@online{037:20190320:apt38:4c7f1d4, author = {@037}, title = {{APT38 DYEPACK FRAMEWORK}}, date = {2019-03-20}, organization = {Github (649)}, url = {https://github.com/649/APT38-DYEPACK}, language = {English}, urldate = {2019-12-17} } @online{0verfl0w:20190115:analyzing:bf3b215, author = {0verfl0w\_}, title = {{Analyzing COMmunication in Malware}}, date = {2019-01-15}, organization = {0ffset Blog}, url = {https://0ffset.net/reverse-engineering/analyzing-com-mechanisms-in-malware/}, language = {English}, urldate = {2020-01-06} } @online{0verfl0w:20190205:revisiting:8e39d7e, author = {0verfl0w\_}, title = {{Revisiting Hancitor in Depth}}, date = {2019-02-05}, organization = {0ffset Blog}, url = {https://0ffset.net/reverse-engineering/malware-analysis/reversing-hancitor-again/}, language = {English}, urldate = {2020-01-06} } @online{0verfl0w:20190313:analysing:1f83706, author = {0verfl0w\_}, title = {{Analysing ISFB – The First Loader}}, date = {2019-03-13}, organization = {0ffset Blog}, url = {https://0ffset.net/reverse-engineering/malware-analysis/analysing-isfb-loader/}, language = {English}, urldate = {2020-01-10} } @online{0verfl0w:20190525:analyzing:84874ea, author = {0verfl0w\_}, title = {{Analyzing ISFB – The Second Loader}}, date = {2019-05-25}, organization = {0ffset Blog}, url = {https://0ffset.net/reverse-engineering/malware-analysis/analyzing-isfb-second-loader/}, language = {English}, urldate = {2020-01-13} } @online{0verfl0w:20190531:defeating:eb0994e, author = {0verfl0w\_}, title = {{Defeating Commercial and Custom Packers like a Pro - VMProtect, ASPack, PECompact, and more}}, date = {2019-05-31}, organization = {Youtube (0verfl0w\_)}, url = {https://www.youtube.com/watch?v=N4f2e8Mygag}, language = {English}, urldate = {2020-01-08} } @online{0verfl0w:20190708:analyzing:b984acf, author = {0verfl0w\_}, title = {{Analyzing KSL0T (Turla’s Keylogger), Part 2 – Reupload}}, date = {2019-07-08}, organization = {0ffset Blog}, url = 
{https://0ffset.net/reverse-engineering/malware-analysis/analyzing-turlas-keylogger-2/}, language = {English}, urldate = {2020-01-10} } @online{0verfl0w:20190708:analyzing:f246b28, author = {0verfl0w\_}, title = {{Analyzing KSL0T (Turla’s Keylogger), Part 1 – Reupload}}, date = {2019-07-08}, organization = {0ffset Blog}, url = {https://0ffset.net/reverse-engineering/malware-analysis/analyzing-turlas-keylogger-1/}, language = {English}, urldate = {2020-01-06} } @online{0verfl0w:20200607:dealing:b50665d, author = {0verfl0w\_}, title = {{Dealing with Obfuscated Macros, Statically - NanoCore}}, date = {2020-06-07}, organization = {Zero2Automated Blog}, url = {https://zero2auto.com/2020/06/07/dealing-with-obfuscated-macros/}, language = {English}, urldate = {2020-06-11} } @online{0x09al:20181020:dropboxc2c:bf05a34, author = {0x09AL}, title = {{DropboxC2C}}, date = {2018-10-20}, url = {https://github.com/0x09AL/DropboxC2C}, language = {English}, urldate = {2020-03-06} } @online{0x0:20191221:shamoon:eb1828b, author = {Myrtus 0x0}, title = {{Shamoon 2012 Complete Analysis}}, date = {2019-12-21}, organization = {MalwareInDepth}, url = {https://malwareindepth.com/shamoon-2012/}, language = {English}, urldate = {2020-01-12} } @online{0x0:20200404:nanocore:6649008, author = {Myrtus 0x0}, title = {{Nanocore \& CypherIT}}, date = {2020-04-04}, organization = {MalwareInDepth}, url = {https://malwareindepth.com/defeating-nanocore-and-cypherit/}, language = {English}, urldate = {2020-04-07} } @online{0xebfe:20130330:fooled:88d133a, author = {0xEBFE}, title = {{Fooled by Andromeda}}, date = {2013-03-30}, organization = {0xEBFE Blog about life}, url = {http://www.0xebfe.net/blog/2013/03/30/fooled-by-andromeda/}, language = {English}, urldate = {2019-07-27} } @online{0xffff0800:20181114:amadey:e362501, author = {0xffff0800}, title = {{Tweet on Amadey C2}}, date = {2018-11-14}, organization = {Twitter (@0xffff0800)}, url = {https://twitter.com/0xffff0800/status/1062948406266642432}, 
language = {English}, urldate = {2020-01-07} } @online{0xffff0800:20190222:pe:ea39c56, author = {0xffff0800}, title = {{Tweet on PE}}, date = {2019-02-22}, organization = {Twitter}, url = {https://twitter.com/i/web/status/1099147896950185985}, language = {English}, urldate = {2020-01-08} } @online{0xffff0800:20190302:opjerusalm:4743e08, author = {@0xffff0800}, title = {{Tweet on \#OpJerusalm Ransomware}}, date = {2019-03-02}, organization = {Twitter (@0xffff0800)}, url = {https://twitter.com/0xffff0800/status/1102078898320302080}, language = {English}, urldate = {2019-07-08} } @online{0xthreatintel:20201212:reversing:945a5b8, author = {0xthreatintel}, title = {{Reversing QakBot [ TLP: White]}}, date = {2020-12-12}, organization = {Medium 0xthreatintel}, url = {https://0xthreatintel.medium.com/reversing-qakbot-tlp-white-d1b8b37ad8e7}, language = {English}, urldate = {2020-12-14} } @online{0xthreatintel:20201215:reversing:eddc936, author = {0xthreatintel}, title = {{Reversing Conti Ransomware}}, date = {2020-12-15}, organization = {Medium 0xthreatintel}, url = {https://0xthreatintel.medium.com/reversing-conti-ransomware-bfce15019e74}, language = {English}, urldate = {2020-12-15} } @online{1d8:20200713:remcos:531702d, author = {1d8}, title = {{Remcos RAT Macro Dropper Doc}}, date = {2020-07-13}, organization = {Github (1d8)}, url = {https://github.com/1d8/analyses/blob/master/RemcosDocDropper.MD}, language = {English}, urldate = {2020-07-16} } @online{20140313:20140313:energy:8736af5, author = {2014-03-13}, title = {{Energy Watering Hole Attack Used LightsOut Exploit Kit}}, date = {2014-03-13}, organization = {Threatpost}, url = {https://threatpost.com/energy-watering-hole-attack-used-lightsout-exploit-kit/104772/}, language = {English}, urldate = {2020-01-08} } @online{360:20180712:blue:ca92dea, author = {360}, title = {{Blue Pork Mushroom (APT-C-12) targeted attack technical details revealed}}, date = {2018-07-12}, organization = {360 Threat Intelligence}, url = 
{https://mp.weixin.qq.com/s/S-hiGFNC6WXGrkjytAVbpA}, language = {Chinese}, urldate = {2020-04-06} } @online{360:20180921:poison:d1cab92, author = {Qihoo 360}, title = {{Poison Ivy Group and the Cyberespionage Campaign Against Chinese Military and Goverment}}, date = {2018-09-21}, organization = {Qihoo 360 Technology}, url = {http://blogs.360.cn/post/APT_C_01_en.html}, language = {English}, urldate = {2019-11-29} } @online{360:20181205:operation:65a4907, author = {360}, title = {{Operation Poison Needles - APT Group Attacked the Polyclinic of the Presidential Administration of Russia, Exploiting a Zero-day}}, date = {2018-12-05}, organization = {360}, url = {http://blogs.360.cn/post/PoisonNeedles_CVE-2018-15982_EN}, language = {English}, urldate = {2020-01-06} } @online{360:20190228:urlzone:e1814da, author = {360威胁情报中心}, title = {{URLZone: Analysis of Suspected Attacks Against Japanese Hi-Tech Enterprise Employees}}, date = {2019-02-28}, organization = {Weixin}, url = {https://mp.weixin.qq.com/s/NRytT94ne5gKN31CSLq6GA}, language = {Chinese}, urldate = {2019-11-27} } @online{360:20200302:cia:d88b9c9, author = {Qihoo 360}, title = {{The CIA Hacking Group (APT-C-39) Conducts Cyber-Espionage Operation on China's Critical Industries for 11 Years}}, date = {2020-03-02}, organization = {Qihoo 360 Technology}, url = {http://blogs.360.cn/post/APT-C-39_CIA_EN.html}, language = {English}, urldate = {2020-03-03} } @online{360:20200406:darkhotel:78f0a7f, author = {Qihoo 360}, title = {{The DarkHotel (APT-C-06) Attacked Chinese Institutions Abroad via Exploiting SangFor VPN Vulnerability}}, date = {2020-04-06}, organization = {360.cn}, url = {https://blogs.360.cn/post/APT_Darkhotel_attacks_during_coronavirus_pandemic.html}, language = {English}, urldate = {2020-04-07} } @online{360:20200828:sneak:bc0fea4, author = {360威胁情报中心}, title = {{The "sneak camera" in mobile pornography software}}, date = {2020-08-28}, organization = {360 Core Security}, url = 
{https://blogs.360.cn/post/shou-ji-se-qing-ruan-jian-zhong-de-tou-pai-zhe.html}, language = {English}, urldate = {2020-09-06} } @online{360:20201026:aptc44:a336bf6, author = {360}, title = {{北非狐(APT-C-44)攻击活动揭露}}, date = {2020-10-26}, organization = {360 Core Security}, url = {https://blogs.360.cn/post/APT-C-44.html}, language = {Chinese}, urldate = {2020-11-09} } @online{360:20201030:aptc35:0c53f1a, author = {360}, title = {{肚脑虫组织( APT-C-35)疑似针对巴基斯坦军事人员的最新攻击活动}}, date = {2020-10-30}, organization = {360 Core Security}, url = {https://blogs.360.cn/post/APT-C-35_target_at_armed_forces_in_Pakistan.html}, language = {Chinese}, urldate = {2020-11-02} } @online{360:20201204:domestic:4c457ee, author = {360}, title = {{Domestic Kitten组织(APT-C-50)针对中东地区反政府群体的监控活动}}, date = {2020-12-04}, organization = {360 Core Security}, url = {https://blogs.360.cn/post/APT-C-50.html}, language = {Chinese}, urldate = {2020-12-17} } @online{360quake:20201218:solarwinds:1b22539, author = {360Quake}, title = {{SolarWinds失陷服务器测绘分析报告}}, date = {2020-12-18}, organization = {360Quake}, url = {https://www.anquanke.com/post/id/226029}, language = {Chinese}, urldate = {2020-12-23} } @online{3xp0rt:20200405:lets:fb49d9f, author = {3xp0rt}, title = {{Let's check: Sorano Stealer}}, date = {2020-04-05}, url = {https://3xp0rt.xyz/lpmkikVic}, language = {English}, urldate = {2020-05-20} } @online{3xp0rt:20200407:decompiled:83e10aa, author = {3xp0rt}, title = {{Decompiled SoranoStealer}}, date = {2020-04-07}, organization = {Github (3xp0rt)}, url = {https://github.com/3xp0rt/SoranoStealer}, language = {English}, urldate = {2020-05-20} } @online{3xp0rt:20200624:new:6b725c2, author = {3xp0rt}, title = {{Tweet on new version of TaurusStealer (v1.4)}}, date = {2020-06-24}, organization = {Twitter (@3xp0rtblog)}, url = {https://twitter.com/3xp0rtblog/status/1275746149719252992}, language = {English}, urldate = {2020-06-24} } @online{3xp0rt:20200814:osiris:5de6596, author = {3xp0rt}, title = {{Tweet on 
Osiris}}, date = {2020-08-14}, organization = {Twitter (@3xp0rtblog)}, url = {https://twitter.com/3xp0rtblog/status/1294157781415743488}, language = {English}, urldate = {2020-08-18} } @online{3xp0rt:20200906:of:b1e77c3, author = {3xp0rt}, title = {{Tweet and description of NixScare Stealer}}, date = {2020-09-06}, organization = {Twitter (@3xp0rtblog)}, url = {https://twitter.com/3xp0rtblog/status/1302584919592501248}, language = {English}, urldate = {2020-09-15} } @online{3xp0rt:20201027:fickerstealer:b890340, author = {3xp0rt}, title = {{Tweet on FickerStealer}}, date = {2020-10-27}, organization = {Twitter (@3xp0rtblog)}, url = {https://twitter.com/3xp0rtblog/status/1321209656774135810}, language = {English}, urldate = {2020-12-03} } @online{3xp0rt:20201106:hunter:90ca7c9, author = {3xp0rt}, title = {{Tweet on Hunter Stealer}}, date = {2020-11-06}, organization = {Twitter (@3xp0rtblog)}, url = {https://twitter.com/3xp0rtblog/status/1324800226381758471}, language = {English}, urldate = {2020-11-12} } @online{3xp0rt:20201126:xenon:83af8c2, author = {3xp0rt}, title = {{Tweet on Xenon Stealer}}, date = {2020-11-26}, organization = {Twitter (@3xp0rtblog)}, url = {https://twitter.com/3xp0rtblog/status/1331974232192987142}, language = {English}, urldate = {2020-12-03} } @online{3xp0rt:20201230:alfonso:d99501e, author = {3xp0rt}, title = {{Tweet on Alfonso Stealer}}, date = {2020-12-30}, organization = {Twitter (@3xp0rtblog)}, url = {https://twitter.com/3xp0rtblog/status/1344352253294104576}, language = {English}, urldate = {2021-01-11} } @online{42:20171027:tracking:bde654e, author = {Unit 42}, title = {{Tracking Subaat: Targeted Phishing Attack Leads to Threat Actor’s Repository}}, date = {2017-10-27}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/10/unit42-tracking-subaat-targeted-phishing-attacks-point-leader-threat-actors-repository/}, language = {English}, urldate = {2019-12-20} } 
@online{42:20190222:new:7bda906, author = {Unit 42}, title = {{New BabyShark Malware Targets U.S. National Security Think Tanks}}, date = {2019-02-22}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/}, language = {English}, urldate = {2020-01-07} } @online{42:20190312:operation:3610bc8, author = {Unit 42}, title = {{Operation Comando: How to Run a Cheap and Effective Credit Card Business}}, date = {2019-03-12}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/operation-comando-or-how-to-run-a-cheap-and-effective-credit-card-business/}, language = {English}, urldate = {2019-10-23} } @online{42:20191202:imminent:462e901, author = {Unit 42}, title = {{Imminent Monitor – a RAT Down Under}}, date = {2019-12-02}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/imminent-monitor-a-rat-down-under/}, language = {English}, urldate = {2020-01-06} } @online{42:20201214:threat:032b92d, author = {Unit 42}, title = {{Threat Brief: SolarStorm and SUNBURST Customer Coverage}}, date = {2020-12-14}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/}, language = {English}, urldate = {2020-12-15} } @online{42:20201223:timeline:466b51a, author = {Unit 42}, title = {{A Timeline Perspective of the SolarStorm Supply-Chain Attack}}, date = {2020-12-23}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/solarstorm-supply-chain-attack-timeline}, language = {English}, urldate = {2020-12-26} } @online{471:20200331:revil:0e5226a, author = {Intel 471}, title = {{REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation}}, date = {2020-03-31}, organization = {Intel 471}, url = {https://blog.intel471.com/2020/03/31/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/}, 
language = {English}, urldate = {2020-04-01} } @online{471:20200414:understanding:ca95961, author = {Intel 471}, title = {{Understanding the relationship between Emotet, Ryuk and TrickBot}}, date = {2020-04-14}, organization = {Intel 471}, url = {https://blog.intel471.com/2020/04/14/understanding-the-relationship-between-emotet-ryuk-and-trickbot/}, language = {English}, urldate = {2020-04-26} } @online{471:20200521:brief:048d164, author = {Intel 471}, title = {{A brief history of TA505}}, date = {2020-05-21}, organization = {Intel 471}, url = {https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/}, language = {English}, urldate = {2020-05-23} } @online{471:20200708:irans:0bc8398, author = {Intel 471}, title = {{Iran’s domestic espionage: Lessons from recent data leaks}}, date = {2020-07-08}, organization = {Intel 471}, url = {https://blog.intel471.com/2020/07/08/irans-domestic-espionage-lessons-from-recent-data-leaks/}, language = {English}, urldate = {2020-07-11} } @online{471:20200715:flowspec:683a5a1, author = {Intel 471}, title = {{Flowspec – TA505’s bulletproof hoster of choice}}, date = {2020-07-15}, organization = {Intel 471}, url = {https://blog.intel471.com/2020/07/15/flowspec-ta505s-bulletproof-hoster-of-choice/}, language = {English}, urldate = {2020-07-16} } @online{471:20200812:prioritizing:83e5896, author = {Intel 471}, title = {{Prioritizing “critical” vulnerabilities: A threat intelligence perspective}}, date = {2020-08-12}, organization = {Intel 471}, url = {https://blog.intel471.com/2020/08/12/prioritizing-critical-vulnerabilities-a-threat-intelligence-perspective/}, language = {English}, urldate = {2020-08-14} } @online{471:20200916:partners:c65839f, author = {Intel 471}, title = {{Partners in crime: North Koreans and elite Russian-speaking cybercriminals}}, date = {2020-09-16}, organization = {Intel 471}, url = {https://public.intel471.com/blog/partners-in-crime-north-koreans-and-elite-russian-speaking-cybercriminals/}, language = 
{English}, urldate = {2020-09-23} } @online{471:20201015:that:2d4b495, author = {Intel 471}, title = {{That was quick: Trickbot is back after disruption attempts}}, date = {2020-10-15}, organization = {Intel 471}, url = {https://public.intel471.com/blog/trickbot-online-emotet-microsoft-cyber-command-disruption-attempts/}, language = {English}, urldate = {2020-10-15} } @online{471:20201020:global:570e26f, author = {Intel 471}, title = {{Global Trickbot disruption operation shows promise}}, date = {2020-10-20}, organization = {Intel 471}, url = {https://public.intel471.com/blog/global-trickbot-disruption-operation-shows-promise/}, language = {English}, urldate = {2020-10-21} } @online{471:20201028:alleged:46a2bb1, author = {Intel 471}, title = {{Alleged REvil member spills details on group’s ransomware operations}}, date = {2020-10-28}, organization = {Intel 471}, url = {https://public.intel471.com/blog/revil-ransomware-interview-russian-osint-100-million/}, language = {English}, urldate = {2020-11-02} } @online{471:20201110:trickbot:5db76db, author = {Intel 471}, title = {{Trickbot down, but is it out?}}, date = {2020-11-10}, organization = {Intel 471}, url = {https://public.intel471.com/blog/trickbot-update-november-2020-bazar-loader-microsoft/}, language = {English}, urldate = {2020-11-11} } @online{471:20201116:ransomwareasaservice:11a5a8b, author = {Intel 471}, title = {{Ransomware-as-a-service: The pandemic within a pandemic}}, date = {2020-11-16}, organization = {Intel 471}, url = {https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/}, language = {English}, urldate = {2020-11-17} } @online{471:20201123:heres:1435e96, author = {Intel 471}, title = {{Here’s what happens after a business gets hit with ransomware}}, date = {2020-11-23}, organization = {Intel 471}, url = {https://intel471.com/blog/how-to-recover-from-a-ransomware-attack/}, language = {English}, urldate = {2020-12-17} } 
@online{471:20201201:steal:db9aadd, author = {Intel 471}, title = {{Steal, then strike: Access merchants are first clues to future ransomware attacks}}, date = {2020-12-01}, organization = {Intel 471}, url = {https://intel471.com/blog/ransomware-attack-access-merchants-infostealer-escrow-service/}, language = {English}, urldate = {2020-12-17} } @online{471:20201210:no:9fd2ae1, author = {Intel 471}, title = {{No pandas, just people: The current state of China’s cybercrime underground}}, date = {2020-12-10}, organization = {Intel 471}, url = {https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/}, language = {English}, urldate = {2020-12-10} } @online{471:20201216:intel471s:f245d05, author = {Intel 471}, title = {{Intel471's full statement on their knowledge of SolarWinds and the cybercriminal underground}}, date = {2020-12-16}, organization = {Intel 471}, url = {https://twitter.com/Intel471Inc/status/1339233255741120513}, language = {English}, urldate = {2020-12-17} } @online{471:20201218:ta505s:8fb97af, author = {Intel 471}, title = {{TA505’s modified loader means new attack campaign could be coming}}, date = {2020-12-18}, organization = {Intel 471}, url = {https://intel471.com/blog/ta505-get2-loader-malware-december-2020/}, language = {English}, urldate = {2020-12-19} } @online{51ddh4r7h4:20180820:advanced:9eb6e5c, author = {51ddh4r7h4}, title = {{Advanced Brazilian Malware Analysis}}, date = {2018-08-20}, organization = {ReversingMinds' Blog}, url = {http://reversingminds-blog.logdown.com/posts/7807545-analysis-of-advanced-brazilian-banker-malware}, language = {English}, urldate = {2020-01-13} } @online{5loyd:20171103:trochilus:964b44c, author = {5loyd}, title = {{Trochilus}}, date = {2017-11-03}, organization = {Github (5loyd)}, url = {https://github.com/5loyd/trochilus/}, language = {English}, urldate = {2020-01-08} } @online{9b:20180627:latest:5770e87, author = {9b}, title = {{Latest observed JS payload used for APT32 
profiling}}, date = {2018-06-27}, organization = {Github (9b)}, url = {https://gist.github.com/9b/141a5c7ab8b4280901722e2cd931b7ef}, language = {English}, urldate = {2020-01-09} } @online{:2010:trojandownloaderw32chyminea:30597d8, author = {_}, title = {{Trojan-Downloader:W32/Chymine.A}}, date = {2010}, organization = {F-Secure}, url = {https://www.f-secure.com/v-descs/trojan-downloader_w32_chymine_a.shtml}, language = {English}, urldate = {2019-09-22} } @online{:20130203:forum:e9bf784, author = {小男孩}, title = {{Forum Post: GetPwd\_K8 one-click to get the plain text password of the system login user based on French ...}}, date = {2013-02-03}, url = {https://ihonker.org/thread-1504-1-1.html}, language = {Chinese}, urldate = {2020-01-23} } @online{:20131217:bebloh:dcd1f5f, author = {}, title = {{Bebloh – a well-known banking Trojan with noteworthy innovations}}, date = {2013-12-17}, organization = {Gdata}, url = {https://www.gdatasoftware.com/blog/2013/12/23978-bebloh-a-well-known-banking-trojan-with-noteworthy-innovations}, language = {English}, urldate = {2019-10-28} } @online{:20141022:cryakl:aaecc86, author = {Артём Семенченко and Федор Синицын and Татьяна Куликова}, title = {{Шифровальщик Cryakl или Фантомас разбушевался}}, date = {2014-10-22}, organization = {Kaspersky Labs}, url = {https://securelist.ru/shifrovalshhik-cryakl-ili-fantomas-razbushevalsya/24070/}, language = {Russian}, urldate = {2019-12-16} } @techreport{:20170225:silent:5a11e12, author = {Kyoung-Ju Kwak (郭炅周)}, title = {{Silent RIFLE: Response Against Advanced Threat}}, date = {2017-02-25}, institution = {Financial Security Institute}, url = {https://hackcon.org/uploads/327/05%20-%20Kwak.pdf}, language = {English}, urldate = {2020-03-04} } @online{:20180602:hidden:674cfb9, author = {安全豹}, title = {{"Hidden Bee" strikes: Kingsoft Internet Security intercepts the world's first bootkit-level mining botnet (Part 1)}}, date = {2018-06-02}, organization = {Freebuf}, url = 
{https://www.freebuf.com/column/174581.html}, language = {Chinese}, urldate = {2020-01-13} } @online{:20180726:analysis:66722b6, author = {奇安信威胁情报中心 | 事件追踪}, title = {{Analysis of the latest attack activities of APT-C-35}}, date = {2018-07-26}, url = {https://ti.360.net/blog/articles/latest-activity-of-apt-c-35/}, language = {Chinese}, urldate = {2020-01-08} } @online{:20181005:post:4890d7d, author = {_}, title = {{Post 0x17.2: Analyzing Turla’s Keylogger}}, date = {2018-10-05}, url = {https://0ffset.wordpress.com/2018/10/05/post-0x17-2-turla-keylogger/}, language = {English}, urldate = {2019-07-27} } @online{:20181225:bittertapt17:faf6bde, author = {腾讯电脑管家}, title = {{BITTER/T-APT-17 reports on the latest attacks on sensitive agencies such as military, nuclear, and government agencies in China}}, date = {2018-12-25}, organization = {Tencent}, url = {https://www.freebuf.com/articles/database/192726.html}, language = {Chinese}, urldate = {2020-03-02} } @online{:20190124:excel:2dd401c, author = {事件追踪}, title = {{Excel 4.0 Macro Utilized by TA505 to Target Financial Institutions Recently}}, date = {2019-01-24}, organization = {奇安信威胁情报中心}, url = {https://ti.360.net/blog/articles/excel-4.0-macro-utilized-by-ta505-to-target-financial-institutions-recently-en/}, language = {English}, urldate = {2019-12-02} } @online{:20190214:suspected:25adc45, author = {奇安信威胁情报中心}, title = {{Suspected Molerats New Attack in the Middle East}}, date = {2019-02-14}, organization = {360.cn}, url = {https://ti.360.net/blog/articles/suspected-molerats-new-attack-in-the-middle-east/}, language = {Chinese}, urldate = {2019-10-12} } @online{:20190214:suspected:5df65f1, author = {事件追踪}, title = {{Suspected Molerats' New Attack in the Middle East}}, date = {2019-02-14}, organization = {奇安信威胁情报中心}, url = {https://ti.360.net/blog/articles/suspected-molerats-new-attack-in-the-middle-east-en/}, language = {English}, urldate = {2020-01-07} } @online{:20190306:taidoor:651efa6, author = {NTT セキュリティ and 
ジャパン株式会社}, title = {{Taidoor を用いた標的型攻撃}}, date = {2019-03-06}, organization = {Unit CANARY}, url = {https://www.nttsecurity.com/docs/librariesprovider3/resources/taidoor%E3%82%92%E7%94%A8%E3%81%84%E3%81%9F%E6%A8%99%E7%9A%84%E5%9E%8B%E6%94%BB%E6%92%83%E8%A7%A3%E6%9E%90%E3%83%AC%E3%83%9D%E3%83%BC%E3%83%88_v1}, language = {English}, urldate = {2020-01-13} } @online{:20190319:aptc27:6ab4857, author = {奇安信威胁情报中心}, title = {{APT-C-27 (Goldmouse): Suspected Target Attack against the Middle East with WinRAR Exploit}}, date = {2019-03-19}, url = {https://ti.360.net/blog/articles/apt-c-27-(goldmouse):-suspected-target-attack-against-the-middle-east-with-winrar-exploit-en/}, language = {English}, urldate = {2019-10-26} } @online{:20190813::eae3d10, author = {奇安信威胁情报中心}, title = {{洞察人性:一起利用政治人物桃色丑闻的诱饵攻击活动披露}}, date = {2019-08-13}, url = {https://wemp.app/posts/80ab2b2d-4e0e-4960-94b7-4d452a06fd38?utm_source=latest-posts}, language = {Chinese}, urldate = {2020-01-13} } @online{:20200723::adadd32, author = {AhnLab ASEC 분석팀}, title = {{국내 인터넷 커뮤니티 사이트에서 악성코드 유포 (유틸리티 위장)}}, date = {2020-07-23}, organization = {AhnLab}, url = {https://asec.ahnlab.com/1360}, language = {Korean}, urldate = {2020-07-30} } @online{:20200816:wastedlocker:4210f22, author = {谷川哲司}, title = {{WastedLocker IoC collection}}, date = {2020-08-16}, organization = {Hatena Blog}, url = {https://ioc.hatenablog.com/entry/2020/08/16/132853}, language = {Japanese}, urldate = {2020-10-02} } @online{:20200819:njrat:a8e3234, author = {AhnLab ASEC 분석팀}, title = {{국내 유명 웹하드를 통해 유포되는 njRAT 악성코드}}, date = {2020-08-19}, organization = {AhnLab}, url = {https://asec.ahnlab.com/1369}, language = {Korean}, urldate = {2020-08-25} } @online{a:2016:cyber:140f384, author = {Monnappa K A}, title = {{CYBER ATTACK IMPERSONATING IDENTITY OF INDIAN THINK TANK TO TARGET CENTRAL BUREAU OF INVESTIGATION (CBI) AND POSSIBLY INDIAN ARMY OFFICIALS}}, date = {2016}, organization = {Cysinfo}, url = 
{https://cysinfo.com/cyber-attack-targeting-cbi-and-possibly-indian-army-officials}, language = {English}, urldate = {2020-01-07} } @online{a:20180910:turla:c92b687, author = {Monnappa K A}, title = {{turla gazer backdoor code injection \& winlogon shell persistence}}, date = {2018-09-10}, organization = {Youtube (Monnappa K A)}, url = {https://www.youtube.com/watch?v=Pvzhtjl86wc}, language = {English}, urldate = {2020-01-13} } @online{a:20190513:chacha:840508a, author = {Amigo A}, title = {{ChaCha Ransomware}}, date = {2019-05-13}, url = {https://id-ransomware.blogspot.com/2019/05/chacha-ransomware.html}, language = {Russian}, urldate = {2019-12-02} } @online{a:20200411:rhino:c3d7b04, author = {Amigo A}, title = {{Rhino Ransomware}}, date = {2020-04-11}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/04/rhino-ransomware.html}, language = {Russian}, urldate = {2020-05-18} } @online{a:20201016:geofenced:8c31198, author = {Cassandra A. and Proofpoint Threat Research Team}, title = {{Geofenced Amazon Japan Credential Phishing Volumes Rival Emotet}}, date = {2020-10-16}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/geofenced-amazon-japan-credential-phishing-volumes-rival-emotet}, language = {English}, urldate = {2020-10-23} } @online{abbasi:20180716:danabot:08d5942, author = {Fahim Abbasi}, title = {{DanaBot Riding Fake MYOB Invoice Emails}}, date = {2018-07-16}, organization = {SpiderLabs Blog}, url = {https://www.trustwave.com/Resources/SpiderLabs-Blog/DanaBot-Riding-Fake-MYOB-Invoice-Emails/}, language = {English}, urldate = {2020-01-10} } @online{abbati:20161108:analysis:374eea4, author = {Arnaud Abbati}, title = {{Analysis of IOS.GUIINJECT Adware Library}}, date = {2016-11-08}, organization = {SentinelOne}, url = {https://sentinelone.com/blogs/analysis-ios-guiinject-adware-library/}, language = {English}, urldate = {2020-01-08} } @online{abbati:20170823:cs:1ecb9bb, author = {Arnaud Abbati}, 
title = {{CS: Go Hacks for Mac – OSX.Pwnet.A}}, date = {2017-08-23}, organization = {SentinelOne}, url = {https://sentinelone.com/blog/osx-pwnet-a-csgo-hack-and-sneaky-miner/}, language = {English}, urldate = {2019-08-07} } @online{abbati:20171128:osxcpumeaner:23f69f0, author = {Arnaud Abbati}, title = {{OSX.CPUMEANER: New Cryptocurrency Mining Trojan Targets MacOS}}, date = {2017-11-28}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/osx-cpumeaner-miner-trojan-software-pirates/}, language = {English}, urldate = {2019-12-05} } @online{abel:20180720:malware:62e1c9e, author = {Robert Abel}, title = {{Malware author ‘Anarchy’ builds 18,000-strong Huawei router botnet}}, date = {2018-07-20}, url = {https://www.scmagazine.com/malware-author-anarchy-builds-18000-strong-huawei-router-botnet/article/782395/}, language = {English}, urldate = {2019-11-27} } @online{abrams:20160214:padcrypt:626523d, author = {Lawrence Abrams}, title = {{PadCrypt: The first ransomware with Live Support Chat and an Uninstaller}}, date = {2016-02-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/padcrypt-the-first-ransomware-with-live-support-chat-and-an-uninstaller/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20160408:cryptohost:d0f5780, author = {Lawrence Abrams}, title = {{CryptoHost Decrypted: Locks files in a password protected RAR File}}, date = {2016-04-08}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/cryptohost-decrypted-locks-files-in-a-password-protected-rar-file/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20160722:stampado:207584f, author = {Lawrence Abrams}, title = {{Stampado Ransomware campaign decrypted before it Started}}, date = {2016-07-22}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/stampado-ransomware-campaign-decrypted-before-it-started/}, language = {English}, urldate = 
{2019-12-20} } @online{abrams:20160908:philadelphia:18b2e18, author = {Lawrence Abrams}, title = {{The Philadelphia Ransomware offers a Mercy Button for Compassionate Criminals}}, date = {2016-09-08}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/the-philadelphia-ransomware-offers-a-mercy-button-for-compassionate-criminals/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20160928:introducing:f09b941, author = {Lawrence Abrams}, title = {{Introducing Her Royal Highness, the Princess Locker Ransomware}}, date = {2016-09-28}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/introducing-her-royal-highness-the-princess-locker-ransomware/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20160930:hacked:760d56c, author = {Lawrence Abrams}, title = {{Hacked Steam accounts spreading Remote Access Trojan}}, date = {2016-09-30}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/hacked-steam-accounts-spreading-remote-access-trojan/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20161027:indev:79b8937, author = {Lawrence Abrams}, title = {{In-Dev Ransomware forces you do to Survey before unlocking Computer}}, date = {2016-10-27}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20161115:cryptoluck:19599ea, author = {Lawrence Abrams}, title = {{CryptoLuck Ransomware being Malvertised via RIG-E Exploit Kits}}, date = {2016-11-15}, organization = {Bleeping Computer}, url = {http://www.bleepingcomputer.com/news/security/cryptoluck-ransomware-being-malvertised-via-rig-e-exploit-kits/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20170119:new:b020afc, author = {Lawrence Abrams}, title = {{New Satan Ransomware available 
through a Ransomware as a Service.}}, date = {2017-01-19}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-satan-ransomware-available-through-a-ransomware-as-a-service-/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20170207:erebus:2328bb9, author = {Lawrence Abrams}, title = {{Erebus Ransomware Utilizes a UAC Bypass and Request a \$90 Ransom Payment}}, date = {2017-02-07}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/erebus-ransomware-utilizes-a-uac-bypass-and-request-a-90-ransom-payment/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20170315:revenge:b047d2f, author = {Lawrence Abrams}, title = {{Revenge Ransomware, a CryptoMix Variant, Being Distributed by RIG Exploit Kit}}, date = {2017-03-15}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/revenge-ransomware-a-cryptomix-variant-being-distributed-by-rig-exploit-kit/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20170816:locky:7445bd0, author = {Lawrence Abrams}, title = {{Locky Ransomware switches to the Lukitus extension for Encrypted Files}}, date = {2017-08-16}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/locky-ransomware-switches-to-the-lukitus-extension-for-encrypted-files/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20170816:synccrypt:c8d0c48, author = {Lawrence Abrams}, title = {{SyncCrypt Ransomware Hides Inside JPG Files, Appends .KK Extension}}, date = {2017-08-16}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/synccrypt-ransomware-hides-inside-jpg-files-appends-kk-extension/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20170825:new:a2d73b9, author = {Lawrence Abrams}, title = {{New Arena Crysis Ransomware Variant Released}}, date = {2017-08-25}, organization = {Bleeping Computer}, url = 
{https://www.bleepingcomputer.com/news/security/new-arena-crysis-ransomware-variant-released/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20170828:new:4c237c7, author = {Lawrence Abrams}, title = {{New Nuclear BTCWare Ransomware Released (Updated)}}, date = {2017-08-28}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-nuclear-btcware-ransomware-released-updated/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20171031:oni:b366161, author = {Lawrence Abrams}, title = {{ONI Ransomware Used in Month-Long Attacks Against Japanese Companies}}, date = {2017-10-31}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/oni-ransomware-used-in-month-long-attacks-against-japanese-companies/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20171213:work:d439b4b, author = {Lawrence Abrams}, title = {{WORK Cryptomix Ransomware Variant Released}}, date = {2017-12-13}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/work-cryptomix-ransomware-variant-released/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20171222:new:eadbe96, author = {Lawrence Abrams}, title = {{New .DOC GlobeImposter Ransomware Variant Malspam Campaign Underway}}, date = {2017-12-22}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-doc-globeimposter-ransomware-variant-malspam-campaign-underway/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20180121:evrial:5df289b, author = {Lawrence Abrams}, title = {{Evrial Trojan Switches Bitcoin Addresses Copied to Windows Clipboard}}, date = {2018-01-21}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/evrial-trojan-switches-bitcoin-addresses-copied-to-windows-clipboard/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20180126:velso:4b06608, author = {Lawrence 
Abrams}, title = {{The Velso Ransomware Being Manually Installed by Attackers}}, date = {2018-01-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/the-velso-ransomware-being-manually-installed-by-attackers/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20180129:gandcrab:9e003f9, author = {Lawrence Abrams}, title = {{GandCrab Ransomware Distributed by Exploit Kits, Appends GDCB Extension}}, date = {2018-01-29}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-distributed-by-exploit-kits-appends-gdcb-extension/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20180208:gandcrab:40fb494, author = {Lawrence Abrams}, title = {{GandCrab Ransomware Being Distributed Via Malspam Disguised as Receipts}}, date = {2018-02-08}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20180209:black:85fdc3c, author = {Lawrence Abrams}, title = {{Black Ruby Ransomware Skips Victims in Iran and Adds a Miner for Good Measure}}, date = {2018-02-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/black-ruby-ransomware-skips-victims-in-iran-and-adds-a-miner-for-good-measure/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20180209:dexcrypt:a7d1f62, author = {Lawrence Abrams}, title = {{DexCrypt MBRLocker Demands 30 Yuan To Gain Access to Computer}}, date = {2018-02-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/dexcrypt-mbrlocker-demands-30-yuan-to-gain-access-to-computer/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20180226:thanatos:546a986, author = {Lawrence Abrams}, title = {{Thanatos Ransomware Is First to Use Bitcoin Cash. 
Messes Up Encryption}}, date = {2018-02-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/thanatos-ransomware-is-first-to-use-bitcoin-cash-messes-up-encryption/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20180323:avcrypt:edb1b07, author = {Lawrence Abrams}, title = {{The AVCrypt Ransomware Tries To Uninstall Your AV Software}}, date = {2018-03-23}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/the-avcrypt-ransomware-tries-to-uninstall-your-av-software/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20180514:stalinlocker:5c9f91e, author = {Lawrence Abrams}, title = {{StalinLocker Deletes Your Files Unless You Enter the Right Code}}, date = {2018-05-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/stalinlocker-deletes-your-files-unless-you-enter-the-right-code/}, language = {English}, urldate = {2020-03-02} } @online{abrams:20180626:thanatos:bbe20fc, author = {Lawrence Abrams}, title = {{Thanatos Ransomware Decryptor Released by the Cisco Talos Group}}, date = {2018-06-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/thanatos-ransomware-decryptor-released-by-the-cisco-talos-group/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20180912:feedify:7beba8a, author = {Lawrence Abrams}, title = {{Feedify Hacked with Magecart Information Stealing Script}}, date = {2018-09-12}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/feedify-hacked-with-magecart-information-stealing-script/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20180914:kraken:643744c, author = {Lawrence Abrams}, title = {{Kraken Cryptor Ransomware Masquerading as SuperAntiSpyware Security Program}}, date = {2018-09-14}, organization = {Bleeping Computer}, url = 
{https://www.bleepingcomputer.com/news/security/kraken-cryptor-ransomware-masquerading-as-superantispyware-security-program/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20181001:roaming:3a9e1c5, author = {Lawrence Abrams}, title = {{Roaming Mantis Group Testing Coinhive Miner Redirects on iPhones}}, date = {2018-10-01}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/roaming-mantis-group-testing-coinhive-miner-redirects-on-iphones/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20181113:hookads:ef89e4e, author = {Lawrence Abrams}, title = {{HookAds Malvertising Installing Malware via the Fallout Exploit Kit}}, date = {2018-11-13}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/hookads-malvertising-installing-malware-via-the-fallout-exploit-kit/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20181119:visiondirect:6c2560e, author = {Lawrence Abrams}, title = {{VisionDirect Data Breach Caused by MageCart Attack}}, date = {2018-11-19}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/visiondirect-data-breach-caused-by-magecart-attack/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20190104:how:8932d09, author = {Lawrence Abrams}, title = {{How to Decrypt the Aurora Ransomware with AuroraDecrypter}}, date = {2019-01-04}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/ransomware/decryptor/how-to-decrypt-the-aurora-ransomware-with-auroradecrypter/}, language = {English}, urldate = {2019-12-17} } @online{abrams:20190115:djvu:a8b1d06, author = {Lawrence Abrams}, title = {{Djvu Ransomware Spreading New .TRO Variant Through Cracks \& Adware Bundles}}, date = {2019-01-15}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/djvu-ransomware-spreading-new-tro-variant-through-cracks-and-adware-bundles/}, language = 
{English}, urldate = {2019-12-20} } @online{abrams:20190117:blackrouter:2e83ebf, author = {Lawrence Abrams}, title = {{BlackRouter Ransomware Promoted as a RaaS by Iranian Developer}}, date = {2019-01-17}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/blackrouter-ransomware-promoted-as-a-raas-by-iranian-developer/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20190305:cryptomix:33e7eac, author = {Lawrence Abrams}, title = {{CryptoMix Clop Ransomware Says It's Targeting Networks, Not Computers}}, date = {2019-03-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/cryptomix-clop-ransomware-says-its-targeting-networks-not-computers/}, language = {English}, urldate = {2020-01-13} } @online{abrams:20190426:closer:ba13483, author = {Lawrence Abrams}, title = {{A Closer Look at the RobbinHood Ransomware}}, date = {2019-04-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/a-closer-look-at-the-robbinhood-ransomware/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20190601:gandcrab:cb581e3, author = {Lawrence Abrams}, title = {{GandCrab Ransomware Shutting Down After Claiming to Earn \$2 Billion}}, date = {2019-06-01}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-shutting-down-after-claiming-to-earn-25-billion/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20190613:pylocky:15be611, author = {Lawrence Abrams}, title = {{pyLocky Decryptor Released by French Authorities}}, date = {2019-06-13}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/pylocky-decryptor-released-by-french-authorities/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20190719:elusive:153c1b0, author = {Lawrence Abrams}, title = {{Elusive MegaCortex Ransomware Found - Here is What We Know}}, date = 
{2019-07-19}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/elusive-megacortex-ransomware-found-here-is-what-we-know/}, language = {English}, urldate = {2020-01-15} } @online{abrams:20190906:lilocked:4042feb, author = {Lawrence Abrams}, title = {{Lilocked Ransomware Actively Targeting Servers and Web Sites}}, date = {2019-09-06}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/lilocked-ransomware-actively-targeting-servers-and-web-sites/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20190911:ryuk:8a18715, author = {Lawrence Abrams}, title = {{Ryuk Related Malware Steals Confidential Military, Financial Files}}, date = {2019-09-11}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ryuk-related-malware-steals-confidential-military-financial-files/}, language = {English}, urldate = {2019-12-20} } @online{abrams:20190917:tflower:31c9072, author = {Lawrence Abrams}, title = {{TFlower Ransomware - The Latest Attack Targeting Businesses}}, date = {2019-09-17}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/tflower-ransomware-the-latest-attack-targeting-businesses/}, language = {English}, urldate = {2019-10-15} } @online{abrams:20191010:nemty:319e3b7, author = {Lawrence Abrams}, title = {{Nemty Ransomware Decryptor Released, Recover Files for Free}}, date = {2019-10-10}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/nemty-ransomware-decryptor-released-recover-files-for-free/}, language = {English}, urldate = {2020-01-09} } @online{abrams:20191025:new:f7feebd, author = {Lawrence Abrams}, title = {{New FuxSocy Ransomware Impersonates the Notorious Cerber}}, date = {2019-10-25}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-fuxsocy-ransomware-impersonates-the-notorious-cerber/}, language = {English}, 
urldate = {2020-01-13} } @online{abrams:20191105:new:14b4aaf, author = {Lawrence Abrams}, title = {{New Megacortex Ransomware Changes Windows Passwords, Threatens to Publish Data}}, date = {2019-11-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-megacortex-ransomware-changes-windows-passwords-threatens-to-publish-data/}, language = {English}, urldate = {2020-01-07} } @online{abrams:20191121:allied:a3d69d7, author = {Lawrence Abrams}, title = {{Allied Universal Breached by Maze Ransomware, Stolen Data Leaked}}, date = {2019-11-21}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/allied-universal-breached-by-maze-ransomware-stolen-data-leaked/}, language = {English}, urldate = {2020-01-08} } @online{abrams:20191202:facebook:5630b4e, author = {Lawrence Abrams}, title = {{Facebook Ads Manager Targeted by New Info-Stealing Trojan}}, date = {2019-12-02}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/facebook-ads-manager-targeted-by-new-info-stealing-trojan/}, language = {English}, urldate = {2020-02-26} } @online{abrams:20191211:maze:acb23da, author = {Lawrence Abrams}, title = {{Maze Ransomware Behind Pensacola Cyberattack, \$1M Ransom Demand}}, date = {2019-12-11}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/maze-ransomware-behind-pensacola-cyberattack-1m-ransom-demand/}, language = {English}, urldate = {2020-01-09} } @online{abrams:20191212:another:77246f4, author = {Lawrence Abrams}, title = {{Another Ransomware Will Now Publish Victims' Data If Not Paid}}, date = {2019-12-12}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/another-ransomware-will-now-publish-victims-data-if-not-paid/}, language = {English}, urldate = {2020-01-05} } @online{abrams:20191215:ryuk:74f6eab, author = {Lawrence Abrams}, title = {{Ryuk Ransomware Likely Behind New 
Orleans Cyberattack}}, date = {2019-12-15}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-likely-behind-new-orleans-cyberattack/}, language = {English}, urldate = {2020-01-13} } @online{abrams:20191223:fbi:7c11cf8, author = {Lawrence Abrams}, title = {{FBI Issues Alert For LockerGoga and MegaCortex Ransomware}}, date = {2019-12-23}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/fbi-issues-alert-for-lockergoga-and-megacortex-ransomware/}, language = {English}, urldate = {2020-01-08} } @online{abrams:20191224:maze:33a4e28, author = {Lawrence Abrams}, title = {{Maze Ransomware Releases Files Stolen from City of Pensacola}}, date = {2019-12-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/maze-ransomware-releases-files-stolen-from-city-of-pensacola/}, language = {English}, urldate = {2020-02-13} } @online{abrams:20191226:ryuk:acc2284, author = {Lawrence Abrams}, title = {{Ryuk Ransomware Stops Encrypting Linux Folders}}, date = {2019-12-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-stops-encrypting-linux-folders/}, language = {English}, urldate = {2020-01-08} } @online{abrams:20200108:snake:aaf992f, author = {Lawrence Abrams}, title = {{SNAKE Ransomware Is the Next Threat Targeting Business Networks}}, date = {2020-01-08}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/snake-ransomware-is-the-next-threat-targeting-business-networks/}, language = {English}, urldate = {2020-01-12} } @online{abrams:20200109:sodinokibi:c0204cc, author = {Lawrence Abrams}, title = {{Sodinokibi Ransomware Says Travelex Will Pay, One Way or Another}}, date = {2020-01-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-says-travelex-will-pay-one-way-or-another/}, language = 
{English}, urldate = {2020-01-13} } @online{abrams:20200111:sodinokibi:8fe0ebe, author = {Lawrence Abrams}, title = {{Sodinokibi Ransomware Publishes Stolen Data for the First Time}}, date = {2020-01-11}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-publishes-stolen-data-for-the-first-time/}, language = {English}, urldate = {2020-01-20} } @online{abrams:20200114:ryuk:b2e47fa, author = {Lawrence Abrams}, title = {{Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices}}, date = {2020-01-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/}, language = {English}, urldate = {2020-01-15} } @online{abrams:20200114:united:a309baa, author = {Lawrence Abrams}, title = {{United Nations Targeted With Emotet Malware Phishing Attack}}, date = {2020-01-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/united-nations-targeted-with-emotet-malware-phishing-attack/}, language = {English}, urldate = {2020-01-20} } @online{abrams:20200116:trickbot:ed6fdb3, author = {Lawrence Abrams}, title = {{TrickBot Now Uses a Windows 10 UAC Bypass to Evade Detection}}, date = {2020-01-16}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/trickbot-now-uses-a-windows-10-uac-bypass-to-evade-detection/}, language = {English}, urldate = {2020-01-20} } @online{abrams:20200118:new:4ad3c25, author = {Lawrence Abrams}, title = {{New Jersey Synagogue Suffers Sodinokibi Ransomware Attack}}, date = {2020-01-18}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-jersey-synagogue-suffers-sodinokibi-ransomware-attack/}, language = {English}, urldate = {2020-01-22} } @online{abrams:20200121:bitpylock:ded9871, author = {Lawrence Abrams}, title = {{BitPyLock Ransomware Now Threatens to Publish Stolen Data}}, date = 
{2020-01-21}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/bitpylock-ransomware-now-threatens-to-publish-stolen-data/}, language = {English}, urldate = {2020-01-22} } @online{abrams:20200123:trickbot:5ca7827, author = {Lawrence Abrams}, title = {{TrickBot Now Steals Windows Active Directory Credentials}}, date = {2020-01-23}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/trickbot-now-steals-windows-active-directory-credentials/}, language = {English}, urldate = {2020-01-27} } @online{abrams:20200124:new:05d5a6a, author = {Lawrence Abrams}, title = {{New Ryuk Info Stealer Targets Government and Military Secrets}}, date = {2020-01-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-ryuk-info-stealer-targets-government-and-military-secrets/}, language = {English}, urldate = {2020-02-03} } @online{abrams:20200128:ragnarok:713a314, author = {Lawrence Abrams}, title = {{Ragnarok Ransomware Targets Citrix ADC, Disables Windows Defender}}, date = {2020-01-28}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ragnarok-ransomware-targets-citrix-adc-disables-windows-defender/}, language = {English}, urldate = {2020-01-28} } @online{abrams:20200129:malware:920dc7e, author = {Lawrence Abrams}, title = {{Malware Tries to Trump Security Software With POTUS Impeachment}}, date = {2020-01-29}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/malware-tries-to-trump-security-software-with-potus-impeachment/}, language = {English}, urldate = {2020-02-03} } @online{abrams:20200130:trickbot:22db786, author = {Lawrence Abrams}, title = {{TrickBot Uses a New Windows 10 UAC Bypass to Launch Quietly}}, date = {2020-01-30}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly/}, 
language = {English}, urldate = {2020-02-03} } @online{abrams:20200205:mailto:3027008, author = {Lawrence Abrams}, title = {{Mailto (NetWalker) Ransomware Targets Enterprise Networks}}, date = {2020-02-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/mailto-netwalker-ransomware-targets-enterprise-networks/}, language = {English}, urldate = {2020-02-11} } @online{abrams:20200206:ransomware:8b6a606, author = {Lawrence Abrams}, title = {{Ransomware Exploits GIGABYTE Driver to Kill AV Processes}}, date = {2020-02-06}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ransomware-exploits-gigabyte-driver-to-kill-av-processes/}, language = {English}, urldate = {2020-02-13} } @online{abrams:20200213:parallax:9842604, author = {Lawrence Abrams}, title = {{Parallax RAT: Common Malware Payload After Hacker Forums Promotion}}, date = {2020-02-13}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/parallax-rat-common-malware-payload-after-hacker-forums-promotion/}, language = {English}, urldate = {2020-04-01} } @online{abrams:20200225:doppelpaymer:9ca20ab, author = {Lawrence Abrams}, title = {{DoppelPaymer Ransomware Launches Site to Post Victim's Data}}, date = {2020-02-25}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-launches-site-to-post-victims-data/}, language = {English}, urldate = {2020-02-26} } @online{abrams:20200226:sodinokibi:7d730ac, author = {Lawrence Abrams}, title = {{Sodinokibi Ransomware May Tip NASDAQ on Attacks to Hurt Stock Prices}}, date = {2020-02-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-may-tip-nasdaq-on-attacks-to-hurt-stock-prices/}, language = {English}, urldate = {2020-03-02} } @online{abrams:20200302:new:e4cb07c, author = {Lawrence Abrams}, title = {{New PwndLocker Ransomware 
Targeting U.S. Cities, Enterprises}}, date = {2020-03-02}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-pwndlocker-ransomware-targeting-us-cities-enterprises/}, language = {English}, urldate = {2020-03-02} } @online{abrams:20200303:ransomware:8be6fa7, author = {Lawrence Abrams}, title = {{Ransomware Attackers Use Your Cloud Backups Against You}}, date = {2020-03-03}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ransomware-attackers-use-your-cloud-backups-against-you/}, language = {English}, urldate = {2020-03-04} } @online{abrams:20200304:ryuk:31f2ce0, author = {Lawrence Abrams}, title = {{Ryuk Ransomware Attacked Epiq Global Via TrickBot Infection}}, date = {2020-03-04}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-attacked-epiq-global-via-trickbot-infection/}, language = {English}, urldate = {2020-03-09} } @online{abrams:20200305:pwndlocker:d9b200a, author = {Lawrence Abrams}, title = {{PwndLocker Ransomware Gets Pwned: Decryption Now Available}}, date = {2020-03-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/pwndlocker-ransomware-gets-pwned-decryption-now-available/}, language = {English}, urldate = {2020-03-05} } @online{abrams:20200307:ransomware:f839049, author = {Lawrence Abrams}, title = {{Ransomware Threatens to Reveal Company's 'Dirty' Secrets}}, date = {2020-03-07}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ransomware-threatens-to-reveal-companys-dirty-secrets/}, language = {English}, urldate = {2020-03-11} } @online{abrams:20200317:new:d6fa158, author = {Lawrence Abrams}, title = {{New Nefilim Ransomware Threatens to Release Victims' Data}}, date = {2020-03-17}, organization = {Bleeping Computer}, url = 
{https://www.bleepingcomputer.com/news/security/new-nefilim-ransomware-threatens-to-release-victims-data/}, language = {English}, urldate = {2020-03-19} } @online{abrams:20200319:redline:5966456, author = {Lawrence Abrams}, title = {{RedLine Info-Stealing Malware Spread by Folding@home Phishing}}, date = {2020-03-19}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/redline-info-stealing-malware-spread-by-folding-home-phishing/}, language = {English}, urldate = {2020-03-22} } @online{abrams:20200321:netwalker:5d2936c, author = {Lawrence Abrams}, title = {{Netwalker Ransomware Infecting Users via Coronavirus Phishing}}, date = {2020-03-21}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/netwalker-ransomware-infecting-users-via-coronavirus-phishing/}, language = {English}, urldate = {2020-03-22} } @online{abrams:20200324:three:fb92d03, author = {Lawrence Abrams}, title = {{Three More Ransomware Families Create Sites to Leak Stolen Data}}, date = {2020-03-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/}, language = {English}, urldate = {2020-03-26} } @online{abrams:20200411:sodinokibi:82f9f79, author = {Lawrence Abrams}, title = {{Sodinokibi Ransomware to stop taking Bitcoin to hide money trail}}, date = {2020-04-11}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-to-stop-taking-bitcoin-to-hide-money-trail/}, language = {English}, urldate = {2020-04-26} } @online{abrams:20200418:it:bb2d626, author = {Lawrence Abrams}, title = {{IT services giant Cognizant suffers Maze Ransomware cyber attack}}, date = {2020-04-18}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/it-services-giant-cognizant-suffers-maze-ransomware-cyber-attack/}, language = {English}, urldate = 
{2020-04-20} } @online{abrams:20200424:bazarbackdoor:86afc50, author = {Lawrence Abrams}, title = {{BazarBackdoor: TrickBot gang’s new stealthy network-hacking malware}}, date = {2020-04-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/bazarbackdoor-trickbot-gang-s-new-stealthy-network-hacking-malware/}, language = {English}, urldate = {2020-05-02} } @online{abrams:20200608:new:c1f97ec, author = {Lawrence Abrams}, title = {{New Avaddon Ransomware launches in massive smiley spam campaign}}, date = {2020-06-08}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-avaddon-ransomware-launches-in-massive-smiley-spam-campaign/}, language = {English}, urldate = {2020-06-10} } @online{abrams:20200622:indiabulls:ce0fcdb, author = {Lawrence Abrams}, title = {{Indiabulls Group hit by CLOP Ransomware, gets 24h leak deadline}}, date = {2020-06-22}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/indiabulls-group-hit-by-clop-ransomware-gets-24h-leak-deadline/}, language = {English}, urldate = {2020-06-23} } @online{abrams:20200626:new:d6e2d17, author = {Lawrence Abrams}, title = {{New Ransom X Ransomware used in Texas TxDOT cyberattack}}, date = {2020-06-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-ransom-x-ransomware-used-in-texas-txdot-cyberattack/}, language = {English}, urldate = {2020-07-11} } @online{abrams:20200626:ransom:9e453cd, author = {Lawrence Abrams}, title = {{Ransom .exx notes}}, date = {2020-06-26}, organization = {Github (Bleeping)}, url = {https://github.com/Bleeping/Ransom.exx}, language = {English}, urldate = {2020-07-11} } @online{abrams:20200711:trickbot:7e70ad3, author = {Lawrence Abrams}, title = {{TrickBot malware mistakenly warns victims that they are infected}}, date = {2020-07-11}, organization = {Bleeping Computer}, url = 
{https://www.bleepingcomputer.com/news/security/trickbot-malware-mistakenly-warns-victims-that-they-are-infected/}, language = {English}, urldate = {2020-07-15} } @online{abrams:20200713:new:a9e2a62, author = {Lawrence Abrams}, title = {{New AgeLocker Ransomware uses Googler's utility to encrypt files}}, date = {2020-07-13}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-agelocker-ransomware-uses-googlers-utility-to-encrypt-files/}, language = {English}, urldate = {2020-07-15} } @online{abrams:20200720:emotettrickbot:a8e84d2, author = {Lawrence Abrams}, title = {{Emotet-TrickBot malware duo is back infecting Windows machines}}, date = {2020-07-20}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/emotet-trickbot-malware-duo-is-back-infecting-windows-machines/}, language = {English}, urldate = {2020-07-21} } @online{abrams:20200821:darkside:3ebbc35, author = {Lawrence Abrams}, title = {{DarkSide: New targeted ransomware demands million dollar ransoms}}, date = {2020-08-21}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/darkside-new-targeted-ransomware-demands-million-dollar-ransoms/}, language = {English}, urldate = {2020-08-24} } @online{abrams:20200825:ryuk:fbd5d99, author = {Lawrence Abrams}, title = {{Ryuk successor Conti Ransomware releases data leak site}}, date = {2020-08-25}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ryuk-successor-conti-ransomware-releases-data-leak-site/}, language = {English}, urldate = {2020-08-26} } @online{abrams:20200826:suncrypt:426964e, author = {Lawrence Abrams}, title = {{SunCrypt Ransomware sheds light on the Maze ransomware cartel}}, date = {2020-08-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/suncrypt-ransomware-sheds-light-on-the-maze-ransomware-cartel/}, language = {English}, urldate = {2020-08-27} } 
@online{abrams:20200917:maze:81b8c38, author = {Lawrence Abrams}, title = {{Maze ransomware now encrypts via virtual machines to evade detection}}, date = {2020-09-17}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/maze-ransomware-now-encrypts-via-virtual-machines-to-evade-detection/}, language = {English}, urldate = {2020-09-21} } @online{abrams:20200923:agelocker:1826fc8, author = {Lawrence Abrams}, title = {{AgeLocker ransomware targets QNAP NAS devices, steals data}}, date = {2020-09-23}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/agelocker-ransomware-targets-qnap-nas-devices-steals-data/}, language = {English}, urldate = {2020-09-25} } @online{abrams:20200923:government:bf7b212, author = {Lawrence Abrams}, title = {{Government software provider Tyler Technologies hit by ransomware}}, date = {2020-09-23}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/government-software-provider-tyler-technologies-hit-by-ransomware/}, language = {English}, urldate = {2020-10-02} } @online{abrams:20200924:mount:0456f2a, author = {Lawrence Abrams}, title = {{Mount Locker ransomware joins the multi-million dollar ransom game}}, date = {2020-09-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/mount-locker-ransomware-joins-the-multi-million-dollar-ransom-game/}, language = {English}, urldate = {2020-10-02} } @online{abrams:20201016:thunderx:7e8ece8, author = {Lawrence Abrams}, title = {{ThunderX Ransomware rebrands as Ranzy Locker, adds data leak site}}, date = {2020-10-16}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/thunderx-ransomware-rebrands-as-ranzy-locker-adds-data-leak-site/}, language = {English}, urldate = {2020-10-23} } @online{abrams:20201020:barnes:f210b39, author = {Lawrence Abrams}, title = {{Barnes \& Noble hit by Egregor ransomware, strange data 
leaked}}, date = {2020-10-20}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/barnes-and-noble-hit-by-egregor-ransomware-strange-data-leaked/}, language = {English}, urldate = {2020-10-23} } @online{abrams:20201022:french:6d52e19, author = {Lawrence Abrams}, title = {{French IT giant Sopra Steria hit by Ryuk ransomware}}, date = {2020-10-22}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/french-it-giant-sopra-steria-hit-by-ryuk-ransomware/}, language = {English}, urldate = {2020-10-26} } @online{abrams:20201023:new:b9a8801, author = {Lawrence Abrams}, title = {{New RAT malware gets commands via Discord, has ransomware feature}}, date = {2020-10-23}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-rat-malware-gets-commands-via-discord-has-ransomware-feature/}, language = {English}, urldate = {2020-10-27} } @online{abrams:20201027:steelcase:25f66a9, author = {Lawrence Abrams}, title = {{Steelcase furniture giant hit by Ryuk ransomware attack}}, date = {2020-10-27}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/steelcase-furniture-giant-hit-by-ryuk-ransomware-attack/}, language = {English}, urldate = {2020-10-28} } @online{abrams:20201029:hacking:c8d5379, author = {Lawrence Abrams}, title = {{Hacking group is targeting US hospitals with Ryuk ransomware}}, date = {2020-10-29}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/hacking-group-is-targeting-us-hospitals-with-ryuk-ransomware/}, language = {English}, urldate = {2020-11-02} } @online{abrams:20201029:maze:f90b399, author = {Lawrence Abrams}, title = {{Maze ransomware is shutting down its cybercrime operation}}, date = {2020-10-29}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/maze-ransomware-is-shutting-down-its-cybercrime-operation/}, language = 
{English}, urldate = {2020-11-02} } @online{abrams:20201103:new:819bca9, author = {Lawrence Abrams}, title = {{New RegretLocker ransomware targets Windows virtual machines}}, date = {2020-11-03}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/new-regretlocker-ransomware-targets-windows-virtual-machines/}, language = {English}, urldate = {2020-11-06} } @online{abrams:20201105:capcom:e0ff215, author = {Lawrence Abrams}, title = {{Capcom hit by Ragnar Locker ransomware, 1TB allegedly stolen}}, date = {2020-11-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/capcom-hit-by-ragnar-locker-ransomware-1tb-allegedly-stolen/}, language = {English}, urldate = {2020-11-06} } @online{abrams:20201105:japanese:0221abc, author = {Lawrence Abrams}, title = {{Japanese game dev Capcom hit by cyberattack, business impacted}}, date = {2020-11-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/japanese-game-dev-capcom-hit-by-cyberattack-business-impacted/}, language = {English}, urldate = {2020-11-06} } @online{abrams:20201109:laptop:fa3207d, author = {Lawrence Abrams}, title = {{Laptop maker Compal hit by ransomware, \$17 million demanded}}, date = {2020-11-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/laptop-maker-compal-hit-by-ransomware-17-million-demanded/}, language = {English}, urldate = {2020-11-11} } @online{abrams:20201113:darkside:82cdb5f, author = {Lawrence Abrams}, title = {{DarkSide ransomware is creating a secure data leak service in Iran}}, date = {2020-11-13}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/darkside-ransomware-is-creating-a-secure-data-leak-service-in-iran/}, language = {English}, urldate = {2020-11-18} } @online{abrams:20201114:retail:f5192ae, author = {Lawrence Abrams}, title = {{Retail giant Cencosud hit by Egregor Ransomware attack, 
stores impacted}}, date = {2020-11-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/retail-giant-cencosud-hit-by-egregor-ransomware-attack-stores-impacted/}, language = {English}, urldate = {2020-11-19} } @online{abrams:20201118:revil:fda480b, author = {Lawrence Abrams}, title = {{REvil ransomware hits Managed.com hosting provider, 500K ransom}}, date = {2020-11-18}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-managedcom-hosting-provider-500k-ransom/}, language = {English}, urldate = {2020-11-19} } @online{abrams:20201119:mount:0294998, author = {Lawrence Abrams}, title = {{Mount Locker ransomware now targets your TurboTax tax returns}}, date = {2020-11-19}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/mount-locker-ransomware-now-targets-your-turbotax-tax-returns/}, language = {English}, urldate = {2020-11-23} } @online{abrams:20201120:lightbot:473b7c3, author = {Lawrence Abrams}, title = {{LightBot: TrickBot’s new reconnaissance malware for high-value targets}}, date = {2020-11-20}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/lightbot-trickbot-s-new-reconnaissance-malware-for-high-value-targets/}, language = {English}, urldate = {2020-11-23} } @online{abrams:20201203:kmart:0795c86, author = {Lawrence Abrams}, title = {{Kmart nationwide retailer suffers a ransomware attack}}, date = {2020-12-03}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/kmart-nationwide-retailer-suffers-a-ransomware-attack/}, language = {English}, urldate = {2020-12-08} } @online{abrams:20201203:ransomware:186759f, author = {Lawrence Abrams}, title = {{Ransomware gang says they stole 2 million credit cards from E-Land}}, date = {2020-12-03}, organization = {Bleeping Computer}, url = 
{https://www.bleepingcomputer.com/news/security/ransomware-gang-says-they-stole-2-million-credit-cards-from-e-land/}, language = {English}, urldate = {2020-12-08} } @online{abrams:20201204:largest:43455f7, author = {Lawrence Abrams}, title = {{Largest global staffing agency Randstad hit by Egregor ransomware}}, date = {2020-12-04}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/largest-global-staffing-agency-randstad-hit-by-egregor-ransomware/}, language = {English}, urldate = {2020-12-08} } @online{abrams:20201204:metro:3350ee7, author = {Lawrence Abrams}, title = {{Metro Vancouver's transit system hit by Egregor ransomware}}, date = {2020-12-04}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/metro-vancouvers-transit-system-hit-by-egregor-ransomware/}, language = {English}, urldate = {2020-12-08} } @online{abrams:20201207:foxconn:307c147, author = {Lawrence Abrams}, title = {{Foxconn electronics giant hit by ransomware, \$34 million ransom}}, date = {2020-12-07}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/foxconn-electronics-giant-hit-by-ransomware-34-million-ransom/}, language = {English}, urldate = {2020-12-08} } @online{abrams:20201213:intels:ae85240, author = {Lawrence Abrams}, title = {{Intel's Habana Labs hacked by Pay2Key ransomware, data stolen}}, date = {2020-12-13}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/intels-habana-labs-hacked-by-pay2key-ransomware-data-stolen/}, language = {English}, urldate = {2020-12-14} } @online{abrams:20201216:fireeye:d24dc6f, author = {Lawrence Abrams}, title = {{FireEye, Microsoft create kill switch for SolarWinds backdoor}}, date = {2020-12-16}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/fireeye-microsoft-create-kill-switch-for-solarwinds-backdoor/}, language = {English}, urldate = {2020-12-17} } 
@online{abrams:20201219:solarwinds:0129ee8, author = {Lawrence Abrams}, title = {{The SolarWinds cyberattack: The hack, the victims, and what we know}}, date = {2020-12-19}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/the-solarwinds-cyberattack-the-hack-the-victims-and-what-we-know/}, language = {English}, urldate = {2020-12-19} } @online{abrams:20201221:trucking:2b6b278, author = {Lawrence Abrams}, title = {{Trucking giant Forward Air hit by new Hades ransomware gang}}, date = {2020-12-21}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/trucking-giant-forward-air-hit-by-new-hades-ransomware-gang/}, language = {English}, urldate = {2020-12-23} } @online{abrams:20201228:home:5e0aaf7, author = {Lawrence Abrams}, title = {{Home appliance giant Whirlpool hit in Nefilim ransomware attack}}, date = {2020-12-28}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/home-appliance-giant-whirlpool-hit-in-nefilim-ransomware-attack/}, language = {English}, urldate = {2021-01-01} } @online{abrams:20210106:hackers:638f09c, author = {Lawrence Abrams}, title = {{Hackers start exploiting the new backdoor in Zyxel devices}}, date = {2021-01-06}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/hackers-start-exploiting-the-new-backdoor-in-zyxel-devices/}, language = {English}, urldate = {2021-01-11} } @online{abusech:20130118:feodo:5354db0, author = {abuse.ch}, title = {{Feodo Tracker}}, date = {2013-01-18}, organization = {abuse.ch}, url = {https://feodotracker.abuse.ch/?filter=version_e}, language = {English}, urldate = {2020-01-13} } @online{abusech:2018:feodo:3a9a017, author = {abuse.ch}, title = {{Feodo Tracker}}, date = {2018}, organization = {abuse.ch}, url = {https://feodotracker.abuse.ch/}, language = {English}, urldate = {2019-11-17} } @online{abuseio:20190504:abuseio:d5062ca, author = {Abuse.io}, title = 
{{Abuse.io Report - Lockergoga}}, date = {2019-05-04}, organization = {Abuse.io}, url = {https://www.abuse.io/lockergoga.txt}, language = {English}, urldate = {2020-01-07} } @online{acalvio:20180613:lateral:ab17115, author = {Team Acalvio}, title = {{Lateral Movement Technique Employed by Hidden Cobra}}, date = {2018-06-13}, organization = {Acalvio}, url = {https://www.acalvio.com/lateral-movement-technique-employed-by-hidden-cobra/}, language = {English}, urldate = {2020-01-13} } @online{accenture:2018:hogfish:4bd6290, author = {Accenture}, title = {{HOGFISH REDLEAVES CAMPAIGN}}, date = {2018}, organization = {Accenture}, url = {http://blog.alyac.co.kr/1853}, language = {English}, urldate = {2020-01-06} } @online{ackerman:20181221:overruled:74ac7b4, author = {Geoff Ackerman and Rick Cole and Andrew Thompson and Alex Orleans and Nick Carr}, title = {{OVERRULED: Containing a Potentially Destructive Adversary}}, date = {2018-12-21}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html}, language = {English}, urldate = {2019-12-20} } @online{ackerman:20190821:taking:3b8daac, author = {Pascal Ackerman}, title = {{Taking a Closer Look at the LookBack Malware Campaign – Part 1}}, date = {2019-08-21}, organization = {Threatgen}, url = {https://threatgen.com/taking-a-closer-look-at-the-lookback-malware-campaign-part-1/}, language = {English}, urldate = {2020-01-13} } @online{acsc:20200523:summary:32bbf2b, author = {Australian Cyber Security Centre (ACSC)}, title = {{Summary of Tradecraft Trends for 2019-20: Tactics, Techniques and Procedures Used to Target Australian Networks}}, date = {2020-05-23}, organization = {Australian Cyber Security Centre}, url = {https://www.cyber.gov.au/threats/summary-of-tradecraft-trends-for-2019-20-tactics-techniques-and-procedures-used-to-target-australian-networks}, language = {English}, urldate = {2020-05-23} } 
@techreport{acsc:20200618:advisory:ed0f53c, author = {Australian Cyber Security Centre (ACSC)}, title = {{Advisory 2020-008: Copy-Paste Compromises – tactics, techniques and procedures used to target multiple Australian networks}}, date = {2020-06-18}, institution = {Australian Cyber Security Centre}, url = {https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf}, language = {English}, urldate = {2020-06-19} } @online{acsc:20201112:biotech:edf0f4a, author = {Australian Cyber Security Centre (ACSC)}, title = {{Biotech research firm Miltenyi Biotec hit by ransomware, data leaked}}, date = {2020-11-12}, organization = {Australian Cyber Security Centre}, url = {https://www.cyber.gov.au/acsc/view-all-content/alerts/sdbbot-targeting-health-sector}, language = {English}, urldate = {2020-11-18} } @online{action09:20181116:c0ld:89e6c06, author = {Action09}, title = {{(C)0ld Case : From Aerospace to China’s interests.}}, date = {2018-11-16}, organization = {CyberThreatIntelligence Blog}, url = {https://cyberthreatintelligenceblog.wordpress.com/2018/11/16/c0ld-case-from-aerospace-to-chinas-interests/}, language = {English}, urldate = {2020-01-07} } @online{actiondan:20180219:intro:0d978b0, author = {ActionDan}, title = {{Intro to Using GScript for Red Teams}}, date = {2018-02-19}, url = {http://lockboxx.blogspot.com/2018/02/intro-to-using-gscript-for-red-teams.html}, language = {English}, urldate = {2019-12-20} } @online{adair:20161109:powerduke:335bceb, author = {Steven Adair}, title = {{PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs}}, date = {2016-11-09}, organization = {Volexity}, url = {https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/}, language = {English}, urldate = {2019-12-24} } @online{adair:20201106:oceanlotus:f7b11ac, author = {Steven Adair and Thomas Lancaster and Volexity Threat Research}, title = 
{{OceanLotus: Extending Cyber Espionage Operations Through Fake Websites}}, date = {2020-11-06}, organization = {Volexity}, url = {https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/}, language = {English}, urldate = {2020-11-09} } @online{adamitis:20181105:persian:5adf8c2, author = {Danny Adamitis and Warren Mercer and Paul Rascagnères and Vitor Ventura and Eric Kuhla}, title = {{Persian Stalker pillages Iranian users of Instagram and Telegram}}, date = {2018-11-05}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2018/11/persian-stalker.html}, language = {English}, urldate = {2019-11-27} } @online{adamitis:20190417:dns:0146532, author = {Danny Adamitis and David Maynor and Warren Mercer and Matthew Olney and Paul Rascagnères}, title = {{DNS Hijacking Abuses Trust In Core Internet Service}}, date = {2019-04-17}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/04/seaturtle.html}, language = {English}, urldate = {2020-01-09} } @online{adamitis:20190520:recent:4bb543f, author = {Danny Adamitis and David Maynor and Kendall McKay}, title = {{Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques}}, date = {2019-05-20}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2019/05/recent-muddywater-associated-blackwater.html}, language = {English}, urldate = {2020-01-07} } @online{adamitis:20190709:sea:62515b8, author = {Danny Adamitis and Paul Rascagnères}, title = {{Sea Turtle Keeps on Swimming}}, date = {2019-07-09}, organization = {Talos Intelligence}, url = {https://blog.talosintelligence.com/2019/07/sea-turtle-keeps-on-swimming.html}, language = {English}, urldate = {2020-06-08} } @online{adamitis:20190911:autumn:8bec4cb, author = {Danny Adamitis and Elizabeth Wharton}, title = {{Autumn Aperture}}, date = {2019-09-11}, organization = {Prevailion}, url = 
{https://blog.prevailion.com/2019/09/autumn-aperture-report.html}, language = {English}, urldate = {2020-06-08} } @online{adamitis:20200107:summer:637a53f, author = {Danny Adamitis}, title = {{Summer Mirage}}, date = {2020-01-07}, organization = {Prevailion}, url = {https://blog.prevailion.com/2020/01/summer-mirage.html}, language = {English}, urldate = {2020-01-12} } @online{adamitis:20200206:triune:ada8ad3, author = {Danny Adamitis}, title = {{The Triune Threat: MasterMana Returns}}, date = {2020-02-06}, organization = {Prevailion}, url = {https://blog.prevailion.com/2020/02/the-triune-threat-mastermana-returns.html}, language = {English}, urldate = {2020-04-13} } @online{adamitis:20200506:phantom:2a752f7, author = {Danny Adamitis}, title = {{Phantom in the Command Shell}}, date = {2020-05-06}, organization = {Prevailion}, url = {https://blog.prevailion.com/2020/05/phantom-in-command-shell5.html}, language = {English}, urldate = {2020-05-07} } @online{adamitis:20200605:gh0st:849c227, author = {Danny Adamitis}, title = {{The Gh0st Remains the Same}}, date = {2020-06-05}, organization = {Prevailion}, url = {https://blog.prevailion.com/2020/06/the-gh0st-remains-same8.html}, language = {English}, urldate = {2020-06-08} } @online{adamov:20170502:targeted:31454f7, author = {Alexander Adamov}, title = {{Targeted attack against the Ukrainian military}}, date = {2017-05-02}, url = {https://nioguard.blogspot.de/2017/05/targeted-attack-against-ukrainian.html}, language = {English}, urldate = {2019-12-17} } @techreport{adams:20161207:trickbot:fc3427c, author = {Joshua Adams}, title = {{The TrickBot Evolution}}, date = {2016-12-07}, institution = {Botconf}, url = {https://www.botconf.eu/wp-content/uploads/2016/11/2016-LT09-TrickBot-Adams.pdf}, language = {English}, urldate = {2020-01-09} } @online{admin001:20191120:shadow:49b26ff, author = {admin001}, title = {{Shadow of the Circle Hovering Over Central Asia - The Golden Eagle (APT-C-34) Organizing Attack Revealed}}, date = 
{2019-11-20}, organization = {360}, url = {http://blogs.360.cn/post/APT-C-34_Golden_Falcon.html}, language = {English}, urldate = {2020-01-10} } @techreport{advisory:20200528:sandworm:d509ae5, author = {Cybersecurity Advisory}, title = {{Sandworm Actors Exploiting Vulnerability in EXIM Mail Transfer Agent}}, date = {2020-05-28}, institution = {National Security Agency}, url = {https://media.defense.gov/2020/May/28/2002306626/-1/-1/0/CSA%20Sandworm%20Actors%20Exploiting%20Vulnerability%20in%20Exim%20Transfer%20Agent%2020200528.pdf}, language = {English}, urldate = {2020-05-29} } @online{affairs:20140202:us:872a22b, author = {Office of Public Affairs}, title = {{U.S. Leads Multi-National Action Against “Gameover Zeus” Botnet and “Cryptolocker” Ransomware, Charges Botnet Administrator}}, date = {2014-02-02}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/us-leads-multi-national-action-against-gameover-zeus-botnet-and-cryptolocker-ransomware}, language = {English}, urldate = {2020-01-08} } @online{affairs:20170328:russian:e9c593c, author = {Office of Public Affairs}, title = {{Russian Citizen Pleads Guilty for Involvement in Global Botnet Conspiracy}}, date = {2017-03-28}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/russian-citizen-pleads-guilty-involvement-global-botnet-conspiracy}, language = {English}, urldate = {2020-01-07} } @online{affairs:20180523:justice:806d785, author = {Office of Public Affairs}, title = {{Justice Department Announces Actions to Disrupt Advanced Persistent Threat 28 Botnet of Infected Routers and Network Storage Devices}}, date = {2018-05-23}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected}, language = {English}, urldate = {2020-01-06} } @online{affairs:20180906:north:9b30dd0, author = {Office of Public Affairs}, title = {{North Korean Regime-Backed 
Programmer Charged With Conspiracy to Conduct Multiple Cyber Attacks and Intrusions}}, date = {2018-09-06}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/north-korean-regime-backed-programmer-charged-conspiracy-conduct-multiple-cyber-attacks-and}, language = {English}, urldate = {2020-01-07} } @online{affairs:20181128:two:9032b25, author = {Office of Public Affairs}, title = {{Two Iranian Men Indicted for Deploying Ransomware to Extort Hospitals, Municipalities, and Public Institutions, Causing Over \$30 Million in Losses}}, date = {2018-11-28}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/two-iranian-men-indicted-deploying-ransomware-extort-hospitals-municipalities-and-public}, language = {English}, urldate = {2020-01-08} } @online{affairs:20190213:former:3518c47, author = {Office of Public Affairs}, title = {{Former U.S. Counterintelligence Agent Charged With Espionage on Behalf of Iran; Four Iranians Charged With a Cyber Campaign Targeting Her Former Colleagues}}, date = {2019-02-13}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/former-us-counterintelligence-agent-charged-espionage-behalf-iran-four-iranians-charged-cyber}, language = {English}, urldate = {2019-10-14} } @online{affairs:20190411:two:8ce139a, author = {Office of Public Affairs}, title = {{Two Romanian Cybercriminals Convicted of All 21 Counts Relating to Infecting Over 400,000 Victim Computers with Malware and Stealing Millions of Dollars}}, date = {2019-04-11}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/two-romanian-cybercriminals-convicted-all-21-counts-relating-infecting-over-400000-victim}, language = {English}, urldate = {2019-10-13} } @online{affairs:20190516:goznym:714f938, author = {Office of Public Affairs}, title = {{GozNym Cyber-Criminal Network Operating out of Europe Targeting American Entities Dismantled in International Operation}}, date = {2019-05-16}, 
organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/goznym-cyber-criminal-network-operating-out-europe-targeting-american-entities-dismantled}, language = {English}, urldate = {2020-01-08} } @techreport{ag:20201215:greetings:a5b59d9, author = {HvS-Consulting AG}, title = {{Greetings from Lazarus Anatomy of a cyber espionage campaign}}, date = {2020-12-15}, institution = {HvS-Consulting AG}, url = {https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf}, language = {English}, urldate = {2020-12-16} } @online{agency:20191025:qsnatch:9631c95, author = {Finnish Transport \& Communications Agency}, title = {{QSnatch - Malware designed for QNAP NAS devices}}, date = {2019-10-25}, organization = {Finnish Transport \& Communications Agency}, url = {https://www.kyberturvallisuuskeskus.fi/en/news/qsnatch-malware-designed-qnap-nas-devices}, language = {English}, urldate = {2020-01-10} } @techreport{agency:20200813:russian:c0ae2d5, author = {National Security Agency and Federal Bureau of Investigation}, title = {{Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware}}, date = {2020-08-13}, institution = {National Security Agency}, url = {https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF}, language = {English}, urldate = {2020-08-14} } @techreport{agency:202008:finspy:9de4cba, author = {Defensive Lab Agency}, title = {{FinSpy Android Technical Analysis}}, date = {2020-08}, institution = {Defensive Lab Agency}, url = {https://raw.githubusercontent.com/DefensiveLabAgency/FinSpy-for-Android/master/20200806_finspy_android_analysis_public_release.pdf}, language = {English}, urldate = {2020-10-02} } @techreport{agency:20201020:chinese:73ad10e, author = {National Security Agency}, title = {{Chinese State-Sponsored Actors Exploit Publicly Known Vulnerabilities}}, date = {2020-10-20}, institution = {National Security Agency}, url = 
{https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF}, language = {English}, urldate = {2020-10-23} } @online{agman:20200817:uncover:948e868, author = {Yaniv Agman}, title = {{Uncover Malware Payload Executions Automatically with Tracee}}, date = {2020-08-17}, organization = {Aqua}, url = {https://blog.aquasec.com/ebpf-container-tracing-malware-detection}, language = {English}, urldate = {2020-08-21} } @techreport{ahinkaya:20200828:cerberus:5575c7b, author = {Ali Rıza Şahinkaya and Can Atakan Işık and Rıdvan Ethem Canavar}, title = {{Cerberus Banking Trojan Analysis}}, date = {2020-08-28}, institution = {CYBER WISE}, url = {https://www.biznet.com.tr/wp-content/uploads/2020/08/Cerberus.pdf}, language = {English}, urldate = {2020-09-03} } @online{ahinkaya:20200831:cerberus:ecd6606, author = {Ali Rıza Şahinkaya and Can Atakan Işık and Rıdvan Ethem Canavar}, title = {{Cerberus Banking Trojan Research}}, date = {2020-08-31}, organization = {Github (ics-iot-bootcamp)}, url = {https://github.com/ics-iot-bootcamp/cerberus_research}, language = {English}, urldate = {2020-09-21} } @online{ahl:20130807:breaking:aff06e9, author = {Ian Ahl and Tony Lee and Dennis Hanzlik}, title = {{Breaking Down the China Chopper Web Shell - Part I}}, date = {2013-08-07}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html}, language = {English}, urldate = {2019-12-20} } @online{ahl:20170606:privileges:9598d5f, author = {Ian Ahl}, title = {{Privileges and Credentials: Phished at the Request of Counsel}}, date = {2017-06-06}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html}, language = {English}, urldate = {2019-12-20} } @online{ahn:20190304:kimsuky:e84d908, author = {Chang-Yong Ahn}, title = {{Kimsuky}}, date = {2019-03-04}, organization = {AhnLab}, url = 
{https://www.ahnlab.com/kr/site/securityinfo/secunews/secuNewsView.do?menu_dist=2&curPage=1&seq=28102}, language = {Korean}, urldate = {2019-10-23} } @online{ahnlab:20180330:magniber:5d13799, author = {AhnLab}, title = {{Magniber}}, date = {2018-03-30}, organization = {AhnLab}, url = {http://asec.ahnlab.com/1124}, language = {English}, urldate = {2019-07-09} } @techreport{ahnlab:20180623:full:dced6a4, author = {AhnLab}, title = {{Full Discloser of Andariel, A Subgroup of Lazarus Threat Group}}, date = {2018-06-23}, institution = {AhnLab}, url = {https://global.ahnlab.com/global/upload/download/techreport/[AhnLab]Andariel_a_Subgroup_of_Lazarus%20(3).pdf}, language = {English}, urldate = {2019-12-24} } @techreport{ahnlab:20180625:asec:dcc35cb, author = {AhnLab}, title = {{ASEC Report vol. 91 (2018)}}, date = {2018-06-25}, institution = {AhnLab}, url = {http://image.ahnlab.com/file_upload/asecissue_files/ASEC%20REPORT_vol.91.pdf}, language = {Korean}, urldate = {2020-01-10} } @techreport{ahnlab:20190221:operation:3e3c720, author = {AhnLab}, title = {{Operation Kabar Cobra}}, date = {2019-02-21}, institution = {AhnLab}, url = {http://download.ahnlab.com/kr/site/library/%5bAnalysis_Report%5dOperation_Kabar_Cobra.pdf}, language = {Korean}, urldate = {2019-12-02} } @techreport{ahnlab:20200302:analysis:c0c47c3, author = {AhnLab}, title = {{Analysis Report: MyKings Botnet}}, date = {2020-03-02}, institution = {AhnLab}, url = {http://download.ahnlab.com/kr/site/library/[AhnLab]Analysis%20Report_MyKings%20Botnet.pdf}, language = {Korean}, urldate = {2020-03-04} } @online{ahnlab:20200406:shadow:450342b, author = {AhnLab}, title = {{Shadow Force behind normal certificate reveals seven years}}, date = {2020-04-06}, organization = {AhnLab}, url = {https://www.ahnlab.com/kr/site/securityinfo/secunews/secuNewsView.do?curPage=1&menu_dist=2&seq=29129}, language = {Korean}, urldate = {2020-05-18} } @online{aime:20200323:fin7:66bea6f, author = {Félix Aime and Yury Namestnikov}, title = 
{{Fin7 APT: how billion dollar crime ring remains active after leaders’ arrest}}, date = {2020-03-23}, organization = {Kaspersky Labs}, url = {https://www.brighttalk.com/webcast/15591/382191/fin7-apt-how-billion-dollar-crime-ring-remains-active-after-leaders-arrest}, language = {English}, urldate = {2020-04-07} } @online{ajjan:20130305:russian:4bb6a48, author = {Anand Ajjan}, title = {{Russian ransomware takes advantage of Windows PowerShell}}, date = {2013-03-05}, organization = {Sophos Naked Security}, url = {https://nakedsecurity.sophos.com/2013/03/05/russian-ransomware-windows-powershell/}, language = {English}, urldate = {2020-01-27} } @techreport{akamai:20160404:threat:14239df, author = {Akamai}, title = {{Threat Advisory: “BillGates” Botnet}}, date = {2016-04-04}, institution = {Akamai}, url = {https://www.akamai.com/kr/ko/multimedia/documents/state-of-the-internet/bill-gates-botnet-threat-advisory.pdf}, language = {English}, urldate = {2020-01-07} } @techreport{akamai:20161001:kaitenstd:40de1e6, author = {Akamai}, title = {{Kaiten/STD router DDoS Malware}}, date = {2016-10-01}, institution = {Akamai}, url = {https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/kaiten-std-router-ddos-malware-threat-advisory.pdf}, language = {English}, urldate = {2020-01-08} } @techreport{akamei:20171016:upnproxy:044596d, author = {Akamai}, title = {{UPnProxy: Blackhat Proxies via NAT Injections}}, date = {2017-10-16}, institution = {Akamai}, url = {https://www.akamai.com/uk/en/multimedia/documents/white-paper/upnproxy-blackhat-proxies-via-nat-injections-white-paper.pdf}, language = {English}, urldate = {2019-12-10} } @techreport{akbanov:201901:wannacry:60d302c, author = {Maxat Akbanov and Vassilios G. Vassilakis and Michael D. 
Logothetis}, title = {{WannaCry Ransomware: Analysis of Infection, Persistence, Recovery Prevention and Propagation Mechanisms}}, date = {2019-01}, institution = {Journal of Telecommunications and Information Technology}, url = {https://www.il-pib.pl/czasopisma/JTIT/2019/1/113.pdf}, language = {English}, urldate = {2021-01-11} } @online{albassam:20160816:equation:e185e6b, author = {Mustafa Al-Bassam}, title = {{Equation Group firewall operations catalogue}}, date = {2016-08-16}, url = {https://musalbas.com/blog/2016/08/16/equation-group-firewall-operations-catalogue.html}, language = {English}, urldate = {2019-11-20} } @online{albors:20151216:nemucod:b1c1305, author = {Josep Albors}, title = {{Nemucod malware spreads ransomware Teslacrypt around the world}}, date = {2015-12-16}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2015/12/16/nemucod-malware-spreads-ransomware-teslacrypt-around-world/}, language = {English}, urldate = {2019-11-14} } @online{alert:20191203:threat:f7b8cb6, author = {Red Alert}, title = {{THREAT ACTOR TARGETING HONG KONG PRO-DEMOCRACY FIGURES}}, date = {2019-12-03}, organization = {NSHC}, url = {https://redalert.nshc.net/2019/12/03/threat-actor-targeting-hong-kong-activists}, language = {English}, urldate = {2020-06-03} } @techreport{alert:201912:cybercrime:b12d39c, author = {Visa Security Alert}, title = {{Cybercrime Groups (FIN8) Targeting Fuel Dispenser Merchants}}, date = {2019-12}, institution = {VISA}, url = {https://usa.visa.com/dam/VCOM/global/support-legal/documents/cybercrime-groups-targeting-fuel-dispenser-merchants.pdf}, language = {English}, urldate = {2020-07-23} } @techreport{alert:202008:baka:586781b, author = {Visa Security Alert}, title = {{‘Baka’ JavaScript Skimmer Identified}}, date = {2020-08}, institution = {VISA}, url = {https://usa.visa.com/content/dam/VCOM/global/support-legal/documents/visa-security-alert-baka-javascript-skimmer.pdf}, language = {English}, urldate = {2020-09-06} } 
@techreport{alert:20200925:visa:3bac371, author = {Visa Security Alert}, title = {{Visa Security Alert: New Malware Samples identified in Point-of-Sale Compromises}}, date = {2020-09-25}, institution = {VISA}, url = {https://usa.visa.com/dam/VCOM/global/support-legal/documents/new-pos-malware-samples.pdf}, language = {English}, urldate = {2020-10-05} } @online{alessandroz:20200914:lazagne:b0b9e44, author = {AlessandroZ}, title = {{The LaZagne Project !!!}}, date = {2020-09-14}, organization = {Github (AlessandroZ)}, url = {https://github.com/AlessandroZ/LaZagne}, language = {English}, urldate = {2020-10-28} } @online{alexuiop1337:20190731:github:215c261, author = {Alexuiop1337}, title = {{Github Repository for SoranoStealer}}, date = {2019-07-31}, organization = {Github (Alexuiop1337)}, url = {https://github.com/Alexuiop1337/SoranoStealer}, language = {English}, urldate = {2020-01-06} } @online{algayar:20171224:lilyofthevalley:40d90c1, author = {Mustapha Algayar}, title = {{LilyOfTheValley Repository}}, date = {2017-12-24}, organization = {Github (LilyOfTheValley)}, url = {https://github.com/En14c/LilyOfTheValley}, language = {English}, urldate = {2020-01-10} } @online{alguacil:201911:vb2019:a565e76, author = {Alexandre Mundo Alguacil and John Fokker}, title = {{VB2019 paper: Different ways to cook a crab: GandCrab ransomware-as-a-service (RaaS) analysed in depth}}, date = {2019-11}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2019/11/vb2019-paper-different-ways-cook-crab-gandcrab-ransomware-service-raas-analysed-indepth/}, language = {English}, urldate = {2020-01-08} } @online{alienvault:20190801:hexane:3d63fd0, author = {AlienVault}, title = {{Hexane Targeting Oil and Gas}}, date = {2019-08-01}, organization = {AlienVault OTX}, url = {https://otx.alienvault.com/pulse/5d4301edb3f3406ac01acc0f}, language = {English}, urldate = {2019-11-28} } @online{alintanahin:20140702:kivars:4fe6877, author = {Kervin Alintanahin and Ronnie 
Giagone}, title = {{KIVARS With Venom: Targeted Attacks Upgrade with 64-bit “Support”}}, date = {2014-07-02}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/kivars-with-venom-targeted-attacks-upgrade-with-64-bit-support/}, language = {English}, urldate = {2020-06-19} } @techreport{alintanahin:20150513:operation:a90911a, author = {Kervin Alintanahin}, title = {{Operation Tropic Trooper}}, date = {2015-05-13}, institution = {Trend Micro}, url = {http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-tropic-trooper.pdf}, language = {English}, urldate = {2020-01-06} } @online{allievi:20141028:threat:a302fbd, author = {Andrea Allievi and Douglas Goddard and Shaun Hurley and Alain Zidouemba}, title = {{Threat Spotlight: Group 72, Opening the ZxShell}}, date = {2014-10-28}, organization = {Cisco}, url = {https://blogs.cisco.com/security/talos/opening-zxshell}, language = {English}, urldate = {2019-10-15} } @online{allievi:20150320:threat:2f200b6, author = {Andrea Allievi and Ben Baker and Nick Biasini and JJ Cummings and Douglas Goddard and William Largent and Angel Villegas and Alain Zidouemba}, title = {{Threat Spotlight: PoSeidon, A Deep Dive Into Point of Sale Malware}}, date = {2015-03-20}, organization = {Cisco Talos}, url = {https://blogs.cisco.com/security/talos/poseidon}, language = {English}, urldate = {2020-01-13} } @online{allievi:20150427:threat:3754b13, author = {Andrea Allievi and Earl Carter and Emmanuel Tacheau}, title = {{Threat Spotlight: TeslaCrypt – Decrypt It Yourself}}, date = {2015-04-27}, organization = {Cisco Talos}, url = {https://blogs.cisco.com/security/talos/teslacrypt}, language = {English}, urldate = {2019-10-15} } @online{alonso:20170224:hunting:073d36e, author = {Angel Alonso}, title = {{Hunting Retefe with Splunk - some interesting points}}, date = {2017-02-24}, organization = {Some stuff about security.. 
Blog}, url = {http://blog.angelalonso.es/2017/02/hunting-retefe-with-splunk-some24.html}, language = {English}, urldate = {2020-01-06} } @online{alonsoparrizas:20151028:reversing:92cdf4f, author = {Angel Alonso-Parrizas}, title = {{Reversing the C2C HTTP Emmental communication}}, date = {2015-10-28}, url = {http://blog.angelalonso.es/2015/10/reversing-c2c-http-emmental.html}, language = {English}, urldate = {2019-12-05} } @online{alonsoparrizas:20151103:reversing:762708a, author = {Angel Alonso-Parrizas}, title = {{Reversing the SMS C\&C protocol of Emmental (1st part - understanding the code)}}, date = {2015-11-03}, url = {http://blog.angelalonso.es/2015/11/reversing-sms-c-protocol-of-emmental.html}, language = {English}, urldate = {2019-10-14} } @techreport{alperovitch:20140224:art:df5650c, author = {Dmitri Alperovitch}, title = {{The Art of Attribution Identifying and Pursuing your Cyber Adversaries}}, date = {2014-02-24}, institution = {RSA Conference}, url = {https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf}, language = {English}, urldate = {2020-04-06} } @online{alperovitch:20140707:deep:63e59f7, author = {Dmitri Alperovitch}, title = {{Deep in Thought: Chinese Targeting of National Security Think Tanks}}, date = {2014-07-07}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/deep-thought-chinese-targeting-national-security-think-tanks/}, language = {English}, urldate = {2019-12-20} } @online{alperovitch:20141014:crowdstrike:9be6684, author = {Dmitri Alperovitch}, title = {{CrowdStrike Discovers Use of 64-bit Zero-Day Privilege Escalation Exploit (CVE-2014-4113) by Hurricane Panda}}, date = {2014-10-14}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/}, language = {English}, urldate = {2020-06-03} } 
@online{alperovitch:20150413:cyber:93796f8, author = {Dmitri Alperovitch}, title = {{Cyber Deterrence in Action? A story of one long HURRICANE PANDA campaign}}, date = {2015-04-13}, organization = {CrowdStrike}, url = {http://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/}, language = {English}, urldate = {2019-12-20} } @online{alperovitch:20150413:cyber:9cee61c, author = {Dmitri Alperovitch}, title = {{Cyber Deterrence in Action? A story of one long HURRICANE PANDA campaign}}, date = {2015-04-13}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/}, language = {English}, urldate = {2020-06-03} } @online{alperovitch:20160615:bears:604c1d9, author = {Dmitri Alperovitch}, title = {{Bears in the Midst: Intrusion into the Democratic National Committee}}, date = {2016-06-15}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/}, language = {English}, urldate = {2019-12-20} } @online{altheide:20201021:media:fce4b18, author = {Cory Altheide and DAnon and Sam S. 
and Proofpoint Threat Research Team}, title = {{Media Coverage Doesn’t Deter Actor From Threatening Democratic Voters}}, date = {2020-10-21}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/media-coverage-doesnt-deter-actor-threatening-democratic-voters}, language = {English}, urldate = {2020-10-26} } @online{althouse:20201117:easily:172bd6d, author = {John Althouse}, title = {{Easily Identify Malicious Servers on the Internet with JARM}}, date = {2020-11-17}, organization = {Salesforce Engineering}, url = {https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a}, language = {English}, urldate = {2020-12-03} } @online{alvares:20200622:comparative:270905b, author = {Marcos Alvares}, title = {{Comparative analysis between Bindiff and Diaphora - Patched Smokeloader Study Case}}, date = {2020-06-22}, organization = {security.neurolabs}, url = {http://security.neurolabs.club/2020/04/diffing-malware-samples-using-bindiff.html}, language = {English}, urldate = {2020-06-24} } @online{alvarez:20121203:compromised:1e6dcb7, author = {Raul Alvarez}, title = {{Compromised library}}, date = {2012-12-03}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2012/12/compromised-library}, language = {English}, urldate = {2019-12-17} } @online{alvarez:20140718:birds:9f9e509, author = {Raul Alvarez}, title = {{Bird's nest}}, date = {2014-07-18}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2014/08/bird-s-nest}, language = {English}, urldate = {2019-11-28} } @online{alyac:20190131:lazarus:bbb47f8, author = {Alyac}, title = {{Lazarus APT Organization Attacks with Operation Extreme Job}}, date = {2019-01-31}, organization = {ESTsecurity}, url = {https://blog.alyac.co.kr/2105}, language = {Korean}, urldate = {2019-10-21} } @online{alyac:20190327:lazarus:2172304, author = {Alyac}, title = {{라자루스(Lazarus) 그룹, 이스라엘 군수업체 대상 APT 역습}}, 
date = {2019-03-27}, url = {https://blog.alyac.co.kr/m/2219}, language = {Korean}, urldate = {2020-07-15} } @online{alyac:20190327:lazarus:df092d7, author = {Alyac}, title = {{Lazarus Group APT Counterattack Against Israeli Military}}, date = {2019-03-27}, organization = {ESTsecurity}, url = {https://blog.alyac.co.kr/2219}, language = {Korean}, urldate = {2020-06-29} } @online{alyac:20190610:special:f4e2a26, author = {Alyac}, title = {{[Special Report] APT Campaign 'Konni' \& 'Kimsuky' Organizations Found in Common}}, date = {2019-06-10}, organization = {ESTsecurity}, url = {https://blog.alyac.co.kr/2347}, language = {Korean}, urldate = {2020-03-17} } @online{alyac:20190627:lazarus:9afc51d, author = {Alyac}, title = {{Lazarus APT Group attacks with a malicious '진실겜.xls' via the Telegram messenger}}, date = {2019-06-27}, organization = {ESTsecurity}, url = {https://blog.alyac.co.kr/2388}, language = {Korean}, urldate = {2020-03-17} } @techreport{alyac:20200330:spy:e23215b, author = {Alyac}, title = {{The 'Spy Cloud' Operation: Geumseong121 group carries out the APT attack disguising the evidence of North Korean defection}}, date = {2020-03-30}, institution = {EST Security}, url = {https://blog.alyac.co.kr/attachment/cfile8.uf@9977CF405E81A09B1C4CE2.pdf}, language = {English}, urldate = {2020-04-07} } @online{alyac:20200725:special:ca84b90, author = {Alyac}, title = {{[Special Report] Thallium Group sued by Microsoft in the US, threatens 'Fake Striker' APT campaign against South Korea}}, date = {2020-07-25}, organization = {ESTsecurity}, url = {https://blog.alyac.co.kr/3120}, language = {Korean}, urldate = {2020-07-30} } @online{alyac:20201016:thallium:aff8d61, author = {Alyac}, title = {{탈륨조직의 국내 암호화폐 지갑 펌웨어로 위장한 다차원 APT 공격 분석출처 ( THALLIUM)}}, date = {2020-10-16}, organization = {Alyac}, url = {https://blog.alyac.co.kr/3310}, language = {Korean}, urldate = {2020-10-23} } @online{alyac:20201021:zloader:d78b7b7, author = {Alyac}, title = {{ZLoader 악성코드, 사업 정지 경고로 위장해 
유포중}}, date = {2020-10-21}, organization = {Alyac}, url = {https://blog.alyac.co.kr/3322}, language = {Korean}, urldate = {2020-10-29} } @online{alyac:20201104:apt:668b6b4, author = {Alyac}, title = {{북한 연계 해킹조직 탈륨, 미국 대선 예측 언론 문서로 위장한 APT 공격 수행 출처}}, date = {2020-11-04}, organization = {ESTsecurity}, url = {https://blog.alyac.co.kr/3352}, language = {Korean}, urldate = {2020-11-04} } @online{alyac:20201112:blue:68c4df2, author = {Alyac}, title = {{北 연계 탈륨조직, '블루 에스티메이트(Blue Estimate)' APT 캠페인 지속}}, date = {2020-11-12}, organization = {ESTsecurity}, url = {https://blog.alyac.co.kr/3368}, language = {Korean}, urldate = {2020-11-18} } @online{alyac:20201215:goldstar:c592b26, author = {Alyac}, title = {{Goldstar 121 organization proceeds with HWP OLE-based APT attack}}, date = {2020-12-15}, organization = {EST Security}, url = {https://blog.alyac.co.kr/3451}, language = {Korean}, urldate = {2020-12-16} } @online{alyac:20201217:thallium:d04a7df, author = {Alyac}, title = {{Thallium organization attacks domestic blockchain company with documents of non-delinquency confirmation}}, date = {2020-12-17}, organization = {EST Security}, url = {https://blog.alyac.co.kr/3458}, language = {Korean}, urldate = {2020-12-18} } @online{alyac:20210103:thallium:cad0add, author = {Alyac}, title = {{Thallium organization exploits private stock investment messenger to attack software supply chain}}, date = {2021-01-03}, organization = {EST Security}, url = {https://blog.alyac.co.kr/3489}, language = {Korean}, urldate = {2021-01-10} } @online{alyushin:20150914:shade:3558938, author = {Victor Alyushin and Fedor Sinitsyn}, title = {{The Shade Encryptor: a Double Threat}}, date = {2015-09-14}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-shade-encryptor-a-double-threat/72087/}, language = {English}, urldate = {2019-12-20} } @online{amawaka:20200310:apt40:2199052, author = {Asuna Amawaka}, title = {{APT40 goes from Template Injections to OLE-Linkings for payload 
delivery}}, date = {2020-03-10}, organization = {insomniacs(Medium)}, url = {https://medium.com/insomniacs/apt40-goes-from-template-injections-to-ole-linkings-for-payload-delivery-99eb43170a97}, language = {English}, urldate = {2020-04-16} } @online{amawaka:20200315:dad:5cad035, author = {Asuna Amawaka}, title = {{Dad! There’s A Rat In Here!}}, date = {2020-03-15}, organization = {insomniacs(Medium)}, url = {https://medium.com/insomniacs/dad-theres-a-rat-in-here-e3729b65bf7a}, language = {English}, urldate = {2020-04-16} } @online{amawaka:20200506:shadows:889fc47, author = {Asuna Amawaka}, title = {{Shadows with a chance of BlackNix}}, date = {2020-05-06}, organization = {Medium Asuna Amawaka}, url = {https://medium.com/insomniacs/shadows-with-a-chance-of-blacknix-badc0f2f41cb}, language = {English}, urldate = {2020-06-12} } @online{amr:20190410:project:460b6e5, author = {AMR and GReAT}, title = {{Project TajMahal – a sophisticated new APT framework}}, date = {2019-04-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/project-tajmahal/90240/}, language = {English}, urldate = {2019-12-20} } @online{amr:20190925:ransomware:ec80bad, author = {AMR}, title = {{Ransomware: two pieces of good news}}, date = {2019-09-25}, organization = {Kaspersky Labs}, url = {https://securelist.com/ransomware-two-pieces-of-good-news/93355/}, language = {English}, urldate = {2020-01-08} } @online{amr:20191101:chrome:4c689f4, author = {AMR and GReAT}, title = {{Chrome 0-day exploit CVE-2019-13720 used in Operation WizardOpium}}, date = {2019-11-01}, organization = {Kaspersky Labs}, url = {https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/}, language = {English}, urldate = {2020-01-08} } @online{amr:20191210:windows:1a5c25d, author = {AMR and GReAT}, title = {{Windows 0-day exploit CVE-2019-1458 used in Operation WizardOpium}}, date = {2019-12-10}, organization = {Kaspersky Labs}, url = 
{https://securelist.com/windows-0-day-exploit-cve-2019-1458-used-in-operation-wizardopium/95432}, language = {English}, urldate = {2020-05-05} } @online{amr:20200305:mokes:698295f, author = {AMR}, title = {{Mokes and Buerak distributed under the guise of security certificates}}, date = {2020-03-05}, organization = {Kaspersky Labs}, url = {https://securelist.com/mokes-and-buerak-distributed-under-the-guise-of-security-certificates/96324/}, language = {English}, urldate = {2020-03-09} } @online{amrthabet:20110909:stuxnet:07c5348, author = {AmrThabet}, title = {{Stuxnet Malware Analysis Paper}}, date = {2011-09-09}, organization = {CodeProject}, url = {https://www.codeproject.com/articles/246545/stuxnet-malware-analysis-paper}, language = {English}, urldate = {2020-11-13} } @online{analysis:20170314:rig:56f3334, author = {Broad Analysis}, title = {{Rig Exploit Kit via the EiTest delivers CryptoShield/REVENGE ransomware}}, date = {2017-03-14}, organization = {Broad Analysis}, url = {http://www.broadanalysis.com/2017/03/14/rig-exploit-kit-via-the-eitest-delivers-cryptoshieldrevenge-ransomware/}, language = {English}, urldate = {2020-01-07} } @online{analysis:20190412:rig:0230572, author = {Analysis}, title = {{Rig Exploit Kit delivers Bunitu Malware}}, date = {2019-04-12}, organization = {BroadAnalysis}, url = {https://broadanalysis.com/2019/04/12/rig-exploit-kit-delivers-bunitu-malware/}, language = {English}, urldate = {2020-01-10} } @online{anand:20200521:blox:14090c1, author = {Chetan Anand}, title = {{Blox Tales \#6: Subpoena-Themed Phishing With CAPTCHA Redirect}}, date = {2020-05-21}, organization = {Armorblox}, url = {https://www.armorblox.com/blog/blox-tales-6-subpoena-themed-phishing-with-captcha-redirect/}, language = {English}, urldate = {2020-05-23} } @online{anbalagan:20200605:new:9f3abf8, author = {Gayathri Anbalagan}, title = {{New Campaign Abusing StackBlitz Tool to Host Phishing Pages}}, date = {2020-06-05}, organization = {Zscaler}, url = 
{https://www.zscaler.com/blogs/research/new-campaign-abusing-stackblitz-tool-host-phishing-pages}, language = {English}, urldate = {2020-08-05} } @online{ancarani:20201120:detecting:79afa40, author = {Riccardo Ancarani}, title = {{Detecting Cobalt Strike Default Modules via Named Pipe Analysis}}, date = {2020-11-20}, organization = {F-Secure Labs}, url = {https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis}, language = {English}, urldate = {2020-11-23} } @online{ancel:20150930:when:ed6915f, author = {Benoît Ancel}, title = {{When ELF.BillGates met Windows}}, date = {2015-09-30}, organization = {ThisIsSecurity}, url = {https://thisissecurity.stormshield.com/2015/09/30/when-elf-billgates-met-windows/}, language = {English}, urldate = {2020-01-13} } @online{ancel:20161020:nexter91:909eaee, author = {Benoît Ancel}, title = {{Tweet on nexter91 Panel}}, date = {2016-10-20}, organization = {Twitter (@benkow_)}, url = {https://twitter.com/benkow_/status/789006720668405760}, language = {English}, urldate = {2020-01-07} } @online{ancel:20170227:spambot:b40e584, author = {Benoît Ancel}, title = {{Spambot safari #2 - Online Mail System}}, date = {2017-02-27}, organization = {Benkow Lab}, url = {https://benkowlab.blogspot.fr/2017/02/spambot-safari-2-online-mail-system.html}, language = {English}, urldate = {2020-01-09} } @online{ancel:20170816:quick:e3a37c1, author = {Benoît Ancel}, title = {{Quick look at another Alina fork: XBOT-POS}}, date = {2017-08-16}, organization = {Benkow Lab}, url = {https://benkowlab.blogspot.de/2017/08/quick-look-at-another-alina-fork-xbot.html}, language = {English}, urldate = {2020-01-10} } @online{ancel:20170829:from:7ef6dac, author = {Benoît Ancel}, title = {{From Onliner Spambot to millions of email's lists and credentials}}, date = {2017-08-29}, organization = {Benkow Lab}, url = {https://benkowlab.blogspot.com/2017/08/from-onliner-spambot-to-millions-of.html}, language = {English}, urldate = 
{2020-01-06} } @online{ancel:20190607:zeusaction:5977152, author = {Benoît Ancel}, title = {{Tweet on ZeusAction hashes}}, date = {2019-06-07}, organization = {Twitter (@benkow_)}, url = {https://twitter.com/benkow_/status/1136983062699487232}, language = {English}, urldate = {2020-01-06} } @techreport{ancel:2019:dreambot:e29023e, author = {Benoît Ancel and Peter Kruse}, title = {{Dreambot Business overview 2019}}, date = {2019}, institution = {CSIS}, url = {http://benkow.cc/DreambotSAS19.pdf}, language = {English}, urldate = {2019-12-10} } @online{ancel:20200207:installcapital:23b3760, author = {Benoît Ancel}, title = {{InstallCapital — When AdWare Becomes Pay-per-Install Cyber-Crime}}, date = {2020-02-07}, organization = {Medium CSIS Techblog}, url = {https://medium.com/csis-techblog/installcapital-when-adware-becomes-pay-per-install-cyber-crime-15516249a451}, language = {English}, urldate = {2020-02-09} } @online{ancel:20200501:end:939414e, author = {Benoît Ancel}, title = {{The end of Dreambot? 
Obituary for a loved piece of Gozi.}}, date = {2020-05-01}, organization = {CSIS}, url = {https://medium.com/csis-techblog/the-end-of-dreambot-a-loved-piece-of-gozi-24cc9bfc8122}, language = {English}, urldate = {2020-05-05} } @online{anderson:20170612:bahamut:9810646, author = {Collin Anderson}, title = {{Bahamut, Pursuing a Cyber Espionage Actor in the Middle East}}, date = {2017-06-12}, organization = {Bellingcat}, url = {https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/}, language = {English}, urldate = {2020-01-13} } @online{anderson:20171027:bahamut:e17abf8, author = {Collin Anderson}, title = {{Bahamut Revisited, More Cyber Espionage in the Middle East and South Asia}}, date = {2017-10-27}, organization = {Bellingcat}, url = {https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/}, language = {English}, urldate = {2020-01-06} } @online{anderson:20180104:irans:dcad15c, author = {Collin Anderson and Karim Sadjapour}, title = {{Iran’s Cyber Ecosystem: Who Are the Threat Actors?}}, date = {2018-01-04}, organization = {Carnegie Endowment for International Peace}, url = {https://carnegieendowment.org/2018/01/04/iran-s-cyber-ecosystem-who-are-threat-actors-pub-75140}, language = {English}, urldate = {2020-04-25} } @online{anderson:20180703:iranian:8f4a4d5, author = {Collin Anderson}, title = {{Tweet on Iranian Malware}}, date = {2018-07-03}, organization = {Twitter (@CDA)}, url = {https://twitter.com/CDA/status/1014144988454772736}, language = {English}, urldate = {2020-09-21} } @online{anderson:20200820:revealing:7a1da00, author = {Chad Anderson}, title = {{Revealing REvil Ransomware With DomainTools and Maltego}}, date = {2020-08-20}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/revealing-revil-ransomware-with-domaintools-and-maltego}, language = {English}, urldate = {2020-08-24} } 
@online{andonov:20151207:thriving:196c5eb, author = {Dimiter Andonov and William Ballenthin and Nalani Fraser and Will Matson and Jay Taylor}, title = {{Thriving Beyond The Operating System: Financial Threat Group Targets Volume Boot Record}}, date = {2015-12-07}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2015/12/fin1-targets-boot-record.html}, language = {English}, urldate = {2020-04-21} } @online{andrewjess:20191213:python:8af049c, author = {@AndrewJess}, title = {{Стиллер паролей на python с отправкой на почту}}, date = {2019-12-13}, url = {https://habr.com/en/sandbox/135410/}, language = {Russian}, urldate = {2020-03-04} } @techreport{andriesse:201310:highly:bc65090, author = {Dennis Andriesse and Christian Rossow and Brett Stone-Gross and Daniel Plohmann and Herbert Bos}, title = {{Highly Resilient Peer-to-Peer Botnets Are Here: An Analysis of Gameover Zeus}}, date = {2013-10}, institution = {MALWARE Conference}, url = {http://www.syssec-project.eu/m/page-media/3/zeus_malware13.pdf}, language = {English}, urldate = {2020-01-08} } @online{ang:20180426:necurs:83d08fc, author = {Miguel Ang}, title = {{Necurs Evolves to Evade Spam Detection via Internet Shortcut File}}, date = {2018-04-26}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/necurs-evolves-to-evade-spam-detection-via-internet-shortcut-file/}, language = {English}, urldate = {2020-01-10} } @online{ang:20200428:loki:169b27e, author = {Miguel Ang}, title = {{Loki Info Stealer Propagates through LZH Files}}, date = {2020-04-28}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/loki-info-stealer-propagates-through-lzh-files}, language = {English}, urldate = {2020-08-14} } @online{anishell:20110603:anishell:6870af0, author = {Ani-Shell}, title = {{Ani-Shell}}, date = {2011-06-03}, organization = {Sourceforge}, url = {http://ani-shell.sourceforge.net/}, 
language = {English}, urldate = {2020-01-13} } @techreport{anomali:20171102:country:853fdd8, author = {Anomali}, title = {{Country Profile: Russian Federation}}, date = {2017-11-02}, institution = {Anomali}, url = {https://www.anomali.com/files/white-papers/russian-federation-country-profile.pdf}, language = {English}, urldate = {2020-09-23} } @online{anonymous:20170210:rebranding:877e1bd, author = {Anonymous}, title = {{Rebranding iSpy Keylogger: Gear Informer}}, date = {2017-02-10}, organization = {Wapack Labs}, url = {https://wapacklabs.blogspot.ch/2017/02/rebranding-ispy-keylogger-gear-informer.html}, language = {English}, urldate = {2020-01-07} } @online{anonymous:20201216:paste:a02ef52, author = {Anonymous}, title = {{Paste of subdomain \& DGA domain names used in SolarWinds attack}}, date = {2020-12-16}, organization = {Pastebin}, url = {https://pastebin.com/6EDgCKxd}, language = {English}, urldate = {2021-01-13} } @techreport{anssi:20190326:informations:7965c3d, author = {ANSSI}, title = {{INFORMATIONS CONCERNANT LES RANÇONGICIELS LOCKERGOGA ET RYUK}}, date = {2019-03-26}, institution = {ANSSI}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-ACT-005.pdf}, language = {French}, urldate = {2020-01-10} } @techreport{anssi:20190725:analysis:9df2d22, author = {ANSSI}, title = {{ANALYSIS OF THE AMCACHE}}, date = {2019-07-25}, institution = {ANSSI}, url = {https://www.ssi.gouv.fr/uploads/2019/01/anssi-coriin_2019-analysis_amcache.pdf}, language = {English}, urldate = {2020-12-08} } @techreport{anssi:20200129:tat:3d59e6e, author = {ANSSI}, title = {{État de la menace rançongiciel}}, date = {2020-01-29}, institution = {ANSSI}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf}, language = {English}, urldate = {2020-02-03} } @online{antenucci:20190327:psixbot:9e1a258, author = {Stefano Antenucci and Antonio Parata}, title = {{PsiXBot: The Evolution Of A Modular .NET Bot}}, date = {2019-03-27}, organization = {Fox-IT}, url = 
{https://blog.fox-it.com/2019/03/27/psixbot-the-evolution-of-a-modular-net-bot/}, language = {English}, urldate = {2019-10-12} } @online{antil:20190912:innfirat:22e8987, author = {Sahil Antil and Rohit Chaturvedi}, title = {{InnfiRAT: A new RAT aiming for your cryptocurrency and more}}, date = {2019-09-12}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/innfirat-new-rat-aiming-your-cryptocurrency-and-more}, language = {English}, urldate = {2020-01-10} } @online{antivirnews:20110120:beschreibung:678e455, author = {antivirnews}, title = {{Beschreibung des Virus Backdoor.Win32. Buterat.afj}}, date = {2011-01-20}, url = {http://antivirnews.blogspot.com/2011/01/backdoorwin32-buteratafj.html}, language = {Russian}, urldate = {2020-01-10} } @online{anton:20200602:hunting:5aa320f, author = {Anton}, title = {{Hunting Malicious Macros}}, date = {2020-06-02}, organization = {Pwntario Blog}, url = {https://blog.pwntario.com/team-posts/antons-posts/hunting-malicious-macros#first}, language = {English}, urldate = {2020-06-03} } @online{anubhav:20160923:hancitor:220140e, author = {Ankit Anubhav and Dileep Kumar Jallepalli}, title = {{Hancitor (AKA Chanitor) observed using multiple attack approaches}}, date = {2016-09-23}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2016/09/hancitor_aka_chanit.html}, language = {English}, urldate = {2019-12-20} } @online{anubhav:20180718:huawai:e28ad1e, author = {Ankit Anubhav}, title = {{Tweet on Huawei Router Hacker Anarchy}}, date = {2018-07-18}, organization = {Twitter (@ankit_anubhav)}, url = {https://twitter.com/ankit_anubhav/status/1019647993547550720}, language = {English}, urldate = {2020-01-13} } @techreport{anubislabs:20151015:dridex:4dafca8, author = {AnubisLabs}, title = {{Dridex: Chasing a botnet from the inside}}, date = {2015-10-15}, institution = {BitSight}, url = {https://cdn2.hubspot.net/hubfs/507516/ANB_MIR_Dridex_PRv7_final.pdf}, language = {English}, urldate = 
{2020-08-06} } @online{anurag:20200405:trojan:2bb6584, author = {Anurag}, title = {{Trojan Agent Tesla – Malware Analysis}}, date = {2020-04-05}, organization = {MalwrAnalysis}, url = {https://malwr-analysis.com/2020/04/05/trojan-agent-tesla-malware-analysis/}, language = {English}, urldate = {2020-04-08} } @online{anurag:20200622:njrat:381c066, author = {Anurag}, title = {{njRat Malware Analysis}}, date = {2020-06-22}, url = {https://malwr-analysis.com/2020/06/21/njrat-malware-analysis/}, language = {English}, urldate = {2020-06-22} } @online{anxin:20190116:latest:60776ef, author = {Qi Anxin}, title = {{Latest Target Attack of DarkHydruns Group Against Middle East}}, date = {2019-01-16}, organization = {360.cn}, url = {https://ti.360.net/blog/articles/latest-target-attack-of-darkhydruns-group-against-middle-east-en/}, language = {English}, urldate = {2019-12-15} } @online{anyrun:20180208:anyrun:611fc13, author = {ANY.RUN}, title = {{ANY.RUN analysis of MBRLock}}, date = {2018-02-08}, organization = {ANY.RUN}, url = {https://app.any.run/tasks/0a7e643f-7562-4575-b8a5-747bd6b5f02d}, language = {English}, urldate = {2020-01-13} } @online{anyrun:20180321:bandios:cd8a14c, author = {ANY.RUN}, title = {{Tweet on Bandios / Colony}}, date = {2018-03-21}, organization = {Twitter (@anyrun_app)}, url = {https://twitter.com/anyrun_app/status/976385355384590337}, language = {English}, urldate = {2020-01-07} } @online{anyrun:20190719:anyrun:890dfc0, author = {ANY.RUN}, title = {{ANY.RUN analysis on URL}}, date = {2019-07-19}, organization = {ANY.RUN}, url = {https://app.any.run/tasks/ea024149-8e83-41c0-b0ed-32ec38dea4a6/}, language = {English}, urldate = {2020-01-08} } @online{anyrun:20190924:anyrun:649c085, author = {ANY.RUN}, title = {{ANY.RUN analysis on unidentified sample}}, date = {2019-09-24}, organization = {ANY.RUN}, url = {https://app.any.run/tasks/4e48bcbf-015b-4a57-bb98-50f9531ff37a}, language = {English}, urldate = {2020-01-13} } 
@online{apra:20200929:cobaltstrikescan:ab5f221, author = {Apra}, title = {{CobaltStrikeScan}}, date = {2020-09-29}, organization = {Github (Apr4h)}, url = {https://github.com/Apr4h/CobaltStrikeScan}, language = {English}, urldate = {2020-10-05} } @online{aprozper:20180322:ghostminer:711cbd2, author = {Asaf Aprozper and Gal Bitensky}, title = {{GhostMiner: Cryptomining Malware Goes Fileless}}, date = {2018-03-22}, organization = {Minerva}, url = {https://blog.minerva-labs.com/ghostminer-cryptomining-malware-goes-fileless}, language = {English}, urldate = {2020-01-07} } @online{aprozper:20190128:azorult:78563e2, author = {Asaf Aprozper and Gal Bitensky}, title = {{AZORult: Now, as A Signed “Google Update”}}, date = {2019-01-28}, organization = {Minerva Labs}, url = {https://blog.minerva-labs.com/azorult-now-as-a-signed-google-update}, language = {English}, urldate = {2019-12-04} } @online{apvrille:20170315:teardown:76fb758, author = {Axelle Apvrille}, title = {{Teardown of a Recent Variant of Android/Ztorg (Part 1)}}, date = {2017-03-15}, organization = {Fortinet}, url = {https://blog.fortinet.com/2017/03/15/teardown-of-a-recent-variant-of-android-ztorg-part-1}, language = {English}, urldate = {2019-12-10} } @online{apvrille:20170315:teardown:e3c30e6, author = {Axelle Apvrille}, title = {{Teardown of Android/Ztorg (Part 2)}}, date = {2017-03-15}, organization = {Fortinet}, url = {http://blog.fortinet.com/2017/03/08/teardown-of-android-ztorg-part-2}, language = {English}, urldate = {2019-12-24} } @online{apvrille:20200918:locating:56e0b57, author = {Axelle Apvrille}, title = {{Locating the Trojan inside an infected COVID-19 contact tracing app}}, date = {2020-09-18}, organization = {Medium cryptax}, url = {https://medium.com/@cryptax/locating-the-trojan-inside-an-infected-covid-19-contact-tracing-app-21e23f90fbfe}, language = {English}, urldate = {2020-09-25} } @online{apvrille:20200925:into:cf7b514, author = {Axelle Apvrille}, title = {{Into Android Meterpreter and 
how the malware launches it - part 2}}, date = {2020-09-25}, organization = {Medium cryptax}, url = {https://medium.com/@cryptax/into-android-meterpreter-and-how-the-malware-launches-it-part-2-ef5aad2ebf12}, language = {English}, urldate = {2020-09-25} } @online{apvrille:20201213:decrypting:ee8b00f, author = {Axelle Apvrille}, title = {{Decrypting strings with a JEB script}}, date = {2020-12-13}, organization = {Medium (Cryptax)}, url = {https://cryptax.medium.com/decrypting-strings-with-a-jeb-script-1af522fa4979}, language = {English}, urldate = {2020-12-19} } @online{apvrille:20201215:unpacking:af6a6ee, author = {Axelle Apvrille}, title = {{Unpacking an Android malware with Dexcalibur and JEB}}, date = {2020-12-15}, organization = {Medium (Cryptax)}, url = {https://cryptax.medium.com/unpacking-an-android-malware-with-dexcalibur-and-jeb-59bdd905d4a7}, language = {English}, urldate = {2020-12-19} } @online{aquilino:20130715:signed:013bd1d, author = {Broderick Aquilino}, title = {{Signed Mac Malware Using Right-to-Left Override Trick}}, date = {2013-07-15}, organization = {F-Secure}, url = {https://archive.f-secure.com/weblog/archives/00002576.html}, language = {English}, urldate = {2020-05-19} } @online{aquino:20140306:siesta:9a574bc, author = {Maharlito Aquino}, title = {{The Siesta Campaign: A New Targeted Attack Awakens}}, date = {2014-03-06}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/the-siesta-campaign-a-new-targeted-attack-awakens/}, language = {English}, urldate = {2020-01-13} } @online{ar6s:2019:rat:f0a6a2f, author = {Ar6s}, title = {{[RAT] DARK TRACK ALIEN 4.1}}, date = {2019}, organization = {Cracked.to Forum}, url = {https://cracked.to/Thread-Release-RAT-Dark-track-alien-4-1}, language = {English}, urldate = {2020-01-07} } @online{arada:20130924:osxleveragea:ba6e883, author = {Eduardo De La Arada}, title = {{OSX/Leverage.a Analysis}}, date = {2013-09-24}, organization = {AT&T}, url = 
{https://www.alienvault.com/blogs/labs-research/osx-leveragea-analysis}, language = {English}, urldate = {2020-01-13} } @online{archcloud:20201126:tracking:46717fb, author = {ArchCloud}, title = {{Tracking Cryptocurrency Malware in The Homelab}}, date = {2020-11-26}, organization = {Arch Cloud Labs}, url = {https://www.archcloudlabs.com/projects/tracking_cryptominer_domains/}, language = {English}, urldate = {2020-12-03} } @techreport{archer:20190531:qealler:2d73860, author = {Jeff Archer}, title = {{Qealler Unloaded}}, date = {2019-05-31}, institution = {Github (jeFF0Falltrades)}, url = {https://github.com/jeFF0Falltrades/Malware-Writeups/blob/master/Qealler/Qealler-Unloaded.pdf}, language = {English}, urldate = {2019-12-17} } @online{archer:20190815:micropsia:8ed52a1, author = {Jeff Archer}, title = {{MICROPSIA (APT-C-23)}}, date = {2019-08-15}, organization = {Github (jeFF0Falltrades)}, url = {https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/micropsia_apt_c_23.md}, language = {English}, urldate = {2019-12-10} } @online{archer:20190914:wsh:103aefa, author = {Jeff Archer}, title = {{WSH RAT (A variant of H-Worm/Houdini)}}, date = {2019-09-14}, organization = {Github (jeFF0Falltrades)}, url = {https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/wsh_rat.md}, language = {English}, urldate = {2020-01-06} } @online{archer:20191103:dtrack:de46ce3, author = {Jeff Archer}, title = {{DTrack}}, date = {2019-11-03}, organization = {Github (jeFF0Falltrades)}, url = {https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/dtrack_lazarus_group.md}, language = {English}, urldate = {2019-12-18} } @online{archer:20191205:poshc2:3066e19, author = {Jeff Archer}, title = {{PoshC2 (specifically as used by APT33)}}, date = {2019-12-05}, organization = {Github (jeFF0Falltrades)}, url = {https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/poshc2_apt_33.md}, language = {English}, urldate = {2020-01-06} } @online{archer:20200211:metamorfo:663ae17, author = {Jeff 
Archer}, title = {{Metamorfo (aka Casbaneiro)}}, date = {2020-02-11}, organization = {Github (jeFF0Falltrades)}, url = {https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/metamorfo.md}, language = {English}, urldate = {2020-02-11} } @online{archer:20201213:highly:9fe1728, author = {Andrew Archer and Doug Bienstock and Chris DiGiamo and Glenn Edwards and Nick Hornick and Alex Pennino and Andrew Rector and Scott Runnels and Eric Scales and Nalani Fraiser and Sarah Jones and John Hultquist and Ben Read and Jon Leathery and Fred House and Dileep Jallepalli and Michael Sikorski and Stephen Eckels and William Ballenthin and Jay Smith and Alex Berry and Nick Richard and Isif Ibrahima and Dan Perez and Marcin Siedlarz and Ben Withnell and Barry Vengerik and Nicole Oppenheim and Ian Ahl and Andrew Thompson and Matt Dunwoody and Evan Reese and Steve Miller and Alyssa Rahman and John Gorman and Lennard Galang and Steve Stone and Nick Bennett and Matthew McWhirt and Mike Burns and Omer Baig and Nick Carr and Christopher Glyer and Ramin Nafisi and Microsoft}, title = {{Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor}}, date = {2020-12-13}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html}, language = {English}, urldate = {2020-12-19} } @online{arkbird:20200817:short:a510811, author = {Arkbird}, title = {{Short twitter thread with analysis on Loup ATM malware}}, date = {2020-08-17}, organization = {Twitter (@Arkbird_SOLG)}, url = {https://twitter.com/Arkbird_SOLG/status/1295396936896438272}, language = {English}, urldate = {2020-08-25} } @online{arkbird:20200903:development:cf8dd7d, author = {Arkbird}, title = {{Tweet on development in more_eggs}}, date = {2020-09-03}, organization = {Twitter (@Arkbird_SOLG)}, url = 
{https://twitter.com/Arkbird_SOLG/status/1301536930069278727}, language = {English}, urldate = {2020-09-15} } @online{arkbird:20200911:discovery:99adb88, author = {Arkbird}, title = {{Tweet on discovery of a sample}}, date = {2020-09-11}, organization = {Twitter (@Arkbird_SOLG)}, url = {https://twitter.com/Arkbird_SOLG/status/1304187749373800455}, language = {English}, urldate = {2020-10-21} } @online{arkbirdsolg:20200505:operation:448dc4a, author = {@Arkbird_SOLG}, title = {{Operation Flash Cobra}}, date = {2020-05-05}, organization = {Github (StrangerealIntel)}, url = {https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/North%20Korea/APT/Lazarus/2020-05-05/Analysis.md}, language = {English}, urldate = {2020-05-07} } @online{arkbirdsolg:20200622:ftcode:1f79b62, author = {Twitter (@Arkbird_SOLG)}, title = {{FTcode targets European countries}}, date = {2020-06-22}, organization = {Github (StrangerealIntel)}, url = {https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Additional%20Analysis/Unknown/2020-06-22/Analysis.md}, language = {English}, urldate = {2020-06-24} } @online{armelli:20200708:named:c581e3d, author = {Matthew Armelli and Stuart Caudill and John Patrick Dees and Max Egar and Jennifer Keltz and Lan Pelekis and John Sakellariadis and Vipratap Vikram Singh and Katherine von Ofenheim and Neal Pollard}, title = {{Named But Hardly Shamed: What is the Impact of Information Disclosures on an APT Operations?}}, date = {2020-07-08}, organization = {COLUMBIA | SIPA}, url = {https://sipa.columbia.edu/file/12461/download?token=o5TRWZnI}, language = {English}, urldate = {2020-07-13} } @techreport{army:20200724:atp:37eeefe, author = {Department of the Army}, title = {{ATP 7-100.2: North Korean Tactics}}, date = {2020-07-24}, institution = {Department of the Army}, url = {https://armypubs.army.mil/epubs/DR_pubs/DR_a/ARN30043-ATP_7-100.2-000-WEB-2.pdf}, language = {English}, urldate = {2020-08-20} } @online{arndt:20200924:zloader:ad8bf21, 
author = {Jamie Arndt}, title = {{zLoader XLM Update: Macro code and behavior change}}, date = {2020-09-24}, organization = {Click All the Things! Blog}, url = {https://clickallthethings.wordpress.com/2020/09/21/zloader-xlm-update-macro-code-and-behavior-change/}, language = {English}, urldate = {2020-09-25} } @online{arneson:20190124:cisco:58d9a8f, author = {John Arneson}, title = {{Cisco AMP tracks new campaign that delivers Ursnif}}, date = {2019-01-24}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/01/amp-tracks-ursnif.html}, language = {English}, urldate = {2019-10-12} } @online{arntz:20171031:analyzing:9d5c49e, author = {Pieter Arntz}, title = {{Analyzing malware by API calls}}, date = {2017-10-31}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/10/analyzing-malware-by-api-calls/}, language = {English}, urldate = {2019-12-20} } @online{arntz:20200710:threat:f64cac0, author = {Pieter Arntz}, title = {{Threat spotlight: WastedLocker, customized ransomware}}, date = {2020-07-10}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-spotlight/2020/07/threat-spotlight-wastedlocker-customized-ransomware/}, language = {English}, urldate = {2020-07-15} } @online{arntz:20200813:chrome:2120054, author = {Pieter Arntz}, title = {{Chrome extensions that lie about their permissions}}, date = {2020-08-13}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/puppum/2020/08/chrome-extensions-that-lie-about-their-permissions/}, language = {English}, urldate = {2020-08-14} } @online{arntz:20201215:threat:8286d80, author = {Pieter Arntz}, title = {{Threat profile: Egregor ransomware is making a name for itself}}, date = {2020-12-15}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/ransomware/2020/12/threat-profile-egregor-ransomware-is-making-a-name-for-itself/}, language = {English}, urldate = {2021-01-11} } 
@online{aronov:20150723:analysis:0162f34, author = {Igor Aronov}, title = {{An Analysis of the Qadars Banking Trojan}}, date = {2015-07-23}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/an-analysis-of-the-qadars-trojan/}, language = {English}, urldate = {2020-01-10} } @online{arsene:20160808:possibly:55e5441, author = {Liviu Arsene}, title = {{Possibly Italy-Born Android RAT Reported in China, Find Bitdefender Researchers}}, date = {2016-08-08}, organization = {Bitdefender}, url = {https://hotforsecurity.bitdefender.com/blog/possibly-italy-born-android-rat-reported-in-china-find-bitdefender-researchers-16264.html}, language = {English}, urldate = {2020-01-06} } @online{arsene:20171026:keranger:a908ea4, author = {Liviu Arsene}, title = {{Keranger: the first “in-the-wild” ransomware for Macs. But certainly not the last}}, date = {2017-10-26}, organization = {Macworld}, url = {https://www.macworld.com/article/3234650/macs/keranger-the-first-in-the-wild-ransomware-for-macs-but-certainly-not-the-last.html}, language = {English}, urldate = {2020-01-08} } @online{arsene:20200107:hold:b9c1aa4, author = {Liviu Arsene}, title = {{Hold My Beer Mirai – Spinoff Named ‘LiquorBot’ Incorporates Cryptomining}}, date = {2020-01-07}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2020/01/hold-my-beer-mirai-spinoff-named-liquorbot-incorporates-cryptomining/}, language = {English}, urldate = {2020-01-13} } @techreport{arsene:20200318:new:2d895da, author = {Liviu Arsene and Radu Tudorica and Alexandru Maximciuc and Cristina Vatamanu}, title = {{New TrickBot Module Bruteforces RDP Connections, Targets Select Telecommunication Services in US and Hong Kong}}, date = {2020-03-18}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/316/Bitdefender-Whitepaper-TrickBot-en-EN-interactive.pdf}, language = {English}, urldate = {2020-03-19} } @online{arsene:20200320:5:46813c6, author = {Liviu Arsene}, 
title = {{5 Times More Coronavirus-themed Malware Reports during March}}, date = {2020-03-20}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter}, language = {English}, urldate = {2020-03-26} } @online{arsene:20200325:new:51ce027, author = {Liviu Arsene}, title = {{New Router DNS Hijacking Attacks Abuse Bitbucket to Host Infostealer}}, date = {2020-03-25}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2020/03/new-router-dns-hijacking-attacks-abuse-bitbucket-to-host-infostealer/}, language = {English}, urldate = {2020-03-30} } @online{arsene:20200326:android:946032b, author = {Liviu Arsene}, title = {{Android Apps and Malware Capitalize on Coronavirus}}, date = {2020-03-26}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2020/03/android-apps-and-malware-capitalize-on-coronavirus}, language = {English}, urldate = {2020-03-26} } @online{arsene:20200513:global:6217d6f, author = {Liviu Arsene}, title = {{Global Ransomware and Cyberattacks on Healthcare Spike during Pandemic}}, date = {2020-05-13}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2020/05/global-ransomware-and-cyberattacks-on-healthcare-spike-during-pandemic/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter}, language = {English}, urldate = {2020-07-06} } @techreport{arsene:20200521:iranian:d9e1468, author = {Liviu Arsene and Bogdan Rusu}, title = {{Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia}}, date = {2020-05-21}, institution = {Bitdefender}, url = {https://bitdefender.com/files/News/CaseStudies/study/332/Bitdefender-Whitepaper-Chafer-creat4491-en-EN-interactive.pdf}, language = {English}, urldate = {2020-05-23} } @techreport{arsene:20200630:strongpity:ed365fb, author = {Liviu Arsene and Radu Tudorica and Cristina Vatamanu and Alexandru Maximciuc}, 
title = {{StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure}}, date = {2020-06-30}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf}, language = {English}, urldate = {2020-06-30} } @techreport{arsene:20200820:more:a98fa7e, author = {Liviu Arsene and Victor Vrabie and Bogdan Rusu and Alexandru Maximciuc and Cristina Vatamanu}, title = {{More Evidence of APT Hackers-for-Hire Used for Industrial Espionage}}, date = {2020-08-20}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/365/Bitdefender-PR-Whitepaper-APTHackers-creat4740-en-EN-GenericUse.pdf}, language = {English}, urldate = {2020-08-27} } @online{arsene:20201123:trickbot:bcf3c42, author = {Liviu Arsene and Radu Tudorica}, title = {{TrickBot is Dead. Long Live TrickBot!}}, date = {2020-11-23}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2020/11/trickbot-is-dead-long-live-trickbot/}, language = {English}, urldate = {2020-11-25} } @online{arzamendi:20180118:arc:384a9b0, author = {Pete Arzamendi and Matt Bing and Kirk Soluk}, title = {{The ARC of Satori}}, date = {2018-01-18}, organization = {NetScout}, url = {https://www.arbornetworks.com/blog/asert/the-arc-of-satori/}, language = {English}, urldate = {2019-11-29} } @techreport{asd:20181214:investigationreport:6eda856, author = {ASD}, title = {{Investigation report: Compromise of an Australian company via their Managed Service Provider}}, date = {2018-12-14}, institution = {Australian Cyber Security Centre}, url = {https://www.cyber.gov.au/sites/default/files/2019-03/msp_investigation_report.pdf}, language = {English}, urldate = {2020-03-11} } @online{asec:20171016:operation:68f1182, author = {ASEC}, title = {{Operation Bitter Biscuit}}, date = {2017-10-16}, organization = {AhnLab}, url = {http://asec.ahnlab.com/tag/Operation%20Bitter%20Biscuit}, language = {Korean}, urldate = 
{2020-01-13} } @techreport{asec:20191010:asec:6452cd4, author = {ASEC}, title = {{ASEC Report Vol. 96}}, date = {2019-10-10}, institution = {AhnLab}, url = {https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.96_ENG.pdf}, language = {English}, urldate = {2020-01-13} } @online{ash:20180626:rancor:99f5616, author = {Brittany Ash and Josh Grunzweig and Tom Lancaster}, title = {{RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families}}, date = {2018-06-26}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/}, language = {English}, urldate = {2019-12-20} } @online{ash:20180626:rancor:cc2a967, author = {Brittany Ash and Josh Grunzweig and Tom Lancaster}, title = {{RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families}}, date = {2018-06-26}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/}, language = {English}, urldate = {2019-12-18} } @online{ashford:20180802:three:1fa3b70, author = {Warwick Ashford}, title = {{Three Carbanak cyber heist gang members arrested}}, date = {2018-08-02}, organization = {ComputerWeekly}, url = {https://www.computerweekly.com/news/252446153/Three-Carbanak-cyber-heist-gang-members-arrested}, language = {English}, urldate = {2020-01-10} } @online{ashman:20190605:upgraded:519af7d, author = {Ofir Ashman}, title = {{Upgraded JasperLoader Infecting Machines with New Targets & Functional Improvements: What You Need to Know}}, date = {2019-06-05}, organization = {ThreatStop}, url = {https://blog.threatstop.com/upgraded-jasperloader-infecting-machines}, language = {English}, urldate = {2020-01-08} } @online{ashton:20200621:maersk:5121522, author = {Gavin Ashton}, title = {{Maersk, me & notPetya}}, date 
= {2020-06-21}, organization = {GVNSHTN}, url = {https://gvnshtn.com/maersk-me-notpetya/}, language = {English}, urldate = {2020-08-18} } @online{asinovsky:20200618:ginp:724e3ef, author = {Pavel Asinovsky}, title = {{Ginp Malware Operations are on the Rise, Aiming to Expand in Turkey}}, date = {2020-06-18}, organization = {IBM Security}, url = {https://securityintelligence.com/posts/ginp-malware-operations-rising-expansions-turkey/}, language = {English}, urldate = {2020-06-19} } @online{askar:20190830:github:81bb2c2, author = {Askar}, title = {{Github Repository of Octopus}}, date = {2019-08-30}, organization = {Github (mhaskar)}, url = {https://github.com/mhaskar/Octopus}, language = {English}, urldate = {2021-01-04} } @online{askar:20200726:inmemory:5556cad, author = {Askar}, title = {{In-Memory shellcode decoding to evade AVs/EDRs}}, date = {2020-07-26}, organization = {Shells.System blog}, url = {https://shells.systems/in-memory-shellcode-decoding-to-evade-avs/}, language = {English}, urldate = {2020-07-30} } @online{asoltanei:20200331:infected:eaa940e, author = {Oana Asoltanei and Alin Mihai Barbatei and Ioan-Septimiu Dinulica}, title = {{Infected Zoom Apps for Android Target Work-From-Home Users}}, date = {2020-03-31}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2020/03/infected-zoom-apps-for-android-target-work-from-home-users}, language = {English}, urldate = {2020-04-07} } @techreport{asoltanei:20200619:bitterapt:2e8e1d2, author = {Oana Asoltanei and Denis Cosmin Nutiu and Alin Mihai Barbatei}, title = {{BitterAPT Revisited: the Untold Evolution of an Android Espionage Tool}}, date = {2020-06-19}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/352/Bitdefender-PR-Whitepaper-BitterAPT-creat4571-en-EN-GenericUse.pdf}, language = {English}, urldate = {2020-06-21} } @online{asoltanei:20201008:fake:88db68e, author = {Oana Asoltanei and Elena Flondor and Alin Mihai Barbatei and Liviu Aarsene}, 
title = {{Fake Users Rave but Real Users Rant as Apps on Google Play Deal Aggressive Adware}}, date = {2020-10-08}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2020/10/fake-users-rave-but-real-users-rant-as-apps-on-google-play-deal-aggressive-adware/}, language = {English}, urldate = {2020-10-12} } @online{asrar:201901:destructive:f4cc200, author = {Irfan Asrar}, title = {{Destructive Attack "Dustman" Technical Report}}, date = {2019-01}, organization = {LinkedIn Irfan Asrar}, url = {https://www.linkedin.com/posts/iasrar_dustman-report-in-english-activity-6619216346083393537-NV1z/}, language = {English}, urldate = {2020-01-13} } @online{asrar:20200104:dustman:8df5168, author = {Irfan Asrar}, title = {{Tweet on Dustman}}, date = {2020-01-04}, organization = {Twitter (@Irfan_Asrar)}, url = {https://twitter.com/Irfan_Asrar/status/1213544175355908096}, language = {English}, urldate = {2020-01-09} } @online{assante:20151230:current:342c55e, author = {Michael J. Assante}, title = {{Current Reporting on the Cyber Attack in Ukraine Resulting in Power Outage}}, date = {2015-12-30}, organization = {SANS}, url = {https://ics.sans.org/blog/2015/12/30/current-reporting-on-the-cyber-attack-in-ukraine-resulting-in-power-outage}, language = {English}, urldate = {2019-12-17} } @online{aswanda:20180622:formbook:ce3c98b, author = {Aswanda}, title = {{FormBook stealer: Data theft made easy}}, date = {2018-06-22}, organization = {InQuest}, url = {http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/}, language = {English}, urldate = {2020-01-09} } @online{attck:2019:admin338:c8e4d93, author = {MITRE ATT&CK}, title = {{Group description: admin@338}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0018/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:apt1:9f69f1f, author = {MITRE ATT&CK}, title = {{Group description: APT1}}, date = {2019}, organization = {MITRE}, url = 
{https://attack.mitre.org/groups/G0006/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:apt28:f03c2bd, author = {MITRE ATT&CK}, title = {{Group description: APT28}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0007/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:apt37:b488fef, author = {MITRE ATT&CK}, title = {{Group description: APT37}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0067/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:apt39:573abf3, author = {MITRE ATT&CK}, title = {{Group description: APT39}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0087/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:blackoasis:ceb12ff, author = {MITRE ATT&CK}, title = {{Group description: BlackOasis}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0063/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:bronze:b7965ff, author = {MITRE ATT&CK}, title = {{Group description: BRONZE BUTLER}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0060/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:carbanak:0e2fe5c, author = {MITRE ATT&CK}, title = {{Group description: Carbanak}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0008/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:charming:f900c21, author = {MITRE ATT&CK}, title = {{Group description: Charming Kitten}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0058/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:cleaver:ac864e2, author = {MITRE ATT&CK}, title = {{Group description: Cleaver}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0003/}, language = {English}, urldate = {2019-12-20} } 
@online{attck:2019:cobalt:0e0496e, author = {MITRE ATT&CK}, title = {{Group description: Cobalt Group}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0080/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:copykittens:a691b76, author = {MITRE ATT&CK}, title = {{Group description: CopyKittens}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0052/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:dark:01cd067, author = {MITRE ATT&CK}, title = {{Group description: Dark Caracal}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0070/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:darkhotel:eab9170, author = {MITRE ATT&CK}, title = {{Group description: Darkhotel}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0012/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:darkhydrus:b9db207, author = {MITRE ATT&CK}, title = {{Group description: DarkHydrus}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0079/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:deep:7220dc2, author = {MITRE ATT&CK}, title = {{Group description: Deep Panda}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0009/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:dragonfly:c84141f, author = {MITRE ATT&CK}, title = {{Group description: Dragonfly}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0035/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:dragonok:f2cc4fa, author = {MITRE ATT&CK}, title = {{Group description: DragonOK}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0017/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:dust:699660d, author = {MITRE ATT&CK}, title = {{Group description: 
Dust Storm}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0031/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:elderwood:581a3e4, author = {MITRE ATT&CK}, title = {{Group description: Elderwood}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0066/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:equation:8b2ae74, author = {MITRE ATT&CK}, title = {{Group description: Equation}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0020/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:fin10:ae5d375, author = {MITRE ATT&CK}, title = {{Group description: FIN10}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0051/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:fin4:dd68444, author = {MITRE ATT&CK}, title = {{Group description: FIN4}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0085/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:fin5:48f7065, author = {MITRE ATT&CK}, title = {{Group description: FIN5}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0053/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:fin6:791eaef, author = {MITRE ATT&CK}, title = {{Group description: FIN6}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0037/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:fin7:be45dfe, author = {MITRE ATT&CK}, title = {{Group description: FIN7}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0046/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:fin8:2b2b924, author = {MITRE ATT&CK}, title = {{Group description: FIN8}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0061}, language = {English}, urldate = {2019-12-20} } 
@online{attck:2019:gamaredon:982ecc4, author = {MITRE ATT&CK}, title = {{Group description: Gamaredon Group}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0047/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:gcman:23384a0, author = {MITRE ATT&CK}, title = {{Group description: GCMAN}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0036/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:gorgon:f7c9936, author = {MITRE ATT&CK}, title = {{Group description: Gorgon Group}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0078/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:group5:fcdeaa8, author = {MITRE ATT&CK}, title = {{Group description: Group5}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0043/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:honeybee:9d1ffa6, author = {MITRE ATT&CK}, title = {{Group description: Honeybee}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0072/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:ke3chang:89a4a35, author = {MITRE ATT&CK}, title = {{Group description: Ke3chang}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0004/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:lazarus:a298c2f, author = {MITRE ATT&CK}, title = {{Group description: Lazarus Group}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0032/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:leafminer:c73518e, author = {MITRE ATT&CK}, title = {{Group description: Leafminer}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0077/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:leviathan:249223a, author = {MITRE ATT&CK}, title = {{Group description: 
Leviathan}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0065/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:lotus:98bf87a, author = {MITRE ATT&CK}, title = {{Group description: Lotus Blossom}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0030/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:magic:f2f07ab, author = {MITRE ATT&CK}, title = {{Group description: Magic Hound}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0059/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:menupass:8fde950, author = {MITRE ATT&CK}, title = {{Group description: menuPass}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0045/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:moafee:021312c, author = {MITRE ATT&CK}, title = {{Group description: Moafee}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0002/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:molerats:9927c33, author = {MITRE ATT&CK}, title = {{Group description: Molerats}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0021/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:muddywater:b990d10, author = {MITRE ATT&CK}, title = {{Group description: MuddyWater}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0069/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:naikon:f6661ca, author = {MITRE ATT&CK}, title = {{Group description: Naikon}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0019/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:neodymium:2979fa4, author = {MITRE ATT&CK}, title = {{Group description: NEODYMIUM}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0055/}, 
language = {English}, urldate = {2019-12-20} } @online{attck:2019:night:45c6d39, author = {MITRE ATT&CK}, title = {{Group description: Night Dragon}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0014/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:oilrig:40b5deb, author = {MITRE ATT&CK}, title = {{Group description: OilRig}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0049/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:orangeworm:7b6180d, author = {MITRE ATT&CK}, title = {{Group description: Orangeworm}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0071/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:patchwork:b9fa9e1, author = {MITRE ATT&CK}, title = {{Group description: Patchwork}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0040/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:pittytiger:9fde514, author = {MITRE ATT&CK}, title = {{Group description: PittyTiger}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0011/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:platinum:7fbd5ec, author = {MITRE ATT&CK}, title = {{Group description: PLATINUM}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0068/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:poseidon:9c4e9d2, author = {MITRE ATT&CK}, title = {{Group description: Poseidon Group}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0033/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:promethium:845588e, author = {MITRE ATT&CK}, title = {{Group description: PROMETHIUM}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0056/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:putter:db997a2, 
author = {MITRE ATT&CK}, title = {{Group description: Putter Panda}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0024/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:rancor:d326bb1, author = {MITRE ATT&CK}, title = {{Group description: Rancor}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0075/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:rtm:24fd219, author = {MITRE ATT&CK}, title = {{Group description: RTM}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0048/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:sandworm:2c635f5, author = {MITRE ATT&CK}, title = {{Group description: Sandworm Team}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0034/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:scarlet:c7d064d, author = {MITRE ATT&CK}, title = {{Group description: Scarlet Mimic}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0029/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:sowbug:1065fa1, author = {MITRE ATT&CK}, title = {{Group description: Sowbug}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0054/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:stealth:5d9f9cd, author = {MITRE ATT&CK}, title = {{Group description: Stealth Falcon}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0038/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:stolen:1489d7d, author = {MITRE ATT&CK}, title = {{Group description: Stolen Pencil}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0086/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:strider:e8991a7, author = {MITRE ATT&CK}, title = {{Group description: Strider}}, date = {2019}, organization = 
{MITRE}, url = {https://attack.mitre.org/groups/G0041/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:suckfly:686a402, author = {MITRE ATT&CK}, title = {{Group description: Suckfly}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0039/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:ta459:3a8408d, author = {MITRE ATT&CK}, title = {{Group description: TA459}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0062/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:taidoor:e2e9ac3, author = {MITRE ATT&CK}, title = {{Group description: Taidoor}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0015/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:tempveles:c62b7f7, author = {MITRE ATT&CK}, title = {{Group description: TEMP.Veles}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0088/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:threat:739dbdd, author = {MITRE ATT&CK}, title = {{Group description: Threat Group-3390}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0027/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:thrip:b7cf7c3, author = {MITRE ATT&CK}, title = {{Group description: Thrip}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0076/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:tool:5022816, author = {MITRE ATT&CK}, title = {{Tool description: NanHaiShu}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/software/S0228/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:tool:ae50919, author = {MITRE ATT&CK}, title = {{Tool description: BUBBLEWRAP}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/software/S0043/}, language = {English}, urldate = {2019-12-20} } 
@online{attck:2019:tool:aef0372, author = {MITRE ATT&CK}, title = {{Tool description: HALFBAKED}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/software/S0151/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:tool:e80f843, author = {MITRE ATT&CK}, title = {{Tool description: ELMER}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/software/S0064}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:tool:ebc79ce, author = {MITRE ATT&CK}, title = {{Tool description: BLACKCOFFEE}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/software/S0069/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:tool:fd89dda, author = {MITRE ATT&CK}, title = {{Tool description: China Chopper}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/software/S0020/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:tropic:0324452, author = {MITRE ATT&CK}, title = {{Group description: Tropic Trooper}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0081/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:turla:6c3dec8, author = {MITRE ATT&CK}, title = {{Group description: Turla}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0010/}, language = {English}, urldate = {2019-12-20} } @online{attck:2019:winnti:ad3b350, author = {MITRE ATT&CK}, title = {{Group description: Winnti Group}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0044/}, language = {English}, urldate = {2019-12-20} } @online{attck:20210106:attck:841bad7, author = {MITRE ATT&CK}, title = {{ATT&CK Navigator layer for UNC2452}}, date = {2021-01-06}, organization = {MITRE}, url = {https://mitre-attack.github.io/attack-navigator/#layerURL=https://raw.githubusercontent.com/center-for-threat-informed-defense/public-resources/master/solorigate/UNC2452.json}, 
language = {English}, urldate = {2021-01-11} } @online{atweeteruser:20190726:malware:dce6863, author = {a_tweeter_user}, title = {{Tweet on Malware}}, date = {2019-07-26}, organization = {Twitter (@a_tweeter_user)}, url = {https://twitter.com/a_tweeter_user/status/1154764787823316993}, language = {English}, urldate = {2020-01-08} } @online{authos:20160320:hidden:151e4e4, author = {Tripwire Guest Authors}, title = {{Hidden Tear Project: Forbidden Fruit Is the Sweetest}}, date = {2016-03-20}, organization = {Tripwire}, url = {https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/hidden-tear-project-forbidden-fruit-is-the-sweetest/}, language = {English}, urldate = {2020-01-08} } @online{avast:20171220:video:4c6aaa5, author = {Avast}, title = {{Video about Catelites Bot - Airbank Example}}, date = {2017-12-20}, organization = {YouTube}, url = {https://www.youtube.com/watch?v=1LOy0ZyjEOk}, language = {English}, urldate = {2020-01-07} } @online{avast:2018:hide:cd78bb0, author = {Avast}, title = {{Hide 'N Seek}}, date = {2018}, organization = {Avast}, url = {https://threatlabs.avast.com/botnet}, language = {English}, urldate = {2019-12-17} } @online{aydinbas:20190502:formbook:d1ef715, author = {Johann Aydinbas}, title = {{FormBook - Hiding in plain sight}}, date = {2019-05-02}, organization = {Usual Suspect RE}, url = {https://usualsuspect.re/article/formbook-hiding-in-plain-sight}, language = {English}, urldate = {2020-01-13} } @techreport{ayers:20191113:through:70cc3b3, author = {Jen Ayers and Jason Rivera}, title = {{Through the Eyes of the Adversary}}, date = {2019-11-13}, institution = {CrowdStrike}, url = {https://na.eventscloud.com/file_uploads/6568237bca6dc156e5c5557c5989e97c_CrowdStrikeFal.Con2019_ThroughEyesOfAdversary_J.Ayers.pdf}, language = {English}, urldate = {2020-03-22} } @online{b:20200815:doublefantasy:6c843b6, author = {Adrien B}, title = {{Tweet on DoubleFantasy}}, date = {2020-08-15}, organization = {Twitter (@Int2e_)}, 
url = {https://twitter.com/Int2e_/status/1294565186939092994}, language = {English}, urldate = {2020-08-18} } @online{babaee:20200908:automated:eb3272c, author = {Hamidreza Babaee}, title = {{Automated dynamic import resolving using binary emulation}}, date = {2020-09-08}, organization = {Lopqto's Adventures}, url = {https://lopqto.me/posts/automated-dynamic-import-resolving}, language = {English}, urldate = {2020-09-09} } @online{babe:201904:analyzing:3a404ff, author = {Cafe Babe}, title = {{Analyzing Emotet with Ghidra — Part 1}}, date = {2019-04}, url = {https://medium.com/@0xd0cf11e/analyzing-emotet-with-ghidra-part-1-4da71a5c8d69}, language = {English}, urldate = {2019-12-06} } @online{baca:20200326:would:a184711, author = {Alejandro Baca and Rodel Mendrez}, title = {{Would You Exchange Your Security for a Gift Card?}}, date = {2020-03-26}, organization = {SpiderLabs Blog}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/would-you-exchange-your-security-for-a-gift-card/}, language = {English}, urldate = {2020-03-30} } @techreport{backdoor:201803:oceanlotus:a2c3636, author = {ESET Research}, title = {{OceanLotus: Old techniques, new backdoor}}, date = {2018-03}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2018/03/ESET_OceanLotus.pdf}, language = {English}, urldate = {2020-01-07} } @online{bacurio:20160621:curious:8607f46, author = {Floser Bacurio and Roland Dela Paz}, title = {{The Curious Case of an Unknown Trojan Targeting German-Speaking Users}}, date = {2016-06-21}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/the-curious-case-of-an-unknown-trojan-targeting-german-speaking-users.html}, language = {English}, urldate = {2020-01-08} } @online{bacurio:20170214:remcos:e924c55, author = {Floser Bacurio and Joie Salvio}, title = {{REMCOS: A New RAT In The Wild}}, date = {2017-02-14}, organization = {Fortinet}, url = 
{https://blog.fortinet.com/2017/02/14/remcos-a-new-rat-in-the-wild-2}, language = {English}, urldate = {2020-01-09} } @online{bacurio:20171207:peculiar:e4c095f, author = {Floser Bacurio and Joie Salvio}, title = {{A Peculiar Case of Orcus RAT Targeting Bitcoin Investors}}, date = {2017-12-07}, organization = {Fortinet}, url = {https://blog.fortinet.com/2017/12/07/a-peculiar-case-of-orcus-rat-targeting-bitcoin-investors}, language = {English}, urldate = {2020-01-08} } @online{bader:20150112:dga:b961e18, author = {Johannes Bader}, title = {{The DGA of Shiotob}}, date = {2015-01-12}, url = {https://www.johannesbader.ch/2015/01/the-dga-of-shiotob/}, language = {English}, urldate = {2019-12-19} } @online{bader:20150210:dga:2ff5cf7, author = {Johannes Bader}, title = {{The DGA of Banjori}}, date = {2015-02-10}, organization = {Johannes Bader's Blog}, url = {https://www.johannesbader.ch/2015/02/the-dga-of-banjori/}, language = {English}, urldate = {2020-01-07} } @online{bader:20150306:dga:3673443, author = {Johannes Bader}, title = {{The DGA of DirCrypt}}, date = {2015-03-06}, url = {https://www.johannesbader.ch/2015/03/the-dga-of-dircrypt/}, language = {English}, urldate = {2019-11-28} } @online{bader:20150310:dga:4409507, author = {Johannes Bader}, title = {{The DGA of Pykspa}}, date = {2015-03-10}, organization = {Johannes Bader Blog}, url = {https://www.johannesbader.ch/2015/03/the-dga-of-pykspa/}, language = {English}, urldate = {2019-12-19} } @online{bader:20150522:dga:9ba1744, author = {Johannes Bader}, title = {{The DGA of Ranbyus}}, date = {2015-05-22}, organization = {Johannes Bader Blog}, url = {https://www.johannesbader.ch/2015/05/the-dga-of-ranbyus/}, language = {English}, urldate = {2020-01-06} } @online{bader:20150610:win32upatrebi:36ea1eb, author = {Johannes Bader}, title = {{Win32/Upatre.BI - Part One}}, date = {2015-06-10}, url = {https://johannesbader.ch/2015/06/Win32-Upatre-BI-Part-1-Unpacking/}, language = {English}, urldate = {2019-12-02} } 
@online{bader:20150719:faulty:e287eee, author = {Johannes Bader}, title = {{The Faulty Precursor of Pykspa's DGA}}, date = {2015-07-19}, organization = {Johannes Bader Blog}, url = {https://www.johannesbader.ch/2015/07/pykspas-inferior-dga-version/}, language = {English}, urldate = {2020-01-09} } @online{bader:20160110:dga:cb8a5e5, author = {Johannes Bader}, title = {{The DGA in Alureon/DNSChanger}}, date = {2016-01-10}, url = {https://www.johannesbader.ch/2016/01/the-dga-in-alureon-dnschanger/}, language = {English}, urldate = {2019-12-17} } @online{bader:20160221:phorpiex:ab65d87, author = {Johannes Bader}, title = {{Phorpiex - An IRC worm}}, date = {2016-02-21}, organization = {Johannes Bader Blog}, url = {https://www.johannesbader.ch/2016/02/phorpiex/}, language = {English}, urldate = {2020-01-06} } @online{bader:20160224:dga:735ff10, author = {Johannes Bader}, title = {{The DGA of Qakbot.T}}, date = {2016-02-24}, organization = {Johannes Bader Blog}, url = {https://www.johannesbader.ch/2016/02/the-dga-of-qakbot/}, language = {English}, urldate = {2020-01-06} } @online{bader:20160306:dga:fe673b7, author = {Johannes Bader}, title = {{The DGA of PadCrypt}}, date = {2016-03-06}, url = {https://johannesbader.ch/2016/03/the-dga-of-padcrypt/}, language = {English}, urldate = {2019-12-06} } @online{bader:20160412:dga:469d85e, author = {Johannes Bader}, title = {{The DGA of Qadars v3}}, date = {2016-04-12}, url = {https://www.johannesbader.ch/2016/04/the-dga-of-qadars/}, language = {English}, urldate = {2019-07-11} } @online{bader:20170725:dridex:44f64d8, author = {Johannes Bader}, title = {{Dridex Loot}}, date = {2017-07-25}, organization = {Github (viql)}, url = {https://viql.github.io/dridex/}, language = {English}, urldate = {2020-01-07} } @online{bader:20180429:new:b8e7b59, author = {Johannes Bader}, title = {{The new Domain Generation Algorithm of Nymaim}}, date = {2018-04-29}, url = 
{https://johannesbader.ch/2018/04/the-new-domain-generation-algorithm-of-nymaim/}, language = {English}, urldate = {2020-01-07} } @online{bader:20190708:dga:0c56ba3, author = {Johannes Bader}, title = {{The DGA of Pitou}}, date = {2019-07-08}, url = {https://johannesbader.ch/2019/07/the-dga-of-pitou/}, language = {English}, urldate = {2020-01-10} } @online{bader:20191112:dga:0a1d2c8, author = {Johannes Bader}, title = {{The DGA of QSnatch}}, date = {2019-11-12}, organization = {Johannes Bader Blog}, url = {https://bin.re/blog/the-dga-of-qsnatch/}, language = {English}, urldate = {2020-01-13} } @online{bader:20200123:dga:129802e, author = {Johannes Bader}, title = {{The DGA of a Monero Miner Downloader}}, date = {2020-01-23}, organization = {Johannes Bader's Blog}, url = {https://johannesbader.ch/blog/the-dga-of-a-monero-miner-downloader/}, language = {English}, urldate = {2020-01-27} } @online{bader:20200426:dga:edd448c, author = {Johannes Bader}, title = {{The DGA of Zloader}}, date = {2020-04-26}, organization = {Johannes Bader's Blog}, url = {https://johannesbader.ch/blog/the-dga-of-zloader/}, language = {English}, urldate = {2020-04-26} } @online{bader:20200714:domain:51498ab, author = {Johannes Bader}, title = {{The Domain Generation Algorithm of BazarBackdoor}}, date = {2020-07-14}, organization = {Johannes Bader's Blog}, url = {https://johannesbader.ch/blog/the-dga-of-bazarbackdoor/}, language = {English}, urldate = {2020-07-15} } @online{bader:20200715:defective:3a3721f, author = {Johannes Bader}, title = {{The Defective Domain Generation Algorithm of BazarBackdoor}}, date = {2020-07-15}, organization = {Johannes Bader's Blog}, url = {https://johannesbader.ch/blog/the-buggy-dga-of-bazarbackdoor/}, language = {English}, urldate = {2020-07-15} } @online{bader:20201216:next:a8f5998, author = {Johannes Bader}, title = {{Next Version of the Bazar Loader DGA}}, date = {2020-12-16}, organization = {Johannes Bader's Blog}, url = 
{https://johannesbader.ch/blog/next-version-of-the-bazarloader-dga/}, language = {English}, urldate = {2020-12-16} } @techreport{bailey:201601:matryoshka:3c7753f, author = {Michael Bailey}, title = {{MATRYOSHKA MINING}}, date = {2016-01}, institution = {FireEye}, url = {https://www2.fireeye.com/rs/848-DID-242/images/wp-mandiant-matryoshka-mining.pdf}, language = {English}, urldate = {2019-11-27} } @online{bailey:20190422:carbanak:c94c9f1, author = {Michael Bailey and James T. Bennett}, title = {{CARBANAK Week Part One: A Rare Occurrence}}, date = {2019-04-22}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-one-a-rare-occurrence.html}, language = {English}, urldate = {2019-12-20} } @online{bailey:20190423:carbanak:cbe986c, author = {Michael Bailey and James T. Bennett}, title = {{CARBANAK Week Part Two: Continuing the CARBANAK Source Code Analysis}}, date = {2019-04-23}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-two-continuing-source-code-analysis.html}, language = {English}, urldate = {2019-12-20} } @online{bailey:20200208:reversing:b033cdc, author = {Michael Bailey}, title = {{Reversing the Gophe SPambot: Confronting COM Code and Surmounting STL Snags}}, date = {2020-02-08}, organization = {FireEye}, url = {https://github.com/strictlymike/presentations/tree/master/2020/2020.02.08_BSidesHuntsville}, language = {English}, urldate = {2020-10-05} } @online{bailey:20200407:thinking:7ee19d0, author = {Michael Bailey}, title = {{Thinking Outside the Bochs: Code Grafting to Unpack Malware in Emulation}}, date = {2020-04-07}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/04/code-grafting-to-unpack-malware-in-emulation.html}, language = {English}, urldate = {2020-05-05} } @online{baird:20170320:necurs:ee5da07, author = {Sean Baird and Edmund Brumaghin and Earl Carter and Jaeson Schultz}, title = {{Necurs Diversifies 
Its Portfolio}}, date = {2017-03-20}, organization = {Cisco Talos}, url = {http://blog.talosintelligence.com/2017/03/necurs-diversifies.html}, language = {English}, urldate = {2020-01-07} } @online{bajak:20201023:report:7bb3ff0, author = {Frank Bajak}, title = {{Report: Ransomware disables Georgia county election database}}, date = {2020-10-23}, organization = {AP News}, url = {https://apnews.com/article/virus-outbreak-elections-georgia-voting-2020-voting-c191f128b36d1c0334c9d0b173daa18c}, language = {English}, urldate = {2020-11-02} } @online{baker:20150318:feds:e9fe961, author = {Mike Baker}, title = {{Feds warned Premera about security flaws before breach}}, date = {2015-03-18}, organization = {Seattle Times}, url = {https://www.seattletimes.com/business/local-business/feds-warned-premera-about-security-flaws-before-breach/}, language = {English}, urldate = {2020-01-10} } @online{baker:20150504:threat:726f1f2, author = {Ben Baker and Alex Chiu}, title = {{Threat Spotlight: Rombertik – Gazing Past the Smoke, Mirrors, and Trapdoors}}, date = {2015-05-04}, organization = {Cisco Talos}, url = {http://blogs.cisco.com/security/talos/rombertik}, language = {English}, urldate = {2020-01-06} } @online{baker:20161207:floki:69ffd12, author = {Ben Baker and Edmund Brumaghin and Mariano Graziano and Jonas Zaddach}, title = {{Floki Bot Strikes, Talos and Flashpoint Respond}}, date = {2016-12-07}, organization = {Cisco Talos}, url = {http://blog.talosintel.com/2016/12/flokibot-collab.html#more}, language = {English}, urldate = {2020-01-09} } @online{baker:20180703:smoking:067be1f, author = {Ben Baker and Holger Unterbrink}, title = {{Smoking Guns - Smoke Loader learned new tricks}}, date = {2018-07-03}, organization = {Talos Intelligence}, url = {https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html}, language = {English}, urldate = {2019-10-14} } @online{baker:20200706:wastedlocker:f33e129, author = {Ben Baker and Edmund Brumaghin and JJ 
Cummings and Arnaud Zobec}, title = {{WastedLocker Goes "Big-Game Hunting" in 2020}}, date = {2020-07-06}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/07/wastedlocker-emerges.html}, language = {English}, urldate = {2020-07-07} } @online{ballenthin:20200117:404:cc95f5f, author = {William Ballenthin and Josh Madeley}, title = {{404 Exploit Not Found: Vigilante Deploying Mitigation for Citrix NetScaler Vulnerability While Maintaining Backdoor}}, date = {2020-01-17}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html}, language = {English}, urldate = {2020-01-17} } @online{bambenek:20160502:osint:54b6791, author = {John Bambenek}, title = {{OSINT Feed}}, date = {2016-05-02}, organization = {John Bambenek}, url = {http://osint.bambenekconsulting.com/feeds/}, language = {English}, urldate = {2020-01-06} } @online{bambenek:20190207:inside:2a18c89, author = {John Bambenek}, title = {{An Inside Look at the Infrastructure Behind the Russian APT Gamaredon Group}}, date = {2019-02-07}, organization = {ThreatStop}, url = {https://blog.threatstop.com/russian-apt-gamaredon-group}, language = {English}, urldate = {2020-01-06} } @online{bancal:20200130:cyber:0a267d4, author = {Damien Bancal}, title = {{Cyber attaque à l’encontre des serveurs de Bouygues Construction}}, date = {2020-01-30}, organization = {ZATAZ}, url = {https://www.zataz.com/cyber-attaque-a-lencontre-des-serveurs-de-bouygues-construction/}, language = {French}, urldate = {2020-02-03} } @online{banksecurity:20190601:new:3ddfbf1, author = {Bank_Security}, title = {{New ATM Malware NVISOSPIT}}, date = {2019-06-01}, organization = {Twitter (@Bank_Security)}, url = {https://twitter.com/Bank_Security/status/1134850646413385728}, language = {English}, urldate = {2019-11-17} } @online{bansal:20201216:list:aa0388d, author = {R. 
Bansal}, title = {{List of domain infrastructure including DGA domain used by UNC2452}}, date = {2020-12-16}, organization = {Twitter (@0xrb)}, url = {https://twitter.com/0xrb/status/1339199268146442241}, language = {English}, urldate = {2020-12-17} } @online{bao:20200707:cobalt:cf80aa8, author = {Ladislav Bačo}, title = {{Cobalt Strike stagers used by FIN6}}, date = {2020-07-07}, organization = {MWLab}, url = {https://malwarelab.eu/posts/fin6-cobalt-strike/}, language = {English}, urldate = {2020-07-11} } @online{bar:20160502:prince:7769673, author = {Tomer Bar and Simon Conant}, title = {{Prince of Persia: Infy Malware Active In Decade of Targeted Attacks}}, date = {2016-05-02}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/}, language = {English}, urldate = {2020-01-06} } @online{bar:20160502:prince:8b14d7f, author = {Tomer Bar and Simon Conant}, title = {{Prince of Persia: Infy Malware Active In Decade of Targeted Attacks}}, date = {2016-05-02}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/}, language = {English}, urldate = {2019-12-20} } @online{bar:20160502:prince:cfd5940, author = {Tomer Bar and Simon Conant}, title = {{Prince of Persia: Infy Malware Active In Decade of Targeted Attacks}}, date = {2016-05-02}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/}, language = {English}, urldate = {2020-04-06} } @online{bar:20160628:prince:b1d2cdd, author = {Tomer Bar and Lior Efraim and Simon Conant}, title = {{Prince of Persia – Game Over}}, date = {2016-06-28}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2016/06/unit42-prince-of-persia-game-over/}, language = 
{English}, urldate = {2019-10-28} } @online{bar:20170405:targeted:49e76a6, author = {Tomer Bar and Tom Lancaster}, title = {{Targeted Attacks in the Middle East Using KASPERAGENT and MICROPSIA}}, date = {2017-04-05}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/}, language = {English}, urldate = {2019-12-10} } @online{bar:20170405:targeted:feb4b54, author = {Tomer Bar and Tom Lancaster}, title = {{Targeted Attacks in the Middle East Using KASPERAGENT and MICROPSIA}}, date = {2017-04-05}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/04/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/}, language = {English}, urldate = {2019-12-20} } @online{bar:20170801:prince:db6038a, author = {Tomer Bar and Simon Conant}, title = {{Prince of Persia – Ride the Lightning: Infy returns as “Foudre”}}, date = {2017-08-01}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre/}, language = {English}, urldate = {2019-12-20} } @online{bar:20170801:prince:e7d5542, author = {Tomer Bar and Simon Conant}, title = {{Prince of Persia – Ride the Lightning: Infy returns as “Foudre”}}, date = {2017-08-01}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-prince-persia-ride-lightning-infy-returns-foudre/}, language = {English}, urldate = {2020-01-08} } @online{barabosch:20200114:inside:2187ad3, author = {Thomas Barabosch}, title = {{Inside of CL0P’s ransomware operation}}, date = {2020-01-14}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/inside-of-cl0p-s-ransomware-operation-615824}, language = {English}, urldate = {2021-01-14} } @online{barabosch:20200203:dissecting:c1a6bca, author = {Thomas Barabosch}, title = {{Dissecting Emotet – Part 
1}}, date = {2020-02-03}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/cybersecurity-dissecting-emotet-part-one-592612}, language = {English}, urldate = {2020-02-07} } @online{barabosch:20200306:dissecting:809bc54, author = {Thomas Barabosch}, title = {{Dissecting Emotet - Part 2}}, date = {2020-03-06}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/cybersecurity-dissecting-emotet-part-two-596128}, language = {English}, urldate = {2020-03-09} } @online{barabosch:20200326:ta505s:24d9805, author = {Thomas Barabosch}, title = {{TA505's Box of Chocolate - On Hidden Gems packed with the TA505 Packer}}, date = {2020-03-26}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672}, language = {English}, urldate = {2020-03-27} } @online{barabosch:20200514:lolsnif:c7a2736, author = {Thomas Barabosch}, title = {{LOLSnif – Tracking Another Ursnif-Based Targeted Campaign}}, date = {2020-05-14}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/lolsnif-tracking-another-ursnif-based-targeted-campaign-600062}, language = {English}, urldate = {2020-05-14} } @online{barabosch:20200616:ta505:619f2c6, author = {Thomas Barabosch}, title = {{TA505 returns with a new bag of tricks}}, date = {2020-06-16}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-returns-with-a-new-bag-of-tricks-602104}, language = {English}, urldate = {2020-06-18} } @online{barabosch:20201006:eager:54da318, author = {Thomas Barabosch}, title = {{Eager Beaver: A Short Overview of the Restless Threat Actor TA505}}, date = {2020-10-06}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/eager-beaver-a-short-overview-of-the-restless-threat-actor-ta505-609546}, language = {English}, urldate = {2020-10-08} } @online{barabosch:20201217:smokeloader:937c780, author = {Thomas 
Barabosch}, title = {{Smokeloader is still alive and kickin’ – A new way to encrypt CC server URLs}}, date = {2020-12-17}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/a-new-way-to-encrypt-cc-server-urls-614886}, language = {English}, urldate = {2020-12-18} } @online{barabosch:20201223:detect:bd873bc, author = {Thomas Barabosch}, title = {{Detect RC4 in (malicious) binaries}}, date = {2020-12-23}, organization = {0xC0DECAFE}, url = {https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries}, language = {English}, urldate = {2020-12-26} } @online{barabosch:20201228:never:f7e93aa, author = {Thomas Barabosch}, title = {{Never upload ransomware samples to the Internet}}, date = {2020-12-28}, organization = {0xC0DECAFE}, url = {https://0xc0decafe.com/2020/12/28/never-upload-ransomware-samples-to-the-internet/}, language = {English}, urldate = {2021-01-01} } @online{barabosch:20210108:malware:27c7ee2, author = {Thomas Barabosch}, title = {{The malware analyst’s guide to aPLib decompression}}, date = {2021-01-08}, organization = {0xC0DECAFE}, url = {https://0xc0decafe.com/malware-analysts-guide-to-aplib-decompression/}, language = {English}, urldate = {2021-01-11} } @online{baranov:20121212:analysis:6e76df4, author = {Artem Baranov}, title = {{Analysis of VirTool:WinNT/Exforel.A rootkit}}, date = {2012-12-12}, url = {https://artemonsecurity.blogspot.com/2012/12/analysis-of-virtoolwinntexforela-rootkit.html}, language = {English}, urldate = {2020-09-25} } @online{baranov:20161003:remsec:3877dab, author = {Artem Baranov}, title = {{Remsec driver analysis}}, date = {2016-10-03}, url = {https://artemonsecurity.blogspot.com/2016/10/remsec-driver-analysis.html}, language = {English}, urldate = {2020-03-28} } @online{baranov:20161010:remsec:9ed5754, author = {Artem Baranov}, title = {{Remsec driver analysis - Part 2}}, date = {2016-10-10}, url = {https://artemonsecurity.blogspot.com/2016/10/remsec-driver-analysis-part-2.html}, language 
= {English}, urldate = {2020-03-28} } @online{baranov:20161011:remsec:02eae63, author = {Artem Baranov}, title = {{Remsec driver analysis - Part 3}}, date = {2016-10-11}, url = {https://artemonsecurity.blogspot.com/2016/10/remsec-driver-analysis-part-3.html}, language = {English}, urldate = {2020-03-28} } @online{baranov:20170113:finfisher:436b89e, author = {Artem Baranov}, title = {{Finfisher rootkit analysis}}, date = {2017-01-13}, url = {https://artemonsecurity.blogspot.de/2017/01/finfisher-rootkit-analysis.html}, language = {English}, urldate = {2019-11-26} } @online{baranov:20170330:equationdrug:7255a48, author = {Artem Baranov}, title = {{EquationDrug rootkit analysis (mstcp32.sys)}}, date = {2017-03-30}, url = {http://artemonsecurity.blogspot.com/2017/03/equationdrug-rootkit-analysis-mstcp32sys.html}, language = {English}, urldate = {2020-01-07} } @online{baranov:20170413:stuxnet:c221f57, author = {Artem Baranov}, title = {{Stuxnet drivers: detailed analysis}}, date = {2017-04-13}, organization = {A blog about rootkits research and the Windows kernel}, url = {http://artemonsecurity.blogspot.de/2017/04/stuxnet-drivers-detailed-analysis.html}, language = {English}, urldate = {2020-01-08} } @online{barbehenn:20201029:threat:de33a6d, author = {Brittany Barbehenn and Doel Santos and Brad Duncan}, title = {{Threat Assessment: Ryuk Ransomware and Trickbot Targeting U.S. Healthcare and Public Health Sector}}, date = {2020-10-29}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/ryuk-ransomware/}, language = {English}, urldate = {2020-11-02} } @online{barboza:20181229:malware:d5d8d0d, author = {Tony Barboza and Meg James and Emily Alpert Reyes}, title = {{Malware attack disrupts delivery of L.A. 
Times and Tribune papers across the U.S.}}, date = {2018-12-29}, organization = {Los Angeles Times}, url = {https://www.latimes.com/local/lanow/la-me-ln-times-delivery-disruption-20181229-story.html}, language = {English}, urldate = {2020-01-10} } @online{barc:20180619:backswap:f0869a4, author = {Hubert Barc}, title = {{Backswap malware analysis}}, date = {2018-06-19}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/backswap-malware-analysis/}, language = {English}, urldate = {2019-12-10} } @online{barker:20201001:duck:edcc017, author = {Dylan Barker and Quinten Bowen and Ryan Campbell}, title = {{Duck Hunting with Falcon Complete: Analyzing a Fowl Banking Trojan, Part 1}}, date = {2020-10-01}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-analyzing-a-fowl-banking-trojan-part-1/}, language = {English}, urldate = {2020-10-07} } @online{barrett:20091029:twoheaded:0032db0, author = {Larry Barrett}, title = {{Two-Headed Trojan Targets Online Banks}}, date = {2009-10-29}, organization = {InternetNews}, url = {http://www.internetnews.com/security/article.php/3846186/TwoHeaded+Trojan+Targets+Online+Banks.htm}, language = {English}, urldate = {2020-01-08} } @online{bartblaze:20141110:thoughts:d7d0d68, author = {BartBlaze}, title = {{Thoughts on Absolute Computrace}}, date = {2014-11-10}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.de/2014/11/thoughts-on-absolute-computrace.html}, language = {English}, urldate = {2019-11-26} } @online{bartblaze:20150303:c99shell:a7f3a5b, author = {BartBlaze}, title = {{C99Shell not dead}}, date = {2015-03-03}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.com/2015/03/c99shell-not-dead.html}, language = {English}, urldate = {2020-01-13} } @online{bartblaze:20150925:notes:79b37fe, author = {BartBlaze}, title = {{Notes on Linux/Xor.DDoS}}, date = {2015-09-25}, organization = {Blaze's Security Blog}, url = 
{https://bartblaze.blogspot.com/2015/09/notes-on-linuxxorddos.html}, language = {English}, urldate = {2020-01-08} } @online{bartblaze:20160202:vipasana:cf5cdd6, author = {BartBlaze}, title = {{Vipasana ransomware new ransom on the block}}, date = {2016-02-02}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.com/2016/02/vipasana-ransomware-new-ransom-on-block.html}, language = {English}, urldate = {2020-09-15} } @online{bartblaze:20160726:otx:b95458e, author = {BartBlaze}, title = {{OTX Pulse on R980 ransomware}}, date = {2016-07-26}, organization = {AlienVault}, url = {https://otx.alienvault.com/pulse/57976b52b900fe01376feb01/}, language = {English}, urldate = {2020-01-13} } @online{bartblaze:20170824:crystal:16adb4a, author = {BartBlaze}, title = {{Crystal Finance Millennium used to spread malware}}, date = {2017-08-24}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.com/2017/08/crystal-finance-millennium-used-to.html}, language = {English}, urldate = {2020-02-01} } @online{bartblaze:20171203:notes:53a752f, author = {BartBlaze}, title = {{Notes on Linux/BillGates}}, date = {2017-12-03}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.com/2017/12/notes-on-linuxbillgates.html}, language = {English}, urldate = {2020-01-13} } @online{bartblaze:20180320:unlock92:863a267, author = {BartBlaze}, title = {{Tweet on Unlock92 Ransomware}}, date = {2018-03-20}, organization = {Twitter (@bartblaze)}, url = {https://twitter.com/bartblaze/status/976188821078462465}, language = {English}, urldate = {2020-01-07} } @online{bartblaze:20180410:maktub:e67ade0, author = {BartBlaze}, title = {{Maktub ransomware: possibly rebranded as Iron}}, date = {2018-04-10}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.de/2018/04/maktub-ransomware-possibly-rebranded-as.html}, language = {English}, urldate = {2019-07-10} } @online{bartblaze:20180415:this:1eaf3ba, author = {BartBlaze}, title = 
{{This is Spartacus: new ransomware on the block}}, date = {2018-04-15}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.com/2018/04/this-is-spartacus-new-ransomware-on.html}, language = {English}, urldate = {2020-01-22} } @online{bartblaze:20180422:satan:04f63e8, author = {BartBlaze}, title = {{Satan ransomware adds EternalBlue exploit}}, date = {2018-04-22}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.com/2018/04/satan-ransomware-adds-eternalblue.html}, language = {English}, urldate = {2020-01-10} } @online{bartblaze:20200114:satan:4d45ea5, author = {BartBlaze}, title = {{Satan ransomware rebrands as 5ss5c ransomware}}, date = {2020-01-14}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.com/2020/01/satan-ransomware-rebrands-as-5ss5c.html}, language = {English}, urldate = {2020-01-17} } @online{bartblaze:20200913:cryakl:3d29bf0, author = {BartBlaze}, title = {{Tweet on Cryakl 2.0.0.0}}, date = {2020-09-13}, organization = {Twitter (@bartblaze)}, url = {https://twitter.com/bartblaze/status/1305197264332369920}, language = {English}, urldate = {2020-09-15} } @techreport{bartholomew:20160907:wave:96e9f50, author = {Brian Bartholomew and Juan Andrés Guerrero-Saade}, title = {{Wave Your False Flags! 
Deception Tactics Muddying Attribution in Targeted Attacks}}, date = {2016-09-07}, institution = {Virus Bulletin}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/10/20114955/Bartholomew-GuerreroSaade-VB2016.pdf}, language = {English}, urldate = {2020-03-13} } @online{bartholomew:20170202:kopiluwak:d5c0245, author = {Brian Bartholomew}, title = {{KopiLuwak: A New JavaScript Payload from Turla}}, date = {2017-02-02}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payload-from-turla/}, language = {English}, urldate = {2019-12-20} } @online{bartholomew:20191105:dadjoke:81e2a63, author = {Brian Bartholomew}, title = {{DADJOKE}}, date = {2019-11-05}, url = {https://prezi.com/view/jGyAzyy5dTOkDrtwsJi5/}, language = {English}, urldate = {2020-01-07} } @online{bartholomew:20200103:nice:ddc5c57, author = {Brian Bartholomew}, title = {{Nice One, Dad: Dissecting A Rare Malware Used By Leviathan}}, date = {2020-01-03}, organization = {Youtube (BSides Belfast)}, url = {https://www.youtube.com/watch?v=vx9IB88wXSE}, language = {English}, urldate = {2020-01-13} } @online{bary:20200115:analyzing:02aabc4, author = {Guy Bary}, title = {{Analyzing Magecart Malware – From Zero to Hero}}, date = {2020-01-15}, organization = {PerimeterX}, url = {https://www.perimeterx.com/blog/analyzing_magecart_malware_from_zero_to_hero/}, language = {English}, urldate = {2020-01-17} } @online{bashis:20170306:0day:e03d5c7, author = {bashis}, title = {{0-Day: Dahua backdoor Generation 2 and 3}}, date = {2017-03-06}, url = {http://seclists.org/fulldisclosure/2017/Mar/7}, language = {English}, urldate = {2019-12-18} } @online{baskin:20200603:medusa:8d92754, author = {Brian Baskin}, title = {{Medusa Locker Ransomware}}, date = {2020-06-03}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/2020/06/03/tau-threat-analyis-medusa-locker-ransomware/}, language = {English}, urldate = {2020-06-04} } 
@online{baskin:20200708:tau:4b05a00, author = {Brian Baskin}, title = {{TAU Threat Discovery: Conti Ransomware}}, date = {2020-07-08}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/}, language = {English}, urldate = {2020-07-08} } @online{bassat:20170807:new:d776333, author = {Omri Ben Bassat}, title = {{New Variants of Agent.BTZ/ComRAT Found: The Threat That Hit The Pentagon In 2008 Still Evolving; Part 1/2}}, date = {2017-08-07}, organization = {Intezer}, url = {http://www.intezer.com/new-variants-of-agent-btz-comrat-found/}, language = {English}, urldate = {2019-12-17} } @online{bassat:20170913:new:376f00f, author = {Omri Ben Bassat}, title = {{New Variants of Agent.BTZ/ComRAT Found: The Threat That Hit The Pentagon In 2008 Still Evolving; Part 2/2}}, date = {2017-09-13}, organization = {Intezer}, url = {http://www.intezer.com/new-variants-of-agent-btz-comrat-found-part-2/}, language = {English}, urldate = {2019-12-24} } @online{bassat:20180529:iron:5943a09, author = {Omri Ben Bassat}, title = {{Iron Cybercrime Group Under The Scope}}, date = {2018-05-29}, organization = {Intezer}, url = {https://www.intezer.com/iron-cybercrime-group-under-the-scope-2/}, language = {English}, urldate = {2019-12-05} } @techreport{bataille:201810:hunting:c5ffe40, author = {Adrian Bataille and Matias Bevilacqua}, title = {{Hunting for PLATINUM}}, date = {2018-10}, institution = {FireEye}, url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s01-hunting-for-platinum.pdf}, language = {English}, urldate = {2020-01-07} } @online{batsec:20200811:defending:7710531, author = {batsec}, title = {{Defending Your Malware}}, date = {2020-08-11}, organization = {Dylan Codes Blog}, url = {https://blog.dylan.codes/defending-your-malware/}, language = {English}, urldate = {2020-08-12} } @online{baumgartner:20141103:be2:ea8544a, author = {Kurt Baumgartner and Maria Garnaeva}, 
title = {{BE2 custom plugins, router abuse, and target profiles}}, date = {2014-11-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/}, language = {English}, urldate = {2019-12-20} } @online{baumgartner:20141208:penquin:afd9ae5, author = {Kurt Baumgartner and Costin Raiu}, title = {{The ‘Penquin’ Turla}}, date = {2014-12-08}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/67962/the-penquin-turla-2/}, language = {English}, urldate = {2019-12-20} } @online{baumgartner:20150217:be2:f7ce288, author = {Kurt Baumgartner and Maria Garnaeva}, title = {{BE2 extraordinary plugins, Siemens targeting, dev fails}}, date = {2015-02-17}, organization = {Kaspersky Labs}, url = {https://securelist.com/be2-extraordinary-plugins-siemens-targeting-dev-fails/68838/}, language = {English}, urldate = {2019-12-20} } @online{baumgartner:20150304:whos:0b8331c, author = {Kurt Baumgartner and Juan Andrés Guerrero-Saade}, title = {{Who’s Really Spreading through the Bright Star?}}, date = {2015-03-04}, organization = {Kaspersky Labs}, url = {https://securelist.com/whos-really-spreading-through-the-bright-star/68978/}, language = {English}, urldate = {2019-12-20} } @online{baumgartner:20150331:sinkholing:7a359b4, author = {Kurt Baumgartner and Costin Raiu}, title = {{Sinkholing Volatile Cedar DGA Infrastructure}}, date = {2015-03-31}, organization = {Kaspersky Labs}, url = {https://securelist.com/sinkholing-volatile-cedar-dga-infrastructure/69421/}, language = {English}, urldate = {2019-12-20} } @online{baumgartner:20150514:naikon:9edea2f, author = {Kurt Baumgartner and Maxim Golovkin}, title = {{The Naikon APT}}, date = {2015-05-14}, organization = {Kaspersky Labs}, url = {https://securelist.com/analysis/publications/69953/the-naikon-apt/}, language = {English}, urldate = {2019-12-20} } @techreport{baumgartner:20150529:msnmm:3d6b500, author = {Kurt Baumgartner and Maxim Golovkin}, title = 
{{THE MsnMM CAMPAIGNS: The Earliest Naikon APT Campaigns}}, date = {2015-05-29}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf}, language = {English}, urldate = {2020-01-09} } @techreport{baumgartner:201505:msnmm:13a9145, author = {Kurt Baumgartner and Maxim Golovkin}, title = {{The MsnMM Campaigns - The Earliest Naikon APT Campaigns}}, date = {2015-05}, institution = {Kaspersky Labs}, url = {https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/TheNaikonAPT-MsnMM1.pdf}, language = {English}, urldate = {2019-07-11} } @online{baumgartner:20150617:spring:dc116aa, author = {Kurt Baumgartner}, title = {{The Spring Dragon APT}}, date = {2015-06-17}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/70726/the-spring-dragon-apt/}, language = {English}, urldate = {2019-12-20} } @online{baumgartner:20161003:strongpity:d4a8c09, author = {Kurt Baumgartner}, title = {{On the StrongPity Waterhole Attacks Targeting Italian and Belgian Encryption Users}}, date = {2016-10-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/}, language = {English}, urldate = {2019-12-20} } @online{baumgartner:20161006:strongpity:898bc2b, author = {Kurt Baumgartner}, title = {{On the StrongPity Waterhole Attacks Targeting Italian and Belgian Encryption Users}}, date = {2016-10-06}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/conference/vb2016/abstracts/last-minute-paper-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users}, language = {English}, urldate = {2020-01-09} } @online{bautista:20190110:pylocky:92bf2fc, author = {Mike Bautista}, title = {{Pylocky Unlocked: Cisco Talos releases PyLocky ransomware decryptor}}, date = {2019-01-10}, organization = {Cisco Talos}, url = 
{https://blog.talosintelligence.com/2019/01/pylocky-unlocked-cisco-talos-releases.html}, language = {English}, urldate = {2019-10-15} } @online{baz:20170228:dridexs:f72a5ec, author = {Magal Baz and Or Safran}, title = {{Dridex’s Cold War: Enter AtomBombing}}, date = {2017-02-28}, organization = {Security Intelligence}, url = {https://securityintelligence.com/dridexs-cold-war-enter-atombombing/}, language = {English}, urldate = {2019-12-16} } @online{bazally:20161227:pegasus:9fd5170, author = {Max Bazally}, title = {{Pegasus internals: Technical Teardown of the Pegasus malware and Trident exploit chain}}, date = {2016-12-27}, organization = {CCC}, url = {https://media.ccc.de/v/33c3-7901-pegasus_internals}, language = {English}, urldate = {2020-01-08} } @online{beaumont:20190321:how:ecfbbf1, author = {Kevin Beaumont}, title = {{How Lockergoga took down Hydro — ransomware used in targeted attacks aimed at big business}}, date = {2019-03-21}, organization = {DoublePulsar}, url = {https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880}, language = {English}, urldate = {2019-11-29} } @online{beaumont:20201016:second:197ec38, author = {Kevin Beaumont}, title = {{Second Zerologon attacker seen exploiting internet honeypot}}, date = {2020-10-16}, organization = {Medium Doublepulsar}, url = {https://doublepulsar.com/second-zerologon-attacker-seen-exploiting-internet-honeypot-c7fb074451ef}, language = {English}, urldate = {2020-10-23} } @online{beaumont:20201219:twitter:7b4cb8f, author = {Kevin Beaumont}, title = {{A twitter thread on Azure sentinel hunting queries for detecting UNC2452 activity}}, date = {2020-12-19}, organization = {Twitter (@GossiTheDog)}, url = {https://twitter.com/GossiTheDog/status/1340035657838850048}, language = {English}, urldate = {2020-12-19} } @online{beckman:20171208:gratefulpos:0ba1053, author = {Kent Beckman}, title = {{GratefulPOS credit card stealing malware - just in 
time for the shopping season}}, date = {2017-12-08}, organization = {RSA}, url = {https://community.rsa.com/community/products/netwitness/blog/2017/12/08/gratefulpos-credit-card-stealing-malware-just-in-time-for-the-shopping-season}, language = {English}, urldate = {2020-01-08} } @online{beek:20201105:operation:ca0ac54, author = {Christiaan Beek and Ryan Sherstobitoff}, title = {{Operation North Star: Behind The Scenes}}, date = {2020-11-05}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-behind-the-scenes/}, language = {English}, urldate = {2020-11-06} } @online{beek:20201217:additional:cd38b54, author = {Christiaan Beek and Cedric Cochin and Raj Samani}, title = {{Additional Analysis into the SUNBURST Backdoor}}, date = {2020-12-17}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/additional-analysis-into-the-sunburst-backdoor/}, language = {English}, urldate = {2020-12-18} } @online{beer:20190829:implant:f25a696, author = {Ian Beer and Project Zero}, title = {{Implant Teardown}}, date = {2019-08-29}, organization = {Google}, url = {https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html}, language = {English}, urldate = {2020-01-06} } @online{beery:20200903:bitcoin:932fb45, author = {Tal Be'ery}, title = {{The Bitcoin Ransomware Detective Strikes Again: The UCSF Case}}, date = {2020-09-03}, organization = {ZenGo}, url = {https://zengo.com/bitcoin-ransomware-detective-ucsf/}, language = {English}, urldate = {2020-09-06} } @online{bekerman:20170329:new:e4007ca, author = {Dima Bekerman}, title = {{New Mirai Variant Launches 54 Hour DDoS Attack against US College}}, date = {2017-03-29}, organization = {Imperva}, url = {https://www.incapsula.com/blog/new-mirai-variant-ddos-us-college.html}, language = {English}, urldate = {2020-01-05} } @online{bencsath:20170103:technical:1c2e81e, author = {Boldizsar Bencsath}, title = {{Technical details on the Fancy Bear 
Android malware (poprd30.apk)}}, date = {2017-01-03}, organization = {CrySyS Lab}, url = {http://blog.crysys.hu/2017/01/technical-details-on-the-fancy-bear-android-malware-poprd30-apk/}, language = {English}, urldate = {2020-01-09} } @online{bencsath:20170302:update:0e03ee6, author = {Boldizsar Bencsath}, title = {{Update on the Fancy Bear Android malware (poprd30.apk)}}, date = {2017-03-02}, organization = {CrySyS Lab}, url = {http://blog.crysys.hu/2017/03/update-on-the-fancy-bear-android-malware-poprd30-apk/}, language = {English}, urldate = {2019-10-13} } @techreport{bencsath:201803:territorial:04343bb, author = {Boldizsar Bencsath}, title = {{Territorial Dispute – NSA’s perspective on APT landscape}}, date = {2018-03}, institution = {CrySyS Lab}, url = {https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf}, language = {English}, urldate = {2020-05-07} } @online{benge:20190502:qakbot:8c34660, author = {Ashlee Benge and Nick Randolph}, title = {{Qakbot levels up with new obfuscation techniques}}, date = {2019-05-02}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/05/qakbot-levels-up-with-new-obfuscation.html}, language = {English}, urldate = {2019-10-14} } @online{benkow:20140820:command:ec27583, author = {Benkow}, title = {{Command Line Confusion}}, date = {2014-08-20}, organization = {ThisIsSecurity}, url = {https://thisissecurity.stormshield.com/2014/08/20/poweliks-command-line-confusion/}, language = {English}, urldate = {2020-01-07} } @online{bennett:20130213:number:c947ab9, author = {James T. Bennett}, title = {{The Number of the Beast}}, date = {2013-02-13}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2013/02/the-number-of-the-beast.html}, language = {English}, urldate = {2020-04-24} } @online{bennett:20130228:its:1534b7e, author = {James T. 
Bennett}, title = {{It's a Kind of Magic}}, date = {2013-02-28}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2013/02/its-a-kind-of-magic-1.html}, language = {English}, urldate = {2020-04-24} } @online{bennett:20190424:carbanak:2376f75, author = {James T. Bennett and Michael Bailey}, title = {{CARBANAK Week Part Three: Behind the CARBANAK Backdoor}}, date = {2019-04-24}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-three-behind-the-backdoor.html}, language = {English}, urldate = {2019-12-20} } @online{bennett:20190425:carbanak:be237af, author = {James T. Bennett and Michael Bailey}, title = {{CARBANAK Week Part Four: The CARBANAK Desktop Video Player}}, date = {2019-04-25}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-four-desktop-video-player.html}, language = {English}, urldate = {2019-12-20} } @online{bennett:20201201:using:d19f4ce, author = {James T. 
Bennett}, title = {{Using Speakeasy Emulation Framework Programmatically to Unpack Malware}}, date = {2020-12-01}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/12/using-speakeasy-emulation-framework-programmatically-to-unpack-malware.html}, language = {English}, urldate = {2020-12-15} } @online{berchem:20170810:weltweite:5df6bfa, author = {Tom Berchem}, title = {{Weltweite Spamwelle verbreitet teuflische Variante des Locky}}, date = {2017-08-10}, organization = {botfrei Blog}, url = {https://blog.botfrei.de/2017/08/weltweite-spamwelle-verbreitet-teufliche-variante-des-locky/}, language = {German}, urldate = {2019-12-10} } @online{berdnikov:20170925:simple:62b80bb, author = {Vasily Berdnikov and Dmitry Karasovsky and Alexey Shulmin}, title = {{A simple example of a complex cyberattack}}, date = {2017-09-25}, organization = {Kaspersky Labs}, url = {https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636/}, language = {English}, urldate = {2019-12-20} } @techreport{berdnikov:20171125:microcin:69e0ae0, author = {Vasily Berdnikov and Dmitry Karasovsky and Alexey Shulmin}, title = {{MICROCIN MALWARE: TECHNICAL DETAILS AND INDICATORS OF COMPROMISE}}, date = {2017-11-25}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170759/Microcin_Technical_4PDF_eng_final_s.pdf}, language = {English}, urldate = {2020-04-06} } @online{berdnikov:20190313:fourth:98b1131, author = {Vasily Berdnikov and Boris Larin}, title = {{The fourth horseman: CVE-2019-0797 vulnerability}}, date = {2019-03-13}, organization = {Kaspersky Labs}, url = {https://securelist.com/cve-2019-0797-zero-day-vulnerability/89885/}, language = {English}, urldate = {2019-12-20} } @online{bergbom:20180206:danderspritzpeddlecheap:b09bc8f, author = {John Bergbom}, title = {{DanderSpritz/PeddleCheap traffic analysis (Part 1 of 2)}}, date = {2018-02-06}, organization = {Forcepoint}, url = 
{https://www.forcepoint.com/fr/blog/security-labs/new-whitepaper-danderspritzpeddlecheap-traffic-analysis-part-1-2#}, language = {English}, urldate = {2020-05-07} } @online{bergin:20160520:special:46b3cc4, author = {Tom Bergin and Nathan Layne}, title = {{Special Report: Cyber thieves exploit banks' faith in SWIFT transfer network}}, date = {2016-05-20}, organization = {Reuters}, url = {https://www.reuters.com/article/us-cyber-heist-swift-specialreport-idUSKCN0YB0DD}, language = {English}, urldate = {2019-12-17} } @online{bermejo:20170622:following:7126b3b, author = {Lenart Bermejo and Razor Huang and CH Lei}, title = {{Following the Trail of BlackTech’s Cyber Espionage Campaigns}}, date = {2017-06-22}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/}, language = {English}, urldate = {2019-12-24} } @techreport{bermejo:201706:following:61e6dae, author = {Lenart Bermejo and Razor Huang and CH Lei}, title = {{Following the Trail of BlackTech’s Cyber Espionage Campaigns}}, date = {2017-06}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/appendix-following-the-trail-of-blacktechs-cyber-espionage-campaigns.pdf}, language = {English}, urldate = {2020-01-07} } @online{bermejo:20170717:android:593475f, author = {Lenart Bermejo and Jordan Pan and Cedric Pernet}, title = {{Android Backdoor GhostCtrl can Silently Record Your Audio, Video, and More}}, date = {2017-07-17}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/android-backdoor-ghostctrl-can-silently-record-your-audio-video-and-more/}, language = {English}, urldate = {2020-01-13} } @online{bermejo:20170807:backdoorcarrying:317ebe3, author = {Lenart Bermejo and Ronnie Giagone and Rubio Wu and Fyodor Yarochkin}, title = {{Backdoor-carrying Emails Set Sights on Russian-speaking Businesses}}, date = {2017-08-07}, organization = {Trend Micro}, url 
= {https://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses/}, language = {English}, urldate = {2020-01-09} } @online{bermejo:20181120:lazarus:1d8d3b3, author = {Lenart Bermejo and Joelson Soares}, title = {{Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America}}, date = {2018-11-20}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-continues-heists-mounts-attacks-on-financial-organizations-in-latin-america/}, language = {English}, urldate = {2020-01-06} } @techreport{bermejo:20201215:finding:f68f005, author = {Lenart Bermejo and Gilbert Sison and Buddy Tancio}, title = {{Finding APTX: Attributing Attacks via MITRE TTPs}}, date = {2020-12-15}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/white_papers/wp-finding-APTX-attributing-attacks-via-MITRE-TTPs.pdf}, language = {English}, urldate = {2020-12-17} } @online{berninger:20200528:masked:44cad71, author = {Matthew Berninger}, title = {{The Masked SYNger: Investigating a Traffic Phenomenon}}, date = {2020-05-28}, organization = {Rapid7 Labs}, url = {https://blog.rapid7.com/2020/05/28/the-masked-synger-investigating-a-traffic-phenomenon/}, language = {English}, urldate = {2020-05-29} } @online{best:20150912:stuxnet:c9b43da, author = {Emma Best}, title = {{Stuxnet code}}, date = {2015-09-12}, organization = {Archive-org}, url = {https://archive.org/details/Stuxnet}, language = {English}, urldate = {2020-01-09} } @online{bestuzhev:20201111:targeted:e2e0c3a, author = {Dmitry Bestuzhev and Fedor Sinitsyn}, title = {{Targeted ransomware: it’s not just about encrypting your data! 
Part 1 - “Old and New Friends”}}, date = {2020-11-11}, organization = {Kaspersky Labs}, url = {https://securelist.com/targeted-ransomware-encrypting-data/99255/}, language = {English}, urldate = {2020-11-11} } @online{beukema:20200622:hijacking:b46d971, author = {Wietze Beukema}, title = {{Hijacking DLLs in Windows}}, date = {2020-06-22}, organization = {wietzebeukema.nl}, url = {https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows}, language = {English}, urldate = {2020-06-24} } @online{beuth:20200617:die:4272009, author = {Patrick Beuth}, title = {{Die erste Cyberwaffe und ihre Folgen}}, date = {2020-06-17}, organization = {Der Spiegel}, url = {https://www.spiegel.de/netzwelt/web/die-erste-cyberwaffe-und-ihre-folgen-a-a0ed08c9-5080-4ac2-8518-ed69347dc147}, language = {German}, urldate = {2020-06-18} } @online{bhat:20160201:tracking:f5fa1f1, author = {Raashid Bhat}, title = {{Tracking the footprints of PushDo Trojan}}, date = {2016-02-01}, organization = {Blueliv}, url = {https://www.blueliv.com/research/tracking-the-footproints-of-pushdo-trojan/}, language = {English}, urldate = {2019-11-20} } @online{bhat:20170222:dissecting:8124914, author = {Raashid Bhat}, title = {{Dissecting the Qadars Banking Trojan}}, date = {2017-02-22}, organization = {PhishLabs}, url = {https://info.phishlabs.com/blog/dissecting-the-qadars-banking-trojan}, language = {English}, urldate = {2019-12-20} } @online{bhat:20180906:dissecting:8c82fb5, author = {Raashid Bhat}, title = {{Dissecting DEloader malware with obfuscation}}, date = {2018-09-06}, organization = {int 0xcc blog}, url = {https://int0xcc.svbtle.com/dissecting-obfuscated-deloader-malware}, language = {English}, urldate = {2020-01-06} } @online{bhat:20180918:taste:e7dd98d, author = {Raashid Bhat}, title = {{A taste of our own medicine: How SmokeLoader is deceiving configuration extraction by using binary code as bait}}, date = {2018-09-18}, organization = {int 0xcc blog}, url = 
{https://int0xcc.svbtle.com/a-taste-of-our-own-medicine-how-smokeloader-is-deceiving-dynamic-configuration-extraction-by-using-binary-code-as-bait}, language = {English}, urldate = {2020-01-10} } @online{bhat:20190422:dissecting:ffba987, author = {Raashid Bhat}, title = {{Dissecting Emotet’s network communication protocol}}, date = {2019-04-22}, organization = {int 0xcc blog}, url = {https://int0xcc.svbtle.com/dissecting-emotet-s-network-communication-protocol}, language = {English}, urldate = {2020-01-06} } @online{bhat:20190730:practical:d049779, author = {Raashid Bhat}, title = {{Practical Threat Hunting and Incidence Response : A Case of A Pony Malware Infection}}, date = {2019-07-30}, organization = {int 0xcc blog}, url = {https://int0xcc.svbtle.com/practical-threat-hunting-and-incidence-response-a-case-of-a-pony-malware-infection}, language = {English}, urldate = {2020-01-08} } @online{bhat:20200311:emotet:c178008, author = {Raashid Bhat}, title = {{Tweet on Emotet Deobfuscation with Video}}, date = {2020-03-11}, organization = {Twitter (@raashidbhatt)}, url = {https://twitter.com/raashidbhatt/status/1237853549200936960}, language = {English}, urldate = {2020-03-13} } @online{bhat:20200331:emotet:50264e0, author = {Raashid Bhat}, title = {{Emotet Binary Deobfuscation | Coconut Paradise | Episode 1}}, date = {2020-03-31}, organization = {Youtube (Infosec Alpha)}, url = {https://www.youtube.com/watch?v=_mGMJFNJWSk}, language = {English}, urldate = {2020-04-23} } @online{bhat:20200422:flattenthecurve:0bdf5a3, author = {Raashid Bhat}, title = {{FlattenTheCurve - Emotet Control Flow Unflattening | Episode 2}}, date = {2020-04-22}, organization = {Youtube (Infosec Alpha)}, url = {https://www.youtube.com/watch?v=8PHCZdpNKrw}, language = {English}, urldate = {2020-04-23} } @online{biaczak:20200901:characterizing:422e6a1, author = {Piotr Białczak and Wojciech Mazurczyk}, title = {{Characterizing Anomalies in Malware-Generated HTTP Traffic}}, date = {2020-09-01}, url = 
{https://www.hindawi.com/journals/scn/2020/8848863/}, language = {English}, urldate = {2020-09-03} } @online{biasini:20171024:threat:7bd8515, author = {Nick Biasini}, title = {{Threat Spotlight: Follow the Bad Rabbit}}, date = {2017-10-24}, organization = {Cisco Talos}, url = {http://blog.talosintelligence.com/2017/10/bad-rabbit.html}, language = {English}, urldate = {2019-12-10} } @online{biasini:20180509:gandcrab:50296a6, author = {Nick Biasini and Nick Lister and Christopher Marczewski}, title = {{Gandcrab Ransomware Walks its Way onto Compromised Sites}}, date = {2018-05-09}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2018/05/gandcrab-compromised-sites.html}, language = {English}, urldate = {2019-10-21} } @online{biasini:20190220:combing:bdc059c, author = {Nick Biasini and Edmund Brumaghin and Matthew Molyett}, title = {{Combing Through Brushaloader Amid Massive Detection Uptick}}, date = {2019-02-20}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/02/combing-through-brushaloader.html}, language = {English}, urldate = {2019-11-29} } @online{biasini:20190425:jasperloader:ebe50ca, author = {Nick Biasini and Edmund Brumaghin and Andrew Williams}, title = {{JasperLoader Emerges, Targets Italy with Gootkit Banking Trojan}}, date = {2019-04-25}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2019/04/jasperloader-targets-italy.html}, language = {English}, urldate = {2020-01-09} } @online{biasini:20190523:sorpresa:e7cbd9d, author = {Nick Biasini and Edmund Brumaghin}, title = {{Sorpresa! 
JasperLoader targets Italy with a new bag of tricks}}, date = {2019-05-23}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/05/sorpresa-jasperloader.html}, language = {English}, urldate = {2020-01-06} } @online{biasini:20200213:threat:443d687, author = {Nick Biasini and Edmund Brumaghin}, title = {{Threat actors attempt to capitalize on coronavirus outbreak}}, date = {2020-02-13}, organization = {Talos}, url = {https://blog.talosintelligence.com/2020/02/coronavirus-themed-malware.html}, language = {English}, urldate = {2020-03-19} } @online{biasini:20200511:astaroth:f325070, author = {Nick Biasini and Edmund Brumaghin and Nick Lister}, title = {{Astaroth - Maze of obfuscation and evasion reveals dark stealer}}, date = {2020-05-11}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/05/astaroth-analysis.html}, language = {English}, urldate = {2020-05-11} } @online{biasini:20200701:threat:a726b7e, author = {Nick Biasini and Edmund Brumaghin and Mariano Graziano}, title = {{Threat Spotlight: Valak Slithers Its Way Into Manufacturing and Transportation Networks}}, date = {2020-07-01}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/07/valak-emerges.html}, language = {English}, urldate = {2020-08-18} } @online{biasini:20201118:back:178d20d, author = {Nick Biasini and Edmund Brumaghin and Jaeson Schultz}, title = {{Back from vacation: Analyzing Emotet’s activity in 2020}}, date = {2020-11-18}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2020/11/emotet-2020.html}, language = {English}, urldate = {2020-11-19} } @online{biasini:20201214:threat:63acc35, author = {Nick Biasini}, title = {{Threat Advisory: SolarWinds supply chain attack}}, date = {2020-12-14}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/12/solarwinds-supplychain-coverage.html#more}, language = {English}, urldate = {2020-12-19} } 
@online{bichet:20200414:deobfuscating:d7320ab, author = {Jean Bichet}, title = {{Deobfuscating and hunting for OSTAP, Trickbot’s dropper and best friend}}, date = {2020-04-14}, organization = {Intrinsec}, url = {https://www.intrinsec.com/deobfuscating-hunting-ostap/}, language = {English}, urldate = {2021-01-11} } @online{bichet:20201112:egregor:1ac0eb1, author = {Jean Bichet}, title = {{Egregor – Prolock: Fraternal Twins ?}}, date = {2020-11-12}, organization = {Intrinsec}, url = {https://www.intrinsec.com/egregor-prolock/}, language = {English}, urldate = {2020-11-23} } @online{biermann:20201008:hanois:3f2def5, author = {Kai Biermann and Thi Do Nguyen and Hakan Tanriverdi and Maximilian Zierer}, title = {{Hanois Hacker}}, date = {2020-10-08}, organization = {ZEIT Online}, url = {https://www.zeit.de/politik/deutschland/2020-10/cyberspionage-vietnam-hackerangriffe-deutschland-bmw-verfassungsschutz-oceanlotus-apt32/komplettansicht}, language = {German}, urldate = {2020-10-12} } @techreport{bilodeau:201403:operation:40b7f42, author = {Olivier Bilodeau and Pierre-Marc Bureau and Joan Calvet and Alexis Dorais-Joncas and Marc-Etienne M.Léveillé and Benjamin Vanheuverzwijn}, title = {{OPERATION WINDIGO}}, date = {2014-03}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf}, language = {English}, urldate = {2020-01-08} } @online{bing:20170418:shadow:f8c81a6, author = {Chris Bing}, title = {{Shadow Brokers leaks show U.S. 
spies successfully hacked Russian, Iranian targets}}, date = {2017-04-18}, organization = {CyberScoop}, url = {https://www.cyberscoop.com/nsa-shadow-brokers-leaks-iran-russia-optimusprime-stoicsurgeon/}, language = {English}, urldate = {2020-01-12} } @online{bing:20180320:kasperskys:9cf65c1, author = {Chris Bing and Patrick Howell O'Neill}, title = {{Kaspersky's 'Slingshot' report burned an ISIS-focused intelligence operation}}, date = {2018-03-20}, organization = {CyberScoop}, url = {https://www.cyberscoop.com/kaspersky-slingshot-isis-operation-socom-five-eyes/}, language = {English}, urldate = {2019-07-11} } @online{bing:20201023:exclusive:00afa85, author = {Christopher Bing and Jack Stubbs}, title = {{Exclusive: 'Dumb mistake' exposed Iranian hand behind fake Proud Boys U.S. election emails - sources}}, date = {2020-10-23}, organization = {Reuters}, url = {https://www.reuters.com/article/us-usa-election-cyber-iran-exclusive/exclusive-dumb-mistake-exposed-iranian-hand-behind-fake-proud-boy-u-s-election-emails-sources-idUSKBN2772YL}, language = {English}, urldate = {2020-10-26} } @online{bing:20201023:exclusive:9ffe805, author = {Christopher Bing}, title = {{Exclusive: National Guard called in to thwart cyberattack in Louisiana weeks before election}}, date = {2020-10-23}, organization = {Reuters}, url = {https://www.reuters.com/article/us-usa-election-cyber-louisiana-exclusiv/exclusive-national-guard-called-in-to-thwart-cyberattack-in-louisiana-weeks-before-election-idUSKBN27823F}, language = {English}, urldate = {2020-10-27} } @online{bing:20201029:building:ceeb50f, author = {Christopher Bing and Joseph Menn}, title = {{Building wave of ransomware attacks strike U.S. 
hospitals}}, date = {2020-10-29}, organization = {Reuters}, url = {https://www.reuters.com/article/usa-healthcare-cyber-idUSKBN27E0EP}, language = {English}, urldate = {2020-11-02} } @online{bing:20201213:suspected:81b53a9, author = {Christopher Bing}, title = {{Suspected Russian hackers spied on U.S. Treasury emails - sources}}, date = {2020-12-13}, organization = {Reuters}, url = {https://www.reuters.com/article/us-usa-cyber-treasury-exclsuive/suspected-russian-hackers-spied-on-u-s-treasury-emails-sources-idUSKBN28N0PG}, language = {English}, urldate = {2020-12-14} } @techreport{biradar:20150120:reversing:8a25caf, author = {Basavaraj K. Biradar}, title = {{Reversing the Inception APT malware}}, date = {2015-01-20}, institution = {Blue Coat}, url = {https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/Inception_APT_Analysis_Bluecoat.pdf}, language = {English}, urldate = {2020-04-21} } @online{bishopfox:20190117:sliver:915fc7e, author = {BishopFox}, title = {{Sliver Implant Framework}}, date = {2019-01-17}, organization = {Github (BishopFox)}, url = {https://github.com/BishopFox/sliver}, language = {English}, urldate = {2020-01-07} } @techreport{bissell:2018:latest:1c1fba4, author = {Kelly Bissell and Joshua Ray and Uwe Kissman and Ryan LaSalle and Gareth Russell}, title = {{LATEST CYBER ESPIONAGE MALWARE ATTACKS}}, date = {2018}, institution = {Accenture Security}, url = {https://www.accenture.com/t00010101T000000Z__w__/gb-en/_acnmedia/PDF-46/Accenture-Security-Elise-Threat-Analysis.pdf}, language = {English}, urldate = {2020-01-08} } @techreport{bitdefender:20151217:apt28:fca586f, author = {Bitdefender}, title = {{APT28 Under the Scope: A Journey into Exfiltrating Intelligence and Government Information}}, date = {2015-12-17}, institution = {Bitdefender}, url = {https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf}, language = {English}, urldate = 
{2020-01-09} } @techreport{bitdefender:20160630:pacifier:2b7078c, author = {Bitdefender}, title = {{Pacifier APT}}, date = {2016-06-30}, institution = {Bitdefender}, url = {http://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf}, language = {English}, urldate = {2020-01-13} } @techreport{bitdefender:20160630:pacifier:642af11, author = {Bitdefender}, title = {{Pacifier APT}}, date = {2016-06-30}, institution = {Bitdefender}, url = {https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf}, language = {English}, urldate = {2020-01-08} } @techreport{bitdefender:20160630:pacifier:cbcb081, author = {Bitdefender}, title = {{Pacifier APT}}, date = {2016-06-30}, institution = {Bitdefender}, url = {https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender-Whitepaper-PAC-A4-en_EN1.pdf}, language = {English}, urldate = {2020-01-09} } @techreport{bitdefender:20170221:dissecting:eec4e1f, author = {Bitdefender}, title = {{Dissecting the APT28 Mac OS X Payload}}, date = {2017-02-21}, institution = {Bitdefender}, url = {https://download.bitdefender.com/resources/files/News/CaseStudies/study/143/Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web.pdf}, language = {English}, urldate = {2020-01-10} } @techreport{bitdefender:20190604:blueprint:ce0583c, author = {Bitdefender}, title = {{An APT Blueprint: Gaining New Visibility into Financial Threats}}, date = {2019-06-04}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf}, language = {English}, urldate = {2019-12-18} } @techreport{bitdefender:20191029:close:30321a7, author = {Bitdefender}, title = {{A close look at Fallout Exploit Kit and Raccoon Stealer}}, date = {2019-10-29}, institution = {Bitdefender}, url = 
{https://www.bitdefender.com/files/News/CaseStudies/study/289/Bitdefender-WhitePaper-Fallout.pdf}, language = {English}, urldate = {2020-01-09} } @online{bitensky:20170518:uiwix:4cc9aa8, author = {Gal Bitensky}, title = {{UIWIX – Evasive Ransomware Exploiting ETERNALBLUE}}, date = {2017-05-18}, organization = {Minerva}, url = {https://www.minerva-labs.com/post/uiwix-evasive-ransomware-exploiting-eternalblue}, language = {English}, urldate = {2020-01-08} } @online{bitensky:20180517:analyzing:c25d2ac, author = {Gal Bitensky}, title = {{Analyzing an AZORult Attack – Evasion in a Cloak of Multiple Layers}}, date = {2018-05-17}, organization = {Minerva Labs}, url = {https://blog.minerva-labs.com/puffstealer-evasion-in-a-cloak-of-multiple-layers}, language = {English}, urldate = {2019-10-14} } @online{bitsofbinary:20201211:macos:a00d112, author = {Twitter (@BitsOfBinary)}, title = {{Tweet on macOS Manuscypt samples}}, date = {2020-12-11}, organization = {PWC UK}, url = {https://twitter.com/BitsOfBinary/status/1337330286787518464}, language = {English}, urldate = {2020-12-14} } @online{bizeul:20140711:eye:3cb48c1, author = {David Bizeul and Ivan Fontarensky and Ronan Mouchoux and Fabien Perigaud and Cedric Pernet}, title = {{The Eye of the Tiger}}, date = {2014-07-11}, organization = {Airbus}, url = {http://blog.airbuscybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2}, language = {English}, urldate = {2019-11-25} } @online{bizeul:20140711:eye:bdaf0a0, author = {David Bizeul and Ivan Fontarensky and Ronan Mouchoux and Fabien Perigaud and Cedric Pernet}, title = {{The Eye of the Tiger}}, date = {2014-07-11}, organization = {Airbus}, url = {http://blog.cassidiancybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2}, language = {English}, urldate = {2019-11-29} } @online{bkmsft:20190724:apt17:8b88bcb, author = {Ben K (bkMSFT)}, title = {{Tweet on APT17}}, date = {2019-07-24}, organization = {Twitter (@bkMSFT)}, url = {https://twitter.com/bkMSFT/status/1153994428949749761}, 
language = {English}, urldate = {2020-01-07} } @online{bkmsft:20191203:zirconium:c025731, author = {Ben K (bkMSFT)}, title = {{Tweet on ZIRCONIUM alias for APT31}}, date = {2019-12-03}, organization = {Twitter (@bkMSFT)}, url = {https://twitter.com/bkMSFT/status/1201876664667582466}, language = {English}, urldate = {2020-06-16} } @online{black:20180703:iranian:2e94ec4, author = {Samantha Black}, title = {{Iranian APT Charming Kitten impersonates ClearSky, the security firm that uncovered its campaigns}}, date = {2018-07-03}, organization = {Cyware}, url = {https://cyware.com/news/iranian-apt-charming-kitten-impersonates-clearsky-the-security-firm-that-uncovered-its-campaigns-7fea0b4f}, language = {English}, urldate = {2020-01-08} } @online{blackhacker511:20190104:github:e7e5d16, author = {BlackHacker511}, title = {{Github Repository: BlackNET}}, date = {2019-01-04}, organization = {Github (BlackHacker511)}, url = {https://github.com/FarisCode511/BlackNET/}, language = {English}, urldate = {2020-07-13} } @online{blackhacker511:20191123:blackworm:9cf1955, author = {BlackHacker511}, title = {{BlackWorm v6.0 Black Ninja}}, date = {2019-11-23}, organization = {Github (BlackHacker511)}, url = {https://github.com/BlackHacker511/BlackWorm}, language = {English}, urldate = {2020-01-13} } @techreport{blackorbird:20191205:apt32:0afe4e7, author = {blackorbird}, title = {{APT32 Report}}, date = {2019-12-05}, institution = {Github (blackorbird)}, url = {https://github.com/blackorbird/APT_REPORT/blob/master/Oceanlotus/apt32_report_2019.pdf}, language = {Japanese}, urldate = {2020-01-10} } @online{blackorbird:20200408:wannaren:8da1d44, author = {blackorbird}, title = {{Tweet on WannaRen}}, date = {2020-04-08}, organization = {Twitter (@blackorbird)}, url = {https://twitter.com/blackorbird/status/1247834024711577601}, language = {English}, urldate = {2020-05-05} } @techreport{blaich:20180118:dark:31c31f6, author = {Andrew Blaich and Apurva Kumar and Jeremy Richards and Michael 
Flossman and Cooper Quintin and Eva Galperin}, title = {{Dark Caracal: Cyber-espionage at a Global Scale}}, date = {2018-01-18}, institution = {Lookout}, url = {https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf}, language = {English}, urldate = {2020-06-08} } @online{blasco:20120702:sykipot:09eeec7, author = {Jaime Blasco}, title = {{Sykipot is back}}, date = {2012-07-02}, organization = {AT&T}, url = {https://www.alienvault.com/blogs/labs-research/sykipot-is-back}, language = {English}, urldate = {2019-12-18} } @online{blasco:20130321:new:511f1a7, author = {Jaime Blasco}, title = {{New Sykipot developments}}, date = {2013-03-21}, organization = {AT&T}, url = {https://www.alienvault.com/open-threat-exchange/blog/new-sykipot-developments}, language = {English}, urldate = {2020-01-12} } @online{blasco:20140828:scanbox:a0cc92a, author = {Jaime Blasco}, title = {{Scanbox: A Reconnaissance Framework Used with Watering Hole Attacks}}, date = {2014-08-28}, organization = {AT&T}, url = {https://www.alienvault.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks}, language = {English}, urldate = {2019-12-06} } @online{blasco:20190402:xwo:11817a2, author = {Jaime Blasco and Chris Doman}, title = {{Xwo - A Python-based bot scanner}}, date = {2019-04-02}, organization = {AT&T}, url = {https://www.alienvault.com/blogs/labs-research/xwo-a-python-based-bot-scanner}, language = {English}, urldate = {2020-01-06} } @online{blasi:20200922:darkside:67c758a, author = {Stefano De Blasi}, title = {{DarkSide: The New Ransomware Group Behind Highly Targeted Attacks}}, date = {2020-09-22}, organization = {Digital Shadows}, url = {https://www.digitalshadows.com/blog-and-research/darkside-the-new-ransomware-group-behind-highly-targeted-attacks/}, language = {English}, urldate = {2020-11-17} } @online{blazier:20201218:quirk:fe216c8, author = {Nick Blazier and Jesse Kipp}, title = {{A quirk in the SUNBURST DGA 
algorithm}}, date = {2020-12-18}, organization = {Cloudflare}, url = {https://blog.cloudflare.com/a-quirk-in-the-sunburst-dga-algorithm/}, language = {English}, urldate = {2020-12-18} } @online{bleepingcomputer:20170417:remove:4727489, author = {BleepingComputer}, title = {{Remove Search.searchetan.com Chrome New Tab Page}}, date = {2017-04-17}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/virus-removal/remove-search-searchetan.com-chrome-new-tab-page}, language = {English}, urldate = {2020-01-06} } @online{blog:20081124:iwormnuwarw:424455b, author = {NoVirusThanks Blog}, title = {{I-Worm/Nuwar.W + Rustock.E Variant – Analysis}}, date = {2008-11-24}, organization = {NoVirusThanks Blog}, url = {http://blog.novirusthanks.org/2008/11/i-wormnuwarw-rustocke-variant-analysis/}, language = {English}, urldate = {2019-10-15} } @online{blog:20170413:decrypting:c59a1bd, author = {Koodous Blog}, title = {{Decrypting Bankbot communications.}}, date = {2017-04-13}, organization = {Koodous}, url = {http://blog.koodous.com/2017/04/decrypting-bankbot-communications.html}, language = {English}, urldate = {2019-08-07} } @online{blog:20200904:navigating:75404a6, author = {Quosec Blog}, title = {{Navigating QakBot samples with grap}}, date = {2020-09-04}, organization = {QuoSec GmbH}, url = {https://blog.quosec.net/posts/grap_qakbot_navigation/}, language = {English}, urldate = {2020-11-09} } @online{blog:20200910:grap:d2f055d, author = {Quosec Blog}, title = {{grap: Automating QakBot strings decryption}}, date = {2020-09-10}, organization = {QuoSec GmbH}, url = {https://blog.quosec.net/posts/grap_qakbot_strings/}, language = {English}, urldate = {2020-11-09} } @techreport{blueliv:20151026:chasing:975ef1a, author = {Blueliv}, title = {{Chasing cybercrime: network insights of Dyre and Dridex Trojan bankers}}, date = {2015-10-26}, institution = {Blueliv}, url = 
{https://www.blueliv.com/downloads/documentation/reports/Network_insights_of_Dyre_and_Dridex_Trojan_bankers.pdf}, language = {English}, urldate = {2020-01-13} } @techreport{blueliv:201609:chasing:1c02f62, author = {Blueliv}, title = {{Chasing Cybercrime: Network insights into Vawtrak v2}}, date = {2016-09}, institution = {Blueliv}, url = {https://www.blueliv.com/downloads/network-insights-into-vawtrak-v2.pdf}, language = {English}, urldate = {2020-01-07} } @online{blueliv:20171006:trickbot:a2a9ac8, author = {Blueliv}, title = {{TrickBot banking trojan using EFLAGS as an anti-hook technique}}, date = {2017-10-06}, organization = {Blueliv}, url = {https://www.blueliv.com/research/trickbot-banking-trojan-using-eflags-as-an-anti-hook-technique/}, language = {English}, urldate = {2020-01-08} } @techreport{blueliv:201807:necurs:652cee2, author = {Blueliv}, title = {{Necurs Malware Overview}}, date = {2018-07}, institution = {Blueliv}, url = {https://www.blueliv.com/wp-content/uploads/2018/07/Blueliv-Necurs-report-2017.pdf}, language = {English}, urldate = {2019-12-10} } @online{bobritsky:20201118:stopping:e5c486b, author = {Eddy Bobritsky}, title = {{Stopping BuerLoader With Minerva Lab's Hostile Environment Simulation module}}, date = {2020-11-18}, organization = {Minerva Labs}, url = {https://blog.minerva-labs.com/stopping-buerloader}, language = {English}, urldate = {2020-11-19} } @online{bocereg:20200924:apps:88b3497, author = {Alexandra Bocereg and Oana Asoltanei and Ioan-Septimiu Dinulica and Bogdan Botezatu}, title = {{Apps on Google Play Tainted with Cerberus Banker Malware}}, date = {2020-09-24}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2020/09/apps-on-google-play-tainted-with-cerberus-banker-malware/}, language = {English}, urldate = {2020-10-13} } @online{boczan:20180605:evolution:372e566, author = {Tamas Boczan}, title = {{The Evolution of GandCrab Ransomware}}, date = {2018-06-05}, organization = {VMRay}, url = 
{http://www.vmray.com/cyber-security-blog/gandcrab-ransomware-evolution-analysis/}, language = {English}, urldate = {2019-11-20} } @online{boczan:20190625:analyzing:fe5a161, author = {Tamas Boczan}, title = {{Analyzing Ursnif’s Behavior Using a Malware Sandbox}}, date = {2019-06-25}, organization = {VMRay}, url = {https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/}, language = {English}, urldate = {2019-12-17} } @online{boddy:20170615:trickbot:6eb1db4, author = {Sara Boddy and Jesse Smith and Doron Voolf}, title = {{Trickbot Expands Global Targets Beyond Banks and Payment Processors to CRMs}}, date = {2017-06-15}, organization = {F5}, url = {https://f5.com/labs/articles/threat-intelligence/malware/trickbot-expands-global-targets-beyond-banks-and-payment-processors-to-crms}, language = {English}, urldate = {2019-12-24} } @online{boguslavskiy:20200715:inside:f9b95b1, author = {Yelisey Boguslavskiy and Samantha van de Ven}, title = {{Inside REvil Extortionist “Machine”: Predictive Insights}}, date = {2020-07-15}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/inside-revil-extortionist-machine-predictive-insights}, language = {English}, urldate = {2020-07-16} } @online{bohio:20150319:analyzing:eac298c, author = {Muhammad Junaid Bohio}, title = {{Analyzing a Backdoor/Bot for the MIPS Platform}}, date = {2015-03-19}, url = {https://www.sans.org/reading-room/whitepapers/malicious/analyzing-backdoor-bot-mips-platform-35902}, language = {English}, urldate = {2020-09-21} } @online{boldewin:20181231:fastcashmalwaredissected:d72e332, author = {Frank Boldewin}, title = {{FastCashMalwareDissected}}, date = {2018-12-31}, organization = {Github Repository}, url = {https://github.com/fboldewin/FastCashMalwareDissected/}, language = {English}, urldate = {2019-07-10} } @online{boldewin:20190328:javadispcash:8899167, author = {Frank Boldewin}, title = {{Tweet on JavaDispCash}}, date = {2019-03-28}, organization = 
{Twitter (@r3c0nst)}, url = {https://twitter.com/r3c0nst/status/1111254169623674882}, language = {English}, urldate = {2020-01-06} } @online{boldewin:20190601:atm:7c1d0c2, author = {Frank Boldewin}, title = {{Tweet on ATM Malware NVISOSPIT}}, date = {2019-06-01}, organization = {Twitter (@r3c0nst)}, url = {https://twitter.com/r3c0nst/status/1135606944427905025}, language = {English}, urldate = {2019-11-26} } @online{boldewin:20190710:xfs:aa523ad, author = {Frank Boldewin}, title = {{Tweet on XFS ATM malware}}, date = {2019-07-10}, organization = {Twitter (@r3c0nst)}, url = {https://twitter.com/r3c0nst/status/1149043362244308992}, language = {English}, urldate = {2020-01-06} } @online{boldewin:20190828:atm:b393cb8, author = {Frank Boldewin}, title = {{Tweet on ATM Malware}}, date = {2019-08-28}, organization = {Twitter (@r3c0nst)}, url = {https://twitter.com/r3c0nst/status/1166773324548063232}, language = {English}, urldate = {2019-12-05} } @online{boldewin:20191129:libertad:974f5d8, author = {Frank Boldewin}, title = {{Libertad y gloria - A Mexican cyber heist story - CyberCrimeCon19 Singapore}}, date = {2019-11-29}, organization = {Github (fboldewin)}, url = {https://github.com/fboldewin/Libertad-y-gloria---A-Mexican-cyber-heist-story---CyberCrimeCon19-Singapore}, language = {English}, urldate = {2019-12-17} } @online{boldewin:20200227:dispcashbr:7dda1c8, author = {Frank Boldewin}, title = {{Tweet on DispCashBR}}, date = {2020-02-27}, organization = {Twitter (@r3c0nst)}, url = {https://twitter.com/r3c0nst/status/1232944566208286720}, language = {English}, urldate = {2020-02-27} } @online{boldewin:20200817:loup:c8e43e4, author = {Frank Boldewin}, title = {{Tweet on Loup}}, date = {2020-08-17}, organization = {Twitter (@r3c0nst)}, url = {https://twitter.com/r3c0nst/status/1295275546780327936}, language = {English}, urldate = {2020-08-17} } @techreport{boldewin:20201127:when:9697611, author = {Frank Boldewin}, title = {{When ransomware hits an ATM giant - The Diebold 
Nixdorf case dissected}}, date = {2020-11-27}, institution = {Fiducia & GAD IT AG}, url = {https://raw.githubusercontent.com/fboldewin/When-ransomware-hits-an-ATM-giant---The-Diebold-Nixdorf-case-dissected/main/When%20ransomware%20hits%20an%20ATM%20giant%20-%20The%20Diebold%20Nixdorf%20case%20dissected%20-%20Group-IB%20CyberCrimeCon2020.pdf}, language = {English}, urldate = {2020-12-01} } @online{bone:20200617:detecting:be87469, author = {Rob Bone}, title = {{Detecting PoshC2 – Indicators of Compromise}}, date = {2020-06-17}, organization = {Nettitude Labs}, url = {https://labs.nettitude.com/blog/detecting-poshc2-indicators-of-compromise/}, language = {English}, urldate = {2020-06-18} } @online{bonfa:20101115:tracing:4f23185, author = {Giuseppe Bonfa}, title = {{Tracing the Crimeware Origins by Reversing Injected Code}}, date = {2010-11-15}, organization = {Infosec}, url = {http://resources.infosecinstitute.com/zeroaccess-malware-part-4-tracing-the-crimeware-origins-by-reversing-injected-code/}, language = {English}, urldate = {2020-01-05} } @online{bonfa:20101116:zeroaccess:14293db, author = {Giuseppe Bonfa}, title = {{ZEROACCESS MALWARE - PART 3: The Device Driver Process Injection Rootkit}}, date = {2010-11-16}, url = {http://resources.infosecinstitute.com/zeroaccess-malware-part-3-the-device-driver-process-injection-rootkit/}, language = {English}, urldate = {2020-01-08} } @online{bonfa:20101120:kernelmode:b6d039e, author = {Giuseppe Bonfa}, title = {{The Kernel-Mode Device Driver Stealth Rootkit}}, date = {2010-11-20}, organization = {InfoSec Institute}, url = {http://resources.infosecinstitute.com/zeroaccess-malware-part-2-the-kernel-mode-device-driver-stealth-rootkit/}, language = {English}, urldate = {2020-01-13} } @online{bonfa:201011:zeroaccess:fd02426, author = {Giuseppe Bonfa}, title = {{ZEROACCESS MALWARE - PART 1: De-Obfuscating and Reversing the User-Mode Agent Dropper}}, date = {2010-11}, organization = {InfoSec Institute}, url = 
{http://resources.infosecinstitute.com/step-by-step-tutorial-on-reverse-engineering-malware-the-zeroaccessmaxsmiscer-crimeware-rootkit/}, language = {English}, urldate = {2019-12-17} } @online{borders:20190329:exodus:e3044af, author = {Security without Borders}, title = {{Exodus: New Android Spyware Made in Italy}}, date = {2019-03-29}, organization = {Security Without Borders}, url = {https://securitywithoutborders.org/blog/2019/03/29/exodus.html}, language = {English}, urldate = {2019-07-09} } @techreport{boris:20141113:computer:290f01d, author = {Ivanov Boris}, title = {{Computer Forensic Investigation of mobile Banking Trojan}}, date = {2014-11-13}, institution = {ZeroNights}, url = {http://2014.zeronights.ru/assets/files/slides/ivanovb-zeronights.pdf}, language = {English}, urldate = {2019-11-27} } @online{borja:20200914:analysis:36d3fee, author = {Aprilyn Borja and Abraham Camba and Khristoffer Jocson and Ryan Maglaque and Gilbert Sison and Jay Yaneza}, title = {{Analysis of a Convoluted Attack Chain Involving Ngrok}}, date = {2020-09-14}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/20/i/analysis-of-a-convoluted-attack-chain-involving-ngrok.html}, language = {English}, urldate = {2020-09-23} } @online{boscovich:20120913:microsoft:da601a2, author = {Richard Domingues Boscovich}, title = {{Microsoft Disrupts the Emerging Nitol Botnet Being Spread through an Unsecure Supply Chain}}, date = {2012-09-13}, organization = {Microsoft}, url = {https://blogs.technet.microsoft.com/microsoft_blog/2012/09/13/microsoft-disrupts-the-emerging-nitol-botnet-being-spread-through-an-unsecure-supply-chain/}, language = {English}, urldate = {2020-01-13} } @online{botezatu:20170505:inside:0cff0e6, author = {Bogdan Botezatu and Alexandru Maximciuc and Cristina Vatamanu and Adrian Schipur}, title = {{Inside Netrepser – a JavaScript-based Targeted Attack}}, date = {2017-05-05}, organization = {Bitdefender}, url = 
{https://labs.bitdefender.com/2017/05/inside-netrepser-a-javascript-based-targeted-attack/}, language = {English}, urldate = {2020-01-08} } @online{botezatu:20180124:new:f993782, author = {Bogdan Botezatu}, title = {{New Hide ‘N Seek IoT Botnet using custom-built Peer-to-Peer communication spotted in the wild}}, date = {2018-01-24}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2018/01/new-hide-n-seek-iot-botnet-using-custom-built-peer-to-peer-communication-spotted-in-the-wild/}, language = {English}, urldate = {2020-01-08} } @online{botezatu:20180413:radrat:e2bc7ad, author = {Bogdan Botezatu and Eduard Budaca}, title = {{RadRAT: An all-in-one toolkit for complex espionage ops}}, date = {2018-04-13}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2018/04/radrat-an-all-in-one-toolkit-for-complex-espionage-ops/}, language = {English}, urldate = {2020-01-09} } @online{botezatu:20180507:hide:0fd8d9a, author = {Bogdan Botezatu}, title = {{Hide and Seek IoT Botnet resurfaces with new tricks, persistence}}, date = {2018-05-07}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2018/05/hide-and-seek-iot-botnet-resurfaces-with-new-tricks-persistence/}, language = {English}, urldate = {2020-01-06} } @online{botezatu:20181025:gandcrab:4e85fe9, author = {Bogdan Botezatu}, title = {{GandCrab Ransomware decryption tool}}, date = {2018-10-25}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2018/02/gandcrab-ransomware-decryption-tool-available-for-free/}, language = {English}, urldate = {2020-01-10} } @online{botezatu:20190219:new:21079a9, author = {Bogdan Botezatu}, title = {{New GandCrab v5.1 Decryptor Available Now}}, date = {2019-02-19}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2019/02/new-gandcrab-v5-1-decryptor-available-now/}, language = {English}, urldate = {2019-10-15} } @online{botezatu:20190416:inside:8302b5d, author = {Bogdan Botezatu and Cristofor Ochinca and Andrei 
Ardelean}, title = {{Inside Scranos – A Cross Platform, Rootkit-Enabled Spyware Operation}}, date = {2019-04-16}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2019/04/inside-scranos-a-cross-platform-rootkit-enabled-spyware-operation/}, language = {English}, urldate = {2019-12-18} } @online{botezatu:20190617:good:c24ed06, author = {Bogdan Botezatu}, title = {{Good riddance, GandCrab! We’re still fixing the mess you left behind}}, date = {2019-06-17}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2019/06/good-riddance-gandcrab-were-still-fixing-the-mess-you-left-behind}, language = {English}, urldate = {2020-01-10} } @techreport{botezatu:20190625:scranos:13c5096, author = {Bogdan Botezatu and Andrei Ardelean and Cristofor Ochinca and Cristian Alexandru and Istrate and Claudiu Stefan Coblis}, title = {{Scranos Revisited – Rethinking persistence to keep established network alive}}, date = {2019-06-25}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/271/Bitdefender-Whitepaper-Scranos-2.pdf}, language = {English}, urldate = {2020-01-08} } @online{bousseaden:20200625:close:be8a8b2, author = {Samir Bousseaden and Daniel Stepanic}, title = {{A close look at the advanced techniques used in a Malaysian-focused APT campaign}}, date = {2020-06-25}, organization = {Elastic}, url = {https://www.elastic.co/blog/advanced-techniques-used-in-malaysian-focused-apt-campaign}, language = {English}, urldate = {2020-06-25} } @online{boutin:20131218:qadars:98a9a63, author = {Jean-Ian Boutin}, title = {{Qadars – a banking Trojan with the Netherlands in its sights}}, date = {2013-12-18}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2013/12/18/qadars-a-banking-trojan-with-the-netherlands-in-its-sights/}, language = {English}, urldate = {2019-11-14} } @online{boutin:20150409:operation:077f5fe, author = {Jean-Ian Boutin}, title = {{Operation Buhtrap, the trap for Russian 
accountants}}, date = {2015-04-09}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2015/04/09/operation-buhtrap/}, language = {English}, urldate = {2019-11-14} } @online{boutin:20151111:operation:baffed9, author = {Jean-Ian Boutin}, title = {{Operation Buhtrap malware distributed via ammyy.com}}, date = {2015-11-11}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2015/11/11/operation-buhtrap-malware-distributed-via-ammyy-com/}, language = {English}, urldate = {2020-01-08} } @online{boutin:20170606:turlas:f9b4935, author = {Jean-Ian Boutin}, title = {{Turla’s watering hole campaign: An updated Firefox extension abusing Instagram}}, date = {2017-06-06}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/06/06/turlas-watering-hole-campaign-updated-firefox-extension-abusing-instagram/}, language = {English}, urldate = {2019-11-14} } @online{boutin:20181105:bluehat:65f6d65, author = {Jean-Ian Boutin and Frédéric Vachon}, title = {{BlueHat v18 || First STRONTIUM UEFI Rootkit Unveiled}}, date = {2018-11-05}, organization = {Youtube (MSRC)}, url = {https://www.youtube.com/watch?v=VeoXT0nEcFU}, language = {English}, urldate = {2019-12-17} } @online{boutin:20190711:buhtrap:ec174bc, author = {Jean-Ian Boutin}, title = {{Buhtrap group uses zero-day in latest espionage campaigns}}, date = {2019-07-11}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/07/11/buhtrap-zero-day-espionage-campaigns/}, language = {English}, urldate = {2019-11-14} } @online{boutin:20200611:gamaredon:14a96c2, author = {Jean-Ian Boutin}, title = {{Gamaredon group grows its game}}, date = {2020-06-11}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/}, language = {English}, urldate = {2020-06-11} } @online{boutin:20201012:eset:a7eeb51, author = {Jean-Ian Boutin}, title = {{ESET takes part in global operation to disrupt Trickbot}}, date = 
{2020-10-12}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/10/12/eset-takes-part-global-operation-disrupt-trickbot/}, language = {English}, urldate = {2020-10-12} } @online{brackmann:20200709:threat:dc4f44e, author = {Pascal Brackmann}, title = {{Threat Bulletin: Dissecting GuLoader’s Evasion Techniques}}, date = {2020-07-09}, organization = {VMRay}, url = {https://www.vmray.com/cyber-security-blog/guloader-evasion-techniques-threat-bulletin/}, language = {English}, urldate = {2021-01-10} } @online{brad:20180117:reviewing:49ad844, author = {brad}, title = {{Reviewing the spam filters: Malspam pushing Gozi-ISFB}}, date = {2018-01-17}, organization = {SANS ISC}, url = {https://isc.sans.edu/forums/diary/Reviewing+the+spam+filters+Malspam+pushing+GoziISFB/23245}, language = {English}, urldate = {2019-12-20} } @online{brady:20190117:pond:572e6e8, author = {Matthew Brady}, title = {{Pond Loach delivers BadCake malware}}, date = {2019-01-17}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/blogs-pond-loach-delivers-badcake-malware}, language = {English}, urldate = {2020-03-03} } @online{brandt:20190503:megacortex:fc2d16b, author = {Andrew Brandt}, title = {{“MegaCortex” ransomware wants to be The One}}, date = {2019-05-03}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2019/05/03/megacortex-ransomware-wants-to-be-the-one/}, language = {English}, urldate = {2019-11-27} } @online{brandt:20200206:living:811742c, author = {Andrew Brandt and Mark Loman}, title = {{Living off another land: Ransomware borrows vulnerable driver to remove security software}}, date = {2020-02-06}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2020/02/06/living-off-another-land-ransomware-borrows-vulnerable-driver-to-remove-security-software/}, language = {English}, urldate = {2020-02-13} } @online{brandt:20200624:glupteba:fc4095d, author = {Andrew Brandt}, title = {{Glupteba malware hides in plain sight}}, date = 
{2020-06-24}, organization = {Sophos Labs}, url = {https://news.sophos.com/en-us/2020/06/24/glupteba-report/?cmp=30728}, language = {English}, urldate = {2020-06-24} } @online{brandt:20200729:emotets:cb1de9b, author = {Andrew Brandt}, title = {{Emotet’s return is the canary in the coal mine}}, date = {2020-07-29}, organization = {Sophos Labs}, url = {https://news.sophos.com/en-us/2020/07/28/emotets-return-is-the-canary-in-the-coal-mine/?cmp=30728}, language = {English}, urldate = {2020-07-30} } @online{brandt:20200917:maze:714f603, author = {Andrew Brandt and Peter Mackenzie}, title = {{Maze attackers adopt Ragnar Locker virtual machine technique}}, date = {2020-09-17}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2020/09/17/maze-attackers-adopt-ragnar-locker-virtual-machine-technique/}, language = {English}, urldate = {2020-09-21} } @online{brandt:20200924:emaildelivered:742cfe6, author = {Andrew Brandt and Andrew O'Donnell and Fraser Howard}, title = {{Email-delivered MoDi RAT attack pastes PowerShell commands}}, date = {2020-09-24}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2020/09/24/email-delivered-modi-rat-attack-pastes-powershell-commands}, language = {English}, urldate = {2020-09-25} } @techreport{brave:20180515:human:b4396ac, author = {Brave}, title = {{Human Rights Under Surveillance: Digital Threats Against Human Rights Defenders in Pakistan}}, date = {2018-05-15}, institution = {Amnesty International}, url = {https://www.amnesty.org/download/Documents/ASA3383662018ENGLISH.PDF}, language = {English}, urldate = {2019-12-10} } @online{breach:20200130:tracking:bfa4550, author = {Under The Breach}, title = {{Tracking Down REvil’s “Lalartu” by utilizing multiple OSINT methods}}, date = {2020-01-30}, organization = {Under The Breach}, url = {https://medium.com/@underthebreach/tracking-down-revils-lalartu-by-utilizing-multiple-osint-methods-2bf3a6c65a80}, language = {English}, urldate = {2020-01-31} } 
@online{breakdown:20170403:shadow:962f78d, author = {Malware Breakdown}, title = {{Shadow Server Domains Leading to RIG Exploit Kit Dropping Smoke Loader}}, date = {2017-04-03}, organization = {Malware Breakdown}, url = {https://malwarebreakdown.com/2017/04/03/shadow-server-domains-leads-to-rig-exploit-kit-dropping-smoke-loader-which-downloads-neutrino-bot-aka-kasidet/}, language = {English}, urldate = {2019-12-18} } @online{breakdown:20170724:seamless:7e55e6a, author = {Malware Breakdown}, title = {{The Seamless Campaign Drops Ramnit. Follow-up Malware: AZORult Stealer, Smoke Loader, etc.}}, date = {2017-07-24}, organization = {Malware Breakdown}, url = {https://malwarebreakdown.com/2017/07/24/the-seamless-campaign-drops-ramnit-follow-up-malware-azorult-stealer-smoke-loader-etc/}, language = {English}, urldate = {2020-01-10} } @online{breakdown:20170823:seamless:3a2c794, author = {Malware Breakdown}, title = {{The Seamless Campaign Isn’t Losing Any Steam}}, date = {2017-08-23}, url = {https://malwarebreakdown.com/2017/08/23/the-seamless-campaign-isnt-losing-any-steam/}, language = {English}, urldate = {2019-12-04} } @online{breakdown:20170911:re:5d563f4, author = {Malware Breakdown}, title = {{“Re: Details” Malspam Downloads CoreBot Banking Trojan}}, date = {2017-09-11}, organization = {Malware Breakdown}, url = {https://malwarebreakdown.com/2017/09/11/re-details-malspam-downloads-corebot-banking-trojan/}, language = {English}, urldate = {2020-01-08} } @online{breakdown:20180321:fobos:15877e7, author = {Malware Breakdown}, title = {{Fobos Malvertising Campaign Delivers Bunitu Proxy Trojan via RIG EK}}, date = {2018-03-21}, organization = {Malware Breakdown Blog}, url = {https://malwarebreakdown.com/2018/03/21/fobos-malvertising-campaign-delivers-bunitu-proxy-trojan-via-rig-ek/}, language = {English}, urldate = {2019-10-13} } @online{breen:20140505:vt:121e664, author = {Kevin Breen}, title = {{VT Comments Page on Blue Banana Sample}}, date = {2014-05-05}, url = 
{https://www.virustotal.com/gui/file/60faab36491e07f10bf6a3ebe66ed9238459b2af7e36118fccd50583728141a4/community}, language = {English}, urldate = {2020-10-13} } @techreport{breitenbacher:20200617:operation:7969e3a, author = {Dominik Breitenbacher and Kaspars Osis}, title = {{Operation In(ter)ception: Targeted Attacks against European Aerospace and Military Companies}}, date = {2020-06-17}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_Operation_Interception.pdf}, language = {English}, urldate = {2020-06-17} } @online{brenner:20170626:how:b5978ec, author = {Bill Brenner}, title = {{How Spora ransomware tries to fool antivirus}}, date = {2017-06-26}, organization = {Sophos}, url = {https://nakedsecurity.sophos.com/2017/06/26/how-spora-ransomware-tries-to-fool-antivirus/}, language = {English}, urldate = {2019-10-14} } @online{brewster:20140807:sophisticated:5f484c8, author = {Tom Brewster}, title = {{Sophisticated 'Turla' hackers spying on European governments, say researchers}}, date = {2014-08-07}, organization = {The Guardian}, url = {https://www.theguardian.com/technology/2014/aug/07/turla-hackers-spying-governments-researcher-kaspersky-symantec}, language = {English}, urldate = {2020-01-05} } @online{brewster:20170215:inside:8b5faed, author = {Thomas Brewster}, title = {{Inside OilRig -- Tracking Iran's Busiest Hacker Crew On Its Global Rampage}}, date = {2017-02-15}, organization = {Forbes}, url = {https://www.forbes.com/sites/thomasbrewster/2017/02/15/oilrig-iran-hackers-cyberespionage-us-turkey-saudi-arabia/#56749aa2468a}, language = {English}, urldate = {2020-01-13} } @online{brewster:20170504:behind:4da1ded, author = {Thomas Brewster}, title = {{Behind The Mystery Of Russia's 'Dyre' Hackers Who Stole Millions From American Business}}, date = {2017-05-04}, organization = {Forbes}, url = {https://www.forbes.com/sites/thomasbrewster/2017/05/04/dyre-hackers-stealing-millions-from-american-coporates}, 
language = {English}, urldate = {2020-01-09} } @online{brewster:20170727:with:b21b072, author = {Thomas Brewster}, title = {{With Fake News And Femmes Fatales, Iran's Spies Learn To Love Facebook}}, date = {2017-07-27}, organization = {Forbes}, url = {https://www.forbes.com/sites/thomasbrewster/2017/07/27/iran-hackers-oilrig-use-fake-personas-on-facebook-linkedin-for-cyberespionage/}, language = {English}, urldate = {2020-01-07} } @online{brewster:20180830:hackers:d006ceb, author = {Thomas Brewster}, title = {{Hackers Are Exposing An Apple Mac Weakness In Middle East Espionage}}, date = {2018-08-30}, organization = {Forbes}, url = {https://www.forbes.com/sites/thomasbrewster/2018/08/30/apple-mac-loophole-breached-in-middle-east-hacks/}, language = {English}, urldate = {2019-11-26} } @online{bromiley:20161007:attacking:0d71422, author = {Matt Bromiley and Preston Lewis}, title = {{Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years}}, date = {2016-10-07}, organization = {FireEye}, url = {https://www.youtube.com/watch?v=fevGZs0EQu8}, language = {English}, urldate = {2020-04-17} } @online{bromiley:20190718:hard:7a6144e, author = {Matt Bromiley and Noah Klapprodt and Nick Schroeder and Jessica Rocchio}, title = {{Hard Pass: Declining APT34’s Invite to Join Their Professional Network}}, date = {2019-07-18}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html}, language = {English}, urldate = {2019-12-20} } @online{brook:20120725:new:67f3d60, author = {Chris Brook}, title = {{New and Improved Madi Spyware Campaign Continues}}, date = {2012-07-25}, organization = {Threatpost}, url = {https://threatpost.com/new-and-improved-madi-spyware-campaign-continues-072512/76849/}, language = {English}, urldate = {2019-12-17} } @online{brook:20160425:attackers:61e599a, author = {Chris Brook}, title = {{Attackers Behind GozNym Trojan 
Set Sights on Europe}}, date = {2016-04-25}, organization = {Threatpost}, url = {https://threatpost.com/attackers-behind-goznym-trojan-set-sights-on-europe/117647/}, language = {English}, urldate = {2019-11-23} } @online{brook:20160823:goznym:29466b9, author = {Chris Brook}, title = {{GozNym Banking Trojan Targeting German Banks}}, date = {2016-08-23}, organization = {Threatpost}, url = {https://threatpost.com/goznym-banking-trojan-targeting-german-banks/120075/}, language = {English}, urldate = {2020-01-08} } @online{brook:20171114:iceid:5a074d2, author = {Chris Brook}, title = {{IceID Banking Trojan Targeting Banks, Payment Card Providers, E-Commerce Sites}}, date = {2017-11-14}, organization = {Digital Guardian}, url = {https://digitalguardian.com/blog/iceid-banking-trojan-targeting-banks-payment-card-providers-e-commerce-sites}, language = {English}, urldate = {2019-07-10} } @online{brooks:20200602:malware:bc0b560, author = {Casey Brooks}, title = {{Tweet on malware called dnstunnel RAT}}, date = {2020-06-02}, organization = {Twitter (@DrunkBinary)}, url = {https://twitter.com/DrunkBinary/status/1267568386516692992}, language = {English}, urldate = {2020-06-05} } @techreport{brooks:20201210:open:5c64c56, author = {Casey Brooks and Selena Larson}, title = {{Open Source Intelligence}}, date = {2020-12-10}, institution = {Dragos}, url = {https://f.hubspotusercontent10.net/hubfs/5943619/Whitepaper-Downloads/Dragos-OSINT-Framework.pdf}, language = {English}, urldate = {2021-01-01} } @online{brown:20181025:new:7234825, author = {Sophia Brown}, title = {{New sLoad malware downloader being leveraged by APT group TA554 to spread Ramnit}}, date = {2018-10-25}, url = {https://cyware.com/news/new-sload-malware-downloader-being-leveraged-by-apt-group-ta554-to-spread-ramnit-7d03f2d9}, language = {English}, urldate = {2019-11-22} } @online{brown:20181211:new:fa1fc12, author = {Sophia Brown}, title = {{New Satan ransomware variant ‘Lucky’ exposes 10 server-side 
vulnerabilities}}, date = {2018-12-11}, organization = {Cyware}, url = {https://cyware.com/news/new-satan-ransomware-variant-lucky-exposes-10-server-side-vulnerabilities-070afbd2}, language = {English}, urldate = {2020-01-07} } @online{brown:20200507:detecting:5059f43, author = {Jesse Brown}, title = {{Detecting COR_PROFILER manipulation for persistence}}, date = {2020-05-07}, organization = {Red Canary}, url = {https://redcanary.com/blog/cor_profiler-for-persistence/}, language = {English}, urldate = {2020-06-02} } @online{brubaker:20200715:financially:f217555, author = {Nathan Brubaker and Daniel Kapellmann Zafra and Keith Lunden and Ken Proska and Corey Hildebrandt}, title = {{Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families}}, date = {2020-07-15}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html}, language = {English}, urldate = {2020-07-16} } @online{brumaghin:20160711:when:0155a0a, author = {Edmund Brumaghin and Warren Mercer}, title = {{When Paying Out Doesn't Pay Off}}, date = {2016-07-11}, organization = {Talos}, url = {http://blog.talosintel.com/2016/07/ranscam.html}, language = {English}, urldate = {2020-01-09} } @online{brumaghin:20170502:covert:32e078f, author = {Edmund Brumaghin and Colin Grady}, title = {{Covert Channels and Poor Decisions: The Tale of DNSMessenger}}, date = {2017-05-02}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2017/03/dnsmessenger.html}, language = {English}, urldate = {2019-11-26} } @online{brumaghin:20170918:ccleanup:5ba0369, author = {Edmund Brumaghin and Ross Gibb and Warren Mercer and Matthew Molyett and Craig Williams}, title = {{CCleanup: A Vast Number of Machines at Risk}}, date = {2017-09-18}, organization = {Cisco Talos}, url = {http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html}, 
language = {English}, urldate = {2020-01-08} } @online{brumaghin:20170920:ccleaner:e034063, author = {Edmund Brumaghin and Earl Carter and Warren Mercer and Matthew Molyett and Matthew Olney and Paul Rascagnères and Craig Williams}, title = {{CCleaner Command and Control Causes Concern}}, date = {2017-09-20}, organization = {Cisco Talos}, url = {http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html}, language = {English}, urldate = {2020-01-06} } @online{brumaghin:20171011:spoofed:9f0fc69, author = {Edmund Brumaghin and Colin Grady and Dave Maynor and @Simpo13}, title = {{Spoofed SEC Emails Distribute Evolved DNSMessenger}}, date = {2017-10-11}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2017/10/dnsmessenger-sec-campaign.html}, language = {English}, urldate = {2020-01-09} } @online{brumaghin:20171102:poisoning:c00599d, author = {Edmund Brumaghin and Earl Carter and Emmanuel Tacheau}, title = {{Poisoning the Well: Banking Trojan Targets Google Search Results}}, date = {2017-11-02}, organization = {Talos}, url = {http://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html}, language = {English}, urldate = {2019-11-21} } @online{brumaghin:20180306:gozi:6146f77, author = {Edmund Brumaghin and Holger Unterbrink and Adam Weller}, title = {{Gozi ISFB Remains Active in 2018, Leverages "Dark Cloud" Botnet For Distribution}}, date = {2018-03-06}, organization = {Cisco Talos}, url = {http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html}, language = {English}, urldate = {2019-12-17} } @online{brumaghin:20180626:files:661b639, author = {Edmund Brumaghin and Earl Carter and Andrew Williams}, title = {{Files Cannot Be Decrypted? Challenge Accepted. 
Talos Releases ThanatosDecryptor}}, date = {2018-06-26}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2018/06/ThanatosDecryptor.html}, language = {English}, urldate = {2020-01-09} } @online{brumaghin:20180822:picking:925912d, author = {Edmund Brumaghin and Holger Unterbrink and Eric Kuhla and Lilia Gonzalez Medina}, title = {{Picking Apart Remcos Botnet-In-A-Box}}, date = {2018-08-22}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2018/08/picking-apart-remcos.html}, language = {English}, urldate = {2019-10-23} } @online{brumaghin:20180926:vpnfilter:343892a, author = {Edmund Brumaghin}, title = {{VPNFilter III: More Tools for the Swiss Army Knife of Malware}}, date = {2018-09-26}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2018/09/vpnfilter-part-3.html}, language = {English}, urldate = {2019-12-17} } @online{brumaghin:20181108:metamorfo:d12fe7e, author = {Edmund Brumaghin and Warren Mercer and Paul Rascagnères and Vitor Ventura}, title = {{Metamorfo Banking Trojan Keeps Its Sights on Brazil}}, date = {2018-11-08}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2018/11/metamorfo-brazilian-campaigns.html}, language = {English}, urldate = {2020-01-06} } @online{brumaghin:20190130:fake:3499d4e, author = {Edmund Brumaghin and Paul Rascagnères and Jungsoo An}, title = {{Fake Cisco Job Posting Targets Korean Candidates}}, date = {2019-01-30}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/01/fake-korean-job-posting.html}, language = {English}, urldate = {2020-01-10} } @online{brumaghin:20190415:new:bf931b1, author = {Edmund Brumaghin and Holger Unterbrink}, title = {{New HawkEye Reborn Variant Emerges Following Ownership Change}}, date = {2019-04-15}, organization = {Talos}, url = {https://blog.talosintelligence.com/2019/04/hawkeye-reborn.html}, language = {English}, urldate = {2020-01-09} } @online{brumaghin:20190715:sweed:9725699, author = 
{Edmund Brumaghin}, title = {{SWEED: Exposing years of Agent Tesla campaigns}}, date = {2019-07-15}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html}, language = {English}, urldate = {2020-01-08} } @online{brumaghin:20190828:rat:dadd9c5, author = {Edmund Brumaghin and Holger Unterbrink}, title = {{RAT Ratatouille: Backdooring PCs with leaked RATs}}, date = {2019-08-28}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/08/rat-ratatouille-revrat-orcus.html}, language = {English}, urldate = {2020-01-13} } @online{brumaghin:20190926:divergent:2d282a0, author = {Edmund Brumaghin}, title = {{Divergent: "Fileless" NodeJS Malware Burrows Deep Within the Host}}, date = {2019-09-26}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/09/divergent-analysis.html}, language = {English}, urldate = {2019-10-24} } @online{brumaghin:20200423:threat:4f7f840, author = {Edmund Brumaghin and Amit Raut}, title = {{Threat Spotlight: MedusaLocker}}, date = {2020-04-23}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/04/medusalocker.html}, language = {English}, urldate = {2020-04-26} } @online{bryant:20190213:hunting:8c671bf, author = {Josh Bryant and Robert Falcone}, title = {{Hunting Webshells: Tracking TwoFace - SANS Threat Hunting Summit 2018}}, date = {2019-02-13}, organization = {Youtube (SANS Digital Forensics \& Incident Response)}, url = {https://www.youtube.com/watch?v=GjquFKa4afU}, language = {English}, urldate = {2020-01-13} } @techreport{bryant:20190708:hunting:7ce53d5, author = {Josh M. 
Bryant and Robert Falcone}, title = {{Hunting Webshells: Tracking TwoFace}}, date = {2019-07-08}, institution = {SANS}, url = {https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1536345486.pdf}, language = {English}, urldate = {2020-01-09} } @online{bsi:20201020:die:0683ad4, author = {BSI}, title = {{Die Lage der IT-Sicherheit in Deutschland 2020}}, date = {2020-10-20}, organization = {Bundesamt für Sicherheit in der Informationstechnik}, url = {https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2}, language = {German}, urldate = {2020-10-21} } @online{buchka:20160303:attack:fa7a7ba, author = {Nikita Buchka and Mikhail Kuzin}, title = {{Attack on Zygote: a new twist in the evolution of mobile threats}}, date = {2016-03-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/attack-on-zygote-a-new-twist-in-the-evolution-of-mobile-threats/74032/}, language = {English}, urldate = {2019-12-20} } @online{buchka:20161228:switcher:a2408dd, author = {Nikita Buchka}, title = {{Switcher: Android joins the ‘attack-the-router’ club}}, date = {2016-12-28}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/mobile/76969/switcher-android-joins-the-attack-the-router-club/}, language = {English}, urldate = {2019-12-20} } @online{buchka:20171218:jack:5842578, author = {Nikita Buchka and Anton Kivva and Dmitry Galov}, title = {{Jack of all trades}}, date = {2017-12-18}, organization = {Kaspersky Labs}, url = {https://securelist.com/jack-of-all-trades/83470/}, language = {English}, urldate = {2019-12-20} } @online{buchka:20180116:skygofree:4e0990c, author = {Nikita Buchka and Alexey Firsh}, title = {{Skygofree: Following in the footsteps of HackingTeam}}, date = {2018-01-16}, organization = {Kaspersky Labs}, url = {https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/}, language = {English}, urldate = {2019-12-20} } 
@online{bucket:20140330:ioc:053d0b0, author = {IOC Bucket}, title = {{IOC Bucket for Putter Panda}}, date = {2014-03-30}, organization = {IOC Bucket}, url = {https://www.iocbucket.com/iocs/7f7999ab7f223409ea9ea10cff82b064ce2a1a31}, language = {English}, urldate = {2020-01-09} } @online{budd:20150916:operation:7889703, author = {Christopher Budd}, title = {{Operation Iron Tiger: Attackers Shift from East Asia to the United States}}, date = {2015-09-16}, organization = {Trend Micro}, url = {http://newsroom.trendmicro.com/blog/operation-iron-tiger-attackers-shift-east-asia-united-states}, language = {English}, urldate = {2019-12-17} } @techreport{buggenhout:2014:history:049d4d1, author = {Erik Van Buggenhout}, title = {{A history of ATM violence}}, date = {2014}, institution = {nviso}, url = {http://www.isg.rhul.ac.uk/dl/weekendconference2014/slides/Erik_VanBuggenhout.pdf}, language = {English}, urldate = {2020-01-08} } @online{bukhteyev:20180805:ramnits:1268bad, author = {Alexey Bukhteyev}, title = {{Ramnit’s Network of Proxy Servers}}, date = {2018-08-05}, organization = {Check Point}, url = {https://research.checkpoint.com/ramnits-network-proxy-servers/}, language = {English}, urldate = {2020-01-09} } @online{bukhteyev:20191119:phorpiex:50c2cb1, author = {Alexey Bukhteyev}, title = {{Phorpiex Breakdown}}, date = {2019-11-19}, organization = {Check Point}, url = {https://research.checkpoint.com/2019/phorpiex-breakdown/}, language = {English}, urldate = {2020-01-06} } @online{bunce:20190815:gootkit:1052b18, author = {Daniel Bunce}, title = {{Gootkit Banking Trojan | Deep Dive into Anti-Analysis Features}}, date = {2019-08-15}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/gootkit-banking-trojan-deep-dive-anti-analysis-features/}, language = {English}, urldate = {2019-12-20} } @online{bunce:20190815:gootkit:480c7e8, author = {Daniel Bunce}, title = {{Gootkit Banking Trojan | Deep Dive into Anti-Analysis Features}}, date = {2019-08-15}, 
organization = {Sentinel LABS}, url = {https://labs.sentinelone.com/gootkit-banking-trojan-deep-dive-anti-analysis-features/}, language = {English}, urldate = {2020-06-18} } @online{bunce:20190829:gootkit:b379f2c, author = {Daniel Bunce}, title = {{Gootkit Banking Trojan | Part 2: Persistence \& Other Capabilities}}, date = {2019-08-29}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/gootkit-banking-trojan-persistence-other-capabilities/}, language = {English}, urldate = {2020-01-08} } @online{bunce:20200622:unpacking:8a02d84, author = {Daniel Bunce}, title = {{Unpacking Visual Basic Packers – IcedID}}, date = {2020-06-22}, organization = {zero2auto}, url = {https://zero2auto.com/2020/06/22/unpacking-visual-basic-packers/}, language = {English}, urldate = {2020-06-24} } @online{bunce:20200820:dbatloadermodiloader:6cccf7e, author = {Daniel Bunce}, title = {{DBatLoader/ModiLoader Analysis – First Stage}}, date = {2020-08-20}, organization = {Zero2Automated Blog}, url = {https://zero2auto.com/2020/08/20/dbatloader-modiloader-first-stage/}, language = {English}, urldate = {2020-08-25} } @techreport{bundeskriminalamt:20200821:mgliche:fbbf1b2, author = {Bundeskriminalamt}, title = {{Mögliche Cyberspionage mittels der Schadsoftware GOLDENSPY}}, date = {2020-08-21}, institution = {Bundeskriminalamt}, url = {https://www.bka.de/SharedDocs/Downloads/DE/IhreSicherheit/Warnhinweise/WarnhinweisGOLDENSPY.pdf}, language = {German}, urldate = {2020-08-27} } @online{buonopane:20190201:information:2fbf14a, author = {Paul Buonopane}, title = {{Information about lnkr5, malware distributed via Chrome extensions}}, date = {2019-02-01}, organization = {Github (Zenexer)}, url = {https://github.com/Zenexer/lnkr}, language = {English}, urldate = {2020-05-05} } @online{buonopane:20190201:lnkr:f79885e, author = {Paul Buonopane}, title = {{LNKR - Extension analysis - Flash Playlist}}, date = {2019-02-01}, organization = {Github (Zenexer)}, url = 
{https://github.com/Zenexer/lnkr/blob/master/recon/extensions/fanagokoaogopceablgmpndejhedkjjb/README.md}, language = {English}, urldate = {2020-05-05} } @online{burbage:20180416:rat:3c30776, author = {Paul Burbage and Mike Mimoso}, title = {{RAT Gone Rogue: Meet ARS VBS Loader}}, date = {2018-04-16}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/meet-ars-vbs-loader/}, language = {English}, urldate = {2019-12-17} } @online{burbage:20180912:malware:5b7d58a, author = {Paul Burbage and Mike Mimoso}, title = {{Malware Campaign Targeting Jaxx Cryptocurrency Wallet Users Shut Down}}, date = {2018-09-12}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/malware-campaign-targets-jaxx-cryptocurrency-wallet-users/}, language = {English}, urldate = {2020-01-08} } @online{burbage:20181102:new:4781b19, author = {Paul Burbage}, title = {{Tweet on New Stealer}}, date = {2018-11-02}, organization = {Twitter (@hexlax)}, url = {https://twitter.com/hexlax/status/1058356670835908610}, language = {English}, urldate = {2020-01-07} } @online{burbage:20191228:tale:2e5f361, author = {Paul Burbage}, title = {{The Tale of the Pija-Droid Firefinch}}, date = {2019-12-28}, url = {https://medium.com/@paul.k.burbage/the-tale-of-the-pija-droid-firefinch-4d304fde5ca2}, language = {English}, urldate = {2020-02-14} } @online{burchard:20200528:berlin:c5c42b4, author = {Hans von der Burchard and Laurens Cerulus}, title = {{Berlin seeks sanctions against Russian hackers over Bundestag cyberattack}}, date = {2020-05-28}, organization = {POLITICO}, url = {https://www.politico.eu/article/berlin-sanctions-against-russian-hacker-bundestag-cyberattack-angela-merkel-gru/}, language = {English}, urldate = {2020-05-29} } @online{bureau:20121218:malicious:c863bcf, author = {Pierre-Marc Bureau}, title = {{Malicious Apache module used for content injection: Linux/Chapro.A}}, date = {2012-12-18}, organization = {ESET Research}, url = 
{http://blog.eset.com/2012/12/18/malicious-apache-module-used-for-content-injection-linuxchapro-a}, language = {English}, urldate = {2019-12-20} } @online{bureau:20130426:linuxcdorkeda:ab3e321, author = {Pierre-Marc Bureau}, title = {{Linux/Cdorked.A: New Apache backdoor being used in the wild to serve Blackhole}}, date = {2013-04-26}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/}, language = {English}, urldate = {2019-11-14} } @online{bureau:20130925:win32napolar:aba54b1, author = {Pierre-Marc Bureau}, title = {{Win32/Napolar – A new bot on the block}}, date = {2013-09-25}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2013/09/25/win32napolar-a-new-bot-on-the-block/}, language = {English}, urldate = {2019-11-14} } @online{bureau:20140318:operation:1b1bd17, author = {Pierre-Marc Bureau}, title = {{Operation Windigo – the vivisection of a large Linux server-side credential-stealing malware campaign}}, date = {2014-03-18}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2014/03/18/operation-windigo-the-vivisection-of-a-large-linux-server-side-credential-stealing-malware-campaign/}, language = {English}, urldate = {2019-11-14} } @online{bureau:20200305:vietnam:23ec4c0, author = {Microstep Intelligence Bureau}, title = {{Vietnam National Background APT organization "Sea Lotus" used the topic of the epidemic to attack our government agencies}}, date = {2020-03-05}, organization = {Microstep Intelligence Bureau}, url = {https://m.threatbook.cn/detail/2527}, language = {Chinese}, urldate = {2020-04-26} } @online{burgess:20200821:evolution:6d5c407, author = {Josh Burgess and Steve Ginty}, title = {{The Evolution of Ransomware \& Pinchy Spider's Shot at the Title}}, date = {2020-08-21}, organization = {Vimeo (RiskIQ)}, url = {https://vimeo.com/449849549}, language = {English}, urldate = {2020-08-25} } 
@techreport{burgess:20201209:from:1811e9c, author = {Josh Burgess and Jason Rivera}, title = {{From Zero to Sixty: The Story of North Korea’s Rapid Ascent to Becoming a Global Cyber Superpower}}, date = {2020-12-09}, institution = {CrowdStrike}, url = {https://i.blackhat.com/eu-20/Wednesday/eu-20-Rivera-From-Zero-To-Sixty-The-Story-Of-North-Koreas-Rapid-Ascent-To-Becoming-A-Global-Cyber-Superpower.pdf}, language = {English}, urldate = {2020-12-11} } @online{burt:20190327:new:9ba6b3b, author = {Tom Burt}, title = {{New steps to protect customers from hacking}}, date = {2019-03-27}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/}, language = {English}, urldate = {2020-01-13} } @online{burt:20200310:new:251948a, author = {Tom Burt}, title = {{New action to disrupt world’s largest online criminal network}}, date = {2020-03-10}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2020/03/10/necurs-botnet-cyber-crime-disrupt/}, language = {English}, urldate = {2020-03-11} } @online{burt:20200707:microsoft:3300f46, author = {Tom Burt}, title = {{Microsoft takes legal action against COVID-19-related cybercrime}}, date = {2020-07-07}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2020/07/07/digital-crimes-unit-covid-19-cybercrime/}, language = {English}, urldate = {2020-07-08} } @online{burt:20200910:new:ec117be, author = {Tom Burt}, title = {{New cyberattacks targeting U.S. elections}}, date = {2020-09-10}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2020/09/10/cyberattacks-us-elections-trump-biden/}, language = {English}, urldate = {2020-09-10} } @online{burt:20201012:new:045c1c3, author = {Tom Burt}, title = {{New action to combat ransomware ahead of U.S. 
elections}}, date = {2020-10-12}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2020/10/12/trickbot-ransomware-cyberthreat-us-elections/}, language = {English}, urldate = {2020-10-12} } @online{burt:20201020:update:12549c2, author = {Tom Burt}, title = {{An update on disruption of Trickbot}}, date = {2020-10-20}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2020/10/20/trickbot-ransomware-disruption-update/}, language = {English}, urldate = {2020-10-23} } @online{burt:20201028:cyberattacks:89b0105, author = {Tom Burt}, title = {{Cyberattacks target international conference attendees (APT35/PHOSPHORUS)}}, date = {2020-10-28}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2020/10/28/cyberattacks-phosphorus-t20-munich-security-conference/}, language = {English}, urldate = {2020-10-29} } @online{burt:20201105:gitpaste12:a3f5e87, author = {Alex Burt and Trevor Pott}, title = {{Gitpaste-12: a new worming botnet with reverse shell capability spreading via GitHub and Pastebin}}, date = {2020-11-05}, organization = {Juniper}, url = {https://blogs.juniper.net/en-us/threat-research/gitpaste-12}, language = {English}, urldate = {2020-11-09} } @online{burt:20201113:cyberattacks:d848567, author = {Tom Burt}, title = {{Cyberattacks targeting health care must stop}}, date = {2020-11-13}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2020/11/13/health-care-cyberattacks-covid-19-paris-peace-forum/}, language = {English}, urldate = {2020-11-18} } @online{burt:20201221:cyber:23a768f, author = {Tom Burt}, title = {{Cyber Mercenaries Don’t Deserve Immunity}}, date = {2020-12-21}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2020/12/21/cyber-immunity-nso/}, language = {English}, urldate = {2020-12-23} } @online{bushidotoken:20200509:turkey:a764ff0, author = {BushidoToken}, title = {{Turkey targeted by Cerberus and Anubis Android 
banking Trojan campaigns}}, date = {2020-05-09}, organization = {BushidoToken}, url = {https://bushidotoken.blogspot.com/2020/05/turkey-targeted-by-cerberus-and-anubis.html}, language = {English}, urldate = {2020-05-13} } @online{bushidotoken:20200528:ozh:d9cd398, author = {BushidoToken}, title = {{Tweet on OZH RAT}}, date = {2020-05-28}, organization = {Twitter (@BushidoToken)}, url = {https://twitter.com/BushidoToken/status/1266075992679948289}, language = {English}, urldate = {2020-05-29} } @online{bushidotoken:20200614:deepdive:3a375ca, author = {BushidoToken}, title = {{Deep-dive: The DarkHotel APT}}, date = {2020-06-14}, organization = {BushidoToken}, url = {https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html}, language = {English}, urldate = {2020-06-16} } @online{bustami:20181213:powersing:2a7b1db, author = {Mo Bustami}, title = {{POWERSING - From LNK Files To Janicab Through YouTube & Twitter}}, date = {2018-12-13}, organization = {Security 0wnage}, url = {https://sec0wn.blogspot.com/2018/12/powersing-from-lnk-files-to-janicab.html}, language = {English}, urldate = {2020-08-25} } @online{byers:20200908:ghostdnsbusters:9531dcd, author = {Nick Byers and Manabu Niseki and CERT-BR}, title = {{GhostDNSbusters: Illuminating GhostDNS Infrastructure}}, date = {2020-09-08}, organization = {Team Cymru}, url = {https://team-cymru.com/2020/09/08/ghostdnsbusters/}, language = {English}, urldate = {2020-09-15} } @online{byteatlas:20150415:knowledge:0d028a7, author = {ByteAtlas}, title = {{Knowledge Fragment: Bruteforcing Andromeda Configuration Buffers}}, date = {2015-04-15}, url = {https://byte-atlas.blogspot.ch/2015/04/kf-andromeda-bruteforcing.html}, language = {English}, urldate = {2020-01-07} } @online{byteraptors:20200603:wizardopium:b83073d, author = {ByteRaptors}, title = {{The WizardOpium LPE: Exploiting CVE-2019-1458}}, date = {2020-06-03}, organization = {ByteRaptors Blog}, url = 
{https://byteraptors.github.io/windows/exploitation/2020/06/03/exploitingcve2019-1458.html}, language = {English}, urldate = {2020-06-12} } @online{c0d3inj3ct:20180524:javascript:af29dab, author = {c0d3inj3cT}, title = {{JavaScript based Bot using Github C&C}}, date = {2018-05-24}, organization = {pwncode.io blog}, url = {http://www.pwncode.io/2018/05/javascript-based-bot-using-github-c.html}, language = {English}, urldate = {2020-05-23} } @online{c0d3inj3ct:20191224:unpacking:3102f76, author = {c0d3inj3cT}, title = {{Unpacking Payload used in Bottle EK}}, date = {2019-12-24}, organization = {pwncode.io blog}, url = {http://www.pwncode.io/2019/12/unpacking-payload-used-in-bottle-ek.html}, language = {English}, urldate = {2020-03-11} } @online{c0d3inj3ct:20191225:blacknet:80468eb, author = {c0d3inj3cT}, title = {{BlackNet RAT - When you leave the Panel unprotected}}, date = {2019-12-25}, organization = {pwncode.io blog}, url = {http://www.pwncode.io/2019/12/blacknet-rat-when-you-leave-panel.html}, language = {English}, urldate = {2020-03-11} } @online{c4i:20170216:breaking:b65439a, author = {IDF C4I and Ido Naor}, title = {{Breaking The Weakest Link Of The Strongest Chain}}, date = {2017-02-16}, organization = {Kaspersky Labs}, url = {https://securelist.com/breaking-the-weakest-link-of-the-strongest-chain/77562/}, language = {English}, urldate = {2019-12-20} } @online{c4i:20170216:breaking:cc7bead, author = {IDF C4I and Ido Naor}, title = {{Breaking The Weakest Link Of The Strongest Chain}}, date = {2017-02-16}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/}, language = {English}, urldate = {2019-12-20} } @online{c:20200608:tau:f5b25ff, author = {A C}, title = {{TAU Threat Analysis: Hakbit Ransomware}}, date = {2020-06-08}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/2020/06/08/tau-threat-analysis-hakbit-ransomware/}, language = {English}, urldate = 
{2020-06-10} } @online{c:20200615:tau:c60e41f, author = {A C}, title = {{TAU Threat Analysis: Relations to Hakbit Ransomware}}, date = {2020-06-15}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/2020/06/15/tau-threat-analysis-relations-to-hakbit-ransomware/}, language = {English}, urldate = {2020-06-16} } @online{caban:20180707:youve:b02f5ff, author = {Dan Caban and Muks Hirani}, title = {{You’ve Got Mail!}}, date = {2018-07-07}, organization = {Youtube (SteelCon)}, url = {https://www.youtube.com/watch?time_continue=1333&v=1CGAmjAV8nI}, language = {English}, urldate = {2020-01-08} } @online{cadieux:20190430:sodinokibi:d04e315, author = {Pierre Cadieux and Colin Grady and Jaeson Schultz and Matt Valites}, title = {{Sodinokibi ransomware exploits WebLogic Server vulnerability}}, date = {2019-04-30}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html}, language = {English}, urldate = {2019-12-17} } @online{calvet:20150305:casper:be062ed, author = {Joan Calvet}, title = {{Casper Malware: After Babar and Bunny, Another Espionage Cartoon}}, date = {2015-03-05}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2015/03/05/casper-malware-babar-bunny-another-espionage-cartoon/}, language = {English}, urldate = {2019-11-14} } @online{camacho:20201218:negasteal:e5b291f, author = {Matthew Camacho and Raphael Centeno and Junestherry Salvador}, title = {{Negasteal Uses Hastebin for Fileless Delivery of Crysis Ransomware}}, date = {2020-12-18}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/negasteal-uses-hastebin-for-fileless-delivery-of-crysis-ransomware}, language = {English}, urldate = {2020-12-26} } @online{camastra:20190220:spoofing:f2e825b, author = {Luigino Camastra and Jan Širmer and Adolf Středa and Lukáš Obrdlík}, title = {{Spoofing in the reeds with Rietspoof}}, date = 
{2019-02-20}, organization = {Avast Decoded}, url = {https://decoded.avast.io/threatintel/spoofing-in-the-reeds-with-rietspoof/}, language = {English}, urldate = {2020-01-06} } @online{camastra:20200514:planted:03eab5a, author = {Luigino Camastra}, title = {{APT Group Planted Backdoors Targeting High Profile Networks in Central Asia}}, date = {2020-05-14}, organization = {Avast Decoded}, url = {https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia/}, language = {English}, urldate = {2020-05-14} } @online{camastra:20201209:targeting:952844f, author = {Luigino Camastra and Igor Morgenstern}, title = {{APT Group Targeting Governmental Agencies in East Asia}}, date = {2020-12-09}, organization = {Avast Decoded}, url = {https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/}, language = {English}, urldate = {2020-12-10} } @online{camba:20121009:bkdrsarhusta:92d2b93, author = {Abraham Latimer Camba}, title = {{BKDR_SARHUST.A}}, date = {2012-10-09}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/bkdr_sarhust.a}, language = {English}, urldate = {2020-01-05} } @online{camba:20130227:bkdrrarstone:8c1d7b2, author = {Abraham Camba}, title = {{BKDR_RARSTONE: New RAT to Watch Out For}}, date = {2013-02-27}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/bkdr_rarstone-new-rat-to-watch-out-for/}, language = {English}, urldate = {2020-01-08} } @online{camba:20201120:weaponizing:e15699d, author = {Abraham Camba and Bren Matthew Ebriega and Gilbert Sison}, title = {{Weaponizing Open Source Software for Targeted Attacks}}, date = {2020-11-20}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/20/k/weaponizing-open-source-software-for-targeted-attacks.html}, language = {English}, urldate = {2020-11-23} } @online{cameron:20170915:welp:8da10de, author = 
{Dell Cameron}, title = {{Welp, Vevo Just Got Hacked}}, date = {2017-09-15}, url = {https://gizmodo.com/welp-vevo-just-got-hacked-1813390834}, language = {English}, urldate = {2019-10-17} } @online{cameron:20181030:us:45da6b7, author = {Dell Cameron}, title = {{U.S. Indicts Chinese Hacker-Spies in Conspiracy to Steal Aerospace Secrets}}, date = {2018-10-30}, organization = {Gizmodo}, url = {https://gizmodo.com/u-s-indicts-chinese-hacker-spies-in-conspiracy-to-stea-1830111695}, language = {English}, urldate = {2019-11-27} } @online{camichel:20190309:retefe:3414337, author = {Corsin Camichel}, title = {{retefe: Artefacts from various retefe campaigns}}, date = {2019-03-09}, organization = {Github (cocaman)}, url = {https://github.com/cocaman/retefe}, language = {English}, urldate = {2020-01-13} } @online{camichel:20190523:analysing:9a4f909, author = {Corsin Camichel}, title = {{Analysing "Retefe" with Sysmon and Splunk}}, date = {2019-05-23}, organization = {Vulnerability.ch Blog}, url = {https://vulnerability.ch/2019/05/analysing-retefe-with-sysmon-and-splunk/}, language = {English}, urldate = {2019-07-09} } @online{camichel:20200512:absent:f352502, author = {Corsin Camichel}, title = {{Tweet on AbSent Loader}}, date = {2020-05-12}, organization = {Twitter (@cocaman)}, url = {https://twitter.com/cocaman/status/1260069549069733888}, language = {English}, urldate = {2020-05-15} } @online{camichel:20201101:observed:abb75ee, author = {Corsin Camichel}, title = {{Observed Malware Campaigns – October 2020}}, date = {2020-11-01}, organization = {Vulnerability.ch Blog}, url = {https://vulnerability.ch/2020/11/observed-malware-campaigns-october-2020/}, language = {English}, urldate = {2020-11-02} } @online{campbell:20190502:2019:1fe00f6, author = {Bryan Campbell and Proofpoint Threat Insight Team}, title = {{2019: The Return of Retefe}}, date = {2019-05-02}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/2019-return-retefe}, language = 
{English}, urldate = {2019-12-20} } @online{campbell:20190926:new:d228362, author = {Bryan Campbell and Jeremy Hedges and Proofpoint Threat Insight Team}, title = {{New WhiteShadow downloader uses Microsoft SQL to retrieve malware}}, date = {2019-09-26}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware}, language = {English}, urldate = {2020-02-26} } @online{campbell:20191114:ta2101:e79f6fb, author = {Bryan Campbell and Proofpoint Threat Insight Team}, title = {{TA2101 plays government imposter to distribute malware to German, Italian, and US organizations}}, date = {2019-11-14}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/ta2101-plays-government-imposter-distribute-malware-german-italian-and-us}, language = {English}, urldate = {2019-11-27} } @online{campbell:20200608:analysis:500f9fe, author = {Ryan Campbell}, title = {{Analysis of Valak Maldoc}}, date = {2020-06-08}, organization = {Security Soup Blog}, url = {https://security-soup.net/analysis-of-valak-maldoc/}, language = {English}, urldate = {2020-06-08} } @online{campbell:20201106:quick:741d84a, author = {Ryan Campbell}, title = {{Quick Post: Spooky New PowerShell Obfuscation in Emotet Maldocs}}, date = {2020-11-06}, organization = {Security Soup Blog}, url = {https://security-soup.net/quick-post-spooky-new-powershell-obfuscation-in-emotet-maldocs/}, language = {English}, urldate = {2020-11-09} } @online{can:20190313:n:bfbaff0, author = {Ahmet Bilal Can}, title = {{N Ways to Unpack Mobile Malware}}, date = {2019-03-13}, organization = {Pentest Blog}, url = {https://pentest.blog/n-ways-to-unpack-mobile-malware/}, language = {English}, urldate = {2020-01-09} } @online{can:20190718:android:5097363, author = {Ahmet Bilal Can}, title = {{Android Malware Analysis : Dissecting Hydra Dropper}}, date = {2019-07-18}, url = 
{https://pentest.blog/android-malware-analysis-dissecting-hydra-dropper/}, language = {English}, urldate = {2019-12-05} } @techreport{canada:2011:snowglobe:2cf6813, author = {CSE Canada}, title = {{SNOWGLOBE: From Discovery to Attribution}}, date = {2011}, institution = {Spiegel Online}, url = {http://www.spiegel.de/media/media-35683.pdf}, language = {English}, urldate = {2019-12-17} } @online{canary:20200617:threat:3a7f962, author = {Red Canary}, title = {{Threat Detection: Blue Mockingbird}}, date = {2020-06-17}, organization = {Youtube (Red Canary)}, url = {https://www.youtube.com/watch?v=6t_E8KOmZSs}, language = {English}, urldate = {2020-06-19} } @online{canary:20201204:yellow:1633ca2, author = {Red Canary}, title = {{Yellow Cockatoo: Search engine redirects, in-memory remote access trojan, and more}}, date = {2020-12-04}, organization = {Red Canary}, url = {https://redcanary.com/blog/yellow-cockatoo/}, language = {English}, urldate = {2020-12-08} } @online{cannell:20130725:zeroaccess:4853854, author = {Joshua Cannell}, title = {{ZeroAccess uses Self-Debugging}}, date = {2013-07-25}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2013/07/zeroaccess-anti-debug-uses-debugger/}, language = {English}, urldate = {2019-12-20} } @online{cannell:20130801:sophos:404c6a5, author = {Joshua Cannell}, title = {{Sophos Discovers ZeroAccess Using RLO}}, date = {2013-08-01}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2013/08/sophos-discovers-zeroaccess-using-rlo/}, language = {English}, urldate = {2019-12-20} } @online{cannell:20130926:new:428977b, author = {Joshua Cannell}, title = {{New Solarbot Malware Debuts, Creator Publicly Advertising}}, date = {2013-09-26}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2013/09/new-solarbot-malware-debuts-creator-publicly-advertising/}, language = {English}, urldate = {2019-12-20} } 
@online{cannings:20160616:sakula:cece262, author = {David Cannings}, title = {{Sakula: an adventure in DLL planting}}, date = {2016-06-16}, organization = {NCC Group}, url = {https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/june/sakula-an-adventure-in-dll-planting/?page=1}, language = {English}, urldate = {2020-01-06} } @online{cannings:20170403:investigation:7deb188, author = {Rich Cannings and Jason Woloz and Neel Mehta and Ken Bodzak and Wentao Chang and Megan Ruthven}, title = {{An investigation of Chrysaor Malware on Android}}, date = {2017-04-03}, organization = {Google}, url = {https://android-developers.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html}, language = {English}, urldate = {2019-12-17} } @online{cannings:20170403:investigation:8de942a, author = {Rich Cannings and Jason Woloz and Neel Mehta and Ken Bodzak and Wentao Chang and Megan Ruthven}, title = {{An Investigation of Chrysaor Malware on Android}}, date = {2017-04-03}, organization = {Google}, url = {https://security.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html}, language = {English}, urldate = {2020-01-08} } @online{cannings:20170403:technical:e27583c, author = {David Cannings}, title = {{Technical Notes on RedLeaves}}, date = {2017-04-03}, organization = {Github (nccgroup)}, url = {https://github.com/nccgroup/Cyber-Defence/tree/master/Technical%20Notes/Red%20Leaves}, language = {English}, urldate = {2020-01-06} } @online{cannon:20171207:new:035f809, author = {Vincent Cannon and Nalani Fraser and Yogesh Londhe and Manish Sardiwal and Nick Richard and Jacqueline O’Leary}, title = {{New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit}}, date = {2017-12-07}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html}, language = {English}, urldate = {2019-12-20} } @online{cao:20200324:operation:89da9bd, 
author = {Elliot Cao and Joseph Chen and William Gamazo Sanchez and Lilang Wu and Ecular Xu}, title = {{Operation Poisoned News: Hong Kong Users Targeted With Mobile Malware via Local News Links}}, date = {2020-03-24}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/operation-poisoned-news-hong-kong-users-targeted-with-mobile-malware-via-local-news-links/}, language = {English}, urldate = {2020-03-25} } @techreport{cao:20200324:technical:dc23839, author = {Elliot Cao and Joseph Chen and William Gamazo Sanchez and Lilang Wu and Ecular Xu}, title = {{Technical Brief: Operation Poisoned News: Hong Kong Users Targeted with Mobile Malware via Local News Links}}, date = {2020-03-24}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/Tech-Brief-Operation-Poisoned-News-Hong-Kong-Users-Targeted-with-Mobile-Malware-via-Local-News-Links.pdf}, language = {English}, urldate = {2020-03-25} } @online{capilla:20161121:android:5150467, author = {Sergi Àlvarez i Capilla}, title = {{Android malware analysis with Radare: Dissecting the Triada Trojan}}, date = {2016-11-21}, organization = {NowSecure}, url = {https://www.nowsecure.com/blog/2016/11/21/android-malware-analysis-radare-triada-trojan/}, language = {English}, urldate = {2020-01-10} } @online{caragay:20150924:credit:59e0581, author = {RonJay Caragay and Michael Marcos}, title = {{Credit Card-Scraping Kasidet Builder Leads to Spike in Detections}}, date = {2015-09-24}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/credit-card-scraping-kasidet-builder-leads-to-spike-in-detections/}, language = {English}, urldate = {2020-01-13} } @techreport{carcano:20181001:triton:7863291, author = {Andrea Carcano}, title = {{TRITON: How it Disrupted Safety Systems and Changed the Threat Landscape of Industrial Control Systems, Forever}}, date = {2018-10-01}, institution = {SANS Cyber Summit}, url = 
{https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1538425180.pdf}, language = {English}, urldate = {2020-01-20} } @online{care:202008:critical:415c34d, author = {CARE}, title = {{Critical Infrastructure Ransomware Attacks}}, date = {2020-08}, organization = {Temple University}, url = {https://sites.temple.edu/care/ci-rw-attacks/}, language = {English}, urldate = {2020-09-15} } @online{carr:20170514:cyber:0ac720f, author = {Nick Carr}, title = {{Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations}}, date = {2017-05-14}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html}, language = {English}, urldate = {2019-12-20} } @online{carr:20170524:apt32:4060afe, author = {Nick Carr}, title = {{APT32: New Cyber Espionage Group}}, date = {2017-05-24}, organization = {BrightTALK (FireEye)}, url = {https://www.brighttalk.com/webcast/10703/261205}, language = {English}, urldate = {2020-01-07} } @online{carr:20170630:obfuscation:c3d947e, author = {Nick Carr and Daniel Bohannon}, title = {{Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques}}, date = {2017-06-30}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html}, language = {English}, urldate = {2019-12-20} } @online{carr:20180801:hunt:0fe0e15, author = {Nick Carr and Kimberly Goody and Steve Miller and Barry Vengerik}, title = {{On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation}}, date = {2018-08-01}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html}, language = {English}, urldate = {2019-12-20} } @online{carr:20181106:griffon:c7f800f, author = {Nick Carr}, title = {{Tweet on a GRIFFON sample}}, date = {2018-11-06}, organization = {Twitter (@ItsReallyNick)}, url = 
{https://twitter.com/ItsReallyNick/status/1059898708286939136}, language = {English}, urldate = {2019-12-17} } @online{carr:20190605:malware:a6892ae, author = {Nick Carr}, title = {{Tweet on Malware Sample}}, date = {2019-06-05}, organization = {Twitter (@ItsReallyNick)}, url = {https://twitter.com/ItsReallyNick/status/1136502701301346305}, language = {English}, urldate = {2020-01-07} } @online{carr:20191010:mahalo:917c5b2, author = {Nick Carr and Josh Yoder and Kimberly Goody and Scott Runnels and Jeremy Kennelly and Jordan Nuce}, title = {{Mahalo FIN7: Responding to the Criminal Operators’ New Tools and Techniques}}, date = {2019-10-10}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/10/mahalo-fin7-responding-to-new-tools-and-techniques.html}, language = {English}, urldate = {2019-11-18} } @online{carr:20191220:grunt:02cb116, author = {Nick Carr}, title = {{Tweet on GRUNT payload}}, date = {2019-12-20}, organization = {Twitter (@ItsReallyNick)}, url = {https://twitter.com/ItsReallyNick/status/1208141697282117633}, language = {English}, urldate = {2020-01-09} } @online{carr:20200114:rough:1c149da, author = {Nick Carr and Matt Bromiley}, title = {{Rough Patch: I Promise It'll Be 200 OK (Citrix ADC CVE-2019-19781)}}, date = {2020-01-14}, organization = {FireEye}, url = {https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html}, language = {English}, urldate = {2020-01-17} } @online{carr:20200601:malware:62e3d49, author = {Nick Carr}, title = {{Tweet on malware called NETFLASH}}, date = {2020-06-01}, organization = {Twitter (@ItsReallyNick)}, url = {https://twitter.com/ItsReallyNick/status/1267475216923594755}, language = {English}, urldate = {2020-06-05} } @online{carr:20201214:summarizing:67227be, author = {Nick Carr}, title = {{Tweet on summarizing post-compromise activity of UNC2452}}, date = {2020-12-14}, organization = {Twitter (@ItsReallyNick)}, url = 
{https://twitter.com/ItsReallyNick/status/1338382939835478016}, language = {English}, urldate = {2020-12-14} } @online{carr:20201215:quick:5305f61, author = {Nick Carr}, title = {{A quick note from Nick Carr that COSMICGALE and SUPERNOVA are unrelated to the UNC2452 intrusion campaign}}, date = {2020-12-15}, organization = {Github (itsreallynick)}, url = {https://github.com/fireeye/sunburst_countermeasures/pull/5}, language = {English}, urldate = {2020-12-19} } @online{carvey:20190404:mimikatz:243c11a, author = {Harlan Carvey}, title = {{Mimikatz in the Wild: Bypassing Signature-Based Detections Using the “AK47 of Cyber”}}, date = {2019-04-04}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/credential-theft-mimikatz-techniques/}, language = {English}, urldate = {2019-12-20} } @online{case:20190902:digital:0f6cd23, author = {Andrew Case and Matthew Meltzer and Steven Adair}, title = {{Digital Crackdown: Large-Scale Surveillance and Exploitation of Uyghurs}}, date = {2019-09-02}, organization = {Volexity}, url = {https://www.volexity.com/blog/2019/09/02/digital-crackdown-large-scale-surveillance-and-exploitation-of-uyghurs/}, language = {English}, urldate = {2019-12-06} } @online{case:20200421:evil:54c1d46, author = {Andrew Case and Dave Lassalle and Matthew Meltzer and Sean Koessel and Steven Adair and Thomas Lancaster}, title = {{Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant}}, date = {2020-04-21}, organization = {Volexity}, url = {https://www.volexity.com/blog/2020/04/21/evil-eye-threat-actor-resurfaces-with-ios-exploit-and-updated-implant/}, language = {English}, urldate = {2020-04-22} } @online{caselden:20150418:operation:f2f3cba, author = {Dan Caselden and Yasir Khalid and James “Tom” Bennett and Genwei Jiang and Corbin Souffrant and Joshua Homan and Jonathan Wrolstad and Chris Phillips and Darien Kin}, title = {{Operation RussianDoll: Adobe & Windows Zero-Day Exploits Likely Leveraged by Russia’s APT28 in 
Highly-Targeted Attack}}, date = {2015-04-18}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html}, language = {English}, urldate = {2019-10-16} } @online{caselden:20150623:operation:dc2929c, author = {Dan Caselden and Erica Eng}, title = {{Operation Clandestine Wolf – Adobe Flash Zero-Day in APT3 Phishing Campaign}}, date = {2015-06-23}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html}, language = {English}, urldate = {2019-12-20} } @online{cash:20201214:dark:7d54c5d, author = {Damien Cash and Matthew Meltzer and Sean Koessel and Steven Adair and Thomas Lancaster and Volexity Threat Research}, title = {{Dark Halo Leverages SolarWinds Compromise to Breach Organizations}}, date = {2020-12-14}, organization = {Volexity}, url = {https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/}, language = {English}, urldate = {2020-12-15} } @online{cashdollar:20190613:latest:1dba306, author = {Larry Cashdollar}, title = {{Latest ECHOBOT: 26 Infection Vectors}}, date = {2019-06-13}, organization = {Akamai}, url = {https://blogs.akamai.com/sitr/2019/06/latest-echobot-26-infection-vectors.html}, language = {English}, urldate = {2020-01-08} } @online{cashman:20201221:how:10d8756, author = {Mo Cashman and Arnab Roy}, title = {{How A Device to Cloud Architecture Defends Against the SolarWinds Supply Chain Compromise}}, date = {2020-12-21}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/how-a-device-to-cloud-architecture-defends-against-the-solarwinds-supply-chain-compromise/}, language = {English}, urldate = {2020-12-23} } @online{caspi:20170504:osx:9f62c96, author = {Ofer Caspi}, title = {{OSX Malware is Catching Up, and it wants to Read Your HTTPS Traffic}}, date = {2017-05-04}, organization = {Check Point Software Technologies Ltd}, url = 
{http://blog.checkpoint.com/2017/04/27/osx-malware-catching-wants-read-https-traffic/}, language = {English}, urldate = {2019-11-24} } @online{caspi:20170713:osxdok:b34ca60, author = {Ofer Caspi}, title = {{OSX/Dok Refuses to Go Away and It’s After Your Money}}, date = {2017-07-13}, organization = {Check Point}, url = {https://blog.checkpoint.com/2017/07/13/osxdok-refuses-go-away-money/}, language = {English}, urldate = {2020-01-05} } @online{caspi:20180724:emotet:a26725d, author = {Ofer Caspi and Ben Herzog}, title = {{Emotet: The Tricky Trojan that ‘Git Clones’}}, date = {2018-07-24}, organization = {Check Point}, url = {https://research.checkpoint.com/emotet-tricky-trojan-git-clones/}, language = {English}, urldate = {2020-01-13} } @online{caspi:20200519:trickbot:50c2a51, author = {Ofer Caspi}, title = {{TrickBot BazarLoader In-Depth}}, date = {2020-05-19}, organization = {AlienLabs}, url = {https://cybersecurity.att.com/blogs/labs-research/trickbot-bazarloader-in-depth}, language = {English}, urldate = {2020-05-20} } @online{caspi:20210107:malware:2ad7d86, author = {Ofer Caspi and Fernando Martinez}, title = {{Malware using new Ezuri memory loader}}, date = {2021-01-07}, organization = {AT&T}, url = {https://cybersecurity.att.com/blogs/labs-research/malware-using-new-ezuri-memory-loader}, language = {English}, urldate = {2021-01-11} } @online{casualmalware:20200311:firebird:6d1f8a2, author = {casual_malware}, title = {{Tweet on FireBird RAT}}, date = {2020-03-11}, organization = {Twitter (@casual_malware)}, url = {https://twitter.com/casual_malware/status/1237775601035096064}, language = {English}, urldate = {2020-03-13} } @techreport{ccc:20111008:analyse:0c4a8c9, author = {CCC}, title = {{ANALYSE EINER REGIERUNGS-MALWARE}}, date = {2011-10-08}, institution = {CCC}, url = {http://www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf}, language = {English}, urldate = {2020-01-07} } @online{ccncert:20181104:betabot:fd654de, author = {CCN-CERT}, title 
= {{BetaBot y Fleercivet, dos nuevos informes de código dañino del CCN-CERT}}, date = {2018-11-04}, organization = {CCN-CERT}, url = {https://www.ccn-cert.cni.es/seguridad-al-dia/comunicados-ccn-cert/6087-betabot-y-fleercivet-dos-nuevos-informes-de-codigo-danino-del-ccn-cert.html}, language = {English}, urldate = {2020-01-10} } @online{ccncert:201911:informe:69b39b5, author = {CCN-CERT}, title = {{Informe Código Dañino CCN-CERT ID-26/19}}, date = {2019-11}, organization = {CCN-CERT}, url = {https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos/4217-ccn-cert-id-26-19-ryuk-1/file.html}, language = {Espanyol}, urldate = {2020-01-10} } @online{ccncert:202005:malware:e6aed81, author = {CCN-CERT}, title = {{Malware report CCN-CERT ID-15/20 Snake Locker}}, date = {2020-05}, organization = {CCN-CERT}, url = {https://www.ccn-cert.cni.es/pdf/5045-ccn-cert-id-15-20-snake-locker-english-1/file.html}, language = {English}, urldate = {2020-06-10} } @online{centeno:20180501:legitimate:bd0644c, author = {Raphael Centeno}, title = {{Legitimate Application AnyDesk Bundled with New Ransomware Variant}}, date = {2018-05-01}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/legitimate-application-anydesk-bundled-with-new-ransomware-variant/}, language = {English}, urldate = {2019-10-14} } @online{centeno:20190508:dharma:cc5ac04, author = {Raphael Centeno}, title = {{Dharma Ransomware Uses AV Tool to Distract from Malicious Activities}}, date = {2019-05-08}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/dharma-ransomware-uses-av-tool-to-distract-from-malicious-activities/}, language = {English}, urldate = {2020-01-06} } @online{centeno:20200521:backdoor:d6d37a9, author = {Raphael Centeno and Llallum Victoria}, title = {{Backdoor, Devil Shadow Botnet Hidden in Fake Zoom Installers}}, date = {2020-05-21}, organization = {Trend Micro}, url = 
{https://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-devil-shadow-botnet-hidden-in-fake-zoom-installers/}, language = {English}, urldate = {2020-05-23} } @online{centeno:20200921:cybercriminals:0dbaa08, author = {Raphael Centeno}, title = {{Cybercriminals Distribute Backdoor With VPN Installer}}, date = {2020-09-21}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/20/i/wind-up-windscribe-vpn-bundled-with-backdoor.html}, language = {English}, urldate = {2020-09-23} } @online{center:20130222:recent:b3d3f80, author = {Microsoft Security Response Center}, title = {{Recent Cyberattacks}}, date = {2013-02-22}, organization = {Microsoft}, url = {https://blogs.technet.microsoft.com/msrc/2013/02/22/recent-cyberattacks/}, language = {English}, urldate = {2019-12-20} } @online{center:20180330:analysis:4f1feb9, author = {Qi Anxin Threat Intelligence Center}, title = {{Analysis of the latest cyber attack activity of the APT organization against sensitive institutions in China}}, date = {2018-03-30}, organization = {360 Threat Intelligence}, url = {https://ti.360.net/blog/articles/analysis-of-apt-c-09-target-china/}, language = {Chinese}, urldate = {2020-01-13} } @techreport{center:201803:oilrig:b3c95ff, author = {NYOTRON ATTACK RESPONSE CENTER}, title = {{OilRig is Back with Next-Generation Tools and Techniques}}, date = {2018-03}, institution = {Nyotron}, url = {https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018b.pdf}, language = {English}, urldate = {2019-10-13} } @online{center:20180523:sidewinderapttapt04:2f4c2cc, author = {Tencent Mimi Threat Intelligence Center}, title = {{SideWinder“响尾蛇”APT组织(T-APT-04):针对南亚的定向攻击威胁}}, date = {2018-05-23}, organization = {Tencent}, url = {https://s.tencent.com/research/report/479.html}, language = {Chinese}, urldate = {2020-01-06} } @techreport{center:20180614:cyber:b2150a3, author = {Cyber Emergency Center}, title = {{Cyber Emergency Center Report No. 
3}}, date = {2018-06-14}, institution = {LAC}, url = {https://www.lac.co.jp/lacwatch/pdf/20180614_cecreport_vol3.pdf}, language = {English}, urldate = {2020-07-20} } @online{center:20180723:golden:acfd437, author = {Qi Anxin Threat Intelligence Center}, title = {{Golden Rat Organization-targeted attack in Syria}}, date = {2018-07-23}, organization = {360 Threat Intelligence}, url = {https://ti.360.net/blog/articles/analysis-of-apt-c-27/}, language = {Chinese}, urldate = {2020-04-28} } @online{center:20181129:analysis:08c590c, author = {Qi Anxin Threat Intelligence Center}, title = {{Analysis Of Targeted Attack Against Pakistan By Exploiting InPage Vulnerability And Related APT Groups}}, date = {2018-11-29}, organization = {360 Threat Intelligence}, url = {https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english}, language = {English}, urldate = {2020-03-02} } @online{center:20181129:analysis:d46e3e4, author = {Threat Intelligence Center}, title = {{Analysis Of Targeted Attack Against Pakistan By Exploiting InPage Vulnerability And Related APT Groups}}, date = {2018-11-29}, organization = {360 Threat Intelligence}, url = {https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/}, language = {English}, urldate = {2020-01-10} } @online{center:20181212:donot:32e8fb0, author = {Qi Anxin Threat Intelligence Center}, title = {{Donot (APT-C-35) Group Is Targeting Pakistani Businessman Working In China}}, date = {2018-12-12}, organization = {360 Threat Intelligence}, url = {https://ti.360.net/blog/articles/donot-group-is-targeting-pakistani-businessman-working-in-china-en/}, language = {English}, urldate = {2020-01-13} } @online{center:20190218:aptc36:abbf9ea, author = {Anxin Threat Intelligence Center}, title = {{APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and 
Corporations}}, date = {2019-02-18}, organization = {360 Threat Intelligence}, url = {https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/}, language = {English}, urldate = {2020-01-09} } @online{center:20190819:konni:5af29f8, author = {EST Security Response Center}, title = {{Konni APT organization emerges as an attack disguised as Russian document}}, date = {2019-08-19}, organization = {EST Security}, url = {https://blog.alyac.co.kr/2474}, language = {Korean}, urldate = {2020-01-20} } @online{center:20191212:gallium:79f6460, author = {Microsoft Threat Intelligence Center}, title = {{GALLIUM: Targeting global telecom}}, date = {2019-12-12}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/}, language = {English}, urldate = {2020-01-07} } @techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } @online{center:20200528:analysis:5b197d4, author = {Threat Intelligence Center}, title = {{Analysis of recent rattlesnake APT attacks against surrounding countries and regions}}, date = {2020-05-28}, organization = {Qianxin}, url = {https://ti.qianxin.com/blog/articles/the-recent-rattlesnake-apt-organized-attacks-on-neighboring-countries-and-regions/}, language = {Chinese}, urldate = {2020-10-27} } @online{center:20200604::a1c780b, author = {Qianxin Virus Response Center}, title = {{脚本系贼寇之风兴起,买卖体系堪比勒索软件}}, date = {2020-06-04}, url = {https://mp.weixin.qq.com/s/REXBtbnI2zXj4H3u6ofMMw}, language = {Chinese}, urldate = {2020-07-16} } @online{center:20200701::fc5fdee, author = {360 Threat Intelligence Center}, title = {{游走在东欧和中亚的奇幻熊}}, date = {2020-07-01}, organization = {360}, url = 
{https://mp.weixin.qq.com/s/pE_6VRDk-2aTI996sff0og}, language = {Chinese}, urldate = {2020-10-26} } @online{center:20200821:recurrence:d780ef1, author = {Baidu Security Emergency Response Center}, title = {{Recurrence and research of macro attacks under macOS}}, date = {2020-08-21}, organization = {Baidu Security Emergency Response Center}, url = {https://mp.weixin.qq.com/s/a_0Vbnr38drTZAlQfoH10A}, language = {Chinese}, urldate = {2020-08-25} } @online{center:20200825:darkhotel:cf3af4b, author = {360 Threat Intelligence Center}, title = {{Darkhotel (APT-C-06) organized multiple attacks using the Thinmon backdoor framework to reveal the secrets}}, date = {2020-08-25}, organization = {360 Threat Intelligence Center}, url = {https://mp.weixin.qq.com/s/nyxZFXgrtm2-tBiV3-wiMg}, language = {Chinese}, urldate = {2020-08-25} } @online{center:20201023:apt28:099c6cd, author = {360 Threat Intelligence Center}, title = {{APT28携小众压缩包诱饵对北约、中亚目标的定向攻击分析}}, date = {2020-10-23}, organization = {360}, url = {https://mp.weixin.qq.com/s/6R7bFs9lH1I3BNdkatCC9g}, language = {Chinese}, urldate = {2020-10-26} } @online{center:20201026:analysis:81bfa52, author = {Threat Intelligence Center}, title = {{Analysis of the attack activities of the Rattlesnake organization using the Buffy bilateral agreement as bait}}, date = {2020-10-26}, organization = {Qianxin}, url = {https://www.secrss.com/articles/26507}, language = {Chinese}, urldate = {2020-10-27} } @online{center:20201030:aptc41:ede60de, author = {Threat Intelligence Center}, title = {{蓝色魔眼(APT-C-41)组织首次针对我国重要机构定向攻击活动披露}}, date = {2020-10-30}, organization = {360}, url = {https://mp.weixin.qq.com/s/5No0TR4ECVPp_Xv4joXEBg}, language = {Chinese}, urldate = {2020-11-02} } @online{center:20201030:donot:5f3e428, author = {Threat Intelligence Center}, title = {{攻击武器再升级:Donot组织利用伪造签名样本的攻击活动分析}}, date = {2020-10-30}, organization = {Qianxin}, url = {https://mp.weixin.qq.com/s/3Pa3hiuZyQBspDzH0kGSHw}, language = {Chinese}, urldate = {2020-11-02} } 
@online{center:20201109:analysis:ccf80c0, author = {360 Threat Intelligence Center}, title = {{Analysis of the latest targeted attacks by Lugansk against Ukraine}}, date = {2020-11-09}, organization = {360}, url = {https://mp.weixin.qq.com/s/aMj_EDmTYyAouHWFbY64-A}, language = {Chinese}, urldate = {2020-11-11} } @online{center:20201213:customer:1f4f734, author = {Microsoft Security Response Center}, title = {{Customer Guidance on Recent Nation-State Cyber Attacks}}, date = {2020-12-13}, organization = {Microsoft}, url = {https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/}, language = {English}, urldate = {2020-12-14} } @techreport{centre:20180705:nciipc:2796c50, author = {National Critical Information Infrastructure Protection Centre}, title = {{NCIIPC Newsletter July 2018}}, date = {2018-07-05}, institution = {National Critical Information Infrastructure Protection Centre}, url = {https://nciipc.gov.in/documents/NCIIPC_Newsletter_July18.pdf}, language = {English}, urldate = {2020-01-10} } @online{cepe:20100531:sasfis:7642314, author = {Joseph Cepe}, title = {{SASFIS Malware Uses a New Trick}}, date = {2010-05-31}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/sasfis-malware-uses-a-new-trick/}, language = {English}, urldate = {2020-01-09} } @techreport{cepe:20100531:sasfis:c0eab28, author = {Joseph Cepe}, title = {{SASFIS Malware Uses a New Trick}}, date = {2010-05-31}, institution = {Trend Micro}, url = {https://aptnotes.malwareconfig.com/web/viewer.html?file=../APTnotes/2014/apt28.pdf}, language = {English}, urldate = {2020-01-08} } @online{cerberus:201906:twitter:97cd9de, author = {Android Cerberus}, title = {{Twitter Account of Android Cerberus}}, date = {2019-06}, organization = {Twitter (@AndroidCerberus)}, url = {https://twitter.com/AndroidCerberus}, language = {English}, urldate = {2020-01-09} } @online{cert:20160306:network:f9244d3, author = {thyssenkrupp 
CERT}, title = {{Network detector for Winnti malware}}, date = {2016-03-06}, organization = {Github (TKCERT)}, url = {https://github.com/TKCERT/winnti-detector}, language = {English}, urldate = {2020-01-07} } @online{cert:20160906:kzcert:3d8bb82, author = {KZ CERT}, title = {{KZ-CERT has analyzed another sample of malicious software, which is a component of targeted attacks (Targeted attacks, Advanced Persistent Threats (APT))}}, date = {2016-09-06}, organization = {KZ CERT}, url = {http://www.kz-cert.kz/page/502}, language = {Kazakh}, urldate = {2019-10-16} } @techreport{cert:20161104:from:a139d13, author = {Antiy CERT}, title = {{FROM EQUATION TO EQUATIONS}}, date = {2016-11-04}, institution = {Antiy CERT}, url = {https://www.antiy.com/response/FROM_EQUATION_TO_EQUATIONS.pdf}, language = {English}, urldate = {2020-08-18} } @online{cert:20180423:energetic:451033f, author = {Kaspersky Lab ICS CERT}, title = {{Energetic Bear/Crouching Yeti: attacks on servers}}, date = {2018-04-23}, organization = {Kaspersky Labs}, url = {https://securelist.com/energetic-bear-crouching-yeti/85345/}, language = {English}, urldate = {2019-12-20} } @online{cert:20180522:nmap:1ee2530, author = {thyssenkrupp CERT}, title = {{Nmap Script to scan for Winnti infections}}, date = {2018-05-22}, organization = {Github (TKCERT)}, url = {https://github.com/TKCERT/winnti-nmap-script}, language = {English}, urldate = {2020-01-07} } @online{cert:20180919::c3b6955, author = {Antiy CERT}, title = {{“绿斑”行动——持续多年的攻击}}, date = {2018-09-19}, url = {https://www.antiy.com/response/20180919.html}, language = {Chinese}, urldate = {2020-08-14} } @online{cert:20190124:greyenergys:523e803, author = {Kaspersky Lab ICS CERT}, title = {{GreyEnergy’s overlap with Zebrocy}}, date = {2019-01-24}, organization = {Kaspersky Labs}, url = {https://securelist.com/greyenergys-overlap-with-zebrocy/89506/}, language = {English}, urldate = {2019-12-20} } @online{cert:20200522:analysis:fc8e2b2, author = {Antiy CERT}, title = 
{{Analysis of Ramsay components of Darkhotel's infiltration and isolation network}}, date = {2020-05-22}, organization = {Antiy CERT}, url = {https://www.antiy.cn/research/notice&report/research_report/20200522.html}, language = {Chinese}, urldate = {2020-05-23} } @online{cert:20200616:active:1c01229, author = {New Zealand CERT}, title = {{Active ransomware campaign leveraging remote access technologies}}, date = {2020-06-16}, organization = {New Zealand CERT}, url = {https://www.cert.govt.nz/it-specialists/advisories/active-ransomware-campaign-leveraging-remote-access-technologies/}, language = {English}, urldate = {2020-06-21} } @online{cert:20200617:targeted:4a2a126, author = {Kaspersky Lab ICS CERT}, title = {{Targeted attacks on industrial companies using Snake ransomware}}, date = {2020-06-17}, organization = {Kaspersky Labs}, url = {https://ics-cert.kaspersky.com/alerts/2020/06/17/targeted-attacks-on-industrial-companies-using-snake-ransomware/}, language = {English}, urldate = {2020-06-18} } @techreport{cert:20200924:threat:2d7986d, author = {Kaspersky Lab ICS CERT}, title = {{Threat landscape for industrial automation systems - H1 2020}}, date = {2020-09-24}, institution = {Kaspersky Labs}, url = {https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf}, language = {English}, urldate = {2020-10-04} } @techreport{cert:20201105:attackson:62f1e26, author = {Kaspersky Lab ICS CERT and Vyacheslav Kopeytsev}, title = {{Attacks on industrial enterprises using RMS and TeamViewer: new data}}, date = {2020-11-05}, institution = {Kaspersky Labs}, url = {https://ics-cert.kaspersky.com/media/Kaspersky-Attacks-on-industrial-enterprises-using-RMS-and-TeamViewer-EN.pdf}, language = {English}, urldate = {2020-11-06} } @online{cert:20201223:solarwindsapt:a237c40, author = {Qi AnXin CERT}, title = {{从Solarwinds供应链攻击(金链熊)看APT行动中的隐蔽作战}}, date = {2020-12-23}, organization = {Qianxin}, url = {https://mp.weixin.qq.com/s/UqXC1vovKUu97569LkYm2Q}, language = 
{Chinese}, urldate = {2020-12-23} } @online{cert:20201228:civerids:b40d172, author = {Antiy CERT}, title = {{"Civerids" organization vs. Middle East area attack activity analysis report}}, date = {2020-12-28}, organization = {Antiy CERT}, url = {https://www.antiy.cn/research/notice&report/research_report/20201228.html}, language = {Chinese}, urldate = {2021-01-04} } @online{certagid:20200713:campagna:1da46a9, author = {Cert-AgID}, title = {{Campagna sLoad v.2.9.3 veicolata via PEC}}, date = {2020-07-13}, organization = {Cert-AgID}, url = {https://cert-agid.gov.it/news/campagna-sload-v-2-9-3-veicolata-via-pec/}, language = {Italian}, urldate = {2020-07-15} } @online{certagid:20201231:simplify:1a7bcd2, author = {Cert-AgID}, title = {{Simplify Emotet parsing with Python and iced x86}}, date = {2020-12-31}, organization = {Cert-AgID}, url = {https://cert-agid.gov.it/news/malware/semplificare-lanalisi-di-emotet-con-python-e-iced-x86/}, language = {Italian}, urldate = {2021-01-05} } @online{certbund:20191108:spam:0630ad5, author = {CERT-Bund}, title = {{Tweet on Spam Mails containing MAZE}}, date = {2019-11-08}, organization = {Twitter (@certbund)}, url = {https://twitter.com/certbund/status/1192756294307995655}, language = {English}, urldate = {2020-01-08} } @online{certem:20180803:certfr:65e03cf, author = {CERT-FR}, title = {{CERT-FR ALERT BULLETIN}}, date = {2018-08-03}, organization = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/alerte/CERTFR-2018-ALE-008/}, language = {French}, urldate = {2020-01-08} } @techreport{certeu:20200603:cyber:681a7c2, author = {CERT-EU}, title = {{Cyber brief (June 2020)}}, date = {2020-06-03}, institution = {CERT-EU}, url = {https://media.cert.europa.eu/static/MEMO/2020/TLP-WHITE-CERT-EU-CYBER-BRIEF-20-06%20v1.1.pdf}, language = {English}, urldate = {2020-06-05} } @online{certfr:20191122:rapport:c457ee8, author = {CERT-FR}, title = {{RAPPORT MENACES ET INCIDENTS DU CERT-FR}}, date = {2019-11-22}, organization = {CERT-FR}, url = 
{https://www.cert.ssi.gouv.fr/cti/CERTFR-2019-CTI-009/}, language = {French}, urldate = {2020-01-07} } @online{certfr:20200318:rapport:abbc7c4, author = {CERT-FR}, title = {{Rapport Menaces et Incidents du CERT-FR: Attaques par le rançongiciel Mespinoza/Pysa}}, date = {2020-03-18}, organization = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/cti/CERTFR-2020-CTI-002/}, language = {French}, urldate = {2020-03-26} } @techreport{certfr:20200423:le:4dbca96, author = {CERT-FR}, title = {{LE GROUPE CYBERCRIMINEL SILENCE}}, date = {2020-04-23}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-004.pdf}, language = {French}, urldate = {2020-05-07} } @online{certfr:20200525:indicateurs:642332f, author = {CERT-FR}, title = {{INDICATEURS DE COMPROMISSION DU CERT-FR - Objet: Le code malveillant Dridex}}, date = {2020-05-25}, organization = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/ioc/CERTFR-2020-IOC-003/}, language = {French}, urldate = {2020-06-03} } @techreport{certfr:20200525:le:ac94f72, author = {CERT-FR}, title = {{Le Code Malveillant Dridex: Origines et Usages}}, date = {2020-05-25}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-005.pdf}, language = {French}, urldate = {2020-05-26} } @techreport{certfr:20200622:volution:fba1cfa, author = {CERT-FR}, title = {{Évolution De L'activité du Groupe Cybercriminel TA505}}, date = {2020-06-22}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf}, language = {French}, urldate = {2020-06-24} } @techreport{certfr:20200717:malware:5c58cdf, author = {CERT-FR}, title = {{The Malware Dridex: Origins and Uses}}, date = {2020-07-17}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf}, language = {English}, urldate = {2020-07-20} } @techreport{certfr:20200820:development:d518522, author = {CERT-FR}, title = {{Development of the Activity of the TA505 Cybercriminal Group}}, date = 
{2020-08-20}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf}, language = {English}, urldate = {2020-08-28} } @online{certfr:20200907:bulletin:f7b2023, author = {CERT-FR}, title = {{Bulletin d'alerte du CERT-FR: Recrudescence d’activité Emotet en France}}, date = {2020-09-07}, organization = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/alerte/CERTFR-2020-ALE-019/}, language = {French}, urldate = {2020-09-15} } @techreport{certfr:20201029:le:d296223, author = {CERT-FR}, title = {{LE MALWARE-AS-A-SERVICE EMOTET}}, date = {2020-10-29}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-010.pdf}, language = {English}, urldate = {2020-11-04} } @techreport{certil:20170424:wave:d0c610f, author = {CERT-IL}, title = {{Wave attacks against government agencies, academia and business entities in Israel}}, date = {2017-04-24}, institution = {CERT-IL}, url = {https://www.gov.il/BlobFolder/reports/attack_il/he/CERT-IL-ALERT-W-120.pdf}, language = {Hebrew}, urldate = {2020-05-18} } @online{certopmd:20190110:dnspionage:88c7100, author = {CERT-OPMD}, title = {{[DNSPIONAGE] – Focus on internal actions}}, date = {2019-01-10}, organization = {CERT-OPMD}, url = {https://blog-cert.opmd.fr/dnspionage-focus-on-internal-actions/}, language = {English}, urldate = {2020-01-09} } @online{certpa:20190110:divergent:c0ab442, author = {Cert-PA}, title = {{“Divergent” malware Fileless}}, date = {2019-01-10}, organization = {Cert-Pa}, url = {https://www.cert-pa.it/notizie/devergent-malware-fileless/}, language = {Italian}, urldate = {2019-11-23} } @online{certpa:20200310:campagna:dac7559, author = {Cert-PA}, title = {{Campagna sLoad “Star Wars Edition” veicolata via PEC}}, date = {2020-03-10}, organization = {Cert-Pa}, url = {https://www.cert-pa.it/notizie/campagna-sload-star-wars-edition-veicolata-via-pec/}, language = {Italian}, urldate = {2020-03-11} } @online{certpa:20200323:pwndlocker:3607042, author = {Cert-PA}, 
title = {{PwndLocker si rinnova in ProLock Ransomware}}, date = {2020-03-23}, organization = {Cert-Pa}, url = {https://www.cert-pa.it/notizie/pwndlocker-si-rinnova-in-prolock-ransomware/}, language = {Italian}, urldate = {2020-03-25} } @techreport{certpl:20110603:botnet:fd65588, author = {CERT.PL}, title = {{Botnet Hamweq - analiza}}, date = {2011-06-03}, institution = {CERT Polska / NASK}, url = {https://www.cert.pl/wp-content/uploads/2011/06/201106_hamweq.pdf}, language = {Polish}, urldate = {2019-11-28} } @online{certpl:20141215:banatrix:ff1a5a2, author = {CERT.PL}, title = {{Banatrix – an in-depth look}}, date = {2014-12-15}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/banatrix-an-indepth-look/}, language = {English}, urldate = {2019-10-23} } @online{certpl:20151110:talking:d93cf24, author = {CERT.PL}, title = {{Talking to Dridex (part 0) – inside the dropper}}, date = {2015-11-10}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/talking-dridex-part-0-inside-the-dropper/}, language = {English}, urldate = {2020-01-06} } @techreport{certpl:201512:zeusp2p:47dc4ed, author = {CERT.PL}, title = {{ZeuS-P2P monitoring and analysis}}, date = {2015-12}, institution = {CERT.PL}, url = {https://www.cert.pl/wp-content/uploads/2015/12/2013-06-p2p-rap_en.pdf}, language = {English}, urldate = {2020-01-13} } @online{certpl:20191118:brushaloader:f75d346, author = {CERT.PL}, title = {{Brushaloader gaining new layers like a pro}}, date = {2019-11-18}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/brushaloader-gaining-new-layers-like-a-pro/}, language = {English}, urldate = {2020-01-13} } @online{certua:20180903:bulk:09fa177, author = {Cert-UA}, title = {{Bulk mailing of spyware like Pterodo}}, date = {2018-09-03}, organization = {Cert-UA}, url = {https://cert.gov.ua/news/42}, language = {Ukrainian}, urldate = {2020-01-08} } @online{certua:20181115:pterodo:3ed19e5, author = {Cert-UA}, title = {{Виявлена підготовка до 
проведення кібератаки з використанням ШПЗ типу Pterodo}}, date = {2018-11-15}, organization = {Cert-UA}, url = {https://cert.gov.ua/news/46}, language = {Ukrainian}, urldate = {2020-01-13} } @online{ch0sys:20170615:dubrute:3cb7c5a, author = {ch0sys}, title = {{DUBrute}}, date = {2017-06-15}, organization = {Github (ch0sys)}, url = {https://github.com/ch0sys/DUBrute}, language = {English}, urldate = {2020-01-08} } @online{chang:20160603:sends:176f9ab, author = {Yin Hong Chang and Sudeep Singh}, title = {{APT Group Sends Spear Phishing Emails to Indian Government Officials}}, date = {2016-06-03}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2016/06/apt_group_sends_spea.html}, language = {English}, urldate = {2019-12-20} } @online{chang:20170619:erebus:dee1998, author = {Ziv Chang and Gilbert Sison and Jeanne Jocson}, title = {{Erebus Resurfaces as Linux Ransomware}}, date = {2017-06-19}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/erebus-resurfaces-as-linux-ransomware/}, language = {English}, urldate = {2020-01-08} } @online{channell:20200612:what:af937e9, author = {Justin Channell}, title = {{What is the Gibberish Hack?}}, date = {2020-06-12}, organization = {SUCURI}, url = {https://blog.sucuri.net/2020/06/gibberish-hack.html}, language = {English}, urldate = {2020-06-16} } @online{charlie:20200713:fell:f278f19, author = {Charlie}, title = {{Fell Deeds Awake}}, date = {2020-07-13}, organization = {Cofense}, url = {https://cofenselabs.com/fell-deeds-awake/}, language = {English}, urldate = {2020-07-15} } @online{chaturvedi:20200710:deep:f2d16c7, author = {Rohit Chaturvedi and Naveen Selvan}, title = {{Deep Dive Into the M00nD3V Logger}}, date = {2020-07-10}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/deep-dive-m00nd3v-logger}, language = {English}, urldate = {2020-07-16} } @online{chaudhari:20171003:evolution:5462d67, author = {Pavankumar Chaudhari}, 
title = {{Evolution of jRAT JAVA Malware}}, date = {2017-10-03}, organization = {Seqrite}, url = {https://blogs.seqrite.com/evolution-of-jrat-java-malware/}, language = {English}, urldate = {2020-01-06} } @online{chaudhari:20200512:java:47c27e7, author = {Pavankumar Chaudhari}, title = {{Java RAT Campaign Targets Co-Operative Banks in India}}, date = {2020-05-12}, organization = {Seqrite}, url = {https://www.seqrite.com/blog/java-rat-campaign-targets-co-operative-banks-in-india/}, language = {English}, urldate = {2020-05-23} } @online{chaudhari:20200810:gorgon:3a961be, author = {Pavankumar Chaudhari}, title = {{Gorgon APT targeting MSME sector in India}}, date = {2020-08-10}, organization = {Seqrite}, url = {https://www.seqrite.com/blog/gorgon-apt-targeting-msme-sector-in-india/}, language = {English}, urldate = {2020-08-13} } @online{chaudhari:20201218:rat:50074a2, author = {Pavankumar Chaudhari}, title = {{RAT used by Chinese cyberspies infiltrating Indian businesses}}, date = {2020-12-18}, organization = {Seqrite}, url = {https://www.seqrite.com/blog/rat-used-by-chinese-cyberspies-infiltrating-indian-businesses/}, language = {English}, urldate = {2020-12-18} } @online{chebyshev:20200225:mobile:e40c963, author = {Victor Chebyshev}, title = {{Mobile malware evolution 2019}}, date = {2020-02-25}, organization = {Kaspersky Labs}, url = {https://securelist.com/mobile-malware-evolution-2019/96280/}, language = {English}, urldate = {2020-02-26} } @techreport{checkpoint:20131212:malware:45645af, author = {Checkpoint}, title = {{Malware Research Group HIMAN Malware Analysis}}, date = {2013-12-12}, institution = {Checkpoint}, url = {https://www.checkpoint.com/threatcloud-central/downloads/check-point-himan-malware-analysis.pdf}, language = {English}, urldate = {2019-12-17} } @online{checkpoint:20190204:speakup:9fa2718, author = {Checkpoint}, title = {{SpeakUp: A New Undetected Backdoor Linux Trojan}}, date = {2019-02-04}, organization = {Checkpoint}, url = 
{https://research.checkpoint.com/speakup-a-new-undetected-backdoor-linux-trojan/}, language = {English}, urldate = {2019-07-11} } @online{checkpoint:20200721:how:5980135, author = {Checkpoint}, title = {{How scammers are hiding their phishing trips in public clouds}}, date = {2020-07-21}, organization = {Checkpoint}, url = {https://blog.checkpoint.com/2020/07/21/how-scammers-are-hiding-their-phishing-trips-in-public-clouds/}, language = {English}, urldate = {2020-07-30} } @online{chen:20140602:sinowal:6d7af96, author = {Chao Chen}, title = {{Sinowal banking trojan}}, date = {2014-06-02}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2014/06/sinowal-banking-trojan}, language = {English}, urldate = {2020-01-10} } @online{chen:20151217:slembunk:df100af, author = {Zhaofeng Chen and Jimmy Su and Wu Zhou and Jing Xie and Heqing Huang}, title = {{SlemBunk: An Evolving Android Trojan Family Targeting Users of Worldwide Banking Apps}}, date = {2015-12-17}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2015/12/slembunk_an_evolvin.html}, language = {English}, urldate = {2019-12-20} } @online{chen:20160622:after:aaa03f7, author = {Joseph C Chen}, title = {{After Angler: Shift in Exploit Kit Landscape and New Crypto-Ransomware Activity}}, date = {2016-06-22}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/angler-shift-ek-landscape-new-crytpo-ransomware-activity/}, language = {English}, urldate = {2019-10-12} } @online{chen:20161027:blackgear:00f52d4, author = {Joey Chen and MingYen Hsieh}, title = {{BLACKGEAR Espionage Campaign Evolves, Adds Japan To Target List}}, date = {2016-10-27}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/blackgear-espionage-campaign-evolves-adds-japan-target-list/}, language = {English}, urldate = {2019-12-18} } @online{chen:20171107:redbaldknightbronze:63a08fe, author = {Joey Chen 
and MingYen Hsieh}, title = {{REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography}}, date = {2017-11-07}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/}, language = {English}, urldate = {2020-01-09} } @online{chen:20180717:blackgear:69b5213, author = {Joey Chen}, title = {{Blackgear Cyberespionage Campaign Resurfaces, Abuses Social Media for C&C Communication}}, date = {2018-07-17}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/blackgear-cyberespionage-campaign-resurfaces-abuses-social-media-for-cc-communication/}, language = {English}, urldate = {2020-01-13} } @online{chen:20180918:magecart:af83872, author = {Joseph C Chen}, title = {{Magecart Skimming Attack Targets Mobile Users of Hotel Chain Booking Websites}}, date = {2018-09-18}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/magecart-skimming-attack-targets-mobile-users-of-hotel-chain-booking-websites/}, language = {English}, urldate = {2020-01-08} } @online{chen:20190418:predator:5135f9f, author = {Yueh-Ting Chen and Evgeny Ananin}, title = {{Predator the Thief: New Routes of Delivery}}, date = {2019-04-18}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/predator-the-thief-new-routes-delivery.html}, language = {English}, urldate = {2019-12-17} } @online{chen:20190503:mirrorthief:05f07e5, author = {Joseph C Chen}, title = {{Mirrorthief Group Uses Magecart Skimming Attack to Hit Hundreds of Campus Online Stores in US and Canada}}, date = {2019-05-03}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/mirrorthief-group-uses-magecart-skimming-attack-to-hit-hundreds-of-campus-online-stores-in-us-and-canada/}, language = {English}, urldate = {2019-11-27} } @online{chen:20191009:fin6:11bb05d, author = 
{Joseph C. Chen}, title = {{FIN6 Compromised E-commerce Platform via Magecart to Inject Credit Card Skimmers Into Thousands of Online Shops}}, date = {2019-10-09}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/fin6-compromised-e-commerce-platform-via-magecart-to-inject-credit-card-skimmers-into-thousands-of-online-shops/}, language = {English}, urldate = {2020-02-25} } @techreport{chen:20191129:operation:16f5aaa, author = {Joey Chen and Hiroyuki Kakara and Masaoki Shoji}, title = {{Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data}}, date = {2019-11-29}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf}, language = {English}, urldate = {2020-06-02} } @online{chen:20191129:operation:749d75d, author = {Joey Chen and Hiroyuki Kakara and Masaoki Shoji}, title = {{Operation ENDTRADE: Finding Multi-Stage Backdoors that TICK}}, date = {2019-11-29}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/operation-endtrade-finding-multi-stage-backdoors-that-tick/}, language = {English}, urldate = {2019-12-17} } @online{chen:20200217:clambling:1a0bb8e, author = {Theo Chen and Zero Chen}, title = {{CLAMBLING - A New Backdoor Base On Dropbox}}, date = {2020-02-17}, organization = {Talent-Jump Technologies}, url = {http://www.talent-jump.com/article/2020/02/17/CLAMBLING-A-New-Backdoor-Base-On-Dropbox-en/}, language = {English}, urldate = {2020-03-30} } @online{chen:20200512:tropic:8fff7a4, author = {Joey Chen}, title = {{Tropic Trooper’s Back: USBferry Attack Targets Air-gapped Environments}}, date = {2020-05-12}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-troopers-back-usbferry-attack-targets-air-gapped-environments/}, language = 
{English}, urldate = {2020-05-14} } @techreport{chen:20200512:tropic:a3285d0, author = {Joey Chen}, title = {{Tropic Trooper’s Back: USBferry Attack Targets Air-gapped Environments (Technical Brief)}}, date = {2020-05-12}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf}, language = {English}, urldate = {2020-05-14} } @online{chen:20200626:us:8bce65c, author = {Joseph C Chen}, title = {{US Local Government Services Targeted by New Magecart Credit Card Skimming Attack}}, date = {2020-06-26}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/us-local-government-services-targeted-by-new-magecart-credit-card-skimming-attack/}, language = {English}, urldate = {2020-06-30} } @techreport{chen:20200804:operation:4cf417f, author = {Chung-Kuan Chen and Inndy Lin and Shang-De Jiang}, title = {{Operation Chimera - APT Operation Targets Semiconductor Vendors}}, date = {2020-08-04}, institution = {BlackHat}, url = {https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf}, language = {English}, urldate = {2020-11-04} } @online{chen:20200806:water:e7860e3, author = {Marshall Chen and Loseway Lu and Yorkbing Yap and Fyodor Yarochkin}, title = {{Water Nue Phishing Campaign Targets C-Suite’s Office 365 Accounts}}, date = {2020-08-06}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/water-nue-campaign-targets-c-suites-office-365-accounts/}, language = {English}, urldate = {2020-08-13} } @online{chen:20200902:cybersquatting:b5f5a8f, author = {Zhanhao Chen and Janos Szurdi}, title = {{Cybersquatting: Attackers Mimicking Domains of Major Brands Including Facebook, Apple, Amazon and Netflix to Scam Consumers}}, date = {2020-09-02}, organization = {Palo Alto Networks Unit 42}, url = 
{https://unit42.paloaltonetworks.com/cybersquatting/}, language = {English}, urldate = {2020-09-03} } @online{chen:20201109:closer:b1c72cf, author = {Jin Chen and Tao Yan and Taojie Wang and Yu Fu}, title = {{A Closer Look at the Web Skimmer}}, date = {2020-11-09}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/web-skimmer/}, language = {English}, urldate = {2020-11-11} } @online{chen:20201209:sidewinder:a454abd, author = {Joseph C Chen and Jaromír Hořejší and Ecular Xu}, title = {{SideWinder Leverages South Asian Territorial Issues for Spear Phishing and Mobile Device Attacks}}, date = {2020-12-09}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/20/l/sidewinder-leverages-south-asian-territorial-issues-for-spear-ph.html}, language = {English}, urldate = {2020-12-10} } @online{cheng:20170421:china:8c7d327, author = {Jonathan Cheng and Josh Chin}, title = {{China Hacked South Korea Over Missile Defense, U.S. Firm Says}}, date = {2017-04-21}, organization = {The Wall Street Journal}, url = {https://www.wsj.com/articles/chinas-secret-weapon-in-south-korea-missile-fight-hackers-1492766403}, language = {English}, urldate = {2020-08-17} } @online{cheng:20170421:china:ab10228, author = {Jonathan Cheng and Josh Chin}, title = {{China Hacked South Korea Over Missile Defense, U.S. 
Firm Says}}, date = {2017-04-21}, organization = {The Wall Street Journal}, url = {https://www.wsj.com/articles/chinas-secret-weapon-in-south-korea-missile-fight-hackers-1492766403?emailToken=JRrydPtyYnqTg9EyZsw31FwuZ7JNEOKCXF7LaW/HM1DLsjnUp6e6wLgph560pnmiTAN/5ssf7moyADPQj2p2Gc+YkL1yi0zhIiUM9M6aj1HTYQ==}, language = {English}, urldate = {2020-01-06} } @techreport{cherepanov:20141113:roaming:1b09324, author = {Anton Cherepanov}, title = {{Roaming tiger}}, date = {2014-11-13}, institution = {ZeroNights}, url = {http://2014.zeronights.org/assets/files/slides/roaming_tiger_zeronights_2014.pdf}, language = {English}, urldate = {2020-01-09} } @online{cherepanov:20150908:carbanak:c9457cd, author = {Anton Cherepanov}, title = {{Carbanak gang is back and packing new guns}}, date = {2015-09-08}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2015/09/08/carbanak-gang-is-back-and-packing-new-guns/}, language = {English}, urldate = {2019-11-14} } @techreport{cherepanov:20160517:operation:e907b67, author = {Anton Cherepanov}, title = {{Operation Groundbait: Analysis of a surveillance toolkit}}, date = {2016-05-17}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdf}, language = {English}, urldate = {2019-10-25} } @online{cherepanov:20161213:rise:d6ee3c1, author = {Anton Cherepanov}, title = {{The rise of TeleBots: Analyzing disruptive KillDisk attacks}}, date = {2016-12-13}, organization = {ESET Research}, url = {http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/}, language = {English}, urldate = {2019-12-20} } @online{cherepanov:20170523:xdata:98a14a3, author = {Anton Cherepanov}, title = {{XData ransomware making rounds amid global WannaCryptor scare}}, date = {2017-05-23}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/05/23/xdata-ransomware-making-rounds-amid-global-wannacryptor-scare/}, language = {English}, 
urldate = {2020-01-13} } @online{cherepanov:20170612:industroyer:15f0bec, author = {Anton Cherepanov and Robert Lipovsky}, title = {{Industroyer: Biggest threat to industrial control systems since Stuxnet}}, date = {2017-06-12}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/}, language = {English}, urldate = {2019-11-14} } @techreport{cherepanov:20170612:win32industroyer:060c0e6, author = {Anton Cherepanov}, title = {{WIN32/INDUSTROYER: A new threat for industrial control systems}}, date = {2017-06-12}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf}, language = {English}, urldate = {2020-01-13} } @online{cherepanov:20170630:telebots:84aa93d, author = {Anton Cherepanov}, title = {{TeleBots are back: Supply‑chain attacks against Ukraine}}, date = {2017-06-30}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/}, language = {English}, urldate = {2019-12-20} } @techreport{cherepanov:20170703:blackenergy:2403feb, author = {Anton Cherepanov and Robert Lipovsky}, title = {{BlackEnergy – what we really know about the notorious cyber attacks}}, date = {2017-07-03}, institution = {ESET Research}, url = {https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Cherepanov-Lipovsky.pdf}, language = {English}, urldate = {2019-10-14} } @online{cherepanov:20170704:analysis:37c48b2, author = {Anton Cherepanov}, title = {{Analysis of TeleBots’ cunning backdoor}}, date = {2017-07-04}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/}, language = {English}, urldate = {2019-11-14} } @online{cherepanov:20171005:industroyer:4406e62, author = {Anton Cherepanov and Robert Lipovsky}, title = {{Industroyer: Biggest threat to industrial control systems since 
Stuxnet}}, date = {2017-10-05}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/conference/vb2017/abstracts/last-minute-paper-industroyer-biggest-threat-industrial-control-systems-stuxnet/}, language = {English}, urldate = {2020-01-09} } @online{cherepanov:20180709:certificates:ae214b6, author = {Anton Cherepanov}, title = {{Certificates stolen from Taiwanese tech‑companies misused in Plead malware campaign}}, date = {2018-07-09}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/07/09/certificates-stolen-taiwanese-tech-companies-plead-malware-campaign/}, language = {English}, urldate = {2019-11-14} } @online{cherepanov:20181011:new:8e588c3, author = {Anton Cherepanov and Robert Lipovsky}, title = {{New TeleBots backdoor: First evidence linking Industroyer to NotPetya}}, date = {2018-10-11}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/}, language = {English}, urldate = {2019-11-14} } @online{cherepanov:20181017:eset:c34687b, author = {Anton Cherepanov and Robert Lipovsky}, title = {{ESET unmasks ‘GREYENERGY’ cyber-espionage group}}, date = {2018-10-17}, organization = {ESET Research}, url = {https://www.eset.com/int/greyenergy-exposed/}, language = {English}, urldate = {2020-01-13} } @online{cherepanov:20181017:greyenergy:f328dbf, author = {Anton Cherepanov and Robert Lipovsky}, title = {{GreyEnergy: Updated arsenal of one of the most dangerous threat actors}}, date = {2018-10-17}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/}, language = {English}, urldate = {2020-01-07} } @techreport{cherepanov:20181018:greyenergy:9885d0c, author = {Anton Cherepanov}, title = {{GREYENERGY: A successor to BlackEnergy}}, date = {2018-10-18}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf}, 
language = {English}, urldate = {2020-01-09} } @online{cherepanov:20190514:plead:3140588, author = {Anton Cherepanov}, title = {{Plead malware distributed via MitM attacks at router level, misusing ASUS WebStorage}}, date = {2019-05-14}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/05/14/plead-malware-mitm-asus-webstorage/}, language = {English}, urldate = {2019-11-14} } @online{cherepanov:20200910:who:2fdc6a6, author = {Anton Cherepanov}, title = {{Who is calling? CDRThief targets Linux VoIP softswitches}}, date = {2020-09-10}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/09/10/who-callin-cdrthief-linux-voip-softswitches/}, language = {English}, urldate = {2020-09-15} } @online{cherepanov:20201116:lazarus:6b90a77, author = {Anton Cherepanov and Peter Kálnai}, title = {{Lazarus supply‑chain attack in South Korea}}, date = {2020-11-16}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/11/16/lazarus-supply-chain-attack-south-korea/}, language = {English}, urldate = {2020-11-18} } @online{chester:20170813:analysis:11db4f8, author = {Adam Chester}, title = {{Analysis of APT28 hospitality malware (Part 2)}}, date = {2017-08-13}, url = {https://blog.xpnsec.com/apt28-hospitality-malware-part-2/}, language = {English}, urldate = {2020-01-08} } @online{chester:20190510:exploring:758b4e8, author = {Adam Chester}, title = {{Exploring Mimikatz - Part 1 - WDigest}}, date = {2019-05-10}, organization = {XPN Blog}, url = {https://blog.xpnsec.com/exploring-mimikatz-part-1/}, language = {English}, urldate = {2020-09-01} } @online{chiang:20070403:case:5dd68c2, author = {Ken Chiang and Levi Lloyd}, title = {{A Case Study of the Rustock Rootkit and Spam Bot}}, date = {2007-04-03}, organization = {USENIX}, url = {https://www.usenix.org/legacy/event/hotbots07/tech/full_papers/chiang/chiang_html/index.html}, language = {English}, urldate = {2019-12-17} } @techreport{chien:2011:nitro:76c8338, author = 
{Eric Chien and Gavin O'Gorman}, title = {{The Nitro Attacks}}, date = {2011}, institution = {Symantec}, url = {http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_nitro_attacks.pdf}, language = {English}, urldate = {2020-01-13} } @online{chili:20180201:operation:305d726, author = {Ivona Alexandra Chili and Bogdan Botezatu}, title = {{Operation PZChao: a possible return of the Iron Tiger APT}}, date = {2018-02-01}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/}, language = {English}, urldate = {2020-01-05} } @online{chimino:20190206:icedid:ef0caad, author = {Itzik Chimino and Limor Kessem and Ophir Harpaz}, title = {{IcedID Operators Using ATSEngine Injection Panel to Hit E-Commerce Sites}}, date = {2019-02-06}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/icedid-operators-using-atsengine-injection-panel-to-hit-e-commerce-sites/}, language = {English}, urldate = {2020-01-08} } @online{chirgwin:20180110:taiwanese:1ccf7ce, author = {Richard Chirgwin}, title = {{Taiwanese cops give malware-laden USB sticks as prizes for security quiz}}, date = {2018-01-10}, organization = {The Register}, url = {https://www.theregister.co.uk/2018/01/10/taiwanese_police_malware/}, language = {English}, urldate = {2020-01-09} } @online{chiu:20170621:player:b44064a, author = {Alex Chiu and Warren Mercer and Jaeson Schultz and Sean Baird and Matthew Molyett}, title = {{Player 1 Limps Back Into the Ring - Hello again, Locky!}}, date = {2017-06-21}, organization = {Cisco}, url = {http://blog.talosintelligence.com/2017/06/necurs-locky-campaign.html}, language = {English}, urldate = {2019-12-17} } @online{chohan:20180816:chinese:91aaa15, author = {Sanil Chohan and Winnona Desombre and Justin Grosfelt}, title = {{Chinese Cyberespionage Originating From Tsinghua University Infrastructure}}, date = {2018-08-16}, organization = {Recorded 
Future}, url = {https://www.recordedfuture.com/chinese-cyberespionage-operations/}, language = {English}, urldate = {2020-01-09} } @online{chokepoint:20170417:azazel:0fc47c6, author = {chokepoint}, title = {{Azazel}}, date = {2017-04-17}, organization = {Github (chokepoint)}, url = {https://github.com/chokepoint/azazel}, language = {English}, urldate = {2020-01-10} } @online{chong:20120416:detailed:3f191a4, author = {Rong Hwa Chong}, title = {{Detailed Analysis Of Sykipot (Smartcard Proxy Variant)}}, date = {2012-04-16}, organization = {SANS}, url = {https://www.sans.org/reading-room/whitepapers/malicious/detailed-analysis-sykipot-smartcard-proxy-variant-33919}, language = {English}, urldate = {2020-01-07} } @online{chong:20130401:trojanaptbanechant:3b8eea7, author = {Rong Hwa Chong}, title = {{Trojan.APT.BaneChant: In-Memory Trojan That Observes for Multiple Mouse Clicks}}, date = {2013-04-01}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2013/04/trojan-apt-banechant-in-memory-trojan-that-observes-for-multiple-mouse-clicks.html}, language = {English}, urldate = {2020-07-15} } @online{chris:20140501:hunting:bcefc84, author = {Chris}, title = {{Hunting Hidden Lynx: How OSINT is Crucial for APT Analysis}}, date = {2014-05-01}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/hidden-lynx-analysis/}, language = {English}, urldate = {2020-01-07} } @online{chrisjd20:20170512:powershellwebbackdoor:ceb76d4, author = {chrisjd20}, title = {{powershell_web_backdoor}}, date = {2017-05-12}, organization = {Github (chrisjd20)}, url = {https://github.com/chrisjd20/powershell_web_backdoor}, language = {English}, urldate = {2020-01-06} } @online{chrysaidos:20151104:droidjack:d4ab0f5, author = {Nikolaos Chrysaidos}, title = {{DroidJack isn’t the only spying software out there: Avast discovers OmniRat}}, date = {2015-11-04}, organization = {Avast}, url = 
{https://blog.avast.com/2015/11/05/droidjack-isnt-the-only-spying-software-out-there-avast-discovers-that-omnirat-is-currently-being-used-and-spread-by-criminals-to-gain-full-remote-co}, language = {English}, urldate = {2019-12-10} } @online{chrysaidos:20171220:new:6ebc559, author = {Nikolaos Chrysaidos}, title = {{New version of mobile malware Catelites possibly linked to Cron cyber gang}}, date = {2017-12-20}, organization = {Avast}, url = {https://blog.avast.com/new-version-of-mobile-malware-catelites-possibly-linked-to-cron-cyber-gang}, language = {English}, urldate = {2020-01-07} } @online{chumley:20140529:iranian:38c457f, author = {Cheryl K. Chumley}, title = {{Iranian hackers sucker punch U.S. defense officials with creative social-media scam}}, date = {2014-05-29}, organization = {The Washington Times}, url = {https://www.washingtontimes.com/news/2014/may/29/iranian-hackers-sucker-punch-us-defense-heads-crea/}, language = {English}, urldate = {2020-01-06} } @online{ciccarelli:20191121:going:0e7cac5, author = {Mario Ciccarelli}, title = {{Going Deep | A Guide to Reversing Smoke Loader Malware}}, date = {2019-11-21}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/going-deep-a-guide-to-reversing-smoke-loader-malware/}, language = {English}, urldate = {2020-01-07} } @online{cid:20140318:windigo:7fd6adb, author = {Daniel B. 
Cid}, title = {{Windigo Linux Analysis – Ebury and Cdorked}}, date = {2014-03-18}, url = {https://blog.sucuri.net/2014/03/windigo-linux-analysis-ebury-and-cdorked.html}, language = {English}, urldate = {2019-12-18} } @online{cimpanu:20160112:trochilus:2b0bc1c, author = {Catalin Cimpanu}, title = {{Trochilus RAT Evades Antivirus Detection, Used for Cyber-Espionage in South-East Asia}}, date = {2016-01-12}, organization = {Softpedia News}, url = {https://news.softpedia.com/news/trochilus-rat-evades-antivirus-detection-used-for-cyber-espionage-in-south-east-asia-498776.shtml}, language = {English}, urldate = {2020-01-13} } @online{cimpanu:20160309:korean:06f01a0, author = {Catalin Cimpanu}, title = {{Korean Energy and Transportation Targets Attacked by OnionDog APT}}, date = {2016-03-09}, organization = {SOFTPEDIA® NEWS}, url = {http://news.softpedia.com/news/korean-energy-and-transportation-targets-attacked-by-oniondog-apt-501534.shtml}, language = {English}, urldate = {2019-12-24} } @online{cimpanu:20160911:free:c125edd, author = {Catalin Cimpanu}, title = {{Free Darktrack RAT Has the Potential of Being the Best RAT on the Market Search}}, date = {2016-09-11}, organization = {Softpedia News}, url = {http://news.softpedia.com/news/free-darktrack-rat-has-the-potential-of-being-the-best-rat-on-the-market-508179.shtml}, language = {English}, urldate = {2019-12-17} } @online{cimpanu:20161209:proof:25c0bdd, author = {Catalin Cimpanu}, title = {{"Proof of Concept" CryptoWire Ransomware Spawns Lomix and UltraLocker Families}}, date = {2016-12-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/-proof-of-concept-cryptowire-ransomware-spawns-lomix-and-ultralocker-families/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20170104:firecrypt:5b965cd, author = {Catalin Cimpanu}, title = {{FireCrypt Ransomware Comes With a DDoS Component}}, date = {2017-01-04}, organization = {Bleeping Computer}, url = 
{https://www.bleepingcomputer.com/news/security/firecrypt-ransomware-comes-with-a-ddos-component/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20170117:new:3c28f96, author = {Catalin Cimpanu}, title = {{New GhostAdmin Malware Used for Data Theft and Exfiltration}}, date = {2017-01-17}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-ghostadmin-malware-used-for-data-theft-and-exfiltration/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20170206:polish:577f33c, author = {Catalin Cimpanu}, title = {{Polish Banks Infected with Malware Hosted on Their Own Government's Site}}, date = {2017-02-06}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/polish-banks-infected-with-malware-hosted-on-their-own-governments-site/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20170410:longhorn:97fddcb, author = {Catalin Cimpanu}, title = {{Longhorn Cyber-Espionage Group Is Actually the CIA}}, date = {2017-04-10}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/longhorn-cyber-espionage-group-is-actually-the-cia/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20170421:brickerbot:658d8b8, author = {Catalin Cimpanu}, title = {{BrickerBot Author Claims He Bricked Two Million Devices}}, date = {2017-04-21}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/brickerbot-author-claims-he-bricked-two-million-devices/}, language = {English}, urldate = {2019-12-20} } @online{cimpanu:20170622:locky:4a088f0, author = {Catalin Cimpanu}, title = {{Locky Ransomware Returns, but Targets Only Windows XP & Vista}}, date = {2017-06-22}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/locky-ransomware-returns-but-targets-only-windows-xp-and-vista/}, language = {English}, urldate = {2019-12-20} } 
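@comment{A bare dollar sign inside a field value is passed through to LaTeX and opens math mode, which breaks the bibliography build; literal dollar amounts in titles are therefore escaped as \$ (see the CryptoShuffler entry below).}
@online{cimpanu:20170629:ransomware:d2d7b40,
  author       = {Catalin Cimpanu},
  title        = {{Ransomware Attacks Continue in Ukraine with Mysterious WannaCry Clone}},
  date         = {2017-06-29},
  organization = {Bleeping Computer},
  url          = {https://www.bleepingcomputer.com/news/security/ransomware-attacks-continue-in-ukraine-with-mysterious-wannacry-clone/},
  language     = {English},
  urldate      = {2019-12-20}
}
@online{cimpanu:20170826:us:0d7249a,
  author       = {Catalin Cimpanu},
  title        = {{US Arrests Chinese Man Involved With Sakula Malware Used in OPM and Anthem Hacks}},
  date         = {2017-08-26},
  organization = {Bleeping Computer},
  url          = {https://www.bleepingcomputer.com/news/security/us-arrests-chinese-man-involved-with-sakula-malware-used-in-opm-and-anthem-hacks/},
  language     = {English},
  urldate      = {2019-12-20}
}
@online{cimpanu:20171101:cryptoshuffler:64a3db4,
  author       = {Catalin Cimpanu},
  title        = {{CryptoShuffler Stole \$150,000 by Replacing Bitcoin Wallet IDs in PC Clipboards}},
  date         = {2017-11-01},
  organization = {Bleeping Computer},
  url          = {https://www.bleepingcomputer.com/news/security/cryptoshuffler-stole-150-000-by-replacing-bitcoin-wallet-ids-in-pc-clipboards/},
  language     = {English},
  urldate      = {2019-12-20}
}
@online{cimpanu:20171109:ordinypt:cc9c071,
  author       = {Catalin Cimpanu},
  title        = {{Ordinypt Ransomware Intentionally Destroys Files, Currently Targeting Germany}},
  date         = {2017-11-09},
  organization = {Bleeping Computer},
  url          = {https://www.bleepingcomputer.com/news/security/ordinypt-ransomware-intentionally-destroys-files-currently-targeting-germany/},
  language     = {English},
  urldate      = {2019-12-20}
}
@online{cimpanu:20171124:mirai:ea4773e,
  author       = {Catalin Cimpanu},
  title        = {{Mirai Activity Picks up Once More After Publication of PoC Exploit Code}},
  date         = {2017-11-24},
  organization = {Bleeping Computer},
  url          = {https://www.bleepingcomputer.com/news/security/mirai-activity-picks-up-once-more-after-publication-of-poc-exploit-code/},
  language     = {English},
  urldate      = {2019-12-20}
}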
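@comment{Straight double quotes in a title are typeset by LaTeX as two closing quotes; the Hide and Seek title below uses the opening and closing quote ligatures instead. Field values are otherwise unchanged; entries are laid out one field per line.}
@online{cimpanu:20171211:brickerbot:52db283,
  author       = {Catalin Cimpanu},
  title        = {{BrickerBot Author Retires Claiming to Have Bricked over 10 Million IoT Devices}},
  date         = {2017-12-11},
  organization = {Bleeping Computer},
  url          = {https://www.bleepingcomputer.com/news/security/brickerbot-author-retires-claiming-to-have-bricked-over-10-million-iot-devices/},
  language     = {English},
  urldate      = {2019-12-20}
}
@online{cimpanu:20171212:moneytaker:b5f4fbb,
  author       = {Catalin Cimpanu},
  title        = {{MoneyTaker Hacker Group Steals Millions from US and Russian Banks}},
  date         = {2017-12-12},
  organization = {Bleeping Computer},
  url          = {https://www.bleepingcomputer.com/news/security/moneytaker-hacker-group-steals-millions-from-us-and-russian-banks/},
  language     = {English},
  urldate      = {2019-12-20}
}
@online{cimpanu:20180124:new:90c5883,
  author       = {Catalin Cimpanu},
  title        = {{New HNS IoT Botnet Has Already Amassed 14K Bots}},
  date         = {2018-01-24},
  organization = {Bleeping Computer},
  url          = {https://www.bleepingcomputer.com/news/security/new-hns-iot-botnet-has-already-amassed-14k-bots/},
  language     = {English},
  urldate      = {2019-12-20}
}
@online{cimpanu:20180226:nanocore:4659d30,
  author       = {Catalin Cimpanu},
  title        = {{Nanocore RAT Author Gets 33 Months in Prison}},
  date         = {2018-02-26},
  organization = {Bleeping Computer},
  url          = {https://www.bleepingcomputer.com/news/security/nanocore-rat-author-gets-33-months-in-prison/},
  language     = {English},
  urldate      = {2019-12-20}
}
@online{cimpanu:20180418:stresspaint:640ad68,
  author       = {Catalin Cimpanu},
  title        = {{Stresspaint Malware Steals Facebook Credentials and Session Cookies}},
  date         = {2018-04-18},
  organization = {Bleeping Computer},
  url          = {https://www.bleepingcomputer.com/news/security/stresspaint-malware-steals-facebook-credentials-and-session-cookies/},
  language     = {English},
  urldate      = {2019-12-20}
}
@online{cimpanu:20180427:north:b7ed973,
  author       = {Catalin Cimpanu},
  title        = {{North Korean Hackers Are up to No Good Again}},
  date         = {2018-04-27},
  organization = {Bleeping Computer},
  url          = {https://www.bleepingcomputer.com/news/security/north-korean-hackers-are-up-to-no-good-again/},
  language     = {English},
  urldate      = {2019-12-20}
}
@online{cimpanu:20180508:hide:5ab3dfd,
  author       = {Catalin Cimpanu},
  title        = {{``Hide and Seek'' Becomes First IoT Botnet Capable of Surviving Device Reboots}},
  date         = {2018-05-08},
  organization = {Bleeping Computer},
  url          = {https://www.bleepingcomputer.com/news/security/hide-and-seek-becomes-first-iot-botnet-capable-of-surviving-device-reboots/},
  language     = {English},
  urldate      = {2019-12-20}
}
@online{cimpanu:20180612:trik:137e306,
  author       = {Catalin Cimpanu},
  title        = {{Trik Spam Botnet Leaks 43 Million Email Addresses}},
  date         = {2018-06-12},
  organization = {Bleeping Computer},
  url          = {https://www.bleepingcomputer.com/news/security/trik-spam-botnet-leaks-43-million-email-addresses/},
  language     = {English},
  urldate      = {2019-12-20}
}
@online{cimpanu:20180614:dbger:c326e0a,
  author       = {Catalin Cimpanu},
  title        = {{DBGer Ransomware Uses EternalBlue and Mimikatz to Spread Across Networks}},
  date         = {2018-06-14},
  organization = {Bleeping Computer},
  url          = {https://www.bleepingcomputer.com/news/security/dbger-ransomware-uses-eternalblue-and-mimikatz-to-spread-across-networks/},
  language     = {English},
  urldate      = {2019-12-20}
}
@online{cimpanu:20180615:chinese:e0be0ab,
  author       = {Catalin Cimpanu},
  title        = {{Chinese Cyber-Espionage Group Hacked Government Data Center}},
  date         = {2018-06-15},
  organization = {Bleeping Computer},
  url          = {https://www.bleepingcomputer.com/news/security/chinese-cyber-espionage-group-hacked-government-data-center/},
  language     = {English},
  urldate      = {2019-12-20}
}
@online{cimpanu:20180615:hacker:e0452dd,
  author       = {Catalin Cimpanu},
  title        = {{Hacker Breaches Syscoin GitHub Account and Poisons Official Client}},
  date         = {2018-06-15},
  organization = {Bleeping Computer},
  url          = {https://www.bleepingcomputer.com/news/security/hacker-breaches-syscoin-github-account-and-poisons-official-client/},
  language     = {English},
  urldate      = {2019-12-20}
}
@online{cimpanu:20180706:hns:c7115f1,
  author       = {Catalin Cimpanu},
  title        = {{HNS Evolves From IoT to Cross-Platform Botnet}},
  date         = {2018-07-06},
  organization = {Bleeping Computer},
  url          = {https://www.bleepingcomputer.com/news/security/hns-evolves-from-iot-to-cross-platform-botnet/},
  language     = {English},
  urldate      = {2019-12-20}
}
@online{cimpanu:20180719:router:38a2d38,
  author       = {Catalin Cimpanu},
  title        = {{Router Crapfest: Malware Author Builds 18,000-Strong Botnet in a Day}},
  date         = {2018-07-19},
  organization = {Bleeping Computer},
  url          = {https://www.bleepingcomputer.com/news/security/router-crapfest-malware-author-builds-18-000-strong-botnet-in-a-day/},
  language     = {English},
  urldate      = {2019-12-20}
}
@online{cimpanu:20180728:new:b35a74a,
  author       = {Catalin Cimpanu},
  title        = {{New Underminer Exploit Kit Discovered Pushing Bootkits and CoinMiners}},
  date         = {2018-07-28},
  organization = {Bleeping Computer},
  url          = {https://www.bleepingcomputer.com/news/security/new-underminer-exploit-kit-discovered-pushing-bootkits-and-coinminers/},
  language     = {English},
  urldate      = {2019-12-20}
}
@online{cimpanu:20180821:microsoft:bc5c2f0,
  author       = {Catalin Cimpanu},
  title        = {{Microsoft Disrupts APT28 Hacking Campaign Aimed at US Midterm Elections}},
  date         = {2018-08-21},
  organization = {Bleeping Computer},
  url          = {https://www.bleepingcomputer.com/news/security/microsoft-disrupts-apt28-hacking-campaign-aimed-at-us-midterm-elections/},
  language     = {English},
  urldate      = {2019-12-20}
}
@online{cimpanu:20180823:lazarus:e929232,
  author       = {Catalin Cimpanu},
  title        = {{Lazarus Group Deploys Its First Mac Malware in Cryptocurrency Exchange Hack}},
  date         = {2018-08-23},
  organization = {Bleeping Computer},
  url          = {https://www.bleepingcomputer.com/news/security/lazarus-group-deploys-its-first-mac-malware-in-cryptocurrency-exchange-hack/},
  language     = {English},
  urldate      = {2019-12-20}
}
@online{cimpanu:20180824:iranian:04296ee,
  author       = {Catalin Cimpanu},
  title        = {{Iranian Hackers Charged in March Are Still Actively Phishing Universities}},
  date         = {2018-08-24},
  organization = {Bleeping Computer},
  url          = {https://www.bleepingcomputer.com/news/security/iranian-hackers-charged-in-march-are-still-actively-phishing-universities/},
  language     = {English},
  urldate      = {2019-12-20}
}
@online{cimpanu:20180905:new:c1c9e19,
  author       = {Catalin Cimpanu},
  title        = {{New Silence hacking group suspected of having ties to cyber-security industry}},
  date         = {2018-09-05},
  organization = {ZDNet},
  url          = {https://www.zdnet.com/article/new-silence-hacking-group-suspected-of-having-ties-to-cyber-security-industry/},
  language     = {English},
  urldate      = {2019-12-19}
}
@online{cimpanu:20190116:north:8f56bd0,
  author       = {Catalin Cimpanu},
  title        = {{North Korean hackers infiltrate Chile's ATM network after Skype job interview}},
  date         = {2019-01-16},
  organization = {ZDNet},
  url          = {https://www.zdnet.com/article/north-korean-hackers-infiltrate-chiles-atm-network-after-skype-job-interview/},
  language     = {English},
  urldate      = {2020-01-10}
}
@online{cimpanu:20190214:127:78132dd,
  author       = {Catalin Cimpanu},
  title        = {{127 million user records from 8 companies put up for sale on the dark web}},
  date         = {2019-02-14},
  organization = {ZDNet},
  url          = {https://www.zdnet.com/article/127-million-user-records-from-8-companies-put-up-for-sale-on-the-dark-web/},
  language     = {English},
  urldate      = {2019-12-24}
}
@online{cimpanu:20190217:hacker:19fe800,
  author       = {Catalin Cimpanu},
  title        = {{Hacker puts up for sale third round of hacked databases on the Dark Web}},
  date         = {2019-02-17},
  organization = {ZDNet},
  url          = {https://www.zdnet.com/article/hacker-puts-up-for-sale-third-round-of-hacked-databases-on-the-dark-web/},
  language     = {English},
  urldate      = {2020-01-10}
}
@online{cimpanu:20190317:round:53521b8,
  author       = {Catalin Cimpanu},
  title        = {{Round 4: Hacker returns and puts 26Mil user records for sale on the Dark Web}},
  date         = {2019-03-17},
  organization = {ZDNet},
  url          = {https://www.zdnet.com/article/round-4-hacker-returns-and-puts-26mil-user-records-for-sale-on-the-dark-web/},
  language     = {English},
  urldate      = {2019-12-15}
}
@online{cimpanu:20190415:hacker:4b851e8,
  author       = {Catalin Cimpanu},
  title        = {{A hacker has dumped nearly one billion user records over the past two months}},
  date         = {2019-04-15},
  organization = {ZDNet},
  url          = {https://www.zdnet.com/article/a-hacker-has-dumped-nearly-one-billion-user-records-over-the-past-two-months/},
  language     = {English},
  urldate      = {2020-01-05}
}
@online{cimpanu:20190419:security:683479e,
  author       = {Catalin Cimpanu},
  title        = {{Security researcher MalwareTech pleads guilty}},
  date         = {2019-04-19},
  organization = {ZDNet},
  url          = {https://www.zdnet.com/article/security-researcher-malwaretech-pleads-guilty/},
  language     = {English},
  urldate      = {2020-01-13}
}
@online{cimpanu:20190509:new:f8a3f46,
  author       = {Catalin Cimpanu},
  title        = {{New leaks of Iranian cyber-espionage operations hit Telegram and the Dark Web}},
  date         = {2019-05-09},
  organization = {ZDNet},
  url          = {https://www.zdnet.com/article/new-leaks-of-iranian-cyber-espionage-operations-hit-telegram-and-the-dark-web/},
  language     = {English},
  urldate      = {2020-01-09}
}
@online{cimpanu:20191010:new:3f09021,
  author       = {Catalin Cimpanu},
  title        = {{New espionage malware found targeting Russian-speaking users in Eastern Europe}},
  date         = {2019-10-10},
  organization = {ZDNet},
  url          = {https://www.zdnet.com/article/new-espionage-malware-found-targeting-russian-speaking-users-in-eastern-europe/},
  language     = {English},
  urldate      = {2020-01-06}
}
@online{cimpanu:20191120:new:f9c81de,
  author       = {Catalin Cimpanu},
  title        = {{New Roboto botnet emerges targeting Linux servers running Webmin}},
  date         = {2019-11-20},
  organization = {ZDNet},
  url          = {https://www.zdnet.com/article/new-roboto-botnet-emerges-targeting-linux-servers-running-webmin},
  language     = {English},
  urldate      = {2019-12-17}
}
@online{cimpanu:20191123:extensive:4db6fce,
  author       = {Catalin Cimpanu},
  title        = {{Extensive hacking operation discovered in Kazakhstan}},
  date         = {2019-11-23},
  organization = {ZDNet},
  url          = {https://www.zdnet.com/article/extensive-hacking-operation-discovered-in-kazakhstan/},
  language     = {English},
  urldate      = {2020-01-08}
}
@online{cimpanu:20200108:naive:31da98b,
  author       = {Catalin Cimpanu},
  title        = {{Naive IoT botnet wastes its time mining cryptocurrency}},
  date         = {2020-01-08},
  organization = {ZDNet},
  url          = {https://www.zdnet.com/article/naive-iot-botnet-wastes-its-time-mining-cryptocurrency/},
  language     = {English},
  urldate      = {2020-01-13}
}
@online{cimpanu:20200123:someone:fb903da,
  author       = {Catalin Cimpanu},
  title        = {{Someone is uninstalling the Phorpiex malware from infected PCs and telling users to install an antivirus}},
  date         = {2020-01-23},
  organization = {ZDNet},
  url          = {https://www.zdnet.com/article/someone-is-uninstalling-the-phorpiex-malware-from-infected-pcs-and-telling-users-to-install-an-antivirus/},
  language     = {English},
  urldate      = {2020-01-27}
}
@online{cimpanu:20200129:dod:57de65d,
  author       = {Catalin Cimpanu},
  title        = {{DOD contractor suffers ransomware infection}},
  date         = {2020-01-29},
  organization = {ZDNet},
  url          = {https://www.zdnet.com/article/dod-contractor-suffers-ransomware-infection/},
  language     = {English},
  urldate      = {2020-02-03}
}
@online{cimpanu:20200210:fbi:1904430,
  author       = {Catalin Cimpanu},
  title        = {{FBI warns about ongoing attacks against software supply chain companies}},
  date         = {2020-02-10},
  organization = {ZDNet},
  url          = {https://www.zdnet.com/article/fbi-warns-about-ongoing-attacks-against-software-supply-chain-companies/},
  language     = {English},
  urldate      = {2020-02-11}
}
@online{cimpanu:20200220:croatias:ac07fa3,
  author       = {Catalin Cimpanu},
  title        = {{Croatia's largest petrol station chain impacted by cyber-attack}},
  date         = {2020-02-20},
  organization = {ZDNet},
  url          = {https://www.zdnet.com/article/croatias-largest-petrol-station-chain-impacted-by-cyber-attack/},
  language     = {English},
  urldate      = {2020-02-26}
}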
@online{cimpanu:20200229:meet:b1d7dbd, author = {Catalin Cimpanu}, title = {{Meet the white-hat group fighting Emotet, the world's most dangerous malware}}, date = {2020-02-29}, organization = {ZDNet}, url = {https://www.zdnet.com/article/meet-the-white-hat-group-fighting-emotet-the-worlds-most-dangerous-malware/}, language = {English}, urldate = {2020-03-02} } @online{cimpanu:20200319:france:9882b07, author = {Catalin Cimpanu}, title = {{France warns of new ransomware gang targeting local governments}}, date = {2020-03-19}, organization = {ZDNet}, url = {https://www.zdnet.com/article/france-warns-of-new-ransomware-gang-targeting-local-governments/}, language = {English}, urldate = {2020-03-26} } @online{cimpanu:20200327:booz:90c4f8d, author = {Catalin Cimpanu}, title = {{Booz Allen analyzed 200+ Russian hacking operations to better understand their tactics}}, date = {2020-03-27}, organization = {ZDNet}, url = {https://www.zdnet.com/article/booz-allen-analyzed-200-russian-hacking-operations-to-better-understand-their-tactics/}, language = {English}, urldate = {2020-03-27} } @online{cimpanu:20200331:fbi:91630df, author = {Catalin Cimpanu}, title = {{FBI re-sends alert about supply chain attacks for the third time in three months}}, date = {2020-03-31}, organization = {ZDNet}, url = {https://www.zdnet.com/article/fbi-re-sends-alert-about-supply-chain-attacks-for-the-third-time-in-three-months/}, language = {English}, urldate = {2020-04-07} } @online{cimpanu:20200427:shade:4d47bf1, author = {Catalin Cimpanu}, title = {{Shade (Troldesh) ransomware shuts down and releases decryption keys}}, date = {2020-04-27}, organization = {ZDNet}, url = {https://www.zdnet.com/article/shade-troldesh-ransomware-shuts-down-and-releases-all-decryption-keys/}, language = {English}, urldate = {2020-04-28} } @online{cimpanu:20200518:fbi:54e14c9, author = {Catalin Cimpanu}, title = {{FBI: ProLock ransomware gains access to victim networks via Qakbot infections}}, date = {2020-05-18}, 
organization = {ZDNet}, url = {https://www.zdnet.com/article/fbi-prolock-ransomware-gains-access-to-victim-networks-via-qakbot-infections/}, language = {English}, urldate = {2020-05-18} } @online{cimpanu:20200602:revil:883c59f, author = {Catalin Cimpanu}, title = {{REvil ransomware gang launches auction site to sell stolen data}}, date = {2020-06-02}, organization = {ZDNet}, url = {https://www.zdnet.com/article/revil-ransomware-gang-launches-auction-site-to-sell-stolen-data/}, language = {English}, urldate = {2020-06-03} } @online{cimpanu:20200603:ransomware:116ecb8, author = {Catalin Cimpanu}, title = {{Ransomware gang says it breached one of NASA's IT contractors}}, date = {2020-06-03}, organization = {ZDNet}, url = {https://www.zdnet.com/article/ransomware-gang-says-it-breached-one-of-nasas-it-contractors/}, language = {English}, urldate = {2020-06-03} } @online{cimpanu:20200615:web:a10a55d, author = {Catalin Cimpanu}, title = {{Web skimmers found on the websites of Intersport, Claire's, and Icing}}, date = {2020-06-15}, organization = {ZDNet}, url = {https://www.zdnet.com/article/web-skimmers-found-on-the-websites-of-intersport-claires-and-icing/}, language = {English}, urldate = {2020-06-16} } @online{cimpanu:20200715:chinese:0ff06bd, author = {Catalin Cimpanu}, title = {{Chinese state hackers target Hong Kong Catholic Church}}, date = {2020-07-15}, organization = {ZDNet}, url = {https://www.zdnet.com/article/chinese-state-hackers-target-hong-kong-catholic-church/}, language = {English}, urldate = {2020-07-30} } @online{cimpanu:20200729:kaspersky:d874677, author = {Catalin Cimpanu}, title = {{Kaspersky: New hacker-for-hire mercenary group is targeting European law firms}}, date = {2020-07-29}, organization = {ZDNet}, url = {https://www.zdnet.com/article/kaspersky-new-hacker-for-hire-mercenary-group-is-targeting-european-law-firms/}, language = {English}, urldate = {2020-08-18} } @online{cimpanu:20200804:ransomware:e0320ee, author = {Catalin Cimpanu}, title = 
{{Ransomware gang publishes tens of GBs of internal data from LG and Xerox}}, date = {2020-08-04}, organization = {ZDNet}, url = {https://www.zdnet.com/article/ransomware-gang-publishes-tens-of-gbs-of-internal-data-from-lg-and-xerox/}, language = {English}, urldate = {2020-08-18} } @online{cimpanu:20200810:fbi:10c4512, author = {Catalin Cimpanu}, title = {{FBI says an Iranian hacking group is attacking F5 networking devices}}, date = {2020-08-10}, organization = {ZDNet}, url = {https://www.zdnet.com/article/fbi-says-an-iranian-hacking-group-is-attacking-f5-networking-devices}, language = {English}, urldate = {2020-09-18} } @online{cimpanu:20200810:fbi:704abe2, author = {Catalin Cimpanu}, title = {{FBI says an Iranian hacking group is attacking F5 networking devices}}, date = {2020-08-10}, organization = {ZDNet}, url = {https://www.zdnet.com/article/fbi-says-an-iranian-hacking-group-is-attacking-f5-networking-devices/}, language = {English}, urldate = {2020-08-12} } @online{cimpanu:20200901:iranian:5f8dd6c, author = {Catalin Cimpanu}, title = {{Iranian hackers are selling access to compromised companies on an underground forum}}, date = {2020-09-01}, organization = {ZDNet}, url = {https://www.zdnet.com/article/iranian-hackers-are-selling-access-to-compromised-companies-on-an-underground-forum}, language = {English}, urldate = {2020-09-18} } @online{cimpanu:20201008:german:7b88550, author = {Catalin Cimpanu}, title = {{German tech giant Software AG down after ransomware attack}}, date = {2020-10-08}, organization = {ZDNet}, url = {https://www.zdnet.com/article/german-tech-giant-software-ag-down-after-ransomware-attack/}, language = {English}, urldate = {2020-10-12} } @online{cimpanu:20201015:ubisoft:51fe666, author = {Catalin Cimpanu}, title = {{Ubisoft, Crytek data posted on ransomware gang's site}}, date = {2020-10-15}, organization = {ZDNet}, url = {https://www.zdnet.com/article/ubisoft-crytek-data-posted-on-ransomware-gangs-site/}, language = {English}, urldate = 
{2020-10-21} } @online{cimpanu:20201022:eu:ed3c7a4, author = {Catalin Cimpanu}, title = {{EU sanctions Russia over 2015 German Parliament hack}}, date = {2020-10-22}, organization = {ZDNet}, url = {https://www.zdnet.com/article/eu-sanctions-russia-over-2015-german-parliament-hack/}, language = {English}, urldate = {2020-10-26} } @online{cimpanu:20201104:revil:02ca78c, author = {Catalin Cimpanu}, title = {{REvil ransomware gang 'acquires' KPOT malware}}, date = {2020-11-04}, organization = {ZDNet}, url = {https://www.zdnet.com/article/revil-ransomware-gang-acquires-kpot-malware/}, language = {English}, urldate = {2020-11-06} } @online{cimpanu:20201120:malware:0b8ff59, author = {Catalin Cimpanu}, title = {{The malware that usually installs ransomware and you need to remove right away}}, date = {2020-11-20}, organization = {ZDNet}, url = {https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/}, language = {English}, urldate = {2020-11-23} } @online{cimpanu:20201205:ransomware:49c8fff, author = {Catalin Cimpanu}, title = {{Ransomware hits helicopter maker Kopter}}, date = {2020-12-05}, organization = {ZDNet}, url = {https://www.zdnet.com/article/ransomware-hits-helicopter-maker-kopter/}, language = {English}, urldate = {2020-12-08} } @online{cimpanu:20201208:norway:86ae7a1, author = {Catalin Cimpanu}, title = {{Norway says Russian hacking group APT28 is behind August 2020 Parliament hack}}, date = {2020-12-08}, organization = {ZDNet}, url = {https://www.zdnet.com/article/norway-says-russian-hacking-group-apt28-is-behind-august-2020-parliament-hack/}, language = {English}, urldate = {2020-12-08} } @online{cimpanu:20201217:microsoft:e52b204, author = {Catalin Cimpanu}, title = {{Microsoft confirms it was also breached in recent SolarWinds supply chain hack}}, date = {2020-12-17}, organization = {ZDNet}, url = {https://www.zdnet.com/article/microsoft-was-also-breached-in-recent-solarwinds-supply-chain-hack-report/}, 
language = {English}, urldate = {2020-12-18} } @online{cimpanu:20210107:londons:3d62f93, author = {Catalin Cimpanu}, title = {{Tweet on London's Hackney Council attacked by Pysa/Mespinoza ransomware}}, date = {2021-01-07}, organization = {Twitter (@campuscodi)}, url = {https://twitter.com/campuscodi/status/1347223969984897026}, language = {English}, urldate = {2021-01-11} } @techreport{circl:20130329:analysis:b3c48b0, author = {CIRCL}, title = {{Analysis Report (TLP:WHITE) Analysis of a PlugX variant (PlugX version 7.0)}}, date = {2013-03-29}, institution = {Computer Incident Response Center Luxembourg}, url = {https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf}, language = {English}, urldate = {2019-11-24} } @techreport{circl:20130529:malware:cd9f6f8, author = {CIRCL}, title = {{Malware analysis report of a Backdoor.Snifula variant}}, date = {2013-05-29}, institution = {CIRCL}, url = {https://www.circl.lu/assets/files/tr-13/tr-13-snifula-analysis-report-v1.3.pdf}, language = {English}, urldate = {2019-07-11} } @techreport{circl:20130530:analysis:e828e08, author = {CIRCL}, title = {{Analysis of a stage 3 Miniduke sample}}, date = {2013-05-30}, institution = {CIRCL}, url = {https://www.circl.lu/files/tr-14/circl-analysisreport-miniduke-stage3-public.pdf}, language = {English}, urldate = {2020-01-08} } @online{circl:20141126:tr23:fb5d867, author = {CIRCL}, title = {{TR-23 Analysis - NetWiredRC malware}}, date = {2014-11-26}, organization = {CIRCL}, url = {https://www.circl.lu/pub/tr-23/}, language = {English}, urldate = {2020-01-09} } @online{circl:2014:tr25:97f9b0e, author = {CIRCL}, title = {{TR-25 Analysis - Turla / Pfinet / Snake/ Uroburos}}, date = {2014}, organization = {circl.lu}, url = {https://www.circl.lu/pub/tr-25/}, language = {English}, urldate = {2020-07-01} } @online{cisa:20170412:ics:0d94c2e, author = {CISA}, title = {{ICS Alert (ICS-ALERT-17-102-01A)}}, date = {2017-04-12}, organization = {CISA}, url = 
{https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-102-01A}, language = {English}, urldate = {2020-01-09} } @online{cisa:20170612:alert:7799e28, author = {CISA}, title = {{Alert (TA17-163A)}}, date = {2017-06-12}, organization = {CISA}, url = {https://www.us-cert.gov/ncas/alerts/TA17-163A}, language = {English}, urldate = {2020-01-08} } @online{cisa:20180809:malware:71c0559, author = {CISA}, title = {{Malware Analysis Report (AR18-221A)}}, date = {2018-08-09}, organization = {CISA}, url = {https://www.us-cert.gov/ncas/analysis-reports/AR18-221A}, language = {English}, urldate = {2020-01-07} } @online{cisa:20190509:malware:0fa3b40, author = {CISA}, title = {{Malware Analysis Report (AR19-129A)}}, date = {2019-05-09}, organization = {CISA}, url = {https://www.us-cert.gov/ncas/analysis-reports/AR19-129A}, language = {English}, urldate = {2020-01-08} } @online{cisa:20190909:malware:f266520, author = {CISA}, title = {{Malware Analysis Report (AR19-252A)}}, date = {2019-09-09}, organization = {CISA}, url = {https://www.us-cert.gov/ncas/analysis-reports/ar19-252a}, language = {English}, urldate = {2020-01-07} } @online{cisa:20191031:malware:4eccc2d, author = {CISA}, title = {{Malware Analysis Report (AR19-304A)}}, date = {2019-10-31}, organization = {CISA}, url = {https://www.us-cert.gov/ncas/analysis-reports/ar19-304a}, language = {English}, urldate = {2020-01-09} } @online{cisa:2019:hidden:52ee565, author = {CISA}, title = {{HIDDEN COBRA - North Korean Malicious Cyber Activity}}, date = {2019}, organization = {CISA}, url = {https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity}, language = {English}, urldate = {2020-01-07} } @online{cisa:20200826:mar103017061v1:735a8fc, author = {CISA}, title = {{MAR-10301706-1.v1 - North Korean Remote Access Tool: ECCENTRICBANDWAGON}}, date = {2020-08-26}, organization = {CISA}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar20-239a}, language = {English}, urldate = {2020-09-01} } 
@online{cisa:20200826:mar103017062v1:e64b3ac, author = {CISA}, title = {{MAR-10301706-2.v1 - North Korean Remote Access Tool: VIVACIOUSGIFT}}, date = {2020-08-26}, organization = {CISA}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar20-239b}, language = {English}, urldate = {2020-09-01} } @techreport{cisa:20201028:aa20302a:80b6a06, author = {CISA and FBI and HHS}, title = {{AA20-302A: Ransomware Activity Targeting the Healthcare and Public Health Sector}}, date = {2020-10-28}, institution = {CISA}, url = {https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf}, language = {English}, urldate = {2020-11-02} } @online{cisa:20201213:active:44eb4a4, author = {CISA}, title = {{Active Exploitation of SolarWinds Software}}, date = {2020-12-13}, organization = {CISA}, url = {https://us-cert.cisa.gov/ncas/current-activity/2020/12/13/active-exploitation-solarwinds-software}, language = {English}, urldate = {2020-12-15} } @techreport{citizenlab:20100406:shadows:0ddd0ca, author = {CitizenLab and Information Warfare Monitor and Shadowserver Foundation}, title = {{SHADOWS IN THE CLOUD: Investigating Cyber Espionage 2.0}}, date = {2010-04-06}, institution = {CitizenLab}, url = {https://citizenlab.ca/wp-content/uploads/2017/05/shadows-in-the-cloud.pdf}, language = {English}, urldate = {2020-01-13} } @online{citizenlab:20200609:dark:6fc74ec, author = {CitizenLab}, title = {{Dark Basin Indicators of Compromise}}, date = {2020-06-09}, organization = {Github (citizenlab)}, url = {https://github.com/citizenlab/malware-indicators/tree/master/202006_DarkBasin}, language = {English}, urldate = {2020-11-02} } @techreport{clarke:20201130:its:1b6b681, author = {Mitchell Clarke and Tom Hall}, title = {{It's not FINished The Evolving Maturity in Ransomware Operations}}, date = {2020-11-30}, institution = {FireEye}, url = 
{https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf}, language = {English}, urldate = {2020-12-14} } @techreport{clarke:20201209:its:c312acc, author = {Mitchell Clarke and Tom Hall}, title = {{It's not FINished The Evolving Maturity in Ransomware Operations (SLIDES)}}, date = {2020-12-09}, institution = {FireEye}, url = {https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf}, language = {English}, urldate = {2020-12-15} } @techreport{clearsky:201707:operationwilted:7e57e58, author = {ClearSky and Trend Micro}, title = {{Operation Wilted Tulip}}, date = {2017-07}, institution = {ClearSky}, url = {https://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf}, language = {English}, urldate = {2020-01-06} } @online{clearsky:20180213:enfal:e063cf1, author = {ClearSky}, title = {{Tweet on Enfal loader}}, date = {2018-02-13}, organization = {Twitter (@ClearskySec)}, url = {https://twitter.com/ClearskySec/status/963829930776723461}, language = {English}, urldate = {2019-07-10} } @techreport{clearsky:20201015:operation:dead010, author = {ClearSky}, title = {{Operation Quicksand: MuddyWater’s Offensive Attack Against Israeli Organizations}}, date = {2020-10-15}, institution = {ClearSky}, url = {https://www.clearskysec.com/wp-content/uploads/2020/10/Operation-Quicksand.pdf}, language = {English}, urldate = {2020-10-21} } @online{clueley:20200109:man:cea3f4b, author = {Graham Cluley}, title = {{Man jailed for using webcam RAT to spy on women in their bedrooms}}, date = {2020-01-09}, organization = {The State of Security}, url = {https://www.tripwire.com/state-of-security/featured/man-jailed-using-webcam-rat-women-bedrooms/}, language = {English}, urldate = {2020-01-20} } @online{cluley:20121113:new:627d122, author = {Graham Cluley}, title = {{New variant of Mac Trojan discovered, targeting Tibet}}, date = {2012-11-13}, 
organization = {Sophos}, url = {https://nakedsecurity.sophos.com/2012/11/13/new-mac-trojan/}, language = {English}, urldate = {2020-01-08} } @online{cluley:20150526:moose:4cb9940, author = {Graham Cluley}, title = {{Moose – the router worm with an appetite for social networks}}, date = {2015-05-26}, organization = {ESET Research}, url = {http://www.welivesecurity.com/2015/05/26/moose-router-worm/}, language = {English}, urldate = {2019-12-20} } @online{cluley:20170830:new:c821389, author = {Graham Cluley}, title = {{New ESET research uncovers Gazer, the stealthy backdoor that spies on embassies}}, date = {2017-08-30}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/}, language = {English}, urldate = {2019-11-14} } @online{cluley:20170904:despite:6f4a25f, author = {Graham Cluley}, title = {{Despite appearances, WikiLeaks wasn’t hacked}}, date = {2017-09-04}, organization = {Graham Cluley Blog}, url = {https://www.grahamcluley.com/despite-appearances-wikileaks-wasnt-hacked/}, language = {English}, urldate = {2019-11-28} } @online{cluley:20200409:travelex:bb5a2d7, author = {Graham Cluley}, title = {{Travelex paid hackers $2.3 million worth of Bitcoin after ransomware attack}}, date = {2020-04-09}, organization = {Graham Cluley Blog}, url = {https://www.grahamcluley.com/travelex-paid-ransom/}, language = {English}, urldate = {2020-04-26} } @online{cluley:20200505:kaiji:94f85b6, author = {Graham Cluley}, title = {{Kaiji – a new strain of IoT malware seizing control and launching DDoS attacks}}, date = {2020-05-05}, organization = {Bitdefender}, url = {https://www.bitdefender.com/box/blog/iot-news/kaiji-new-strain-iot-malware-seizing-control-launching-ddos-attacks/}, language = {English}, urldate = {2020-05-06} } @online{cn33liz:20170605:javascript:36e302d, author = {Cn33liz}, title = {{A JavaScript and VBScript Based Empire Launcher - by Cn33liz 2017}}, date = {2017-06-05}, organization = {Github 
(Cn33liz)}, url = {https://github.com/Cn33liz/StarFighters}, language = {English}, urldate = {2020-04-07} } @online{cna:201901:destructive:38ed2c3, author = {Saudi Arabia CNA}, title = {{Destructive Attack “DUSTMAN” Technical Report}}, date = {2019-01}, organization = {Saudi Arabia CNA}, url = {https://www.scribd.com/document/442225568/Saudi-Arabia-CNA-report}, language = {English}, urldate = {2020-01-13} } @online{cobb:20130502:stealthiness:6579e26, author = {Stephen Cobb}, title = {{The stealthiness of Linux/Cdorked: a clarification}}, date = {2013-05-02}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2013/05/02/the-stealthiness-of-linuxcdorked-a-clarification/}, language = {English}, urldate = {2019-11-14} } @online{cobli:20180618:six:c3dc8c0, author = {Claudiu Cobliș and Cristian Istrate and Cornel Punga and Andrei Ardelean}, title = {{Six Years and Counting: Inside the Complex Zacinlo Ad Fraud Operation}}, date = {2018-06-18}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/wp-content/uploads/downloads/six-years-and-counting-inside-the-complex-zacinlo-ad-fraud-operation/}, language = {English}, urldate = {2020-07-08} } @online{codeandsec:20141002:finfisher:3b1d9c1, author = {CodeAndSec}, title = {{FinFisher Malware Analysis - Part 2}}, date = {2014-10-02}, organization = {CodeAndSec}, url = {https://www.codeandsec.com/FinFisher-Malware-Analysis-Part-2}, language = {English}, urldate = {2020-03-19} } @online{codercto:20181220:analysis:60da1aa, author = {Codercto}, title = {{Analysis of the attack activities of Hailian Lotus APT group against large domestic investment companies}}, date = {2018-12-20}, organization = {Codercto}, url = {https://www.codercto.com/a/46729.html}, language = {Chinese}, urldate = {2020-01-07} } @online{coding:20140801:soraya:4e51b2f, author = {{Coding and Security}}, title = {{Soraya Malware Analysis - Dropper}}, date = {2014-08-01}, organization = {Coding and Security}, url = 
{https://www.codeandsec.com/Soraya-Malware-Analysis-Dropper}, language = {English}, urldate = {2020-01-09} } @online{coding:20161203:sophisticated:af2cbb4, author = {{Coding and Security}}, title = {{"Sophisticated" and "Genius" Shamoon 2.0 Malware Analysis}}, date = {2016-12-03}, organization = {Coding and Security}, url = {https://www.codeandsec.com/Sophisticated-CyberWeapon-Shamoon-2-Malware-Analysis}, language = {English}, urldate = {2020-01-08} } @online{cofense:20170323:tales:cbdee9a, author = {Cofense}, title = {{Tales from the Trenches: Loki Bot Malware}}, date = {2017-03-23}, organization = {Cofense}, url = {https://phishme.com/loki-bot-malware/}, language = {English}, urldate = {2019-12-02} } @online{cofense:20190121:kutaki:3bff835, author = {Cofense}, title = {{The Kutaki Malware Bypasses Gateways to Steal Users’ Credentials}}, date = {2019-01-21}, organization = {Cofense}, url = {https://cofense.com/kutaki-malware-bypasses-gateways-steal-users-credentials/}, language = {English}, urldate = {2020-01-06} } @online{cofense:20201029:online:867b653, author = {Cofense}, title = {{Online Leader Invites You to This Webex Phish}}, date = {2020-10-29}, organization = {Cofense}, url = {https://cofense.com/online-leader-invites-you-to-this-webex-phish/}, language = {English}, urldate = {2020-11-02} } @online{cognizant:20200418:cognizant:0e20ac0, author = {Cognizant}, title = {{Cognizant Security Incident Update}}, date = {2020-04-18}, organization = {Cognizant}, url = {https://web.archive.org/web/https://news.cognizant.com/2020-04-18-cognizant-security-update}, language = {English}, urldate = {2020-04-20} } @techreport{cognizant:20200617:notice:37fe994, author = {Cognizant}, title = {{Notice of Data Breach}}, date = {2020-06-17}, institution = {Cognizant}, url = {https://oag.ca.gov/system/files/Letter%204.pdf}, language = {English}, urldate = {2020-06-18} } @online{cohen:20180521:decrypting:37d595c, author = {Itay Cohen}, title = {{Decrypting APT33’s Dropshot 
Malware with Radare2 and Cutter – Part 1}}, date = {2018-05-21}, organization = {MegaBeets}, url = {https://www.megabeets.net/decrypting-dropshot-with-radare2-and-cutter-part-1/}, language = {English}, urldate = {2019-07-10} } @online{cohen:20180629:backswap:1605a3d, author = {Ruby Cohen and Doron Voolf}, title = {{BackSwap Defrauds Online Banking Customers Using Hidden Input Fields}}, date = {2018-06-29}, organization = {F5}, url = {https://www.f5.com/labs/articles/threat-intelligence/backswap-defrauds-online-banking-customers-using-hidden-input-fi}, language = {English}, urldate = {2020-01-10} } @online{cohen:20180820:ryuk:5756495, author = {Itay Cohen and Ben Herzog}, title = {{Ryuk Ransomware: A Targeted Campaign Break-Down}}, date = {2018-08-20}, organization = {Check Point}, url = {https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/}, language = {English}, urldate = {2019-12-10} } @online{cohen:20181130:evolution:045e447, author = {Itay Cohen}, title = {{The Evolution of BackSwap}}, date = {2018-11-30}, organization = {Check Point}, url = {https://research.checkpoint.com/the-evolution-of-backswap/}, language = {English}, urldate = {2020-01-10} } @online{cohen:20190117:qealler:3db4f96, author = {David Cohen}, title = {{Qealler — The Silent Java Credential Thief}}, date = {2019-01-17}, organization = {CyberArk}, url = {https://www.cyberark.com/threat-research-blog/qealler-the-silent-java-credential-thief/}, language = {English}, urldate = {2020-05-18} } @online{cohen:20190424:deobfuscating:581c86e, author = {Itay Cohen}, title = {{Deobfuscating APT32 Flow Graphs with Cutter and Radare2}}, date = {2019-04-24}, organization = {Check Point Research}, url = {https://research.checkpoint.com/deobfuscating-apt32-flow-graphs-with-cutter-and-radare2/}, language = {English}, urldate = {2020-05-06} } @online{cohen:20201002:graphology:af4c7bd, author = {Itay Cohen and Eyal Itkin}, title = {{Graphology of an Exploit – Hunting for exploits by looking for 
the author’s fingerprints}}, date = {2020-10-02}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2020/graphology-of-an-exploit-volodya/}, language = {English}, urldate = {2020-10-06} } @online{cohen:20201026:exploit:9ec173c, author = {Itay Cohen and Eyal Itkin}, title = {{Exploit Developer Spotlight: The Story of PlayBit}}, date = {2020-10-26}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/}, language = {English}, urldate = {2020-10-27} } @online{cohen:20201217:sunburst:7931c48, author = {Itay Cohen}, title = {{Tweet on SUNBURST malware discussing some of its evasion techniques}}, date = {2020-12-17}, organization = {Twitter (@megabeets_)}, url = {https://twitter.com/megabeets_/status/1339308801112027138}, language = {English}, urldate = {2020-12-18} } @online{cohen:20210107:meet:9fbcca8, author = {Ben Cohen}, title = {{Meet Oski Stealer: An In-depth Analysis of the Popular Credential Stealer}}, date = {2021-01-07}, organization = {CyberArk}, url = {https://www.cyberark.com/resources/threat-research-blog/meet-oski-stealer-an-in-depth-analysis-of-the-popular-credential-stealer}, language = {English}, urldate = {2021-01-11} } @online{coldshell:20180828:walk:fb8dcc6, author = {Coldshell}, title = {{A walk through the AcridRain Stealer}}, date = {2018-08-28}, organization = {This is Security}, url = {https://thisissecurity.stormshield.com/2018/08/28/acridrain-stealer/}, language = {English}, urldate = {2020-01-07} } @online{coldshell:20190118:nymaim:1d2e6f9, author = {Coldshell}, title = {{Nymaim deobfuscation}}, date = {2019-01-18}, organization = {Github (coldshell)}, url = {https://github.com/coldshell/Malware-Scripts/tree/master/Nymaim}, language = {English}, urldate = {2020-01-10} } @online{cole:20200205:stomp:77ecf4b, author = {Rick Cole and Andrew Moore and Genevieve Stark and Blaine Stancill}, title = {{STOMP 2 DIS: Brilliance in the (Visual) Basics}}, date = 
{2020-02-05}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html}, language = {English}, urldate = {2020-02-09} } @online{conant:20180207:rat:5f1eba8, author = {Simon Conant}, title = {{RAT Trapped? LuminosityLink Falls Foul of Vermin Eradication Efforts}}, date = {2018-02-07}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/02/unit42-rat-trapped-luminositylink-falls-foul-vermin-eradication-efforts/}, language = {English}, urldate = {2019-12-20} } @techreport{condor:20201028:decade:b8d7422, author = {Ruben Andrei Condor}, title = {{A Decade of WMI Abuse – an Overview of Techniques in Modern Malware}}, date = {2020-10-28}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf}, language = {English}, urldate = {2020-11-02} } @techreport{consulting:20201020:incident:275ade2, author = {F-Secure Consulting}, title = {{Incident Readiness: Preparing a proactive response to attacks}}, date = {2020-10-20}, institution = {F-Secure}, url = {https://www.f-secure.com/content/dam/f-secure/en/consulting/our-thinking/collaterals/digital/f-secure-consulting-incident-readiness-proactive-response-guide-2020.pdf}, language = {English}, urldate = {2020-10-23} } @online{contextis:20191003:avivore:421fc23, author = {Contextis}, title = {{AVIVORE – Hunting Global Aerospace through the Supply Chain}}, date = {2019-10-03}, organization = {Contextis}, url = {https://www.contextis.com/de/blog/avivore}, language = {English}, urldate = {2020-01-09} } @online{coogan:20100204:spyeye:5c54efe, author = {Peter Coogan}, title = {{SpyEye Bot versus Zeus Bot}}, date = {2010-02-04}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot}, language = {English}, urldate = {2020-01-06} } @online{coogan:20100426:spyeyes:fb53c77, 
author = {Peter Coogan}, title = {{SpyEye’s "Kill Zeus" Bark is Worse Than its Bite}}, date = {2010-04-26}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/spyeye-s-kill-zeus-bark-worse-its-bite}, language = {English}, urldate = {2019-12-16} } @online{corera:20161010:how:29d38b3, author = {Gordon Corera}, title = {{How France's TV5 was almost destroyed by 'Russian hackers'}}, date = {2016-10-10}, organization = {BBC}, url = {https://www.bbc.com/news/technology-37590375}, language = {English}, urldate = {2020-01-09} } @online{cornateanu:20200303:extracting:a48a754, author = {Ryan Cornateanu}, title = {{Extracting Embedded Payloads From Malware}}, date = {2020-03-03}, url = {https://medium.com/@ryancor/extracting-embedded-payloads-from-malware-aaca8e9aa1a9}, language = {English}, urldate = {2020-03-04} } @online{cornateanu:20201123:genetic:cd446d2, author = {Ryan Cornateanu}, title = {{Genetic Analysis of CryptoWall Ransomware}}, date = {2020-11-23}, organization = {Medium ryancor}, url = {https://ryancor.medium.com/genetic-analysis-of-cryptowall-ransomware-843f86055c7f}, language = {English}, urldate = {2020-12-03} } @online{corp:20200416:taiwan:3029f53, author = {CyCraft Technology Corp}, title = {{Taiwan High-Tech Ecosystem Targeted by Foreign APT Group: Digital Skeleton Key Bypasses Security Measures}}, date = {2020-04-16}, organization = {Medium CyCraft}, url = {https://medium.com/cycraft/taiwan-high-tech-ecosystem-targeted-by-foreign-apt-group-5473d2ad8730}, language = {English}, urldate = {2020-11-04} } @online{corp:20201008:taiwan:3a6afa1, author = {CyCraft Technology Corp}, title = {{Taiwan Government Targeted by Multiple Cyberattacks in April 2020 Part 1: Waterbear Malware}}, date = {2020-10-08}, organization = {Medium CyCraft}, url = {https://medium.com/cycraft/taiwan-government-targeted-by-multiple-cyberattacks-in-april-2020-1980acde92b0}, language = {English}, urldate = {2020-10-23} } @online{corp:20201014:taiwan:7628b24, author 
= {CyCraft Technology Corp}, title = {{Taiwan Government Targeted by Multiple Cyberattacks in April 2020 Part 2: Owlproxy Malware}}, date = {2020-10-14}, organization = {Medium CyCraft}, url = {https://medium.com/cycraft/taiwan-government-targeted-by-multiple-cyberattacks-in-april-2020-3b20cea1dc20}, language = {English}, urldate = {2020-10-23} } @online{cortes:20171005:freemilk:1c7eb5d, author = {Juan Cortes and Esmid Idrizovic}, title = {{FreeMilk: A Highly Targeted Spear Phishing Campaign}}, date = {2017-10-05}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-freemilk-highly-targeted-spear-phishing-campaign/}, language = {English}, urldate = {2020-01-08} } @online{cortes:20171005:freemilk:a929f1b, author = {Juan Cortes and Esmid Idrizovic}, title = {{FreeMilk: A Highly Targeted Spear Phishing Campaign}}, date = {2017-10-05}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/}, language = {English}, urldate = {2019-12-20} } @online{costis:20200724:tau:2730a2c, author = {Andrew Costis}, title = {{TAU Threat Discovery: Cryptocurrency Clipper Malware Evolves}}, date = {2020-07-24}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/blog/tau-threat-discovery-cryptocurrency-clipper-malware-evolves/}, language = {English}, urldate = {2020-08-05} } @online{couchard:20200925:catching:f381664, author = {Guillaume Couchard and Qimin Wang and Thiam Loong Siew}, title = {{Catching Lazarus: Threat Intelligence to Real Detection Logic - Part One}}, date = {2020-09-25}, organization = {F-Secure Labs}, url = {https://labs.f-secure.com/blog/catching-lazarus-threat-intelligence-to-real-detection-logic}, language = {English}, urldate = {2020-10-05} } @online{couchard:20201023:catching:5788228, author = {Guillaume Couchard and Qimin Wang and Thiam Loong Siew}, title = {{Catching Lazarus: Threat Intelligence 
to Real Detection Logic - Part Two}}, date = {2020-10-23}, organization = {F-Secure Labs}, url = {https://labs.f-secure.com/blog/catching-lazarus-threat-intelligence-to-real-detection-logic-part-two}, language = {English}, urldate = {2020-10-26} } @online{coveware:20190129:phobos:8423f74, author = {CoveWare}, title = {{Phobos Ransomware, A Combo of CrySiS and Dharma}}, date = {2019-01-29}, organization = {CoveWare}, url = {https://www.coveware.com/blog/phobos-ransomware-distributed-dharma-crew}, language = {English}, urldate = {2020-01-08} } @online{cowman:20191218:understanding:d629d14, author = {Pete Cowman}, title = {{Understanding Ransomware Series: Detecting Sodin}}, date = {2019-12-18}, organization = {Hatching.io}, url = {https://hatching.io/blog/ransomware-part2}, language = {English}, urldate = {2020-01-08} } @online{cowman:20200827:smokeloader:6b86b56, author = {Pete Cowman}, title = {{Smokeloader Analysis and More Family Detections}}, date = {2020-08-27}, organization = {Hatching.io}, url = {https://hatching.io/blog/tt-2020-08-27/}, language = {English}, urldate = {2020-09-03} } @online{creaktive:20180521:tiny:13fd580, author = {creaktive}, title = {{Tiny SHell}}, date = {2018-05-21}, organization = {Github (creaktive)}, url = {https://github.com/creaktive/tsh}, language = {English}, urldate = {2020-01-10} } @online{creus:20160926:sofacys:2c11dc9, author = {Dani Creus and Tyler Halfpop and Robert Falcone}, title = {{Sofacy’s ‘Komplex’ OS X Trojan}}, date = {2016-09-26}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacy-komplex-os-x-trojan/}, language = {English}, urldate = {2019-12-20} } @online{creus:20160926:sofacys:6ddbb81, author = {Dani Creus and Tyler Halfpop and Robert Falcone}, title = {{Sofacy’s ‘Komplex’ OS X Trojan}}, date = {2016-09-26}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-sofacys-komplex-os-x-trojan/}, language = 
{English}, urldate = {2020-01-13} } @online{crook:20200622:dynamic:47a0942, author = {Jack Crook}, title = {{Dynamic Correlation, ML and Hunting}}, date = {2020-06-22}, organization = {FindingBad Blogspot}, url = {http://findingbad.blogspot.com/2020/06/dynamic-correlation-ml-and-hunting.html}, language = {English}, urldate = {2020-06-23} } @techreport{crowdstrike:20150206:crowdstrike:fbcc37f, author = {CrowdStrike}, title = {{CrowdStrike Global Threat Intel Report 2014}}, date = {2015-02-06}, institution = {CrowdStrike}, url = {https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf}, language = {English}, urldate = {2020-05-11} } @techreport{crowdstrike:20150210:global:da4da20, author = {CrowdStrike}, title = {{Global Threat Intel Report}}, date = {2015-02-10}, institution = {CrowdStrike}, url = {http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf}, language = {English}, urldate = {2020-01-09} } @techreport{crowdstrike:2018:2018:5ba6206, author = {CrowdStrike}, title = {{2018 Global Threat Report}}, date = {2018}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2018GlobalThreatReport.pdf}, language = {English}, urldate = {2019-12-17} } @online{crowdstrike:2019:2019:2c268c8, author = {CrowdStrike}, title = {{2019 CrowdStrike Global Threat Report}}, date = {2019}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/}, language = {English}, urldate = {2020-07-16} } @techreport{crowdstrike:2019:2019:4e50c97, author = {CrowdStrike}, title = {{2019 CrowdStrike Global Threat Report}}, date = {2019}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2019GlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-15} } @techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 
CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } @techreport{crowdstrike:20200610:csit20081:a09522b, author = {CrowdStrike}, title = {{CSIT-20081 : Technical Analysis Of The Netwalker Ransomware}}, date = {2020-06-10}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/ReportCSIT-20081e.pdf}, language = {English}, urldate = {2020-07-23} } @online{crowdstrike:2020:2019:f849658, author = {CrowdStrike}, title = {{2019 Crowdstrike Global Threat Report}}, date = {2020}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report}, language = {English}, urldate = {2020-07-23} } @online{cryptolaemus:20180912:emotet:013e01b, author = {Cryptolaemus}, title = {{Emotet IOC}}, date = {2018-09-12}, organization = {Cryptolaemus Pastedump}, url = {https://paste.cryptolaemus.com}, language = {English}, urldate = {2020-01-13} } @online{cryptome:20121125:parastoo:b652ed3, author = {Cryptome}, title = {{Parastoo Hacks IAEA}}, date = {2012-11-25}, organization = {Cryptome}, url = {https://cryptome.org/2012/11/parastoo-hacks-iaea.htm}, language = {English}, urldate = {2020-01-06} } @online{csirt:20201029:list:5fb0206, author = {Swisscom CSIRT}, title = {{List of CobaltStrike C2's used by RYUK}}, date = {2020-10-29}, organization = {Github (Swisscom)}, url = {https://github.com/swisscom/detections/blob/main/RYUK/cobaltstrike_c2s.txt}, language = {English}, urldate = {2020-11-02} } @techreport{csis:2012:w32tinba:542635f, author = {Peter Kruse (CSIS) and Feike Hacquebord (Trend Micro) and Robert McArdle (Trend Micro)}, title = {{W32.Tinba (Tinybanker) The Turkish Incident}}, date = {2012}, institution = {CSIS Trend Micro}, url = 
{http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_w32-tinba-tinybanker.pdf}, language = {English}, urldate = {2019-12-24} } @techreport{csis:20200110:threat:7454f36, author = {CSIS}, title = {{Threat Matrix H1 2019}}, date = {2020-01-10}, institution = {CSIS}, url = {https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf}, language = {English}, urldate = {2020-01-22} } @online{ctu:20150730:sakula:8025917, author = {Dell Secureworks CTU}, title = {{Sakula Malware Family}}, date = {2015-07-30}, organization = {Secureworks}, url = {https://www.secureworks.com/research/sakula-malware-family}, language = {English}, urldate = {2020-01-06} } @online{cucci:20200419:reversing:4523233, author = {Kyle Cucci}, title = {{Reversing Ryuk: A Technical Analysis of Ryuk Ransomware}}, date = {2020-04-19}, organization = {SecurityLiterate}, url = {https://securityliterate.com/reversing-ryuk-a-technical-analysis-of-ryuk-ransomware/}, language = {English}, urldate = {2020-08-13} } @online{cucci:20200819:chantays:3998ebb, author = {Kyle Cucci}, title = {{Chantay’s Resume: Investigating a CV-Themed ZLoader Malware}}, date = {2020-08-19}, organization = {SecurityLiterate}, url = {https://securityliterate.com/chantays-resume-investigating-a-cv-themed-zloader-malware-campaign/}, language = {English}, urldate = {2020-09-01} } @online{cummings:20191217:incident:44acf5c, author = {JJ Cummings and Dave Liebenberg}, title = {{Incident Response lessons from recent Maze ransomware attacks}}, date = {2019-12-17}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2019/12/IR-Lessons-Maze.html}, language = {English}, urldate = {2020-01-09} } @online{curtis:20201019:revisited:df05745, author = {Curtis}, title = {{Revisited: Fancy Bear's New Faces...and Sandworms' too}}, date = {2020-10-19}, organization = {Riskint Blog}, url = 
{https://www.riskint.blog/post/revisited-fancy-bear-s-new-faces-and-sandworms-too}, language = {English}, urldate = {2020-10-23} } @online{cutler:20190515:winnti:269a852, author = {Silas Cutler and Juan Andrés Guerrero-Saade}, title = {{Winnti: More than just Windows and Gates}}, date = {2019-05-15}, organization = {Chronicle}, url = {https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a}, language = {English}, urldate = {2019-10-14} } @online{cutler:20191116:fresh:871567d, author = {Silas Cutler}, title = {{Fresh PlugX October 2019}}, date = {2019-11-16}, organization = {Silas Cutler's Blog}, url = {https://silascutler.blogspot.com/2019/11/fresh-plugx-october-2019.html}, language = {English}, urldate = {2020-01-07} } @online{cyber:20190328:unleash:f5f7048, author = {Skylight Cyber}, title = {{Unleash The Hash - ShadowHammer MAC Address List}}, date = {2019-03-28}, organization = {Skylight Cyber}, url = {https://skylightcyber.com/2019/03/28/unleash-the-hash-shadowhammer-mac-list/}, language = {English}, urldate = {2019-10-23} } @online{cyber:20200611:snowstorm:7112209, author = {MDR Cyber}, title = {{SNOWSTORM: Hacker-for-hire and physical surveillance targeted financial analyst}}, date = {2020-06-11}, organization = {Mishcon de Reya}, url = {https://www.mishcon.com/news/snowstorm-hacker-for-hire-and-physical-surveillance-targeted-financial-analyst}, language = {English}, urldate = {2020-06-12} } @techreport{cyberark:20200224:analyzing:57cc981, author = {CyberArk}, title = {{Analyzing the Raccoon Stealer}}, date = {2020-02-24}, institution = {CyberArk}, url = {https://lp.cyberark.com/rs/316-CZP-275/images/CyberArk-Labs-Racoon-Malware-wp.pdf}, language = {English}, urldate = {2020-04-15} } @techreport{cyberint:2019:legit:9925ea3, author = {CyberInt}, title = {{Legit Remote Admin Tools Turn into Threat Actors' Tools}}, date = {2019}, institution = {CyberInt}, url = 
{https://e.cyberint.com/hubfs/Report%20Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors%20Tools/CyberInt_Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors'%20Tools_Report.pdf}, language = {English}, urldate = {2019-12-19} } @online{cyberint:20201105:cerberus:c5716d3, author = {CyberInt}, title = {{Cerberus is Dead, Long Live Cerberus?}}, date = {2020-11-05}, organization = {CyberInt}, url = {https://blog.cyberint.com/cerberus-is-dead-long-live-cerberus}, language = {English}, urldate = {2020-11-19} } @online{cyberint:20201210:ryuk:e74b8f6, author = {CyberInt}, title = {{Ryuk Crypto-Ransomware}}, date = {2020-12-10}, organization = {CyberInt}, url = {https://blog.cyberint.com/ryuk-crypto-ransomware}, language = {English}, urldate = {2020-12-14} } @online{cybermalveillance:20191106:outil:dfa36a5, author = {Cybermalveillance}, title = {{Outil de déchiffrement du rançongiciel (ransomware) PyLocky versions 1 et 2}}, date = {2019-11-06}, organization = {Cybermalveillance}, url = {https://www.cybermalveillance.gouv.fr/nos-articles/outil-dechiffrement-rancongiciel-ransomware-pylocky-v1-2/}, language = {French}, urldate = {2019-12-18} } @online{cybermasterv:20201127:dissecting:23d6915, author = {CyberMasterV}, title = {{Dissecting APT21 samples using a step-by-step approach}}, date = {2020-11-27}, organization = {CYBER GEEKS All Things Infosec}, url = {https://cybergeeks.tech/dissecting-apt21-samples-using-a-step-by-step-approach/}, language = {English}, urldate = {2020-12-08} } @online{cybermasterv:20201226:analyzing:b94f52e, author = {CyberMasterV}, title = {{Analyzing APT19 malware using a step-by-step method}}, date = {2020-12-26}, organization = {CYBER GEEKS All Things Infosec}, url = {https://cybergeeks.tech/analyzing-apt19-malware-using-a-step-by-step-method/}, language = {English}, urldate = {2021-01-01} } @online{cybersecurity:201606:operation:eb6c3d9, author = {ClearSky Cybersecurity}, title = {{Operation DustySky Part 2}}, date = 
{2016-06}, organization = {clearskysec}, url = {https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain}, internal-note = {url is a Europol news item and does not match the ClearSky DustySky title; verify the source link}, language = {English}, urldate = {2019-12-24} } @techreport{cybersecurity:20170210:ar1720045:43c91fd, author = {{National Cybersecurity and Communications Integration Center}}, title = {{AR-17-20045 - Enhanced Analysis of GRIZZLY STEPPE Activity}}, date = {2017-02-10}, institution = {Department of Homeland Security}, url = {https://www.us-cert.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf}, language = {English}, urldate = {2019-11-05} } @online{cybersecurity:20180720:alert:89ca0c7, author = {{National Cybersecurity and Communications Integration Center}}, title = {{Alert (TA18-201A) Emotet Malware}}, date = {2018-07-20}, organization = {NCCIC}, url = {https://www.us-cert.gov/ncas/alerts/TA18-201A}, language = {English}, urldate = {2019-10-27} } @online{cyberthreat:20200501:chin:3a4fb89, author = {Cyberthreat}, title = {{Chiến dịch của nhóm APT Trung Quốc Goblin Panda tấn công vào Việt Nam lợi dụng đại dịch Covid-19 (phần 1)}}, date = {2020-05-01}, organization = {Viettel Cybersecurity}, url = {https://blog.viettelcybersecurity.com/p1-chien-dich-cua-nhom-apt-trung-quoc-goblin-panda-tan-cong-vao-viet-nam-loi-dung-dai-dich-covid-19/}, language = {Vietnamese}, urldate = {2020-09-09} } @online{cyberthreatinsider:20200820:global:34ee2ea, author = {cyberthreatinsider}, title = {{Global Ransomware Attacks in 2020: The Top 4 Vulnerabilities}}, date = {2020-08-20}, organization = {sensecy}, url = {https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/}, language = {English}, urldate = {2020-11-04} } @online{cyberx:20170128:radiation:141e735, author = {CyberX}, title = {{Radiation Report}}, date = {2017-01-28}, organization = {CyberX}, url = {http://get.cyberx-labs.com/radiation-report}, language = {English}, urldate = 
{2020-01-13} } @online{cyble:20201117:oceanlotus:d33eb97, author = {Cyble}, title = {{OceanLotus Continues With Its Cyber Espionage Operations}}, date = {2020-11-17}, organization = {cyble}, url = {https://cybleinc.com/2020/11/17/oceanlotus-continues-with-its-cyber-espionage-operations/}, language = {English}, urldate = {2020-11-18} } @online{cybleinc:20201231:strongpity:bb6ab94, author = {cybleinc}, title = {{StrongPity APT Extends Global Reach with New Infrastructure}}, date = {2020-12-31}, organization = {cyble}, url = {https://cybleinc.com/2020/12/31/strongpity-apt-extends-global-reach-with-new-infrastructure/}, language = {English}, urldate = {2021-01-04} } @techreport{cylance:20160406:operation:d4da7b5, author = {Cylance}, title = {{Operation Cleaver}}, date = {2016-04-06}, institution = {Cylance}, url = {https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf}, language = {English}, urldate = {2020-01-10} } @techreport{cylance:20181102:spyrats:67888b3, author = {Cylance}, title = {{The SpyRATs of OceanLotus}}, date = {2018-11-02}, institution = {Cylance}, url = {https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/SpyRATsofOceanLotusMalwareWhitePaper.pdf}, language = {English}, urldate = {2020-01-10} } @techreport{cymmetria:2016:unveiling:da4224b, author = {Cymmetria}, title = {{Unveiling Patchwork: The Copy-Paste APT}}, date = {2016}, institution = {Cymmetria}, url = {https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf}, language = {English}, urldate = {2020-01-06} } @online{cymmetria:20170919:unveiling:e67fe90, author = {Cymmetria}, title = {{Unveiling Patchwork – a targeted attack caught with cyber deception}}, date = {2017-09-19}, organization = {Cymmetria}, url = {https://www.cymmetria.com/patchwork-targeted-attack/}, language = {English}, urldate = {2019-12-18} } @online{cymru:20190725:unmasking:91638f6, author = {Team 
Cymru}, title = {{Unmasking AVE_MARIA}}, date = {2019-07-25}, organization = {Team Cymru}, url = {https://blog.team-cymru.com/2019/07/25/unmasking-ave_maria/}, language = {English}, urldate = {2020-01-08} } @online{cymru:20200219:azorult:de72301, author = {Team Cymru}, title = {{Azorult – what we see using our own tools}}, date = {2020-02-19}, organization = {Team Cymru}, url = {https://blog.team-cymru.com/2020/02/19/azorult-what-we-see-using-our-own-tools/}, language = {English}, urldate = {2020-02-26} } @online{cymru:20200325:how:b1d8c31, author = {Team Cymru}, title = {{How the Iranian Cyber Security Agency Detects Emissary Panda Malware}}, date = {2020-03-25}, organization = {Team Cymru}, url = {https://team-cymru.com/2020/03/25/how-the-iranian-cyber-security-agency-detects-emissary-panda-malware/}, language = {English}, urldate = {2020-07-13} } @online{cyrus:20190424:introducing:f1d4536, author = {Richie Cyrus}, title = {{Introducing Venator: A macOS tool for proactive detection}}, date = {2019-04-24}, organization = {SpecterOps}, url = {https://posts.specterops.io/introducing-venator-a-macos-tool-for-proactive-detection-34055a017e56}, language = {English}, urldate = {2020-01-07} } @online{czy:20200715:indepth:9a7c4dd, author = {Bartlomiej Czyż}, title = {{An in-depth analysis of SpyNote remote access trojan}}, date = {2020-07-15}, organization = {Relativity}, url = {https://bulldogjob.pl/articles/1200-an-in-depth-analysis-of-spynote-remote-access-trojan}, language = {English}, urldate = {2020-11-06} } @techreport{d00rt:20180706:lokibot:6508667, author = {d00rt}, title = {{LokiBot Infostealer Hijacked Version}}, date = {2018-07-06}, institution = {Github (d00rt)}, url = {https://github.com/d00rt/hijacked_lokibot_version/blob/master/doc/LokiBot_hijacked_2018.pdf}, language = {English}, urldate = {2020-01-10} } @online{d00rt:20190105:emotet:8dee25a, author = {d00rt}, title = {{Emotet Research}}, date = {2019-01-05}, organization = {Github (d00rt)}, url = 
{https://github.com/d00rt/emotet_research}, language = {English}, urldate = {2020-01-10} } @online{d00rtrm:2019:emutet:8913da8, author = {D00RT_RM}, title = {{Emutet}}, date = {2019}, url = {https://d00rt.github.io/emotet_network_protocol/}, language = {English}, urldate = {2020-01-07} } @online{d:20151019:github:b15ea7e, author = {Anderson D}, title = {{Github Repository for AllaKore}}, date = {2015-10-19}, organization = {Github (Anderson-D)}, url = {https://github.com/Anderson-D/AllaKore}, language = {English}, urldate = {2020-01-08} } @online{daavid:20140623:havex:21f2ca4, author = {Daavid}, title = {{Havex Hunts For ICS/SCADA Systems}}, date = {2014-06-23}, organization = {F-Secure}, url = {https://www.f-secure.com/weblog/archives/00002718.html}, language = {English}, urldate = {2020-01-09} } @online{dahan:20170425:shadowwali:565d1c1, author = {Assaf Dahan}, title = {{ShadowWali: New variant of the xxmm family of backdoors}}, date = {2017-04-25}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/labs-shadowwali-new-variant-of-the-xxmm-family-of-backdoors}, language = {English}, urldate = {2020-02-11} } @online{dahan:20170524:operation:d79be79, author = {Assaf Dahan}, title = {{Operation Cobalt Kitty: A large-scale APT in Asia carried out by the OceanLotus Group}}, date = {2017-05-24}, organization = {Cybereason}, url = {https://www.cybereason.com/labs-operation-cobalt-kitty-a-large-scale-apt-in-asia-carried-out-by-the-oceanlotus-group/}, language = {English}, urldate = {2020-01-09} } @online{dahan:20181003:new:5f6c0b5, author = {Assaf Dahan}, title = {{New Betabot campaign under the microscope}}, date = {2018-10-03}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/betabot-banking-trojan-neurevt}, language = {English}, urldate = {2020-01-06} } @online{dahan:20190312:new:a435b52, author = {Assaf Dahan and Cybereason Nocturnus}, title = {{New Ursnif Variant targets Japan packed with new Features}}, date = {2019-03-12}, 
organization = {Cybereason}, url = {https://www.cybereason.com/blog/new-ursnif-variant-targets-japan-packed-with-new-features}, language = {English}, urldate = {2019-11-28} } @online{dahan:20191120:phoenix:9c5d752, author = {Assaf Dahan}, title = {{Phoenix: The Tale of the Resurrected Keylogger}}, date = {2019-11-20}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/phoenix-the-tale-of-the-resurrected-alpha-keylogger}, language = {English}, urldate = {2020-02-11} } @online{dahan:20191211:dropping:0849f70, author = {Assaf Dahan and Lior Rochberger and Eli Salem and Mary Zhao and Niv Yona and Omer Yampel and Matt Hart}, title = {{Dropping Anchor: From a TrickBot Infection to the Discovery of the Anchor Malware}}, date = {2019-12-11}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware}, language = {English}, urldate = {2020-01-06} } @online{dahan:20201102:back:64a6991, author = {Assaf Dahan and Lior Rochberger and Daniel Frank and Tom Fakterman}, title = {{Back to the Future: Inside the Kimsuky KGH Spyware Suite}}, date = {2020-11-02}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite}, language = {English}, urldate = {2020-11-02} } @online{dahl:20130503:department:8be1534, author = {Matt Dahl}, title = {{Department of Labor Strategic Web Compromise}}, date = {2013-05-03}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/department-labor-strategic-web-compromise/}, language = {English}, urldate = {2019-12-20} } @online{dahl:20131010:regional:120d284, author = {Matt Dahl}, title = {{Regional Conflict and Cyber Blowback}}, date = {2013-10-10}, organization = {CrowdStrike}, url = {https://web.archive.org/web/20160315044507/https://www.crowdstrike.com/blog/regional-conflict-and-cyber-blowback/}, language = {English}, urldate = {2020-05-18} } 
@online{dahl:20140513:cat:e5c45ff, author = {Matt Dahl}, title = {{Cat Scratch Fever: CrowdStrike Tracks Newly Reported Iranian Actor as FLYING KITTEN}}, date = {2014-05-13}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten/}, language = {English}, urldate = {2019-12-20} } @online{dahl:20141124:i:38a6ade, author = {Matt Dahl}, title = {{I am Ironman: DEEP PANDA Uses Sakula Malware to Target Organizations in Multiple Sectors}}, date = {2014-11-24}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/ironman-deep-panda-uses-sakula-malware-target-organizations-multiple-sectors/}, language = {English}, urldate = {2019-12-20} } @online{dahl:20190125:widespread:48d15a3, author = {Matt Dahl}, title = {{Widespread DNS Hijacking Activity Targets Multiple Sectors}}, date = {2019-01-25}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/widespread-dns-hijacking-activity-targets-multiple-sectors/}, language = {English}, urldate = {2019-12-20} } @online{dahl:20200601:malware:aa6f2ab, author = {Matt Dahl}, title = {{Tweet on malware called knspy used by Donot}}, date = {2020-06-01}, organization = {Twitter (@voodoodahl1)}, url = {https://twitter.com/voodoodahl1/status/1267571622732578816}, language = {English}, urldate = {2020-06-04} } @online{dahms:20140602:molerats:8b00d0d, author = {Timothy Dahms}, title = {{Molerats, Here for Spring!}}, date = {2014-06-02}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2014/06/molerats-here-for-spring.html}, language = {English}, urldate = {2019-12-20} } @online{dallas:20190326:babylon:32e6481, author = {Korben Dallas}, title = {{Tweet on Babylon RAT IOCs}}, date = {2019-03-26}, organization = {Twitter (@KorbenD_Intel)}, url = {https://twitter.com/KorbenD_Intel/status/1110654679980085262}, language = {English}, urldate = {2020-01-13} } @online{dan:20180208:merlin:cfc9e6b, 
author = {Action Dan}, title = {{Merlin for Red Teams}}, date = {2018-02-08}, organization = {Lockboxx}, url = {http://lockboxx.blogspot.com/2018/02/merlin-for-red-teams.html}, language = {English}, urldate = {2020-01-09} } @online{danchev:20080610:whos:504e579, author = {Dancho Danchev}, title = {{Who's behind the GPcode ransomware?}}, date = {2008-06-10}, organization = {ZDNet}, url = {http://www.zdnet.com/article/whos-behind-the-gpcode-ransomware/}, language = {English}, urldate = {2019-12-18} } @online{danchev:20120928:dissecting:1ee1a3f, author = {Dancho Danchev}, title = {{Dissecting 'Operation Ababil' - an OSINT Analysis}}, date = {2012-09-28}, organization = {Dancho Danchev's Blog}, url = {http://ddanchev.blogspot.com.es/2012/09/dissecting-operation-ababil-osint.html}, language = {English}, urldate = {2020-01-10} } @online{dangu:20180123:uncovering:a3ba605, author = {Jerome Dangu}, title = {{Uncovering 2017’s Largest Malvertising Operation}}, date = {2018-01-23}, organization = {Confiant}, url = {https://blog.confiant.com/uncovering-2017s-largest-malvertising-operation-b84cd38d6b85}, language = {English}, urldate = {2019-12-24} } @online{dangu:20180305:zirconium:06d9e29, author = {Jerome Dangu}, title = {{Zirconium was one step ahead of Chrome’s redirect blocker with 0-day}}, date = {2018-03-05}, organization = {Confiant}, url = {https://blog.confiant.com/zirconium-was-one-step-ahead-of-chromes-redirect-blocker-with-0-day-2d61802efd0d}, language = {English}, urldate = {2020-01-09} } @online{dannythesloth:20190608:vanilla:bcf3518, author = {DannyTheSloth}, title = {{Vanilla RAT}}, date = {2019-06-08}, organization = {Github (DannyTheSloth)}, url = {https://github.com/DannyTheSloth/VanillaRAT}, language = {English}, urldate = {2020-01-13} } @techreport{dantzig:20191219:operation:96804be, author = {Maarten van Dantzig and Erik Schamper}, title = {{Operation Wocao: Shining a light on one of China’s hidden hacking groups}}, date = {2019-12-19}, institution = 
{Fox-IT}, url = {https://resources.fox-it.com/rs/170-CAK-271/images/201912_Report_Operation_Wocao.pdf}, language = {English}, urldate = {2020-01-13} } @online{dart:20201221:advice:dd08ada, author = {{Detection and Response Team (DART)}}, title = {{Advice for incident responders on recovery from systemic identity compromises}}, date = {2020-12-21}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/12/21/advice-for-incident-responders-on-recovery-from-systemic-identity-compromises/}, language = {English}, urldate = {2020-12-23} } @online{data:20140228:uroburos:f6fdb48, author = {G Data}, title = {{Uroburos - highly complex espionage software with Russian roots}}, date = {2014-02-28}, organization = {G Data Blog}, url = {https://www.gdatasoftware.com/blog/2014/02/23968-uroburos-highly-complex-espionage-software-with-russian-roots}, language = {English}, urldate = {2019-11-28} } @online{data:20140307:uroburos:22ddc69, author = {G Data}, title = {{Uroburos – Deeper travel into kernel protection mitigation}}, date = {2014-03-07}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2014/03/23966-uroburos-deeper-travel-into-kernel-protection-mitigation}, language = {English}, urldate = {2019-11-23} } @online{data:20140513:uroburos:a8b1175, author = {G Data}, title = {{Uroburos rootkit: Belgian Foreign Ministry stricken}}, date = {2014-05-13}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2014/05/23958-uroburos-rootkit-belgian-foreign-ministry-stricken}, language = {English}, urldate = {2019-10-27} } @online{data:20140602:analysis:1038a5f, author = {G Data}, title = {{Analysis of Uroburos, using WinDbg}}, date = {2014-06-02}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2014/06/23953-analysis-of-uroburos-using-windbg}, language = {English}, urldate = {2020-01-09} } @online{data:20140731:poweliks:250c05f, author = {G Data}, title = {{Poweliks: the persistent malware without a file}}, date = 
{2014-07-31}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2014/07/23947-poweliks-the-persistent-malware-without-a-file}, language = {English}, urldate = {2020-01-10} } @online{data:20141030:com:0da80b3, author = {G Data}, title = {{COM Object hijacking: the discreet way of persistence}}, date = {2014-10-30}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence}, language = {English}, urldate = {2020-01-07} } @techreport{data:20141031:operation:9205b87, author = {G Data}, title = {{OPERATION “TOOHASH”: HOW TARGETED ATTACKS WORK}}, date = {2014-10-31}, institution = {G Data}, url = {https://public.gdatasoftware.com/Presse/Publikationen/Whitepaper/EN/GDATA_TooHash_CaseStudy_102014_EN_v1.pdf}, language = {English}, urldate = {2020-01-08} } @online{data:20141111:uroburos:8dce097, author = {G Data}, title = {{The Uroburos case: new sophisticated RAT identified}}, date = {2014-11-11}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified}, language = {English}, urldate = {2020-01-08} } @online{data:20150115:weiterentwicklung:a65efbe, author = {G Data}, title = {{Weiterentwicklung anspruchsvoller Spyware: von Agent.BTZ zu ComRAT}}, date = {2015-01-15}, organization = {G Data}, url = {https://blog.gdata.de/2015/01/23779-weiterentwicklung-anspruchsvoller-spyware-von-agent-btz-zu-comrat}, language = {Deutsch}, urldate = {2020-01-08} } @online{data:20150120:analysis:2fe6cf2, author = {G Data}, title = {{Analysis of Project Cobra}}, date = {2015-01-20}, organization = {G Data}, url = {https://blog.gdatasoftware.com/2015/01/23926-analysis-of-project-cobra}, language = {English}, urldate = {2020-01-05} } @online{data:20150218:babar:24e6c08, author = {G Data}, title = {{Babar: espionage software finally found and put under the microscope}}, date = {2015-02-18}, organization = {G Data}, url = 
{https://www.gdatasoftware.com/blog/2015/02/24270-babar-espionage-software-finally-found-and-put-under-the-microscope}, language = {English}, urldate = {2019-12-02} } @online{data:20160411:manamecrypt:06eda37, author = {G Data}, title = {{Manamecrypt – a ransomware that takes a different route}}, date = {2016-04-11}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2016/04/28234-manamecrypt-a-ransomware-that-takes-a-different-route}, language = {English}, urldate = {2020-01-08} } @online{data:20161123:analysis:0bbfdb9, author = {G Data}, title = {{Analysis: Ursnif - spying on your data since 2007}}, date = {2016-11-23}, organization = {G Data}, url = {https://blog.gdatasoftware.com/2016/11/29325-analysis-ursnif-spying-on-your-data-since-2007}, language = {English}, urldate = {2020-01-10} } @online{data:20170512:warning:162cfc4, author = {G Data}, title = {{Warning: Massive "WannaCry" Ransomware campaign launched}}, date = {2017-05-12}, organization = {G Data}, url = {https://blog.gdatasoftware.com/2017/05/29751-wannacry-ransomware-campaign}, language = {English}, urldate = {2020-01-13} } @online{data:20170703:who:7b53706, author = {G Data}, title = {{Who is behind Petna?}}, date = {2017-07-03}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2017/07/29859-who-is-behind-petna}, language = {English}, urldate = {2020-01-08} } @online{data:20170711:ordinypt:a3f61cf, author = {G Data}, title = {{Ordinypt hat es auf Benutzer aus Deutschland abgesehen}}, date = {2017-07-11}, organization = {G Data}, url = {https://www.gdata.de/blog/2017/11/30151-ordinypt}, language = {Deutsch}, urldate = {2020-01-08} } @online{data:20170720:rurktar:fa8bc7e, author = {G Data}, title = {{Rurktar - Spyware under Construction}}, date = {2017-07-20}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2017/07/29896-rurktar-spyware-under-construction}, language = {English}, urldate = {2020-01-09} } @online{data:20171012:emotet:c99dec0, author 
= {G Data}, title = {{Emotet beutet Outlook aus}}, date = {2017-10-12}, organization = {G Data}, url = {https://www.gdata.de/blog/2017/10/30110-emotet-beutet-outlook-aus}, language = {Deutsch}, urldate = {2019-12-05} } @online{data:20191121:new:cbeb2e4, author = {G Data}, title = {{New SectopRAT: Remote access malware utilizes second desktop to control browsers}}, date = {2019-11-21}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2019/11/35548-new-sectoprat-remote-access-malware-utilizes-second-desktop-to-control-browsers}, language = {English}, urldate = {2020-01-10} } @online{data:20200630:ransomware:3f071e1, author = {G Data}, title = {{Ransomware on the Rise: Buran’s transformation into Zeppelin}}, date = {2020-06-30}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2020/06/35946-burans-transformation-into-zeppelin}, language = {English}, urldate = {2020-07-02} } @online{davenport:20141218:keypoint:4c1fd04, author = {Christian Davenport}, title = {{KeyPoint network breach could affect thousands of federal workers}}, date = {2014-12-18}, organization = {The Washington Post}, url = {https://www.washingtonpost.com/business/economy/keypoint-suffers-network-breach-thousands-of-fed-workers-could-be-affected/2014/12/18/e6c7146c-86e1-11e4-a702-fa31ff4ae98e_story.html}, language = {English}, urldate = {2020-01-13} } @online{davila:20200518:eleethub:d605473, author = {Asher Davila and Yang Ji}, title = {{Eleethub: A Cryptocurrency Mining Botnet with Rootkit for Self-Hiding}}, date = {2020-05-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/los-zetas-from-eleethub-botnet/}, language = {English}, urldate = {2020-05-20} } @online{davis:20170921:apt33:52822d2, author = {Stuart Davis and Nick Carr}, title = {{APT33: New Insights into Iranian Cyber Espionage Group}}, date = {2017-09-21}, organization = {FireEye}, url = {https://www.brighttalk.com/webcast/10703/275683}, language = {English}, 
urldate = {2019-12-20} } @online{davis:20180529:mexico:d40bc2d, author = {Michelle Davis}, title = {{Mexico Foiled a $110 Million Bank Heist, Then Kept It a Secret}}, date = {2018-05-29}, organization = {Bloomberg}, url = {https://www.bloomberg.com/news/articles/2018-05-29/mexico-foiled-a-110-million-bank-heist-then-kept-it-a-secret}, language = {English}, urldate = {2020-01-07} } @online{davison:20170804:smoke:06d64d3, author = {Jason Davison}, title = {{Smoke Loader Adds Additional Obfuscation Methods to Mitigate Analysis}}, date = {2017-08-04}, organization = {PhishLabs}, url = {https://info.phishlabs.com/blog/smoke-loader-adds-additional-obfuscation-methods-to-mitigate-analysis}, language = {English}, urldate = {2020-01-08} } @online{davison:20180321:trickbot:1f0576e, author = {Jason Davison}, title = {{TrickBot Banking Trojan Adapts with New Module}}, date = {2018-03-21}, organization = {Webroot}, url = {https://www.webroot.com/blog/2018/03/21/trickbot-banking-trojan-adapts-new-module/}, language = {English}, urldate = {2020-01-13} } @online{dcso:20190314:pegasusbuhtrap:2e48e0e, author = {DCSO}, title = {{Pegasus/Buhtrap analysis of the malware stage based on the leaked source code}}, date = {2019-03-14}, organization = {DCSO}, url = {https://blog.dcso.de/pegasus-buhtrap-analysis-of-the-malware-stage-based-on-the-leaked-source-code/}, language = {English}, urldate = {2020-01-07} } @online{dcso:20190318:enterprise:ff92a62, author = {DCSO}, title = {{Enterprise Malware-as-a-Service: Lazarus Group and the Evolution of Ransomware}}, date = {2019-03-18}, organization = {DCSO}, url = {https://blog.dcso.de/enterprise-malware-as-a-service/}, language = {English}, urldate = {2020-01-06} } @online{dcso:20200116:curious:15c5610, author = {DCSO}, title = {{A Curious Case of CVE-2019-19781 Palware: remove_bds}}, date = {2020-01-16}, organization = {DCSO}, url = {https://blog.dcso.de/a-curious-case-of-cve-2019-19781-palware-remove_bds/}, language = {English}, urldate = 
{2020-01-17} } @online{ddash:20201112:lootwodniw:03198af, author = {ddash}, title = {{Tweet on Lootwodniw}}, date = {2020-11-12}, organization = {Twitter (@ddash_ct)}, url = {https://twitter.com/ddash_ct/status/1326887125103616000}, language = {English}, urldate = {2020-12-03} } @online{deacon:20200331:indepth:3719ebb, author = {Joshua Deacon and Lloyd Macrohon}, title = {{An In-depth Look at MailTo Ransomware, Part One of Three}}, date = {2020-03-31}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-one-of-three/}, language = {English}, urldate = {2020-04-14} } @online{deacon:20200408:indepth:c6628d7, author = {Joshua Deacon and Lloyd Macrohon}, title = {{An In-depth Look at MailTo Ransomware, Part Two of Three}}, date = {2020-04-08}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-two-of-three/}, language = {English}, urldate = {2020-04-14} } @online{deacon:20200410:indepth:13fc66f, author = {Joshua Deacon and Lloyd Macrohon}, title = {{An In-depth Look at MailTo Ransomware, Part Three of Three}}, date = {2020-04-10}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-three-of-three/}, language = {English}, urldate = {2020-04-14} } @online{decapua:20200225:feds:423f929, author = {Joel DeCapua}, title = {{Feds Fighting Ransomware: How the FBI Investigates and How You Can Help}}, date = {2020-02-25}, organization = {RSA Conference}, url = {https://www.youtube.com/watch?v=LUxOcpIRxmg}, language = {English}, urldate = {2020-03-04} } @techreport{decker:20090522:pushdo:518e04c, author = {Alice Decker and David Sancho and Loucif Kharouni and Max Goncharov and Robert McArdle}, title = {{Pushdo / Cutwail Botnet}}, date = {2009-05-22}, institution = {Trend Micro}, url = 
{https://www.trendmicro.de/cloud-content/us/pdfs/business/white-papers/wp_study-of-pushdo-cutwail-botnet.pdf}, language = {English}, urldate = {2020-01-13} } @online{decrypterfixer:20140911:torrentlocker:10d80ec, author = {DecrypterFixer}, title = {{TorrentLocker Ransomware Cracked and Decrypter has been made}}, date = {2014-09-11}, organization = {BleepingComputer Forums}, url = {http://www.bleepingcomputer.com/forums/t/547708/torrentlocker-ransomware-cracked-and-decrypter-has-been-made/}, language = {English}, urldate = {2020-01-06} } @online{dedola:20200820:transparent:b63fac6, author = {Giampaolo Dedola}, title = {{Transparent Tribe: Evolution analysis, part 1}}, date = {2020-08-20}, organization = {Kaspersky Labs}, url = {https://securelist.com/transparent-tribe-part-1/98127/}, language = {English}, urldate = {2020-08-24} } @online{dedola:20200826:transparent:b6f0422, author = {Giampaolo Dedola}, title = {{Transparent Tribe: Evolution analysis, part 2}}, date = {2020-08-26}, organization = {Kaspersky Labs}, url = {https://securelist.com/transparent-tribe-part-2/98233/}, language = {English}, urldate = {2020-08-27} } @online{dee:20181113:amadey:81d3bc6, author = {Dee}, title = {{Tweet on Amadey Malware}}, date = {2018-11-13}, organization = {Twitter (@ViriBack)}, url = {https://twitter.com/ViriBack/status/1062405363457118210}, language = {English}, urldate = {2020-01-07} } @online{dee:20200129:borr:528fccb, author = {Dee}, title = {{Tweet on Borr}}, date = {2020-01-29}, organization = {Twitter (@ViriBack)}, url = {https://twitter.com/ViriBack/status/1222704498923032576}, language = {English}, urldate = {2020-02-13} } @online{defense:20191111:revenge:114921b, author = {Binary Defense}, title = {{Revenge Is A Dish Best Served… Obfuscated?}}, date = {2019-11-11}, organization = {Binary Defense}, url = {https://www.binarydefense.com/revenge-is-a-dish-best-served-obfuscated}, language = {English}, urldate = {2020-01-09} } 
@techreport{defense:20200901:military:670494d, author = {US Department of Defense}, title = {{Military and Security Developments Involving the People’s Republic of China 2020}}, date = {2020-09-01}, institution = {US Department of Defense}, url = {https://media.defense.gov/2020/Sep/01/2002488689/-1/-1/1/2020-DOD-CHINA-MILITARY-POWER-REPORT-FINAL.PDF}, language = {English}, urldate = {2020-09-01} } @online{defense:20201028:turla:6f32714, author = {Cyber Defense}, title = {{Turla uses HyperStack, Carbon, and Kazuar to compromise government entity}}, date = {2020-10-28}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity}, language = {English}, urldate = {2020-10-29} } @online{degrippo:20200316:ta505:6cfbbb0, author = {Sherrod DeGrippo}, title = {{TA505 and Others Launch New Coronavirus Campaigns; Now the Largest Collection of Attack Types in Years}}, date = {2020-03-16}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/ta505-and-others-launch-new-coronavirus-campaigns-now-largest-collection-attack}, language = {English}, urldate = {2020-04-26} } @online{degrippo:20200622:hakbit:4d8be82, author = {Sherrod DeGrippo and Proofpoint Threat Research Team}, title = {{Hakbit Ransomware Campaign Against Germany, Austria, Switzerland}}, date = {2020-06-22}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/hakbit-ransomware-campaign-against-germany-austria-switzerland}, language = {English}, urldate = {2020-06-23} } @online{degrippo:20200717:ta547:cec93e0, author = {Sherrod DeGrippo}, title = {{TA547 Pivots from Ursnif Banking Trojan to Ransomware in Australian Campaign}}, date = {2020-07-17}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/security-briefs/ta547-pivots-ursnif-banking-trojan-ransomware-australian-campaign}, language = {English}, urldate = {2020-07-23} } 
@online{delcher:20201203:what:9853c58, author = {Pierre Delcher}, title = {{What did DeathStalker hide between two ferns?}}, date = {2020-12-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/what-did-deathstalker-hide-between-two-ferns/99616/}, language = {English}, urldate = {2020-12-08} } @online{delmas:20170226:treasurehunter:cd0c965, author = {Arnaud Delmas}, title = {{TreasureHunter : A POS Malware Case Study}}, date = {2017-02-26}, url = {http://adelmas.com/blog/treasurehunter.php}, language = {English}, urldate = {2019-12-02} } @online{delmas:20170314:analyzing:1c055df, author = {Arnaud Delmas}, title = {{Analyzing and Deobfuscating FlokiBot Banking Trojan}}, date = {2017-03-14}, organization = {Arnaud Delmas}, url = {http://adelmas.com/blog/flokibot.php}, language = {English}, urldate = {2020-01-08} } @online{deloitte:20200122:project:0a44796, author = {Deloitte}, title = {{Project Lurus}}, date = {2020-01-22}, organization = {Deloitte}, url = {https://www.cityofpensacola.com/DocumentCenter/View/18879/Deloitte-Executive-Summary-PDF}, language = {English}, urldate = {2020-02-13} } @online{delpy:20190104:mimikatz:caaf928, author = {Benjamin Delpy}, title = {{mimikatz Repository}}, date = {2019-01-04}, organization = {Github (gentilkiwi)}, url = {https://github.com/gentilkiwi/mimikatz}, language = {English}, urldate = {2020-01-07} } @online{deluca:20201020:fbi:db32b2f, author = {Alex DeLuca}, title = {{FBI Investigating Threatening Emails Sent To Democrats In Florida}}, date = {2020-10-20}, organization = {WUFT}, url = {https://www.wuft.org/news/2020/10/20/fbi-investigating-threatening-emails-sent-to-democrats-in-florida/}, language = {English}, urldate = {2020-10-23} } @online{demetria:20121030:jacksbot:8a7230b, author = {Johanne Demetria}, title = {{JACKSBOT Has Some Dirty Tricks up Its Sleeves}}, date = {2012-10-30}, organization = {Trend Micro}, url = 
{https://blog.trendmicro.com/trendlabs-security-intelligence/jacksbot-has-some-dirty-tricks-up-its-sleeves/}, language = {English}, urldate = {2020-01-06} } @techreport{demirkapi:20200805:demystifying:147bf1e, author = {Bill Demirkapi}, title = {{Demystifying Modern Windows Rootkits}}, date = {2020-08-05}, institution = {BlackHat}, url = {https://billdemirkapi.me/slides/Demystifying-Modern-Windows-Rootkits-BH.pdf}, language = {English}, urldate = {2020-08-18} } @online{dennesen:20141201:fin4:0760295, author = {Kristen Dennesen and Jordan Berry and Barry Vengerik and Jonathan Wrolstad}, title = {{FIN4: Stealing Insider Information for an Advantage in Stock Trading?}}, date = {2014-12-01}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2014/11/fin4_stealing_insid.html}, language = {English}, urldate = {2019-12-20} } @techreport{dereszowski:20150211:turladevelopment:98e2483, author = {Andrzej Dereszowski}, title = {{Turla-development & operations}}, date = {2015-02-11}, institution = {FIRST Tbilisi}, url = {https://www.first.org/resources/papers/tbilisi2014/turla-operations_and_development.pdf}, language = {English}, urldate = {2020-01-06} } @online{desai:201608:agent:d527844, author = {Deepen Desai}, title = {{Agent Tesla Keylogger delivered using cybersquatting}}, date = {2016-08}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/agent-tesla-keylogger-delivered-using-cybersquatting}, language = {English}, urldate = {2019-11-26} } @online{desai:20200319:new:00516c3, author = {Shivang Desai}, title = {{New Android App Offers Coronavirus Safety Mask But Delivers SMS Trojan}}, date = {2020-03-19}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/new-android-app-offers-coronavirus-safety-mask-delivers-sms-trojan}, language = {English}, urldate = {2020-03-26} } @online{desai:20200729:android:fb3b3d0, author = {Shivang Desai}, title = {{Android Spyware Targeting Tanzania Premier League}}, date = 
{2020-07-29}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/android-spyware-targeting-tanzania-premier-league}, language = {English}, urldate = {2020-08-05} } @online{desai:20200908:tiktok:d920a43, author = {Shivang Desai}, title = {{TikTok Spyware: A detailed analysis of spyware masquerading as TikTok}}, date = {2020-09-08}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/tiktok-spyware}, language = {English}, urldate = {2020-09-15} } @online{designativedave:20121116:remote:d5d4856, author = {DesignativeDave}, title = {{Remote Administration Tool for Android devices}}, date = {2012-11-16}, organization = {Github (DesignativeDave)}, url = {https://github.com/DesignativeDave/androrat}, language = {English}, urldate = {2019-11-26} } @online{deutsch:20201210:dutch:fe5465d, author = {Anthony Deutsch and Toby Sterling}, title = {{Dutch expel two Russian diplomats for suspected espionage}}, date = {2020-12-10}, organization = {Reuters}, url = {https://www.reuters.com/article/netherlands-russia/dutch-expel-two-russian-diplomats-for-suspected-espionage-idUSKBN28K2AT}, language = {English}, urldate = {2020-12-11} } @online{devadoss:20200629:initial:0c8ed48, author = {Dinesh Devadoss}, title = {{Tweet on initial Discovery of EvilQuest}}, date = {2020-06-29}, organization = {Twitter (@dineshdina04)}, url = {https://twitter.com/dineshdina04/status/1277668001538433025}, language = {English}, urldate = {2020-07-01} } @online{devane:20160721:phishing:314ff25, author = {Oliver Devane and Mohinder Gill}, title = {{Phishing Attacks Employ Old but Effective Password Stealer}}, date = {2016-07-21}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/mcafee-labs/phishing-attacks-employ-old-effective-password-stealer/}, language = {English}, urldate = {2019-12-17} } @online{dex:20200514:energy:43e92b4, author = {Dex}, title = {{The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against 
Turkey}}, date = {2020-05-14}, organization = {Lab52}, url = {https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/}, language = {English}, urldate = {2020-06-10} } @techreport{dfir:20200221:apt10:e9c3328, author = {ADEO DFIR}, title = {{APT10 Threat Analysis Report}}, date = {2020-02-21}, institution = {ADEO DFIR}, url = {https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf}, language = {English}, urldate = {2020-03-03} } @online{dhanalakshmi:20180705:look:c39d2cb, author = {Dhanalakshmi}, title = {{A Look At Recent Tinba Banking Trojan Variant}}, date = {2018-07-05}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/look-recent-tinba-banking-trojan-variant}, language = {English}, urldate = {2019-11-20} } @online{die:20130203:infection:ac33cd2, author = {Malware Must Die!}, title = {{The infection of Styx Exploit Kit (Landing page: painterinvoice.ru + Payload: PWS/Ursnif Variant)}}, date = {2013-02-03}, organization = {Malware Must Die!}, url = {http://blog.malwaremustdie.org/2013/02/the-infection-of-styx-exploit-kit.html}, language = {English}, urldate = {2019-07-11} } @online{dietrich:20181130:virut:2b9101c, author = {Christian J. 
Dietrich}, title = {{Virut Resurrects -- Musings on long-term sinkholing}}, date = {2018-11-30}, url = {https://chrisdietri.ch/post/virut-resurrects/}, language = {English}, urldate = {2019-11-25} } @online{digiamo:20181001:cds:a580f8f, author = {Christopher DiGiamo and Nalani Fraser and Jacqueline O’Leary}, title = {{CDS 2018 | Unmasking APT X}}, date = {2018-10-01}, organization = {Youtube (FireEye Inc.)}, url = {https://youtu.be/8hJyLkLHH8Q?t=1208}, language = {English}, urldate = {2020-01-06} } @online{digitrust:20170105:qrat:d5e7b46, author = {DigiTrust}, title = {{QRAT is Living in The World of JAVA}}, date = {2017-01-05}, organization = {DigiTrust}, url = {https://www.digitrustgroup.com/java-rat-qrat/}, language = {English}, urldate = {2020-01-09} } @techreport{dimaggio:20150806:black:af5cf27, author = {Jon DiMaggio}, title = {{The Black Vine cyberespionage group}}, date = {2015-08-06}, institution = {Symantec}, url = {https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-black-vine-cyberespionage-group.pdf}, language = {English}, urldate = {2020-01-10} } @techreport{dimaggio:20150806:black:b0fbb35, author = {Jon DiMaggio}, title = {{The Black Vine cyberespionage group}}, date = {2015-08-06}, institution = {Symantec}, url = {https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/black-vine-cyberespionage-group-15-en.pdf}, language = {English}, urldate = {2020-04-21} } @online{dimaggio:20160315:suckfly:0b3835e, author = {Jon DiMaggio}, title = {{Suckfly: Revealing the secret life of your code signing certificates}}, date = {2016-03-15}, organization = {Symantec}, url = {http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates}, language = {English}, urldate = {2020-01-05} } @online{dimaggio:20160315:suckfly:a1c8359, author = {Jon DiMaggio}, title = {{Suckfly: Revealing the secret life of your code signing certificates}}, date = {2016-03-15}, 
organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=62e325ae-f551-4855-b9cf-28a7d52d1534&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } @online{dimaggio:20160329:taiwan:4b83179, author = {Jon DiMaggio}, title = {{Taiwan targeted with new cyberespionage back door Trojan}}, date = {2016-03-29}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/taiwan-targeted-new-cyberespionage-back-door-trojan}, language = {English}, urldate = {2019-12-18} } @online{dimaggio:20160329:taiwan:de4b254, author = {Jon DiMaggio}, title = {{Taiwan targeted with new cyberespionage back door Trojan}}, date = {2016-03-29}, organization = {Symantec}, url = {https://app.box.com/s/xqh458fe1url7mgl072hhd0yxqw3x0jm}, language = {English}, urldate = {2020-01-20} } @online{dimaggio:20160428:tick:9fec91a, author = {Jon DiMaggio}, title = {{Tick cyberespionage group zeros in on Japan}}, date = {2016-04-28}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/tick-cyberespionage-group-zeros-japan}, language = {English}, urldate = {2020-01-10} } @online{dimaggio:20160517:indian:98dff05, author = {Jon DiMaggio}, title = {{Indian organizations targeted in Suckfly attacks}}, date = {2016-05-17}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7a60af1f-7786-446c-976b-7c71a16e9d3b&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } @online{dimaggio:20160517:indian:baa172f, author = {Jon DiMaggio}, title = {{Indian organizations targeted in Suckfly attacks}}, date = {2016-05-17}, organization = {Symantec}, url = {http://www.symantec.com/connect/blogs/indian-organizations-targeted-suckfly-attacks}, language = {English}, urldate 
= {2019-10-23} } @online{dimchev:20160927:new:3bba3cd, author = {Alex Dimchev}, title = {{New Voldemort/Nagini Ransomware Virus Infection}}, date = {2016-09-27}, organization = {Best Security Search}, url = {http://bestsecuritysearch.com/voldemortnagini-ransomware-virus/}, language = {English}, urldate = {2019-11-28} } @online{dimino:20120802:cridex:a9b195f, author = {Andre M. DiMino}, title = {{Cridex Analysis using Volatility}}, date = {2012-08-02}, url = {http://www.sempersecurus.org/2012/08/cridex-analysis-using-volatility.html}, language = {English}, urldate = {2019-10-23} } @online{dimino:20120803:cridex:eab5b19, author = {Andre DiMino}, title = {{Cridex Analysis using Volatility}}, date = {2012-08-03}, organization = {Contagio Dump}, url = {http://contagiodump.blogspot.com/2012/08/cridex-analysis-using-volatility-by.html}, language = {English}, urldate = {2019-12-18} } @online{division:2000:2000:6d829fc, author = {CERT Division}, title = {{2000 CERT Advisories}}, date = {2000}, organization = {Carnegie Mellon University}, url = {https://resources.sei.cmu.edu/library/asset-view.cfm?assetID=496186}, language = {English}, urldate = {2020-01-08} } @techreport{division:20200514:malware:34fa46f, author = {Leonardo’s Cyber Security division}, title = {{Malware Technical Insight Turla "Penquin_x64"}}, date = {2020-05-14}, institution = {Leonardo}, url = {https://www.leonardocompany.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf}, language = {English}, urldate = {2020-05-14} } @techreport{division:20200707:cosmic:cc97389, author = {AGARI CYBER INTELLIGENCE DIVISION}, title = {{Cosmic Lynx: The Rise of Russian BEC}}, date = {2020-07-07}, institution = {Agari}, url = {https://www.agari.com/cyber-intelligence-research/whitepapers/acid-agari-cosmic-lynx.pdf}, language = {English}, urldate = {2020-07-08} } @online{dixon:20180623:oceanlotus:555d8bf, author = {Brandon Dixon and Steve Ginty}, title = {{OceanLotus 2018: Malicious 
Infrastructure}}, date = {2018-06-23}, organization = {passivetotal}, url = {https://community.riskiq.com/projects/53b4bd1e-dad0-306b-7712-d2a608400c8f}, language = {English}, urldate = {2019-11-16} } @online{dodia:20190315:immortal:43b3d3d, author = {Rajdeepsinh Dodia and Uday Pratap Singh}, title = {{Immortal information stealer}}, date = {2019-03-15}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/immortal-information-stealer}, language = {English}, urldate = {2020-06-08} } @online{dodia:20190808:saefko:bdc733d, author = {Rajdeepsinh Dodia and Priyanka Bhati}, title = {{Saefko: A new multi-layered RAT}}, date = {2019-08-08}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/saefko-new-multi-layered-rat}, language = {English}, urldate = {2019-11-26} } @online{dodia:20200116:ftcode:9e80307, author = {Rajdeepsinh Dodia and Amandeep Kumar and Atinderpal Singh}, title = {{FTCODE Ransomware - New Version Includes Stealing Capabilities}}, date = {2020-01-16}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/ftcode-ransomware--new-version-includes-stealing-capabilities}, language = {English}, urldate = {2020-01-27} } @techreport{doerr:20190808:enemy:3962b21, author = {Eric Doerr}, title = {{The Enemy Within: Modern Supply Chain Attacks}}, date = {2019-08-08}, institution = {BlackHat}, url = {https://i.blackhat.com/USA-19/Thursday/us-19-Doerr-The-Enemy-Within-Modern-Supply-Chain-Attacks.pdf}, language = {English}, urldate = {2020-08-14} } @online{doffman:20190816:warning:65452b4, author = {Zak Doffman}, title = {{Warning As Devious New Android Malware Hides In Fake Adobe Flash Player Installations (Updated)}}, date = {2019-08-16}, organization = {Forbes}, url = {https://www.forbes.com/sites/zakdoffman/2019/08/16/dangerous-new-android-trojan-hides-from-malware-researchers-and-taunts-them-on-twitter/}, language = {English}, urldate = {2020-01-08} } @techreport{doherty:20130917:hidden:1b7b01c, author = 
{Stephen Doherty and Jozsef Gegeny and Branko Spasojevic and Jonell Baltazar}, title = {{Hidden Lynx – Professional Hackers for Hire}}, date = {2013-09-17}, institution = {Symantec}, url = {http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/hidden_lynx.pdf}, language = {English}, urldate = {2020-01-08} } @techreport{doherty:20130917:hidden:72a1bd7, author = {Stephen Doherty and Jozsef Gegeny and Branko Spasojevic and Jonell Baltazar}, title = {{Hidden Lynx – Professional Hackers for Hire}}, date = {2013-09-17}, institution = {Symantec}, url = {https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/hidden_lynx.pdf}, language = {English}, urldate = {2020-04-21} } @online{dolas:20200731:masslogger:b17ff73, author = {Aniruddha Dolas}, title = {{MassLogger: An Emerging Spyware and Keylogger}}, date = {2020-07-31}, organization = {Seqrite}, url = {https://www.seqrite.com/blog/masslogger-an-emerging-spyware-and-keylogger/}, language = {English}, urldate = {2020-08-05} } @online{dolgushev:20181019:darkpulsar:c98e816, author = {Andrey Dolgushev and Dmitry Tarakanov and Vasily Berdnikov}, title = {{DarkPulsar}}, date = {2018-10-19}, organization = {Kaspersky Labs}, url = {https://securelist.com/darkpulsar/88199/}, language = {English}, urldate = {2019-12-20} } @online{dolgushev:20191105:darkuniverse:36ead28, author = {Andrey Dolgushev and Vasily Berdnikov and Alexander Fedotov}, title = {{DarkUniverse – the mysterious APT framework #27}}, date = {2019-11-05}, organization = {Kaspersky Labs}, url = {https://securelist.com/darkuniverse-the-mysterious-apt-framework-27/94897/}, language = {English}, urldate = {2020-04-24} } @online{domaintools:20170321:hunt:e4d1473, author = {DomainTools}, title = {{Hunt Case Study: Hunting Campaign Indicators on Privacy Protected Attack Infrastructure}}, date = {2017-03-21}, organization = {DomainTools}, url = 
{https://www.domaintools.com/resources/blog/case-study-hunting-campaign-indicators-on-privacy-protected-attack-infrastr}, language = {English}, urldate = {2020-05-18} } @online{doman:20141027:scanbox:c4beb38, author = {Chris Doman and Tom Lancaster}, title = {{ScanBox framework – who’s affected, and who’s using it?}}, date = {2014-10-27}, organization = {PWC}, url = {http://pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whos-affected-and-whos-using-it-1.html}, language = {English}, urldate = {2020-01-07} } @online{doman:20161026:moonlight:1edffaa, author = {Chris Doman}, title = {{Moonlight – Targeted attacks in the Middle East}}, date = {2016-10-26}, organization = {Vectra}, url = {https://www.vectra.ai/blogpost/moonlight-middle-east-targeted-attacks}, language = {English}, urldate = {2020-04-06} } @online{doman:20170612:open:b143d52, author = {Christopher Doman}, title = {{Open Source Malware - Sharing is caring?}}, date = {2017-06-12}, organization = {SlideShare}, url = {https://www.slideshare.net/ChristopherDoman/open-source-malware-sharing-is-caring}, language = {English}, urldate = {2020-01-13} } @online{doman:20181008:delivery:8f2c9ed, author = {Chris Doman}, title = {{Delivery (Key)Boy}}, date = {2018-10-08}, organization = {AT\&T Cybersecurity}, url = {https://www.alienvault.com/blogs/labs-research/delivery-keyboy}, language = {English}, urldate = {2019-10-15} } @online{doman:20190306:internet:c3afbc0, author = {Chris Doman}, title = {{Internet of Termites}}, date = {2019-03-06}, organization = {AT\&T}, url = {https://www.alienvault.com/blogs/labs-research/internet-of-termites}, language = {English}, urldate = {2020-01-07} } @online{doman:20200516:recent:bb6d18e, author = {Chris Doman and James Campbell}, title = {{Recent Attacks Against Supercomputers}}, date = {2020-05-16}, organization = {Cado Security}, url = {https://www.cadosecurity.com/2020/05/16/1318/}, language = {English}, urldate = {2020-05-18} } 
@online{doman:20200611:ongoing:d94778b, author = {Chris Doman and James Campbell}, title = {{An Ongoing AWS Phishing Campaign}}, date = {2020-06-11}, organization = {Cado Security}, url = {https://www.cadosecurity.com/2020/06/11/an-ongoing-aws-phishing-campaign/}, language = {English}, urldate = {2020-06-12} } @online{doman:20200817:team:a654242, author = {Chris Doman and James Campbell}, title = {{Team TNT - The First Crypto-Mining Worm to Steal AWS Credentials}}, date = {2020-08-17}, organization = {Cado Security}, url = {https://www.cadosecurity.com/2020/08/17/teamtnt-the-first-crypto-mining-worm-to-steal-aws-credentials/}, language = {English}, urldate = {2020-08-19} } @online{doman:20201214:responding:639d2ce, author = {Christopher Doman}, title = {{Responding to Solarigate}}, date = {2020-12-14}, organization = {Cado Security}, url = {https://www.cadosecurity.com/post/responding-to-solarigate}, language = {English}, urldate = {2020-12-14} } @online{done:20201005:darkside:d3005ca, author = {Zawadi Done}, title = {{DarkSide ransomware analysis}}, date = {2020-10-05}, organization = {Zawadi Done}, url = {https://zawadidone.nl/2020/10/05/darkside-ransomware-analysis.html}, language = {English}, urldate = {2020-11-17} } @online{dong:20201109:old:5454254, author = {Zhengyu Dong}, title = {{An Old Joker’s New Tricks: Using Github To Hide Its Payload}}, date = {2020-11-09}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/20/k/an-old-jokers-new-tricks--using-github-to-hide-its-payload.html}, language = {English}, urldate = {2020-11-19} } @online{dong:20201117:regretlocker:84dd317, author = {Chuong Dong}, title = {{RegretLocker}}, date = {2020-11-17}, organization = {Chuongdong blog}, url = {http://chuongdong.com/reverse%20engineering/2020/11/17/RegretLocker/}, language = {English}, urldate = {2020-11-19} } @online{dong:20201212:contiunpacker:05a9897, author = {Chuong Dong}, title = {{ContiUnpacker: An automatic unpacker for Conti 
rasnomware}}, date = {2020-12-12}, organization = {Github (cdong1012)}, url = {https://github.com/cdong1012/ContiUnpacker}, language = {English}, urldate = {2020-12-14} } @online{dong:20201215:conti:afb68fe, author = {Chuong Dong}, title = {{Conti Ransomware v2}}, date = {2020-12-15}, organization = {Chuongdong blog}, url = {http://chuongdong.com/reverse%20engineering/2020/12/15/ContiRansomware/}, language = {English}, urldate = {2020-12-23} } @online{dong:20210103:babuk:b5b2e9e, author = {Chuong Dong}, title = {{Babuk Ransomware}}, date = {2021-01-03}, organization = {Chuongdong blog}, url = {http://chuongdong.com/reverse%20engineering/2021/01/03/BabukRansomware/}, language = {English}, urldate = {2021-01-05} } @online{donohue:20141125:regin:15d544f, author = {Brian Donohue}, title = {{Regin APT Attacks Among the Most Sophisticated Ever Analyzed}}, date = {2014-11-25}, organization = {Kaspersky Labs}, url = {https://www.kaspersky.com/blog/regin-apt-most-sophisticated/6852/}, language = {English}, urldate = {2019-12-17} } @online{doraisjoncas:20120316:osximuler:badbc2e, author = {Alexis Dorais-Joncas}, title = {{OSX/Imuler updated: still a threat on Mac OS X}}, date = {2012-03-16}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2012/03/16/osximuler-updated-still-a-threat-on-mac-os-x/}, language = {English}, urldate = {2019-11-14} } @online{dorfman:20200715:exclusive:6a11ebe, author = {Zach Dorfman and Kim Zetter and Jenna McLaughlin and Sean D. 
Naylor}, title = {{Exclusive: Secret Trump order gives CIA more powers to launch cyberattacks}}, date = {2020-07-15}, organization = {Yahoo News}, url = {https://news.yahoo.com/secret-trump-order-gives-cia-more-powers-to-launch-cyberattacks-090015219.html}, language = {English}, urldate = {2020-07-16} } @online{dorneanu:20140707:disect:49df4ee, author = {Victor Dorneanu}, title = {{Disect Android APKs like a Pro - Static code analysis}}, date = {2014-07-07}, url = {http://blog.dornea.nu/2014/07/07/disect-android-apks-like-a-pro-static-code-analysis/}, language = {English}, urldate = {2020-01-07} } @online{douglas:20170309:spora:7038fba, author = {Kevin Douglas}, title = {{Spora Ransomware: Understanding the HTA Infection Vector}}, date = {2017-03-09}, organization = {Tenable}, url = {https://www.linkedin.com/pulse/spora-ransomware-understanding-hta-infection-vector-kevin-douglas}, language = {English}, urldate = {2020-01-10} } @online{downey:20190422:unpacking:2cb6558, author = {Mike Downey}, title = {{Unpacking & Decrypting FlawedAmmyy}}, date = {2019-04-22}, organization = {SANS}, url = {https://www.sans.org/reading-room/whitepapers/reverseengineeringmalware/unpacking-decrypting-flawedammyy-38930}, language = {English}, urldate = {2020-01-09} } @online{downs:20151016:surveillance:86d472f, author = {Rob Downs}, title = {{Surveillance Malware Trends: Tracking Predator Pain and HawkEye}}, date = {2015-10-16}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2015/10/surveillance-malware-trends-tracking-predator-pain-and-hawkeye/}, language = {English}, urldate = {2019-12-20} } @techreport{dragos:20170613:crashoverride:33b0a7e, author = {Dragos}, title = {{CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations}}, date = {2017-06-13}, institution = {Dragos}, url = {https://dragos.com/wp-content/uploads/CrashOverride-01.pdf}, language = {English}, urldate = {2020-01-13} } 
@techreport{dragos:20170613:crashoverride:ee53f66, author = {Dragos}, title = {{CRASHOVERRIDE: Analysis of the Threat to Electric Grid Operations}}, date = {2017-06-13}, institution = {Dragos}, url = {https://dragos.com/blog/crashoverride/CrashOverride-01.pdf}, language = {English}, urldate = {2020-01-10} } @techreport{dragos:20171213:trisis:43675c1, author = {Dragos}, title = {{TRISIS Malware: Analysis of Safety System Targeted Malware}}, date = {2017-12-13}, institution = {Dragos}, url = {https://dragos.com/blog/trisis/TRISIS-01.pdf}, language = {English}, urldate = {2020-01-13} } @techreport{dragos:20180301:industrial:6e4e898, author = {Dragos}, title = {{INDUSTRIAL CONTROL SYSTEM THREATS}}, date = {2018-03-01}, institution = {Dragos}, url = {https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf}, language = {English}, urldate = {2020-01-08} } @online{dragos:20180802:raspite:1873c25, author = {Dragos}, title = {{Raspite}}, date = {2018-08-02}, organization = {Dragos}, url = {https://dragos.com/blog/20180802Raspite.html}, language = {English}, urldate = {2020-01-13} } @online{dragos:20190403:allanite:46dcddd, author = {Dragos}, title = {{Allanite}}, date = {2019-04-03}, organization = {Dragos}, url = {https://dragos.com/blog/20180510Allanite.html}, language = {English}, urldate = {2020-01-09} } @techreport{dragos:20190801:global:2b76e8c, author = {Dragos}, title = {{Global Oil and Gas Cyber Threat Perspective}}, date = {2019-08-01}, institution = {Dragos}, url = {https://dragos.com/wp-content/uploads/Dragos-Oil-and-Gas-Threat-Perspective-2019.pdf}, language = {English}, urldate = {2020-01-09} } @online{dragos:2019:adversary:0237a20, author = {Dragos}, title = {{Adversary Reports}}, date = {2019}, organization = {Dragos}, url = {https://dragos.com/adversaries.html}, language = {English}, urldate = {2020-01-10} } @online{dragos:20200109:parisite:d17dd24, author = {Dragos}, title = {{PARISITE}}, date = {2020-01-09}, organization = {Dragos}, url = 
{https://www.dragos.com/threat/parisite}, language = {English}, urldate = {2020-09-18} } @techreport{dragos:202001:north:41ab73f, author = {Dragos}, title = {{North American Electric Cyber Threat Perspective}}, date = {2020-01}, institution = {Dragos}, url = {https://www.dragos.com/wp-content/uploads/NA-EL-Threat-Perspective-2019.pdf}, language = {English}, urldate = {2020-09-18} } @online{dragos:20200203:ekans:041a3ee, author = {Dragos}, title = {{EKANS Ransomware and ICS Operations}}, date = {2020-02-03}, organization = {Dragos}, url = {https://dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/}, language = {English}, urldate = {2020-02-04} } @techreport{dragos:20200224:2019:b583cc8, author = {Dragos}, title = {{2019 Year In Review: The ICS Landscape and Threat Activity Groups}}, date = {2020-02-24}, institution = {Dragos}, url = {https://www.dragos.com/wp-content/uploads/The-ICS-Threat-Landscape.pdf}, language = {English}, urldate = {2020-09-18} } @techreport{dragos:20201112:cyber:cf5b4fd, author = {Dragos}, title = {{Cyber Threat Perspective MANUFACTURING SECTOR}}, date = {2020-11-12}, institution = {Dragos}, url = {https://hub.dragos.com/hubfs/Whitepaper-Downloads/Dragos_Manufacturing%20Threat%20Perspective_1120.pdf}, language = {English}, urldate = {2020-11-18} } @online{driker:20200915:rudeminer:1cea628, author = {David Driker and Amir Landau}, title = {{Rudeminer, Blacksquid and Lucifer Walk Into A Bar}}, date = {2020-09-15}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2020/rudeminer-blacksquid-and-lucifer-walk-into-a-bar/}, language = {English}, urldate = {2020-09-18} } @online{drstache:20200212:manabotnet:9a3d3c6, author = {DrStache}, title = {{Tweet on ManaBotnet}}, date = {2020-02-12}, organization = {Twitter (@DrStache_)}, url = {https://twitter.com/DrStache_/status/1227662001247268864}, language = {English}, urldate = {2020-02-27} } @online{drweb:20120822:first:3c5cc7e, author = {Dr.Web}, title = {{The first 
Trojan in history to steal Linux and Mac OS X passwords}}, date = {2012-08-22}, organization = {Dr.Web}, url = {https://news.drweb.com/show/?i=2679&lng=en&c=14}, language = {English}, urldate = {2020-01-13} } @online{drweb:20140409:backdoorgootkit112a:b63758d, author = {Dr.Web}, title = {{BackDoor.Gootkit.112—a new multi-purpose backdoor}}, date = {2014-04-09}, organization = {Dr.Web}, url = {https://news.drweb.com/show/?i=4338&lng=en}, language = {English}, urldate = {2019-07-11} } @online{drweb:20160822:trojanmutabaha1:912e922, author = {Dr.Web}, title = {{Trojan.Mutabaha.1}}, date = {2016-08-22}, organization = {Dr.Web}, url = {http://vms.drweb.ru/virus/?_is=1&i=8477920}, language = {Russian}, urldate = {2020-01-09} } @online{drweb:20160908:doctor:00c53a5, author = {Dr.Web}, title = {{Doctor Web discovers Linux Trojan written in Rust}}, date = {2016-09-08}, organization = {Dr.Web}, url = {https://news.drweb.com/show/?c=5&i=10193&lng=en}, language = {English}, urldate = {2020-01-05} } @online{drweb:20170511:macbackdoorsystemd1:c74a3ef, author = {Dr.Web}, title = {{Mac.BackDoor.Systemd.1}}, date = {2017-05-11}, organization = {Dr.Web}, url = {https://vms.drweb.com/virus/?_is=1&i=15299312&lng=en}, language = {English}, urldate = {2020-01-08} } @online{drweb:20180807:doctor:4154c38, author = {Dr.Web}, title = {{Doctor Web discovered a clipper Trojan for Android}}, date = {2018-08-07}, organization = {Dr.Web}, url = {https://news.drweb.com/show?lng=en&i=12739}, language = {English}, urldate = {2020-01-13} } @online{drweb:20190508:new:06a3aa5, author = {Dr.Web}, title = {{A new threat for macOS spreads as WhatsApp}}, date = {2019-05-08}, organization = {Dr.Web}, url = {https://news.drweb.ru/show/?i=13281&c=23}, language = {English}, urldate = {2020-01-08} } @techreport{drweb:20200720:study:442ba99, author = {Dr.Web}, title = {{Study of the APT attacks on state institutions in Kazakhstan and Kyrgyzstan}}, date = {2020-07-20}, institution = {Dr.Web}, url = 
{https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf}, language = {English}, urldate = {2020-10-02} } @techreport{drweb:20200925:spear:aeadfac, author = {Dr.Web}, title = {{Spear phishing campaigns threaten Russian fuel and energy companies}}, date = {2020-09-25}, institution = {Dr.Web}, url = {https://st.drweb.com/static/new-www/news/2020/september/tek_rf_article_en.pdf}, language = {English}, urldate = {2020-10-02} } @techreport{drweb:20201027:study:9f6e628, author = {Dr.Web}, title = {{Study of the ShadowPad APT backdoor and its relation to PlugX}}, date = {2020-10-27}, institution = {Dr.Web}, url = {https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf}, language = {English}, urldate = {2020-10-29} } @online{dsouza:20190311:resecurity:8388bc5, author = {Melissa Dsouza}, title = {{Resecurity reports ‘IRIDUIM’ behind Citrix data breach, 200+ government agencies, oil and gas companies, and technology companies also targeted.}}, date = {2019-03-11}, organization = {Packt}, url = {https://hub.packtpub.com/resecurity-reports-iriduim-behind-citrix-data-breach-200-government-agencies-oil-and-gas-companies-and-technology-companies-also-targeted/}, language = {English}, urldate = {2020-01-10} } @online{duan:20201029:domain:413ffab, author = {Ruian Duan and Zhanhao Chen and Seokkyung Chung and Janos Szurdi and Jingwei Fan}, title = {{Domain Parking: A Gateway to Attackers Spreading Emotet and Impersonating McAfee}}, date = {2020-10-29}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/domain-parking/}, language = {English}, urldate = {2020-11-02} } @online{ducharme:20190911:watchbog:7f5240b, author = {Luke DuCharme and Paul Lee}, title = {{Watchbog and the Importance of Patching}}, date = {2019-09-11}, organization = {Talos Intelligence}, url = 
{https://blog.talosintelligence.com/2019/09/watchbog-patching.html}, language = {English}, urldate = {2020-05-18} } @online{ducklin:20140121:digitally:4a7a4ee, author = {Paul Ducklin}, title = {{Digitally signed data-stealing malware targets Mac users in “undelivered courier item” attack}}, date = {2014-01-21}, organization = {Sophos Naked Security}, url = {https://nakedsecurity.sophos.com/2014/01/21/data-stealing-malware-targets-mac-users-in-undelivered-courier-item-attack/}, language = {English}, urldate = {2020-01-09} } @online{ducklin:20160229:hawkeye:e5bd59b, author = {Paul Ducklin}, title = {{The “HawkEye” attack: how cybercrooks target small businesses for big money}}, date = {2016-02-29}, organization = {Sophos}, url = {https://nakedsecurity.sophos.com/2016/02/29/the-hawkeye-attack-how-cybercrooks-target-small-businesses-for-big-money/}, language = {English}, urldate = {2019-11-27} } @online{ducklin:20180131:what:4aa6a12, author = {Paul Ducklin}, title = {{What are “WannaMine” attacks, and how do I avoid them?}}, date = {2018-01-31}, organization = {Sophos Naked Security}, url = {https://nakedsecurity.sophos.com/2018/01/31/what-are-wannamine-attacks-and-how-do-i-avoid-them/}, language = {English}, urldate = {2020-11-25} } @online{ducklin:20200624:glupteba:8f0c66a, author = {Paul Ducklin}, title = {{Glupteba - the malware that gets secret messages from the Bitcoin blockchain}}, date = {2020-06-24}, organization = {Sophos Naked Security}, url = {https://nakedsecurity.sophos.com/2020/06/24/glupteba-the-bot-that-gets-secret-messages-from-the-bitcoin-blockchain/}, language = {English}, urldate = {2020-06-26} } @online{dudek:20190410:trisis:480b199, author = {Marcin Dudek}, title = {{TRISIS / TRITON / HatMan Malware Repository}}, date = {2019-04-10}, organization = {Github (ICSrepo)}, url = {https://github.com/ICSrepo/TRISIS-TRITON-HATMAN}, language = {English}, urldate = {2019-07-09} } @techreport{dumont:20181201:dark:20efc15, author = {Romain Dumont and 
Marc-Etienne M.Léveillé and Hugo Porcher}, title = {{THE DARK SIDE OF THE FORSSHE: A landscape of OpenSSH backdoors}}, date = {2018-12-01}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf}, language = {English}, urldate = {2020-01-09} } @online{dumont:20190409:oceanlotus:eb8a99f, author = {Romain Dumont}, title = {{OceanLotus: macOS malware update}}, date = {2019-04-09}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/}, language = {English}, urldate = {2019-11-14} } @online{duncan:20160509:pseudodarkleech:5dff946, author = {Brad Duncan}, title = {{PSEUDO-DARKLEECH ANGLER EK FROM 185.118.66.154 SENDS BEDEP/CRYPTXXX}}, date = {2016-05-09}, organization = {Malware Traffic Analysis}, url = {http://malware-traffic-analysis.net/2016/05/09/index.html}, language = {English}, urldate = {2020-01-08} } @online{duncan:20170117:eitest:f6e103b, author = {Brad Duncan}, title = {{EITEST RIG-V FROM 92.53.127.86 SENDS SPORA RANSOMWARE}}, date = {2017-01-17}, organization = {Malware Traffic Analysis}, url = {http://malware-traffic-analysis.net/2017/01/17/index2.html}, language = {English}, urldate = {2020-01-13} } @online{duncan:20170117:vreikstadi:aea370f, author = {Brad Duncan}, title = {{Tweet on Vreikstadi Malspam}}, date = {2017-01-17}, organization = {Twitter (@malware_traffic)}, url = {https://twitter.com/malware_traffic/status/821483557990318080}, language = {English}, urldate = {2020-01-08} } @online{duncan:20170121:sage:cf422da, author = {Brad Duncan}, title = {{Sage 2.0 Ransomware}}, date = {2017-01-21}, organization = {SANS ISC InfoSec Forums}, url = {https://isc.sans.edu/forums/diary/Sage+20+Ransomware/21959/}, language = {English}, urldate = {2019-07-11} } @online{duncan:20170403:dhl:b9c41a9, author = {Brad Duncan}, title = {{DHL Invoice Malspam/Photo Malspam}}, date = {2017-04-03}, organization = {Malware Traffic 
Analysis}, url = {http://malware-traffic-analysis.net/2017/04/03/index2.html}, language = {English}, urldate = {2020-01-13} } @online{duncan:20170425:20170425:dfd0f09, author = {Brian Duncan}, title = {{2017-04-25 - "GOOD MAN" CAMPAIGN RIG EK SENDS LATENTBOT}}, date = {2017-04-25}, organization = {Malware Traffic Analysis}, url = {http://malware-traffic-analysis.net/2017/04/25/index.html}, language = {English}, urldate = {2019-11-29} } @online{duncan:20170509:rig:c6b2df9, author = {Brad Duncan}, title = {{RIG EK SENDS BUNITU TROJAN}}, date = {2017-05-09}, organization = {Malware Traffic Analysis}, url = {http://malware-traffic-analysis.net/2017/05/09/index.html}, language = {English}, urldate = {2020-01-08} } @online{duncan:20170516:20170516:920d589, author = {Brad Duncan}, title = {{2017-05-16 - MORE EXAMPLES OF MALSPAM PUSHING JAFF RANSOMWARE}}, date = {2017-05-16}, organization = {Malware Traffic Analysis}, url = {http://malware-traffic-analysis.net/2017/05/16/index.html}, language = {English}, urldate = {2020-01-07} } @online{duncan:20170612:20170612:04b2c09, author = {Brian Duncan}, title = {{2017-06-12 - LOKI BOT MALSPAM - SUBJECT: RE: PURCHASE ORDER 457211}}, date = {2017-06-12}, organization = {Malware Traffic Analysis}, url = {http://www.malware-traffic-analysis.net/2017/06/12/index.html}, language = {English}, urldate = {2019-11-28} } @online{duncan:20170627:checking:23c2251, author = {Brad Duncan}, title = {{Checking out the new Petya variant}}, date = {2017-06-27}, organization = {SANS}, url = {https://isc.sans.edu/forums/diary/Checking+out+the+new+Petya+variant/22562/}, language = {English}, urldate = {2020-01-06} } @online{duncan:20170704:malspam:3713609, author = {Brad Duncan}, title = {{MALSPAM WITH JAVA-BASED RAT}}, date = {2017-07-04}, organization = {Malware Traffic Analysis}, url = {http://malware-traffic-analysis.net/2017/07/04/index.html}, language = {English}, urldate = {2020-01-10} } @online{duncan:20170901:eitest:6388761, author = {Brad 
Duncan}, title = {{EITest: HoeflerText Popups Targeting Google Chrome Users Now Push RAT Malware}}, date = {2017-09-01}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/09/unit42-hoeflertext-popups-targeting-google-chrome-users-now-pushing-rat-malware/}, language = {English}, urldate = {2019-12-20} } @online{duncan:20171013:blank:71e7858, author = {Brad Duncan}, title = {{Blank Slate Malspam Stops Pushing Locky, Starts Pushing Sage 2.2 Randsomware}}, date = {2017-10-13}, organization = {Malware Traffic Analysis}, url = {http://malware-traffic-analysis.net/2017/10/13/index.html}, language = {English}, urldate = {2020-01-13} } @online{duncan:20171102:20171102:dfff76e, author = {Brad Duncan}, title = {{2017-11-02 - ADVENTURES WITH SMOKE LOADER}}, date = {2017-11-02}, organization = {Malware Traffic Analysis}, url = {http://www.malware-traffic-analysis.net/2017/11/02/index.html}, language = {English}, urldate = {2020-01-06} } @online{duncan:20171123:necurs:15f819e, author = {Brad Duncan}, title = {{NECURS BOTNET MALSPAM PUSHES "SCARAB" RANSOMWARE}}, date = {2017-11-23}, organization = {Malware Traffic Analysis}, url = {http://malware-traffic-analysis.net/2017/11/23/index.html}, language = {English}, urldate = {2020-01-10} } @online{duncan:20171222:malspam:4a3fd87, author = {Brad Duncan}, title = {{MALSPAM USES CVE-2017-0199 TO DISTRIBUTE REMCOS RAT}}, date = {2017-12-22}, organization = {Malware Traffic Analysis}, url = {http://malware-traffic-analysis.net/2017/12/22/index.html}, language = {English}, urldate = {2019-07-11} } @online{duncan:20180104:malspam:ce2dfac, author = {Brad Duncan}, title = {{MALSPAM PUSHING PCRAT/GH0ST}}, date = {2018-01-04}, organization = {Malware Traffic Analysis}, url = {http://www.malware-traffic-analysis.net/2018/01/04/index.html}, language = {English}, urldate = {2019-12-24} } @online{duncan:20180201:quick:320f855, author = {Brad Duncan}, title = {{Quick Test Drive of Trickbot (It now 
has a Monero Module)}}, date = {2018-02-01}, organization = {Malware Traffic Analysis}, url = {http://www.malware-traffic-analysis.net/2018/02/01/}, language = {English}, urldate = {2019-07-09} } @online{duncan:20180307:ransomware:504a693, author = {Brad Duncan}, title = {{Ransomware news: GlobeImposter gets a facelift, GandCrab is still out there}}, date = {2018-03-07}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/23417}, language = {English}, urldate = {2020-01-06} } @online{duncan:20181204:malspam:8e2d810, author = {Brad Duncan}, title = {{Malspam pushing Lokibot malware}}, date = {2018-12-04}, url = {https://isc.sans.edu/diary/24372}, language = {English}, urldate = {2019-10-29} } @online{duncan:20181219:malspam:b8c4580, author = {Brad Duncan}, title = {{MALSPAM PUSHING THE MYDOOM WORM IS STILL A THING}}, date = {2018-12-19}, organization = {Malware Traffic Analysis}, url = {https://www.malware-traffic-analysis.net/2018/12/19/index.html}, language = {English}, urldate = {2020-01-13} } @online{duncan:20190117:emotet:0754347, author = {Brad Duncan}, title = {{Emotet infections and follow-up malware}}, date = {2019-01-17}, organization = {SANS ISC InfoSec Forums}, url = {https://isc.sans.edu/forums/diary/Emotet+infections+and+followup+malware/24532/}, language = {English}, urldate = {2020-01-13} } @online{duncan:20190123:russian:150eb22, author = {Brad Duncan and Mike Harbison}, title = {{Russian Language Malspam Pushing Redaman Banking Malware}}, date = {2019-01-23}, url = {https://unit42.paloaltonetworks.com/russian-language-malspam-pushing-redaman-banking-malware/}, language = {English}, urldate = {2020-01-06} } @online{duncan:20190220:more:a3216b8, author = {Brad Duncan}, title = {{More Russian language malspam pushing Shade (Troldesh) ransomware}}, date = {2019-02-20}, organization = {SANS ISC InfoSec Forums}, url = {https://isc.sans.edu/forums/diary/More+Russian+language+malspam+pushing+Shade+Troldesh+ransomware/24668/}, 
language = {English}, urldate = {2020-01-13} } @online{duncan:20190522:shade:7647744, author = {Brad Duncan}, title = {{Shade Ransomware Hits High-Tech, Wholesale, Education Sectors in U.S, Japan, India, Thailand, Canada}}, date = {2019-05-22}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/shade-ransomware-hits-high-tech-wholesale-education-sectors-in-u-s-japan-india-thailand-canada/}, language = {English}, urldate = {2020-01-13} } @online{duncan:20190625:rig:31ecb33, author = {Brad Duncan}, title = {{Rig Exploit Kit sends Pitou.B Trojan}}, date = {2019-06-25}, organization = {SANS}, url = {https://isc.sans.edu/diary/rss/25068}, language = {English}, urldate = {2019-12-17} } @online{duncan:20190711:recent:bd25d5a, author = {Brad Duncan}, title = {{Recent AZORult activity}}, date = {2019-07-11}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/25120}, language = {English}, urldate = {2020-01-10} } @online{duncan:20191108:wireshark:f37b983, author = {Brad Duncan}, title = {{Wireshark Tutorial: Examining Trickbot Infections}}, date = {2019-11-08}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/wireshark-tutorial-examining-trickbot-infections/}, language = {English}, urldate = {2020-01-06} } @online{duncan:20191122:trickbot:e14933b, author = {Brad Duncan}, title = {{Trickbot Updates Password Grabber Module}}, date = {2019-11-22}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/trickbot-updates-password-grabber-module/}, language = {English}, urldate = {2020-01-22} } @online{duncan:20191219:valak:a793639, author = {Brad Duncan}, title = {{Tweet on Valak Malware}}, date = {2019-12-19}, organization = {Twitter (@malware_traffic)}, url = {https://twitter.com/malware_traffic/status/1207824548021886977}, language = {English}, urldate = {2020-01-05} } @online{duncan:20191223:wireshark:11f95ab, author = {Brad Duncan}, title = 
{{Wireshark Tutorial: Examining Ursnif Infections}}, date = {2019-12-23}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/wireshark-tutorial-examining-ursnif-infections/}, language = {English}, urldate = {2020-01-13} } @online{duncan:20200123:german:2c867b2, author = {Brad Duncan}, title = {{German language malspam pushes Ursnif}}, date = {2020-01-23}, organization = {SANS ISC InfoSec Forums}, url = {https://isc.sans.edu/forums/diary/German+language+malspam+pushes+Ursnif/25732/}, language = {English}, urldate = {2020-01-26} } @online{duncan:20200403:guloader:4b27e7a, author = {Brad Duncan}, title = {{GuLoader: Malspam Campaign Installing NetWire RAT}}, date = {2020-04-03}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/}, language = {English}, urldate = {2021-01-10} } @online{duncan:20200528:goodbye:87a0245, author = {Brad Duncan}, title = {{Goodbye Mworm, Hello Nworm: TrickBot Updates Propagation Module}}, date = {2020-05-28}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/goodbye-mworm-hello-nworm-trickbot-updates-propagation-module/}, language = {English}, urldate = {2020-05-29} } @online{duncan:20200724:evolution:a372b2b, author = {Brad Duncan}, title = {{Evolution of Valak, from Its Beginnings to Mass Distribution}}, date = {2020-07-24}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/valak-evolution/}, language = {English}, urldate = {2020-08-05} } @online{duncan:20200821:wireshark:d98d5ed, author = {Brad Duncan}, title = {{Wireshark Tutorial: Decrypting HTTPS Traffic}}, date = {2020-08-21}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/wireshark-tutorial-decrypting-https-traffic/}, language = {English}, urldate = {2020-08-25} } @online{duncan:20200907:collection:09ab7be, author = {Brad Duncan}, title = {{Collection of recent 
Dridex IOCs}}, date = {2020-09-07}, organization = {Github (pan-unit42)}, url = {https://github.com/pan-unit42/tweets/blob/master/2020-09-07-Dridex-IOCs.txt}, language = {English}, urldate = {2020-09-15} } @online{duncan:20200910:recent:f9e103f, author = {Brad Duncan}, title = {{Recent Dridex activity}}, date = {2020-09-10}, organization = {SANS ISC InfoSec Forums}, url = {https://isc.sans.edu/forums/diary/Recent+Dridex+activity/26550/}, language = {English}, urldate = {2020-09-15} } @online{duncan:20201119:threat:67ef9bd, author = {Kyle Duncan}, title = {{Threat Actor Utilizes COVID-19 Uncertainty to Target Users}}, date = {2020-11-19}, organization = {Cofense}, url = {https://cofense.com/threat-actor-utilizes-covid-19-uncertainty-to-target-users/}, language = {English}, urldate = {2020-11-23} } @online{duncan:20201209:recent:0992506, author = {Brad Duncan}, title = {{Recent Qakbot (Qbot) activity}}, date = {2020-12-09}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/rss/26862}, language = {English}, urldate = {2020-12-10} } @online{duncan:20210107:ta551:6346c62, author = {Brad Duncan}, title = {{TA551: Email Attack Campaign Switches from Valak to IcedID}}, date = {2021-01-07}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/ta551-shathak-icedid/}, language = {English}, urldate = {2021-01-11} } @online{dunwoody:20170403:dissecting:65071e7, author = {Matthew Dunwoody}, title = {{Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY)}}, date = {2017-04-03}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html}, language = {English}, urldate = {2019-12-20} } @online{dunwoody:20170404:poshspy:dc59dda, author = {Matthew Dunwoody}, title = {{POSHSPY backdoor code}}, date = {2017-04-04}, organization = {Github (matthewdunwoody)}, url = {https://github.com/matthewdunwoody/POSHSPY}, language = {English}, urldate = 
{2019-12-18} } @online{dunwoody:20181119:not:e581291, author = {Matthew Dunwoody and Andrew Thompson and Ben Withnell and Jonathan Leathery and Michael Matonis and Nick Carr}, title = {{Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign}}, date = {2018-11-19}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html}, language = {English}, urldate = {2019-12-20} } @online{duquette:20130124:linuxsshdoora:0b9dc3e, author = {Sébastien Duquette}, title = {{Linux/SSHDoor.A Backdoored SSH daemon that steals passwords}}, date = {2013-01-24}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2013/01/24/linux-sshdoor-a-backdoored-ssh-daemon-that-steals-passwords/}, language = {English}, urldate = {2019-11-14} } @online{durando:20170426:bankbot:f7430c7, author = {Dario Durando and David Maciejak}, title = {{BankBot, the Prequel}}, date = {2017-04-26}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/bankbot-the-prequel.html}, language = {English}, urldate = {2019-12-17} } @online{durando:20170919:look:79fa513, author = {Dario Durando}, title = {{A Look Into The New Strain Of BankBot}}, date = {2017-09-19}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/a-look-into-the-new-strain-of-bankbot.html}, language = {English}, urldate = {2020-01-13} } @online{durando:20190703:bianlian:c6f94bb, author = {Dario Durando}, title = {{BianLian: A New Wave Emerges}}, date = {2019-07-03}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/new-wave-bianlian-malware.html}, language = {English}, urldate = {2019-12-24} } @online{durando:20190904:funkybot:625b9ba, author = {Dario Durando}, title = {{FunkyBot: A New Android Malware Family Targeting Japan}}, date = {2019-09-04}, organization = {Fortinet}, url = 
{https://www.fortinet.com/blog/threat-research/funkybot-malware-targets-japan.html}, language = {English}, urldate = {2020-01-13} } @online{dutcher:20130904:sykipot:3c79c33, author = {Darin Dutcher}, title = {{Sykipot Now Targeting US Civil Aviation Sector Information}}, date = {2013-09-04}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/sykipot-now-targeting-us-civil-aviation-sector-information/}, language = {English}, urldate = {2020-01-08} } @online{dutcher:20130904:sykipot:8fffe0c, author = {Darin Dutcher}, title = {{Sykipot Now Targeting US Civil Aviation Sector Information}}, date = {2013-09-04}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/sykipot-now-targeting-us-civil-aviation-sector-information/}, language = {English}, urldate = {2019-12-05} } @online{dwoskin:20190220:microsoft:9d4cb73, author = {Elizabeth Dwoskin and Craig Timberg}, title = {{Microsoft says it has found another Russian operation targeting prominent think tanks}}, date = {2019-02-20}, organization = {Washington Post}, url = {https://www.washingtonpost.com/technology/2019/02/20/microsoft-says-it-has-found-another-russian-operation-targeting-prominent-think-tanks/?utm_term=.870ff11468ae}, language = {English}, urldate = {2019-11-29} } @online{east:20150619:russian:fe2f7aa, author = {London South East}, title = {{Russian Hackers Suspected In Cyberattack On German Parliament}}, date = {2015-06-19}, organization = {London South East}, url = {http://www.lse.co.uk/AllNews.asp?code=kwdwehme&headline=Russian_Hackers_Suspected_In_Cyberattack_On_German_Parliament}, language = {English}, urldate = {2020-01-05} } @techreport{ebach:20170622:analysis:25ecd34, author = {Luca Ebach}, title = {{Analysis Results of Zeus.Variant.Panda}}, date = {2017-06-22}, institution = {G Data}, url = {https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf}, language = {English}, urldate = {2019-12-02} } 
@online{ebach:20200831:trickbot:c975ec5, author = {Luca Ebach}, title = {{Trickbot rdpscanDll – Transforming Candidate Credentials for Brute-Forcing RDP Servers}}, date = {2020-08-31}, organization = {cyber.wtf blog}, url = {https://cyber.wtf/2020/08/31/trickbot-rdpscandll-password-transof/}, language = {English}, urldate = {2020-08-31} } @online{eckels:20201109:wow64hooks:a0c0b3e, author = {Stephen Eckels}, title = {{WOW64!Hooks: WOW64 Subsystem Internals and Hooking Techniques}}, date = {2020-11-09}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/11/wow64-subsystem-internals-and-hooking-techniques.html}, language = {English}, urldate = {2020-11-11} } @online{eckels:20201224:sunburst:3fcb239, author = {Stephen Eckels and Jay Smith and William Ballenthin}, title = {{SUNBURST Additional Technical Details}}, date = {2020-12-24}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/12/sunburst-additional-technical-details.html}, language = {English}, urldate = {2020-12-26} } @online{eckman:20201007:ghostdnsbusters:9a32391, author = {Brian Eckman}, title = {{GhostDNSbusters (Part 2)}}, date = {2020-10-07}, organization = {Team Cymru}, url = {https://team-cymru.com/blog/2020/10/07/ghostdnsbusters-part-2/}, language = {English}, urldate = {2020-10-12} } @online{eclypsium:20201203:trickbot:7b5b0eb, author = {Eclypsium}, title = {{TrickBot Now Offers ‘TrickBoot’: Persist, Brick, Profit}}, date = {2020-12-03}, organization = {Eclypsium}, url = {https://eclypsium.com/2020/12/03/trickbot-now-offers-trickboot-persist-brick-profit/}, language = {English}, urldate = {2020-12-03} } @online{editor:20170118:flashback:4ac713f, author = {Editor}, title = {{Flashback Wednesday: Pakistani Brain}}, date = {2017-01-18}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/01/18/flashback-wednesday-pakistani-brain/}, language = {English}, urldate = {2019-11-14} } @online{editor:20171024:kiev:b706a68, 
author = {Editor}, title = {{Kiev metro hit with a new variant of the infamous Diskcoder ransomware}}, date = {2017-10-24}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/10/24/kiev-metro-hit-new-variant-infamous-diskcoder-ransomware/?utm_content=buffer8ffe4&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer}, language = {English}, urldate = {2019-11-14} } @online{edmondson:20190118:black:e66dcec, author = {Mark Edmondson}, title = {{BLACK ENERGY – Analysis}}, date = {2019-01-18}, url = {https://marcusedmondson.com/2019/01/18/black-energy-analysis/}, language = {English}, urldate = {2020-01-08} } @techreport{edwards:2011:survey:e95ca12, author = {Jeff Edwards and Jose Nazario}, title = {{A Survey of Contemporary Chinese DDoS Malware}}, date = {2011}, institution = {Virus Bulletin}, url = {https://www.virusbulletin.com/uploads/pdf/conference_slides/2011/Edwards-Nazario-VB2011.pdf}, language = {English}, urldate = {2020-01-06} } @techreport{edwards:20161016:hajime:e095dad, author = {Sam Edwards and Ioannis Profetis}, title = {{Hajime: Analysis of a decentralized internet worm for IoT devices}}, date = {2016-10-16}, institution = {RapidityNetworks}, url = {https://security.rapiditynetworks.com/publications/2016-10-16/hajime.pdf}, language = {English}, urldate = {2020-01-09} } @online{ehmke:20200820:webinar:cad7a98, author = {Kyle Ehmke}, title = {{[webinar] Proactive Infrastructure Hunting with ThreatConnect \& DomainTools}}, date = {2020-08-20}, organization = {ThreatConnect}, url = {https://threatconnect.com/resource/proactive-infrastructure-hunting-with-threatconnect-domaintools/}, language = {English}, urldate = {2020-09-06} } @online{eidgenossenschaft:20190812:trojaner:60574cc, author = {Schweizerische Eidgenossenschaft}, title = {{Trojaner Emotet greift Unternehmensnetzwerke an}}, date = {2019-08-12}, organization = {Schweizerische Eidgenossenschaft}, url = 
{https://www.melani.admin.ch/melani/de/home/dokumentation/newsletter/Trojaner_Emotet_greift_Unternehmensnetzwerke_an.html}, language = {German}, urldate = {2020-01-08} } @online{eisenkraft:20190619:check:0a79b2b, author = {Kobi Eisenkraft and Moshe Hayun}, title = {{Check Point’s Threat Emulation Stops Large-Scale Phishing Campaign in Germany}}, date = {2019-06-19}, organization = {Check Point}, url = {https://blog.checkpoint.com/2019/06/19/sandblast-agent-phishing-germany-campaign-security-hack-ransomware/}, language = {English}, urldate = {2020-01-08} } @online{elastic:20200630:detection:79c8fbe, author = {Elastic}, title = {{Detection Rules by Elastic}}, date = {2020-06-30}, organization = {Github (elastic)}, url = {https://github.com/elastic/detection-rules}, language = {English}, urldate = {2020-07-02} } @online{eldeeb:20190820:source:66124bb, author = {Sherif Eldeeb}, title = {{Source code: TinyMet}}, date = {2019-08-20}, organization = {Github (SherifEldeeb)}, url = {https://github.com/SherifEldeeb/TinyMet}, language = {English}, urldate = {2020-02-13} } @online{elder:20190625:ransomware:4b72d11, author = {Jeff Elder}, title = {{Ransomware strain Troldesh spikes again – Avast tracks new attacks}}, date = {2019-06-25}, organization = {Avast}, url = {https://blog.avast.com/ransomware-strain-troldesh-spikes}, language = {English}, urldate = {2020-01-09} } @online{elevenpaths:20180511:new:8c874e9, author = {ElevenPaths}, title = {{New report: Malware attacks Chilean banks and bypasses SmartScreen, by exploiting DLL Hijacking within popular software}}, date = {2018-05-11}, organization = {Think Big}, url = {http://blog.en.elevenpaths.com/2018/05/new-report-malware-attacks-chilean.html}, language = {English}, urldate = {2020-01-08} } @online{elshinbary:20200505:deep:f5661cb, author = {Abdallah Elshinbary}, title = {{Deep Analysis of Ryuk Ransomware}}, date = {2020-05-05}, organization = {N1ght-W0lf Blog}, url = 
{https://n1ght-w0lf.github.io/malware%20analysis/ryuk-ransomware/}, language = {English}, urldate = {2020-05-10} } @online{elshinbary:20200621:deep:1a39a3f, author = {Abdallah Elshinbary}, title = {{Deep Analysis of SmokeLoader}}, date = {2020-06-21}, organization = {N1ght-W0lf Blog}, url = {https://n1ght-w0lf.github.io/malware%20analysis/smokeloader/}, language = {English}, urldate = {2020-06-22} } @online{elshinbary:20200704:deep:bdfbd8a, author = {Abdallah Elshinbary}, title = {{Deep Analysis of Anubis Banking Malware}}, date = {2020-07-04}, organization = {N1ght-W0lf Blog}, url = {https://n1ght-w0lf.github.io/malware%20analysis/anubis-banking-malware/}, language = {English}, urldate = {2020-07-06} } @online{elshinbary:20200715:deep:9b38d20, author = {Abdallah Elshinbary}, title = {{Deep Analysis of QBot Banking Trojan}}, date = {2020-07-15}, organization = {N1ght-W0lf Blog}, url = {https://n1ght-w0lf.github.io/malware%20analysis/qbot-banking-trojan/}, language = {English}, urldate = {2020-07-16} } @techreport{elwell:20181001:attcking:3c6d888, author = {Regina Elwell and Katie Nickels}, title = {{ATT\&CKing FIN7}}, date = {2018-10-01}, institution = {FireEye}, url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf}, language = {English}, urldate = {2020-06-25} } @online{endo:20180803:volatility:4597ce0, author = {Takuya Endo and Yukako Uchida}, title = {{Volatility Plugin for Detecting Cobalt Strike Beacon}}, date = {2018-08-03}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html}, language = {English}, urldate = {2019-07-11} } @techreport{eng:2011:nitro:656e464, author = {Erica Eng and Gavin O'Gorman}, title = {{The Nitro Attacks: Stealing Secrets from the Chemical Industry}}, date = {2011}, institution = {Symantec}, url = 
{https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2011/the_nitro_attacks.pdf}, language = {English}, urldate = {2020-04-21} } @online{entdark:20170530:bankbot:4cb608c, author = {entdark}, title = {{Bankbot on Google Play}}, date = {2017-05-30}, organization = {Koodous}, url = {http://blog.koodous.com/2017/05/bankbot-on-google-play.html}, language = {English}, urldate = {2020-01-13} } @online{eremin:20190322:azorult:3080ee5, author = {Alexander Eremin}, title = {{AZORult++: Rewriting history}}, date = {2019-03-22}, organization = {Kaspersky Labs}, url = {https://securelist.com/azorult-analysis-history/89922/}, language = {English}, urldate = {2019-12-20} } @online{eremin:20200324:people:752ed0f, author = {Alexander Eremin}, title = {{People infected with coronavirus are all around you, says Ginp Trojan}}, date = {2020-03-24}, organization = {Kaspersky Labs}, url = {https://www.kaspersky.com/blog/ginp-trojan-coronavirus-finder/34338/}, language = {English}, urldate = {2020-03-26} } @online{eremin:20200623:oh:4e55504, author = {Alexander Eremin}, title = {{Oh, what a boot-iful mornin’ Rovnix bootkit back in business}}, date = {2020-06-23}, organization = {Kaspersky Labs}, url = {https://securelist.com/oh-what-a-boot-iful-mornin/97365}, language = {English}, urldate = {2020-06-23} } @online{erlich:20181025:game:af49ad1, author = {Chen Erlich and Yakov Goldberg}, title = {{Game of Trojans: Dissecting the #Khalesi Infostealer Malware}}, date = {2018-10-25}, organization = {enSilo}, url = {https://blog.ensilo.com/game-of-trojans-dissecting-khalesi-infostealer-malware}, language = {English}, urldate = {2020-01-06} } @online{erlich:20190716:avast:b3dec63, author = {Chen Erlich}, title = {{The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable}}, date = {2019-07-16}, organization = {enSilo}, url = {https://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767}, language = 
{English}, urldate = {2020-04-13} } @online{erquiaga:20190412:analysis:bb76a6f, author = {María José Erquiaga}, title = {{Analysis of an IRC based Botnet}}, date = {2019-04-12}, organization = {Stratosphere Lab}, url = {https://www.stratosphereips.org/blog/2019/4/12/analysis-of-a-irc-based-botnet}, language = {English}, urldate = {2020-01-10} } @online{eschweiler:20181025:cutwail:494e458, author = {Sebastian Eschweiler and Brett Stone-Gross and Bex Hartley}, title = {{Cutwail Spam Campaign Uses Steganography to Distribute URLZone}}, date = {2018-10-25}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/cutwail-spam-campaign-uses-steganography-to-distribute-urlzone/}, language = {English}, urldate = {2019-12-20} } @online{escinsecurity:20180129:weekly:2cd5b6e, author = {EscInSecurity}, title = {{Weekly TrickBot Analysis - End of w/c 22-Jan-2018 to 1000119}}, date = {2018-01-29}, organization = {EscInSecurity}, url = {https://escinsecurity.blogspot.de/2018/01/weekly-trickbot-analysis-end-of-wc-22.html}, language = {English}, urldate = {2020-01-09} } @online{eset:20090805:pc:16d1905, author = {Eset}, title = {{PC Users Threatened by Conficker Worm and new Internet-browser Modifier}}, date = {2009-08-05}, organization = {ESET Research}, url = {https://www.eset.com/int/about/newsroom/press-releases/announcements/press-threatsense-report-july-2009/}, language = {English}, urldate = {2020-03-19} } @online{eset:20170627:new:891fe4f, author = {Eset}, title = {{New WannaCryptor‑like ransomware attack hits globally: All you need to know}}, date = {2017-06-27}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/06/27/new-ransomware-attack-hits-ukraine/}, language = {English}, urldate = {2020-01-08} } @techreport{eset:201801:diplomats:89688b4, author = {Eset}, title = {{Diplomats in Eastern Europe bitten by a Turla mosquito}}, date = {2018-01}, institution = {ESET Research}, url = 
{https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf}, language = {English}, urldate = {2020-01-08} } @online{esparza:20091001:detecting:3586ef7, author = {Jose Miguel Esparza}, title = {{Detecting ZeuS}}, date = {2009-10-01}, organization = {Eternal Todo}, url = {http://eternal-todo.com/blog/detecting-zeus}, language = {English}, urldate = {2020-01-10} } @online{esparza:20091106:new:f49d94c, author = {Jose Miguel Esparza}, title = {{New ZeuS binary}}, date = {2009-11-06}, organization = {Eternal Todo}, url = {http://eternal-todo.com/blog/new-zeus-binary}, language = {English}, urldate = {2020-01-08} } @online{esparza:20100202:zeus:c1a8f1f, author = {Jose Miguel Esparza}, title = {{ZeuS spreading via Facebook}}, date = {2010-02-02}, organization = {EternalTODO Blog}, url = {http://eternal-todo.com/blog/zeus-spreading-facebook}, language = {English}, urldate = {2019-07-11} } @online{esparza:20130901:yet:d6bf0b6, author = {Jose Miguel Esparza}, title = {{Yet another Andromeda / Gamarue analysis}}, date = {2013-09-01}, organization = {Eternal Todo}, url = {https://eternal-todo.com/blog/yet-another-andromeda-gamarue-analysis}, language = {English}, urldate = {2020-01-10} } @online{esparza:20141005:dissecting:93f306b, author = {Jose Miguel Esparza}, title = {{Dissecting SmokeLoader (or Yulia's sweet ass proposition)}}, date = {2014-10-05}, organization = {Eternal Todo}, url = {https://eternal-todo.com/blog/smokeloader-analysis-yulia-photo}, language = {English}, urldate = {2020-01-13} } @online{esparza:20150417:andromedagamarue:2330f4e, author = {Jose Miguel Esparza}, title = {{Andromeda/Gamarue bot loves JSON too (new versions details)}}, date = {2015-04-17}, organization = {Eternal Todo}, url = {https://eternal-todo.com/blog/andromeda-gamarue-loves-json}, language = {English}, urldate = {2020-01-10} } @online{esparza:20191106:spanish:eaf5520, author = {Jose Miguel Esparza and Blueliv Team}, title = {{Spanish consultancy Everis suffers 
BitPaymer ransomware attack: a brief analysis}}, date = {2019-11-06}, organization = {Blueliv}, url = {https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/everis-bitpaymer-ransomware-attack-analysis-dridex/}, language = {English}, urldate = {2020-01-08} } @online{europol:20140710:global:63da679, author = {Europol}, title = {{Global Action Targeting Shylock Malware}}, date = {2014-07-10}, organization = {Europol}, url = {https://www.europol.europa.eu/newsroom/news/global-action-targeting-shylock-malware}, language = {English}, urldate = {2019-12-18} } @online{europol:20171204:andromeda:2024e4d, author = {Europol}, title = {{Andromeda botnet dismantled in international cyber operation}}, date = {2017-12-04}, organization = {Europol}, url = {https://www.europol.europa.eu/newsroom/news/andromeda-botnet-dismantled-in-international-cyber-operation}, language = {English}, urldate = {2020-01-09} } @online{europol:20181025:pay:d82bbfc, author = {Europol}, title = {{Pay No More: universal GandCrab decryption tool released for free on No More Ransom}}, date = {2018-10-25}, organization = {Europol}, url = {https://www.europol.europa.eu/newsroom/news/pay-no-more-universal-gandcrab-decryption-tool-released-for-free-no-more-ransom}, language = {English}, urldate = {2019-11-26} } @online{europol:20190516:goznym:37f6fa9, author = {Europol}, title = {{GOZNYM MALWARE: CYBERCRIMINAL NETWORK DISMANTLED IN INTERNATIONAL OPERATION}}, date = {2019-05-16}, organization = {Europol}, url = {https://www.europol.europa.eu/newsroom/news/goznym-malware-cybercriminal-network-dismantled-in-international-operation}, language = {English}, urldate = {2019-12-18} } @online{europol:20201217:spain:9b7a4ef, author = {Europol}, title = {{Spain dismantles top Russian-speaking organised crime network that had infiltrated public institutions}}, date = {2020-12-17}, organization = {Europol}, url = 
{https://www.europol.europa.eu/newsroom/news/spain-dismantles-top-russian-speaking-organised-crime-network-had-infiltrated-public-institutions}, language = {English}, urldate = {2020-12-18} } @online{evans:20190917:cryptocurrency:8f3a9e9, author = {Christopher Evans and David Liebenberg}, title = {{Cryptocurrency miners aren’t dead yet: Documenting the voracious but simple “Panda”}}, date = {2019-09-17}, organization = {Talos}, url = {https://blog.talosintelligence.com/2019/09/panda-evolution.html}, language = {English}, urldate = {2019-10-31} } @online{evans:20200711:injecting:3d78e32, author = {Peter Evans and Rodel Mendrez}, title = {{Injecting Magecart into Magento Global Config}}, date = {2020-07-11}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/injecting-magecart-into-magento-global-config/}, language = {English}, urldate = {2020-07-15} } @online{evild3ad:20110430:bkatrojaner:f7e6f23, author = {evild3ad}, title = {{BKA-Trojaner (Ransomware)}}, date = {2011-04-30}, organization = {evild3ad blog}, url = {https://www.evild3ad.com/405/bka-trojaner-ransomware/}, language = {English}, urldate = {2020-01-06} } @online{ewane:20170609:macspy:608f090, author = {Peter Ewane}, title = {{MacSpy: OS X Mac RAT as a Service}}, date = {2017-06-09}, organization = {AT&T}, url = {https://www.alienvault.com/blogs/labs-research/macspy-os-x-rat-as-a-service}, language = {English}, urldate = {2019-12-04} } @techreport{ewhitehats:20180809:kovter:3181581, author = {eWhitehats}, title = {{Kovter Uncovered: Malware Teardown}}, date = {2018-08-09}, institution = {Github (ewhitehats)}, url = {https://github.com/ewhitehats/kovterTools/blob/master/KovterWhitepaper.pdf}, language = {English}, urldate = {2020-01-09} } @online{eybisi:20190407:mobile:c60bdb5, author = {Eybisi}, title = {{Mobile Malware Analysis : Tricks used in Anubis}}, date = {2019-04-07}, organization = {Eybisi}, url = 
{https://eybisi.run/Mobile-Malware-Analysis-Tricks-used-in-Anubis/}, language = {English}, urldate = {2020-01-08} } @online{f0rb1dd3n:20190304:reptile:cc8715f, author = {f0rb1dd3n}, title = {{Reptile}}, date = {2019-03-04}, organization = {Github (f0rb1dd3n)}, url = {https://github.com/f0rb1dd3n/Reptile}, language = {English}, urldate = {2020-01-10} } @online{f:20160512:hancitor:9c250c0, author = {Axel F and Matthew Mesa}, title = {{Hancitor and Ruckguv Reappear, Updated and With Vawtrak On Deck}}, date = {2016-05-12}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear}, language = {English}, urldate = {2019-12-20} } @online{f:20160707:nettraveler:a613df3, author = {Axel F}, title = {{NetTraveler APT Targets Russian, European Interests}}, date = {2016-07-07}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/nettraveler-apt-targets-russian-european-interests}, language = {English}, urldate = {2019-12-20} } @online{f:20170427:targets:b3540fd, author = {Axel F}, title = {{APT Targets Financial Analysts with CVE-2017-0199}}, date = {2017-04-27}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/apt-targets-financial-analysts}, language = {English}, urldate = {2019-12-20} } @online{f:20171016:leviathan:a898346, author = {Axel F and Pierre T}, title = {{Leviathan: Espionage actor spearphishes maritime and defense targets}}, date = {2017-10-16}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets}, language = {English}, urldate = {2019-12-20} } @online{f:20190515:threat:06b415a, author = {Axel F and Proofpoint Threat Insight Team}, title = {{Threat Actor Profile: TA542, From Banker to Malware Distribution Service}}, date = {2019-05-15}, organization = {Proofpoint}, url = 
{https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta542-banker-malware-distribution-service}, language = {English}, urldate = {2019-12-20} } @online{f:20200318:coronavirus:8fe12a3, author = {Axel F and Sam Scholten}, title = {{Coronavirus Threat Landscape Update}}, date = {2020-03-18}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update}, language = {English}, urldate = {2020-03-26} } @online{f:20200828:comprehensive:df5ff9b, author = {Axel F and Proofpoint Threat Research Team}, title = {{A Comprehensive Look at Emotet’s Summer 2020 Return}}, date = {2020-08-28}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/comprehensive-look-emotets-summer-2020-return}, language = {English}, urldate = {2020-08-30} } @online{f:20201001:emotet:59780d9, author = {Axel F and Proofpoint Threat Research Team}, title = {{Emotet Makes Timely Adoption of Political and Elections Lures}}, date = {2020-10-01}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/emotet-makes-timely-adoption-political-and-elections-lures}, language = {English}, urldate = {2020-10-05} } @online{facebook:20130215:protecting:491c151, author = {Facebook}, title = {{Protecting People On Facebook}}, date = {2013-02-15}, organization = {Facebook}, url = {https://www.facebook.com/notes/facebook-security/protecting-people-on-facebook/10151249208250766}, language = {English}, urldate = {2020-01-13} } @techreport{facebook:20200901:august:b00a9e2, author = {Facebook}, title = {{August 2020 Coordinated Inauthentic Behavior Report}}, date = {2020-09-01}, institution = {Facebook}, url = {https://about.fb.com/wp-content/uploads/2020/09/August-2020-CIB-Report.pdf}, language = {English}, urldate = {2020-09-01} } @techreport{fagerland:2012:many:c938856, author = {Snorre Fagerland}, title = {{The many faces of Gh0st Rat}}, date = {2012}, institution = {Norman ASA}, 
url = {http://download01.norman.no/documents/ThemanyfacesofGh0stRat.pdf}, language = {English}, urldate = {2019-12-20} } @techreport{fagerland:20131211:chinese:b7bb523, author = {Snorre Fagerland}, title = {{The Chinese Malware Complexes: The Maudi Surveillance Operation}}, date = {2013-12-11}, institution = {Norman Shark}, url = {https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2012/NormanShark-MaudiOperation.pdf}, language = {English}, urldate = {2020-01-27} } @online{fagerland:20141209:blue:0d254a1, author = {Snorre Fagerland and Waylon Grange}, title = {{Blue Coat Exposes “The Inception Framework”; Very Sophisticated, Layered Malware Attack Targeted at Military, Diplomats, and Business Execs}}, date = {2014-12-09}, organization = {Blue Coat}, url = {https://web.archive.org/web/20160710180729/https://www.bluecoat.com/security-blog/2014-12-09/blue-coat-exposes-%E2%80%9C-inception-framework%E2%80%9D-very-sophisticated-layered-malware}, language = {English}, urldate = {2020-04-21} } @techreport{fagerland:20141209:inception:1966734, author = {Snorre Fagerland and Waylon Grange}, title = {{The Inception Framework: Cloud-hosted APT}}, date = {2014-12-09}, institution = {Blue Coat}, url = {https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/bcs_wp_InceptionReport_EN_v12914.pdf}, language = {English}, urldate = {2020-04-21} } @online{fagerland:201602:from:78bc745, author = {Snorre Fagerland}, title = {{From Seoul to Sony The History of the Darkseoul Group and the Sony Intrusion Malware Destover}}, date = {2016-02}, organization = {Blue Coat Systems Inc}, url = {https://app.box.com/s/xyyord0b806e6or2nh92coxw2areyyx4}, language = {English}, urldate = {2020-08-18} } @online{fakterman:20200903:no:7719da5, author = {Tom Fakterman}, title = {{No Rest for the Wicked: Evilnum Unleashes PyVil RAT}}, date = {2020-09-03}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/no-rest-for-the-wicked-evilnum-unleashes-pyvil-rat}, language = 
{English}, urldate = {2020-09-04} } @online{fakterman:20201119:cybereason:da3ab54, author = {Tom Fakterman and Assaf Dahan}, title = {{Cybereason vs. MedusaLocker Ransomware}}, date = {2020-11-19}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/medusalocker-ransomware}, language = {English}, urldate = {2020-11-23} } @online{falcone:20150518:cmstar:3d947f0, author = {Robert Falcone}, title = {{Cmstar Downloader: Lurid and Enfal’s New Cousin}}, date = {2015-05-18}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2015/05/cmstar-downloader-lurid-and-enfals-new-cousin/}, language = {English}, urldate = {2019-12-20} } @online{falcone:20150727:ups:ae69e4c, author = {Robert Falcone and Richard Wartell}, title = {{UPS: Observations on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload}}, date = {2015-07-27}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2015/07/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/}, language = {English}, urldate = {2019-12-20} } @online{falcone:20150923:chinese:4faf76a, author = {Robert Falcone and Jen Miller-Osborn}, title = {{Chinese Actors Use ‘3102’ Malware in Attacks on US Government and EU Media}}, date = {2015-09-23}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2015/09/chinese-actors-use-3102-malware-in-attacks-on-us-government-and-eu-media/}, language = {English}, urldate = {2019-12-20} } @online{falcone:20150923:chinese:7210cf9, author = {Robert Falcone and Jen Miller-Osborn}, title = {{Chinese Actors Use ‘3102’ Malware in Attacks on US Government and EU Media}}, date = {2015-09-23}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2015/09/chinese-actors-use-3102-malware-in-attacks-on-us-government-and-eu-media/}, language = {English}, urldate = {2019-12-20} } 
@online{falcone:20151218:attack:e1f82ab, author = {Robert Falcone and Jen Miller-Osborn}, title = {{Attack on French Diplomat Linked to Operation Lotus Blossom}}, date = {2015-12-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/attack-on-french-diplomat-linked-to-operation-lotus-blossom/}, language = {English}, urldate = {2020-01-06} } @online{falcone:20160124:scarlet:c5ef791, author = {Robert Falcone and Jen Miller-Osborn}, title = {{Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists}}, date = {2016-01-24}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/scarlet-mimic-years-long-espionage-targets-minority-activists/}, language = {English}, urldate = {2020-01-08} } @online{falcone:20160203:emissary:99f3e21, author = {Robert Falcone and Jen Miller-Osborn}, title = {{Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?}}, date = {2016-02-03}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2016/02/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/}, language = {English}, urldate = {2019-12-20} } @online{falcone:20160325:projectm:afcff3a, author = {Robert Falcone and Simon Conant}, title = {{ProjectM: Link Found Between Pakistani Actor and Operation Transparent Tribe}}, date = {2016-03-25}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe}, language = {English}, urldate = {2020-01-10} } @online{falcone:20160526:oilrig:89b6b4d, author = {Robert Falcone and Bryan Lee}, title = {{The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor}}, date = {2016-05-26}, organization = {Palo Alto Networks Unit 42}, url = 
{https://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/}, language = {English}, urldate = {2019-12-20} } @online{falcone:20160526:oilrig:99f488f, author = {Robert Falcone and Bryan Lee}, title = {{The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor}}, date = {2016-05-26}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/}, language = {English}, urldate = {2020-01-13} } @online{falcone:20160614:new:0c98099, author = {Robert Falcone and Bryan Lee}, title = {{New Sofacy Attacks Against US Government Agency}}, date = {2016-06-14}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-new-sofacy-attacks-against-us-government-agency/}, language = {English}, urldate = {2019-10-29} } @online{falcone:20160614:new:1ba80fd, author = {Robert Falcone and Bryan Lee}, title = {{New Sofacy Attacks Against US Government Agency}}, date = {2016-06-14}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2016/06/unit42-new-sofacy-attacks-against-us-government-agency/}, language = {English}, urldate = {2019-12-20} } @online{falcone:20160614:new:b51d1ab, author = {Robert Falcone and Bryan Lee}, title = {{New Sofacy Attacks Against US Government Agency}}, date = {2016-06-14}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2016/06/unit42-new-sofacy-attacks-against-us-government-agency/}, language = {English}, urldate = {2020-09-15} } @online{falcone:20160726:attack:2df4ff7, author = {Robert Falcone and Jen Miller-Osborn}, title = {{Attack Delivers ‘9002’ Trojan Through Google Drive}}, date = {2016-07-26}, organization = {Palo Alto Networks Unit 42}, url = 
{http://researchcenter.paloaltonetworks.com/2016/07/unit-42-attack-delivers-9002-trojan-through-google-drive/}, language = {English}, urldate = {2019-12-20} } @online{falcone:20161017:dealerschoice:14aaca9, author = {Robert Falcone and Bryan Lee}, title = {{‘DealersChoice’ is Sofacy’s Flash Player Exploit Platform}}, date = {2016-10-17}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platform/}, language = {English}, urldate = {2019-12-20} } @online{falcone:20161130:shamoon:6befcf1, author = {Robert Falcone}, title = {{Shamoon 2: Return of the Disttrack Wiper}}, date = {2016-11-30}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/?adbsc=social68389776&adbid=804134348374970368&adbpl=tw&adbpr=4487645412}, language = {English}, urldate = {2019-12-20} } @online{falcone:20161215:let:d1d1011, author = {Robert Falcone and Bryan Lee}, title = {{Let It Ride: The Sofacy Group’s DealersChoice Attacks Continue}}, date = {2016-12-15}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/}, language = {English}, urldate = {2020-01-07} } @online{falcone:20170109:second:2e36550, author = {Robert Falcone}, title = {{Second Wave of Shamoon 2 Attacks Identified}}, date = {2017-01-09}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-second-wave-shamoon-2-attacks-identified/}, language = {English}, urldate = {2020-01-07} } @online{falcone:20170214:xagentosx:33ef060, author = {Robert Falcone}, title = {{XAgentOSX: Sofacy’s XAgent macOS Tool}}, date = {2017-02-14}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xagent-macos-tool/}, language = {English}, urldate = 
{2019-12-20} } @online{falcone:20170326:shamoon:8a62f1a, author = {Robert Falcone and Bryan Lee}, title = {{Shamoon 2: Delivering Disttrack}}, date = {2017-03-26}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/03/unit42-shamoon-2-delivering-disttrack/}, language = {English}, urldate = {2019-12-20} } @online{falcone:20170427:oilrig:fd3e813, author = {Robert Falcone}, title = {{OilRig Actors Provide a Glimpse into Development and Testing Efforts}}, date = {2017-04-27}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/}, language = {English}, urldate = {2020-01-07} } @online{falcone:20170727:oilrig:36046ef, author = {Robert Falcone and Bryan Lee}, title = {{OilRig Uses ISMDoor Variant; Possibly Linked to Greenbug Threat Group}}, date = {2017-07-27}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/}, language = {English}, urldate = {2019-11-16} } @online{falcone:20170731:twoface:8fe5f2d, author = {Robert Falcone and Bryan Lee}, title = {{TwoFace Webshell: Persistent Access Point for Lateral Movement}}, date = {2017-07-31}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-twoface-webshell-persistent-access-point-lateral-movement/}, language = {English}, urldate = {2020-01-07} } @online{falcone:20170926:striking:45926d9, author = {Robert Falcone and Bryan Lee}, title = {{Striking Oil: A Closer Look at Adversary Infrastructure}}, date = {2017-09-26}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-striking-oil-closer-look-adversary-infrastructure/}, language = {English}, urldate = {2020-01-08} } @online{falcone:20170926:striking:f9aa319, author = {Robert Falcone and Bryan Lee}, title = {{Striking Oil: A Closer Look 
at Adversary Infrastructure}}, date = {2017-09-26}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/09/unit42-striking-oil-closer-look-adversary-infrastructure/}, language = {English}, urldate = {2019-12-20} } @online{falcone:20171009:oilrig:71ea256, author = {Robert Falcone and Bryan Lee}, title = {{OilRig Group Steps Up Attacks with New Delivery Documents and New Injector Trojan}}, date = {2017-10-09}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-oilrig-group-steps-attacks-new-delivery-documents-new-injector-trojan/}, language = {English}, urldate = {2019-10-14} } @online{falcone:20171108:oilrig:a8a3089, author = {Robert Falcone}, title = {{OilRig Deploys “ALMA Communicator” – DNS Tunneling Trojan}}, date = {2017-11-08}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/11/unit42-oilrig-deploys-alma-communicator-dns-tunneling-trojan/}, language = {English}, urldate = {2019-12-20} } @online{falcone:20171211:oilrig:8d7f26f, author = {Robert Falcone}, title = {{OilRig Performs Tests on the TwoFace Webshell}}, date = {2017-12-11}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-oilrig-performs-tests-twoface-webshell/}, language = {English}, urldate = {2020-01-10} } @online{falcone:20180125:oilrig:80920f0, author = {Robert Falcone}, title = {{OilRig uses RGDoor IIS Backdoor on Targets in the Middle East}}, date = {2018-01-25}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/}, language = {English}, urldate = {2020-01-08} } @online{falcone:20180125:oilrig:ac00139, author = {Robert Falcone}, title = {{OilRig uses RGDoor IIS Backdoor on Targets in the Middle East}}, date = {2018-01-25}, organization = {Palo Alto Networks Unit 42}, url = 
{https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/}, language = {English}, urldate = {2019-12-20} } @online{falcone:20180727:new:90cdd2c, author = {Robert Falcone and Bryan Lee and Tom Lancaster}, title = {{New Threat Actor Group DarkHydrus Targets Middle East Government}}, date = {2018-07-27}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/}, language = {English}, urldate = {2019-12-20} } @online{falcone:20180802:gorgon:06112b1, author = {Robert Falcone and David Fuertes and Josh Grunzweig and Kyle Wilhoit}, title = {{The Gorgon Group: Slithering Between Nation State and Cybercrime}}, date = {2018-08-02}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/}, language = {English}, urldate = {2019-12-20} } @online{falcone:20180802:gorgon:8a338cc, author = {Robert Falcone and David Fuertes and Josh Grunzweig and Kyle Wilhoit}, title = {{The Gorgon Group: Slithering Between Nation State and Cybercrime}}, date = {2018-08-02}, url = {https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/}, language = {English}, urldate = {2019-11-29} } @online{falcone:20180807:darkhydrus:d449ea2, author = {Robert Falcone}, title = {{DarkHydrus Uses Phishery to Harvest Credentials in the Middle East}}, date = {2018-08-07}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-darkhydrus-uses-phishery-harvest-credentials-middle-east/}, language = {English}, urldate = {2020-01-09} } @online{falcone:20181116:analyzing:037fccb, author = {Robert Falcone and Kyle Wilhoit}, title = {{Analyzing OilRig’s Ops Tempo from Testing to Weaponization to Delivery}}, date = {2018-11-16}, organization = {Palo Alto Networks Unit 42}, url 
= {https://unit42.paloaltonetworks.com/unit42-analyzing-oilrigs-ops-tempo-testing-weaponization-delivery/}, language = {English}, urldate = {2020-01-09} } @online{falcone:20181120:sofacy:b1ef88a, author = {Robert Falcone and Bryan Lee}, title = {{Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan}}, date = {2018-11-20}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/11/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/}, language = {English}, urldate = {2019-12-20} } @online{falcone:20181120:sofacy:bb4fd84, author = {Robert Falcone and Bryan Lee}, title = {{Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan}}, date = {2018-11-20}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/}, language = {English}, urldate = {2020-01-08} } @online{falcone:20181213:shamoon:1623fe7, author = {Robert Falcone}, title = {{Shamoon 3 Targets Oil and Gas Organization}}, date = {2018-12-13}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/}, language = {English}, urldate = {2020-01-10} } @online{falcone:20181218:sofacy:3573b82, author = {Robert Falcone}, title = {{Sofacy Creates New ‘Go’ Variant of Zebrocy Tool}}, date = {2018-12-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/sofacy-creates-new-go-variant-of-zebrocy-tool/}, language = {English}, urldate = {2020-01-07} } @online{falcone:20190108:darkhydrus:3996fa4, author = {Robert Falcone and Bryan Lee}, title = {{DarkHydrus delivers new Trojan that can use Google Drive for C2 communications}}, date = {2019-01-08}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications/}, language = {English}, urldate = 
{2020-01-07} } @online{falcone:20190304:new:5bf1cea, author = {Robert Falcone and Brittany Ash}, title = {{New Python-Based Payload MechaFlounder Used by Chafer}}, date = {2019-03-04}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/}, language = {English}, urldate = {2019-12-24} } @online{falcone:20190416:dns:fed953e, author = {Robert Falcone}, title = {{DNS Tunneling in the Wild: Overview of OilRig’s DNS Tunneling}}, date = {2019-04-16}, url = {https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/}, language = {English}, urldate = {2019-12-03} } @online{falcone:20190417:aggah:f17c88f, author = {Robert Falcone and Brittany Ash}, title = {{Aggah Campaign: Bit.ly, BlogSpot, and Pastebin Used for C2 in Large Scale Campaign}}, date = {2019-04-17}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/aggah-campaign-bit-ly-blogspot-and-pastebin-used-for-c2-in-large-scale-campaign/}, language = {English}, urldate = {2020-01-07} } @online{falcone:20190528:emissary:dc0f942, author = {Robert Falcone and Tom Lancaster}, title = {{Emissary Panda Attacks Middle East Government Sharepoint Servers}}, date = {2019-05-28}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/}, language = {English}, urldate = {2020-01-09} } @online{falcone:20190923:xhunt:7d50e81, author = {Robert Falcone and Brittany Barbehenn}, title = {{xHunt Campaign: Attacks on Kuwait Shipping and Transportation Organizations}}, date = {2019-09-23}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/xhunt-campaign-attacks-on-kuwait-shipping-and-transportation-organizations/}, language = {English}, urldate = {2020-11-09} } @online{falcone:20191010:xhunt:df8aa36, author = {Robert Falcone and Brittany 
Barbehenn}, title = {{xHunt Campaign: New PowerShell Backdoor Blocked Through DNS Tunnel Detection}}, date = {2019-10-10}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/more-xhunt-new-powershell-backdoor-blocked-through-dns-tunnel-detection/}, language = {English}, urldate = {2020-11-11} } @online{falcone:20191204:xhunt:9f95e2e, author = {Robert Falcone}, title = {{xHunt Campaign: xHunt Actor’s Cheat Sheet}}, date = {2019-12-04}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/xhunt-actors-cheat-sheet/}, language = {English}, urldate = {2020-11-09} } @online{falcone:20200127:xhunt:9d0527b, author = {Robert Falcone and Brittany Barbehenn}, title = {{xHunt Campaign: New Watering Hole Identified for Credential Harvesting}}, date = {2020-01-27}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/xhunt-campaign-new-watering-hole-identified-for-credential-harvesting/}, language = {English}, urldate = {2020-11-09} } @online{falcone:20200303:molerats:990b000, author = {Robert Falcone and Bryan Lee and Alex Hinchliffe}, title = {{Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations}}, date = {2020-03-03}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/}, language = {English}, urldate = {2020-03-03} } @online{falcone:20200722:oilrig:4c26a7f, author = {Robert Falcone}, title = {{OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory}}, date = {2020-07-22}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/}, language = {English}, urldate = {2020-07-23} } @online{falcone:20200904:thanos:b5eb551, author = {Robert Falcone}, title = {{Thanos Ransomware: Destructive Variant Targeting State-Run Organizations in the 
Middle East and North Africa}}, date = {2020-09-04}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/thanos-ransomware/}, language = {English}, urldate = {2020-09-06} } @online{falcone:20201109:xhunt:1d9f468, author = {Robert Falcone}, title = {{xHunt Campaign: Newly Discovered Backdoors Using Deleted Email Drafts and DNS Tunneling for Command and Control}}, date = {2020-11-09}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/xhunt-campaign-backdoors/}, language = {English}, urldate = {2020-11-09} } @techreport{falliere:2009:zeus:73559c2, author = {Nicolas Falliere and Eric Chien}, title = {{Zeus: King of the Bots}}, date = {2009}, institution = {Symantec}, url = {http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/zeus_king_of_bots.pdf}, language = {English}, urldate = {2020-01-07} } @techreport{falliere:201107:sality:85158ba, author = {Nicolas Falliere}, title = {{Sality: Story of a Peer-to-Peer Viral Network}}, date = {2011-07}, institution = {Symantec}, url = {https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/sality_peer_to_peer_viral_network.pdf}, language = {English}, urldate = {2019-11-28} } @techreport{falliere:2012:w32qakbot:974b5b5, author = {Nicolas Falliere}, title = {{W32.Qakbot in Detail}}, date = {2012}, institution = {Symantec}, url = {http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf}, language = {English}, urldate = {2019-11-28} } @techreport{faou:201702:read:03c3c9e, author = {Matthieu Faou and Jean-Ian Boutin}, title = {{Read The Manual: A Guide to the RTM Banking Trojan}}, date = {2017-02}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf}, language = {English}, urldate = {2019-11-25} } @online{faou:20180905:powerpool:5cde83e, author = {Matthieu Faou}, title = {{PowerPool 
malware exploits ALPC LPE zero‑day vulnerability}}, date = {2018-09-05}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/09/05/powerpool-malware-exploits-zero-day-vulnerability/}, language = {English}, urldate = {2019-11-14} } @online{faou:20190507:turla:0300283, author = {Matthieu Faou}, title = {{Turla LightNeuron: An email too far}}, date = {2019-05-07}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/05/07/turla-lightneuron-email-too-far/}, language = {English}, urldate = {2019-11-14} } @online{faou:20190529:dive:3afd32e, author = {Matthieu Faou and Romain Dumont}, title = {{A dive into Turla PowerShell usage}}, date = {2019-05-29}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/}, language = {English}, urldate = {2019-11-14} } @techreport{faou:201905:turla:5a8a05f, author = {Matthieu Faou}, title = {{TURLA LIGHTNEURON: One email away from remote code execution}}, date = {2019-05}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf}, language = {English}, urldate = {2020-01-08} } @techreport{faou:20191017:operation:b695c9b, author = {Matthieu Faou and Mathieu Tartare and Thomas Dupuy}, title = {{OPERATION GHOST The Dukes aren’t back — they never left}}, date = {2019-10-17}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf}, language = {English}, urldate = {2020-05-18} } @online{faou:20200312:tracking:913d16e, author = {Matthieu Faou}, title = {{Tracking Turla: New backdoor delivered via Armenian watering holes}}, date = {2020-03-12}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes/}, language = {English}, urldate = {2020-03-13} } @online{faou:20200526:from:804e2da, author = {Matthieu Faou}, title = {{From Agent.BTZ to ComRAT 
v4: A ten‑year journey}}, date = {2020-05-26}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/05/26/agentbtz-comratv4-ten-year-journey/}, language = {English}, urldate = {2020-05-27} } @techreport{faou:20200526:from:89e2854, author = {Matthieu Faou}, title = {{From Agent.BTZ to ComRAT v4: A ten‑year journey (White Paper)}}, date = {2020-05-26}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf}, language = {English}, urldate = {2020-05-27} } @online{faou:20200902:kryptocibule:9fb272b, author = {Matthieu Faou and Alexandre Côté Cyr}, title = {{KryptoCibule: The multitasking multicurrency cryptostealer}}, date = {2020-09-02}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/09/02/kryptocibule-multitasking-multicurrency-cryptostealer/}, language = {English}, urldate = {2020-09-03} } @techreport{faou:20200930:xdspy:3189c15, author = {Matthieu Faou and Francis Labelle}, title = {{XDSPY: STEALING GOVERNMENT SECRETS SINCE 2011}}, date = {2020-09-30}, institution = {Virus Bulletin}, url = {https://vblocalhost.com/uploads/VB2020-Faou-Labelle.pdf}, language = {English}, urldate = {2020-10-08} } @online{faou:20201001:xdspy:33a6429, author = {Matthieu Faou}, title = {{XDSpy Indicators of Compromise}}, date = {2020-10-01}, organization = {Github (eset)}, url = {https://github.com/eset/malware-ioc/tree/master/xdspy/}, language = {English}, urldate = {2020-10-08} } @online{faou:20201002:xdspy:c3724c7, author = {Matthieu Faou}, title = {{XDSpy: Stealing government secrets since 2011}}, date = {2020-10-02}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/10/02/xdspy-stealing-government-secrets-since-2011/}, language = {English}, urldate = {2020-10-05} } @online{faou:20201202:turla:7f8c935, author = {Matthieu Faou}, title = {{Turla Crutch: Keeping the “back door” open}}, date = {2020-12-02}, organization = {ESET Research}, url = 
{https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/}, language = {English}, urldate = {2020-12-08} } @online{faouzi:20150929:andromeda:06d70c0, author = {Ayoub Faouzi}, title = {{Andromeda Bot Analysis part 1}}, date = {2015-09-29}, organization = {InfoSec Institute}, url = {http://resources.infosecinstitute.com/andromeda-bot-analysis/}, language = {English}, urldate = {2020-01-13} } @online{faouzi:20150929:andromeda:543098f, author = {Ayoub Faouzi}, title = {{Andromeda Bot Analysis part 2}}, date = {2015-09-29}, organization = {InfoSec Institute}, url = {http://resources.infosecinstitute.com/andromeda-bot-analysis-part-two/}, language = {English}, urldate = {2020-01-07} } @online{faouzi:20151009:beta:fffb6be, author = {Ayoub Faouzi}, title = {{Beta Bot Analysis: Part 1}}, date = {2015-10-09}, organization = {InfoSec Institute}, url = {http://resources.infosecinstitute.com/beta-bot-analysis-part-1/#gref}, language = {English}, urldate = {2020-01-07} } @online{faria:20200701:threat:54ff8db, author = {John Faria}, title = {{Threat Bulletin: Cutting-off the Command-and-Control Infrastructure of CollectorGoomba}}, date = {2020-07-01}, organization = {VMRay}, url = {https://www.vmray.com/cyber-security-blog/cutting-off-command-and-control-infrastructure-collectorgoomba-threat-bulletin}, language = {English}, urldate = {2020-07-02} } @online{faria:20200701:threat:b9163dc, author = {John Faria}, title = {{Threat Bulletin: Cutting-off the Command-and-Control Infrastructure of CollectorGoomba}}, date = {2020-07-01}, organization = {VMRay}, url = {https://www.vmray.com/cyber-security-blog/cutting-off-command-and-control-infrastructure-collectorgoomba-threat-bulletin/}, language = {English}, urldate = {2020-07-02} } @online{farina:20190111:avemaria:a3fd77c, author = {Antonio Farina and Luca Mella and Antonio Pirozzi}, title = {{The “AVE\_MARIA” Malware}}, date = {2019-01-11}, organization = {Cybaze-Yoroi Z-Lab}, url = 
{https://blog.yoroi.company/research/the-ave_maria-malware/}, language = {English}, urldate = {2019-11-26} } @techreport{farinholt:20200126:dark:9c2f434, author = {Brown Farinholt and Mohammad Rezaeirad and Damon McCoy and Kirill Levchenko}, title = {{Dark Matter: Uncovering the DarkComet RAT Ecosystem}}, date = {2020-01-26}, institution = {}, url = {https://www.sysnet.ucsd.edu/sysnet/miscpapers/darkmatter-www20.pdf}, language = {English}, urldate = {2020-03-07} } @online{fbi:20181220:chinese:06e7a78, author = {FBI}, title = {{Chinese Hackers Indicted - Members of APT 10 Group Targeted Intellectual Property and Confidential Business Information}}, date = {2018-12-20}, organization = {FBI}, url = {https://www.fbi.gov/news/stories/chinese-hackers-indicted-122018}, language = {English}, urldate = {2019-11-28} } @online{fbi:20200325:fbi:f2ba305, author = {FBI}, title = {{FBI Flash CP-000111-MW: Kwampirs Malware Indicators of Compromise Employed in Ongoing Cyber Supply Chain Campaign Targeting Global Industries}}, date = {2020-03-25}, organization = {FBI}, url = {http://www.documentcloud.org/documents/6821581-FLASH-CP-000111-MW-Downgraded-Version.html}, language = {English}, urldate = {2020-04-07} } @techreport{fbi:20200728:indicators:7dada00, author = {FBI}, title = {{Indicators Associated with Netwalker Ransomware}}, date = {2020-07-28}, institution = {FBI}, url = {https://www.ic3.gov/media/news/2020/200929-2.pdf}, language = {English}, urldate = {2020-10-05} } @techreport{fbi:20200823:ac000129tt:39b2ab4, author = {FBI}, title = {{AC-000129-TT: Chinese Government-Mandated Tax Software Contains Malware, Enabling Backdoor Access}}, date = {2020-08-23}, institution = {FBI}, url = {https://www.ic3.gov/media/news/2020/200728.pdf}, language = {English}, urldate = {2020-08-27} } @techreport{fbi:20200824:ac000131mw:ad03507, author = {FBI}, title = {{AC-000131-MW: Tactics, Techniques, and Procedures Associated with Malware within Chinese Government-Mandated Tax Software}}, 
date = {2020-08-24}, institution = {FBI}, url = {https://www.ic3.gov/Media/News/2020/201103-1.pdf}, language = {English}, urldate = {2020-11-09} } @techreport{fbi:20200910:fbi:596f87c, author = {{FBI} and {National Cyber Investigative Joint Task Force (NCIJTF)}}, title = {{FBI PIN NUMBER 20200910-001: Cyber Actors Conduct Credential Stuffing Attacks Against US Financial Sector}}, date = {2020-09-10}, institution = {FBI}, url = {https://www.ic3.gov/media/news/2020/200929-1.pdf}, language = {English}, urldate = {2020-10-05} } @techreport{fbi:20200916:fbi:76fd945, author = {FBI}, title = {{FBI Flash AC-000133-TT: Indictment of China-Based Cyber Actors Associated with APT 41 for Intrusion Activities}}, date = {2020-09-16}, institution = {FBI}, url = {https://assets.documentcloud.org/documents/7210602/FLASH-AC-000133-TT-Published.pdf}, language = {English}, urldate = {2020-09-18} } @techreport{fbi:20200917:fbi:144c69c, author = {FBI}, title = {{FBI FLASH ME-000134-MW: Indicators of Compromise Associated with Rana Intelligence Computing, also known as APT39, Chafer, Cadelspy, Remexi, and ITG07}}, date = {2020-09-17}, institution = {FBI}, url = {https://www.ic3.gov/media/news/2020/200917-2.pdf}, language = {English}, urldate = {2020-09-23} } @techreport{fbi:20200917:fbi:9893ba0, author = {FBI}, title = {{FBI PIN Number 20200917-001: IRGC-Associated Cyber Operations Against US Company Networks}}, date = {2020-09-17}, institution = {FBI}, url = {https://www.ic3.gov/media/news/2020/200917-1.pdf}, language = {English}, urldate = {2020-09-23} } @online{fbi:20200922:alert:61bd784, author = {FBI}, title = {{Alert Number I-092220-PSA: Foreign Actors and Cybercriminals Likely to Spread Disinformation Regarding 2020 Election Results}}, date = {2020-09-22}, organization = {FBI}, url = {https://www.ic3.gov/media/2020/200922.aspx}, language = {English}, urldate = {2020-09-25} } @online{fbi:20200924:alert:7ae81a3, author = {FBI}, title = {{Alert Number I-092420-PSA: Cyber Threats to Voting 
Processes Could Slow But Not Prevent Voting}}, date = {2020-09-24}, organization = {FBI}, url = {https://www.ic3.gov/media/2020/200924.aspx}, language = {English}, urldate = {2020-09-25} } @online{fbi:20200928:alert:62dc80c, author = {FBI}, title = {{Alert Number I-092820-PSA: False Claims of Hacked Voter Information Likely Intended to Cast Doubt on Legitimacy of U.S. Elections}}, date = {2020-09-28}, organization = {FBI}, url = {https://www.ic3.gov/media/2020/200928.aspx}, language = {English}, urldate = {2020-10-05} } @online{fbi:20200930:alert:cc6c032, author = {FBI}, title = {{Alert Number I-093020-PSA: Distributed Denial of Service Attacks Could Hinder Access to Voting Information, Would Not Prevent Voting}}, date = {2020-09-30}, organization = {FBI}, url = {https://www.ic3.gov/media/2020/200930.aspx}, language = {English}, urldate = {2020-10-05} } @online{fbi:20201001:alert:f641a9f, author = {FBI}, title = {{Alert Number I-100120-PSA: Foreign Actors Likely to Use Online Journals to Spread Disinformation Regarding 2020 Elections}}, date = {2020-10-01}, organization = {FBI}, url = {https://www.ic3.gov/media/2020/201001.aspx}, language = {English}, urldate = {2020-10-05} } @online{fbi:20201002:alert:ad3b2e0, author = {FBI}, title = {{Alert Number I-100220-PSA: Spoofed Internet Domains and Email Accounts Pose Cyber and Disinformation Risks to Voters}}, date = {2020-10-02}, organization = {FBI}, url = {https://www.ic3.gov/media/2020/201002.aspx}, language = {English}, urldate = {2020-10-05} } @techreport{fbi:20201014:cp000135dm:13d0f65, author = {FBI}, title = {{CP-000135-DM: Unattributed Entities Register Domains Spoofing the US Census Bureau’s Websites, Likely for Malicious Use}}, date = {2020-10-14}, institution = {FBI}, url = {https://www.ic3.gov/Media/News/2020/201106.pdf}, language = {English}, urldate = {2020-11-09} } @techreport{fbi:20201014:fbi:1a924aa, author = {FBI}, title = {{FBI FLASH MU-000136-MW: Cyber Actors Target Misconfigured SonarQube Instances 
to Access Proprietary Source Code of US Government Agencies and Businesses}}, date = {2020-10-14}, institution = {FBI}, url = {https://www.ic3.gov/Media/News/2020/201103-3.pdf}, language = {English}, urldate = {2020-11-09} } @online{fbi:20201019:gru:8a34c71, author = {FBI}, title = {{GRU HACKERS' DESTRUCTIVE MALWARE AND INTERNATIONAL CYBER ATTACKS}}, date = {2020-10-19}, organization = {FBI}, url = {https://www.fbi.gov/wanted/cyber/gru-hackers-destructive-malware-and-international-cyber-attacks}, language = {English}, urldate = {2020-10-19} } @techreport{fbi:20201029:alert:6b115f0, author = {FBI}, title = {{Alert Number ME-000138-TT: Indicators of Compromise Pertaining to Iranian Interference in the 2020 US Presidential Election}}, date = {2020-10-29}, institution = {FBI}, url = {https://ic3.gov/Media/News/2020/201030.pdf}, language = {English}, urldate = {2020-11-02} } @techreport{fbi:20201119:mu000140mw:680c1f8, author = {FBI}, title = {{MU-000140-MW: Indicators of Compromise Associated with Ragnar Locker Ransomware}}, date = {2020-11-19}, institution = {FBI}, url = {https://www.waterisac.org/system/files/articles/FLASH-MU-000140-MW.pdf}, language = {English}, urldate = {2020-11-23} } @online{fbi:20201123:alert:b813e71, author = {FBI}, title = {{Alert Number I-112320-PSA: Spoofed FBI Internet Domains Pose Cyber and Disinformation Risks}}, date = {2020-11-23}, organization = {FBI}, url = {https://www.ic3.gov/Media/Y2020/PSA201123}, language = {English}, urldate = {2020-11-25} } @techreport{fbi:20201210:pin:8657b3e, author = {FBI}, title = {{PIN Number 20201210-001: DoppelPaymer Ransomware Attacks on Critical Infrastructure Impact Critical Services}}, date = {2020-12-10}, institution = {FBI}, url = {https://www.ic3.gov/Media/News/2020/201215-1.pdf}, language = {English}, urldate = {2020-12-19} } @online{fbi:20201222:pin:ea37578, author = {FBI}, title = {{PIN Number 20201222-001: Advanced Persistent Threat Actors Leverage SolarWinds Vulnerabilities}}, date = 
{2020-12-22}, organization = {FBI}, url = {https://drive.google.com/file/d/1R79Q1oC18GmKK8FYBoYEt0vYF7SpsvQI/view}, language = {English}, urldate = {2020-12-26} } @online{fbi:20201223:iranian:e252f2e, author = {FBI}, title = {{Iranian Cyber Actors Responsible for Website Threatening U.S. Election Officials}}, date = {2020-12-23}, organization = {FBI}, url = {https://www.fbi.gov/news/pressrel/press-releases/iranian-cyber-actors-responsible-for-website-threatening-us-election-officials}, language = {English}, urldate = {2020-12-26} } @techreport{fbi:20210106:pin:66d55ca, author = {FBI}, title = {{PIN Number 20210106-001: Egregor Ransomware Targets Businesses Worldwide, Attempting to Extort Businesses by Publicly Releasing Exfiltrated Data}}, date = {2021-01-06}, institution = {FBI}, url = {https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf}, language = {English}, urldate = {2021-01-11} } @online{feeley:20190215:sinful:729f693, author = {Brendon Feeley and Bex Hartley}, title = {{“Sin”-ful SPIDERS: WIZARD SPIDER and LUNAR SPIDER Sharing the Same Web}}, date = {2019-02-15}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/}, language = {English}, urldate = {2019-12-20} } @online{feeley:20190306:pinchy:f5060bd, author = {Brendon Feeley and Bex Hartley and Sergei Frankoff}, title = {{PINCHY SPIDER Affiliates Adopt “Big Game Hunting” Tactics to Distribute GandCrab Ransomware}}, date = {2019-03-06}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/}, language = {English}, urldate = {2019-12-20} } @online{feeley:20190320:new:07bf05b, author = {Brendon Feeley and Brett Stone-Gross}, title = {{New Evidence Proves Ongoing WIZARD SPIDER / LUNAR SPIDER Collaboration}}, date = {2019-03-20}, organization = {CrowdStrike}, url = 
{https://www.crowdstrike.com/blog/wizard-spider-lunar-spider-shared-proxy-module/}, language = {English}, urldate = {2019-12-20} } @online{fernandez:20190823:ransomware:dffa5db, author = {Manny Fernandez and David E. Sanger and Marina Trahan Martinez}, title = {{Ransomware Attacks Are Testing Resolve of Cities Across America}}, date = {2019-08-23}, organization = {The New York Times}, url = {https://www.nytimes.com/2019/08/22/us/ransomware-attacks-hacking.html}, language = {English}, urldate = {2020-01-13} } @online{fernndez:20201013:tracing:14bb6fa, author = {Gerardo Fernández and Vicente Diaz}, title = {{Tracing fresh Ryuk campaigns itw}}, date = {2020-10-13}, organization = {VirusTotal}, url = {https://blog.virustotal.com/2020/10/tracing-fresh-ryuk-campaigns-itw.html}, language = {English}, urldate = {2020-10-23} } @online{ferrell:20200618:hiding:c2db03f, author = {John Ferrell}, title = {{Hiding In Plain Sight}}, date = {2020-06-18}, organization = {Medium Huntress Labs}, url = {https://blog.huntresslabs.com/hiding-in-plain-sight-556469e0a4e}, language = {English}, urldate = {2020-06-19} } @online{figueroa:20201022:inside:228798e, author = {Marco Figueroa}, title = {{An Inside Look at How Ryuk Evolved Its Encryption and Evasion Techniques}}, date = {2020-10-22}, organization = {Sentinel LABS}, url = {https://labs.sentinelone.com/an-inside-look-at-how-ryuk-evolved-its-encryption-and-evasion-techniques/}, language = {English}, urldate = {2020-10-26} } @online{figueroa:20201223:solarwinds:ff463f0, author = {Marco Figueroa and James Haughom and Jim Walter}, title = {{SolarWinds | Understanding & Detecting the SUPERNOVA Webshell Trojan}}, date = {2020-12-23}, organization = {Sentinel LABS}, url = {https://labs.sentinelone.com/solarwinds-understanding-detecting-the-supernova-webshell-trojan/}, language = {English}, urldate = {2020-12-26} } @online{figueroa:20210104:building:37407a6, author = {Marco Figueroa}, title = {{Building a Custom Malware Analysis Lab 
Environment}}, date = {2021-01-04}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/building-a-custom-malware-analysis-lab-environment/}, language = {English}, urldate = {2021-01-13} } @online{finkle:20130219:exclusive:fc04bd6, author = {Jim Finkle and Joseph Menn}, title = {{Exclusive: Apple, Macs hit by hackers who targeted Facebook}}, date = {2013-02-19}, organization = {Reuters}, url = {https://www.reuters.com/article/us-apple-hackers/exclusive-apple-macs-hit-by-hackers-who-targeted-facebook-idUSBRE91I10920130219}, language = {English}, urldate = {2020-01-09} } @online{finkle:20170105:taiwan:1c7585c, author = {Jim Finkle and J.R. Wu}, title = {{Taiwan ATM heist linked to European hacking spree: security firm}}, date = {2017-01-05}, organization = {Reuters}, url = {https://www.reuters.com/article/us-taiwan-cyber-atms/taiwan-atm-heist-linked-to-european-hacking-spree-security-firm-idUSKBN14P0CX}, language = {English}, urldate = {2020-01-07} } @techreport{fireeye:20130219:apt1:8d8a51a, author = {FireEye}, title = {{APT1: Exposing One of China’s Cyber Espionage Units}}, date = {2013-02-19}, institution = {FireEye}, url = {https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf}, language = {English}, urldate = {2020-01-06} } @techreport{fireeye:2014:apt28:27799d1, author = {FireEye}, title = {{APT28}}, date = {2014}, institution = {FireEye}, url = {http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf}, language = {English}, urldate = {2020-01-08} } @techreport{fireeye:2014:apt28:277f9ab, author = {FireEye}, title = {{APT28: A Window into Russia's Cyber Espionage Operations?}}, date = {2014}, institution = {FireEye}, url = {https://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf}, language = {English}, urldate = {2019-12-04} } @techreport{fireeye:2014:operation:2160679, author = {FireEye}, title = {{Operation Quantum Entanglement}}, date = {2014}, institution = {FireEye}, url = 
{http://csecybsec.com/download/zlab/20180713_CSE_APT28_X-Agent_Op-Roman%20Holiday-Report_v6_1.pdf}, language = {English}, urldate = {2020-01-12} } @techreport{fireeye:201504:apt30:0129bf7, author = {FireEye}, title = {{APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION}}, date = {2015-04}, institution = {FireEye}, url = {https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf}, language = {English}, urldate = {2020-01-07} } @techreport{fireeye:201505:hiding:8695fc2, author = {FireEye}, title = {{HIDING IN PLAIN SIGHT: FIREEYE AND MICROSOFT EXPOSE OBFUSCATION TACTIC}}, date = {2015-05}, institution = {FireEye}, url = {https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf}, language = {English}, urldate = {2019-12-19} } @techreport{fireeye:20150908:two:c836c9a, author = {FireEye}, title = {{Two for One: Microsoft Office Encapsulated PostScript and Windows Privilege Escalation Zero-Days}}, date = {2015-09-08}, institution = {FireEye}, url = {https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/twoforonefinal.pdf}, language = {English}, urldate = {2020-01-20} } @techreport{fireeye:201511:pinpointing:03765ec, author = {FireEye}, title = {{PINPOINTING TARGETS: Exploiting Web Analytics to Ensnare Victims}}, date = {2015-11}, institution = {FireEye}, url = {https://www2.fireeye.com/rs/848-DID-242/images/rpt-witchcoven.pdf}, language = {English}, urldate = {2020-01-08} } @techreport{fireeye:20160308:southeast:cc3c8de, author = {FireEye}, title = {{SOUTHEAST ASIA: AN EVOLVING CYBER THREAT LANDSCAPE}}, date = {2016-03-08}, institution = {FireEye}, url = {https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-southeast-asia-threat-landscape.pdf}, language = {English}, urldate = {2020-01-06} } @techreport{fireeye:20160426:apt31:ecc41bd, author = {FireEye}, title = {{APT31 Threat Group Profile}}, date = {2016-04-26}, institution = {FireEye}, url = 
{https://github.com/GuardaCyber/APT-Groups-and-Operations/blob/master/Reports/FireEye%20Intel%20-%20APT31%20Threat%20Group%20Profile.pdf}, language = {English}, urldate = {2019-10-13} } @techreport{fireeye:201604:follow:5df2e81, author = {FireEye}, title = {{Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6}}, date = {2016-04}, institution = {FireEye}, url = {https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf}, language = {English}, urldate = {2020-04-23} } @online{fireeye:20160608:spear:0d7a2c9, author = {FireEye}, title = {{Spear Phishing Attacks: Why They are Successful and How to Stop Them}}, date = {2016-06-08}, organization = {FireEye}, url = {https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html}, language = {English}, urldate = {2020-01-09} } @online{fireeye:20170314:mtrend:0ea7d30, author = {FireEye}, title = {{M-Trend 2017: A View From the Front Lines}}, date = {2017-03-14}, organization = {FireEye}, url = {https://content.fireeye.com/m-trends/rpt-m-trends-2017}, language = {English}, urldate = {2020-06-03} } @techreport{fireeye:20170616:fin10:aa62677, author = {FireEye}, title = {{FIN10: Anatomy of a Cyber Extortion Operation}}, date = {2017-06-16}, institution = {FireEye}, url = {https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin10.pdf}, language = {English}, urldate = {2020-01-08} } @online{fireeye:20171201:advanced:da42c60, author = {FireEye}, title = {{Advanced Persistent Threat Groups}}, date = {2017-12-01}, organization = {FireEye}, url = {https://www.fireeye.com/current-threats/apt-groups.html}, language = {English}, urldate = {2020-01-07} } @online{fireeye:20180203:attacks:c65eb33, author = {FireEye}, title = {{Attacks Leveraging Adobe Zero-Day (CVE-2018-4878) – Threat Attribution, Attack Scenario and Recommendations}}, date = {2018-02-03}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2018/02/attacks-leveraging-adobe-zero-day.html}, language = {English}, 
urldate = {2020-04-06} } @online{fireeye:20180220:apt37:2ca8466, author = {FireEye}, title = {{APT37 (Reaper): The Overlooked North Korean Actor}}, date = {2018-02-20}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2018/02/apt37-overlooked-north-korean-actor.html}, language = {English}, urldate = {2019-12-20} } @techreport{fireeye:20180220:apt37:bc54ada, author = {FireEye}, title = {{APT37 (REAPER) The Overlooked North Korean Actor}}, date = {2018-02-20}, institution = {FireEye}, url = {https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf}, language = {English}, urldate = {2019-12-20} } @online{fireeye:20180316:suspected:2a77316, author = {FireEye}, title = {{Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries}}, date = {2018-03-16}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html}, language = {English}, urldate = {2019-12-20} } @online{fireeye:2018:apt38:20161b7, author = {FireEye}, title = {{APT38}}, date = {2018}, organization = {FireEye}, url = {https://content.fireeye.com/apt/rpt-apt38}, language = {English}, urldate = {2020-01-13} } @techreport{fireeye:2018:apt38:c81b87d, author = {FireEye}, title = {{APT38}}, date = {2018}, institution = {FireEye}, url = {https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/pf/apt/rpt-apt38-2018.pdf}, language = {English}, urldate = {2020-01-07} } @techreport{fireeye:2018:forrester:ae307d3, author = {FireEye}, title = {{The Forrester New Wave™: External Threat Intelligence Services, Q3 2018.}}, date = {2018}, institution = {FireEye}, url = {http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf}, language = {English}, urldate = {2020-01-08} } @techreport{fireeye:2018:mtrends2018:f07ca60, author = {FireEye}, title = {{M-TRENDS2018}}, date = {2018}, institution = {FireEye}, url = 
{https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf}, language = {English}, urldate = {2020-01-08} } @online{fireeye:20190411:mtrend:597b240, author = {FireEye}, title = {{M-Trend 2019}}, date = {2019-04-11}, organization = {FireEye}, url = {https://content.fireeye.com/m-trends/rpt-m-trends-2019}, language = {English}, urldate = {2020-01-10} } @online{fireeye:20190809:double:40f736e, author = {FireEye}, title = {{Double Dragon APT41, a dual espionage and cyber crime operation}}, date = {2019-08-09}, organization = {FireEye}, url = {https://content.fireeye.com/apt-41/rpt-apt41/}, language = {English}, urldate = {2019-12-18} } @online{fireeye:20190904:apt41:43d6dab, author = {FireEye}, title = {{APT41: Double Dragon APT41, a dual espionage and cyber crime operation}}, date = {2019-09-04}, organization = {FireEye}, url = {https://content.fireeye.com/apt-41/rpt-apt41}, language = {English}, urldate = {2020-01-13} } @online{fireeye:20190904:apt41:b5d6780, author = {FireEye}, title = {{APT41: Double Dragon APT41, a dual espionage and cyber crime operation}}, date = {2019-09-04}, organization = {FireEye}, url = {https://content.fireeye.com/api/pdfproxy?id=86840}, language = {English}, urldate = {2020-01-13} } @techreport{fireeye:20190906:ransomware:fb16cd8, author = {FireEye and Mandiant}, title = {{Ransomware Protection and Containment Strategies: Practical Guidance for Endpoint Protection, Hardening and Containment}}, date = {2019-09-06}, institution = {FireEye}, url = {https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/wp-ransomware-protection-and-containment-strategies.pdf}, language = {English}, urldate = {2020-11-02} } @online{fireeye:20200117:state:c000016, author = {FireEye}, title = {{State of the Hack: Spotlight Iran - from Cain & Abel to full SANDSPY}}, date = {2020-01-17}, organization = {FireEye}, url = {https://youtu.be/pBDu8EGWRC4?t=2492}, language = {English}, urldate = {2020-09-18} } 
@online{fireeye:20200219:mtrends:193613a, author = {FireEye}, title = {{M-Trends 2020}}, date = {2020-02-19}, organization = {FireEye}, url = {https://content.fireeye.com/m-trends/rpt-m-trends-2020}, language = {English}, urldate = {2020-02-20} } @online{fireeye:20201208:unauthorized:c480412, author = {FireEye}, title = {{Unauthorized Access of FireEye Red Team Tools}}, date = {2020-12-08}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html}, language = {English}, urldate = {2020-12-15} } @online{fireeye:20201209:fireeye:36cafd8, author = {FireEye}, title = {{Fireeye RED TEAM tool countermeasures}}, date = {2020-12-09}, organization = {Github (fireeye)}, url = {https://github.com/fireeye/red_team_tool_countermeasures}, language = {English}, urldate = {2020-12-14} } @online{fireeye:20201213:sunburst:04e594f, author = {FireEye}, title = {{SUNBURST Countermeasures}}, date = {2020-12-13}, organization = {Github (fireeye)}, url = {https://github.com/fireeye/sunburst_countermeasures}, language = {English}, urldate = {2020-12-19} } @online{fireeye:20201216:sunburst:310ef08, author = {FireEye}, title = {{Tweet on SUNBURST from FireEye detailing some additional information}}, date = {2020-12-16}, organization = {Twitter (@FireEye)}, url = {https://twitter.com/FireEye/status/1339295983583244302}, language = {English}, urldate = {2020-12-17} } @online{firsh:20180503:whos:19ffd6f, author = {Alexey Firsh}, title = {{Who’s who in the Zoo}}, date = {2018-05-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/whos-who-in-the-zoo/85394/}, language = {English}, urldate = {2020-05-18} } @online{firsh:20180503:whos:79a3074, author = {Alexey Firsh}, title = {{Who’s who in the Zoo}}, date = {2018-05-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/whos-who-in-the-zoo/85394}, language = {English}, urldate = {2019-12-20} } @techreport{firsh:20180503:whos:b1957dc, author 
= {Alexey Firsh}, title = {{WHO’S WHO IN THE ZOO. CYBERESPIONAGE OPERATION TARGETS ANDROID USERS IN THE MIDDLE EAST.}}, date = {2018-05-03}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/03114450/ZooPark_for_public_final_edit.pdf}, language = {English}, urldate = {2020-01-09} } @online{firsh:20180829:busygasper:bf544dd, author = {Alexey Firsh}, title = {{BusyGasper – the unfriendly spy}}, date = {2018-08-29}, organization = {Kaspersky Labs}, url = {https://securelist.com/busygasper-the-unfriendly-spy/87627/}, language = {English}, urldate = {2019-12-20} } @online{firsh:20200326:ios:9898c0f, author = {Alexey Firsh and Kurt Baumgartner and Brian Bartholomew}, title = {{iOS exploit chain deploys LightSpy feature-rich malware}}, date = {2020-03-26}, organization = {Kaspersky Labs}, url = {https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/}, language = {English}, urldate = {2020-03-27} } @online{firsh:20200428:hiding:97cbb7b, author = {Alexey Firsh and Lev Pikman}, title = {{Hiding in plain sight: PhantomLance walks into a market}}, date = {2020-04-28}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-phantomlance/96772/}, language = {English}, urldate = {2020-05-05} } @online{fiser:20201218:teamtnt:3d5abe1, author = {David Fiser}, title = {{TeamTNT Now Deploying DDoS-Capable IRC Bot TNTbotinger}}, date = {2020-12-18}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html}, language = {English}, urldate = {2020-12-23} } @online{fishbein:20200728:watch:cf3e499, author = {Nicole Fishbein and Michael Kajiloti}, title = {{Watch Your Containers: Doki Infecting Docker Servers in the Cloud}}, date = {2020-07-28}, organization = {Intezer}, url = {https://www.intezer.com/container-security/watch-your-containers-doki-infecting-docker-servers-in-the-cloud/}, language = {English}, urldate 
= {2020-07-30} } @online{fishbein:20200908:attackers:46e4aab, author = {Nicole Fishbein}, title = {{Attackers Abusing Legitimate Cloud Monitoring Tools to Conduct Cyber Attacks}}, date = {2020-09-08}, organization = {Intezer}, url = {https://www.intezer.com/blog/cloud-workload-protection/attackers-abusing-legitimate-cloud-monitoring-tools-to-conduct-cyber-attacks/}, language = {English}, urldate = {2020-09-15} } @online{fishbein:20201001:storm:5dbbfae, author = {Nicole Fishbein and Avigayil Mechtinger}, title = {{A Storm is Brewing: IPStorm Now Has Linux Malware}}, date = {2020-10-01}, organization = {Intezer}, url = {https://www.intezer.com/blog/research/a-storm-is-brewing-ipstorm-now-has-linux-malware/}, language = {English}, urldate = {2020-10-05} } @online{fisher:20130320:researchers:dcff6dc, author = {Dennis Fisher}, title = {{Researchers Uncover ‘TeamSpy’ Attack Campaign Against Government, Research Targets}}, date = {2013-03-20}, url = {https://threatpost.com/researchers-uncover-teamspy-attack-campaign-targeting-government-research-targets-032013/77646/}, language = {English}, urldate = {2019-11-20} } @online{fisher:20190212:groups:6605dcc, author = {Dennis Fisher}, title = {{APT Groups Moving Down the Supply Chain}}, date = {2019-02-12}, organization = {Duo}, url = {https://duo.com/decipher/apt-groups-moving-down-the-supply-chain}, language = {English}, urldate = {2019-11-26} } @online{fisher:20201016:trickbot:be18c46, author = {Dennis Fisher}, title = {{Trickbot Up to Its Old Tricks}}, date = {2020-10-16}, organization = {Duo}, url = {https://duo.com/decipher/trickbot-up-to-its-old-tricks}, language = {English}, urldate = {2020-10-23} } @techreport{fitzgibbon:20090401:confickerc:bb043d2, author = {Niall Fitzgibbon and Mike Wood}, title = {{Conficker.C A Technical Analysis}}, date = {2009-04-01}, institution = {Sophos Labs}, url = {https://www.sophos.com/fr-fr/medialibrary/PDFs/marketing%20material/confickeranalysis.pdf}, language = {English}, urldate = 
{2019-12-17} } @online{flade:20200505:brenjagd:96d209e, author = {Florian Flade and Georg Mascolo}, title = {{Bärenjagd}}, date = {2020-05-05}, organization = {Süddeutsche Zeitung}, url = {https://www.sueddeutsche.de/politik/hack-bundestag-angriff-russland-1.4891668}, language = {German}, urldate = {2020-05-05} } @online{flashpoint:20151207:flashpoint:3f5aee6, author = {Flashpoint and Talos}, title = {{Flashpoint and Talos Analyze the Curious Case of the flokibot Connector}}, date = {2015-12-07}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/flokibot-curious-case-brazilian-connector/}, language = {English}, urldate = {2019-11-20} } @online{flashpoint:20161003:multipurpose:436518b, author = {Flashpoint}, title = {{Multi-Purpose “Floki Bot” Emerges as New Malware Kit}}, date = {2016-10-03}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/cybercrime/floki-bot-emerges-new-malware-kit/}, language = {English}, urldate = {2020-01-07} } @online{flashpoint:20170126:dridex:2ca4920, author = {Flashpoint}, title = {{Dridex Banking Trojan Returns, Leverages New UAC Bypass Method}}, date = {2017-01-26}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog-dridex-banking-trojan-returns/}, language = {English}, urldate = {2020-01-08} } @online{flashpoint:20170525:linguistic:70ffc44, author = {Flashpoint}, title = {{Linguistic Analysis of WannaCry Ransomware Messages Suggests Chinese-Speaking Authors}}, date = {2017-05-25}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/linguistic-analysis-wannacry-ransomware/}, language = {English}, urldate = {2019-12-10} } @online{flashpoint:20170727:new:bb5c883, author = {Flashpoint}, title = {{New Version of “Trickbot” Adds Worm Propagation Module}}, date = {2017-07-27}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/new-version-trickbot-adds-worm-propagation-module/}, language = {English}, urldate = {2020-01-13} } @online{flashpoint:20170825:wirex:2f29c36, 
author = {Flashpoint}, title = {{The WireX Botnet: How Industry Collaboration Disrupted a DDoS Attack}}, date = {2017-08-25}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/wirex-botnet-industry-collaboration/}, language = {English}, urldate = {2020-01-08} } @online{flashpoint:20180510:treasurehunter:d6e33c1, author = {Flashpoint}, title = {{TreasureHunter Point-of-Sale Malware and Builder Source Code Leaked}}, date = {2018-05-10}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/treasurehunter-source-code-leaked/}, language = {English}, urldate = {2020-01-08} } @techreport{flashpoint:202007:zeppelin:8c54ff6, author = {Flashpoint}, title = {{Zeppelin Ransomware Analysis}}, date = {2020-07}, institution = {Flashpoint}, url = {https://storage.pardot.com/272312/124918/Flashpoint_Hunt_Team___Zeppelin_Ransomware_Analysis.pdf}, language = {English}, urldate = {2020-08-14} } @techreport{flores:20120106:official:5984bcc, author = {Rick Flores}, title = {{Official Malware Report: Malware Reverse Engineering}}, date = {2012-01-06}, institution = {Exploit-DB}, url = {https://www.exploit-db.com/docs/english/18387-malware-reverse-engineering-part-1---static-analysis.pdf}, language = {English}, urldate = {2020-01-09} } @online{flores:20201201:impact:415bf2e, author = {Ryan Flores}, title = {{The Impact of Modern Ransomware on Manufacturing Networks}}, date = {2020-12-01}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/20/l/the-impact-of-modern-ransomware-on-manufacturing-networks.html}, language = {English}, urldate = {2020-12-08} } @online{florio:20070717:trojangpcodere:f491e6b, author = {Elia Florio}, title = {{Trojan.Gpcoder.E}}, date = {2007-07-17}, organization = {Symantec}, url = {https://www.symantec.com/security_response/writeup.jsp?docid=2007-071711-3132-99&tabid=2}, language = {English}, urldate = {2020-01-10} } @online{flossman:20170216:viperrat:85bc048, author = {Michael Flossman}, 
title = {{ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar}}, date = {2017-02-16}, organization = {Lookout}, url = {https://blog.lookout.com/blog/2017/02/16/viperrat-mobile-apt/}, language = {English}, urldate = {2020-01-13} } @online{flossman:20170831:lookout:4dc3061, author = {Michael Flossman}, title = {{Lookout discovers sophisticated xRAT malware tied to 2014 “Xsser / mRAT” surveillance campaign against Hong Kong protesters}}, date = {2017-08-31}, organization = {Lookout}, url = {https://blog.lookout.com/xrat-mobile-threat}, language = {English}, urldate = {2020-01-09} } @online{flossman:20171020:jaderat:88e09f8, author = {Michael Flossman}, title = {{JadeRAT mobile surveillanceware spikes in espionage activity}}, date = {2017-10-20}, organization = {Lookout}, url = {http://paper.seebug.org/345/}, language = {English}, urldate = {2019-12-19} } @online{flossman:20171020:jaderat:946d7ac, author = {Michael Flossman}, title = {{JadeRAT mobile surveillanceware spikes in espionage activity}}, date = {2017-10-20}, organization = {Lookout}, url = {https://blog.lookout.com/mobile-threat-jaderat}, language = {English}, urldate = {2020-01-08} } @online{flossman:20171116:tropic:4cd1fde, author = {Michael Flossman}, title = {{Tropic Trooper goes mobile with Titan surveillanceware}}, date = {2017-11-16}, organization = {Lookout}, url = {https://blog.lookout.com/titan-mobile-threat}, language = {English}, urldate = {2020-01-06} } @online{fois:20190111:threat:5be977b, author = {Quentin Fois}, title = {{Threat Actor “Cold River”: Network Traffic Analysis and a Deep Dive on Agent Drable}}, date = {2019-01-11}, organization = {Lastline}, url = {https://www.lastline.com/labsblog/threat-actor-cold-river-network-traffic-analysis-and-a-deep-dive-on-agent-drable/}, language = {English}, urldate = {2020-01-09} } @online{fokker:20181030:fallout:fa86aca, author = {John Fokker and Marc Rivero López}, title = {{Fallout Exploit Kit Releases the 
Kraken Ransomware on Its Victims}}, date = {2018-10-30}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/mcafee-labs/fallout-exploit-kit-releases-the-kraken-ransomware-on-its-victims/}, language = {English}, urldate = {2019-12-17} } @online{fokker:20190109:ryuk:350f477, author = {John Fokker and Christiaan Beek}, title = {{Ryuk Ransomware Attack: Rush to Attribution Misses the Point}}, date = {2019-01-09}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/}, language = {English}, urldate = {2020-01-09} } @techreport{fontarensky:20140711:eye:2641a17, author = {Ivan Fontarensky and Fabien Perigaud and Ronan Mouchoux and Cedric Pernet and David Bizeul}, title = {{The Eye of the Tiger}}, date = {2014-07-11}, institution = {Airbus Defence & Space}, url = {https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/2014.07.11.Pitty_Tiger/Pitty_Tiger_Final_Report.pdf}, language = {English}, urldate = {2020-01-13} } @techreport{fontarensky:2014:eye:a4c3c1b, author = {Ivan Fontarensky and Fabien Perigaud and Ronan Mouchoux and Cedric Pernet and David Bizeul}, title = {{The Eye of the Tiger}}, date = {2014}, institution = {Airbus Defence & Space}, url = {https://bitbucket.org/cybertools/whitepapers/downloads/Pitty%20Tiger%20Final%20Report.pdf}, language = {English}, urldate = {2020-01-08} } @online{fortiguard:20190228:empiremonkey:9163175, author = {FortiGuard}, title = {{EmpireMonkey malware distribution}}, date = {2019-02-28}, organization = {Fortiguard}, url = {https://fortiguard.com/encyclopedia/botnet/7630456}, language = {English}, urldate = {2020-03-22} } @online{fortiguard:20190510:activity:4b58c05, author = {FortiGuard}, title = {{Activity Summary - Week Ending May 10, 2019}}, date = {2019-05-10}, organization = {Fortiguard}, url = {https://fortiguard.com/resources/threat-brief/2019/05/10/fortiguard-threat-intelligence-brief-may-10-2019}, 
language = {English}, urldate = {2019-11-28} } @online{foundation:20190516:goznym:37cf686, author = {The Shadowserver Foundation}, title = {{Goznym Indictments – action following on from successful Avalanche Operations}}, date = {2019-05-16}, organization = {The Shadowserver Foundation}, url = {https://www.shadowserver.org/news/goznym-indictments-action-following-on-from-successful-avalanche-operations/}, language = {English}, urldate = {2020-01-10} } @online{foundation:20200315:has:80a92d5, author = {Shadowserver Foundation}, title = {{Has The Sun Set On The Necurs Botnet?}}, date = {2020-03-15}, organization = {The Shadowserver Foundation}, url = {https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/}, language = {English}, urldate = {2020-03-17} } @online{fr3dhk:20200610:masslogger:c1f2c2f, author = {FR3D.HK}, title = {{MassLogger - Frankenstein's Creation}}, date = {2020-06-10}, organization = {FR3D.HK}, url = {https://fr3d.hk/blog/masslogger-frankenstein-s-creation}, language = {English}, urldate = {2020-06-18} } @online{fr3dhk:20201006:ixware:9d39aa5, author = {FR3D.HK}, title = {{IXWare - Kids will be skids}}, date = {2020-10-06}, organization = {FR3D.HK}, url = {https://fr3d.hk/blog/ixware-kids-will-be-skids}, language = {English}, urldate = {2020-10-19} } @online{france:20200122:wannamine:6e6ab42, author = {Sophos France}, title = {{WannaMine : Même les cybercriminels veulent avoir leur mot à dire sur le Brexit !}}, date = {2020-01-22}, organization = {Sophos}, url = {https://news.sophos.com/fr-fr/2020/01/22/wannamine-meme-cybercriminels-veulent-avoir-mot-a-dire-sur-brexit/}, language = {French}, urldate = {2020-11-25} } @online{franceschibicchierai:20150218:meet:2f64fcb, author = {Lorenzo Franceschi-Bicchierai}, title = {{Meet Babar, a New Malware Almost Certainly Created by France}}, date = {2015-02-18}, organization = {Vice Motherboard}, url = 
{https://motherboard.vice.com/read/meet-babar-a-new-malware-almost-certainly-created-by-france}, language = {English}, urldate = {2020-01-10} } @online{franceschibicchierai:20150705:spy:30cea5b, author = {Lorenzo Franceschi-Bicchierai}, title = {{Spy Tech Company 'Hacking Team' Gets Hacked}}, date = {2015-07-05}, organization = {Vice}, url = {https://www.vice.com/en_us/article/gvye3m/spy-tech-company-hacking-team-gets-hacked}, language = {English}, urldate = {2019-10-14} } @online{franceschibicchierai:20170921:this:b59488a, author = {Lorenzo Franceschi-Bicchierai}, title = {{This Ransomware Demands Nudes Instead of Bitcoin}}, date = {2017-09-21}, organization = {Vice}, url = {https://motherboard.vice.com/en_us/article/yw3w47/this-ransomware-demands-nudes-instead-of-bitcoin}, language = {English}, urldate = {2019-10-29} } @online{franceschibicchierai:20190329:researchers:5987d8a, author = {Lorenzo Franceschi-Bicchierai and Riccardo Coluccini}, title = {{Researchers Find Google Play Store Apps Were Actually Government Malware}}, date = {2019-03-29}, organization = {Vice Motherboard}, url = {https://motherboard.vice.com/en_us/article/43z93g/hackers-hid-android-malware-in-google-play-store-exodus-esurv}, language = {English}, urldate = {2020-01-06} } @online{franceschibicchierai:20190401:prosecutors:7880fc0, author = {Lorenzo Franceschi-Bicchierai}, title = {{Prosecutors Launch Investigation Into Company That Put Malware on Google Play Store}}, date = {2019-04-01}, organization = {Vice Motherboard}, url = {https://motherboard.vice.com/en_us/article/eveeq4/prosecutors-investigation-esurv-exodus-malware-on-google-play-store}, language = {English}, urldate = {2020-01-08} } @online{franceschibicchierai:20200721:worlds:666e813, author = {Lorenzo Franceschi-Bicchierai}, title = {{'World's Most Wanted Man' Involved in Bizarre Attempt to Buy Hacking Tools}}, date = {2020-07-21}, organization = {Vice}, url = 
{https://www.vice.com/en_us/article/jgxvdx/jan-marsalek-wirecard-bizarre-attempt-to-buy-hacking-team-spyware}, language = {English}, urldate = {2020-07-30} } @online{frank:20200430:eventbot:f5a167d, author = {Daniel Frank and Lior Rochberger and Yaron Rimmer and Assaf Dahan}, title = {{EVENTBOT: A NEW MOBILE BANKING TROJAN IS BORN}}, date = {2020-04-30}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born}, language = {English}, urldate = {2020-05-04} } @online{frank:20200716:bazar:3ed900d, author = {Daniel Frank and Mary Zhao and Assaf Dahan}, title = {{A Bazar of Tricks: Following Team9’s Development Cycles}}, date = {2020-07-16}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles}, language = {English}, urldate = {2020-07-16} } @online{frankoff:20141204:inside:80c0fea, author = {Sergei Frankoff}, title = {{Inside The New Asprox/Kuluoz (October 2013 - January 2014)}}, date = {2014-12-04}, url = {http://oalabs.openanalysis.net/2014/12/04/inside-the-new-asprox-kuluoz-october-2013-january-2014/}, language = {English}, urldate = {2020-01-08} } @online{frankoff:20180111:unpacking:bd095df, author = {Sergei Frankoff}, title = {{Unpacking Pykspa Malware With Python and IDA Pro - Subscriber Request Part 1}}, date = {2018-01-11}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=HfSQlC76_s4}, language = {English}, urldate = {2019-11-29} } @online{frankoff:20180304:unpacking:4d7dc7c, author = {Sergei Frankoff}, title = {{Unpacking Gootkit Malware With IDA Pro and X64dbg - Subscriber Request}}, date = {2018-03-04}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=242Tn0IL2jE}, language = {English}, urldate = {2020-01-08} } @online{frankoff:20180312:python:eb6b9f5, author = {Sergei Frankoff}, title = {{Python decryptor for newer AdWind config file}}, date = {2018-03-12}, organization = {Github 
(herrcore)}, url = {https://gist.github.com/herrcore/8336975475e88f9bc539d94000412885}, language = {English}, urldate = {2020-01-09} } @online{frankoff:20180520:unpacking:7db8c96, author = {Sergei Frankoff}, title = {{Unpacking Gootkit Part 2 - Debugging Anti-Analysis Tricks With IDA Pro and x64dbg}}, date = {2018-05-20}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=QgUlPvEE4aw}, language = {English}, urldate = {2020-01-08} } @online{frankoff:20181026:unpacking:b6155cc, author = {Sergei Frankoff}, title = {{Unpacking Bokbot / IcedID Malware - Part 1}}, date = {2018-10-26}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=wObF9n2UIAM}, language = {English}, urldate = {2020-01-08} } @online{frankoff:20181114:big:723025d, author = {Sergei Frankoff and Bex Hartley}, title = {{Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware}}, date = {2018-11-14}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/}, language = {English}, urldate = {2019-12-20} } @online{frankoff:20190822:remcos:b86c5bd, author = {Sergei Frankoff}, title = {{Remcos RAT Unpacked From VB6 With x64dbg Debugger}}, date = {2019-08-22}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=DIH4SvKuktM}, language = {English}, urldate = {2020-01-10} } @online{frankoff:20200126:ida:a8194b4, author = {Sergei Frankoff and Sean Wilson}, title = {{IDA Pro Automated String Decryption For REvil Ransomware}}, date = {2020-01-26}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=l2P5CMH9TE0}, language = {English}, urldate = {2020-01-27} } @online{frankoff:20200530:irc:a711f6e, author = {Sergei Frankoff}, title = {{IRC Botnet Reverse Engineering Part 1 - Preparing Binary for Analysis in IDA PRO}}, date = {2020-05-30}, organization = {Youtube 
(OALabs)}, url = {https://www.youtube.com/watch?v=JPvcLLYR0tE}, language = {English}, urldate = {2020-06-05} } @online{frankoff:20200713:how:fd519be, author = {Sergei Frankoff and OALabs}, title = {{How To Sinkhole A Botnet}}, date = {2020-07-13}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=FAFuSO9oAl0}, language = {English}, urldate = {2020-07-16} } @online{frankoff:20201210:malware:0a70511, author = {Sergei Frankoff}, title = {{Malware Triage Analyzing PrnLoader Used To Drop Emotet}}, date = {2020-12-10}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=5_-oR_135ss}, language = {English}, urldate = {2020-12-18} } @online{frankowicz:20160512:latentbot:9506f35, author = {Kamil Frankowicz}, title = {{LatentBot – modularny i silnie zaciemniony bot}}, date = {2016-05-12}, organization = {CERT.PL}, url = {https://www.cert.pl/news/single/latentbot-modularny-i-silnie-zaciemniony-bot/}, language = {Polish}, urldate = {2019-12-18} } @online{frankowicz:20160810:cryptxxx:1ee108b, author = {Kamil Frankowicz}, title = {{CryptXXX \ CrypMIC – intensywnie dystrybuowany ransomware w ramach exploit-kitów}}, date = {2016-08-10}, organization = {CERT.PL}, url = {https://www.cert.pl/news/single/cryptxxx-crypmic-ransomware-dystrybuowany-ramach-exploit-kitow/}, language = {Polish}, urldate = {2019-10-14} } @online{fraser:20190807:apt41:ce48314, author = {Nalani Fraser and Fred Plan and Jacqueline O’Leary and Vincent Cannon and Raymond Leong and Dan Perez and Chi-en Shen}, title = {{APT41: A Dual Espionage and Cyber Crime Operation}}, date = {2019-08-07}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html}, language = {English}, urldate = {2019-12-20} } @online{french:20191204:ransomware:92a6fae, author = {David French}, title = {{Ransomware, interrupted: Sodinokibi and the supply chain}}, date = {2019-12-04}, organization = {Elastic}, url = 
{https://www.elastic.co/blog/ransomware-interrupted-sodinokibi-and-the-supply-chain}, language = {English}, urldate = {2020-06-30} } @online{froes:20210106:expanding:c61590d, author = {Leandro Froes}, title = {{Expanding Range and Improving Speed: A RansomExx Approach}}, date = {2021-01-06}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/a/expanding-range-and-improving-speed-a-ransomexx-approach.html}, language = {English}, urldate = {2021-01-11} } @online{fumik0:20181015:predator:9c3fcd9, author = {fumik0}, title = {{Predator The Thief: In-depth analysis (v2.3.5)}}, date = {2018-10-15}, organization = {fumik0 blog}, url = {https://fumik0.com/2018/10/15/predator-the-thief-in-depth-analysis-v2-3-5/}, language = {English}, urldate = {2020-01-10} } @online{fumik0:20181224:lets:f7dfc2c, author = {fumik0}, title = {{Let’s dig into Vidar – An Arkei Copycat/Forked Stealer (In-depth analysis)}}, date = {2018-12-24}, organization = {fumik0 blog}, url = {https://fumik0.com/2018/12/24/lets-dig-into-vidar-an-arkei-copycat-forked-stealer-in-depth-analysis/}, language = {English}, urldate = {2020-01-13} } @online{fumik0:2018:entry:62d5ae4, author = {fumik0}, title = {{Entry on Rarog}}, date = {2018}, organization = {fumik0 malware tracker}, url = {https://tracker.fumik0.com/malware/Rarog}, language = {English}, urldate = {2020-01-08} } @online{fumik0:20190503:lets:39770a3, author = {fumik0}, title = {{Let’s nuke Megumin Trojan}}, date = {2019-05-03}, organization = {fumik0 blog}, url = {https://fumik0.com/2019/05/03/lets-nuke-megumin-trojan/}, language = {English}, urldate = {2019-11-28} } @online{fumko:20190325:lets:e773175, author = {fumik0}, title = {{Let’s play with Qulab, an exotic malware developed in AutoIT}}, date = {2019-03-25}, organization = {fumik0 blog}, url = {https://fumik0.com/2019/03/25/lets-play-with-qulab-an-exotic-malware-developed-in-autoit/}, language = {English}, urldate = {2020-01-05} } @online{fumko:20190524:overview:7963f07, author = {fumik0}, title 
= {{Overview of Proton Bot, another loader in the wild!}}, date = {2019-05-24}, organization = {fumik0 blog}, url = {https://fumik0.com/2019/05/24/overview-of-proton-bot-another-loader-in-the-wild/}, language = {English}, urldate = {2019-12-19} } @online{funko:20191225:lets:599836d, author = {fumik0}, title = {{Let’s play (again) with Predator the thief}}, date = {2019-12-25}, organization = {fumik0 blog}, url = {https://fumik0.com/2019/12/25/lets-play-again-with-predator-the-thief/}, language = {English}, urldate = {2020-01-08} } @online{gaffie:20200819:respondermultirelay:191b62a, author = {Laurent Gaffie}, title = {{Responder/MultiRelay}}, date = {2020-08-19}, organization = {Github (lgandx)}, url = {https://github.com/lgandx/Responder}, language = {English}, urldate = {2020-08-24} } @online{gahlot:20201026:threat:7eeb763, author = {Ashish Gahlot}, title = {{Threat Hunting for Avaddon Ransomware}}, date = {2020-10-26}, organization = {AWAKE}, url = {https://awakesecurity.com/blog/threat-hunting-for-avaddon-ransomware/}, language = {English}, urldate = {2020-11-02} } @online{gahlot:20201110:threat:e9c7a9c, author = {Ashish Gahlot}, title = {{Threat Hunting for REvil Ransomware}}, date = {2020-11-10}, organization = {AWAKE}, url = {https://awakesecurity.com/blog/threat-hunting-for-revil-ransomware/}, language = {English}, urldate = {2020-11-12} } @online{gahr:201710:lokibot:45755da, author = {Wesley Gahr and Pham Duy Phuc and Niels Croese}, title = {{LokiBot - The first hybrid Android malware}}, date = {2017-10}, organization = {Threat Fabric}, url = {https://www.threatfabric.com/blogs/lokibot_the_first_hybrid_android_malware.html}, language = {English}, urldate = {2019-12-19} } @techreport{gaiscert:20200527:dridex:90bd3bd, author = {GAIS-CERT}, title = {{Dridex Banking Trojan Technical Analysis Report}}, date = {2020-05-27}, institution = {GAIS-CERT}, url = {https://gaissecurity.com/uploads/csirt/EN-Dridex-banking-trojan.pdf}, language = {English}, urldate = {2020-06-24} } @online{gallagher:20150805:newly:dc763a1, author 
= {Sean Gallagher}, title = {{Newly discovered Chinese hacking group hacked 100+ websites to use as “watering holes”}}, date = {2015-08-05}, organization = {Ars Technica}, url = {https://arstechnica.com/information-technology/2015/08/newly-discovered-chinese-hacking-group-hacked-100-websites-to-use-as-watering-holes/}, language = {English}, urldate = {2020-01-06} } @online{gallagher:20170421:researchers:f1ea70c, author = {Sean Gallagher}, title = {{Researchers claim China trying to hack South Korea missile defense efforts}}, date = {2017-04-21}, organization = {Ars Technica}, url = {https://arstechnica.com/information-technology/2017/04/researchers-claim-china-trying-to-hack-south-korea-missile-defense-efforts/}, language = {English}, urldate = {2020-01-08} } @online{gallagher:20190508:robbinhood:a7fdd3f, author = {Sean Gallagher}, title = {{“RobbinHood” ransomware takes down Baltimore City government networks}}, date = {2019-05-08}, organization = {Ars Technica}, url = {https://arstechnica.com/information-technology/2019/05/baltimore-city-government-hit-by-robbinhood-ransomware/}, language = {English}, urldate = {2019-12-18} } @online{gallagher:20200727:prolock:4992cfc, author = {Sean Gallagher}, title = {{ProLock ransomware gives you the first 8 kilobytes of decryption for free}}, date = {2020-07-27}, organization = {Sophos Labs}, url = {https://news.sophos.com/en-us/2020/07/27/prolock-ransomware-gives-you-the-first-8-kilobytes-of-decryption-for-free/}, language = {English}, urldate = {2020-07-30} } @online{gallagher:20201014:theyre:99f5d1e, author = {Sean Gallagher}, title = {{They’re back: inside a new Ryuk ransomware attack}}, date = {2020-10-14}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/}, language = {English}, urldate = {2020-10-16} } @online{gallagher:20201021:lockbit:13c4faa, author = {Sean Gallagher}, title = {{LockBit uses automated attack tools to identify tasty targets}}, date = 
{2020-10-21}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2020/10/21/lockbit-attackers-uses-automated-attack-tools-to-identify-tasty-targets}, language = {English}, urldate = {2020-10-23} } @online{gallagher:20201028:hacks:8e1d051, author = {Sean Gallagher and Peter Mackenzie and Elida Leite and Syed Shahram and Bill Kearney and Anand Ajjan and Brett Cove and Gabor Szappanos}, title = {{Hacks for sale: inside the Buer Loader malware-as-a-service}}, date = {2020-10-28}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2020/10/28/hacks-for-sale-inside-the-buer-loader-malware-as-a-service/}, language = {English}, urldate = {2020-11-02} } @online{gallagher:20201208:egregor:fe48cfd, author = {Sean Gallagher and Anand Ajjan and Gabor Szappanos and Syed Shahram and Bill Kearney and Mark Loman and Peter Mackenzie and Sergio Bestulic}, title = {{Egregor ransomware: Maze’s heir apparent}}, date = {2020-12-08}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2020/12/08/egregor-ransomware-mazes-heir-apparent/}, language = {English}, urldate = {2020-12-08} } @online{gallagher:20201216:ransomware:0b0fdf2, author = {Sean Gallagher and Sivagnanam Gn}, title = {{Ransomware operators use SystemBC RAT as off-the-shelf Tor backdoor}}, date = {2020-12-16}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2020/12/16/systembc/}, language = {English}, urldate = {2020-12-17} } @online{galov:20201201:dox:85fa427, author = {Dmitry Galov and Vladislav Tushkanov and Leonid Bezvershenko}, title = {{Dox, steal, reveal. 
Where does your personal data end up?}}, date = {2020-12-01}, organization = {Kaspersky Labs}, url = {https://securelist.com/dox-steal-reveal/99577/}, language = {English}, urldate = {2020-12-08} } @online{galperin:20140119:vietnamese:6ff15b6, author = {Eva Galperin and Morgan Marquis-Boire}, title = {{Vietnamese Malware Gets Very Personal}}, date = {2014-01-19}, organization = {Electronic Frontier Foundation}, url = {https://www.eff.org/deeplinks/2014/01/vietnamese-malware-gets-personal}, language = {English}, urldate = {2020-01-13} } @techreport{galperin:201608:operation:38ba7ff, author = {Eva Galperin and Cooper Quintin and Morgan Marquis-Boire and Claudio Guarnieri}, title = {{Operation Manul}}, date = {2016-08}, institution = {Electronic Frontier Foundation}, url = {https://www.eff.org/files/2018/01/29/operation-manul.pdf}, language = {English}, urldate = {2020-06-08} } @online{gamble:20201215:finding:50ef51c, author = {John Gamble}, title = {{Finding SUNBURST Backdoor with Zeek Logs \& Corelight}}, date = {2020-12-15}, organization = {Corelight}, url = {https://corelight.blog/2020/12/15/finding-sunburst-backdoor-with-zeek-logs-and-corelight/}, language = {English}, urldate = {2020-12-15} } @online{gamblin:20170715:mirai:72ffffb, author = {Jerry Gamblin}, title = {{Mirai BotNet Source Code}}, date = {2017-07-15}, organization = {Github (jgamblin)}, url = {https://github.com/jgamblin/Mirai-Source-Code}, language = {English}, urldate = {2019-12-17} } @online{gandhi:20160810:android:81912fe, author = {Viral Gandhi}, title = {{Android Marcher: Continuously Evolving Mobile Malware}}, date = {2016-08-10}, organization = {Zscaler}, url = {https://www.zscaler.de/blogs/research/android-marcher-continuously-evolving-mobile-malware}, language = {English}, urldate = {2020-01-10} } @online{gandler:20200330:zeus:bef1da7, author = {Amir Gandler and Limor Kessem}, title = {{Zeus Sphinx Trojan Awakens Amidst Coronavirus Spam Frenzy}}, date = {2020-03-30}, organization = {IBM}, 
url = {https://securityintelligence.com/posts/zeus-sphinx-trojan-awakens-amidst-coronavirus-spam-frenzy/}, language = {English}, urldate = {2020-04-01} } @online{ganti:2004:mydoom:461c630, author = {Srinivas Ganti}, title = {{MyDoom and its backdoor}}, date = {2004}, organization = {GIAC}, url = {https://www.giac.org/paper/gcih/619/mydoom-backdoor/106503}, language = {English}, urldate = {2019-12-05} } @online{garage4hackers:20140921:reversing:33b3a34, author = {garage4hackers}, title = {{Reversing Tinba: World's smallest trojan-banker DGA Code}}, date = {2014-09-21}, organization = {garage4hackers}, url = {http://garage4hackers.com/entry.php?b=3086}, language = {English}, urldate = {2019-07-11} } @online{garca:201910:geost:fb6829c, author = {Sebastian García and María José Erquiaga and Anna Shirokova}, title = {{Geost botnet. The story of the discovery of a new Android banking trojan from an OpSec error}}, date = {2019-10}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2019/10/vb2019-paper-geost-botnet-story-discovery-new-android-banking-trojan-opsec-error/}, language = {English}, urldate = {2020-12-08} } @online{gardo:20160323:new:c7c1042, author = {Tomáš Gardoň}, title = {{New self‑protecting USB trojan able to avoid detection}}, date = {2016-03-23}, organization = {ESET Research}, url = {http://www.welivesecurity.com/2016/03/23/new-self-protecting-usb-trojan-able-to-avoid-detection/}, language = {English}, urldate = {2019-12-20} } @online{gardo:20170822:gamescom:764a8eb, author = {Tomáš Gardoň}, title = {{Gamescom 2017: It’s all fun and games until black hats step in}}, date = {2017-08-22}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/08/22/gamescom-2017-fun-blackhats/}, language = {English}, urldate = {2019-11-14} } @online{gastesi:20100907:zeus:330336f, author = {Mikel Gastesi}, title = {{ZeuS: The missing link}}, date = {2010-09-07}, organization = {S21sec}, url = 
{https://www.s21sec.com/en/zeus-the-missing-link/}, language = {English}, urldate = {2020-01-17} } @online{gatlan:20190517:teamviewer:563f298, author = {Sergiu Gatlan}, title = {{TeamViewer Confirms Undisclosed Breach From 2016}}, date = {2019-05-17}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/teamviewer-confirms-undisclosed-breach-from-2016/}, language = {English}, urldate = {2019-12-20} } @online{gatlan:20191018:maze:fb2c4b6, author = {Sergiu Gatlan}, title = {{Maze Ransomware Now Delivered by Spelevo Exploit Kit}}, date = {2019-10-18}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/maze-ransomware-now-delivered-by-spelevo-exploit-kit/}, language = {English}, urldate = {2019-12-17} } @online{gatlan:20191118:linux:3b44951, author = {Sergiu Gatlan}, title = {{Linux, Windows Users Targeted With New ACBackdoor Malware}}, date = {2019-11-18}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/linux-windows-users-targeted-with-new-acbackdoor-malware/}, language = {English}, urldate = {2020-01-13} } @online{gatlan:20191209:snatch:04dbbf3, author = {Sergiu Gatlan}, title = {{Snatch Ransomware Reboots to Windows Safe Mode to Bypass AV Tools}}, date = {2019-12-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/snatch-ransomware-reboots-to-windows-safe-mode-to-bypass-av-tools/}, language = {English}, urldate = {2020-01-07} } @online{gatlan:20200110:sodinokibi:73cbf66, author = {Sergiu Gatlan}, title = {{Sodinokibi Ransomware Hits New York Airport Systems}}, date = {2020-01-10}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-hits-new-york-airport-systems/}, language = {English}, urldate = {2020-01-20} } @online{gatlan:20200123:sodinokibi:86b1d46, author = {Sergiu Gatlan}, title = {{Sodinokibi Ransomware Threatens to Publish Data of Automotive 
Group}}, date = {2020-01-23}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-threatens-to-publish-data-of-automotive-group/}, language = {English}, urldate = {2020-01-23} } @online{gatlan:20200207:ta505:7a8e5a2, author = {Sergiu Gatlan}, title = {{TA505 Hackers Behind Maastricht University Ransomware Attack}}, date = {2020-02-07}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ta505-hackers-behind-maastricht-university-ransomware-attack/}, language = {English}, urldate = {2020-02-13} } @online{gatlan:20200330:banking:9d302f2, author = {Sergiu Gatlan}, title = {{Banking Malware Spreading via COVID-19 Relief Payment Phishing}}, date = {2020-03-30}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/banking-malware-spreading-via-covid-19-relief-payment-phishing/}, language = {English}, urldate = {2020-04-01} } @online{gatlan:20200403:microsoft:c12a844, author = {Sergiu Gatlan}, title = {{Microsoft: Emotet Took Down a Network by Overheating All Computers}}, date = {2020-04-03}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/microsoft-emotet-took-down-a-network-by-overheating-all-computers/}, language = {English}, urldate = {2020-04-08} } @online{gatlan:20200414:ragnarlocker:2a77ec4, author = {Sergiu Gatlan}, title = {{RagnarLocker ransomware hits EDP energy giant, asks for €10M}}, date = {2020-04-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ragnarlocker-ransomware-hits-edp-energy-giant-asks-for-10m/}, language = {English}, urldate = {2020-04-16} } @online{gatlan:20200616:chipmaker:0e801b8, author = {Sergiu Gatlan}, title = {{Chipmaker MaxLinear reports data breach after Maze Ransomware attack}}, date = {2020-06-16}, organization = {BleepingComputer}, url = 
{https://www.bleepingcomputer.com/news/security/chipmaker-maxlinear-reports-data-breach-after-maze-ransomware-attack/}, language = {English}, urldate = {2020-06-17} } @online{gatlan:20200626:admin:044ef9a, author = {Sergiu Gatlan}, title = {{Admin of carding portal behind \$568M in losses pleads guilty}}, date = {2020-06-26}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/admin-of-carding-portal-behind-568m-in-losses-pleads-guilty/}, language = {English}, urldate = {2020-06-29} } @online{gatlan:20200630:evilquest:b90c9ad, author = {Sergiu Gatlan}, title = {{EvilQuest wiper uses ransomware cover to steal files from Macs}}, date = {2020-06-30}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/evilquest-wiper-uses-ransomware-cover-to-steal-files-from-macs/}, language = {English}, urldate = {2020-07-01} } @online{gatlan:20200724:garmin:05d9247, author = {Sergiu Gatlan}, title = {{Garmin outage caused by confirmed WastedLocker ransomware attack}}, date = {2020-07-24}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/garmin-outage-caused-by-confirmed-wastedlocker-ransomware-attack/}, language = {English}, urldate = {2020-07-30} } @online{gatlan:20200728:emotet:37429c5, author = {Sergiu Gatlan}, title = {{Emotet malware now steals your email attachments to attack contacts}}, date = {2020-07-28}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/emotet-malware-now-steals-your-email-attachments-to-attack-contacts/}, language = {English}, urldate = {2020-07-30} } @online{gatlan:20201105:brazils:f1f0810, author = {Sergiu Gatlan}, title = {{Brazil's court system under massive RansomExx ransomware attack}}, date = {2020-11-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/brazils-court-system-under-massive-ransomexx-ransomware-attack/}, language = {English}, urldate = 
{2020-11-09} } @online{gatlan:20201113:biotech:cbe6093, author = {Sergiu Gatlan}, title = {{Biotech research firm Miltenyi Biotec hit by ransomware, data leaked}}, date = {2020-11-13}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/biotech-research-firm-miltenyi-biotec-hit-by-ransomware-data-leaked/}, language = {English}, urldate = {2020-11-19} } @online{gatlan:20201222:biden:e871104, author = {Sergiu Gatlan}, title = {{Biden blasts Trump administration over SolarWinds attack response}}, date = {2020-12-22}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/biden-blasts-trump-administration-over-solarwinds-attack-response/}, language = {English}, urldate = {2020-12-23} } @online{gatlan:20201230:emotet:1f2a80b, author = {Sergiu Gatlan}, title = {{Emotet malware hits Lithuania's National Public Health Center}}, date = {2020-12-30}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/emotet-malware-hits-lithuanias-national-public-health-center/}, language = {English}, urldate = {2021-01-05} } @online{gatlan:20210104:translink:628f0c4, author = {Sergiu Gatlan}, title = {{TransLink confirms ransomware data theft, still restoring systems}}, date = {2021-01-04}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/translink-confirms-ransomware-data-theft-still-restoring-systems/}, language = {English}, urldate = {2021-01-05} } @online{gavriel:20180103:new:34da39b, author = {Hod Gavriel}, title = {{New LockPoS Malware Injection Technique}}, date = {2018-01-03}, organization = {Cyberbit}, url = {https://www.cyberbit.com/new-lockpos-malware-injection-technique/}, language = {English}, urldate = {2019-11-28} } @online{gavriel:20180411:new:9ed9a94, author = {Hod Gavriel and Boris Erbesfeld}, title = {{New ‘Early Bird’ Code Injection Technique Discovered}}, date = {2018-04-11}, organization = {Cyberbit}, url = 
{https://www.cyberbit.com/new-early-bird-code-injection-technique-discovered/}, language = {English}, urldate = {2020-08-21} } @online{gavriel:20180806:backswap:f13384a, author = {Hod Gavriel and Boris Erbesfeld}, title = {{BackSwap Banker Malware Hides Inside Replicas of Legitimate Programs}}, date = {2018-08-06}, organization = {Cyberbit}, url = {https://www.cyberbit.com/backswap-banker-malware-hides-inside-replicas-of-legitimate-programs/}, language = {English}, urldate = {2020-08-21} } @online{gavriel:20180814:latest:7df6364, author = {Hod Gavriel}, title = {{Latest Trickbot Variant has New Tricks Up Its Sleeve}}, date = {2018-08-14}, organization = {Cyberbit}, url = {https://www.cyberbit.com/latest-trickbot-variant-has-new-tricks-up-its-sleeve/}, language = {English}, urldate = {2020-08-21} } @online{gavriel:20190130:new:6e4ec87, author = {Hod Gavriel}, title = {{New Ursnif Malware Variant – a Stunning Matryoshka (Матрёшка)}}, date = {2019-01-30}, organization = {Cyberbit}, url = {https://www.cyberbit.com/new-ursnif-malware-variant/}, language = {English}, urldate = {2020-08-21} } @online{gavriel:20190612:formbook:8dc2df9, author = {Hod Gavriel}, title = {{Formbook Research Hints Large Data Theft Attack Brewing}}, date = {2019-06-12}, organization = {Cyberbit}, url = {https://www.cyberbit.com/formbook-research-hints-large-data-theft-attack-brewing/}, language = {English}, urldate = {2020-08-21} } @online{gavriel:20190813:hawkeye:379a3e4, author = {Hod Gavriel}, title = {{HawkEye Malware Changes Keylogging Technique}}, date = {2019-08-13}, organization = {Cyberbit}, url = {https://www.cyberbit.com/hawkeye-malware-keylogging-technique/}, language = {English}, urldate = {2020-08-21} } @online{gavriel:20191121:dtrack:fe6fbbc, author = {Hod Gavriel}, title = {{Dtrack: In-depth analysis of APT on a nuclear power plant}}, date = {2019-11-21}, organization = {Cyberbit}, url = {https://www.cyberbit.com/dtrack-apt-malware-found-in-nuclear-power-plant/}, language = 
{English}, urldate = {2020-08-21} } @techreport{gazer:201708:gazing:b454362, author = {{ESET Research}}, title = {{Gazing at Gazer Turla’s new second stage backdoor}}, date = {2017-08}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf}, language = {English}, urldate = {2020-01-08} } @online{gbrindisi:20160323:gozi:aa28233, author = {gbrindisi}, title = {{Gozi ISFB Sourcecode}}, date = {2016-03-23}, organization = {Github (gbrindisi)}, url = {https://github.com/gbrindisi/malware/tree/master/windows/gozi-isfb}, language = {English}, urldate = {2020-01-13} } @online{gdata:20180629:where:6b57825, author = {G-Data}, title = {{Where we go, we don't need files: Analysis of fileless malware "Rozena"}}, date = {2018-06-29}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2018/06/30862-fileless-malware-rozena}, language = {English}, urldate = {2020-01-13} } @online{gdata:20190509:strange:2e58aae, author = {G-Data}, title = {{Strange Bits: HTML Smuggling and GitHub Hosted Malware}}, date = {2019-05-09}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2019/05/31695-strange-bits-smuggling-malware-github}, language = {English}, urldate = {2019-12-10} } @online{gdata:20201118:business:f4eda3a, author = {G-Data}, title = {{Business as usual: Criminal Activities in Times of a Global Pandemic}}, date = {2020-11-18}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/global-pandemic-remcos-tesla-netwire}, language = {English}, urldate = {2020-11-23} } @online{ge:20110909:bios:c162598, author = {Livian Ge}, title = {{BIOS Threat is Showing up Again!}}, date = {2011-09-09}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/bios-threat-showing-again}, language = {English}, urldate = {2019-12-10} } @online{geenens:20180201:jenx:8b824f5, author = {Pascal Geenens}, title = {{JenX – Los Calvos de San Calvicie}}, 
date = {2018-02-01}, organization = {Radware Blog}, url = {https://blog.radware.com/security/2018/02/jenx-los-calvos-de-san-calvicie/}, language = {English}, urldate = {2019-07-10} } @techreport{geffner:20130719:endtoend:0b46196, author = {Jason Geffner}, title = {{End-to-End Analysis of a Domain Generating Algorithm Malware Family}}, date = {2013-07-19}, institution = {BlackHat}, url = {https://media.blackhat.com/us-13/US-13-Geffner-End-To-End-Analysis-of-a-Domain-Generating-Algorithm-Malware-Family-WP.pdf}, language = {English}, urldate = {2020-01-13} } @techreport{gemini:20200707:full:283dfdd, author = {GEMINI}, title = {{Full list of all the 570+ sites that the Keeper gang hacked since April 2017}}, date = {2020-07-07}, institution = {GEMINI}, url = {https://geminiadvisory.io/wp-content/uploads/2020/07/Appendix-C-1.pdf}, language = {English}, urldate = {2020-07-08} } @online{gemini:20200707:keeper:b2f882b, author = {GEMINI}, title = {{"Keeper" Magecart Group Infects 570 Sites}}, date = {2020-07-07}, url = {https://geminiadvisory.io/keeper-magecart-group-infects-570-sites/}, language = {English}, urldate = {2020-07-08} } @online{gemini:20201119:chinese:ffd0136, author = {GEMINI}, title = {{Chinese Scam Shops Lure Black Friday Shoppers}}, date = {2020-11-19}, organization = {GEMINI}, url = {https://geminiadvisory.io/chinese-scam-shops/}, language = {English}, urldate = {2020-11-23} } @online{generale:20150413:analyzing:2a4956d, author = {{CERT Societe Generale}}, title = {{Analyzing Gootkit's persistence mechanism (new ASEP inside!)}}, date = {2015-04-13}, organization = {CERT Societe Generale}, url = {http://blog.cert.societegenerale.com/2015/04/analyzing-gootkits-persistence-mechanism.html}, language = {English}, urldate = {2020-01-13} } @online{genheimer:20190728:third:ede6ba2, author = {Marius Genheimer}, title = {{Third time's the charm? 
Analysing WannaCry samples}}, date = {2019-07-28}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/third-times-the-charm-analysing-wannacry-samples.html}, language = {English}, urldate = {2020-03-27} } @online{genheimer:20190730:picking:cea78ea, author = {Marius Genheimer}, title = {{Picking Locky}}, date = {2019-07-30}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/picking-locky.html}, language = {English}, urldate = {2020-03-27} } @online{genheimer:20190731:tfw:3fa5aba, author = {Marius Genheimer}, title = {{TFW Ransomware is only your side hustle...}}, date = {2019-07-31}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/tfw-ransomware-is-only-your-side-hustle.html}, language = {English}, urldate = {2020-01-10} } @online{genheimer:20190810:germanwipers:96d9745, author = {Marius Genheimer}, title = {{GermanWiper's big Brother? GandGrab's kid ? Sodinokibi!}}, date = {2019-08-10}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/germanwipers-big-brother-gandgrabs-kid-sodinokibi.html}, language = {English}, urldate = {2020-03-27} } @online{genheimer:20190907:malicious:37195ec, author = {Marius Genheimer}, title = {{Malicious RATatouille}}, date = {2019-09-07}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/malicious-ratatouille.html}, language = {English}, urldate = {2020-03-27} } @online{genheimer:20190924:return:f85ef19, author = {Marius Genheimer}, title = {{Return of the Mummy - Welcome back, Emotet}}, date = {2019-09-24}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/return-of-the-mummy-welcome-back-emotet.html}, language = {English}, urldate = {2020-03-27} } @online{genheimer:20191002:nicht:20adbf8, author = {Marius Genheimer}, title = {{Nicht so goot - Breaking down Gootkit and Jasper (+ FTCODE)}}, date = {2019-10-02}, organization = {Dissecting Malware}, url = 
{https://dissectingmalwa.re/nicht-so-goot-breaking-down-gootkit-and-jasper-ftcode.html}, language = {English}, urldate = {2020-03-27} } @online{genheimer:20191026:earnquickbtcwithhiddentearmp4:b77f350, author = {Marius Genheimer}, title = {{Earn-quick-BTC-with-Hiddentear.mp4 / About Open Source Ransomware}}, date = {2019-10-26}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/earn-quick-btc-with-hiddentearmp4-about-open-source-ransomware.html}, language = {English}, urldate = {2020-03-27} } @online{genheimer:20191029:osiris:55e249f, author = {Marius Genheimer}, title = {{Osiris, the god of afterlife...and banking malware?!}}, date = {2019-10-29}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/osiris-the-god-of-afterlifeand-banking-malware.html}, language = {English}, urldate = {2020-03-27} } @online{genheimer:20191105:try:3aafee6, author = {Marius Genheimer}, title = {{Try not to stare - MedusaLocker at a glance}}, date = {2019-11-05}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/try-not-to-stare-medusalocker-at-a-glance.html}, language = {English}, urldate = {2020-03-27} } @online{genheimer:20191119:quick:b7c4538, author = {Marius Genheimer}, title = {{Quick and painless - Reversing DeathRansom / "Wacatac"}}, date = {2019-11-19}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/quick-and-painless-reversing-deathransom-wacatac.html}, language = {English}, urldate = {2020-03-27} } @online{genheimer:20191202:god:79aa57d, author = {Marius Genheimer}, title = {{God save the Queen [...] 
'cause Ransom is money - SaveTheQueen Encryptor}}, date = {2019-12-02}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/god-save-the-queen-cause-ransom-is-money-savethequeen-encryptor.html}, language = {English}, urldate = {2020-03-27} } @online{genheimer:20191211:projectexe:72f2c37, author = {Marius Genheimer}, title = {{A "Project.exe" that should have stayed in a drawer - MZRevenge / MaMo434376}}, date = {2019-12-11}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/a-projectexe-that-should-have-stayed-in-a-drawer-mzrevenge-mamo434376.html}, language = {English}, urldate = {2020-03-27} } @online{genheimer:20191214:another:7c9c60a, author = {Marius Genheimer}, title = {{Another one for the collection - Mespinoza (Pysa) Ransomware}}, date = {2019-12-14}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/another-one-for-the-collection-mespinoza-pysa-ransomware.html}, language = {English}, urldate = {2020-01-26} } @online{genheimer:20191223:i:516e8d0, author = {Marius Genheimer}, title = {{I literally can't think of a fitting pun - MrDec Ransomware}}, date = {2019-12-23}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/i-literally-cant-think-of-a-fitting-pun-mrdec-ransomware.html}, language = {English}, urldate = {2020-03-27} } @online{genheimer:20200102:nice:266b137, author = {Marius Genheimer}, title = {{"Nice decorating. Let me guess, Satan?" 
- Dot / MZP Ransomware}}, date = {2020-01-02}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/nice-decorating-let-me-guess-satan-dot-mzp-ransomware.html}, language = {English}, urldate = {2020-03-27} } @online{genheimer:20200109:not:187b390, author = {Marius Genheimer}, title = {{Not so nice after all - Afrodita Ransomware}}, date = {2020-01-09}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/not-so-nice-after-all-afrodita-ransomware.html}, language = {English}, urldate = {2020-03-27} } @online{genheimer:20200123:opposite:b471c6b, author = {Marius Genheimer}, title = {{The Opposite of Fileless Malware - NodeJS Ransomware}}, date = {2020-01-23}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/the-opposite-of-fileless-malware-nodejs-ransomware.html}, language = {English}, urldate = {2020-03-27} } @online{genheimer:20200318:why:545326b, author = {Marius Genheimer}, title = {{Why would you even bother?! - JavaLocker}}, date = {2020-03-18}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/why-would-you-even-bother-javalocker.html}, language = {English}, urldate = {2020-03-27} } @online{genheimer:20200320:jamba:9d5bb76, author = {Marius Genheimer}, title = {{Jamba Superdeal: Helo Sir, you want to buy mask? 
- Corona Safety Mask SMS Scam}}, date = {2020-03-20}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/jamba-superdeal-helo-sir-you-want-to-buy-mask-corona-safety-mask-sms-scam.html}, language = {English}, urldate = {2020-03-27} } @online{genheimer:20200413:blame:b258b2b, author = {Marius Genheimer}, title = {{The Blame Game - About False Flags and overwritten MBRs}}, date = {2020-04-13}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/the-blame-game-about-false-flags-and-overwritten-mbrs.html}, language = {English}, urldate = {2020-04-15} } @online{genheimer:20200617:deicer:de78cca, author = {Marius Genheimer}, title = {{deICEr: A Go tool for extracting config from IcedID second stage Loaders}}, date = {2020-06-17}, organization = {Github (f0wl)}, url = {https://github.com/f0wl/deICEr}, language = {English}, urldate = {2020-06-18} } @online{genheimer:20210109:ezuriunpack:59f3343, author = {Marius Genheimer}, title = {{ezuri\_unpack}}, date = {2021-01-09}, organization = {Github (f0wl)}, url = {https://github.com/f0wl/ezuri_unpack}, language = {English}, urldate = {2021-01-11} } @online{georgia:20200901:us:69ac101, author = {{U.S. Embassy in Georgia}}, title = {{U.S. Embassy statement on September 1, 2020 cyberattack against Georgian Ministry of Health}}, date = {2020-09-01}, organization = {U.S. 
Embassy in Georgia}, url = {https://ge.usembassy.gov/u-s-embassy-statement-on-september-1-2020-cyberattack-against-georgian-ministry-of-health/}, language = {English}, urldate = {2020-09-06} } @online{georgiev:20191011:7:a4962f1, author = {Roman Georgiev}, title = {{За российскими дипломатами 7 лет следят с помощью шпионского ПО}}, date = {2019-10-11}, organization = {c news}, url = {https://safe.cnews.ru/news/top/2019-10-11_za_rossijskimi_diplomatami}, language = {Russian}, urldate = {2019-11-29} } @online{gheorghe:20160705:new:8f65d0c, author = {Alexandra Gheorghe}, title = {{New Backdoor Allows Full Access to Mac Systems, Bitdefender Warns}}, date = {2016-07-05}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2016/07/new-mac-backdoor-nukes-os-x-systems/}, language = {English}, urldate = {2020-01-08} } @online{giagone:20171120:cobalt:fb5c2ed, author = {Ronnie Giagone and Lenart Bermejo and Fyodor Yarochkin}, title = {{Cobalt Strikes Again: Spam Runs Use Macros and CVE-2017-8759 Exploit Against Russian Banks}}, date = {2017-11-20}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/cobalt-spam-runs-use-macros-cve-2017-8759-exploit/}, language = {English}, urldate = {2019-10-29} } @online{giang:20191104:nemty:6f237c6, author = {Nguyen Hoang Giang and Eduardo Altares and Muhammad Hasib Latif}, title = {{Nemty Ransomware Expands Its Reach, Also Delivered by Trik Botnet}}, date = {2019-11-04}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nemty-ransomware-trik-botnet}, language = {English}, urldate = {2020-06-02} } @online{giang:20200330:emotet:6034d14, author = {Nguyen Hoang Giang and Mingwei Zhang}, title = {{Emotet: Dangerous Malware Keeps on Evolving}}, date = {2020-03-30}, organization = {Symantec}, url = {https://medium.com/threat-intel/emotet-dangerous-malware-keeps-on-evolving-ac84aadbb8de}, language = {English}, urldate = {2020-04-01} 
} @online{gibb:20180410:icedid:f1a3ff2, author = {Ross Gibb and Daphne Galme and Michael Gorelik}, title = {{IcedID Banking Trojan Teams up with Ursnif/Dreambot for Distribution}}, date = {2018-04-10}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2018/04/icedid-banking-trojan.html}, language = {English}, urldate = {2019-12-17} } @online{giczewski:20201117:trickbot:1bbf92a, author = {Robert Giczewski}, title = {{Trickbot tricks again}}, date = {2020-11-17}, organization = {malware.love}, url = {https://malware.love/trickbot/malware_analysis/reverse_engineering/2020/11/17/trickbots-latest-trick.html}, language = {English}, urldate = {2020-11-19} } @online{giczewski:20201122:trickbot:06baa84, author = {Robert Giczewski}, title = {{Trickbot tricks again [UPDATE]}}, date = {2020-11-22}, organization = {malware.love}, url = {https://malware.love/trickbot/malware_analysis/reverse_engineering/2020/11/22/trickbot-fake-ips-part2.html}, language = {English}, urldate = {2020-11-23} } @online{giczewski:20201127:having:7cd6ae8, author = {Robert Giczewski}, title = {{Having fun with a Ursnif VBS dropper}}, date = {2020-11-27}, organization = {malware.love}, url = {https://malware.love/malware_analysis/reverse_engineering/2020/11/27/analyzing-a-vbs-dropper.html}, language = {English}, urldate = {2020-12-01} } @online{gilberti:20201214:solarwinds:394f5d5, author = {Nick Gilberti and Tyler Hudak}, title = {{SolarWinds Orion and UNC2452 – Summary and Recommendations}}, date = {2020-12-14}, organization = {TrustedSec}, url = {https://www.trustedsec.com/blog/solarwinds-orion-and-unc2452-summary-and-recommendations/}, language = {English}, urldate = {2020-12-16} } @online{gillespie:20160811:smrss32:0f85a72, author = {Michael Gillespie}, title = {{Smrss32 (.encrypted) Ransomware Help \& Support - \_HOW\_TO\_Decrypt.bmp}}, date = {2016-08-11}, organization = {BleepingComputer Forums}, url = 
{https://www.bleepingcomputer.com/forums/t/623132/smrss32-encrypted-ransomware-help-support-how-to-decryptbmp/}, language = {English}, urldate = {2019-07-09} } @online{gillespie:20180306:cryakl:4a313ab, author = {Michael Gillespie}, title = {{Tweet on Cryakl}}, date = {2018-03-06}, organization = {Twitter (@demonslay335)}, url = {https://twitter.com/demonslay335/status/971164798376468481}, language = {English}, urldate = {2020-01-07} } @online{gillespie:20181117:analyzing:7ff3264, author = {Michael Gillespie}, title = {{Analyzing Ransomware - Reversing Basic .NET Ransomware}}, date = {2018-11-17}, organization = {Youtube (Demonslay335)}, url = {https://www.youtube.com/watch?v=7gCU31ScJgk}, language = {English}, urldate = {2020-01-08} } @online{gillespie:20181117:analyzing:ecd5641, author = {Michael Gillespie}, title = {{Analyzing Ransomware - Beginner Static Analysis}}, date = {2018-11-17}, organization = {Youtube (Demonslay335)}, url = {https://www.youtube.com/watch?v=9nuo-AGg4p4}, language = {English}, urldate = {2020-02-27} } @online{gillespie:20200923:ironcat:12f0892, author = {Michael Gillespie}, title = {{Tweet on Ironcat (Sodinokibi imposter)}}, date = {2020-09-23}, organization = {Twitter (@demonslay335)}, url = {https://twitter.com/demonslay335/status/1308827693312548864}, language = {English}, urldate = {2020-09-24} } @online{ginty:20200821:pinchy:24fe21a, author = {Steve Ginty}, title = {{Pinchy Spider: Ransomware Infrastructure Connected to Dark Web Marketplace}}, date = {2020-08-21}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/3315064b}, language = {English}, urldate = {2020-09-01} } @online{ginty:20201014:wellmarked:9176303, author = {Steve Ginty and Jon Gross}, title = {{A Well-Marked Trail: Journeying through OceanLotus's Infrastructure}}, date = {2020-10-14}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/f0320980}, language = {English}, urldate = {2020-10-23} } @online{ginty:20201028:domain:a285cb1, 
author = {Steve Ginty}, title = {{Domain Impersonation Targets Saudi Arabian Government Ministries}}, date = {2020-10-28}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/4fff4b0f}, language = {English}, urldate = {2020-11-02} } @online{giuliani:20110913:mebromi:2d33f8d, author = {Marco Giuliani}, title = {{Mebromi: the first BIOS rootkit in the wild}}, date = {2011-09-13}, organization = {Webroot}, url = {https://www.webroot.com//blog/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/}, language = {English}, urldate = {2020-01-08} } @online{gleicher:20200922:removing:8fe26cd, author = {Nathaniel Gleicher}, title = {{Removing Coordinated Inauthentic Behavior}}, date = {2020-09-22}, organization = {Facebook}, url = {https://about.fb.com/news/2020/09/removing-coordinated-inauthentic-behavior-china-philippines/}, language = {English}, urldate = {2020-09-24} } @online{gleicher:20200924:removing:595f9bf, author = {Nathaniel Gleicher}, title = {{Removing Coordinated Inauthentic Behavior}}, date = {2020-09-24}, organization = {Facebook}, url = {https://about.fb.com/news/2020/09/removing-coordinated-inauthentic-behavior-russia/}, language = {English}, urldate = {2020-09-25} } @online{gleicher:20201210:taking:8581c10, author = {Nathaniel Gleicher and Mike Dvilyanski}, title = {{Taking Action Against Hackers in Bangladesh and Vietnam}}, date = {2020-12-10}, organization = {Facebook}, url = {https://about.fb.com/news/2020/12/taking-action-against-hackers-in-bangladesh-and-vietnam}, language = {English}, urldate = {2020-12-15} } @online{gleicher:20201210:taking:fd014bd, author = {Nathaniel Gleicher and Mike Dvilyanski}, title = {{Taking Action Against Hackers in Bangladesh and Vietnam}}, date = {2020-12-10}, organization = {Facebook}, url = {https://about.fb.com/news/2020/12/taking-action-against-hackers-in-bangladesh-and-vietnam/}, language = {English}, urldate = {2020-12-11} } @online{gleicher:20201215:removing:6d0ca62, author = {Nathaniel Gleicher 
and David Agranovich}, title = {{Removing Coordinated Inauthentic Behavior from France and Russia}}, date = {2020-12-15}, organization = {Facebook}, url = {https://about.fb.com/news/2020/12/removing-coordinated-inauthentic-behavior-france-russia/}, language = {English}, urldate = {2020-12-18} } @online{global:20150917:dukes:5dc47f5, author = {F-Secure Global}, title = {{The Dukes: 7 Years Of Russian Cyber-Espionage}}, date = {2015-09-17}, organization = {F-Secure}, url = {https://www.zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram/}, language = {English}, urldate = {2020-01-09}, internal-note = {URL does not match this entry: it resolves to a ZDNet article on leaked Iranian espionage tooling, not the F-Secure Dukes whitepaper; verify the source before citing} } @online{global:20171027:big:916374a, author = {F-Secure Global}, title = {{The big difference with Bad Rabbit}}, date = {2017-10-27}, organization = {F-Secure}, url = {https://labsblog.f-secure.com/2017/10/27/the-big-difference-with-bad-rabbit/}, language = {English}, urldate = {2020-01-07} } @online{global:20190328:analysis:8b788ab, author = {F-Secure Global}, title = {{Analysis of ShadowHammer ASUS Attack First Stage Payload}}, date = {2019-03-28}, organization = {F-Secure}, url = {https://countercept.com/blog/analysis-shadowhammer-asus-attack-first-stage-payload/}, language = {English}, urldate = {2020-01-08} } @online{glyer:20200325:this:0bc322f, author = {Christopher Glyer and Dan Perez and Sarah Jones and Steve Miller}, title = {{This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits}}, date = {2020-03-25}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html}, language = {English}, urldate = {2020-04-14} } @online{goet:20200110:hitchhikers:03fefe9, author = {Maarten Goet}, title = {{A hitchhikers guide to the cybersecurity galaxy}}, date = {2020-01-10}, organization = {Youtube (Azure Thursday)}, url = {https://www.youtube.com/watch?v=fBFm2fiEPTg}, language = {English}, urldate = {2020-06-16} } 
@online{golak:20190625:icedid:0a3e153, author = {Dawid Golak}, title = {{IcedID aka #Bokbot Analysis with Ghidra}}, date = {2019-06-25}, url = {https://medium.com/@dawid.golak/icedid-aka-bokbot-analysis-with-ghidra-560e3eccb766}, language = {English}, urldate = {2019-12-02} } @online{gold:20140122:iran:b9a3b8e, author = {Steve Gold}, title = {{Iran and Russia blamed for state-sponsored espionage}}, date = {2014-01-22}, organization = {SC Magazine}, url = {https://web.archive.org/web/20140129192702/https://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/}, language = {English}, urldate = {2020-06-08} } @techreport{goldberg:201509:variant:0121be8, author = {Yakov Goldberg and Maayan Fishelov}, title = {{A Variant of the Network Worm Win32 Allaple has been Spotted in the Wild}}, date = {2015-09}, institution = {Trapx Security}, url = {https://trapx.com/wp-content/uploads/2017/08/White_Paper_TrapX_AllapleWorm.pdf}, language = {English}, urldate = {2019-11-16} } @online{goldberg:20180606:operation:64e4fac, author = {Daniel Goldberg and Ofri Ziv and Mor Matal}, title = {{Operation Prowli: Monetizing 40,000 Victim Machines}}, date = {2018-06-06}, organization = {Guardicore}, url = {https://www.guardicore.com/2018/06/operation-prowli-traffic-manipulation-cryptocurrency-mining/}, language = {English}, urldate = {2019-10-14} } @online{goldencrown:20040415:mydoom:38c5e17, author = {Matt Goldencrown}, title = {{MyDoom is Your Doom: An Analysis of the MyDoom Virus}}, date = {2004-04-15}, organization = {SANS GIAC}, url = {https://www.giac.org/paper/gcih/568/mydoom-dom-anlysis-mydoom-virus/106069}, language = {English}, urldate = {2019-11-26} } @online{goldsmith:20201218:selfdelusion:be7b367, author = {Jack Goldsmith}, title = {{Self-Delusion on the Russia Hack}}, date = {2020-12-18}, organization = {THE DISPATCH}, url = {https://thedispatch.com/p/self-delusion-on-the-russia-hack}, language = {English}, urldate = {2020-12-19} } 
@online{goliate:20150818:ransomware:be29cd4, author = {goliate}, title = {{ransomware open-sources}}, date = {2015-08-18}, organization = {Github (goliate)}, url = {https://github.com/goliate/hidden-tear}, language = {English}, urldate = {2020-01-13} } @online{golovanov:20170404:atmitch:1ed35bc, author = {Sergey Golovanov}, title = {{ATMitch: remote administration of ATMs}}, date = {2017-04-04}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/sas/77918/atmitch-remote-administration-of-atms/}, language = {English}, urldate = {2019-12-20} } @online{golovin:20200706:pig:c3a73df, author = {Igor Golovin and Anton Kivva}, title = {{Pig in a poke: smartphone adware}}, date = {2020-07-06}, organization = {Kaspersky Labs}, url = {https://securelist.com/pig-in-a-poke-smartphone-adware/97607/}, language = {English}, urldate = {2020-07-08} } @online{gomez:20130207:ladyboyle:5927b00, author = {J. Gomez and Thoufique Haq}, title = {{LadyBoyle Comes to Town with a New Exploit}}, date = {2013-02-07}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2013/02/lady-boyle-comes-to-town-with-a-new-exploit.html}, language = {English}, urldate = {2019-12-20} } @online{goodin:20110914:malware:c1e8db0, author = {Dan Goodin}, title = {{Malware burrows deep into computer BIOS to escape AV}}, date = {2011-09-14}, organization = {The Register}, url = {http://www.theregister.co.uk/2011/09/14/bios_rootkit_discovered/}, language = {English}, urldate = {2020-01-06} } @online{goodin:20150216:how:4e36cde, author = {Dan Goodin}, title = {{How “omnipotent” hackers tied to NSA hid for 14 years—and were found at last}}, date = {2015-02-16}, organization = {Ars Technica}, url = {https://arstechnica.com/information-technology/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last/}, language = {English}, urldate = {2019-12-06} } @online{goodin:20150415:elite:eaaea2d, author = {Dan Goodin}, title = {{Elite cyber crime group 
strikes back after attack by rival APT gang}}, date = {2015-04-15}, organization = {Ars Technica}, url = {http://arstechnica.com/security/2015/04/elite-cyber-crime-group-strikes-back-after-attack-by-rival-apt-gang/}, language = {English}, urldate = {2019-11-29} } @online{goodin:20170118:newly:2b58256, author = {Dan Goodin}, title = {{Newly discovered Mac malware found in the wild also works well on Linux}}, date = {2017-01-18}, organization = {Ars Technica}, url = {https://arstechnica.com/security/2017/01/newly-discovered-mac-malware-may-have-circulated-in-the-wild-for-2-years/}, language = {English}, urldate = {2020-01-13} } @online{goodin:20170725:perverse:998aed8, author = {Dan Goodin}, title = {{“Perverse” malware infecting hundreds of Macs remained undetected for years}}, date = {2017-07-25}, organization = {Ars Technica}, url = {https://arstechnica.com/security/2017/07/perverse-malware-infecting-hundreds-of-macs-remained-undetected-for-years/}, language = {English}, urldate = {2020-01-13} } @online{goodin:20180418:tens:ad8fd3a, author = {Dan Goodin}, title = {{Tens of thousands of Facebook accounts compromised in days by malware}}, date = {2018-04-18}, organization = {Ars Technica}, url = {https://arstechnica.com/information-technology/2018/04/tens-of-thousands-of-facebook-accounts-compromised-in-days-by-malware/}, language = {English}, urldate = {2019-11-23} } @online{goodin:20190606:google:f1f32d4, author = {Dan Goodin}, title = {{Google confirms that advanced backdoor came preinstalled on Android devices}}, date = {2019-06-06}, organization = {Ars Technica}, url = {https://arstechnica.com/information-technology/2019/06/google-confirms-2017-supply-chain-attack-that-sneaked-backdoor-on-android-devices/}, language = {English}, urldate = {2020-01-13} } @online{goody:20190111:nasty:3c872d4, author = {Kimberly Goody and Jeremy Kennelly and Jaideep Natu and Christopher Glyer}, title = {{A Nasty Trick: From Credential Theft Malware to Business Disruption}}, date = 
{2019-01-11}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html}, language = {English}, urldate = {2019-12-20} } @online{goody:20200507:navigating:7147cb7, author = {Kimberly Goody and Jeremy Kennelly and Joshua Shilko}, title = {{Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents}}, date = {2020-05-07}, organization = {FireEye Inc}, url = {https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html}, language = {English}, urldate = {2020-05-11} } @online{goody:20200521:navigating:a2eae5f, author = {Kimberly Goody and Jeremy Kennelly}, title = {{Navigating MAZE: Analysis of a Rising Ransomware Threat}}, date = {2020-05-21}, organization = {BrightTALK (FireEye)}, url = {https://www.brighttalk.com/webcast/7451/408167/navigating-maze-analysis-of-a-rising-ransomware-threat}, language = {English}, urldate = {2020-06-05} } @online{goody:20201028:unhappy:c0d2e4b, author = {Kimberly Goody and Jeremy Kennelly and Joshua Shilko and Steve Elovitz and Douglas Bienstock}, title = {{Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser}}, date = {2020-10-28}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html}, language = {English}, urldate = {2020-11-02} } @online{gordon:20200720:what:b88e81f, author = {Daniel Gordon}, title = {{What even is Winnti?}}, date = {2020-07-20}, organization = {Risky.biz}, url = {https://risky.biz/whatiswinnti/}, language = {English}, urldate = {2020-08-18} } @online{gordon:20201028:many:6ac3611, author = {Daniel Gordon and Brett Winterford}, title = {{The many personalities of Lazarus}}, date = {2020-10-28}, organization = {Risky.biz}, url = {https://risky.biz/laz/}, language = {English}, urldate = {2020-11-02} } 
@online{gorelik:20170427:iranian:4ab7f08, author = {Michael Gorelik}, title = {{Iranian Fileless Attack Infiltrates Israeli Organizations}}, date = {2017-04-27}, organization = {Morphisec}, url = {https://blog.morphisec.com/iranian-fileless-cyberattack-on-israel-word-vulnerability}, language = {English}, urldate = {2020-07-30} } @online{gorelik:20170427:iranian:827f6f3, author = {Michael Gorelik}, title = {{Iranian Fileless Attack Infiltrates Israeli Organizations}}, date = {2017-04-27}, organization = {Morphisec}, url = {http://blog.morphisec.com/iranian-fileless-cyberattack-on-israel-word-vulnerability}, language = {English}, urldate = {2019-12-04} } @online{gorelik:20170609:fin7:3b251c4, author = {Michael Gorelik}, title = {{FIN7 Takes Another Bite at the Restaurant Industry}}, date = {2017-06-09}, organization = {Morphisec}, url = {http://blog.morphisec.com/fin7-attacks-restaurant-industry}, language = {English}, urldate = {2019-12-04} } @online{gorelik:20170609:fin7:3be08a2, author = {Michael Gorelik}, title = {{FIN7 Takes Another Bite at the Restaurant Industry}}, date = {2017-06-09}, organization = {Morphisec}, url = {https://blog.morphisec.com/fin7-attacks-restaurant-industry}, language = {English}, urldate = {2020-09-04} } @online{gorelik:20170918:morphisec:501cc93, author = {Michael Gorelik}, title = {{Morphisec Discovers CCleaner Backdoor Saving Millions of Avast Users}}, date = {2017-09-18}, organization = {Morphisec}, url = {http://blog.morphisec.com/morphisec-discovers-ccleaner-backdoor}, language = {English}, urldate = {2020-01-08} } @online{gorelik:20171013:fin7:36ef13a, author = {Michael Gorelik}, title = {{FIN7 Dissected: Hackers Accelerate Pace of Innovation}}, date = {2017-10-13}, organization = {Morphisec}, url = {https://blog.morphisec.com/fin7-attack-modifications-revealed}, language = {English}, urldate = {2020-09-04} } @online{gorelik:20171013:fin7:d52a75d, author = {Michael Gorelik}, title = {{FIN7 Dissected: Hackers Accelerate Pace of 
Innovation}}, date = {2017-10-13}, organization = {Morphisec}, url = {http://blog.morphisec.com/fin7-attack-modifications-revealed}, language = {English}, urldate = {2019-11-29} } @online{gorelik:20181008:cobalt:dece0e0, author = {Michael Gorelik}, title = {{Cobalt Group 2.0}}, date = {2018-10-08}, organization = {Morphisec}, url = {https://blog.morphisec.com/cobalt-gang-2.0}, language = {English}, urldate = {2020-01-05} } @online{gorelik:20181121:fin7:02ad475, author = {Michael Gorelik}, title = {{FIN7 Not Finished – Morphisec Spots New Campaign}}, date = {2018-11-21}, organization = {Morphisec}, url = {http://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign}, language = {English}, urldate = {2020-01-08} } @online{gorelik:20181221:fin7:d71e1b0, author = {Michael Gorelik}, title = {{FIN7 Not Finished - Morphisec Spots New Campaign}}, date = {2018-12-21}, organization = {Morphisec}, url = {https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign}, language = {English}, urldate = {2020-09-04} } @online{gorelik:20190227:new:5296a0b, author = {Michael Gorelik and Alon Groisman}, title = {{New Global Cyber Attack on Point of Sale Systems}}, date = {2019-02-27}, organization = {Morphisec}, url = {http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems}, language = {English}, urldate = {2020-01-09} } @online{gorelik:20200228:trickbot:678683b, author = {Michael Gorelik}, title = {{Trickbot Delivery Method Gets a New Upgrade Focusing on Windows 10}}, date = {2020-02-28}, organization = {Morphisec}, url = {https://blog.morphisec.com/trickbot-delivery-method-gets-a-new-upgrade-focusing-on-windows}, language = {English}, urldate = {2020-03-03} } @online{gorelik:20200616:crystalbit:1906ecc, author = {Michael Gorelik}, title = {{CrystalBit / Apple Double DLL Hijack -- From fraudulent software bundle downloads to an evasive miner raging campaign}}, date = {2020-06-16}, organization = {Morphisec}, url = 
{https://blog.morphisec.com/crystalbit-apple-double-dll-hijack}, language = {English}, urldate = {2020-06-16} } @online{gorelik:20201105:agent:1cefe08, author = {Michael Gorelik}, title = {{Agent Tesla: A Day in a Life of IR}}, date = {2020-11-05}, organization = {Morphisec}, url = {https://blog.morphisec.com/agent-tesla-a-day-in-a-life-of-ir}, language = {English}, urldate = {2020-11-09} } @online{gostev:20120528:flame:4aa29b8, author = {Alexander Gostev}, title = {{The Flame: Questions and Answers}}, date = {2012-05-28}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-flame-questions-and-answers-51/34344/}, language = {English}, urldate = {2020-01-06} } @online{gostev:20140312:agentbtz:8f1988f, author = {Alexander Gostev}, title = {{Agent.btz: a Source of Inspiration?}}, date = {2014-03-12}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/virus-watch/58551/agent-btz-a-source-of-inspiration/}, language = {English}, urldate = {2019-12-20} } @online{gottesman:20151006:moker:1b8240a, author = {Yotam Gottesman}, title = {{MOKER, PART 1: DISSECTING A NEW APT UNDER THE MICROSCOPE}}, date = {2015-10-06}, organization = {enSilo}, url = {https://breakingmalware.com/malware/moker-part-1-dissecting-a-new-apt-under-the-microscope/}, language = {English}, urldate = {2020-01-07} } @online{gottesman:20151006:moker:ed878d9, author = {Yotam Gottesman}, title = {{MOKER: A NEW APT DISCOVERED WITHIN A SENSITIVE NETWORK}}, date = {2015-10-06}, organization = {enSilo}, url = {http://blog.ensilo.com/moker-a-new-apt-discovered-within-a-sensitive-network}, language = {English}, urldate = {2019-07-09} } @online{gottesman:20151008:moker:4a42451, author = {Yotam Gottesman}, title = {{MOKER, PART 2: CAPABILITIES}}, date = {2015-10-08}, organization = {enSilo}, url = {https://breakingmalware.com/malware/moker-part-2-capabilities/}, language = {English}, urldate = {2020-01-08} } @online{govcertch:20150911:analysing:e00b8ce, author = {GovCERT.ch}, title = 
{{Analysing a new eBanking Trojan called Fobber}}, date = {2015-09-11}, organization = {GovCERT.ch}, url = {https://www.govcert.admin.ch/blog/12/analysing-a-new-ebanking-trojan-called-fobber}, language = {English}, urldate = {2019-11-29} } @techreport{govcertch:20150911:fobber:a23b812, author = {GovCERT.ch}, title = {{Fobber Analysis}}, date = {2015-09-11}, institution = {GovCERT.ch}, url = {http://www.govcert.admin.ch/downloads/whitepapers/govcertch_fobber_analysis.pdf}, language = {English}, urldate = {2019-12-17} } @techreport{govcertch:20160523:case:b6612e9, author = {GovCERT.ch}, title = {{APT Case RUAG - Technical Report}}, date = {2016-05-23}, institution = {MELANI GovCERT}, url = {https://www.melani.admin.ch/dam/melani/de/dokumente/2016/technical%20report%20ruag.pdf.download.pdf/Report_Ruag-Espionage-Case.pdf}, language = {English}, urldate = {2019-12-17} } @online{govcertch:20170130:sage:022d593, author = {GovCERT.ch}, title = {{Sage 2.0 comes with IP Generation Algorithm (IPGA)}}, date = {2017-01-30}, organization = {GovCERT.ch}, url = {https://www.govcert.admin.ch/blog/27/saga-2.0-comes-with-ip-generation-algorithm-ipga}, language = {English}, urldate = {2019-11-29} } @online{govcertch:20170803:retefe:07f6df3, author = {GovCERT.ch}, title = {{The Retefe Saga}}, date = {2017-08-03}, organization = {GovCERT.ch}, url = {https://www.govcert.admin.ch/blog/33/the-retefe-saga}, language = {English}, urldate = {2020-01-13} } @online{govcertch:20181108:reversing:87c494c, author = {GovCERT.ch}, title = {{Reversing Retefe}}, date = {2018-11-08}, organization = {GovCERT.ch}, url = {https://www.govcert.admin.ch/blog/35/reversing-retefe}, language = {English}, urldate = {2019-11-21} } @online{govcertch:20190509:severe:2767782, author = {GovCERT.ch}, title = {{Severe Ransomware Attacks Against Swiss SMEs}}, date = {2019-05-09}, organization = {GovCERT.ch}, url = {https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes}, language = {English}, 
urldate = {2019-07-11} } @online{govcertch:20190514:rise:8fd8ef4, author = {GovCERT.ch}, title = {{The Rise of Dridex and the Role of ESPs}}, date = {2017-05-14}, organization = {GovCERT.ch}, url = {https://www.govcert.admin.ch/blog/28/the-rise-of-dridex-and-the-role-of-esps}, language = {English}, urldate = {2020-01-09}, internal-note = {date corrected from 2019-05-14: GovCERT.ch blog post 28 falls between post 27 (2017-01-30) and post 33 (2017-08-03); citation key kept unchanged} } @online{govcertch:20190925:trickbot:8346dd7, author = {GovCERT.ch}, title = {{Trickbot - An analysis of data collected from the botnet}}, date = {2019-09-25}, organization = {GovCERT.ch}, url = {https://www.govcert.ch/blog/37/trickbot-an-analysis-of-data-collected-from-the-botnet}, language = {English}, urldate = {2020-01-08} } @online{govcertch:20200220:analysis:18301ef, author = {GovCERT.ch}, title = {{Analysis of an Unusual HawkEye Sample}}, date = {2020-02-20}, organization = {GovCERT.ch}, url = {https://www.govcert.ch/blog/analysis-of-an-unusual-hawkeye-sample/}, language = {English}, urldate = {2020-02-20} } @online{goydenko:20201127:investigation:7d12cee, author = {Denis Goydenko and Alexey Vishnyakov}, title = {{Investigation with a twist: an accidental APT attack and averted data destruction}}, date = {2020-11-27}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/}, language = {English}, urldate = {2020-12-01} } @online{graeber:20201208:why:31709f3, author = {Matt Graeber}, title = {{The why, what, and how of threat research}}, date = {2020-12-08}, organization = {Red Canary}, url = {https://redcanary.com/blog/threat-research-questions}, language = {English}, urldate = {2020-12-10} } @online{graff:20170321:inside:dc89cf2, author = {Garrett M. Graff}, title = {{Inside the Hunt for Russia's Most Notorious Hacker}}, date = {2017-03-21}, organization = {Wired}, url = {https://www.wired.com/?p=2171700}, language = {English}, urldate = {2020-01-13} } @online{graff:20171104:how:7a25415, author = {Garrett M. 
Graff}, title = {{How the FBI Took Down Russia's Spam King—And His Massive Botnet}}, date = {2017-04-11}, organization = {Wired}, url = {https://www.wired.com/2017/04/fbi-took-russias-spam-king-massive-botnet/}, language = {English}, urldate = {2019-12-03}, internal-note = {date corrected from 2017-11-04 (month and day transposed): the URL path is /2017/04/; citation key kept unchanged} } @online{graham:20161229:some:111da12, author = {Robert Graham}, title = {{Some notes on IoCs}}, date = {2016-12-29}, organization = {Errata Security}, url = {https://blog.erratasec.com/2016/12/some-notes-on-iocs.html}, language = {English}, urldate = {2020-01-06} } @online{graham:20170629:nonpetya:c470dd8, author = {Robert Graham}, title = {{NonPetya: no evidence it was a "smokescreen"}}, date = {2017-06-29}, organization = {Errata Security}, url = {http://blog.erratasec.com/2017/06/nonpetya-no-evidence-it-was-smokescreen.html}, language = {English}, urldate = {2020-01-07} } @techreport{grandy:20200924:offensive:8c9687e, author = {Matt Grandy and Joe Leon}, title = {{Offensive Maldocs in 2020}}, date = {2020-09-24}, institution = {Github (FortyNorthSecurity)}, url = {https://github.com/FortyNorthSecurity/Presentations/blob/master/Offensive%20Maldocs%20in%202020.pdf}, language = {English}, urldate = {2020-09-25} } @online{grange:20141209:blue:63864e2, author = {Waylon Grange}, title = {{Blue Coat Exposes “The Inception Framework”; Very Sophisticated, Layered Malware Attack Targeted at Military, Diplomats, and Bus}}, date = {2014-12-09}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/blue-coat-exposes-inception-framework-very-sophisticated-layered-malware-attack-targeted-milit}, language = {English}, urldate = {2019-12-20} } @online{grange:20170418:hajime:b2ed231, author = {Waylon Grange}, title = {{Hajime worm battles Mirai for control of the Internet of Things}}, date = {2017-04-18}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/hajime-worm-battles-mirai-control-internet-things}, language = {English}, urldate = {2019-12-06} } @online{grange:20200713:anchordns:d83e6f5, author = {Waylon 
Grange}, title = {{Anchor_dns malware goes cross platform}}, date = {2020-07-13}, organization = {Stage 2 Security}, url = {https://medium.com/stage-2-security/anchor-dns-malware-family-goes-cross-platform-d807ba13ca30}, language = {English}, urldate = {2020-07-16} } @online{graziano:20170130:eyepyramid:a15d7c0, author = {Mariano Graziano and Paul Rascagnères}, title = {{EyePyramid: An Archaeological Journey}}, date = {2017-01-30}, organization = {Cisco}, url = {http://blog.talosintel.com/2017/01/Eye-Pyramid.html}, language = {English}, urldate = {2019-11-22} } @online{great:20120717:madi:ddf85da, author = {GReAT}, title = {{The Madi Campaign – Part I}}, date = {2012-07-17}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-madi-campaign-part-i-5/33693/}, language = {English}, urldate = {2019-12-20} } @online{great:20120726:madi:d4f911e, author = {GReAT}, title = {{The Madi Campaign – Part II}}, date = {2012-07-26}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-madi-campaign-part-ii-53/33701/}, language = {English}, urldate = {2019-12-20} } @online{great:20120816:shamoon:143efb8, author = {GReAT}, title = {{Shamoon the Wiper – Copycats at Work}}, date = {2012-08-16}, organization = {Kaspersky Labs}, url = {https://securelist.com/shamoon-the-wiper-copycats-at-work/}, language = {English}, urldate = {2019-12-20} } @online{great:20130114:red:ac55753, author = {GReAT}, title = {{"Red October" Diplomatic Cyber Attacks Investigation}}, date = {2013-01-14}, organization = {Kaspersky Labs}, url = {https://securelist.com/red-october-diplomatic-cyber-attacks-investigation/36740/}, language = {English}, urldate = {2020-04-06} } @techreport{great:20130320:teamspy:10e8000, author = {GReAT}, title = {{The ‘TeamSpy’ Story -Abusing TeamViewer in Cyberespionage Campaigns}}, date = {2013-03-20}, institution = {Kaspersky Labs}, url = {https://d2538mqrb7brka.cloudfront.net/wp-content/uploads/sites/43/2018/03/20134928/theteamspystory_final_t2.pdf}, 
language = {English}, urldate = {2020-01-08} } @online{great:20130320:teamspy:2e6f353, author = {GReAT}, title = {{The TeamSpy Crew Attacks – Abusing TeamViewer for Cyberespionage}}, date = {2013-03-20}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/incidents/35520/the-teamspy-crew-attacks-abusing-teamviewer-for-cyberespionage-8/}, language = {English}, urldate = {2019-12-20} } @online{great:20130411:winnti:b1c0d83, author = {GReAT}, title = {{Winnti. More than just a game}}, date = {2013-04-11}, organization = {Kaspersky Labs}, url = {https://securelist.com/winnti-more-than-just-a-game/37029/}, language = {English}, urldate = {2019-12-20} } @online{great:20130411:winnti:f53a759, author = {GReAT}, title = {{Winnti FAQ. More Than Just a Game}}, date = {2013-04-11}, organization = {Kaspersky Labs}, url = {https://securelist.com/winnti-faq-more-than-just-a-game/57585/}, language = {English}, urldate = {2019-12-20} } @techreport{great:201304:winnti:c8e6f40, author = {GReAT}, title = {{Winnti - More than just a game}}, date = {2013-04}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20134508/winnti-more-than-just-a-game-130410.pdf}, language = {English}, urldate = {2019-07-11} } @online{great:20130604:kaspersky:070481d, author = {GReAT}, title = {{Kaspersky Lab Uncovers ‘Operation NetTraveler,’ a Global Cyberespionage Campaign Targeting Government-Affiliated Organizations and Research Institutes}}, date = {2013-06-04}, organization = {Kaspersky Labs}, url = {https://www.kaspersky.com/about/press-releases/2013_kaspersky-lab-uncovers--operation-nettraveler--a-global-cyberespionage-campaign-targeting-government-affiliated-organizations-and-research-institutes}, language = {English}, urldate = {2020-01-13} } @online{great:20130604:nettraveler:a9ac0f1, author = {GReAT}, title = {{“NetTraveler is Running!” – Red Star APT Attacks Compromise High-Profile Victims}}, date = {2013-06-04}, 
organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/35936/nettraveler-is-running-red-star-apt-attacks-compromise-high-profile-victims/}, language = {English}, urldate = {2019-12-20} } @online{great:20130925:icefog:7f2dd2b, author = {GReAT}, title = {{The Icefog APT: A Tale of Cloak and Three Daggers}}, date = {2013-09-25}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-icefog-apt-a-tale-of-cloak-and-three-daggers/57331/}, language = {English}, urldate = {2019-12-20} } @online{great:20140210:caretomask:1aa235f, author = {GReAT}, title = {{The Careto/Mask APT: Frequently Asked Questions}}, date = {2014-02-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-caretomask-apt-frequently-asked-questions/58254/}, language = {English}, urldate = {2019-12-20} } @online{great:20140807:epic:ba080b6, author = {GReAT}, title = {{The Epic Turla Operation}}, date = {2014-08-07}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-epic-turla-operation/65545/}, language = {English}, urldate = {2019-12-20} } @online{great:20140807:epic:f8b0803, author = {GReAT}, title = {{The Epic Turla Operation}}, date = {2014-08-07}, organization = {Kaspersky Labs}, url = {https://securelist.com/analysis/publications/65545/the-epic-turla-operation/}, language = {English}, urldate = {2019-12-20} } @online{great:20140820:el:c4534ec, author = {GReAT}, title = {{“El Machete”}}, date = {2014-08-20}, organization = {Kaspersky Labs}, url = {https://securelist.com/el-machete/66108/}, language = {English}, urldate = {2019-12-20} } @online{great:20141110:darkhotel:19e4934, author = {GReAT}, title = {{The Darkhotel APT}}, date = {2014-11-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-darkhotel-apt/66779/}, language = {English}, urldate = {2019-12-20} } @online{great:20141110:darkhotel:b1f9560, author = {GReAT}, title = {{The Darkhotel APT}}, date = {2014-11-10}, organization = {Kaspersky Labs}, url = 
{https://securelist.com/blog/research/66779/the-darkhotel-apt/}, language = {English}, urldate = {2019-12-20} } @online{great:20141210:cloud:ccb4794, author = {GReAT}, title = {{Cloud Atlas: RedOctober APT is back in style}}, date = {2014-12-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/}, language = {English}, urldate = {2019-12-20} } @online{great:20150216:equation:7b95c72, author = {GReAT}, title = {{Equation: The Death Star of Malware Galaxy}}, date = {2015-02-16}, organization = {Kaspersky Labs}, url = {https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/#_1}, language = {English}, urldate = {2019-12-20} } @online{great:20150216:equation:ad81ead, author = {GReAT}, title = {{Equation: The Death Star of Malware Galaxy}}, date = {2015-02-16}, organization = {Kaspersky Labs}, url = {https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/}, language = {English}, urldate = {2019-12-20} } @online{great:201502:carbanak:1b262fc, author = {GReAT}, title = {{Carbanak APT: The Great Bank Robbery}}, date = {2015-02}, organization = {Kaspersky SAS}, url = {https://app.box.com/s/p7qzcury97tuwk26694uutujwqmwqyhe}, language = {English}, urldate = {2020-05-18} } @techreport{great:201502:carbanak:22f5e49, author = {GReAT}, title = {{CARBANAK APT: THE GREAT BANK ROBBERY}}, date = {2015-02}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf}, language = {English}, urldate = {2020-01-06} } @techreport{great:201502:desert:0826d08, author = {GReAT}, title = {{The Desert Falcons Targeted Attacks}}, date = {2015-02}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064309/The-Desert-Falcons-targeted-attacks.pdf}, language = {English}, urldate = {2020-04-06} } @online{great:20150306:animals:f15e26a, author = {GReAT}, title = 
{{Animals in the APT Farm}}, date = {2015-03-06}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/69114/animals-in-the-apt-farm/}, language = {English}, urldate = {2019-12-20} } @online{great:20150311:inside:28cec3e, author = {GReAT}, title = {{Inside the EquationDrug Espionage Platform}}, date = {2015-03-11}, organization = {Kaspersky Labs}, url = {https://securelist.com/inside-the-equationdrug-espionage-platform/69203/}, language = {English}, urldate = {2019-12-20} } @online{great:20150610:mystery:c1ef5c2, author = {GReAT}, title = {{The Mystery of Duqu 2.0: a sophisticated cyberespionage actor returns}}, date = {2015-06-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/}, language = {English}, urldate = {2020-03-09} } @online{great:20150708:wild:4e853a7, author = {GReAT}, title = {{Wild Neutron – Economic espionage threat actor returns with new tricks}}, date = {2015-07-08}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/}, language = {English}, urldate = {2019-12-20} } @online{great:20150708:wild:ee7c858, author = {GReAT}, title = {{Wild Neutron – Economic espionage threat actor returns with new tricks}}, date = {2015-07-08}, organization = {Kaspersky Labs}, url = {https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/}, language = {English}, urldate = {2019-12-20} } @online{great:20150810:darkhotels:3c831d5, author = {GReAT}, title = {{Darkhotel’s attacks in 2015}}, date = {2015-08-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/}, language = {English}, urldate = {2019-12-20} } @online{great:20151204:sofacy:664b5a8, author = {GReAT}, title = {{Sofacy APT hits high profile targets with updated toolset}}, date = 
{2015-12-04}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/}, language = {English}, urldate = {2019-12-20} } @online{great:20151204:sofacy:b437b35, author = {GReAT}, title = {{Sofacy APT hits high profile targets with updated toolset}}, date = {2015-12-04}, organization = {Kaspersky Labs}, url = {https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/}, language = {English}, urldate = {2020-08-30} } @online{great:20160128:blackenergy:3c2a914, author = {GReAT}, title = {{BlackEnergy APT Attacks in Ukraine employ spearphishing with Word documents}}, date = {2016-01-28}, organization = {Kaspersky Labs}, url = {https://securelist.com/blackenergy-apt-attacks-in-ukraine-employ-spearphishing-with-word-documents/73440/}, language = {English}, urldate = {2019-12-20} } @online{great:20160208:aptstyle:5b3a24e, author = {GReAT and Computer Incidents Investigation Department}, title = {{APT-style bank robberies increase with Metel, GCMAN and Carbanak 2.0 attacks}}, date = {2016-02-08}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks/73638/}, language = {English}, urldate = {2019-12-20} } @online{great:20160209:poseidon:61725f7, author = {GReAT}, title = {{Poseidon Group: a Targeted Attack Boutique specializing in global cyber-espionage}}, date = {2016-02-09}, organization = {Kaspersky Labs}, url = {https://securelist.com/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/73673/}, language = {English}, urldate = {2019-12-20} } @online{great:20160427:freezer:13a8a66, author = {GReAT}, title = {{Freezer Paper around Free Meat (Repackaging Open Source BeEF for Tracking and More)}}, date = {2016-04-27}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/software/74503/freezer-paper-around-free-meat/}, language = 
{English}, urldate = {2019-10-18} } @online{great:20160427:freezer:bec7033, author = {GReAT}, title = {{Freezer Paper around Free Meat}}, date = {2016-04-27}, organization = {Kaspersky Labs}, url = {https://securelist.com/freezer-paper-around-free-meat/74503/}, language = {English}, urldate = {2019-12-20} } @online{great:20160517:atm:f05ffb9, author = {GReAT and Olga Kochetova and Alexey Osipov}, title = {{ATM infector}}, date = {2016-05-17}, organization = {Kaspersky Labs}, url = {https://securelist.com/atm-infector/74772/}, language = {English}, urldate = {2019-12-20} } @online{great:20160525:cve20152545:7006bff, author = {GReAT}, title = {{CVE-2015-2545: overview of current threats}}, date = {2016-05-25}, organization = {Kaspersky Labs}, url = {https://securelist.com/analysis/publications/74828/cve-2015-2545-overview-of-current-threats/}, language = {English}, urldate = {2019-12-20} } @online{great:20160708:dropping:273c1df, author = {GReAT}, title = {{The Dropping Elephant – aggressive cyber-espionage in the Asian region}}, date = {2016-07-08}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-dropping-elephant-actor/75328/}, language = {English}, urldate = {2019-12-20} } @online{great:20160808:projectsauron:503a441, author = {GReAT}, title = {{ProjectSauron: top level cyber-espionage platform covertly extracts encrypted government comms}}, date = {2016-08-08}, organization = {Kaspersky Labs}, url = {https://securelist.com/analysis/publications/75533/faq-the-projectsauron-apt/}, language = {English}, urldate = {2019-12-20} } @techreport{great:20160909:projectsauron:9114f84, author = {GReAT}, title = {{THE PROJECTSAURON APT}}, date = {2016-09-09}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07190154/The-ProjectSauron-APT_research_KL.pdf}, language = {English}, urldate = {2019-11-02} } @online{great:20160929:teamxrat:880e95a, author = {GReAT and Anton Ivanov and Fedor Sinitsyn}, 
title = {{TeamXRat: Brazilian cybercrime meets ransomware}}, date = {2016-09-29}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/76153/teamxrat-brazilian-cybercrime-meets-ransomware/}, language = {English}, urldate = {2019-12-20} } @online{great:20170112:eyepyramid:18aa9df, author = {GReAT}, title = {{The “EyePyramid” attacks}}, date = {2017-01-12}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/incidents/77098/the-eyepyramid-attacks/}, language = {English}, urldate = {2019-12-20} } @online{great:20170221:newish:1c13271, author = {GReAT}, title = {{New(ish) Mirai Spreader Poses New Risks}}, date = {2017-02-21}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/77621/newish-mirai-spreader-poses-new-risks/}, language = {English}, urldate = {2019-12-20} } @techreport{great:20170307:from:3af6ed0, author = {GReAT}, title = {{FROM SHAMOON TO STONEDRILL: Wipers attacking Saudi organizations and beyond}}, date = {2017-03-07}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180722/Report_Shamoon_StoneDrill_final.pdf}, language = {English}, urldate = {2020-01-15} } @online{great:20170403:lazarus:033fcf7, author = {GReAT}, title = {{Lazarus under the Hood}}, date = {2017-04-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/lazarus-under-the-hood/77908/}, language = {English}, urldate = {2019-12-20} } @online{great:20170403:lazarus:689432c, author = {GReAT}, title = {{Lazarus under the Hood}}, date = {2017-04-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/sas/77908/lazarus-under-the-hood/}, language = {English}, urldate = {2019-12-20} } @online{great:20170411:unraveling:8be3efd, author = {GReAT}, title = {{Unraveling the Lamberts Toolkit}}, date = {2017-04-11}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/77990/unraveling-the-lamberts-toolkit/}, language = 
{English}, urldate = {2019-12-20} } @online{great:20170512:wannacry:b24b188, author = {GReAT}, title = {{WannaCry ransomware used in widespread attacks all over the world}}, date = {2017-05-12}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/}, language = {English}, urldate = {2019-12-20} } @online{great:20170627:schroedingers:43c7e28, author = {GReAT}, title = {{Schroedinger’s Pet(ya)}}, date = {2017-06-27}, organization = {Kaspersky Labs}, url = {https://securelist.com/schroedingers-petya/78870/}, language = {English}, urldate = {2019-12-20} } @online{great:20170630:from:d91b457, author = {GReAT}, title = {{From BlackEnergy to ExPetr}}, date = {2017-06-30}, organization = {Kaspersky Labs}, url = {https://securelist.com/from-blackenergy-to-expetr/78937/}, language = {English}, urldate = {2019-12-20} } @online{great:20170815:shadowpad:3d5b9a0, author = {GReAT}, title = {{ShadowPad in corporate networks}}, date = {2017-08-15}, organization = {Kaspersky Labs}, url = {https://securelist.com/shadowpad-in-corporate-networks/81432/}, language = {English}, urldate = {2019-12-20} } @online{great:20170830:introducing:80a9653, author = {GReAT}, title = {{Introducing WhiteBear}}, date = {2017-08-30}, organization = {Kaspersky Labs}, url = {https://securelist.com/introducing-whitebear/81638/}, language = {English}, urldate = {2019-12-20} } @online{great:20171016:blackoasis:b447418, author = {GReAT}, title = {{BlackOasis APT and new targeted attacks leveraging zero-day exploit}}, date = {2017-10-16}, organization = {Kaspersky Labs}, url = {https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/}, language = {English}, urldate = {2019-12-20} } @online{great:20171101:silence:b22eae0, author = {GReAT}, title = {{Silence – a new Trojan attacking financial organizations}}, date = {2017-11-01}, organization = {Kaspersky Labs}, url = 
{https://securelist.com/the-silence/83009/}, language = {English}, urldate = {2019-12-20} } @online{great:20180220:slice:0f910f7, author = {GReAT}, title = {{A Slice of 2017 Sofacy Activity}}, date = {2018-02-20}, organization = {Kaspersky Labs}, url = {https://securelist.com/a-slice-of-2017-sofacy-activity/83930/}, language = {English}, urldate = {2019-12-20} } @online{great:20180308:devils:3373375, author = {GReAT}, title = {{The devil’s in the Rich header}}, date = {2018-03-08}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-devils-in-the-rich-header/84348/}, language = {English}, urldate = {2019-12-20} } @online{great:20180308:olympicdestroyer:79780c9, author = {GReAT}, title = {{OlympicDestroyer is here to trick the industry}}, date = {2018-03-08}, organization = {Kaspersky Labs}, url = {https://securelist.com/olympicdestroyer-is-here-to-trick-the-industry/84295/}, language = {English}, urldate = {2019-12-20} } @online{great:20180309:masha:636eab4, author = {GReAT}, title = {{Masha and these Bears - 2018 Sofacy Activity}}, date = {2018-03-09}, organization = {Kaspersky Labs}, url = {https://securelist.com/masha-and-these-bears/84311/}, language = {English}, urldate = {2020-08-28} } @techreport{great:201803:icefog:2e293e6, author = {GReAT}, title = {{The 'Icefog' APT: A Tale of Cloak and Three Daggers}}, date = {2018-03}, institution = {Kaspersky Labs}, url = {https://d2538mqrb7brka.cloudfront.net/wp-content/uploads/sites/43/2018/03/20133739/icefog.pdf}, language = {English}, urldate = {2020-01-13} } @online{great:20180412:operation:fdc83bc, author = {GReAT}, title = {{Operation Parliament, who is doing what?}}, date = {2018-04-12}, organization = {Kaspersky Labs}, url = {https://securelist.com/operation-parliament-who-is-doing-what/85237/}, language = {English}, urldate = {2019-12-20} } @online{great:20180412:trends:babf7f6, author = {GReAT}, title = {{APT Trends report Q1 2018}}, date = {2018-04-12}, organization = {Kaspersky Labs}, url = 
{https://securelist.com/apt-trends-report-q1-2018/85280/}, language = {English}, urldate = {2020-01-08} } @online{great:20180524:vpnfilter:cb1c89f, author = {GReAT}, title = {{VPNFilter EXIF to C2 mechanism analysed}}, date = {2018-05-24}, organization = {Kaspersky Labs}, url = {https://securelist.com/vpnfilter-exif-to-c2-mechanism-analysed/85721/}, language = {English}, urldate = {2019-12-20} } @online{great:20180619:hades:99ff28a, author = {GReAT}, title = {{Hades, the actor behind Olympic Destroyer is still alive}}, date = {2018-06-19}, organization = {Kaspersky Labs}, url = {https://securelist.com/olympic-destroyer-is-still-alive/86169/}, language = {English}, urldate = {2019-12-20} } @online{great:20180710:trends:4651c7b, author = {GReAT}, title = {{APT Trends Report Q2 2018}}, date = {2018-07-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2018/86487/}, language = {English}, urldate = {2019-12-20} } @online{great:20180821:dark:430988e, author = {GReAT}, title = {{Dark Tequila Añejo}}, date = {2018-08-21}, organization = {Kaspersky Labs}, url = {https://securelist.com/dark-tequila-anejo/87528/}, language = {English}, urldate = {2019-12-20} } @online{great:20180823:operation:c1011d3, author = {GReAT}, title = {{Operation AppleJeus: Lazarus hits cryptocurrency exchange with fake installer and macOS malware}}, date = {2018-08-23}, organization = {Kaspersky Labs}, url = {https://securelist.com/operation-applejeus/87553/}, language = {English}, urldate = {2019-12-20} } @online{great:20180910:luckymouse:e309805, author = {GReAT}, title = {{LuckyMouse signs malicious NDISProxy driver with certificate of Chinese IT company}}, date = {2018-09-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/luckymouse-ndisproxy-driver/87914/}, language = {English}, urldate = {2019-12-20} } @online{great:20181004:shedding:5f22310, author = {GReAT}, title = {{Shedding Skin – Turla’s Fresh Faces}}, date = {2018-10-04}, 
organization = {Kaspersky Labs}, url = {https://securelist.com/shedding-skin-turlas-fresh-faces/88069/}, language = {English}, urldate = {2020-02-27} } @online{great:20181010:muddywater:12992b3, author = {GReAT}, title = {{MuddyWater expands operations}}, date = {2018-10-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/muddywater/88059/}, language = {English}, urldate = {2019-12-20} } @online{great:20181015:octopusinfested:1f464bf, author = {GReAT}, title = {{Octopus-infested seas of Central Asia}}, date = {2018-10-15}, organization = {Kaspersky Labs}, url = {https://securelist.com/octopus-infested-seas-of-central-asia/88200/}, language = {English}, urldate = {2019-12-20} } @online{great:20190111:zebrocy:671fed1, author = {GReAT}, title = {{A Zebrocy Go Downloader}}, date = {2019-01-11}, organization = {Kaspersky Labs}, url = {https://securelist.com/a-zebrocy-go-downloader/89419/}, language = {English}, urldate = {2019-12-20} } @online{great:20190311:predatory:63ab818, author = {GReAT}, title = {{A predatory tale: Who’s afraid of the thief?}}, date = {2019-03-11}, organization = {Kaspersky Labs}, url = {https://securelist.com/a-predatory-tale/89779}, language = {English}, urldate = {2019-12-20} } @online{great:20190325:operation:c4bf341, author = {GReAT and AMR}, title = {{Operation ShadowHammer}}, date = {2019-03-25}, organization = {Kaspersky Labs}, url = {https://securelist.com/operation-shadowhammer/89992/}, language = {English}, urldate = {2019-12-20} } @online{great:20190326:cryptocurrency:c95b701, author = {GReAT}, title = {{Cryptocurrency businesses still being targeted by Lazarus}}, date = {2019-03-26}, organization = {Kaspersky Labs}, url = {https://securelist.com/cryptocurrency-businesses-still-being-targeted-by-lazarus/90019/}, language = {English}, urldate = {2019-12-20} } @online{great:20190328:return:be8d0b5, author = {GReAT}, title = {{The return of the BOM}}, date = {2019-03-28}, organization = {Kaspersky Labs}, url = 
{https://securelist.com/the-return-of-the-bom/90065/}, language = {English}, urldate = {2019-12-20} } @online{great:20190423:operation:20b8f83, author = {GReAT and AMR}, title = {{Operation ShadowHammer: a high-profile supply chain attack}}, date = {2019-04-23}, organization = {Kaspersky Labs}, url = {https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/}, language = {English}, urldate = {2019-12-20} } @online{great:20190513:scarcruft:eb8bb1c, author = {GReAT}, title = {{ScarCruft continues to evolve, introduces Bluetooth harvester}}, date = {2019-05-13}, organization = {Kaspersky Labs}, url = {https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/}, language = {English}, urldate = {2019-12-20} } @online{great:20190603:zebrocys:25be7a9, author = {GReAT}, title = {{Zebrocy’s Multilanguage Malware Salad}}, date = {2019-06-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/zebrocys-multilanguage-malware-salad/90680/}, language = {English}, urldate = {2019-12-20} } @online{great:20190626:viceleaker:7145f5f, author = {GReAT}, title = {{ViceLeaker Operation: mobile espionage targeting Middle East}}, date = {2019-06-26}, organization = {Kaspersky Labs}, url = {https://securelist.com/fanning-the-flames-viceleaker-operation/90877/}, language = {English}, urldate = {2019-12-20} } @online{great:20190710:new:f1277c3, author = {GReAT and AMR}, title = {{New FinSpy iOS and Android implants revealed ITW}}, date = {2019-07-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/new-finspy-ios-and-android-implants-revealed-itw/91685/}, language = {English}, urldate = {2019-12-20} } @online{great:20190801:trends:5e25d5b, author = {GReAT}, title = {{APT trends report Q2 2019}}, date = {2019-08-01}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2019/91897/}, language = {English}, urldate = {2020-08-13} } @online{great:20190812:recent:3a35688, author 
= {GReAT}, title = {{Recent Cloud Atlas activity}}, date = {2019-08-12}, organization = {Kaspersky Labs}, url = {https://securelist.com/recent-cloud-atlas-activity/92016/}, language = {English}, urldate = {2019-12-20} } @online{great:20190829:fully:a86ed11, author = {GReAT}, title = {{Fully equipped Spying Android RAT from Brazil: BRATA}}, date = {2019-08-29}, organization = {Kaspersky Labs}, url = {https://securelist.com/spying-android-rat-from-brazil-brata/92775/}, language = {English}, urldate = {2019-12-20} } @online{great:20191003:compfun:fd13b9e, author = {GReAT}, title = {{COMpfun successor Reductor infects files on the fly to compromise TLS traffic}}, date = {2019-10-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/compfun-successor-reductor/93633/}, language = {English}, urldate = {2020-01-08} } @online{great:20191128:revengehotels:4fd8ea9, author = {GReAT}, title = {{RevengeHotels: cybercrime targeting hotel front desks worldwide}}, date = {2019-11-28}, organization = {Kaspersky Labs}, url = {https://securelist.com/revengehotels/95229/}, language = {English}, urldate = {2020-01-09} } @online{great:20200108:operation:ea445d5, author = {GReAT}, title = {{Operation AppleJeus Sequel}}, date = {2020-01-08}, organization = {Kaspersky Labs}, url = {https://securelist.com/operation-applejeus-sequel/95596/}, language = {English}, urldate = {2020-01-13} } @online{great:20200508:naikons:f1646a6, author = {GReAT}, title = {{Naikon’s Aria}}, date = {2020-05-08}, organization = {Kaspersky Labs}, url = {https://securelist.com/naikons-aria/96899/}, language = {English}, urldate = {2020-07-06} } @online{great:20200514:compfun:eda09d1, author = {GReAT}, title = {{COMpfun authors spoof visa application with HTTP status-based Trojan}}, date = {2020-05-14}, organization = {Kaspersky Labs}, url = {https://securelist.com/compfun-http-status-based-trojan/96874/}, language = {English}, urldate = {2020-05-14} } @online{great:20200603:cycldek:ed9a830, author = 
{GReAT and Mark Lechtik and Giampaolo Dedola}, title = {{Cycldek: Bridging the (air) gap}}, date = {2020-06-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/cycldek-bridging-the-air-gap/97157/}, language = {English}, urldate = {2020-06-03} } @online{great:20200714:tetrade:c97f76a, author = {GReAT}, title = {{The Tetrade: Brazilian banking malware goes global}}, date = {2020-07-14}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-tetrade-brazilian-banking-malware/97779/}, language = {English}, urldate = {2020-07-15} } @online{great:20200722:mata:591e184, author = {GReAT}, title = {{MATA: Multi-platform targeted malware framework}}, date = {2020-07-22}, organization = {Kaspersky Labs}, url = {https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/}, language = {English}, urldate = {2020-07-23} } @online{great:20200729:trends:6810325, author = {GReAT}, title = {{APT trends report Q2 2020}}, date = {2020-07-29}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2020/97937/}, language = {English}, urldate = {2020-07-30} } @online{great:20200910:overview:f751b73, author = {GReAT}, title = {{An overview of targeted attacks and APTs on Linux}}, date = {2020-09-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/}, language = {English}, urldate = {2020-10-05} } @online{great:20201103:trends:febc159, author = {GReAT}, title = {{APT trends report Q3 2020}}, date = {2020-11-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q3-2020/99204/}, language = {English}, urldate = {2020-11-04} } @online{great:20201109:ghimob:d93dd04, author = {GReAT}, title = {{Ghimob: a Tétrade threat actor moves to infect mobile devices}}, date = {2020-11-09}, organization = {Kaspersky Labs}, url = {https://securelist.com/ghimob-tetrade-threat-mobile-devices/99228/}, language = {English}, urldate = 
{2020-11-11} } @online{greenberg:20170920:ccleaner:3590e9c, author = {Andy Greenberg}, title = {{The CCleaner Malware Fiasco Targeted at Least 18 Specific Tech Firms}}, date = {2017-09-20}, organization = {Wired}, url = {https://www.wired.com/story/ccleaner-malware-targeted-tech-firms}, language = {English}, urldate = {2019-12-16} } @online{greenberg:20171024:new:5359735, author = {Andy Greenberg}, title = {{New Ransomware Linked to NotPetya Sweeps Russia and Ukraine}}, date = {2017-10-24}, organization = {Wired}, url = {https://www.wired.com/story/badrabbit-ransomware-notpetya-russia-ukraine/}, language = {English}, urldate = {2020-01-06} } @online{greenberg:20171109:he:5442358, author = {Andy Greenberg}, title = {{He Perfected a Password-Hacking Tool—Then the Russians Came Calling}}, date = {2017-11-09}, organization = {Wired}, url = {https://www.wired.com/story/how-mimikatz-became-go-to-hacker-tool/}, language = {English}, urldate = {2020-01-08} } @online{greenberg:20191017:untold:c257d22, author = {Andy Greenberg}, title = {{The Untold Story of the 2018 Olympics Cyberattack, the Most Deceptive Hack in History}}, date = {2019-10-17}, organization = {Wired}, url = {https://www.wired.com/story/untold-story-2018-olympics-destroyer-cyberattack/}, language = {English}, urldate = {2020-01-13} } @online{greenberg:20200528:nsa:c35f45e, author = {Andy Greenberg}, title = {{NSA: Russia's Sandworm Hackers Have Hijacked Mail Servers}}, date = {2020-05-28}, organization = {Wired}, url = {https://www.wired.com/story/nsa-sandworm-exim-mail-server-warning/}, language = {English}, urldate = {2020-05-29} } @online{greenberg:20200716:iranian:4cc83df, author = {Andy Greenberg}, title = {{Iranian Spies Accidentally Leaked Videos of Themselves Hacking}}, date = {2020-07-16}, organization = {Wired}, url = {https://www.wired.com/story/iran-apt35-hacking-video/}, language = {English}, urldate = {2020-07-16} } @online{greenberg:20200724:russias:689bbb1, author = {Andy Greenberg}, title = 
{{Russia's GRU Hackers Hit US Government and Energy Targets}}, date = {2020-07-24}, organization = {Wired}, url = {https://www.wired.com/story/russia-fancy-bear-us-hacking-campaign-government-energy/}, language = {English}, urldate = {2020-07-30} } @online{greenberg:20200806:chinese:32c43e3, author = {Andy Greenberg}, title = {{Chinese Hackers Have Pillaged Taiwan's Semiconductor Industry}}, date = {2020-08-06}, organization = {Wired}, url = {https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/}, language = {English}, urldate = {2020-11-04} } @online{greenberg:20201001:russias:3440982, author = {Andy Greenberg}, title = {{Russia’s Fancy Bear Hackers Likely Penetrated a US Federal Agency}}, date = {2020-10-01}, organization = {Wired}, url = {https://www.wired.com/story/russias-fancy-bear-hack-us-federal-agency/}, language = {English}, urldate = {2020-10-05} } @online{greenberg:20201019:us:89aec2c, author = {Andy Greenberg}, title = {{US Indicts Sandworm, Russia's Most Destructive Cyberwar Unit}}, date = {2020-10-19}, organization = {Wired}, url = {https://www.wired.com/story/us-indicts-sandworm-hackers-russia-cyberwar-unit/}, language = {English}, urldate = {2020-10-19} } @online{greenberg:20201026:russian:22b05dd, author = {Andy Greenberg}, title = {{The Russian Hackers (BERSERK BEAR) Playing 'Chekhov's Gun' With US Infrastructure}}, date = {2020-10-26}, organization = {Wired}, url = {https://www.wired.com/story/berserk-bear-russia-infrastructure-hacking/}, language = {English}, urldate = {2020-10-29} } @online{greminger:20150618:so:28825c8, author = {Slavo Greminger}, title = {{So Long, and Thanks for All the Domains}}, date = {2015-06-18}, organization = {SWITCH Security Blog}, url = {https://securityblog.switch.ch/2015/06/18/so-long-and-thanks-for-all-the-domains/}, language = {English}, urldate = {2019-07-11} } @online{griffin:20160808:monsoon:ac7eb5b, author = {Nicholas Griffin}, title = {{MONSOON - Analysis Of An APT 
Campaign}}, date = {2016-08-08}, organization = {Forcepoint}, url = {https://www.forcepoint.com/blog/x-labs/monsoon-analysis-apt-campaign}, language = {English}, urldate = {2020-04-06} } @online{griffin:20160922:zeus:94d0df7, author = {Nicholas Griffin}, title = {{Zeus Delivered by DELoader to Defraud Customers of Canadian Banks}}, date = {2016-09-22}, organization = {Forcepoint}, url = {https://www.forcepoint.com/blog/security-labs/zeus-delivered-deloader-defraud-customers-canadian-banks}, language = {English}, urldate = {2020-01-13} } @online{griffin:20160928:highly:c9c3359, author = {Nicholas Griffin}, title = {{Highly Evasive Code Injection Awaits User Interaction Before Delivering Malware}}, date = {2016-09-28}, organization = {Forcepoint}, url = {https://www.forcepoint.com/blog/security-labs/highly-evasive-code-injection-awaits-user-interaction-delivering-malware}, language = {English}, urldate = {2020-01-09} } @online{griffin:20170117:carbanak:68e7e00, author = {Nicholas Griffin}, title = {{Carbanak Group uses Google for malware command-and-control}}, date = {2017-01-17}, organization = {Forcepoint}, url = {https://www.forcepoint.com/blog/x-labs/carbanak-group-uses-google-malware-command-and-control}, language = {English}, urldate = {2020-05-27} } @online{grill:20170313:detecting:b90625c, author = {Bernhard Grill and Megan Ruthven and Xin Zhao}, title = {{Detecting and eliminating Chamois, a fraud botnet on Android}}, date = {2017-03-13}, organization = {Google}, url = {https://android-developers.googleblog.com/2017/03/detecting-and-eliminating-chamois-fraud.html}, language = {English}, urldate = {2020-01-06} } @online{grimminck:20201226:spoofing:a0a5622, author = {Stefan Grimminck}, title = {{Spoofing JARM signatures. 
I am the Cobalt Strike server now!}}, date = {2020-12-26}, organization = {Medium grimminck}, url = {https://grimminck.medium.com/spoofing-jarm-signatures-i-am-the-cobalt-strike-server-now-a27bd549fc6b}, language = {English}, urldate = {2021-01-01} } @online{grll:20201218:nordkorea:510c3c7, author = {Philipp Grüll and Hakan Tanriverdi}, title = {{Nordkorea in Verdacht: Cyberspionage gegen deutsche Rüstungskonzerne}}, date = {2020-12-18}, organization = {Tagesschau}, url = {https://www.tagesschau.de/investigativ/br-recherche/cyberspionage-ruestung-nordkorea-105.html}, language = {German}, urldate = {2021-01-11} } @online{groisman:20190301:threat:aaf612e, author = {Alon Groisman}, title = {{Threat Alert: AVE Maria infostealer on the rise}}, date = {2019-03-01}, organization = {Morphisec}, url = {http://blog.morphisec.com/threat-alert-ave-maria-infostealer-on-the-rise-with-new-stealthier-delivery}, language = {English}, urldate = {2020-01-09} } @online{grooten:20180427:gravityrat:40749fa, author = {Martijn Grooten}, title = {{GravityRAT malware takes your system's temperature}}, date = {2018-04-27}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/blog/2018/04/gravityrat-malware-takes-your-systems-temperature/}, language = {English}, urldate = {2020-01-13} } @online{gross:20150513:cylance:57a5597, author = {Jon Gross}, title = {{Cylance SPEAR Team: A Threat Actor Resurfaces}}, date = {2015-05-13}, organization = {Cylance}, url = {https://blog.cylance.com/spear-a-threat-actor-resurfaces}, language = {English}, urldate = {2019-10-15} } @techreport{gross:20160223:operation:424641b, author = {Jon Gross and Cylance SPEAR Team}, title = {{Operation Dust Storm}}, date = {2016-02-23}, institution = {Cylance}, url = {https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf}, language = {English}, urldate = {2020-01-09} } @online{gross:20170227:deception:3690880, author = {Jon Gross}, title = {{The Deception Project: A New 
Japanese-Centric Threat}}, date = {2017-02-27}, organization = {Cylance}, url = {https://threatvector.cylance.com/en_us/home/the-deception-project-a-new-japanese-centric-threat.html}, language = {English}, urldate = {2020-01-09} } @online{gross:20170227:deception:c424a01, author = {Jon Gross}, title = {{The Deception Project: A New Japanese-Centric Threat}}, date = {2017-02-27}, organization = {Threat Vector}, url = {https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html}, language = {English}, urldate = {2020-01-05} } @online{gross:20200819:riskiq:94e5ccf, author = {Jon Gross and Cory Kennedy}, title = {{RiskIQ Adventures in Cookie Land - Part 1}}, date = {2020-08-19}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/5fe2da7f}, language = {English}, urldate = {2020-09-23} } @online{gross:20200916:riskiq:da4b864, author = {Jon Gross}, title = {{RiskIQ: Adventures in Cookie Land - Part 2}}, date = {2020-09-16}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/56fa1b2f}, language = {English}, urldate = {2020-09-23} } @online{gross:20200930:diving:8e26441, author = {Jon Gross}, title = {{Diving Into DONOT's Mobile Rabbit Hole}}, date = {2020-09-30}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/6f60db72}, language = {English}, urldate = {2020-10-04} } @online{group:20161009:siteintel:906676a, author = {SITE Intelligence Group}, title = {{SiteIntel: Cyber Caliphate Army}}, date = {2016-10-09}, url = {https://ent.siteintelgroup.com/index.php?option=com_customproperties&view=search&task=tag&bind_to_category=content:37&tagId=697}, language = {English}, urldate = {2020-05-27} } @online{group:20181113:chinese:6141b55, author = {Insikt Group}, title = {{Chinese Threat Actor TEMP.Periscope Targets UK-Based Engineering Company Using Russian APT Techniques}}, date = {2018-11-13}, organization = {Recorded Future}, url = 
{https://www.recordedfuture.com/chinese-threat-actor-tempperiscope/}, language = {English}, urldate = {2020-01-13} } @techreport{group:20190206:apt10:74d18e7, author = {Insikt Group and Rapid7}, title = {{APT10 Targeted Norwegian MSP and US Companies in Sustained Campaign}}, date = {2019-02-06}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf}, language = {English}, urldate = {2019-12-17} } @techreport{group:20190206:apt10:9c61d0b, author = {Insikt Group and Rapid7}, title = {{APT10 Targeted Norwegian MSP and US Companies in Sustained Campaign}}, date = {2019-02-06}, institution = {Recorded Future}, url = {http://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf}, language = {English}, urldate = {2020-01-06} } @techreport{group:20200123:european:c3ca9e3, author = {Insikt Group}, title = {{European Energy Sector Organization Targeted by PupyRAT Malware in Late 2019}}, date = {2020-01-23}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2020-0123.pdf}, language = {English}, urldate = {2020-01-27} } @online{group:20200312:swallowing:b1becb5, author = {Insikt Group}, title = {{Swallowing the Snake’s Tail: Tracking Turla Infrastructure}}, date = {2020-03-12}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/turla-apt-infrastructure/}, language = {English}, urldate = {2020-03-13} } @techreport{group:20200610:new:fbd9342, author = {Insikt Group}, title = {{New Ransomware-as-a-Service Tool ‘Thanos’ Shows Connections to ‘Hakbit’}}, date = {2020-06-10}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2020-0610.pdf}, language = {English}, urldate = {2020-06-11} } @online{group:20200615:striking:8fdf4bb, author = {Exploit Development Group}, title = {{Striking Back at Retired Cobalt Strike: A look at a legacy vulnerability}}, date = {2020-06-15}, organization = {NCC Group}, url = 
{https://research.nccgroup.com/2020/06/15/striking-back-at-retired-cobalt-strike-a-look-at-a-legacy-vulnerability/}, language = {English}, urldate = {2020-06-16} } @techreport{group:20200729:chinese:1929fcd, author = {Insikt Group}, title = {{Chinese State-sponsored Group RedDelta Targets the Vatican and Catholic Organizations}}, date = {2020-07-29}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2020-0728.pdf}, language = {English}, urldate = {2020-07-30} } @techreport{group:20200903:russianrelated:448f739, author = {Insikt Group®}, title = {{Russian-related Threats to the 2020 U.S. Presidential Election}}, date = {2020-09-03}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2020-0903.pdf}, language = {English}, urldate = {2020-09-06} } @techreport{group:20200915:back:2c78a6f, author = {Insikt Group®}, title = {{Back Despite Disruption: RedDelta Resumes Operations}}, date = {2020-09-15}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2020-0915.pdf}, language = {English}, urldate = {2020-09-16} } @techreport{group:20201016:banking:bcbd283, author = {Insikt Group®}, title = {{Banking Web Injects Are Top Cyber Threat For Financial Sector}}, date = {2020-10-16}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2020-1016.pdf}, language = {English}, urldate = {2020-10-23} } @techreport{group:20201027:pulse:9a5781b, author = {Insikt Group®}, title = {{Pulse Report: Insikt Group Discovers Global Credential Harvesting Campaign Using FiercePhish Open Source Framework}}, date = {2020-10-27}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2020-1027.pdf}, language = {English}, urldate = {2020-11-02} } @online{group:20201103:infyaptfoudre:e546c27, author = {Shadow Chaser Group}, title = {{美人鱼(Infy)APT组织的归来——使用最新的Foudre后门进行攻击活动的分析}}, date = {2020-11-03}, organization = {Gcow-Sec}, 
url = {https://cloud.tencent.com/developer/article/1738806}, language = {Chinese}, urldate = {2020-11-04} } @techreport{group:20201104:ransomwareasaservice:5ccfc55, author = {Insikt Group®}, title = {{Ransomware-as-a-Service Becomes Increasingly Accessible via Social Media and Open Sources}}, date = {2020-11-04}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2020-1104.pdf}, language = {English}, urldate = {2020-11-06} } @techreport{group:20201110:new:97e5657, author = {Insikt Group®}, title = {{New APT32 Malware Campaign Targets Cambodian Government}}, date = {2020-11-10}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2020-1110.pdf}, language = {English}, urldate = {2020-11-11} } @techreport{group:20201203:egregor:a56f637, author = {Insikt Group®}, title = {{Egregor Ransomware, Used in a String of High-Profile Attacks, Shows Connections to QakBot}}, date = {2020-12-03}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2020-1203.pdf}, language = {English}, urldate = {2020-12-08} } @online{group:20201204:tibet:42fc885, author = {Insikt Group®}, title = {{Tibet and Taiwan Targeted in Spearphishing Campaigns Using MESSAGEMANIFOLD Malware}}, date = {2020-12-04}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/messagemanifold-malware-spearphishing-campaigns/}, language = {English}, urldate = {2020-12-08} } @techreport{group:20201210:exploit:9c6663c, author = {Insikt Group®}, title = {{Exploit Kits though in Decline, Remain Powerful Tool for Delivering Malware}}, date = {2020-12-10}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2020-1210.pdf}, language = {English}, urldate = {2020-12-14} } @techreport{group:20210107:aversary:9771829, author = {Insikt Group®}, title = {{Adversary Infrastructure Report 2020: A Defender's View}}, date = {2021-01-07}, institution = {Recorded Future}, url = 
{https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf}, language = {English}, urldate = {2021-01-11} } @techreport{groupib:201603:buhtrap:65fd758, author = {Group-IB}, title = {{BUHTRAP: The Evolution of Targeted Attacks Against Financial Institutions}}, date = {2016-03}, institution = {Group-IB}, url = {https://www.group-ib.com/brochures/gib-buhtrap-report.pdf}, language = {English}, urldate = {2020-01-12} } @online{groupib:2016:cron:ef29ee9, author = {Group-IB}, title = {{Cron has fallen}}, date = {2016}, organization = {Group-IB}, url = {http://blog.group-ib.com/cron}, language = {English}, urldate = {2020-01-13} } @techreport{groupib:20180522:anunak:97d0646, author = {Group-IB and Fox-IT}, title = {{Anunak: APT against financial institutions}}, date = {2018-05-22}, institution = {Group-IB}, url = {https://www.group-ib.com/resources/threat-research/Anunak_APT_against_financial_institutions.pdf}, language = {English}, urldate = {2020-01-06} } @online{groupib:20180905:silence:6886d17, author = {Group-IB}, title = {{Silence: Moving into the Darkside}}, date = {2018-09-05}, organization = {Group-IB}, url = {https://www.group-ib.com/blog/silence}, language = {English}, urldate = {2019-12-18} } @online{groupib:20190328:groupib:e9956d2, author = {Group-IB and Pavel Krylov and Rustam Mirkasymov}, title = {{Group-IB uncovers Android Trojan named «Gustuff» capable of targeting more than 100 global banking apps, cryptocurrency and marketplace applications}}, date = {2019-03-28}, organization = {Group-IB}, url = {https://www.group-ib.com/media/gustuff/}, language = {English}, urldate = {2019-07-09} } @online{groupib:201908:attacks:9da5611, author = {Group-IB}, title = {{Attacks by Silence}}, date = {2019-08}, organization = {Group-IB}, url = {https://www.group-ib.com/resources/threat-research/silence.html}, language = {English}, urldate = {2020-01-07} } @techreport{groupib:201908:silence:1845381, author = {Group-IB}, title = {{Silence 2.0 - Going Global}}, date = 
{2019-08}, institution = {Group-IB}, url = {https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf}, language = {English}, urldate = {2019-12-17} } @techreport{groupib:20201201:egregor:37e5698, author = {Group-IB}, title = {{Egregor ransomware: The legacy of Maze lives on}}, date = {2020-12-01}, institution = {Group-IB}, url = {https://web.archive.org/web/20201207094648/https://go.group-ib.com/rs/689-LRE-818/images/Group-IB_Egregor_Ransomware.pdf}, language = {English}, urldate = {2020-12-09} } @online{grozev:20200505:who:bd9d865, author = {Christo Grozev}, title = {{Who Is Dmitry Badin, The GRU Hacker Indicted By Germany Over The Bundestag Hacks?}}, date = {2020-05-05}, organization = {Bellingcat}, url = {https://www.bellingcat.com/news/2020/05/05/who-is-dmitry-badin-the-gru-hacker-indicted-by-germany-over-the-bundestag-hacks/}, language = {English}, urldate = {2020-05-05} } @online{grujars:20191213:squad:437183d, author = {GrujaRS}, title = {{Tweet on Squad Ransomware}}, date = {2019-12-13}, organization = {Twitter (@GrujaRS)}, url = {https://twitter.com/GrujaRS/status/1205566219971125249}, language = {English}, urldate = {2020-01-08} } @online{grujars:20191227:yarraq:bdde865, author = {GrujaRS}, title = {{Tweet on Yarraq Ransomware}}, date = {2019-12-27}, organization = {Twitter (@GrujaRS)}, url = {https://twitter.com/GrujaRS/status/1210541690349662209}, language = {English}, urldate = {2020-01-13} } @online{grujars:20200322:new:d94c371, author = {GrujaRS}, title = {{New #VHD (virtual hard disk)#Ransomware extension .vhd!}}, date = {2020-03-22}, url = {https://twitter.com/GrujaRS/status/1241657443282825217}, language = {English}, urldate = {2020-03-27} } @online{grujars:20200427:about:54c4b58, author = {GrujaRS}, title = {{Tweet about spotting goCryptoLocker in the wild}}, date = {2020-04-27}, organization = {Twitter (@GrujaRS)}, url = {https://twitter.com/GrujaRS/status/1254657823478353920}, language = {English}, urldate = {2020-04-28} 
} @online{grunzweig:20121213:dexter:339a8fd, author = {Josh Grunzweig}, title = {{The Dexter Malware: Getting Your Hands Dirty}}, date = {2012-12-13}, organization = {SpiderLabs Blog}, url = {https://www.trustwave.com/Resources/SpiderLabs-Blog/The-Dexter-Malware--Getting-Your-Hands-Dirty/}, language = {English}, urldate = {2020-01-06} } @online{grunzweig:20130508:alina:4b70c89, author = {Josh Grunzweig}, title = {{Alina: Casting a Shadow on POS}}, date = {2013-05-08}, organization = {SpiderLabs Blog}, url = {https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina--Casting-a-Shadow-on-POS/}, language = {English}, urldate = {2020-01-09} } @online{grunzweig:20130517:alina:f668aaf, author = {Josh Grunzweig}, title = {{Alina: Following The Shadow Part 1}}, date = {2013-05-17}, organization = {Trustwave}, url = {https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina--Following-The-Shadow-Part-1/}, language = {English}, urldate = {2019-12-17} } @online{grunzweig:20130603:alina:2c8f3e9, author = {Josh Grunzweig}, title = {{Alina: Following The Shadow Part 2}}, date = {2013-06-03}, organization = {Trustwave}, url = {https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina--Following-The-Shadow-Part-2/}, language = {English}, urldate = {2019-12-17} } @online{grunzweig:20131209:curious:8c64525, author = {Josh Grunzweig}, title = {{The Curious Case of the Malicious IIS Module}}, date = {2013-12-09}, organization = {Trustwave}, url = {https://www.trustwave.com/Resources/SpiderLabs-Blog/The-Curious-Case-of-the-Malicious-IIS-Module/}, language = {English}, urldate = {2019-12-04} } @online{grunzweig:20140715:unit:0cf98cb, author = {Josh Grunzweig}, title = {{Unit 42 Technical Analysis: Seaduke}}, date = {2014-07-15}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/}, language = {English}, urldate = {2020-08-19} } @online{grunzweig:20150319:findpos:87059f2, author = {Josh Grunzweig}, title = {{FindPOS: 
New POS Malware Family Discovered}}, date = {2015-03-19}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2015/03/findpos-new-pos-malware-family-discovered/}, language = {English}, urldate = {2019-12-20} } @online{grunzweig:20151009:latest:c328965, author = {Josh Grunzweig}, title = {{Latest TeslaCrypt Ransomware Borrows Code From Carberp Trojan}}, date = {2015-10-09}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2015/10/latest-teslacrypt-ransomware-borrows-code-from-carberp-trojan/}, language = {English}, urldate = {2019-12-20} } @online{grunzweig:20160122:new:f7cb504, author = {Josh Grunzweig and Bryan Lee}, title = {{New Attacks Linked to C0d0so0 Group}}, date = {2016-01-22}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-group/}, language = {English}, urldate = {2019-12-20} } @online{grunzweig:20160311:powersniff:ca6c14f, author = {Josh Grunzweig and Brandon Levene}, title = {{PowerSniff Malware Used in Macro-based Attacks}}, date = {2016-03-11}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/powersniff-malware-used-in-macro-based-attacks/}, language = {English}, urldate = {2020-01-08} } @online{grunzweig:20160314:digital:b6ddc60, author = {Josh Grunzweig and Robert Falcone and Bryan Lee}, title = {{Digital Quartermaster Scenario Demonstrated in Attacks Against the Mongolian Government}}, date = {2016-03-14}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2016/03/digital-quartermaster-scenario-demonstrated-in-attacks-against-the-mongolian-government/}, language = {English}, urldate = {2019-12-20} } @online{grunzweig:20160502:prince:bd368e1, author = {Josh Grunzweig}, title = {{Prince of Persia Hashes}}, date = {2016-05-02}, organization = {Github (pan-unit42)}, url = 
{https://github.com/pan-unit42/iocs/blob/master/prince_of_persia/hashes.csv}, language = {English}, urldate = {2020-01-08} } @online{grunzweig:20160524:new:d1cd669, author = {Josh Grunzweig and Mike Scott and Bryan Lee}, title = {{New Wekby Attacks Use DNS Requests As Command and Control Mechanism}}, date = {2016-05-24}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/}, language = {English}, urldate = {2019-12-20} } @online{grunzweig:20160708:investigating:576bb94, author = {Josh Grunzweig}, title = {{Investigating the LuminosityLink Remote Access Trojan Configuration}}, date = {2016-07-08}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2016/07/unit42-investigating-the-luminositylink-remote-access-trojan-configuration/}, language = {English}, urldate = {2019-12-20} } @online{grunzweig:20160816:aveo:6f3cf5c, author = {Josh Grunzweig and Robert Falcone}, title = {{Aveo Malware Family Targets Japanese Speaking Users}}, date = {2016-08-16}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2016/08/unit42-aveo-malware-family-targets-japanese-speaking-users/}, language = {English}, urldate = {2019-12-20} } @online{grunzweig:20161004:oilrig:2e3b9e0, author = {Josh Grunzweig and Robert Falcone}, title = {{OilRig Malware Campaign Updates Toolset and Expands Targets}}, date = {2016-10-04}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/}, language = {English}, urldate = {2019-10-22} } @online{grunzweig:20161004:oilrig:72c4b0e, author = {Josh Grunzweig and Robert Falcone}, title = {{OilRig Malware Campaign Updates Toolset and Expands Targets}}, date = {2016-10-04}, organization = {Palo Alto Networks Unit 42}, url = 
{http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/}, language = {English}, urldate = {2019-12-20} } @online{grunzweig:20170105:dragonok:2b228f2, author = {Josh Grunzweig}, title = {{DragonOK Updates Toolset and Targets Multiple Geographic Regions}}, date = {2017-01-05}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/}, language = {English}, urldate = {2019-12-17} } @online{grunzweig:20170105:dragonok:f5f73f6, author = {Josh Grunzweig}, title = {{DragonOK Updates Toolset and Targets Multiple Geographic Regions}}, date = {2017-01-05}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/01/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/}, language = {English}, urldate = {2019-12-20} } @online{grunzweig:20170315:nexuslogger:5530c6b, author = {Josh Grunzweig}, title = {{NexusLogger: A New Cloud-based Keylogger Enters the Market}}, date = {2017-03-15}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/03/unit42-nexuslogger-new-cloud-based-keylogger-enters-market/}, language = {English}, urldate = {2019-12-20} } @online{grunzweig:20170420:cardinal:dbe903e, author = {Josh Grunzweig}, title = {{Cardinal RAT Active for Over Two Years}}, date = {2017-04-20}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/?adbsc=social71702736&adbid=855028404965433346&adbpl=tw&adbpr=4487645412}, language = {English}, urldate = {2019-12-20} } @online{grunzweig:20170928:threat:835bf8e, author = {Josh Grunzweig and Robert Falcone}, title = {{Threat Actors Target Government of Belarus Using CMSTAR Trojan}}, date = {2017-09-28}, organization = {Palo Alto Networks Unit 42}, url = 
{https://researchcenter.paloaltonetworks.com/2017/09/unit42-threat-actors-target-government-belarus-using-cmstar-trojan}, language = {English}, urldate = {2019-12-20} } @online{grunzweig:20171110:new:12fdedb, author = {Josh Grunzweig and Jen Miller-Osborn}, title = {{New Malware with Ties to SunOrcal Discovered}}, date = {2017-11-10}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/}, language = {English}, urldate = {2019-12-20} } @online{grunzweig:20180126:tophat:42d9f5d, author = {Josh Grunzweig}, title = {{The TopHat Campaign: Attacks Within The Middle East Region Using Popular Third-Party Services}}, date = {2018-01-26}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/01/unit42-the-tophat-campaign-attacks-within-the-middle-east-region-using-popular-third-party-services/}, language = {English}, urldate = {2019-12-20} } @online{grunzweig:20180417:squirtdanger:86b0da6, author = {Josh Grunzweig and Brandon Levene and Kyle Wilhoit and Pat Litke}, title = {{SquirtDanger: The Swiss Army Knife Malware from Veteran Malware Author TheBottle}}, date = {2018-04-17}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/04/unit42-squirtdanger-swiss-army-knife-malware-veteran-malware-author-thebottle/}, language = {English}, urldate = {2019-12-20} } @online{grunzweig:20180927:new:d33c053, author = {Josh Grunzweig and Bryan Lee}, title = {{New KONNI Malware attacking Eurasia and Southeast Asia}}, date = {2018-09-27}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/}, language = {English}, urldate = {2019-12-20} } @online{grunzweig:20181001:nokki:b458c95, author = {Josh Grunzweig}, title = {{NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware 
to Deploy RAT}}, date = {2018-10-01}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/}, language = {English}, urldate = {2019-12-20} } @online{grunzweig:20190225:multiple:5d7b857, author = {Josh Grunzweig and Brittany Ash}, title = {{Multiple ArtraDownloader Variants Used by BITTER to Target Pakistan}}, date = {2019-02-25}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan/}, language = {English}, urldate = {2019-12-10} } @online{grunzweig:20191129:fractured:65257b7, author = {Josh Grunzweig and Kyle Wilhoit}, title = {{The Fractured Block Campaign: CARROTBAT Used to Deliver Malware Targeting Southeast Asia}}, date = {2019-11-29}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-the-fractured-block-campaign-carrotbat-malware-used-to-deliver-malware-targeting-southeast-asia/}, language = {English}, urldate = {2020-01-12} } @online{gu:20171030:coin:5a1f004, author = {Jason Gu and Veo Zhang and Seven Shen}, title = {{Coin Miner Mobile Malware Returns, Hits Google Play}}, date = {2017-10-30}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/coin-miner-mobile-malware-returns-hits-google-play/}, language = {English}, urldate = {2019-12-24} } @techreport{gu:2019:vine:df5dbfb, author = {Lion Gu and Bowen Pan}, title = {{A vine climbing over the Great Firewall: A long-term attack against China}}, date = {2019}, institution = {Virus Bulletin}, url = {https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-GuPan.pdf}, language = {English}, urldate = {2020-01-08} } @online{guardicore:20200630:botnet:9a0cb16, author = {Guardicore}, title = {{Botnet Encyclopedia}}, date = {2020-06-30}, organization = {Guardicore}, url = 
{https://www.guardicore.com/botnet-encyclopedia/}, language = {English}, urldate = {2020-07-02} } @online{guarino:20190614:houdini:d6c63fa, author = {Nick Guarino and Aaron Riley}, title = {{Houdini Worm Transformed in New Phishing Attack}}, date = {2019-06-14}, organization = {Cofense}, url = {https://cofense.com/houdini-worm-transformed-new-phishing-attack/}, language = {English}, urldate = {2020-01-08} } @online{guarnieri:20130607:keyboy:58ebd77, author = {Claudio Guarnieri and Mark Schloesser}, title = {{KeyBoy, Targeted Attacks against Vietnam and India}}, date = {2013-06-07}, organization = {Rapid7 Labs}, url = {https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/}, language = {English}, urldate = {2019-12-20} } @online{guarnieri:20150619:digital:6c1a11b, author = {Claudio Guarnieri}, title = {{Digital Attack on German Parliament: Investigative Report on the Hack of the Left Party Infrastructure in Bundestag}}, date = {2015-06-19}, organization = {Netzpolitik.org}, url = {https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/}, language = {English}, urldate = {2020-01-10} } @techreport{guarnieri:201608:iran:d15568e, author = {Claudio Guarnieri and Collin Anderson}, title = {{Iran and the Soft War for Internet Dominance}}, date = {2016-08}, institution = {Black Hat}, url = {https://www.blackhat.com/docs/us-16/materials/us-16-Guarnieri-Iran-And-The-Soft-War-For-Internet-Dominance-wp.pdf}, language = {English}, urldate = {2019-11-26} } @online{guarnieri:20170206:ikittens:b5486bb, author = {Claudio Guarnieri and Collin Anderson}, title = {{iKittens: Iranian Actor Resurfaces with Malware for Mac (MacDownloader)}}, date = {2017-02-06}, organization = {Iran Threats}, url = {https://iranthreats.github.io/resources/macdownloader-macos-malware/}, language = {English}, urldate = {2020-01-09} } @online{gubi:20181017:emergence:670b6fd, author = {Israel 
Gubi}, title = {{The Emergence of the New Azorult 3.3}}, date = {2018-10-17}, organization = {Check Point}, url = {https://research.checkpoint.com/the-emergence-of-the-new-azorult-3-3/}, language = {English}, urldate = {2020-01-07} } @online{gubi:20190709:2019:38d9134, author = {Israel Gubi}, title = {{The 2019 Resurgence of Smokeloader}}, date = {2019-07-09}, organization = {Check Point}, url = {https://research.checkpoint.com/2019-resurgence-of-smokeloader/}, language = {English}, urldate = {2020-01-10} } @online{guerrerosaade:20171224:turla:dd95598, author = {Juan Andrés Guerrero-Saade}, title = {{Tweet on Turla Penquin}}, date = {2017-12-24}, organization = {Twitter (@juanandres_gs)}, url = {https://twitter.com/juanandres_gs/status/944741575837528064}, language = {English}, urldate = {2020-01-06} } @techreport{guerrerosaade:201803:penquins:1c6305e, author = {Juan Andrés Guerrero-Saade and Costin Raiu and Daniel Moore and Thomas Rid}, title = {{Penquin's Moonlit Maze}}, date = {2018-03}, institution = {Kaspersky Labs}, url = {https://securelist.com/files/2017/04/Penquins_Moonlit_Maze_PDF_eng.pdf}, language = {English}, urldate = {2019-11-25} } @online{guerrerosaade:20180626:redalpha:58724c7, author = {Juan Andrés Guerrero-Saade and Sanil Chohan}, title = {{RedAlpha: New Campaigns Discovered Targeting the Tibetan Community}}, date = {2018-06-26}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/redalpha-cyber-campaigns/}, language = {English}, urldate = {2020-01-07} } @techreport{guerrerosaade:20180626:redalpha:c7f1df0, author = {Juan Andrés Guerrero-Saade and Sanil Chohan}, title = {{RedAlpha: New Campaigns Discovered Targeting the Tibetan Community}}, date = {2018-06-26}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2018-0626.pdf}, language = {English}, urldate = {2020-01-09} } @techreport{guerrerosaade:20190409:flame:4ce4c10, author = {Juan Andrés Guerrero-Saade and Silas Cutler}, title = {{Flame 
2.0: Risen from the Ashes}}, date = {2019-04-09}, institution = {Chronicle Security}, url = {https://storage.googleapis.com/chronicle-research/Flame%202.0%20Risen%20from%20the%20Ashes.pdf}, language = {English}, urldate = {2020-01-08} } @techreport{guerrerosaade:20190409:oldest:062ea25, author = {Juan Andrés Guerrero-Saade and Silas Cutler}, title = {{The Oldest Stuxnet Component Dials Up}}, date = {2019-04-09}, institution = {Chronicle Security}, url = {https://storage.googleapis.com/chronicle-research/STUXSHOP%20Stuxnet%20Dials%20In%20.pdf}, language = {English}, urldate = {2019-12-04} } @online{guerrerosaade:20200422:nazar:0c5eef8, author = {Juan Andrés Guerrero-Saade}, title = {{Nazar: A Lost Amulet}}, date = {2020-04-22}, organization = {EpicTurla}, url = {https://www.epicturla.com/blog/the-lost-nazar}, language = {English}, urldate = {2020-05-05} } @online{guerrerosaade:20200526:acidbox:06edc14, author = {Juan Andrés Guerrero-Saade}, title = {{ACIDBOX Clustering}}, date = {2020-05-26}, organization = {EpicTurla}, url = {https://www.epicturla.com/blog/acidbox-clustering}, language = {English}, urldate = {2020-06-29} } @online{guerrerosaade:20200528:sysinturla:8cad820, author = {Juan Andrés Guerrero-Saade}, title = {{SysInTURLA}}, date = {2020-05-28}, organization = {EpicTurla}, url = {https://www.epicturla.com/blog/sysinturla}, language = {English}, urldate = {2020-05-29} } @online{guertin:20200109:pha:deb82eb, author = {Alec Guertin and Vadim Kotov}, title = {{PHA Family Highlights: Bread (and Friends)}}, date = {2020-01-09}, organization = {Google}, url = {https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html}, language = {English}, urldate = {2020-01-20} } @online{guillois:20200729:sodinokibi:6d76347, author = {Nicolas Guillois}, title = {{Sodinokibi / REvil Malware Analysis}}, date = {2020-07-29}, organization = {AmosSys}, url = {https://blog.amossys.fr/sodinokibi-malware-analysis.html}, language = {English}, urldate = 
{2020-08-31} } @online{guinet:20200829:emulating:45c0c16, author = {Adrien Guinet}, title = {{Emulating NotPetya bootloader with Miasm}}, date = {2020-08-29}, organization = {Aguinet}, url = {https://aguinet.github.io//blog/2020/08/29/miasm-bootloader.html}, language = {English}, urldate = {2020-09-04} } @online{guirakhoo:20200312:how:cf2276f, author = {Alex Guirakhoo}, title = {{How cybercriminals are taking advantage of COVID-19: Scams, fraud, and misinformation}}, date = {2020-03-12}, organization = {Digital Shadows}, url = {https://www.digitalshadows.com/blog-and-research/how-cybercriminals-are-taking-advantage-of-covid-19-scams-fraud-misinformation/}, language = {English}, urldate = {2020-03-19} } @online{gull:20190810:select:56061b1, author = {Omer Gull}, title = {{SELECT code_execution FROM * USING SQLite;}}, date = {2019-08-10}, organization = {Check Point}, url = {https://research.checkpoint.com/2019/select-code_execution-from-using-sqlite/}, language = {English}, urldate = {2020-02-09} } @online{gutierrez:20121220:trojanstabuniq:3e7b380, author = {Fred Gutierrez}, title = {{Trojan.Stabuniq Found on Financial Institution Servers}}, date = {2012-12-20}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/trojanstabuniq-found-financial-institution-servers}, language = {English}, urldate = {2020-01-10} } @online{h4ck:20141108:review:85ad7e4, author = {H4ck}, title = {{Review of jSpy a RAT from jSpy.net}}, date = {2014-11-08}, organization = {How-To-Hack.net}, url = {https://how-to-hack.net/hacking-guides/review-of-jspy-rat-jspy-net/}, language = {English}, urldate = {2019-07-31} } @online{h:20200316:new:60f8c3d, author = {Jeremy H and Axel F and Proofpoint Threat Insight Team}, title = {{New RedLine Stealer Distributed Using Coronavirus-themed Email Campaign}}, date = {2020-03-16}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/new-redline-stealer-distributed-using-coronavirus-themed-email-campaign}, 
language = {English}, urldate = {2020-03-17} } @online{haag:20210104:malleable:ab64356, author = {Michael Haag}, title = {{Malleable C2 Profiles and You}}, date = {2021-01-04}, organization = {Medium haggis-m}, url = {https://haggis-m.medium.com/malleable-c2-profiles-and-you-7c7ab43e7929}, language = {English}, urldate = {2021-01-05} } @online{hackdig:20160217:russian:41104f7, author = {HackDig}, title = {{Russian Police Prevented Massive Banking Sector Cyber Attack}}, date = {2016-02-17}, url = {http://webcache.googleusercontent.com/search?q=cache:TWoHHzH9gU0J:en.hackdig.com/02/39538.htm}, language = {English}, urldate = {2020-06-03} } @online{hackdig:20200812:antiys:0d7e73e, author = {HackDig}, title = {{Antiy's analysis report on the recent APT attacks against the Green Spot organization}}, date = {2020-08-12}, url = {http://www.hackdig.com/08/hack-107672.htm}, language = {Chinese}, urldate = {2020-08-14} } @online{hacker:20171011:more:9040492, author = {Wraith Hacker}, title = {{More info on 'Evolved DNSMessenger'}}, date = {2017-10-11}, organization = {Wraith Hacker Blog}, url = {http://wraithhacker.com/2017/10/11/more-info-on-evolved-dnsmessenger/}, language = {English}, urldate = {2019-10-12} } @online{hacking:20201229:how:401dbfb, author = {Guided Hacking}, title = {{How to Unpack Ramnit Dropper - Malware Unpacking Tutorial 2}}, date = {2020-12-29}, organization = {Youtube (Guided Hacking)}, url = {https://www.youtube.com/watch?v=l6ZunH6YG0A}, language = {English}, urldate = {2021-01-11} } @online{hacks4pancakes:20170628:why:8053178, author = {hacks4pancakes}, title = {{Why NotPetya Kept Me Awake (& You Should Worry Too)}}, date = {2017-06-28}, url = {https://tisiphone.net/2017/06/28/why-notpetya-kept-me-awake-you-should-worry-too/}, language = {English}, urldate = {2020-01-09} } @online{hacquebord:20151022:pawn:8231722, author = {Feike Hacquebord}, title = {{Pawn Storm Targets MH17 Investigation Team}}, date = {2015-10-22}, organization = {Trend Micro}, 
url = {https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-targets-mh17-investigation-team/}, language = {English}, urldate = {2020-01-10} } @online{hacquebord:20191212:more:a1e84b7, author = {Feike Hacquebord and Cedric Pernet and Kenney Lu}, title = {{More than a Dozen Obfuscated APT33 Botnets Used for Extreme Narrow Targeting}}, date = {2019-12-12}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/more-than-a-dozen-obfuscated-apt33-botnets-used-for-extreme-narrow-targeting/}, language = {English}, urldate = {2020-01-13} } @techreport{hacquebord:20200311:pawn:d7ef8ae, author = {Feike Hacquebord}, title = {{Pawn Storm in 2019: A Year of Scanning and Credential Phishing on High-Profile Targets}}, date = {2020-03-11}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/white_papers/wp-pawn-storm-in-2019.pdf}, language = {English}, urldate = {2020-03-19} } @online{hacquebord:20201217:pawn:0e42861, author = {Feike Hacquebord and Lord Alfred Remorin}, title = {{Pawn Storm’s Lack of Sophistication as a Strategy}}, date = {2020-12-17}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html}, language = {English}, urldate = {2020-12-19} } @online{hada:20201015:pandas:962b364, author = {Hiroki Hada}, title = {{Panda’s New Arsenal: Part 1 Tmanger}}, date = {2020-10-15}, organization = {NTT Security}, url = {https://insight-jp.nttsecurity.com/post/102gi9b/pandas-new-arsenal-part-1-tmanger}, language = {Japanese}, urldate = {2020-10-19} } @online{hada:20201118:pandas:f87f080, author = {Hiroki Hada}, title = {{Panda’s New Arsenal: Part 2 Albaniiutas}}, date = {2020-11-18}, organization = {NTT Security}, url = {https://insight-jp.nttsecurity.com/post/102gkfp/pandas-new-arsenal-part-2-albaniiutas}, language = {Japanese}, urldate = {2020-11-25} } @online{hada:20201211:pandas:b182e4e, author = {Hiroki Hada}, 
title = {{Panda’s New Arsenal: Part 3 Smanager}}, date = {2020-12-11}, organization = {NTT Security}, url = {https://insight-jp.nttsecurity.com/post/102glv5/pandas-new-arsenal-part-3-smanager}, language = {Japanese}, urldate = {2021-01-01} } @online{hadar:20180116:globeimposter:6a2afda, author = {Alon Hadar}, title = {{GlobeImposter Ransomware}}, date = {2018-01-16}, organization = {enSilo}, url = {https://blog.ensilo.com/globeimposter-ransomware-technical}, language = {English}, urldate = {2019-07-09} } @online{hadi:20201214:learning:f4175a9, author = {Ali Hadi}, title = {{Learning about .NET Malware by Going Over the SUNBURST SolarWinds Backdoor}}, date = {2020-12-14}, organization = {Youtube (Ali Hadi)}, url = {https://www.youtube.com/watch?v=cMauHTV-lJg}, language = {English}, urldate = {2020-12-18} } @online{hahn:20161027:procleanerexe:bde4a80, author = {Karsten Hahn}, title = {{Tweet on procleaner.exe}}, date = {2016-10-27}, organization = {Twitter (@struppigel)}, url = {https://twitter.com/struppigel/status/791535679905927168}, language = {English}, urldate = {2019-11-26} } @online{hahn:20161218:unlock92:31d2259, author = {Karsten Hahn}, title = {{Tweet on Unlock92 Ransomware}}, date = {2016-12-18}, organization = {Twitter (@struppigel)}, url = {https://twitter.com/struppigel/status/810753660737073153}, language = {English}, urldate = {2020-01-07} } @online{hahn:20161219:cryptoblock:cd82b17, author = {Karsten Hahn}, title = {{Tweet on CryptoBlock}}, date = {2016-12-19}, organization = {Twitter (@struppigel)}, url = {https://twitter.com/struppigel/status/810770490491043840}, language = {English}, urldate = {2020-01-06} } @online{hahn:20161221:manifestus:d86e48c, author = {Karsten Hahn}, title = {{Tweet on Manifestus Ransomware}}, date = {2016-12-21}, organization = {Twitter (@struppigel)}, url = {https://twitter.com/struppigel/status/811587154983981056}, language = {English}, urldate = {2020-01-13} } @online{hahn:20161224:derialock:4ab9ba7, author = {Karsten 
Hahn}, title = {{Tweet on DeriaLock}}, date = {2016-12-24}, organization = {Twitter (@struppigel)}, url = {https://twitter.com/struppigel/status/812601286088597505}, language = {English}, urldate = {2019-11-26} } @online{hahn:20161224:kokokrypt:fb647ed, author = {Karsten Hahn}, title = {{Tweet on KoKoKrypt}}, date = {2016-12-24}, organization = {Twitter (@struppigel)}, url = {https://twitter.com/struppigel/status/812726545173401600}, language = {English}, urldate = {2020-01-08} } @online{hahn:20170105:comradecircle:246172d, author = {Karsten Hahn}, title = {{Tweet on ComradeCircle Ransomware}}, date = {2017-01-05}, organization = {Twitter (@struppigel)}, url = {https://twitter.com/struppigel/status/816926371867926528}, language = {English}, urldate = {2020-01-13} } @online{hahn:20170118:spora:43d64d0, author = {Karsten Hahn}, title = {{Spora - the Shortcut Worm that is also a Ransomware}}, date = {2017-01-18}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2017/01/29442-spora-worm-and-ransomware}, language = {English}, urldate = {2019-10-15} } @online{hahn:20171203:malware:b8a77b5, author = {Karsten Hahn}, title = {{Malware Analysis - ROKRAT Unpacking from Injected Shellcode}}, date = {2017-12-03}, url = {https://www.youtube.com/watch?v=uoBQE5s2ba4}, language = {English}, urldate = {2020-01-12} } @online{hahn:20180109:hiddentear:372b79c, author = {Karsten Hahn}, title = {{Tweet on HiddenTear Sample}}, date = {2018-01-09}, organization = {Twitter (@struppigel)}, url = {https://twitter.com/struppigel/status/950787783353884672}, language = {English}, urldate = {2019-12-04} } @online{hahn:20190520:yggdrasil:5a23fde, author = {Karsten Hahn}, title = {{Tweet on Yggdrasil / CinaRAT}}, date = {2019-05-20}, organization = {Twitter (@struppigel)}, url = {https://twitter.com/struppigel/status/1130455143504318466}, language = {English}, urldate = {2020-01-13} } @online{hahn:20191121:stop:a5c8118, author = {Karsten Hahn and Stefan Karpenstein}, title = 
{{STOP Ransomware: Finger weg von illegalen Software-Downloads}}, date = {2019-11-21}, organization = {G Data}, url = {https://www.gdata.de/blog/1970/01/-35391-finger-weg-von-illegalen-software-downloads}, language = {English}, urldate = {2020-01-10} }
@online{hahn:20200206:40000:3a0d792, author = {Karsten Hahn}, title = {{40,000 CryptBot Downloads per Day: Bitbucket Abused as Malware Slinger}}, date = {2020-02-06}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2020/02/35802-bitbucket-abused-as-malware-slinger}, language = {English}, urldate = {2020-04-02} }
@online{hahn:20200402:pekraut:479527e, author = {Karsten Hahn}, title = {{Pekraut - German RAT starts gnawing}}, date = {2020-04-02}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2020/04/35849-pekraut-german-rat-starts-gnawing}, language = {English}, urldate = {2020-04-06} }
@online{hahn:20200616:new:124c3d1, author = {Karsten Hahn}, title = {{New Java STRRAT ships with .crimson ransomware module}}, date = {2020-06-16}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/strrat-crimson}, language = {English}, urldate = {2020-06-16} }
@online{hahn:20200624:discordtokenstealer:2b4cc58, author = {Karsten Hahn}, title = {{Tweet on DiscordTokenStealer}}, date = {2020-06-24}, organization = {Twitter (@struppigel)}, url = {https://twitter.com/struppigel/status/1275731035184156675}, language = {English}, urldate = {2020-06-24} }
@online{hahn:20200901:dll:2af82dc, author = {Karsten Hahn}, title = {{DLL Fixer leads to Cyrat Ransomware}}, date = {2020-09-01}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/cyrat-ransomware}, language = {English}, urldate = {2020-09-01} }
@online{hahn:20201021:trat:389d7f3, author = {Karsten Hahn}, title = {{T-RAT 2.0: Malware control via smartphone}}, date = {2020-10-21}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/trat-control-via-smartphone}, language = {English}, urldate = {2020-10-23} }
@online{hahn:20201105:babax:3e78762, author = {Karsten Hahn}, title = {{Babax stealer rebrands to Osno, installs rootkit}}, date = {2020-11-05}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2020/11/36459-babax-stealer-rebrands-to-osno-installs-rootkit}, language = {English}, urldate = {2020-11-06} }
@online{hahn:20201201:icerat:bc43ba0, author = {Karsten Hahn}, title = {{IceRat evades antivirus by running PHP on Java VM}}, date = {2020-12-01}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/icerat-evades-antivirus-by-using-jphp}, language = {English}, urldate = {2020-12-03} }
@online{haigh:20200707:configuring:a0cb3d9, author = {Matthew Haigh and Trevor Haskell}, title = {{Configuring a Windows Domain to Dynamically Analyze an Obfuscated Lateral Movement Tool}}, date = {2020-07-07}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/07/configuring-windows-domain-dynamically-analyze-obfuscated-lateral-movement-tool.html}, language = {English}, urldate = {2020-08-18} }
@online{hajime:20180328:quick:2874046, author = {Hajime}, title = {{Quick summary about the Port 8291 scan}}, date = {2018-03-28}, organization = {Netlab}, url = {https://blog.netlab.360.com/quick-summary-port-8291-scan-en/}, language = {English}, urldate = {2020-01-07} }
@techreport{hajime:20200117:operation:ef488fd, author = {Takai Hajime}, title = {{Operation Bitter Biscuit}}, date = {2020-01-17}, institution = {NTT Security}, url = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_3_takai_jp.pdf}, language = {Japanese}, urldate = {2020-07-20} }
@online{hall:20201015:moobots:2aaf302, author = {Chris Hall}, title = {{Moobot's Cloud Migration}}, date = {2020-10-15}, organization = {lacework}, url = {https://www.lacework.com/moobots-cloud-migration/}, language = {English}, urldate = {2020-10-23} }
@online{hall:20201110:meet:a741348, author = {Chris Hall}, title = {{Meet Muhstik – IoT Botnet Infecting Cloud Servers}}, date = 
{2020-11-10}, organization = {lacework}, url = {https://www.lacework.com/meet-muhstik-iot-botnet-infecting-cloud-servers/}, language = {English}, urldate = {2020-11-12} } @online{hamacher:20191221:how:9d026a8, author = {Adriana Hamacher}, title = {{How ransomware exploded in the age of Bitcoin}}, date = {2019-12-21}, organization = {Decrypt}, url = {https://decrypt.co/15394/how-ransomware-exploded-in-the-age-of-btc}, language = {English}, urldate = {2020-01-13} } @online{hamada:20160725:patchwork:77fa6bb, author = {Joji Hamada}, title = {{Patchwork cyberespionage group expands targets from governments to wide range of industries}}, date = {2016-07-25}, organization = {Symantec}, url = {http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-targets-governments-wide-range-industries}, language = {English}, urldate = {2020-01-13} } @online{hamdan:20200929:getting:c01923a, author = {Kareem Hamdan and Lucas Miller}, title = {{Getting the Bacon from the Beacon}}, date = {2020-09-29}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/}, language = {English}, urldate = {2020-10-05} } @online{hamzeloofard:20200131:new:5d058ea, author = {Shahab Hamzeloofard}, title = {{New wave of PlugX targets Hong Kong}}, date = {2020-01-31}, organization = {Avira}, url = {https://insights.oem.avira.com/new-wave-of-plugx-targets-hong-kong/}, language = {English}, urldate = {2020-02-10} } @online{han:20171120:android:c3f825c, author = {Inhee Han}, title = {{Android Malware Appears Linked to Lazarus Cybercrime Group}}, date = {2017-11-20}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/mcafee-labs/android-malware-appears-linked-to-lazarus-cybercrime-group/#sf174581990}, language = {English}, urldate = {2019-12-17} } @online{hanel:20190110:big:7e10bdf, author = {Alexander Hanel}, title = {{Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware}}, date = {2019-01-10}, 
organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/}, language = {English}, urldate = {2019-12-20} } @online{hanel:20191101:wizard:a34a09e, author = {Alexander Hanel and Brett Stone-Gross}, title = {{WIZARD SPIDER Adds New Features to Ryuk for Targeting Hosts on LAN}}, date = {2019-11-01}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/wizard-spider-adds-new-feature-to-ryuk-ransomware/}, language = {English}, urldate = {2019-12-20} } @online{hankins:20201202:automated:7a91425, author = {Jamie Hankins}, title = {{Automated string de-gobfuscation}}, date = {2020-12-02}, organization = {Kryptos Logic}, url = {https://www.kryptoslogic.com/blog/2020/12/automated-string-de-gobfuscation/}, language = {English}, urldate = {2020-12-08} } @online{hao:20191109:apt34:550c673, author = {Mina Hao}, title = {{APT34 Event Analysis Report}}, date = {2019-11-09}, organization = {NSFOCUS}, url = {https://nsfocusglobal.com/apt34-event-analysis-report/}, language = {English}, urldate = {2020-03-09} } @online{haoming:20181129:analysis:6192262, author = {haoming}, title = {{Analysis Report of the Xorddos Malware Family}}, date = {2018-11-29}, organization = {NSFOCUS}, url = {https://blog.nsfocusglobal.com/threats/vulnerability-analysis/analysis-report-of-the-xorddos-malware-family/}, language = {English}, urldate = {2020-01-06} } @online{haoming:20181206:satan:69932c8, author = {haoming}, title = {{SATAN variant analysis & handling guide}}, date = {2018-12-06}, organization = {NSFOCUS}, url = {http://blog.nsfocusglobal.com/categories/trend-analysis/satan-variant-analysis-handling-guide/}, language = {English}, urldate = {2019-10-15} } @online{haq:20130924:now:3cc13be, author = {Thoufique Haq and Ned Moran}, title = {{Now You See Me - H-worm by Houdini}}, date = {2013-09-24}, organization = {FireEye}, url = 
{https://www.fireeye.com/blog/threat-research/2013/09/now-you-see-me-h-worm-by-houdini.html}, language = {English}, urldate = {2019-12-20} } @online{haq:20131031:know:e772ee9, author = {Thoufique Haq and Ned Moran}, title = {{Know Your Enemy: Tracking A Rapidly Evolving APT Actor}}, date = {2013-10-31}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html}, language = {English}, urldate = {2019-12-20} } @techreport{haq:20140930:operation:ce4e85c, author = {Thoufique Haq and Ned Moran and Sai Vashisht and Mike Scott}, title = {{OPERATION QUANTUM ENTANGLEMENT}}, date = {2014-09-30}, institution = {FireEye}, url = {https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf}, language = {English}, urldate = {2020-01-08} } @online{harakhavik:20190620:danabot:238fce9, author = {Yaroslav Harakhavik and Aliaksandr Chailytko}, title = {{DanaBot Demands a Ransom Payment}}, date = {2019-06-20}, organization = {Check Point}, url = {https://research.checkpoint.com/danabot-demands-a-ransom-payment/}, language = {English}, urldate = {2020-01-07} } @online{harakhavik:20200203:warzone:18606cf, author = {Yaroslav Harakhavik}, title = {{Warzone: Behind the enemy lines}}, date = {2020-02-03}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2020/warzone-behind-the-enemy-lines/}, language = {English}, urldate = {2020-02-03} } @online{harang:20201214:sophosreversinglabs:20ea30b, author = {Richard Harang}, title = {{Sophos-ReversingLabs (SOREL) 20 Million sample malware dataset}}, date = {2020-12-14}, organization = {Sophos}, url = {https://ai.sophos.com/2020/12/14/sophos-reversinglabs-sorel-20-million-sample-malware-dataset/}, language = {English}, urldate = {2020-12-15} } @online{harbison:20180413:say:920b109, author = {Mike Harbison and Simon Conant}, title = {{Say “Cheese”: WebMonitor RAT Comes with 
C2-as-a-Service (C2aaS)}}, date = {2018-04-13}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/04/unit42-say-cheese-webmonitor-rat-comes-c2-service-c2aas/}, language = {English}, urldate = {2019-12-20} }
@online{harbison:20180713:upatre:8d5e804, author = {Mike Harbison and Brittany Ash}, title = {{Upatre Continued to Evolve with new Anti-Analysis Techniques}}, date = {2018-07-13}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/}, language = {English}, urldate = {2019-12-20} }
@online{hardy:20170427:advanced:d1d61c4, author = {Colin Hardy}, title = {{Advanced Banload Analysis}}, date = {2017-04-27}, organization = {ColinGuru}, url = {https://colin.guru/index.php?title=Advanced_Banload_Analysis}, language = {English}, urldate = {2019-12-10} }
@online{hardy:20201215:cyberchef:9f25c79, author = {Colin Hardy}, title = {{Tweet on CyberChef recipe to extract and decode strings from \#SolarWinds malware binaries.}}, date = {2020-12-15}, organization = {Twitter (@cybercdh)}, url = {https://twitter.com/cybercdh/status/1338885244246765569}, language = {English}, urldate = {2020-12-17} }
@online{hardy:20201215:some:5b19d5f, author = {Colin Hardy}, title = {{Tweet on some more capabilities of SUNBURST backdoor}}, date = {2020-12-15}, organization = {Twitter (@cybercdh)}, url = {https://twitter.com/cybercdh/status/1338975171093336067}, language = {English}, urldate = {2020-12-18} }
@online{hardy:20201216:3:c3e0e68, author = {Colin Hardy}, title = {{Tweet on 3 key actions SUNBURST performs as soon as it's invoked}}, date = {2020-12-16}, organization = {Twitter (@cybercdh)}, url = {https://twitter.com/cybercdh/status/1339241246024404994}, language = {English}, urldate = {2020-12-18} }
@online{hardy:20201217:sunburst:059bdbe, author = {Colin Hardy}, title = {{SUNBURST SolarWinds Malware - Tools, Tactics and Methods to get you started with Reverse Engineering}}, date = {2020-12-17}, organization = {Youtube (Colin Hardy)}, url = {https://www.youtube.com/watch?v=JoMwrkijTZ8}, language = {English}, urldate = {2020-12-18} }
@online{hardy:20201222:sunburst:78b5056, author = {Colin Hardy}, title = {{SUNBURST SolarWinds RECON - Malware Reverse Engineering, OSINT and Identifying Victims}}, date = {2020-12-22}, organization = {Youtube (Colin Hardy)}, url = {https://www.youtube.com/watch?v=mbGN1xqy1jY}, language = {English}, urldate = {2020-12-23} }
@online{hardy:20201231:supernova:f852a43, author = {Colin Hardy}, title = {{SUPERNOVA - Everything you need to know to Reverse Engineer an APT WebShell}}, date = {2020-12-31}, organization = {Youtube (Colin Hardy)}, url = {https://www.youtube.com/watch?v=7WX5fCEzTlA}, language = {English}, urldate = {2021-01-04} }
@online{harley:20110302:tdl4:9071c3f, author = {David Harley}, title = {{TDL4 and Glupteba: Piggyback PiggyBugs}}, date = {2011-03-02}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2011/03/02/tdl4-and-glubteba-piggyback-piggybugs/}, language = {English}, urldate = {2019-11-14} }
@online{harley:20110714:cycbot:9e18833, author = {David Harley}, title = {{Cycbot: Ready to Ride}}, date = {2011-07-14}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2011/07/14/cycbot-ready-to-ride/}, language = {English}, urldate = {2019-11-14} }
@online{harmon:20190731:systembc:d98f03c, author = {Kade Harmon and Kafeine and Dennis Schwarz and {Proofpoint Threat Insight Team}}, title = {{SystemBC is like Christmas in July for SOCKS5 Malware and Exploit Kits}}, date = {2019-07-31}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/systembc-christmas-july-socks5-malware-and-exploit-kits}, language = {English}, urldate = {2019-12-20} }
@online{harpaz:20180215:trickbots:2cf1b53, author = {Ophir Harpaz and Magal Baz and Limor Kessem}, title = {{TrickBot’s Cryptocurrency Hunger: Tricking the Bitcoin Out of Wallets}}, date = {2018-02-15}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/trickbots-cryptocurrency-hunger-tricking-the-bitcoin-out-of-wallets/}, language = {English}, urldate = {2020-01-06} }
@online{harpaz:20200401:vollgar:b10972a, author = {Ophir Harpaz}, title = {{THE VOLLGAR CAMPAIGN: MS-SQL SERVERS UNDER ATTACK}}, date = {2020-04-01}, organization = {Guardicore}, url = {https://www.guardicore.com/2020/04/vollgar-ms-sql-servers-under-attack/}, language = {English}, urldate = {2020-04-07} }
@online{harpaz:20200819:fritzfrog:c2548e5, author = {Ophir Harpaz}, title = {{FritzFrog: A New Generation Of Peer-To-Peer Botnets}}, date = {2020-08-19}, organization = {Guardicore}, url = {https://www.guardicore.com/2020/08/fritzfrog-p2p-botnet-infects-ssh-servers/}, language = {English}, urldate = {2020-08-19} }
@online{harpaz:20201210:pleasereadme:cd5b2b6, author = {Ophir Harpaz and Omri Marom}, title = {{PLEASE\_READ\_ME: The Opportunistic Ransomware Devastating MySQL Servers}}, date = {2020-12-10}, organization = {Guardicore}, url = {https://www.guardicore.com/labs/please-read-me-opportunistic-ransomware-devastating-mysql-servers/}, language = {English}, urldate = {2020-12-14} }
@online{hartong:20201214:fireeye:d7c17f5, author = {Olaf Hartong}, title = {{FireEye Sunburst KQL Detections}}, date = {2020-12-14}, url = {https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f}, language = {English}, urldate = {2020-12-15} }
@online{haruyama:20190904:cb:7c71995, author = {Takahiro Haruyama}, title = {{CB TAU Threat Intelligence Notification: Winnti Malware 4.0}}, date = {2019-09-04}, organization = {Carbon Black}, url = {https://www.carbonblack.com/2019/09/04/cb-tau-threat-intelligence-notification-winnti-malware-4-0/}, language = {English}, urldate = {2019-12-17} }
@techreport{haruyama:20191024:defeating:4016e1f, author = {Takahiro Haruyama}, title = {{Defeating APT10 Compiler-level Obfuscations}}, 
date = {2019-10-24}, institution = {Carbon Black}, url = {https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Haruyama.pdf}, language = {English}, urldate = {2020-03-03} } @online{haruyama:20200220:threat:aa4ef11, author = {Takahiro Haruyama}, title = {{Threat Analysis: Active C2 Discovery Using Protocol Emulation Part2 (Winnti 4.0)}}, date = {2020-02-20}, organization = {Carbon Black}, url = {https://www.carbonblack.com/2020/02/20/threat-analysis-active-c2-discovery-using-protocol-emulation-part2-winnti-4-0/}, language = {English}, urldate = {2020-02-21} } @online{hasbini:20150928:gaza:0c6e96e, author = {Mohamad Amin Hasbini and Ghareeb Saad}, title = {{Gaza cybergang, where’s your IR team?}}, date = {2015-09-28}, organization = {Kaspersky Labs}, url = {https://securelist.com/gaza-cybergang-wheres-your-ir-team/72283/}, language = {English}, urldate = {2019-12-20} } @online{hasbini:20160817:operation:9bfa7d2, author = {Mohamad Amin Hasbini}, title = {{Operation Ghoul: targeted attacks on industrial and engineering organizations}}, date = {2016-08-17}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/75718/operation-ghoul-targeted-attacks-on-industrial-and-engineering-organizations/}, language = {English}, urldate = {2019-12-20} } @online{hasbini:20171030:gaza:7c531cc, author = {Mohamad Amin Hasbini and Ghareeb Saad}, title = {{Gaza Cybergang – updated activity in 2017:}}, date = {2017-10-30}, organization = {Kaspersky Labs}, url = {https://securelist.com/gaza-cybergang-updated-2017-activity/82765/}, language = {English}, urldate = {2019-12-20} } @online{haschek:20200608:a1:b166c86, author = {Christian Haschek}, title = {{The A1 Telekom Austria Hack}}, date = {2020-06-08}, organization = {Christian Haschek's Blog}, url = {https://blog.haschek.at/2020/the-a1-telekom-hack.html}, language = {English}, urldate = {2020-06-11} } @online{hasegawa:20191029:threat:180cf21, author = {Tatsuya Hasegawa}, title = {{Threat 
Spotlight: Neshta File Infector Endures}}, date = {2019-10-29}, organization = {Cylance}, url = {https://threatvector.cylance.com/en_us/home/threat-spotlight-neshta-file-infector-endures.html}, language = {English}, urldate = {2019-11-16} } @online{hasegawa:20200413:threat:57b739e, author = {Tatsuya Hasegawa and Masaki Kasuya}, title = {{Threat Spotlight: Gootkit Banking Trojan}}, date = {2020-04-13}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2020/04/threat-spotlight-gootkit-banking-trojan}, language = {English}, urldate = {2020-11-23} } @online{hasherezade:20150713:revisiting:391fe73, author = {hasherezade}, title = {{Revisiting The Bunitu Trojan}}, date = {2015-07-13}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2015/07/revisiting-the-bunitu-trojan/}, language = {English}, urldate = {2019-12-20} } @online{hasherezade:20150819:inside:1828f15, author = {hasherezade}, title = {{Inside Neutrino botnet builder}}, date = {2015-08-19}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2015/08/inside-neutrino-botnet-builder/}, language = {English}, urldate = {2019-12-20} } @online{hasherezade:20151104:technical:abd2b27, author = {hasherezade}, title = {{A Technical Look At Dyreza}}, date = {2015-11-04}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/}, language = {English}, urldate = {2019-12-20} } @online{hasherezade:20160202:dma:5d599e2, author = {hasherezade}, title = {{DMA Locker: New Ransomware, But No Reason To Panic}}, date = {2016-02-02}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/02/dma-locker-a-new-ransomware-but-no-reason-to-panic/}, language = {English}, urldate = {2019-12-20} } @online{hasherezade:20160209:dma:1fe0c43, author = {hasherezade}, title = {{DMA Locker Strikes Back}}, date = {2016-02-09}, organization = {Malwarebytes}, url = 
{https://blog.malwarebytes.com/threat-analysis/2016/02/dma-locker-strikes-back/}, language = {English}, urldate = {2019-12-20} } @online{hasherezade:20160301:look:fe35696, author = {hasherezade}, title = {{Look Into Locky Ransomware}}, date = {2016-03-01}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/03/look-into-locky/}, language = {English}, urldate = {2019-12-20} } @online{hasherezade:20160311:cerber:f1fb954, author = {hasherezade}, title = {{Cerber ransomware: new, but mature}}, date = {2016-03-11}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/03/cerber-ransomware-new-but-mature/}, language = {English}, urldate = {2019-12-20} } @online{hasherezade:20160324:maktub:fbe0f56, author = {hasherezade}, title = {{Maktub Locker – Beautiful And Dangerous}}, date = {2016-03-24}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/03/maktub-locker-beautiful-and-dangerous/}, language = {English}, urldate = {2019-12-20} } @online{hasherezade:20160506:7ev3n:6b6cfb1, author = {hasherezade}, title = {{7ev3n ransomware turning ‘HONE$T’}}, date = {2016-05-06}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/05/7ev3n-ransomware/}, language = {English}, urldate = {2019-12-20} } @online{hasherezade:20160519:petya:25c555f, author = {hasherezade}, title = {{Petya and Mischa – Ransomware Duet (Part 1)}}, date = {2016-05-19}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/05/petya-and-mischa-ransomware-duet-p1/}, language = {English}, urldate = {2019-12-20} } @online{hasherezade:20160523:dma:352692f, author = {hasherezade}, title = {{DMA Locker 4.0: Known ransomware preparing for a massive distribution}}, date = {2016-05-23}, organization = {Malwarebytes}, url = 
{https://blog.malwarebytes.com/threat-analysis/2016/05/dma-locker-4-0-known-ransomware-preparing-for-a-massive-distribution/}, language = {English}, urldate = {2019-12-20} } @online{hasherezade:20160625:rokku:be9fc6d, author = {hasherezade}, title = {{Rokku Ransomware shows possible link with Chimera}}, date = {2016-06-25}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/}, language = {English}, urldate = {2020-12-20} } @online{hasherezade:20161117:princess:378c704, author = {hasherezade}, title = {{Princess Locker decryptor}}, date = {2016-11-17}, organization = {hasherezade's 1001 nights}, url = {https://hshrzd.wordpress.com/2016/11/17/princess-locker-decryptor/}, language = {English}, urldate = {2020-01-10} } @online{hasherezade:20170614:unpacking:a820fac, author = {hasherezade}, title = {{Unpacking YoungLotus malware}}, date = {2017-06-14}, organization = {Youtube (hasherezade)}, url = {https://www.youtube.com/watch?v=AUGxYhE_CUY}, language = {English}, urldate = {2020-01-06} } @online{hasherezade:20171215:unpacking:8c8d58c, author = {hasherezade}, title = {{Unpacking Magniber ransomware with PE-sieve (former: 'hook_finder')}}, date = {2017-12-15}, url = {https://www.youtube.com/watch?v=lqWJaaofNf4}, language = {English}, urldate = {2019-10-23} } @online{hasherezade:20171230:unpacking:5477bb2, author = {hasherezade}, title = {{Unpacking TrickBot with PE-sieve}}, date = {2017-12-30}, organization = {Youtube (hasherezade)}, url = {https://www.youtube.com/watch?v=lTywPmZEU1A}, language = {English}, urldate = {2020-01-06} } @online{hasherezade:201801:coin:7ef1583, author = {hasherezade}, title = {{A coin miner with a “Heaven’s Gate”}}, date = {2018-01}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2018/01/a-coin-miner-with-a-heavens-gate/amp/}, language = {English}, urldate = {2019-12-04} } @online{hasherezade:20180223:avzhan:299cc86, author = {hasherezade}, title = 
{{Avzhan DDoS bot dropped by Chinese drive-by attack}}, date = {2018-02-23}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2018/02/avzhan-ddos-bot-dropped-by-chinese-drive-by-attack/}, language = {English}, urldate = {2019-12-20} } @online{hasherezade:20180301:blast:6bec8e3, author = {hasherezade}, title = {{Blast from the past: stowaway Virut delivered with Chinese DDoS bot}}, date = {2018-03-01}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2018/03/blast-from-the-past-stowaway-virut-delivered-with-chinese-ddos-bot/}, language = {English}, urldate = {2019-12-20} } @online{hasherezade:20180319:unpacking:150cdac, author = {hasherezade}, title = {{Unpacking Ursnif}}, date = {2018-03-19}, url = {https://www.youtube.com/watch?v=jlc7Ahp8Iqg}, language = {English}, urldate = {2019-12-24} } @online{hasherezade:20180331:deobfuscating:39c1be0, author = {hasherezade}, title = {{Deobfuscating TrickBot's strings with libPeConv}}, date = {2018-03-31}, organization = {Youtube (hasherezade)}, url = {https://www.youtube.com/watch?v=KMcSAlS9zGE}, language = {English}, urldate = {2020-01-13} } @online{hasherezade:20180726:hidden:76d28ed, author = {hasherezade and Jérôme Segura}, title = {{‘Hidden Bee’ miner delivered via improved drive-by download toolkit}}, date = {2018-07-26}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2018/07/hidden-bee-miner-delivered-via-improved-drive-by-download-toolkit/}, language = {English}, urldate = {2019-10-21} } @online{hasherezade:20181112:whats:e44d5f3, author = {hasherezade}, title = {{What’s new in TrickBot? 
Deobfuscating elements}}, date = {2018-11-12}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/malware-threat-analysis/2018/11/whats-new-trickbot-deobfuscating-elements/}, language = {English}, urldate = {2019-12-20} } @online{hasherezade:20190321:unpacking:8c38703, author = {hasherezade}, title = {{Unpacking Baldr stealer}}, date = {2019-03-21}, organization = {Youtube (hasherezade)}, url = {https://www.youtube.com/watch?v=E2V4kB_gtcQ}, language = {English}, urldate = {2019-07-11} } @online{hasherezade:20190406:unpacking:dc6a1be, author = {hasherezade}, title = {{Unpacking ISFB (including the custom 'PX' format)}}, date = {2019-04-06}, organization = {Youtube (hasherezade)}, url = {https://www.youtube.com/watch?v=KvOpNznu_3w}, language = {English}, urldate = {2019-11-29} } @online{hasherezade:20190531:hidden:14f8a1c, author = {hasherezade}, title = {{Hidden Bee: Let’s go down the rabbit hole}}, date = {2019-05-31}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2019/05/hidden-bee-lets-go-down-the-rabbit-hole/}, language = {English}, urldate = {2019-12-20} } @online{hasherezade:20190724:deep:c7d1aed, author = {hasherezade}, title = {{A deep dive into Phobos ransomware}}, date = {2019-07-24}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2019/07/a-deep-dive-into-phobos-ransomware/}, language = {English}, urldate = {2020-01-13} } @online{hasherezade:20190815:hidden:d93c104, author = {hasherezade}, title = {{The Hidden Bee infection chain, part 1: the stegano pack}}, date = {2019-08-15}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2019/08/the-hidden-bee-infection-chain-part-1-the-stegano-pack/}, language = {English}, urldate = {2019-12-20} } @techreport{hasherezade:20200521:silent:95b5ce7, author = {hasherezade and prsecurity}, title = {{The “Silent Night” Zloader/Zbot}}, date = {2020-05-21}, institution = 
{Malwarebytes}, url = {https://resources.malwarebytes.com/files/2020/05/The-Silent-Night-Zloader-Zbot_Final.pdf}, language = {English}, urldate = {2020-05-23} } @online{hasherezade:20201130:german:72b40c6, author = {hasherezade and Jérôme Segura}, title = {{German users targeted with Gootkit banker or REvil ransomware}}, date = {2020-11-30}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2020/11/german-users-targeted-with-gootkit-banker-or-revil-ransomware/}, language = {English}, urldate = {2020-12-03} } @online{hassold:20180326:silent:9ce69cd, author = {Crane Hassold}, title = {{Silent Librarian: More to the Story of the Iranian Mabna Institute Indictment}}, date = {2018-03-26}, organization = {PhishLabs}, url = {https://info.phishlabs.com/blog/silent-librarian-more-to-the-story-of-the-iranian-mabna-institute-indictment}, language = {English}, urldate = {2020-01-07} } @online{hassold:20180405:silent:288fac9, author = {Crane Hassold}, title = {{Silent Librarian University Attacks Continue Unabated in Days Following Indictment}}, date = {2018-04-05}, organization = {PhishLabs}, url = {https://info.phishlabs.com/blog/silent-librarian-university-attacks-continue-unabated-in-days-following-indictment}, language = {English}, urldate = {2019-10-23} } @online{haughom:20180806:reversing:8b4d9cf, author = {James Haughom}, title = {{Reversing Cerber - RaaS}}, date = {2018-08-06}, organization = {rinse and REpeat analysis}, url = {https://rinseandrepeatanalysis.blogspot.com/2018/08/reversing-cerber-raas.html}, language = {English}, urldate = {2020-01-08} } @online{haughom:20200310:iqy:1844f48, author = {James Haughom}, title = {{IQY files and Paradise Ransomware}}, date = {2020-03-10}, organization = {Lastline}, url = {https://www.lastline.com/labsblog/iqy-files-and-paradise-ransomware/}, language = {English}, urldate = {2020-06-17} } @online{haughom:20200602:evolution:3286d87, author = {James Haughom and Stefano Ortolani}, title = 
{{Evolution of Excel 4.0 Macro Weaponization}}, date = {2020-06-02}, organization = {Lastline Labs}, url = {https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/}, language = {English}, urldate = {2020-06-03} } @online{haughom:20201218:solarwinds:8e1f0c5, author = {James Haughom}, title = {{SolarWinds SUNBURST Backdoor: Inside the APT Campaign}}, date = {2020-12-18}, organization = {Sentinel LABS}, url = {https://labs.sentinelone.com/solarwinds-sunburst-backdoor-inside-the-stealthy-apt-campaign/}, language = {English}, urldate = {2020-12-19} } @online{hausding:20170707:94:4d1e639, author = {Michael Hausding}, title = {{94 .ch & .li domain names hijacked and used for drive-by}}, date = {2017-07-07}, organization = {SWITCH Security Blog}, url = {https://securityblog.switch.ch/2017/07/07/94-ch-li-domain-names-hijacked-and-used-for-drive-by/}, language = {English}, urldate = {2020-01-07} } @online{hausknecht:20200722:github:82e2b88, author = {Ryan Hausknecht}, title = {{Github Repository for PowerZure}}, date = {2020-07-22}, organization = {Github (hausec)}, url = {https://github.com/hausec/PowerZure}, language = {English}, urldate = {2020-08-18} } @online{hawley:20190129:apt39:926a2a1, author = {Sarah Hawley and Ben Read and Cristiana Brafman-Kittner and Nalani Fraser and Andrew Thompson and Yuri Rozhansky and Sanaz Yashar}, title = {{APT39: An Iranian Cyber Espionage Group Focused on Personal Information}}, date = {2019-01-29}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html}, language = {English}, urldate = {2019-12-20} } @online{hayashi:20130430:linuxcdorked:5456e0a, author = {Kaoru Hayashi and Joseph Bingham and Takayoshi Nakayama}, title = {{Linux.Cdorked}}, date = {2013-04-30}, organization = {Symantec}, url = {https://www.symantec.com/security-center/writeup/2013-050214-5501-99}, language = {English}, urldate = {2019-12-06} } 
@online{hayashi:20160509:krbanker:c59923f, author = {Kaoru Hayashi and Vicky Ray}, title = {{KRBanker Targets South Korea Through Adware and Exploit Kits}}, date = {2016-05-09}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2016/05/unit42-krbanker-targets-south-korea-through-adware-and-exploit-kits-2/}, language = {English}, urldate = {2019-12-20} } @online{hayashi:20160915:mile:302680e, author = {Kaoru Hayashi}, title = {{MILE TEA: Cyber Espionage Campaign Targets Asia Pacific Businesses and Government Agencies}}, date = {2016-09-15}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2016/09/mile-tea-cyber-espionage-campaign-targets-asia-pacific-businesses-and-government-agencies/}, language = {English}, urldate = {2019-12-20} } @online{hayashi:20170215:banking:c5e917c, author = {Kaoru Hayashi}, title = {{Banking Trojans: Ursnif Global Distribution Networks Identified}}, date = {2017-02-15}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/}, language = {English}, urldate = {2019-10-25} } @online{hayashi:20170725:tick:d89ab89, author = {Kaoru Hayashi}, title = {{“Tick” Group Continues Attacks}}, date = {2017-07-25}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/07/unit42-tick-group-continues-attacks/}, language = {English}, urldate = {2019-12-20} } @online{hayashi:20180731:bisonal:2ca3a6b, author = {Kaoru Hayashi and Vicky Ray}, title = {{Bisonal Malware Used in Attacks Against Russia and South Korea}}, date = {2018-07-31}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/}, language = {English}, urldate = {2019-12-20} } @online{hayashi:20180731:bisonal:8ca9ce6, author = {Kaoru Hayashi 
and Vicky Ray}, title = {{Bisonal Malware Used in Attacks Against Russia and South Korea}}, date = {2018-07-31}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-bisonal-malware-used-attacks-russia-south-korea/}, language = {English}, urldate = {2020-07-20} } @online{hazmalware:20161227:analysis:4038ecb, author = {Hazmalware}, title = {{ANALYSIS OF AUGUST STEALER MALWARE}}, date = {2016-12-27}, url = {https://hazmalware.blogspot.de/2016/12/analysis-of-august-stealer-malware.html}, language = {English}, urldate = {2019-11-22} } @online{hazum:20200709:new:5e06825, author = {Aviran Hazum and Bogdan Melnykov and Israel Wernik}, title = {{New Joker variant hits Google Play with an old trick}}, date = {2020-07-09}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2020/new-joker-variant-hits-google-play-with-an-old-trick/}, language = {English}, urldate = {2020-07-11} } @online{hazum:20201203:vulnerability:6459e24, author = {Aviran Hazum and Jonathan Shimonovich}, title = {{Vulnerability in Google Play Core Library Remains Unpatched in Google Play Applications}}, date = {2020-12-03}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2020/vulnerability-in-google-play-core-library-remains-unpatched-in-google-play-applications/}, language = {English}, urldate = {2020-12-08} } @techreport{hc3:20201002:report:0ca373f, author = {Health Sector Cybersecurity Coordination Center (HC3)}, title = {{Report 202010021600: Recent Bazarloader Use in Ransomware Campaigns}}, date = {2020-10-02}, institution = {Health Sector Cybersecurity Coordination Center (HC3)}, url = {https://www.hhs.gov/sites/default/files/bazarloader.pdf}, language = {English}, urldate = {2020-11-02} } @techreport{heal:2018:complete:96388ed, author = {Quick Heal}, title = {{The Complete story of EMOTET Most prominent Malware of 2018}}, date = {2018}, institution = {Quick Heal}, url = 
{https://quickheal.co.in/documents/technical-paper/Whitepaper_HowToPM.pdf}, language = {English}, urldate = {2020-01-13} } @online{hegde:20201117:nibiru:7a0faf4, author = {Nikhil Hegde}, title = {{Nibiru ransomware variant decryptor}}, date = {2020-11-17}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/11/Nibiru-ransomware.html}, language = {English}, urldate = {2020-11-19} } @online{hegel:20170711:winnti:e03c673, author = {Tom Hegel and Nate Marx}, title = {{Winnti (LEAD/APT17) Evolution - Going Open Source}}, date = {2017-07-11}, organization = {401TRG}, url = {https://401trg.pw/winnti-evolution-going-open-source/}, language = {English}, urldate = {2019-12-18} } @online{hegel:20171016:update:9033e56, author = {Tom Hegel}, title = {{An Update on Winnti (LEAD/APT17)}}, date = {2017-10-16}, organization = {401TRG}, url = {https://401trg.pw/an-update-on-winnti/}, language = {English}, urldate = {2019-08-05} } @online{hegel:20180503:burning:2837854, author = {Tom Hegel}, title = {{Burning Umbrella: An Intelligence Report on the Winnti Umbrella and Associated State-Sponsored Attackers}}, date = {2018-05-03}, organization = {ProtectWise}, url = {https://401trg.com/burning-umbrella/}, language = {English}, urldate = {2019-10-15} } @online{heinemeyer:20200402:catching:b7f137d, author = {Max Heinemeyer}, title = {{Catching APT41 exploiting a zero-day vulnerability}}, date = {2020-04-02}, organization = {Darktrace}, url = {https://www.darktrace.com/en/blog/catching-apt-41-exploiting-a-zero-day-vulnerability/}, language = {English}, urldate = {2020-04-13} } @online{helling:20200516:high:cf7dadf, author = {Robert Helling}, title = {{High Performance Hackers}}, date = {2020-05-16}, organization = {atdotde}, url = {https://atdotde.blogspot.com/2020/05/high-performance-hackers.html}, language = {English}, urldate = {2020-05-18} } @online{henderson:20180711:chinese:f0f3cbc, author = {Scott Henderson and Steve Miller and Dan Perez and Marcin Siedlarz 
and Ben Wilson and Ben Read}, title = {{Chinese Espionage Group TEMP.Periscope Targets Cambodia Ahead of July 2018 Elections and Reveals Broad Operations Globally}}, date = {2018-07-11}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2018/07/chinese-espionage-group-targets-cambodia-ahead-of-elections.html}, language = {English}, urldate = {2019-12-20} } @online{henderson:20200422:vietnamese:d9dc0db, author = {Scott Henderson and Gabby Roncone and Sarah Jones and John Hultquist and Ben Read}, title = {{Vietnamese Threat Actors APT32 Targeting Wuhan Government and Chinese Ministry of Emergency Management in Latest Example of COVID-19 Related Espionage}}, date = {2020-04-22}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/04/apt32-targeting-chinese-government-in-covid-19-related-espionage.html}, language = {English}, urldate = {2020-04-26} } @online{henkel:20200818:decrypt:e395f6d, author = {Mario Henkel}, title = {{Decrypt MassLogger 2.4.0.0 configuration}}, date = {2020-08-18}, organization = {Medium mariohenkel}, url = {https://medium.com/@mariohenkel/decrypt-masslogger-2-4-0-0-configuration-eff3ee0720a7}, language = {English}, urldate = {2020-08-18} } @online{henkel:20200903:decrypting:16cd7a9, author = {Mario Henkel}, title = {{Decrypting AgentTesla strings and config}}, date = {2020-09-03}, organization = {Medium mariohenkel}, url = {https://medium.com/@mariohenkel/decrypting-agenttesla-strings-and-config-b9000b18c996?sk=fcead9538516eeb3daa7b53cb537f6f4}, language = {English}, urldate = {2020-09-03} } @online{henkel:20200910:decrypting:2bcb10d, author = {Mario Henkel}, title = {{Decrypting NanoCore config and dump all plugins}}, date = {2020-09-10}, organization = {Medium mariohenkel}, url = {https://medium.com/@mariohenkel/decrypting-nanocore-config-and-dump-all-plugins-f4944bfaba52}, language = {English}, urldate = {2020-09-10} } @online{heppner:20170227:betabot:68ba19f, author = {Ted Heppner}, 
title = {{Betabot: Configuration Data Extraction}}, date = {2017-02-27}, organization = {Sophos}, url = {https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/BetaBot.pdf?la=en}, language = {English}, urldate = {2020-01-13} } @online{herman:20200207:magecart:185b67b, author = {Jordan Herman}, title = {{Magecart Group 12’s Latest: Actors Behind Attacks on Olympics Ticket Re-sellers Deftly Swapped Domains to Continue Campaign}}, date = {2020-02-07}, organization = {RiskIQ}, url = {https://www.riskiq.com/blog/labs/magecart-group-12-olympics/}, language = {English}, urldate = {2020-02-09} } @online{herman:20200609:misconfigured:75c6908, author = {Jordan Herman}, title = {{Misconfigured Amazon S3 Buckets Continue to be a Launchpad for Malicious Code}}, date = {2020-06-09}, organization = {RiskIQ}, url = {https://www.riskiq.com/blog/labs/misconfigured-s3-buckets/}, language = {English}, urldate = {2020-06-10} } @online{herman:20200902:inter:93b8c50, author = {Jordan Herman}, title = {{The Inter Skimmer Kit}}, date = {2020-09-02}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/30f22a00}, language = {English}, urldate = {2020-09-04} } @online{herman:20201111:magecart:8137a1f, author = {Jordan Herman}, title = {{Magecart Group 12: End of Life Magento Sites Infested with Ants and Cockroaches}}, date = {2020-11-11}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/fda1f967}, language = {English}, urldate = {2020-11-18} } @online{herman:20201118:grelos:7b6e4d2, author = {Jordan Herman}, title = {{The Grelos Skimmer: A New Variant}}, date = {2020-11-18}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/8c4b4a7a}, language = {English}, urldate = {2020-11-23} } @online{hern:20170703:notpetya:ba6bc6c, author = {Alex Hern}, title = {{'NotPetya' malware attacks could warrant retaliation, says Nato affiliated-researcher}}, date = {2017-07-03}, organization = {The Guardian}, url = 
{https://www.theguardian.com/technology/2017/jul/03/notpetya-malware-attacks-ukraine-warrant-retaliation-nato-researcher-tomas-minarik}, language = {English}, urldate = {2019-07-11} } @online{hernandez:20170622:new:a5cf2c6, author = {Erye Hernandez and Danny Tsechansky}, title = {{The New and Improved macOS Backdoor from OceanLotus}}, date = {2017-06-22}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/06/unit42-new-improved-macos-backdoor-oceanlotus/}, language = {English}, urldate = {2019-12-20} } @online{hernandez:20200529:phishers:2759c33, author = {Elmer Hernandez}, title = {{Phishers Cast a Wider Net in the African Banking Sector}}, date = {2020-05-29}, organization = {Cofense}, url = {https://cofense.com/phishers-cast-wider-net-african-banking-sector/}, language = {English}, urldate = {2020-06-02} } @techreport{herr:20200729:breaking:d37db04, author = {Trey Herr and June Lee and William Loomis and Stewart Scott}, title = {{BREAKING TRUST: Shades of Crisis Across an Insecure Software Supply Chain}}, date = {2020-07-29}, institution = {Atlantic Council}, url = {https://www.atlanticcouncil.org/wp-content/uploads/2020/07/Breaking-trust-Shades-of-crisis-across-an-insecure-software-supply-chain.pdf}, language = {English}, urldate = {2020-08-05} } @online{herwig:20190224:measurement:01d44af, author = {Stephen Herwig and Katura Harvey and George Hughey and Richard Roberts and Dave Levin}, title = {{Measurement and Analysis of Hajime, a Peer-to-peer IoT Botnet}}, date = {2019-02-24}, organization = {NDSS}, url = {https://par.nsf.gov/servlets/purl/10096257}, language = {English}, urldate = {2020-10-12} } @online{herzog:20181014:godzilla:0f2194a, author = {Ben Herzog}, title = {{Godzilla Loader and the Long Tail of Malware}}, date = {2018-10-14}, organization = {Check Point}, url = {https://research.checkpoint.com/godzilla-loader-and-the-long-tail-of-malware/}, language = {English}, urldate = {2020-01-09} } 
@online{herzog:20190520:malware:dac1524, author = {Ben Herzog}, title = {{Malware Against the C Monoculture}}, date = {2019-05-20}, organization = {Check Point}, url = {https://research.checkpoint.com/malware-against-the-c-monoculture/}, language = {English}, urldate = {2019-10-14} } @online{hfiref0x:20150328:uacme:f1b9f62, author = {hfiref0x}, title = {{UACME}}, date = {2015-03-28}, organization = {Github (hfiref0x)}, url = {https://github.com/hfiref0x/UACME}, language = {English}, urldate = {2020-01-06} } @online{hfiref0x:20190419:tdl:31ca191, author = {hfiref0x}, title = {{TDL (Turla Driver Loader) Repository}}, date = {2019-04-19}, organization = {Github (hfiref0x)}, url = {https://github.com/hfiref0x/TDL}, language = {English}, urldate = {2020-01-08} } @online{hfiref0x:20200120:dustman:70f16bf, author = {hfiref0x}, title = {{Dustman APT: Art of Copy-Paste}}, date = {2020-01-20}, organization = {The Vault Blog}, url = {https://swapcontext.blogspot.com/2020/01/dustman-apt-art-of-copy-paste.html}, language = {English}, urldate = {2020-01-22} } @online{higgins:20151013:prolific:0b6089c, author = {Kelly Jackson Higgins}, title = {{Prolific Cybercrime Gang Favors Legit Login Credentials}}, date = {2015-10-13}, organization = {DARKReading}, url = {https://www.darkreading.com/analytics/prolific-cybercrime-gang-favors-legit-login-credentials/d/d-id/1322645?}, language = {English}, urldate = {2020-01-10} } @online{higgins:20160209:chinese:1d80f84, author = {Kelly Jackson Higgins}, title = {{Chinese Cyberspies Pivot To Russia In Wake Of Obama-Xi Pact}}, date = {2016-02-09}, organization = {DARKReading}, url = {http://www.darkreading.com/endpoint/chinese-cyberspies-pivot-to-russia-in-wake-of-obama-xi-pact/d/d-id/1324242}, language = {English}, urldate = {2020-01-09} } @online{higgins:20190924:iranian:4966d90, author = {Kelly Jackson Higgins}, title = {{Iranian Government Hackers Target US Veterans}}, date = {2019-09-24}, organization = {DARKReading}, url = 
{https://www.darkreading.com/threat-intelligence/iranian-government-hackers-target-us-veterans/d/d-id/1335897}, language = {English}, urldate = {2020-03-22} } @online{hilt:20160914:bksod:f75ef88, author = {Stephen Hilt and William Gamazo Sanchez}, title = {{BkSoD by Ransomware: HDDCryptor Uses Commercial Tools to Encrypt Network Shares and Lock HDDs}}, date = {2016-09-14}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/bksod-by-ransomware-hddcryptor-uses-commercial-tools-to-encrypt-network-shares-and-lock-hdds/}, language = {English}, urldate = {2020-01-09} } @online{hilt:20170824:malicious:7a258f4, author = {Stephen Hilt and Lord Alfred Remorin}, title = {{Malicious Chrome Extensions Stealing Roblox In-Game Currency, Sending Cookies via Discord}}, date = {2017-08-24}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/malicous-chrome-extensions-stealing-roblox-game-currency-sending-cookies-via-discord/}, language = {English}, urldate = {2019-12-16} } @online{hinchliffe:20170831:updated:fd02a16, author = {Alex Hinchliffe and Jen Miller-Osborn}, title = {{Updated KHRAT Malware Used in Cambodia Attacks}}, date = {2017-08-31}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/08/unit42-updated-khrat-malware-used-in-cambodia-attacks/}, language = {English}, urldate = {2019-12-20} } @online{hinchliffe:20180313:henbox:4d61efe, author = {Alex Hinchliffe and Mike Harbison and Jen Miller-Osborn and Tom Lancaster}, title = {{HenBox: The Chickens Come Home to Roost}}, date = {2018-03-13}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/}, language = {English}, urldate = {2020-01-09} } @online{hinchliffe:20190226:farseer:62554e3, author = {Alex Hinchliffe and Mike Harbison}, title = {{Farseer: Previously Unknown Malware Family bolsters the Chinese 
armoury}}, date = {2019-02-26}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/farseer-previously-unknown-malware-family-bolsters-the-chinese-armoury/}, language = {English}, urldate = {2020-01-08} } @online{hinchliffe:20191003:pkplug:4a43ea5, author = {Alex Hinchliffe}, title = {{PKPLUG: Chinese Cyber Espionage Group Attacking Asia}}, date = {2019-10-03}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/pkplug_chinese_cyber_espionage_group_attacking_asia/}, language = {English}, urldate = {2020-01-07} } @online{hinchliffe:20200302:pulling:35771e7, author = {Alex Hinchliffe}, title = {{Pulling the PKPLUG: the adversary playbook for the long-standing espionage activity of a Chinese nation-state adversary}}, date = {2020-03-02}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-pulling-pkplug-adversary-playbook-long-standing-espionage-activity-chinese-nation-state-adversary/}, language = {English}, urldate = {2020-03-02} } @techreport{hines:20040130:mydoomb:1946152, author = {Eric S. 
Hines}, title = {{MyDoom.B Worm Analysis}}, date = {2004-01-30}, institution = {Applied Watch Technologies}, url = {http://ivanlef0u.fr/repo/madchat/vxdevl/papers/analysis/mydoom_b_analysis.pdf}, language = {English}, urldate = {2019-10-14} } @online{hirani:20190110:global:a53ec6a, author = {Muks Hirani and Sarah Jones and Ben Read}, title = {{Global DNS Hijacking Campaign: DNS Record Manipulation at Scale}}, date = {2019-01-10}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html}, language = {English}, urldate = {2019-12-20} } @online{hiroaki:20190827:ta505:9bcbff1, author = {Hara Hiroaki and Jaromír Hořejší and Loseway Lu}, title = {{TA505 At It Again: Variety is the Spice of ServHelper and FlawedAmmyy}}, date = {2019-08-27}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/ta505-at-it-again-variety-is-the-spice-of-servhelper-and-flawedammyy/}, language = {English}, urldate = {2019-11-27} } @online{hjelmvik:20141027:full:83d84ee, author = {Erik Hjelmvik}, title = {{Full Disclosure of Havex Trojans}}, date = {2014-10-27}, organization = {Netresec}, url = {http://www.netresec.com/?page=Blog&month=2014-10&post=Full-Disclosure-of-Havex-Trojans}, language = {English}, urldate = {2019-11-29} } @online{hjelmvik:20201217:reassembling:2a2f222, author = {Erik Hjelmvik}, title = {{Reassembling Victim Domain Fragments from SUNBURST DNS}}, date = {2020-12-17}, organization = {Netresec}, url = {https://www.netresec.com/?page=Blog&month=2020-12&post=Reassembling-Victim-Domain-Fragments-from-SUNBURST-DNS}, language = {English}, urldate = {2020-12-18} } @online{hjelmvik:20201229:extracting:1640842, author = {Erik Hjelmvik}, title = {{Extracting Security Products from SUNBURST DNS Beacons}}, date = {2020-12-29}, organization = {Netresec}, url = 
{https://www.netresec.com/?page=Blog&month=2020-12&post=Extracting-Security-Products-from-SUNBURST-DNS-Beacons}, language = {English}, urldate = {2021-01-04} } @online{hjelmvik:20210104:finding:d869bd9, author = {Erik Hjelmvik}, title = {{Finding Targeted SUNBURST Victims with pDNS}}, date = {2021-01-04}, organization = {Netresec}, url = {https://netresec.com/?b=2113a6a}, language = {English}, urldate = {2021-01-05} } @online{hk:20200429:gazorp:3aef446, author = {Fred HK}, title = {{Gazorp - Thieving from thieves}}, date = {2020-04-29}, organization = {FR3D.HK}, url = {https://fr3d.hk/blog/gazorp-thieving-from-thieves}, language = {English}, urldate = {2020-05-06} } @online{hk:20200810:diamondfox:d2a194b, author = {Fred HK}, title = {{DiamondFox - Bank Robbers will be replaced}}, date = {2020-08-10}, organization = {FR3D.HK}, url = {https://fr3d.hk/blog/diamondfox-bank-robbers-will-be-replaced}, language = {English}, urldate = {2020-08-12} } @online{hladik:20200730:obscured:41a50f3, author = {Joseph Hladik and Josh Fleischer}, title = {{Obscured by Clouds: Insights into Office 365 Attacks and How Mandiant Managed Defense Investigates}}, date = {2020-07-30}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/07/insights-into-office-365-attacks-and-how-managed-defense-investigates.html}, language = {English}, urldate = {2020-08-05} } @online{hlavek:20201221:russian:804662f, author = {Adam Hlavek and Kimberly Ortiz}, title = {{Russian cyber attack campaigns and actors}}, date = {2020-12-21}, organization = {IronNet}, url = {https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors}, language = {English}, urldate = {2021-01-05} } @online{hlavek:20201224:china:723bed3, author = {Adam Hlavek}, title = {{China cyber attacks: the current threat landscape}}, date = {2020-12-24}, organization = {IronNet}, url = {https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape}, language = {English}, urldate = 
{2021-01-01} } @online{hoej:20161226:alphabet:3e422a6, author = {Jaromír Hořejší}, title = {{Tweet on Alphabet Ransomware}}, date = {2016-12-26}, organization = {Twitter (@JaromirHorejsi)}, url = {https://twitter.com/JaromirHorejsi/status/813714602466877440}, language = {English}, urldate = {2019-10-15} } @online{hoej:20161227:adamlocker:9266526, author = {Jaromír Hořejší}, title = {{Tweet on AdamLocker}}, date = {2016-12-27}, organization = {Twitter (@JaromirHorejsi)}, url = {https://twitter.com/JaromirHorejsi/status/813712587997249536}, language = {English}, urldate = {2020-01-10} } @online{hoej:20161227:shelllocker:e32df2e, author = {Jaromír Hořejší}, title = {{Tweet on ShellLocker}}, date = {2016-12-27}, organization = {Twitter (JaromirHorejsi)}, url = {https://twitter.com/JaromirHorejsi/status/813726714228604928}, language = {English}, urldate = {2019-12-10} } @online{hoej:20161227:venuslocker:0a9196a, author = {Jaromír Hořejší}, title = {{Tweet on VenusLocker}}, date = {2016-12-27}, organization = {Twitter (@JaromirHorejsi)}, url = {https://twitter.com/JaromirHorejsi/status/813690129088937984}, language = {English}, urldate = {2020-01-09} } @online{hoej:20170102:new:adaeda4, author = {Jaromír Hořejší}, title = {{Tweet on new ransomware}}, date = {2017-01-02}, organization = {Twitter (JaromirHorejsi)}, url = {https://twitter.com/JaromirHorejsi/status/815949909648150528}, language = {English}, urldate = {2019-12-04} } @online{hoej:20170102:ransomware:d94c3dd, author = {Jaromír Hořejší}, title = {{Tweet on Ransomware}}, date = {2017-01-02}, organization = {Twitter (JaromirHorejsi)}, url = {https://twitter.com/JaromirHorejsi/status/815861135882780673}, language = {English}, urldate = {2020-01-09} } @online{hoej:20170103:red:ed15894, author = {Jaromír Hořejší}, title = {{Tweet on Red Alert}}, date = {2017-01-03}, organization = {Twitter (@JaromirHorejsi)}, url = {https://twitter.com/JaromirHorejsi/status/816237293073797121}, language = {English}, urldate = 
{2020-01-09} } @online{hoej:20170106:cockblocker:90b91b4, author = {Jaromír Hořejší}, title = {{Tweet on Cockblocker Ransomware}}, date = {2017-01-06}, organization = {Twitter (JaromirHorejsi)}, url = {https://twitter.com/JaromirHorejsi/status/817311664391524352}, language = {English}, urldate = {2020-01-08} } @online{hoej:20170109:virustotal:0db44ac, author = {Jaromír Hořejší}, title = {{Tweet on Virustotal Sample}}, date = {2017-01-09}, organization = {Twitter (@JaromirHorejsi)}, url = {https://twitter.com/JaromirHorejsi/status/818369717371027456}, language = {English}, urldate = {2020-01-05} } @online{hoej:20170622:filecoder:ac5445f, author = {Jaromír Hořejší}, title = {{Tweet on Filecoder}}, date = {2017-06-22}, organization = {Twitter (@JaromirHorejsi)}, url = {https://twitter.com/JaromirHorejsi/status/877811773826641920}, language = {English}, urldate = {2020-01-13} } @online{hoej:20171005:syscon:48eb01a, author = {Jaromír Hořejší}, title = {{SYSCON Backdoor Uses FTP as a C&C Channel}}, date = {2017-10-05}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/syscon-backdoor-uses-ftp-as-a-cc-channel/}, language = {English}, urldate = {2019-10-14} } @online{hoej:20180312:campaign:00eb661, author = {Jaromír Hořejší}, title = {{Campaign Possibly Connected to “MuddyWater” Surfaces in the Middle East and Central Asia}}, date = {2018-03-12}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/campaign-possibly-connected-muddywater-surfaces-middle-east-central-asia/}, language = {English}, urldate = {2020-01-13} } @online{hoej:20180314:tropic:352cf22, author = {Jaromír Hořejší and Joey Chen and Joseph C. 
Chen}, title = {{Tropic Trooper’s New Strategy}}, date = {2018-03-14}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/}, language = {English}, urldate = {2020-01-09} } @online{hoej:20180404:new:16fe860, author = {Jaromír Hořejší}, title = {{New MacOS Backdoor Linked to OceanLotus Found}}, date = {2018-04-04}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/}, language = {English}, urldate = {2020-01-13} } @online{hoej:20180821:supply:d426e6b, author = {Jaromír Hořejší and Joseph C. Chen and Kawabata Kohei and Kenney Lu}, title = {{Supply Chain Attack Operation Red Signature Targets South Korean Organizations}}, date = {2018-08-21}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/supply-chain-attack-operation-red-signature-targets-south-korean-organizations/}, language = {English}, urldate = {2020-01-06} } @online{hoej:20190904:glupteba:230e916, author = {Jaromír Hořejší and Joseph C. Chen}, title = {{Glupteba Campaign Hits Network Routers and Updates C&C Servers with Data from Bitcoin Transactions}}, date = {2019-09-04}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions/}, language = {English}, urldate = {2020-01-10} } @techreport{hoej:20191001:new:4a49a90, author = {Jaromír Hořejší and Joseph C. Chen}, title = {{New Fileless Botnet Novter Distributed by KovCoreG Malvertising Campaign}}, date = {2019-10-01}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/Tech-Brief-New-Fileless-Botnet-Novter-Distributed-by-KovCoreG-Malvertising-Campaign.pdf}, language = {English}, urldate = {2019-12-18} } @online{hoej:20191001:new:feb95a9, author = {Jaromír Hořejší and Joseph C. 
Chen}, title = {{New Fileless Botnet Novter Distributed by KovCoreG Malvertising Campaign}}, date = {2019-10-01}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/new-fileless-botnet-novter-distributed-by-kovcoreg-malvertising-campaign/}, language = {English}, urldate = {2019-10-15} } @techreport{hoej:20200311:operation:782b803, author = {Jaromír Hořejší and Joseph Chen}, title = {{Operation Overtrap Targets Japanese Online Banking Users Via Bottle Exploit Kit and Brand-New Cinobi Banking Trojan: Technical Brief}}, date = {2020-03-11}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/pdf/Tech%20Brief_Operation%20Overtrap%20Targets%20Japanese%20Online%20Banking%20Users.pdf}, language = {English}, urldate = {2020-03-11} } @online{hoej:20200311:operation:f03d64e, author = {Jaromír Hořejší and Joseph Chen}, title = {{Operation Overtrap Targets Japanese Online Banking Users Via Bottle Exploit Kit and Brand-New Cinobi Banking Trojan}}, date = {2020-03-11}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/operation-overtrap-targets-japanese-online-banking-users-via-bottle-exploit-kit-and-brand-new-cinobi-banking-trojan/}, language = {English}, urldate = {2020-03-11} } @techreport{hoej:20201003:earth:688aaf8, author = {Jaromír Hořejší and Daniel Lunghi and Cedric Pernet and Kazuki Fujisawa}, title = {{Earth Akhlut: Exploring the Tools, Tactics, and Procedures of an Advanced Threat Actor Operating a Large Infrastructure}}, date = {2020-10-03}, institution = {Trend Micro}, url = {https://vblocalhost.com/uploads/VB2020-Lunghi-Horejsi.pdf}, language = {English}, urldate = {2020-10-06} } @online{hoej:20201124:analysis:9e93ede, author = {Jaromír Hořejší and David Fiser}, title = {{Analysis of Kinsing Malware's Use of Rootkit}}, date = {2020-11-24}, organization = {Trend Micro}, url = 
{https://www.trendmicro.com/en_us/research/20/k/analysis-of-kinsing-malwares-use-of-rootkit.html}, language = {English}, urldate = {2020-11-25} } @online{hoffman:20141125:curious:57f7b6a, author = {Nick Hoffman}, title = {{Curious Korlia}}, date = {2014-11-25}, organization = {Adventures in Security}, url = {https://securitykitten.github.io/2014/11/25/curious-korlia.html}, language = {English}, urldate = {2019-10-18} } @online{hoffman:20141126:getmypass:5028f5e, author = {Nick Hoffman}, title = {{Getmypass Point of Sale Malware}}, date = {2014-11-26}, url = {https://securitykitten.github.io/2014/11/26/getmypass-point-of-sale-malware.html}, language = {English}, urldate = {2020-01-08} } @online{hoffman:20141201:lusypos:3df4156, author = {Nick Hoffman}, title = {{LusyPOS and Tor}}, date = {2014-12-01}, organization = {SecurityKitten Blog}, url = {https://securitykitten.github.io/2014/12/01/lusypos-and-tor.html}, language = {English}, urldate = {2019-08-07} } @online{hoffman:20150108:getmypass:1fa4beb, author = {Nick Hoffman}, title = {{Getmypass Point of Sale Malware Update}}, date = {2015-01-08}, organization = {SecurityKitten Blog}, url = {https://securitykitten.github.io/2015/01/08/getmypass-point-of-sale-malware-update.html}, language = {English}, urldate = {2019-07-10} } @online{hoffman:20150111:mozart:025c466, author = {Nick Hoffman}, title = {{The Mozart RAM Scraper}}, date = {2015-01-11}, organization = {Security Kitten Blog}, url = {https://securitykitten.github.io/2015/01/11/the-mozart-ram-scraper.html}, language = {English}, urldate = {2020-01-06} } @online{hoffman:20150714:bernhardpos:c1e10e7, author = {Nick Hoffman}, title = {{BernhardPOS}}, date = {2015-07-14}, url = {https://securitykitten.github.io/2015/07/14/bernhardpos.html}, language = {English}, urldate = {2020-01-08} } @online{hoffman:20151116:introducing:eed78d1, author = {Nick Hoffman}, title = {{Introducing LogPOS}}, date = {2015-11-16}, url = 
{https://securitykitten.github.io/2015/11/16/logpos-new-point-of-sale-malware-using-mailslots.html}, language = {English}, urldate = {2020-01-07} } @online{hoffman:20161115:scanpos:4f3423a, author = {Nick Hoffman}, title = {{ScanPOS, new POS malware being distributed by Kronos}}, date = {2016-11-15}, url = {https://securitykitten.github.io/2016/11/15/scanpos.html}, language = {English}, urldate = {2020-01-08} } @online{hoffman:20161128:klrd:dc173ab, author = {Nick Hoffman}, title = {{The KLRD Keylogger}}, date = {2016-11-28}, organization = {SecurityKitten Blog}, url = {https://securitykitten.github.io/2016/11/28/the-klrd-keylogger.html}, language = {English}, urldate = {2020-01-08} } @online{hoffman:20161214:mikey:300fbdb, author = {Nick Hoffman}, title = {{MiKey - A Linux keylogger}}, date = {2016-12-14}, organization = {Adventures in Security}, url = {https://securitykitten.github.io/2016/12/14/mikey.html}, language = {English}, urldate = {2020-01-08} } @techreport{hoffman:20170215:deep:37a8ef5, author = {Nick Hoffman and Jeremy Humble}, title = {{Deep Dive on the DragonOK Rambo Backdoor}}, date = {2017-02-15}, institution = {Morphick}, url = {https://github.com/m0n0ph1/APT_CyberCriminal_Campagin_Collections-1/blob/master/2017/2017.02.15.deep-dive-dragonok-rambo-backdoor/Deep%20Dive%20on%20the%20DragonOK%20Rambo%20Backdoor%20_%20Morphick%20Cyber%20Security.pdf}, language = {English}, urldate = {2020-04-08} } @online{hoffman:20170215:rambo:fef31fe, author = {Nick Hoffman}, title = {{The Rambo Backdoor}}, date = {2017-02-15}, organization = {Adventures in Security}, url = {https://securitykitten.github.io/2017/02/15/the-rambo-backdoor.html}, language = {English}, urldate = {2020-01-10} } @techreport{holban:201805:mtrends:b30aba2, author = {Anca Holban}, title = {{M-Trends May 2018: From the field}}, date = {2018-05}, institution = {FireEye}, url = {https://mkd-cirt.mk/wp-content/uploads/2018/08/20181009_3_1_M-Trends2018-May-2018-compressed.pdf}, language = 
{English}, urldate = {2020-01-06} } @online{holland:20190719:analysis:06a9a1c, author = {Alex Holland}, title = {{An Analysis of L0rdix RAT, Panel and Builder}}, date = {2019-07-19}, organization = {HP}, url = {https://www.bromium.com/an-analysis-of-l0rdix-rat-panel-and-builder/}, language = {English}, urldate = {2020-01-07} } @online{holland:20190801:decrypting:3885751, author = {Alex Holland}, title = {{Decrypting L0rdix RAT’s C2}}, date = {2019-08-01}, organization = {Bromium}, url = {https://www.bromium.com/decrypting-l0rdix-rats-c2/}, language = {English}, urldate = {2020-01-07} } @online{holland:20190903:deobfuscating:22e33f3, author = {Alex Holland}, title = {{Deobfuscating Ostap: TrickBot’s 34,000 Line JavaScript Downloader}}, date = {2019-09-03}, organization = {Bromium}, url = {https://www.bromium.com/deobfuscating-ostap-trickbots-javascript-downloader/}, language = {English}, urldate = {2020-01-06} } @online{holland:20190905:l0rdix:2472b65, author = {Alex Holland}, title = {{l0rdix C2 traffic decryptor}}, date = {2019-09-05}, organization = {Github (cryptogramfan)}, url = {https://github.com/cryptogramfan/Malware-Analysis-Scripts/blob/master/decrypt_l0rdix_c2.py}, language = {English}, urldate = {2020-01-13} } @online{holland:20190912:ostap:9374bd2, author = {Alex Holland}, title = {{Ostap Deobfuscation script}}, date = {2019-09-12}, organization = {Github (cryptogramfan)}, url = {https://github.com/cryptogramfan/Malware-Analysis-Scripts/blob/master/deobfuscate_ostap.py}, language = {English}, urldate = {2020-01-06} } @online{holland:20200621:investigating:1dc98a0, author = {Alex Holland}, title = {{Investigating Threats in HP Sure Controller 4.2: TVRAT}}, date = {2020-06-21}, organization = {Bromium}, url = {https://threatresearch.ext.hp.com/investigating-threats-in-hp-sure-controller-4-2/}, language = {English}, urldate = {2020-07-11} } @online{holland:20201008:droppers:b8a580e, author = {Alex Holland}, title = {{Droppers, Downloaders and TrickBot: 
Detecting a Stealthy COVID-19-themed Campaign using Toolmarks}}, date = {2020-10-08}, organization = {Bromium}, url = {https://threatresearch.ext.hp.com/detecting-a-stealthy-trickbot-campaign/}, language = {English}, urldate = {2020-10-29} } @online{holland:20201127:aggah:7dd38ba, author = {Alex Holland}, title = {{Aggah Campaign’s Latest Tactics: Victimology, PowerPoint Dropper and Cryptocurrency Stealer}}, date = {2020-11-27}, organization = {HP}, url = {https://threatresearch.ext.hp.com/aggah-campaigns-latest-tactics-victimology-powerpoint-dropper-and-cryptocurrency-stealer/}, language = {English}, urldate = {2020-11-27} } @techreport{honeywell:202006:usb:0b58405, author = {{Honeywell}}, title = {{USB Security-Myths vs. Reality}}, date = {2020-06}, institution = {Honeywell}, url = {http://honeywellprocess.blob.core.windows.net/public/Marketing/White-Paper-USB-Security-Myths-vs-Reality.pdf}, language = {English}, urldate = {2020-07-15} } @online{hopfengetraenk:20190525:fasdisassembler:aed58f5, author = {Hopfengetraenk}, title = {{Fas-Disassembler for Visuallisp 0.8}}, date = {2019-05-25}, organization = {Github (Hopfengetraenk)}, url = {https://github.com/Hopfengetraenk/Fas-Disasm}, language = {English}, urldate = {2020-01-13} } @techreport{hork:20191206:demystifying:1285ddd, author = {Juraj Horňák and Jakub Souček}, title = {{Demystifying banking trojans from Latin America}}, date = {2019-12-06}, institution = {Botconf}, url = {https://www.botconf.eu/wp-content/uploads/2019/12/B2019-Soucek-Hornak-DemystifyingBankingTrojansFromLatinAmerica.pdf}, language = {English}, urldate = {2020-05-05} } @online{hosseini:20170718:ten:600fd92, author = {Ashkan Hosseini}, title = {{Ten process injection techniques: A technical survey of common and trending process injection techniques}}, date = {2017-07-18}, organization = {Elastic}, url = {https://www.elastic.co/de/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process}, language = {English}, urldate = 
{2020-07-15} } @online{hosseini:20170718:ten:af036b3, author = {Ashkan Hosseini}, title = {{Ten process injection techniques: A technical survey of common and trending process injection techniques}}, date = {2017-07-18}, organization = {Elastic}, url = {https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process}, language = {English}, urldate = {2020-07-15} } @online{hosseini:20170718:ten:fa1e393, author = {Ashkan Hosseini}, title = {{Ten Process Injection Techniques: A Technical Survey of Common and Trending Process Injection Techniques}}, date = {2017-07-18}, organization = {Endgame}, url = {https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process}, language = {English}, urldate = {2020-01-09} } @online{hpp:20200507:ruhruniversitt:7991318, author = {hpp}, title = {{Ruhr-Universität Bochum meldet Computerangriff}}, date = {2020-05-07}, organization = {Der Spiegel}, url = {https://www.spiegel.de/netzwelt/web/ruhr-uni-bochum-offenbar-opfer-von-computerangriff-a-c42754cc-72dc-4d34-8b58-bb0008619c05?utm_source=dlvr.it&utm_medium=twitter#ref=rss}, language = {English}, urldate = {2020-07-06} } @online{hrka:20191126:stantinko:0fbdd59, author = {Vladislav Hrčka}, title = {{Stantinko botnet adds cryptomining to its pool of criminal activities}}, date = {2019-11-26}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/11/26/stantinko-botnet-adds-cryptomining-criminal-activities/}, language = {English}, urldate = {2020-01-12} } @online{hrka:20200319:stantinkos:b6a60f8, author = {Vladislav Hrčka}, title = {{Stantinko’s new cryptominer features unique obfuscation techniques}}, date = {2020-03-19}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/03/19/stantinko-new-cryptominer-unique-obfuscation-techniques/}, language = {English}, urldate = {2020-03-26} } @online{hrka:20200807:stadeo:9fc4787, author = {Vladislav 
Hrčka}, title = {{Stadeo: Deobfuscating Stantinko and more}}, date = {2020-08-07}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/08/07/stadeo-deobfuscating-stantinko-and-more/}, language = {English}, urldate = {2020-08-14} } @online{hromcov:20180607:invisimole:5c5f0ed, author = {Zuzana Hromcová}, title = {{InvisiMole: Surprisingly equipped spyware, undercover since 2013}}, date = {2018-06-07}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/}, language = {English}, urldate = {2019-11-14} } @online{hromcov:20190708:malicious:f712ebc, author = {Zuzana Hromcová}, title = {{Malicious campaign targets South Korean users with backdoor‑laced torrents}}, date = {2019-07-08}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/}, language = {English}, urldate = {2019-11-14} } @online{hromcov:20190718:okrum:3841a95, author = {Zuzana Hromcová}, title = {{Okrum: Ke3chang group targets diplomatic missions}}, date = {2019-07-18}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/07/18/okrum-ke3chang-targets-diplomatic-missions/}, language = {English}, urldate = {2019-11-14} } @online{hromcov:20190814:in:4da809c, author = {Zuzana Hromcová}, title = {{In the Balkans, businesses are under fire from a double‑barreled weapon}}, date = {2019-08-14}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/08/14/balkans-businesses-double-barreled-weapon/}, language = {English}, urldate = {2019-11-14} } @online{hromcov:20191010:eset:70f9671, author = {Zuzana Hromcová}, title = {{ESET discovers Attor, a spy platform with curious GSM fingerprinting}}, date = {2019-10-10}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/10/10/eset-discovers-attor-spy-platform}, language = {English}, urldate = {2020-04-06} } @online{hromcov:20191010:eset:d4155ed, author = 
{Zuzana Hromcová}, title = {{ESET discovers Attor, a spy platform with curious GSM fingerprinting}}, date = {2019-10-10}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/10/10/eset-discovers-attor-spy-platform/}, language = {English}, urldate = {2020-02-13} } @techreport{hromcov:201910:at:3b4754e, author = {Zuzana Hromcová}, title = {{AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM}}, date = {2019-10}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf}, language = {English}, urldate = {2020-01-13} } @techreport{hromcov:20200608:invisimole:70a4dc1, author = {Zuzana Hromcová and Anton Cherepanov}, title = {{InvisiMole: The Hidden Part of the Story - Unearthing InvisiMole's Espionage Toolset and Strategic Cooperations}}, date = {2020-06-08}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf}, language = {English}, urldate = {2020-06-29} } @online{hromcov:20200618:digging:285d02f, author = {Zuzana Hromcová and Anton Cherepanov}, title = {{Digging up InvisiMole’s hidden arsenal}}, date = {2020-06-18}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/06/18/digging-up-invisimole-hidden-arsenal/}, language = {English}, urldate = {2020-06-29} } @online{hron:20200925:fresh:41ed4d0, author = {Martin Hron}, title = {{The Fresh Smell of ransomed coffee}}, date = {2020-09-25}, organization = {Avast Decoded}, url = {https://decoded.avast.io/martinhron/the-fresh-smell-of-ransomed-coffee/}, language = {English}, urldate = {2020-09-25} } @online{hsu:20200624:lucifer:5fc044c, author = {Ken Hsu and Durgesh Sangvikar and Zhibin Zhang and Chris Navarrete}, title = {{Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices}}, date = {2020-06-24}, organization = {Palo Alto Networks Unit 42}, url = 
{https://unit42.paloaltonetworks.com/lucifer-new-cryptojacking-and-ddos-hybrid-malware/}, language = {English}, urldate = {2020-06-24} } @online{hsu:20201014:two:aa1efb9, author = {Ken Hsu and Yue Guan and Vaibhav Singhal and Qi Deng}, title = {{Two New IoT Vulnerabilities Identified with Mirai Payloads}}, date = {2020-10-14}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/iot-vulnerabilities-mirai-payloads/}, language = {English}, urldate = {2020-10-23} } @online{huang:20170705:security:8819459, author = {Kevin Y. Huang}, title = {{Security 101: The Impact of Cryptocurrency-Mining Malware}}, date = {2017-07-05}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/security-101-the-impact-of-cryptocurrency-mining-malware}, language = {English}, urldate = {2020-01-07} } @online{hulcoop:20161117:its:b644801, author = {Adam Hulcoop and Matt Brooks and Etienne Maynier and John Scott-Railton and Masashi Crete-Nishihata}, title = {{It’s Parliamentary - KeyBoy and the targeting of the Tibetan Community}}, date = {2016-11-17}, organization = {CitizenLab}, url = {https://citizenlab.ca/2016/11/parliament-keyboy/}, language = {English}, urldate = {2019-07-11} } @online{hultquist:20190416:spear:a0125cb, author = {John Hultquist and Ben Read and Oleg Bondarenko and Chi-en Shen}, title = {{Spear Phishing Campaign Targets Ukraine Government and Military; Infrastructure Reveals Potential Link to So-Called Luhansk People's Republic}}, date = {2019-04-16}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/04/spear-phishing-campaign-targets-ukraine-government.html}, language = {English}, urldate = {2019-12-20} } @online{humphrey:20180612:cve20178570:4d94250, author = {Ben Humphrey}, title = {{CVE-2017-8570 RTF and the Sisfader RAT}}, date = {2018-06-12}, organization = {NCC Group}, url = 
{https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/june/cve-2017-8750-rtf-and-the-sisfader-rat/}, language = {English}, urldate = {2020-01-07} } @online{humphrey:20181122:turla:de7f30a, author = {Ben Humphrey}, title = {{Turla PNG Dropper is back}}, date = {2018-11-22}, organization = {NCC Group}, url = {https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/}, language = {English}, urldate = {2019-11-21} } @online{hungenberg:20191106:emotet:1605954, author = {Thomas Hungenberg}, title = {{Emotet, Trickbot, Ryuk – ein explosiver Malware-Cocktail}}, date = {2019-11-06}, organization = {Heise Security}, url = {https://www.heise.de/security/artikel/Emotet-Trickbot-Ryuk-ein-explosiver-Malware-Cocktail-4573848.html}, language = {German}, urldate = {2020-01-06} } @online{hunter:20181120:l0rdix:bf0024c, author = {Ben Hunter}, title = {{L0RDIX: MULTIPURPOSE ATTACK TOOL}}, date = {2018-11-20}, organization = {enSilo}, url = {https://blog.ensilo.com/l0rdix-attack-tool}, language = {English}, urldate = {2019-12-17} } @online{hunter:20190524:uncovering:7d8776e, author = {Ben Hunter}, title = {{Uncovering new Activity by APT10}}, date = {2019-05-24}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/uncovering-new-activity-by-apt-}, language = {English}, urldate = {2020-11-04} } @online{hunter:20200701:ekans:46605bc, author = {Ben Hunter and Fred Gutierrez}, title = {{EKANS Ransomware Targeting OT ICS Systems}}, date = {2020-07-01}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/ekans-ransomware-targeting-ot-ics-systems}, language = {English}, urldate = {2020-07-06} } @online{huntley:20201016:how:baafd73, author = {Shane Huntley and {Google Threat Analysis Group}}, title = {{How we're tackling evolving online threats}}, date = {2020-10-16}, organization = {Google}, url = 
{https://blog.google/threat-analysis-group/how-were-tackling-evolving-online-threats}, language = {English}, urldate = {2020-10-23} } @online{huntley:20201117:tag:74d7811, author = {Shane Huntley and {Google Threat Analysis Group}}, title = {{TAG Bulletin: Q4 2020}}, date = {2020-11-17}, organization = {Google}, url = {https://blog.google/threat-analysis-group/tag-bulletin-q4-2020/}, language = {English}, urldate = {2020-11-19} } @techreport{huq:201409:pos:e79a593, author = {Numaan Huq}, title = {{PoS RAM Scraper Malware}}, date = {2014-09}, institution = {Wired}, url = {https://www.wired.com/wp-content/uploads/2014/09/wp-pos-ram-scraper-malware.pdf}, language = {English}, urldate = {2020-01-07} } @online{huq:20160919:untangling:daa62bd, author = {Numaan Huq}, title = {{Untangling the Ripper ATM Malware}}, date = {2016-09-19}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/untangling-ripper-atm-malware/}, language = {English}, urldate = {2019-11-26} } @online{hurk:20191010:nemty:3be8553, author = {Frank van den Hurk}, title = {{Nemty update: decryptors for Nemty 1.5 and 1.6}}, date = {2019-10-10}, organization = {Tesorion}, url = {https://www.tesorion.nl/nemty-update-decryptors-for-nemty-1-5-and-1-6/}, language = {English}, urldate = {2019-10-23} } @online{hurley:20170703:notpetya:1453645, author = {Shaun Hurley and Karan Sood}, title = {{NotPetya Technical Analysis Part II: Further Findings and Potential for MBR Recovery}}, date = {2017-07-03}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/petrwrap-technical-analysis-part-2-further-findings-and-potential-for-mbr-recovery/}, language = {English}, urldate = {2019-12-20} } @online{hurley:20190103:digging:5219f6d, author = {Shaun Hurley and James Scalise}, title = {{Digging into BokBot’s Core Module}}, date = {2019-01-03}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/digging-into-bokbots-core-module/}, language = {English}, 
urldate = {2019-12-20} } @online{hurley:20190321:interception:7e57329, author = {Shaun Hurley and James Scalise}, title = {{Interception: Dissecting BokBot’s “Man in the Browser”}}, date = {2019-03-21}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/bokbots-man-in-the-browser-overview/}, language = {English}, urldate = {2019-12-20} } @online{hurley:20200501:many:22ed72c, author = {Shaun Hurley}, title = {{The Many Paths Through Maze}}, date = {2020-05-01}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/maze-ransomware-deobfuscation/}, language = {English}, urldate = {2020-05-05} } @online{huss:20151111:abaddonpos:ca72c4c, author = {Darien Huss}, title = {{AbaddonPOS: A new point of sale threat linked to Vawtrak}}, date = {2015-11-11}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/AbaddonPOS-A-New-Point-Of-Sale-Threat-Linked-To-Vawtrak}, language = {English}, urldate = {2019-12-20} } @online{huss:20160128:exploring:7f85d44, author = {Darien Huss}, title = {{Exploring Bergard: Old Malware with New Tricks}}, date = {2016-01-28}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks}, language = {English}, urldate = {2019-12-20} } @techreport{huss:20160301:operation:65330f0, author = {Darien Huss}, title = {{Operation Transparent Tribe}}, date = {2016-03-01}, institution = {Proofpoint}, url = {https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf}, language = {English}, urldate = {2019-12-02} } @online{huss:20170202:oops:ea454d5, author = {Darien Huss and Pierre T and Axel F and {Proofpoint Staff}}, title = {{Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX}}, date = {2017-02-02}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx}, language = {English}, urldate = {2019-12-20} } 
@online{huss:20170817:turla:b519667, author = {Darien Huss}, title = {{Turla APT actor refreshes KopiLuwak JavaScript backdoor for use in G20-themed attack}}, date = {2017-08-17}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/turla-apt-actor-refreshes-kopiluwak-javascript-backdoor-use-g20-themed-attack}, language = {English}, urldate = {2019-12-20} } @online{huss:20170825:operation:87e2e2b, author = {Darien Huss and Matthew Mesa}, title = {{Operation RAT Cook: Chinese APT actors use fake Game of Thrones leaks as lures}}, date = {2017-08-25}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/operation-rat-cook-chinese-apt-actors-use-fake-game-thrones-leaks-lures}, language = {English}, urldate = {2019-12-20} } @techreport{huss:20171219:north:b2da03e, author = {Darien Huss}, title = {{North Korea Bitten by Bitcoin Bug}}, date = {2017-12-19}, institution = {Proofpoint}, url = {https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf}, language = {English}, urldate = {2019-10-18} } @online{huss:20171219:north:e5ef6da, author = {Darien Huss}, title = {{North Korea Bitten by Bitcoin Bug: Financially motivated campaigns reveal new dimension of the Lazarus Group}}, date = {2017-12-19}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/north-korea-bitten-bitcoin-bug-financially-motivated-campaigns-reveal-new}, language = {English}, urldate = {2019-12-20} } @techreport{huss:20180129:north:438b45d, author = {Darien Huss}, title = {{North Korea Bitten by Bitcoin Bug}}, date = {2018-01-29}, institution = {Proofpoint}, url = {https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug-180129.pdf}, language = {English}, urldate = {2020-01-05} } @online{hussey:20200625:golden:51322e2, author = {Brian Hussey}, title = {{The Golden Tax Department and the Emergence of GoldenSpy Malware}}, date = 
{2020-06-25}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-golden-tax-department-and-the-emergence-of-goldenspy-malware/}, language = {English}, urldate = {2020-06-26} } @online{hussey:20200630:goldenspy:1ecdff8, author = {Brian Hussey}, title = {{GoldenSpy: Chapter Two - The Uninstaller}}, date = {2020-06-30}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/goldenspy-chapter-two-the-uninstaller/}, language = {English}, urldate = {2020-07-02} } @online{hussey:20200702:goldenspy:31c222a, author = {Brian Hussey}, title = {{GoldenSpy Chapter 3: New and Improved Uninstaller}}, date = {2020-07-02}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/goldenspy-chapter-3-new-and-improved-uninstaller/}, language = {English}, urldate = {2020-07-15} } @online{hussey:20200714:goldenspy:a870540, author = {Brian Hussey}, title = {{GoldenSpy Chapter 4: GoldenHelper Malware Embedded in Official Golden Tax Software}}, date = {2020-07-14}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/goldenspy-chapter-4-goldenhelper-malware-embedded-in-official-golden-tax-software/}, language = {English}, urldate = {2020-07-15} } @online{huynh:20200806:bypassing:83c2a87, author = {Nhan Huynh}, title = {{Bypassing MassLogger Anti-Analysis — a Man-in-the-Middle Approach}}, date = {2020-08-06}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/08/bypassing-masslogger-anti-analysis-man-in-the-middle-approach.html}, language = {English}, urldate = {2020-08-12} } @online{hvistendahl:20201217:russian:af455a9, author = {Mara Hvistendahl and Micah Lee and Jordan Smith}, title = {{Russian Hackers Have Been Inside Austin City Network for Months}}, date = {2020-12-17}, organization = {The Intercept}, url = {https://theintercept.com/2020/12/17/russia-hack-austin-texas/}, 
language = {English}, urldate = {2020-12-23} } @online{hybridanalysis:20150413:sqlconnt1exe:86539cc, author = {{Hybrid-Analysis}}, title = {{sqlconnt1.exe}}, date = {2015-04-13}, organization = {Hybrid-Analysis}, url = {https://www.hybrid-analysis.com/sample/5d631d77401615d53f3ce3dbc2bfee5d934602dc35d488aa7cebf9b3ff1c4816?environmentId=2}, language = {English}, urldate = {2020-01-13} } @online{hybridanalysis:20180208:analysis:70d43bc, author = {{Hybrid-Analysis}}, title = {{Analysis Run}}, date = {2018-02-08}, organization = {Hybrid-Analysis}, url = {https://www.hybrid-analysis.com/sample/dfc56a704b5e031f3b0d2d0ea1d06f9157758ad950483b44ac4b77d33293cb38?environmentId=100}, language = {English}, urldate = {2020-01-08} } @online{hydro:20190416:cyber:ada48a4, author = {{Norsk Hydro}}, title = {{The cyber attack rescue operation in Hydro Toulouse}}, date = {2019-04-16}, organization = {Youtube (Norsk Hydro)}, url = {https://www.youtube.com/watch?v=o6eEN0mUakM}, language = {English}, urldate = {2020-01-13} } @online{hyppnen:20110828:windows:e9fb853, author = {Mikko Hyppönen}, title = {{Windows Remote Desktop Worm "Morto" Spreading}}, date = {2011-08-28}, organization = {F-Secure}, url = {https://www.f-secure.com/weblog/archives/00002227.html}, language = {English}, urldate = {2019-07-11} } @online{iddon:20201027:mtr:3b62ca9, author = {Greg Iddon}, title = {{MTR Casebook: An active adversary caught in the act}}, date = {2020-10-27}, organization = {Sophos Managed Threat Response (MTR)}, url = {https://news.sophos.com/en-us/2020/10/27/mtr-casebook-an-active-adversary-caught-in-the-act/}, language = {English}, urldate = {2020-11-02} } @online{idf:20170205:hamas:b96235f, author = {{IDF}}, title = {{Hamas Uses Fake Facebook Profiles to Target Israeli Soldiers}}, date = {2017-02-05}, organization = {IDF}, url = {https://www.idf.il/en/minisites/hamas/hamas-uses-fake-facebook-profiles-to-target-israeli-soldiers/}, language = {English}, urldate = {2019-12-31} } 
@online{ihm:20201216:skimming:608e648, author = {Mia Ihm and Cory Kennedy and Jordan Herman}, title = {{Skimming a Little Off the Top: Meyhod’s Skimming Methods Hit Hairloss Specialists}}, date = {2020-12-16}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/14924d61}, language = {English}, urldate = {2020-12-17} } @online{ii:20181220:with:8e827ba, author = {Remillano, II, Augusto and Mark Vicente}, title = {{With Mirai Comes Miori: IoT Botnet Delivered via ThinkPHP Remote Code Execution Exploit}}, date = {2018-12-20}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/with-mirai-comes-miori-iot-botnet-delivered-via-thinkphp-remote-code-execution-exploit/}, language = {English}, urldate = {2019-11-29} } @online{ii:20190507:cve20193396:42de798, author = {Remillano, II, Augusto and Robert Malagad}, title = {{CVE-2019-3396 Redux: Confluence Vulnerability Exploited to Deliver Cryptocurrency Miner With Rootkit}}, date = {2019-05-07}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/cve-2019-3396-redux-confluence-vulnerability-exploited-to-deliver-cryptocurrency-miner-with-rootkit/}, language = {English}, urldate = {2020-01-13} } @online{ii:20200622:xorddos:d41d1a7, author = {Remillano, II, Augusto}, title = {{XORDDoS, Kaiji Botnet Malware Variants Target Exposed Docker Servers}}, date = {2020-06-22}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers/}, language = {English}, urldate = {2020-06-24} } @online{ii:20200908:exposed:baa98d4, author = {Remillano, II, Augusto}, title = {{Exposed Docker Server Abused to Drop Cryptominer, DDoS Bot}}, date = {2020-09-08}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/20/i/exposed-docker-server-abused-to-drop-cryptominer-ddos-bot-.html}, language = {English}, urldate = {2020-09-23} } 
@online{ilascu:20180822:turla:b3753aa, author = {Ionut Ilascu}, title = {{Turla Outlook Backdoor Uses Clever Tactics for Stealth and Persistence}}, date = {2018-08-22}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/turla-outlook-backdoor-uses-clever-tactics-for-stealth-and-persistence/}, language = {English}, urldate = {2019-12-20} } @online{ilascu:20180830:cobalt:a5490e1, author = {Ionut Ilascu}, title = {{Cobalt Hacking Group Tests Banks In Russia and Romania}}, date = {2018-08-30}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/cobalt-hacking-group-tests-banks-in-russia-and-romania/}, language = {English}, urldate = {2019-12-20} } @online{ilascu:20180905:windows:8d74121, author = {Ionut Ilascu}, title = {{Windows Task Scheduler Zero Day Exploited by Malware}}, date = {2018-09-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/windows-task-scheduler-zero-day-exploited-by-malware/}, language = {English}, urldate = {2019-12-20} } @online{ilascu:20180907:domestic:18a5d5c, author = {Ionut Ilascu}, title = {{Domestic Kitten APT Operates in Silence Since 2016}}, date = {2018-09-07}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/domestic-kitten-apt-operates-in-silence-since-2016/}, language = {English}, urldate = {2019-12-20} } @online{ilascu:20180911:british:392218c, author = {Ionut Ilascu}, title = {{British Airways Fell Victim To Card Scraping Attack}}, date = {2018-09-11}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/british-airways-fell-victim-to-card-scraping-attack/}, language = {English}, urldate = {2019-12-20} } @online{ilascu:20180927:apt28:12917be, author = {Ionut Ilascu}, title = {{APT28 Uses LoJax, First UEFI Rootkit Seen in the Wild}}, date = {2018-09-27}, organization = {Bleeping Computer}, url = 
{https://www.bleepingcomputer.com/news/security/apt28-uses-lojax-first-uefi-rootkit-seen-in-the-wild/}, language = {English}, urldate = {2019-12-20} } @online{ilascu:20181001:report:67e6316, author = {Ionut Ilascu}, title = {{Report Ties North Korean Attacks to New Malware, Linked by Word Macros}}, date = {2018-10-01}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/report-ties-north-korean-attacks-to-new-malware-linked-by-word-macros/}, language = {English}, urldate = {2019-12-20} } @online{ilascu:20181009:magecart:fc6ccf4, author = {Ionut Ilascu}, title = {{Magecart Group Compromises Plugin Used in Thousands of Stores, Makes Rookie Mistake}}, date = {2018-10-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/magecart-group-compromises-plugin-used-in-thousands-of-stores-makes-rookie-mistake/}, language = {English}, urldate = {2019-12-20} } @online{ilascu:20181121:magecart:e366b8b, author = {Ionut Ilascu}, title = {{MageCart Group Sabotages Rival to Ruin Data and Reputation}}, date = {2018-11-21}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/magecart-group-sabotages-rival-to-ruin-data-and-reputation/}, language = {English}, urldate = {2019-12-20} } @online{ilascu:20181207:netbooks:a99cef1, author = {Ionut Ilascu}, title = {{Netbooks, RPis, \& Bash Bunny Gear - Attacking Banks from the Inside}}, date = {2018-12-07}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/netbooks-rpis-and-bash-bunny-gear-attacking-banks-from-the-inside/}, language = {English}, urldate = {2019-12-20} } @online{ilascu:20190107:gandcrab:8167b7f, author = {Ionut Ilascu}, title = {{GandCrab Operators Use Vidar Infostealer as a Forerunner}}, date = {2019-01-07}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/gandcrab-operators-use-vidar-infostealer-as-a-forerunner/}, language = 
{English}, urldate = {2019-12-20} } @online{ilascu:20190110:ta505:12f4881, author = {Ionut Ilascu}, title = {{TA505 Group Adopts New ServHelper Backdoor and FlawedGrace RAT}}, date = {2019-01-10}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ta505-group-adopts-new-servhelper-backdoor-and-flawedgrace-rat/}, language = {English}, urldate = {2019-12-20} } @online{ilascu:20190123:new:113a751, author = {Ionut Ilascu}, title = {{New Anatova Ransomware Supports Modules for Extra Functionality}}, date = {2019-01-23}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-anatova-ransomware-supports-modules-for-extra-functionality/}, language = {English}, urldate = {2019-12-20} } @online{ilascu:20190130:new:5c2d8da, author = {Ionut Ilascu}, title = {{New LockerGoga Ransomware Allegedly Used in Altran Attack}}, date = {2019-01-30}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-lockergoga-ransomware-allegedly-used-in-altran-attack/}, language = {English}, urldate = {2019-12-20} } @online{ilascu:20190222:cr1ptt0r:990b8aa, author = {Ionut Ilascu}, title = {{Cr1ptT0r Ransomware Infects D-Link NAS Devices, Targets Embedded Systems}}, date = {2019-02-22}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/cr1ptt0r-ransomware-infects-d-link-nas-devices-targets-embedded-systems/}, language = {English}, urldate = {2019-12-20} } @online{ilascu:20190303:op:89fdbdd, author = {Ionut Ilascu}, title = {{Op 'Sharpshooter' Connected to North Korea's Lazarus Group}}, date = {2019-03-03}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/op-sharpshooter-connected-to-north-koreas-lazarus-group/}, language = {English}, urldate = {2019-12-20} } @online{ilascu:20190626:new:3ea2210, author = {Ionut Ilascu}, title = {{New Silex Malware Trashes IoT Devices Using Default Passwords}}, date = 
{2019-06-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-silex-malware-trashes-iot-devices-using-default-passwords/}, language = {English}, urldate = {2020-01-08} } @online{ilascu:20190806:new:a045b9f, author = {Ionut Ilascu}, title = {{New Echobot Botnet Variant Uses Over 50 Exploits to Propagate}}, date = {2019-08-06}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-echobot-botnet-variant-uses-over-50-exploits-to-propagate/}, language = {English}, urldate = {2019-12-20} } @online{ilascu:20190826:new:20f0561, author = {Ionut Ilascu}, title = {{New Nemty Ransomware May Spread via Compromised RDP Connections}}, date = {2019-08-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-nemty-ransomware-may-spread-via-compromised-rdp-connections/}, language = {English}, urldate = {2020-01-07} } @online{ilascu:20190830:look:9a976c7, author = {Ionut Ilascu}, title = {{A Look Inside the Highly Profitable Sodinokibi Ransomware Business}}, date = {2019-08-30}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/a-look-inside-the-highly-profitable-sodinokibi-ransomware-business/}, language = {English}, urldate = {2019-12-20} } @online{ilascu:20190903:nemty:459166a, author = {Ionut Ilascu}, title = {{Nemty Ransomware Gets Distribution from RIG Exploit Kit}}, date = {2019-09-03}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/nemty-ransomware-gets-distribution-from-rig-exploit-kit/}, language = {English}, urldate = {2020-01-08} } @online{ilascu:20190908:fake:3f0addd, author = {Ionut Ilascu}, title = {{Fake PayPal Site Spreads Nemty Ransomware}}, date = {2019-09-08}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/fake-paypal-site-spreads-nemty-ransomware/}, language = {English}, urldate = {2020-01-13} } 
@online{ilascu:20191115:new:533f0a6, author = {Ionut Ilascu}, title = {{New NextCry Ransomware Encrypts Data on NextCloud Linux Servers}}, date = {2019-11-15}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-nextcry-ransomware-encrypts-data-on-nextcloud-linux-servers/}, language = {English}, urldate = {2020-01-06} } @online{ilascu:20200106:sodinokibi:1feb8a3, author = {Ionut Ilascu}, title = {{Sodinokibi Ransomware Hits Travelex, Demands $3 Million}}, date = {2020-01-06}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-hits-travelex-demands-3-million/}, language = {English}, urldate = {2020-01-13} } @online{ilascu:20200526:new:5905063, author = {Ionut Ilascu}, title = {{New [F]Unicorn ransomware hits Italy via fake COVID-19 infection map}}, date = {2020-05-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-f-unicorn-ransomware-hits-italy-via-fake-covid-19-infection-map/}, language = {English}, urldate = {2020-06-08} } @online{ilascu:20200528:michigan:a52712f, author = {Ionut Ilascu}, title = {{Michigan State University network breached in ransomware attack}}, date = {2020-05-28}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/michigan-state-university-network-breached-in-ransomware-attack/}, language = {English}, urldate = {2020-05-29} } @online{ilascu:20200608:honda:59ddaf6, author = {Ionut Ilascu}, title = {{Honda investigates possible ransomware attack, networks impacted}}, date = {2020-06-08}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/honda-investigates-possible-ransomware-attack-networks-impacted/}, language = {English}, urldate = {2020-06-10} } @online{ilascu:20200613:black:f18a453, author = {Ionut Ilascu}, title = {{Black Kingdom ransomware hacks networks with Pulse VPN flaws}}, date = {2020-06-13}, organization = 
{BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/black-kingdom-ransomware-hacks-networks-with-pulse-vpn-flaws/}, language = {English}, urldate = {2020-06-16} } @online{ilascu:20200623:ryuk:c63b0c6, author = {Ionut Ilascu}, title = {{Ryuk ransomware deployed two weeks after Trickbot infection}}, date = {2020-06-23}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-deployed-two-weeks-after-trickbot-infection/}, language = {English}, urldate = {2020-06-30} } @online{ilascu:20200731:gandcrab:f2cd6ef, author = {Ionut Ilascu}, title = {{GandCrab ransomware operator arrested in Belarus}}, date = {2020-07-31}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-operator-arrested-in-belarus/}, language = {English}, urldate = {2020-08-05} } @online{ilascu:20201027:enel:cd901d2, author = {Ionut Ilascu}, title = {{Enel Group hit by ransomware again, Netwalker demands $14 million}}, date = {2020-10-27}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/enel-group-hit-by-ransomware-again-netwalker-demands-14-million/}, language = {English}, urldate = {2020-10-29} } @online{ilascu:20201029:revil:e6b68d1, author = {Ionut Ilascu}, title = {{REvil ransomware gang claims over $100 million profit in a year}}, date = {2020-10-29}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/revil-ransomware-gang-claims-over-100-million-profit-in-a-year/}, language = {English}, urldate = {2020-11-02} } @online{ilascu:20201109:fake:c6dd7b3, author = {Ionut Ilascu}, title = {{Fake Microsoft Teams updates lead to Cobalt Strike deployment}}, date = {2020-11-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/}, language = {English}, urldate = {2020-11-11} } 
@online{ilascu:20210104:chinas:9677dc6, author = {Ionut Ilascu}, title = {{China's APT hackers move to ransomware attacks}}, date = {2021-01-04}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/chinas-apt-hackers-move-to-ransomware-attacks/}, language = {English}, urldate = {2021-01-11} } @online{ilgayev:20200827:old:8859e51, author = {Alex Ilgayev}, title = {{An Old Bot’s Nasty New Tricks: Exploring Qbot’s Latest Attack Methods}}, date = {2020-08-27}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2020/exploring-qbots-latest-attack-methods/}, language = {English}, urldate = {2020-08-31} } @online{imano:20110311:trojankoredos:414e359, author = {Shunichi Imano}, title = {{Trojan.Koredos Comes with an Unwelcomed Surprise}}, date = {2011-03-11}, organization = {Symantec}, url = {https://web.archive.org/web/20131123012339/https://www.symantec.com/connect/blogs/trojankoredos-comes-unwelcomed-surprise}, language = {English}, urldate = {2020-04-21} } @online{imano:20110311:trojankoredos:c3aa3c6, author = {Shunichi Imano}, title = {{Trojan.Koredos Comes with an Unwelcomed Surprise}}, date = {2011-03-11}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/trojankoredos-comes-unwelcomed-surprise}, language = {English}, urldate = {2020-01-10} } @online{ims0rry:20171230:analysis:f221c40, author = {ims0rry}, title = {{Analysis DarkSky Botnet}}, date = {2017-12-30}, organization = {Telegra.ph blog}, url = {http://telegra.ph/Analiz-botneta-DarkSky-12-30}, language = {English}, urldate = {2020-01-08} } @techreport{inc:20190508:2019:3c20a3b, author = {Verizon Communications Inc.}, title = {{2019 Data Breach Investigations Report}}, date = {2019-05-08}, institution = {Verizon Communications Inc.}, url = {https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf}, language = {English}, urldate = {2020-05-10} } @online{incibe:20200408:ransomware:61b8c41, author = 
{INCIBE}, title = {{Ransomware NetWalker: análisis y medidas preventivas}}, date = {2020-04-08}, organization = {INCIBE-CERT}, url = {https://www.incibe-cert.es/blog/ransomware-netwalker-analisis-y-medidas-preventivas}, language = {Spanish}, urldate = {2020-04-14} } @online{inglot:2017:attacker:3af6c23, author = {Bart Inglot and Byrne Ghavalas}, title = {{ATTACKER ANTICS: Illustrations of Ingenuity}}, date = {2017}, organization = {FireEye}, url = {https://ruxcon.org.au/assets/2017/slides/bart-RuxCon-Presentation.pptx}, language = {English}, urldate = {2020-01-08} } @online{inocencio:20140829:new:43a114a, author = {Rhena Inocencio}, title = {{New BlackPOS Malware Emerges in the Wild, Targets Retail Accounts}}, date = {2014-08-29}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/new-blackpos-malware-emerges-in-the-wild-targets-retail-accounts/}, language = {English}, urldate = {2020-01-10} } @online{inocencio:20141113:bashlite:647137b, author = {Rhena Inocencio}, title = {{BASHLITE Affects Devices Running on BusyBox}}, date = {2014-11-13}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/bashlite-affects-devices-running-on-busybox/}, language = {English}, urldate = {2019-07-10} } @online{inquest:20200720:tweets:8920a27, author = {InQuest}, title = {{Tweets on PowerPepper decryption}}, date = {2020-07-20}, organization = {Twitter (@InQuest)}, url = {https://twitter.com/InQuest/status/1285295975347650562}, language = {English}, urldate = {2020-12-08} } @online{insaneforensics:20200823:dispatches:0a019d4, author = {Insane-Forensics}, title = {{Dispatches from Drovorub: Network Threat Hunting for Russia GRU GTsSS' Malware at Scale}}, date = {2020-08-23}, organization = {Github (Insane-Forensics)}, url = {https://github.com/Insane-Forensics/drovorub-hunt}, language = {English}, urldate = {2020-08-25} } @online{insights:20200406:mcafee:7fdc3d4, author = {McAfee Insights}, title 
= {{McAfee Insights: Vicious Panda: The COVID Campaign}}, date = {2020-04-06}, organization = {McAfee}, url = {https://kc.mcafee.com/corporate/index?page=content&id=KB92636&locale=en_US}, language = {English}, urldate = {2020-05-14} } @online{institute:20110419:tdss:9ffae6b, author = {Infosec Institute}, title = {{TDSS part 1: The x64 Dollar Question}}, date = {2011-04-19}, organization = {InfoSec Institute}, url = {http://resources.infosecinstitute.com/tdss4-part-1/}, language = {English}, urldate = {2020-01-06} } @online{institute:20200228:profiling:ebaa39b, author = {Financial Security Institute}, title = {{Profiling of TA505 Threat Group That Continues to Attack the Financial Sector}}, date = {2020-02-28}, organization = {Financial Security Institute}, url = {https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do}, language = {English}, urldate = {2020-02-28} } @online{institute:20201215:operation:899bf4d, author = {Advanced Threat Institute}, title = {{Operation Falling Eagle-the secret of the most influential supply chain attack in history}}, date = {2020-12-15}, organization = {360 Threat Intelligence Center}, url = {https://mp.weixin.qq.com/s/lh7y_KHUxag_-pcFBC7d0Q}, language = {Chinese}, urldate = {2020-12-18} } @online{institute:20201216:aptc47clickonce:8643850, author = {Advanced Threat Institute}, title = {{旺刺组织(APT-C-47)使用ClickOnce技术的攻击活动披露}}, date = {2020-12-16}, organization = {360 Threat Intelligence Center}, url = {https://mp.weixin.qq.com/s/h_MUJfa3QGM9SqT_kzcdHQ}, language = {Chinese}, urldate = {2021-01-01} } @online{intelhoney:20201121:reversing:e62deae, author = {Twitter (@intel_honey)}, title = {{Reversing Anubis Malware}}, date = {2020-11-21}, organization = {Medium Intel-Honey}, url = {https://intel-honey.medium.com/reversing-anubis-malware-93f28d154bbb}, language = {English}, urldate = {2020-11-23} } @techreport{intelligence:201405:into:e8ffc24, author = {ASERT Threat Intelligence}, title = {{Into the Light of Day: Uncovering 
Ongoing and Historical Point of Sale Malware and Attack Campaigns}}, date = {2014-05}, institution = {Arbor Networks}, url = {http://pages.arbornetworks.com/rs/arbor/images/ASERT%20Threat%20Intelligence%20Brief%202014-06%20Uncovering%20PoS%20Malware%20and%20Attack%20Campaigns.pdf}, language = {English}, urldate = {2020-01-06} } @techreport{intelligence:201507:hammertoss:9275999, author = {FireEye Threat Intelligence}, title = {{HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group}}, date = {2015-07}, institution = {FireEye}, url = {https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf}, language = {English}, urldate = {2019-10-23} } @online{intelligence:20151201:chinabased:8836a81, author = {FireEye Threat Intelligence}, title = {{China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets}}, date = {2015-12-01}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html}, language = {English}, urldate = {2019-12-20} } @online{intelligence:20160128:centerpos:551f13b, author = {FireEye Threat Intelligence}, title = {{CenterPOS: An Evolving POS Threat}}, date = {2016-01-28}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2016/01/centerpos_an_evolvi.html}, language = {English}, urldate = {2019-12-20} } @online{intelligence:20170212:lazarus:dd99beb, author = {BAE Systems Applied Intelligence}, title = {{Lazarus & Watering-hole attacks}}, date = {2017-02-12}, organization = {BAE Systems}, url = {https://baesystemsai.blogspot.com/2017/02/lazarus-watering-hole-attacks.html}, language = {English}, urldate = {2020-01-06} } @online{intelligence:20170406:apt10:08847cf, author = {FireEye iSIGHT Intelligence}, title = {{APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat}}, date = {2017-04-06}, organization = {FireEye}, url = 
{https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html}, language = {English}, urldate = {2019-12-20} } @online{intelligence:20181023:triton:95a881f, author = {FireEye Intelligence}, title = {{TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers}}, date = {2018-10-23}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html}, language = {English}, urldate = {2019-12-20} } @online{intelligence:20190313:tefosteal:24e56c1, author = {Microsoft Security Intelligence}, title = {{Tweet on Tefosteal}}, date = {2019-03-13}, organization = {Twitter (@WDSecurity)}, url = {https://twitter.com/WDSecurity/status/1105990738993504256}, language = {English}, urldate = {2020-01-05} } @online{intelligence:20190315:flash:c7544fd, author = {Threat Intelligence}, title = {{Flash Bulletin: Emotet Epoch 1 Changes its C2 Communication}}, date = {2019-03-15}, organization = {Cofense}, url = {https://cofense.com/flash-bulletin-emotet-epoch-1-changes-c2-communication/}, language = {English}, urldate = {2019-10-23} } @online{intelligence:20190509:toptier:004045c, author = {Advanced Intelligence}, title = {{Top-Tier Russian Hacking Collective Claims Breaches of Three Major Anti-Virus Companies}}, date = {2019-05-09}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/blog/top-tier-russian-hacking-collective-claims-breaches-of-three-major-anti-virus-companies}, language = {English}, urldate = {2020-01-09} } @online{intelligence:20191111:operation:3bc93dc, author = {PT ESC Threat Intelligence}, title = {{Operation TA505, part four. 
Twins}}, date = {2019-11-11}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ru-ru/research/pt-esc-threat-intelligence/operation-ta505-part4/}, language = {Russian}, urldate = {2020-11-23} } @online{intelligence:20200519:netwalker:4681272, author = {Advanced Intelligence and Bridgit Sullivan and Daniel Frey}, title = {{NetWalker Ransomware Group Enters Advanced Targeting “Game”}}, date = {2020-05-19}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/netwalker-ransomware-group-enters-advanced-targeting-game}, language = {English}, urldate = {2020-05-23} } @online{intelligence:20200520:operation:7f6282e, author = {PT ESC Threat Intelligence}, title = {{Operation TA505: how we analyzed new tools from the creators of the Dridex trojan, Locky ransomware, and Neutrino botnet}}, date = {2020-05-20}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505/}, language = {English}, urldate = {2020-06-05} } @online{intelligence:20200522:operation:6e4f978, author = {PT ESC Threat Intelligence}, title = {{Operation TA505: investigating the ServHelper backdoor with NetSupport RAT. Part 2.}}, date = {2020-05-22}, organization = {Positive Technologies}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part2/}, language = {English}, urldate = {2020-11-23} } @online{intelligence:20200524:operation:2ce432b, author = {PT ESC Threat Intelligence}, title = {{Operation TA505: network infrastructure. 
Part 3.}}, date = {2020-05-24}, organization = {Positive Technologies}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part3/}, language = {English}, urldate = {2020-11-23} } @online{intelligence:20200604:covid19:45fa7ba, author = {PT ESC Threat Intelligence}, title = {{COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group}}, date = {2020-06-04}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/covid-19-and-new-year-greetings-the-higaisa-group/}, language = {English}, urldate = {2020-06-05} } @online{intelligence:20200616:cobalt:2071fd2, author = {PT ESC Threat Intelligence}, title = {{Cobalt: tactics and tools update}}, date = {2020-06-16}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/cobalt_upd_ttps/}, language = {English}, urldate = {2020-06-16} } @online{intelligence:20200617:thread:b4b74d5, author = {Microsoft Security Intelligence}, title = {{A tweet thread on TA505 using CAPTCHA to avoid detection and infecting victims with FlawedGrace}}, date = {2020-06-17}, organization = {Twitter (@MsftSecIntel)}, url = {https://twitter.com/MsftSecIntel/status/1273359829390655488}, language = {English}, urldate = {2020-06-18} } @online{intelligence:20200710:dark:a29ccb4, author = {Advanced Intelligence}, title = {{The Dark Web of Intrigue: How REvil Used the Underground Ecosystem to Form an Extortion Cartel}}, date = {2020-07-10}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/the-dark-web-of-intrigue-how-revil-used-the-underground-ecosystem-to-form-an-extortion-cartel}, language = {English}, urldate = {2020-07-13} } @online{intelligence:20200825:apt:0ad132f, author = {Qi'anxin Threat Intelligence}, title = {{南亚APT组织“透明部落”在移动端上与对手的较量}}, date = {2020-08-25}, organization = {Qianxin}, url = 
{https://www.secrss.com/articles/24995}, language = {Chinese}, urldate = {2020-08-25} } @online{intelligence:20200827:anubis:e53422c, author = {Microsoft Security Intelligence}, title = {{Tweet on Anubis Stealer}}, date = {2020-08-27}, organization = {Twitter (@MsftSecIntel)}, url = {https://twitter.com/MsftSecIntel/status/1298752223321546754}, language = {English}, urldate = {2020-09-01} } @techreport{intelligence:20200930:china:9e6570a, author = {House Permanent Select Committee on Intelligence}, title = {{The China Deep Dive: A Report on the Intelligence Community’s Capabilities and Competencies with Respect to the People’s Republic of China}}, date = {2020-09-30}, institution = {House Permanent Select Committee on Intelligence}, url = {https://intelligence.house.gov/uploadedfiles/hpsci_china_deep_dive_redacted_summary_9.29.20.pdf}, language = {English}, urldate = {2020-10-04} } @online{intelligence:20201006:ta505:a34d957, author = {Microsoft Security Intelligence}, title = {{Tweet on TA505 threat actor exploiting Zerologon (CVE-2020-1472) Vulnerability}}, date = {2020-10-06}, organization = {Twitter (@MsftSecIntel)}, url = {https://twitter.com/MsftSecIntel/status/1313598440719355904}, language = {English}, urldate = {2020-10-08} } @online{intelligence:20201213:trojanmsilsolorigatebdha:f470d89, author = {Microsoft Security Intelligence}, title = {{Trojan:MSIL/Solorigate.B!dha}}, date = {2020-12-13}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:MSIL/Solorigate.B!dha}, language = {English}, urldate = {2020-12-14} } @online{international:20170301:how:fb75ef9, author = {FraudWatch International}, title = {{How Does the Trickbot Malware Work?}}, date = {2017-03-01}, organization = {FraudWatch International}, url = {https://blog.fraudwatchinternational.com/malware/trickbot-malware-works}, language = {English}, urldate = {2020-01-08} } @online{international:20180515:pakistan:c41a7ec, author 
= {Amnesty International}, title = {{PAKISTAN: HUMAN RIGHTS UNDER SURVEILLANCE}}, date = {2018-05-15}, organization = {Amnesty International}, url = {https://www.amnesty.org/en/documents/asa33/8366/2018/en/}, language = {English}, urldate = {2019-11-28} } @online{international:20200615:india:2e4e60b, author = {Amnesty International}, title = {{India: Human Rights Defenders Targeted by a Coordinated Spyware Operation}}, date = {2020-06-15}, organization = {Amnesty International}, url = {https://www.amnesty.org/en/latest/research/2020/06/india-human-rights-defenders-targeted-by-a-coordinated-spyware-operation/}, language = {English}, urldate = {2020-06-16} } @online{international:20200925:germanmade:49d85d3, author = {Amnesty International}, title = {{German-made FinSpy spyware found in Egypt, and Mac and Linux versions revealed}}, date = {2020-09-25}, organization = {Amnesty International}, url = {https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/}, language = {English}, urldate = {2020-09-25} } @online{intezer:20190920:russian:27d9f67, author = {Intezer}, title = {{Russian Cybercrime Group FullofDeep Behind QNAPCrypt Ransomware Campaigns}}, date = {2019-09-20}, organization = {Intezer}, url = {https://www.intezer.com/blog-russian-cybercrime-group-fullofdeep-behind-qnapcrypt-ransomware-campaigns/}, language = {English}, urldate = {2020-01-08} } @online{intezer:20200806:gosh:f982c3c, author = {Intezer}, title = {{Tweet on GOSH}}, date = {2020-08-06}, organization = {Twitter (@IntezerLabs)}, url = {https://twitter.com/IntezerLabs/status/1291355808811409408}, language = {English}, urldate = {2020-08-18} } @online{intezer:20201112:agelocker:d63b5bc, author = {Intezer}, title = {{Tweet on Agelocker}}, date = {2020-11-12}, organization = {Twitter (@IntezerLabs)}, url = {https://twitter.com/IntezerLabs/status/1326880812344676352}, language = {English}, urldate = {2020-11-18} } 
@online{intezer:20201221:top:9529707, author = {Intezer}, title = {{Top Linux Cloud Threats of 2020}}, date = {2020-12-21}, organization = {Intezer}, url = {https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/}, language = {English}, urldate = {2020-12-26} } @online{intezerlabs:20200511:ldpreload:b3e622b, author = {Twitter (IntezerLabs)}, title = {{Tweet on LD-PRELOAD userland rootkit}}, date = {2020-05-11}, organization = {Intezer}, url = {https://twitter.com/IntezerLabs/status/1259818964848386048}, language = {English}, urldate = {2020-05-18} } @online{intezerlabs:20201105:ngioweb:e145908, author = {Twitter (IntezerLabs)}, title = {{Tweet on Ngioweb botnet}}, date = {2020-11-05}, organization = {Intezer}, url = {https://twitter.com/IntezerLabs/status/1324346324683206657}, language = {English}, urldate = {2020-11-06} } @online{intezerlabs:20201214:linux:85c179b, author = {Twitter (IntezerLabs)}, title = {{Tweet on linux variant of Prometei botnet}}, date = {2020-12-14}, organization = {Intezer}, url = {https://twitter.com/IntezerLabs/status/1338480158249013250}, language = {English}, urldate = {2020-12-15} } @online{intrusiontruth:20170509:apt3:4014a9f, author = {Intrusiontruth}, title = {{APT3 is Boyusec, a Chinese Intelligence Contractor}}, date = {2017-05-09}, organization = {Intrusiontruth}, url = {https://intrusiontruth.wordpress.com/2017/05/09/apt3-is-boyusec-a-chinese-intelligence-contractor/}, language = {English}, urldate = {2020-01-07} } @online{intrusiontruth:20190724:apt17:6b9a666, author = {Intrusiontruth}, title = {{APT17 is run by the Jinan bureau of the Chinese Ministry of State Security}}, date = {2019-07-24}, organization = {Intrusiontruth}, url = {https://intrusiontruth.wordpress.com/2019/07/24/apt17-is-run-by-the-jinan-bureau-of-the-chinese-ministry-of-state-security/}, language = {English}, urldate = {2020-04-21} } @online{intrusiontruth:20200109:what:bc9bc31, author = {Intrusiontruth}, title = {{What is the Hainan 
Xiandun Technology Development Company?}}, date = {2020-01-09}, organization = {Intrusiontruth}, url = {https://intrusiontruth.wordpress.com/2020/01/09/what-is-the-hainan-xiandun-technology-development-company}, language = {English}, urldate = {2020-04-16} } @online{intrusiontruth:20200110:who:32afb65, author = {Intrusiontruth}, title = {{Who is Mr Gu?}}, date = {2020-01-10}, organization = {Intrusiontruth}, url = {https://intrusiontruth.wordpress.com/2020/01/10/who-is-mr-gu}, language = {English}, urldate = {2020-04-16} } @online{intrusiontruth:20200113:who:e54190c, author = {Intrusiontruth}, title = {{Who else works for this cover company network?}}, date = {2020-01-13}, organization = {Intrusiontruth}, url = {https://intrusiontruth.wordpress.com/2020/01/13/who-else-works-for-this-cover-company-network}, language = {English}, urldate = {2020-04-16} } @online{intrusiontruth:20200114:who:a06a6c3, author = {Intrusiontruth}, title = {{Who is Mr Ding?}}, date = {2020-01-14}, organization = {Intrusiontruth}, url = {https://intrusiontruth.wordpress.com/2020/01/14/who-is-mr-ding}, language = {English}, urldate = {2020-04-16} } @online{intrusiontruth:20200115:hainan:093f6f2, author = {Intrusiontruth}, title = {{Hainan Xiandun Technology Company is APT40}}, date = {2020-01-15}, organization = {Intrusiontruth}, url = {https://intrusiontruth.wordpress.com/2020/01/15/hainan-xiandun-technology-company-is-apt40}, language = {English}, urldate = {2020-04-16} } @online{ipj:20160920:hackers:fae1710, author = {ipj and kl}, title = {{Hackers lurking, parliamentarians told}}, date = {2016-09-20}, organization = {Deutsche Welle}, url = {https://www.dw.com/en/hackers-lurking-parliamentarians-told/a-19564630}, language = {English}, urldate = {2020-09-15} } @online{iris:20191209:new:cc73a24, author = {IBM IRIS}, title = {{New Destructive Wiper “ZeroCleare” Targets Energy Sector in the Middle East}}, date = {2019-12-09}, organization = {IBM Security}, url = 
{https://www.ibm.com/downloads/cas/OAJ4VZNJ}, language = {English}, urldate = {2020-01-09} } @online{iris:20200616:cloud:e15a0d5, author = {IBM Security X-Force® Incident Response and Intelligence Services (IRIS)}, title = {{Cloud Threat Landscape Report 2020}}, date = {2020-06-16}, organization = {IBM}, url = {https://www.ibm.com/downloads/cas/Z81AVOY7}, language = {English}, urldate = {2020-06-17} } @online{irmer:20150217:angry:d09af85, author = {Jan Širmer}, title = {{Angry Android hacker hides Xbot malware in popular application icons}}, date = {2015-02-17}, organization = {Avast}, url = {https://blog.avast.com/2015/02/17/angry-android-hacker-hides-xbot-malware-in-popular-application-icons/}, language = {English}, urldate = {2019-12-24} } @online{irmer:20191023:spoofing:369e661, author = {Jan Širmer and Luigino Camastra and Adolf Středa}, title = {{Spoofing in the reeds with Rietspoof}}, date = {2019-10-23}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-spoofing-reeds-rietspoof/}, language = {English}, urldate = {2020-01-27} } @online{ironnet:20201231:solarwindssunburst:1422ef4, author = {IronNet}, title = {{SolarWinds/SUNBURST: Behavioral analytics and Collective Defense in action}}, date = {2020-12-31}, organization = {IronNet}, url = {https://www.ironnet.com/blog/solarwinds/sunburst-behavioral-analytics-and-collective-defense-in-action}, language = {English}, urldate = {2021-01-05} } @online{ishikawa:20171218:relationship:fb13bae, author = {Yoshihiro Ishikawa}, title = {{Relationship between PlugX and attacker group "DragonOK"}}, date = {2017-12-18}, organization = {LAC}, url = {https://www.lac.co.jp/lacwatch/people/20171218_001445.html}, language = {Japanese}, urldate = {2019-11-22} } @online{ishikawa:20180521:confirmed:ad336b5, author = {Yoshihiro Ishikawa}, title = {{Confirmed new attacks by APT attacker group menuPass (APT10)}}, date = {2018-05-21}, organization = {LAC}, url = 
{https://www.lac.co.jp/lacwatch/people/20180521_001638.html}, language = {Japanese}, urldate = {2019-10-27} } @techreport{ishikawa:20181201:lets:73b0c60, author = {Yoshihiro Ishikawa and Shinichi Nagano}, title = {{Let's go with a Go RAT!}}, date = {2018-12-01}, institution = {Botconf}, url = {https://www.botconf.eu/wp-content/uploads/2018/12/2018-Y-Ishikawa-S-Nagano-Lets-go-with-a-Go-RAT-_final.pdf}, language = {English}, urldate = {2020-04-28} } @online{ishimaru:20150820:new:0b39f40, author = {Suguru Ishimaru}, title = {{New activity of the Blue Termite APT}}, date = {2015-08-20}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/}, language = {English}, urldate = {2019-12-20} } @online{ishimaru:20150820:new:d553aa4, author = {Suguru Ishimaru}, title = {{New activity of the Blue Termite APT}}, date = {2015-08-20}, organization = {Kaspersky Labs}, url = {https://securelist.com/new-activity-of-the-blue-termite-apt/71876/}, language = {English}, urldate = {2019-12-20} } @online{ishimaru:20180416:roaming:42ebd00, author = {Suguru Ishimaru}, title = {{Roaming Mantis uses DNS hijacking to infect Android smartphones}}, date = {2018-04-16}, organization = {Kaspersky Labs}, url = {https://securelist.com/roaming-mantis-uses-dns-hijacking-to-infect-android-smartphones/85178/}, language = {English}, urldate = {2019-12-20} } @online{ishimaru:20180518:roaming:3e5185f, author = {Suguru Ishimaru}, title = {{Roaming Mantis dabbles in mining and phishing multilingually}}, date = {2018-05-18}, organization = {Kaspersky Labs}, url = {https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/}, language = {English}, urldate = {2019-12-20} } @techreport{ishimaru:2019:roaming:23097da, author = {Suguru Ishimaru and Manabu Niseki and Hiroaki Ogawa}, title = {{Roaming Mantis: an Anatomy of a DNS Hijacking Campaign}}, date = {2019}, institution = {Kaspersky Labs}, url = 
{https://hitcon.org/2019/CMT/slide-files/d2_s1_r1.pdf}, language = {English}, urldate = {2020-01-09} } @online{ishimaru:20200227:roaming:3e14d12, author = {Suguru Ishimaru}, title = {{Roaming Mantis, part V: Distributed in 2019 using SMiShing and enhanced anti-researcher techniques}}, date = {2020-02-27}, organization = {Kaspersky Labs}, url = {https://securelist.com/roaming-mantis-part-v/96250/}, language = {English}, urldate = {2020-03-02} } @techreport{istrate:2015:new:254e212, author = {Cristian Istrate and Andrei Ardelean and Claudiu Cobliș and Marius Tivadar}, title = {{New Pacifier APT Components Point to Russian-Linked Turla Group}}, date = {2015}, institution = {Bitdefender}, url = {https://pdfhost.io/v/F0@QElMu2_MacProStorage_2017FinalBitdefenderWhitepaperNetrepserA4en_ENBitdefenderWhitepaperNetrepserA4en_ENindd.pdf}, language = {English}, urldate = {2020-01-08} } @online{it:20160615:mofang:59e7ad3, author = {Fox IT}, title = {{Mofang: A politically motivated information stealing adversary}}, date = {2016-06-15}, organization = {Fox-IT}, url = {https://blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/}, language = {English}, urldate = {2019-11-27} } @online{it:20190226:identifying:689104d, author = {Fox IT}, title = {{Identifying Cobalt Strike team servers in the wild}}, date = {2019-02-26}, organization = {Fox-IT}, url = {https://blog.fox-it.com/2019/02/26/identifying-cobalt-strike-team-servers-in-the-wild/}, language = {English}, urldate = {2020-10-25} } @online{it:20190226:supreme:d4cad36, author = {dfir it!}, title = {{The Supreme Backdoor Factory}}, date = {2019-02-26}, organization = {dfir it!}, url = {https://dfir.it/blog/2019/02/26/the-supreme-backdoor-factory/}, language = {English}, urldate = {2020-01-06} } @online{it:20191219:operation:64c0cd9, author = {Fox IT}, title = {{Operation Wocao : Shining a light on one of China’s hidden hacking groups}}, date = {2019-12-19}, organization = {Fox-IT}, url = 
{https://www.fox-it.com/nl/actueel/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/}, language = {English}, urldate = {2020-01-07} } @online{ita:20200807:new:c2e5979, author = {CSIRT ITA}, title = {{New Phishing-As-A-Service framework}}, date = {2020-08-07}, organization = {CSIRT Italia}, url = {https://csirt.gov.it/contenuti/phishing-as-a-service-framework}, language = {Italian}, urldate = {2020-08-10} } @online{ivanov:20140301:chewbacca:5c7ac17, author = {Ivo Ivanov}, title = {{ChewBacca – A TOR Based POS Malware}}, date = {2014-03-01}, organization = {Vinsula}, url = {http://vinsula.com/2014/03/01/chewbacca-tor-based-pos-malware/}, language = {English}, urldate = {2019-11-26} } @online{ivanov:20161003:polyglot:6fe8657, author = {Anton Ivanov and Orkhan Mamedov and Fedor Sinitsyn}, title = {{Polyglot – the fake CTB-locker}}, date = {2016-10-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/76182/polyglot-the-fake-ctb-locker/}, language = {English}, urldate = {2019-12-20} } @online{ivanov:20161020:rotorcrypt:2bfa6f3, author = {Andrew Ivanov}, title = {{RotorCrypt (RotoCrypt) Ransomware Tar Ransomware}}, date = {2016-10-20}, url = {https://id-ransomware.blogspot.com/2016/10/rotorcrypt-ransomware.html}, language = {Russian}, urldate = {2019-11-23} } @online{ivanov:20170314:petrwrap:646653c, author = {Anton Ivanov and Fedor Sinitsyn}, title = {{PetrWrap: the new Petya-based ransomware used in targeted attacks}}, date = {2017-03-14}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/77762/petrwrap-the-new-petya-based-ransomware-used-in-targeted-attacks/}, language = {English}, urldate = {2019-12-20} } @online{ivanov:20170424:xpan:018ead2, author = {Anton Ivanov and Fabio Assolini and Fedor Sinitsyn and Santiago Pontiroli}, title = {{XPan, I am your father}}, date = {2017-04-24}, organization = {Kaspersky Labs}, url = 
{https://securelist.com/blog/research/78110/xpan-i-am-your-father/}, language = {English}, urldate = {2019-12-20} } @online{ivanov:20170628:expetrpetyanotpetya:903b1fc, author = {Anton Ivanov and Orkhan Mamedov}, title = {{ExPetr/Petya/NotPetya is a Wiper, Not Ransomware}}, date = {2017-06-28}, organization = {Kaspersky Labs}, url = {https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/78902/}, language = {English}, urldate = {2019-12-20} } @online{ivanov:20170809:return:124e8c1, author = {Anton Ivanov and Orkhan Mamedov}, title = {{The return of Mamba ransomware}}, date = {2017-08-09}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-return-of-mamba-ransomware/79403/}, language = {English}, urldate = {2019-12-20} } @online{ivanov:20171027:xiaoba:16e3621, author = {Andrew Ivanov}, title = {{XiaoBa Ransomware}}, date = {2017-10-27}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2017/10/xiaoba-ransomware.html}, language = {Russian}, urldate = {2020-03-19} } @online{ivanov:20171202:scarabey:802d653, author = {Andrew Ivanov}, title = {{Scarabey Ransomware}}, date = {2017-12-02}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2017/12/scarabey-ransomware.html}, language = {Russian}, urldate = {2019-12-17} } @online{ivanov:20180208:mbrlock:2c9f6d5, author = {Andrew Ivanov}, title = {{MBRlock Ransomware}}, date = {2018-02-08}, organization = {ID Ransomware}, url = {http://id-ransomware.blogspot.com.tr/2018/02/mbrlock-hax-ransomware.html}, language = {Russian}, urldate = {2019-12-17} } @online{ivanov:20180507:synack:2a41ea0, author = {Anton Ivanov and Fedor Sinitsyn and Orkhan Mamedov}, title = {{SynAck targeted ransomware uses the Doppelgänging technique}}, date = {2018-05-07}, organization = {Kaspersky Labs}, url = {https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/}, language = {English}, urldate = {2019-12-20} } 
@online{ivanov:20180914:rektware:836d8ac, author = {Andrew Ivanov}, title = {{Rektware Ransomware}}, date = {2018-09-14}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2018/09/rektware-ransomware.html}, language = {Russian}, urldate = {2020-03-22} } @online{ivanov:20190203:maoloa:52e7c7f, author = {Andrew Ivanov}, title = {{Maoloa Ransomware}}, date = {2019-02-03}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2019/02/maoloa-ransomware.html}, language = {English}, urldate = {2019-11-28} } @online{ivanov:20190703:lilocked:0eb5e17, author = {Andrew Ivanov}, title = {{Lilocked Ransomware}}, date = {2019-07-03}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2019/07/lilu-lilocked-ransomware.html}, language = {Russian}, urldate = {2019-12-17} } @online{ivanov:20190905:netwalker:902cacb, author = {Andrew Ivanov}, title = {{Netwalker Ransomware}}, date = {2019-09-05}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2019/09/koko-ransomware.html}, language = {Russian}, urldate = {2020-03-22} } @online{ivanov:20191004:scarecrow:0d5bfe4, author = {Andrew Ivanov}, title = {{ScareCrow Ransomware}}, date = {2019-10-04}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2019/10/scarecrow-ransomware.html}, language = {Russian}, urldate = {2020-08-05} } @online{ivanov:20191011:mespinoza:e9cd17e, author = {Andrew Ivanov}, title = {{Mespinoza Ransomware}}, date = {2019-10-11}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2019/10/mespinoza-ransomware.html}, language = {English}, urldate = {2020-03-26} } @online{ivanov:20191015:medusalocker:132bb68, author = {Andrew Ivanov}, title = {{MedusaLocker Ransomware}}, date = {2019-10-15}, url = {http://id-ransomware.blogspot.com/2019/10/medusalocker-ransomware.html}, language = {English}, urldate = {2020-01-07} } @online{ivanov:20191019:abcd:06360d3, author = {Andrew Ivanov}, title = 
{{ABCD Ransomware LockBit Ransomware}}, date = {2019-10-19}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/search?q=lockbit}, language = {Russian}, urldate = {2020-03-28} } @online{ivanov:20191020:infodot:47e0fd2, author = {Andrew Ivanov}, title = {{InfoDot Ransomware}}, date = {2019-10-20}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2019/10/infodot-ransomware.html}, language = {Russian}, urldate = {2020-04-01} } @online{ivanov:20191023:pwndlocker:d776ac5, author = {Andrew Ivanov}, title = {{PwndLocker Ransomware}}, date = {2019-10-23}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2019/10/pwndlocker-ransomware.html}, language = {Russian}, urldate = {2020-03-03} } @online{ivanov:20191025:hdmr:de88a6d, author = {Andrew Ivanov}, title = {{HDMR, GO-SPORT}}, date = {2019-10-25}, url = {http://id-ransomware.blogspot.com/2019/10/hdmr-ransomware.html}, language = {Russian}, urldate = {2020-01-08} } @online{ivanov:20191104:hakbit:473fb88, author = {Andrew Ivanov}, title = {{Hakbit Ransomware}}, date = {2019-11-04}, organization = {ID Ransomware}, url = {http://id-ransomware.blogspot.com/2019/11/hakbit-ransomware.html}, language = {Russian}, urldate = {2020-01-10} } @online{ivanov:20191113:antefrigus:ad4c113, author = {Andrew Ivanov}, title = {{AnteFrigus Ransomware}}, date = {2019-11-13}, organization = {ID Ransomware}, url = {http://id-ransomware.blogspot.com/2019/11/antefrigus-ransomware.html}, language = {English}, urldate = {2020-01-08} } @online{ivanov:20191119:wacatac:c1815bb, author = {Andrew Ivanov}, title = {{Tweet on Wacatac Ransomware}}, date = {2019-11-19}, organization = {Twitter (@Amigo_A_)}, url = {https://twitter.com/Amigo_A_/status/1196898012645220354}, language = {English}, urldate = {2020-01-08} } @online{ivanov:20191119:wacatac:e257783, author = {Andrew Ivanov}, title = {{Wacatac Ransomware}}, date = {2019-11-19}, organization = {ID Ransomware}, url = 
{https://id-ransomware.blogspot.com/2019/11/wacatac-ransomware.html}, language = {Russian}, urldate = {2020-01-08} } @online{ivanov:20191122:turkstatik:ada70a9, author = {Andrew Ivanov}, title = {{TurkStatik Ransomware}}, date = {2019-11-22}, url = {http://id-ransomware.blogspot.com/2019/10/fuxsocy-encryptor-ransomware.html}, language = {English}, urldate = {2019-11-28}, internal-note = {Review: url appears to point at the FuxSocy Encryptor post (2019/10), not a TurkStatik post; confirm the correct permalink on id-ransomware.blogspot.com before relying on this reference} } @online{ivanov:20191205:redrum:bc66b75, author = {Andrew Ivanov}, title = {{RedRum Ransomware}}, date = {2019-12-05}, url = {https://id-ransomware.blogspot.com/2019/12/redrum-ransomware.html}, language = {Russian}, urldate = {2020-12-23} } @online{ivanov:20191219:chernolocker:1d71ebd, author = {Andrew Ivanov}, title = {{ChernoLocker Ransomware}}, date = {2019-12-19}, url = {https://id-ransomware.blogspot.com/2019/12/chernolocker-ransomware.html}, language = {Russian}, urldate = {2020-01-26} } @online{ivanov:20191231:cuba:53a177c, author = {Andrew Ivanov}, title = {{Cuba Ransomware}}, date = {2019-12-31}, url = {https://id-ransomware.blogspot.com/2019/12/cuba-ransomware.html}, language = {Russian}, urldate = {2020-06-11} } @online{ivanov:20200109:ako:79016d7, author = {Andrew Ivanov}, title = {{Ako, MedusaReborn}}, date = {2020-01-09}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/01/ako-ransomware.html}, language = {English}, urldate = {2020-05-18} } @online{ivanov:20200125:cryptopatronum:4adacea, author = {Andrew Ivanov}, title = {{cryptopatronum ransomware}}, date = {2020-01-25}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/01/cryptopatronum-ransomware.html}, language = {Russian}, urldate = {2020-02-03} } @online{ivanov:20200130:thecursedmurderer:a2a7e72, author = {Andrew Ivanov}, title = {{TheCursedMