {Obscurity Labs}, url = {https://obscuritylabs.com/blog/2017/11/13/match-made-in-the-shadows-part-3/}, language = {English}, urldate = {2020-05-07} } @online{labs:20171228:pandazeuss:0d9ab97, author = {Spamhaus Malware Labs}, title = {{PandaZeuS’s Christmas Gift: Change in the Encryption scheme}}, date = {2017-12-28}, organization = {Spamhaus}, url = {https://www.spamhaus.org/news/article/771/}, language = {English}, urldate = {2020-01-05} } @online{labs:20180130:gandcrab:86c30cb, author = {Malwarebytes Labs}, title = {{GandCrab ransomware distributed by RIG and GrandSoft exploit kits (updated)}}, date = {2018-01-30}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits/}, language = {English}, urldate = {2019-12-20} } @online{labs:20180328:indepth:574e8fd, author = {Malwarebytes Labs}, title = {{An in-depth malware analysis of QuantLoader}}, date = {2018-03-28}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2018/03/an-in-depth-malware-analysis-of-quantloader/}, language = {English}, urldate = {2019-12-20} } @online{labs:20180416:smoke:b91b833, author = {Spamhaus Malware Labs}, title = {{Smoke Loader malware improves after Microsoft spoils its Campaign}}, date = {2018-04-16}, organization = {Spamhaus}, url = {https://www.spamhaus.org/news/article/774/smoke-loader-improves-encryption-after-microsoft-spoils-its-campaign}, language = {English}, urldate = {2020-01-08} } @online{labs:20181115:mylobot:4f8ccb3, author = {LabsBlack Lotus Labs}, title = {{Mylobot Continues Global Infections}}, date = {2018-11-15}, organization = {Centurylink}, url = {https://blog.centurylink.com/mylobot-continues-global-infections/}, language = {English}, urldate = {2019-12-24} } @online{labs:20181205:trickbots:b45d588, author = {VIPRE Labs}, title = {{Trickbot’s Tricks}}, date = {2018-12-05}, organization = {VIPRE}, url = {https://labs.vipre.com/trickbots-tricks/}, language = {English}, urldate = {2020-01-09} } @online{labs:20190311:attackers:013804a, author = {Minerva Labs}, title = {{Attackers Insert Themselves into the Email Conversation to Spread Malware}}, date = {2019-03-11}, organization = {Minerva}, url = {https://blog.minerva-labs.com/attackers-insert-themselves-into-the-email-conversation-to-spread-malware}, language = {English}, urldate = {2020-01-08} } @online{labs:20190327:emotet:388559f, author = {Spamhaus Malware Labs}, title = {{Emotet adds a further layer of camouflage}}, date = {2019-03-27}, organization = {Spamhaus}, url = {https://www.spamhaus.org/news/article/783/emotet-adds-a-further-layer-of-camouflage}, language = {English}, urldate = {2020-01-06} } @online{labs:20190409:say:9be09c3, author = {Malwarebytes Labs}, title = {{Say hello to Baldr, a new stealer on the market}}, date = {2019-04-09}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2019/04/say-hello-baldr-new-stealer-market/}, language = {English}, urldate = {2019-12-20} } @online{labs:20190508:fin7:6874fc6, author = {Kaspersky Labs}, title = {{Fin7 hacking group targets more than 130 companies after leaders’ arrest}}, date = {2019-05-08}, organization = {Kaspersky Labs}, url = {https://www.kaspersky.com/about/press-releases/2019_fin7-hacking-group-targets-more-than-130-companies-after-leaders-arrest}, language = {English}, urldate = {2020-03-22} } @online{labs:20191002:mcafee:1a04182, author = {McAfee Labs}, title = {{McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us}}, date = {2019-10-02}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/}, language = {English}, urldate = {2019-12-22} } @online{labs:2019:ransommegacortex:5d35576, author = {Malwarebytes Labs}, title = {{Ransom.Megacortex}}, date = {2019}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/detections/ransom-megacortex/}, language = {English}, urldate = {2020-01-10} } @online{labs:20200125:indonesian:1f0de05, author = {Sanguine Labs}, title = {{Indonesian Magecart hackers arrested}}, date = {2020-01-25}, organization = {Sanguine Security}, url = {https://sansec.io/labs/2020/01/25/magecart-hackers-arrested/}, language = {English}, urldate = {2020-01-27} } @online{labs:20200324:new:88d7b1d, author = {Avira Protection Labs}, title = {{A new technique to analyze FormBook malware infections}}, date = {2020-03-24}, organization = {Avira}, url = {https://insights.oem.avira.com/a-new-technique-to-analyze-formbook-malware-infections/}, language = {English}, urldate = {2020-04-01} } @online{labs:20200328:indepth:9049cf2, author = {Avira Protection Labs}, title = {{In-depth analysis of a Cerberus trojan variant}}, date = {2020-03-28}, organization = {Avira}, url = {https://insights.oem.avira.com/in-depth-analysis-of-a-cerberus-trojan-variant/}, language = {English}, urldate = {2020-04-01} } @online{labs:20200413:new:f16a8b5, author = {Black Lotus Labs}, title = {{New Mozi Malware Family Quietly Amasses IoT Bots}}, date = {2020-04-13}, organization = {Centurylink}, url = {https://blog.centurylink.com/new-mozi-malware-family-quietly-amasses-iot-bots/}, language = {English}, urldate = {2020-04-26} } @techreport{labs:20200521:cybercrime:d38d2da, author = {Malwarebytes Labs}, title = {{Cybercrime tactics and techniques}}, date = {2020-05-21}, institution = {Malwarebytes}, url = {https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf}, language = {English}, urldate = {2020-06-03} } @online{labs:20200623:new:8b4b4e3, author = {Avira Protection Labs}, title = {{New Mirai variant Aisuru detects Cowrie opensource honeypots}}, date = {2020-06-23}, organization = {Avira}, url = {https://insights.oem.avira.com/new-mirai-variant-aisuru-detects-cowrie-opensource-honeypots/}, language = {English}, urldate = {2020-06-24} } @online{labs:20200701:alina:1c5d0e8, author = {Black Lotus Labs}, title = {{Alina Point of Sale Malware Still Lurking in DNS}}, date = {2020-07-01}, organization = {Centurylink}, url = {https://blog.centurylink.com/alina-point-of-sale-malware-still-lurking-in-dns/}, language = {English}, urldate = {2020-07-06} } @techreport{labs:20200730:spamhaus:038546d, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q2 2020}}, date = {2020-07-30}, institution = {Spamhaus}, url = {https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf}, language = {English}, urldate = {2020-07-30} } @online{labs:20200818:lazarus:f2dadaa, author = {F-Secure Labs}, title = {{Lazarus Group: Campaign Targeting the Cryptocurrency Vertical}}, date = {2020-08-18}, organization = {F-Secure Labs}, url = {https://labs.f-secure.com/publications/ti-report-lazarus-group-cryptocurrency-vertical/}, language = {English}, urldate = {2020-08-27} } @online{labs:20201002:appgate:f0b069c, author = {AppGate Labs}, title = {{Appgate Labs Analyzes New Family Of Ransomware - Egregor}}, date = {2020-10-02}, organization = {AppGate}, url = {https://www.appgate.com/news-press/appgate-labs-analyzes-new-family-of-ransomware-egregor}, language = {English}, urldate = {2020-10-05} } @online{labs:20201003:ta505:b03fbee, author = {Avira Protection Labs}, title = {{TA505 targets the Americas in a new campaign}}, date = {2020-10-03}, organization = {Avira}, url = {https://insights.oem.avira.com/ta505-apt-group-targets-americas/}, language = {English}, urldate = {2020-10-05} } @online{labs:20201012:look:7b422f7, author = {Black Lotus Labs}, title = {{A Look Inside The TrickBot Botnet}}, date = {2020-10-12}, organization = {Lumen}, url = {https://blog.lumen.com/a-look-inside-the-trickbot-botnet/}, language = {English}, urldate = {2020-10-12} } @online{labs:20201020:katana:4dc0a7b, author = {Avira Protection Labs}, title = {{Katana: a new variant of the Mirai botnet}}, date = {2020-10-20}, organization = {Avira}, url = {https://prod-blog.avira.com/katana-a-new-variant-of-the-mirai-botnet}, language = {English}, urldate = {2020-10-23} } @online{ladores:20170907:emotet:bf3075c, author = {Don Ladores}, title = {{EMOTET Returns, Starts Spreading via Spam Botnet}}, date = {2017-09-07}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/emotet-returns-starts-spreading-via-spam-botnet/}, language = {English}, urldate = {2019-11-28} } @online{ladores:20200922:mispadu:8a2a4c1, author = {Don Ladores and Raphael Centeno}, title = {{Mispadu Banking Trojan Resurfaces}}, date = {2020-09-22}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/mispadu-banking-trojan-resurfaces}, language = {English}, urldate = {2020-09-24} } @online{laeb:20200221:exploring:179689d, author = {Raveed Laeb}, title = {{Exploring the Genesis Supply Chain for Fun and Profit: Part 1 – Misadventures in GUIDology}}, date = {2020-02-21}, organization = {KELA}, url = {https://ke-la.com/exploring-the-genesis-supply-chain-for-fun-and-profit/}, language = {English}, urldate = {2020-02-26} } @online{laeb:20201012:kelas:2c54882, author = {Raveed Laeb and Victoria Kivilevich}, title = {{KELA’s 100 Over 100: September 2020 in Network Access Sales}}, date = {2020-10-12}, organization = {KELA}, url = {https://ke-la.com/kelas-100-over-100-september2020-in-network-access-sales/}, language = {English}, urldate = {2020-10-23} } @online{lagrimas:20121009:sasfis:5e95a5a, author = {Dianne Lagrimas}, title = {{SASFIS}}, date = {2012-10-09}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/sasfis}, language = {English}, urldate = {2020-01-08} } @online{lagrimas:20150409:beebone:cd0b76b, author = {Dianne Lagrimas}, title = {{Beebone Botnet Takedown: Trend Micro Solutions}}, date = {2015-04-09}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/151/beebone-botnet-takedown-trend-micro-solutions}, language = {English}, urldate = {2020-08-24} } @online{lahav:20190711:pykspa:9a2e7e7, author = {Lior Lahav}, title = {{Pykspa V2 DHA Updated to Become Selective}}, date = {2019-07-11}, organization = {Akamai}, url = {https://blogs.akamai.com/sitr/2019/07/pykspa-v2-dga-updated-to-become-selective.html}, language = {English}, urldate = {2020-01-06} } @online{lambert:20171004:turla:904593f, author = {John Lambert}, title = {{Tweet on Turla JS backdoor}}, date = {2017-10-04}, organization = {Twitter (@JohnLaTwC)}, url = {https://twitter.com/JohnLaTwC/status/915590893155098629}, language = {English}, urldate = {2019-10-23} } @online{lambert:20180220:evilosx:4d3473b, author = {John Lambert}, title = {{Tweet on EvilOSX}}, date = {2018-02-20}, organization = {Twitter (@JohnLaTwC)}, url = {https://twitter.com/JohnLaTwC/status/966139336436498432}, language = {English}, urldate = {2020-01-09} } @online{lambert:20180408:conminer:79fa45b, author = {John Lambert}, title = {{Tweet on ConMiner WebAssembly}}, date = {2018-04-08}, organization = {Twitter (@JohnLaTwC)}, url = {https://twitter.com/JohnLaTwC/status/983011262731714565}, language = {English}, urldate = {2020-01-13} } @online{lambert:20180408:cryptonight:e09e793, author = {John Lambert}, title = {{Cryptonight currency miner WASM}}, date = {2018-04-08}, organization = {Gist (JohnLaTwC)}, url = {https://gist.github.com/JohnLaTwC/112483eb9aed27dd2184966711c722ec}, language = {English}, urldate = {2019-11-29} } @online{lambert:20190417:unidentified:bae45d7, author = {John Lambert}, title = {{Tweet on an unidentified VBS Backdoor}}, date = {2019-04-17}, organization = {Twitter (JohnLaTwC)}, url = {https://twitter.com/JohnLaTwC/status/1118278148993339392}, language = {English}, urldate = {2019-07-11} } @online{lambert:20190501:frameworkpos:376a823, author = {Tony Lambert}, title = {{FrameworkPOS and the adequate persistent threat}}, date = {2019-05-01}, organization = {Red Canary}, url = {https://redcanary.com/blog/frameworkpos-and-the-adequate-persistent-threat/}, language = {English}, urldate = {2020-01-29} } @online{lambert:20200507:introducing:04e15eb, author = {Tony Lambert}, title = {{Introducing Blue Mockingbird}}, date = {2020-05-07}, organization = {Red Canary}, url = {https://redcanary.com/blog/blue-mockingbird-cryptominer/}, language = {English}, urldate = {2020-06-02} } @online{lambert:20200722:connecting:eb1b19a, author = {Tony Lambert}, title = {{Connecting Kinsing malware to Citrix and SaltStack campaigns}}, date = {2020-07-22}, organization = {Red Canary}, url = {https://redcanary.com/blog/kinsing-malware-citrix-saltstack/}, language = {English}, urldate = {2020-07-30} } @online{lamos:20171218:collaborative:1231f31, author = {Robert Lamos}, title = {{Collaborative Takedown Kills IoT Worm 'Satori'}}, date = {2017-12-18}, organization = {eWeek}, url = {http://www.eweek.com/security/collaborative-takedown-kills-iot-worm-satori}, language = {English}, urldate = {2019-12-20} } @online{lancaster:20140919:malware:b8ce62a, author = {Tom Lancaster}, title = {{Malware microevolution}}, date = {2014-09-19}, organization = {PWC}, url = {http://pwc.blogs.com/cyber_security_updates/2014/09/malware-microevolution.html}, language = {English}, urldate = {2020-01-08} } @online{lancaster:20150427:attacks:8467adc, author = {Tom Lancaster}, title = {{Attacks against Israeli & Palestinian interests}}, date = {2015-04-27}, organization = {PWC}, url = {https://pwc.blogs.com/cyber_security_updates/2015/04/attacks-against-israeli-palestinian-interests.html}, language = {English}, urldate = {2020-01-08} } @online{lancaster:20160928:confucius:24e8de3, author = {Tom Lancaster and Micah Yates}, title = {{Confucius Says…Malware Families Get Further By Abusing Legitimate Websites}}, date = {2016-09-28}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2016/09/unit42-confucius-says-malware-families-get-further-by-abusing-legitimate-websites/}, language = {English}, urldate = {2019-12-20} } @online{lancaster:20170627:paranoid:f933eb4, author = {Tom Lancaster and Esmid Idrizovic}, title = {{Paranoid PlugX}}, date = {2017-06-27}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/06/unit42-paranoid-plugx/}, language = {English}, urldate = {2019-12-20} } @online{lancaster:20171114:muddying:aa0467a, author = {Tom Lancaster}, title = {{Muddying the Water: Targeted Attacks in the Middle East}}, date = {2017-11-14}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/}, language = {English}, urldate = {2020-01-08} } @online{lancaster:20180129:vermin:eea5a83, author = {Tom Lancaster and Juan Cortes}, title = {{VERMIN: Quasar RAT and Custom Malware Used In Ukraine}}, date = {2018-01-29}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/}, language = {English}, urldate = {2019-12-20} } @online{lancaster:20181105:inception:4eb9f99, author = {Tom Lancaster}, title = {{Inception Attackers Target Europe with Year-old Office Vulnerability}}, date = {2018-11-05}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/}, language = {English}, urldate = {2019-12-20} } @online{lancaster:20190319:cardinal:b75240f, author = {Tom Lancaster and Josh Grunzweig}, title = {{Cardinal RAT Sins Again, Targets Israeli Fin-Tech Firms}}, date = {2019-03-19}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/cardinal-rat-sins-again-targets-israeli-fin-tech-firms/}, language = {English}, urldate = {2020-01-13} } @online{landesman:20130501:linuxcdorked:348acc3, author = {Mary Landesman}, title = {{Linux/CDorked FAQs}}, date = {2013-05-01}, organization = {Cisco}, url = {https://blogs.cisco.com/security/linuxcdorked-faqs}, language = {English}, urldate = {2020-01-09} } @online{landry:20160712:malware:c5d817c, author = {Joseph Landry and Udi Shamir}, title = {{Malware Discovered – SFG: Furtim Malware Analysis}}, date = {2016-07-12}, url = {https://sentinelone.com/blogs/sfg-furtims-parent/}, language = {English}, urldate = {2019-12-05} } @techreport{lanstein:2013:apts:2b30193, author = {Alex Lanstein}, title = {{APTs By The Dozen: Dissecting Advanced Attacks}}, date = {2013}, institution = {FireEye}, url = {https://web.archive.org/web/20130920120931/https:/www.rsaconference.com/writable/presentations/file_upload/cle-t04_final_v1.pdf}, language = {English}, urldate = {2020-08-14} } @online{lanstein:20140325:spear:762baf1, author = {Alex Lanstein and Ned Moran}, title = {{Spear Phishing the News Cycle: APT Actors Leverage Interest in the Disappearance of Malaysian Flight MH 370}}, date = {2014-03-25}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html}, language = {English}, urldate = {2019-12-20} } @online{largent:20180606:vpnfilter:157380d, author = {William Largent}, title = {{VPNFilter Update - VPNFilter exploits endpoints, targets new devices}}, date = {2018-06-06}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2018/06/vpnfilter-update.html?m=1}, language = {English}, urldate = {2019-12-10} } @online{larin:20181212:zeroday:4c8907e, author = {Boris Larin and Vladislav Stolyarov and Anton Ivanov}, title = {{Zero-day in Windows Kernel Transaction Manager (CVE-2018-8611)}}, date = {2018-12-12}, organization = {Kaspersky Labs}, url = {https://securelist.com/zero-day-in-windows-kernel-transaction-manager-cve-2018-8611/89253/}, language = {English}, urldate = {2019-12-20} } @online{larin:20200528:zeroday:e7fee04, author = {Boris Larin and Alexey Kulaev}, title = {{The zero-day exploits of Operation WizardOpium}}, date = {2020-05-28}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-zero-day-exploits-of-operation-wizardopium/97086/}, language = {English}, urldate = {2020-05-29} } @online{larin:20200624:magnitude:90a4a71, author = {Boris Larin}, title = {{Magnitude exploit kit - evolution}}, date = {2020-06-24}, organization = {Kaspersky Labs}, url = {https://securelist.com/magnitude-exploit-kit-evolution/97436/}, language = {English}, urldate = {2020-06-24} } @online{larin:20200812:internet:91fcf4e, author = {Boris Larin}, title = {{Internet Explorer and Windows zero-day exploits used in Operation PowerFall}}, date = {2020-08-12}, organization = {Kaspersky Labs}, url = {https://securelist.com/ie-and-windows-zero-day-operation-powerfall/97976/}, language = {English}, urldate = {2020-08-12} } @online{larin:20200902:operation:e5c12ad, author = {Boris Larin}, title = {{Operation PowerFall: CVE-2020-0986 and variants}}, date = {2020-09-02}, organization = {Kaspersky Labs}, url = {https://securelist.com/operation-powerfall-cve-2020-0986-and-variants/98329/}, language = {English}, urldate = {2020-09-03} } @online{larinier:20180716:sidewinder:cb05fe4, author = {Sébastien Larinier}, title = {{APT Sidewinder: Tricks powershell, Anti Forensics and execution side loading}}, date = {2018-07-16}, organization = {Medium Sebdraven}, url = {https://medium.com/@Sebdraven/apt-sidewinder-tricks-powershell-anti-forensics-and-execution-side-loading-5bc1a7e7c84c}, language = {English}, urldate = {2020-01-13} } @online{larinier:20180731:malicious:571d2df, author = {Sébastien Larinier}, title = {{Malicious document targets Vietnamese officials}}, date = {2018-07-31}, organization = {Medium Sebdraven}, url = {https://medium.com/@Sebdraven/malicious-document-targets-vietnamese-officials-acb3b9d8b80a?}, language = {English}, urldate = {2020-03-04} } @online{larinier:20180802:goblin:0aa8168, author = {Sébastien Larinier}, title = {{Goblin Panda against the Bears}}, date = {2018-08-02}, url = {https://medium.com/@Sebdraven/gobelin-panda-against-the-bears-1f462d00e3a4}, language = {English}, urldate = {2019-07-11} } @online{larinier:20180828:when:0389d90, author = {Sébastien Larinier}, title = {{When a malware is more complex than the paper}}, date = {2018-08-28}, organization = {Medium Sebdraven}, url = {https://medium.com/@Sebdraven/when-a-malware-is-more-complex-than-the-paper-5822fc7ff257}, language = {English}, urldate = {2020-01-13} } @online{larinier:20190202:unpacking:894335d, author = {Sébastien Larinier}, title = {{Unpacking Clop}}, date = {2019-02-02}, organization = {Medium Sebdraven}, url = {https://medium.com/@Sebdraven/unpacking-clop-416b83718e0f}, language = {English}, urldate = {2020-01-06} } @online{larinier:20190502:goblin:a0118b4, author = {Sébastien Larinier}, title = {{Goblin Panda continues to target Vietnam}}, date = {2019-05-02}, organization = {Medium Sebdraven}, url = {https://medium.com/@Sebdraven/goblin-panda-continues-to-target-vietnam-bc2f0f56dcd6}, language = {English}, urldate = {2019-10-23} } @online{larinier:20200207:40:9415c5c, author = {Sébastien Larinier}, title = {{APT 40 in Malaysia}}, date = {2020-02-07}, organization = {Medium Sebdraven}, url = {https://medium.com/@Sebdraven/apt-40-in-malaysia-61ed9c9642e9}, language = {English}, urldate = {2020-02-09} } @online{larinier:20200320:new:3da1211, author = {Sébastien Larinier}, title = {{New version of chinoxy backdoor using COVID19 alerts document lure}}, date = {2020-03-20}, organization = {Medium Sebdraven}, url = {https://medium.com/@Sebdraven/new-version-of-chinoxy-backdoor-using-covid19-document-lure-8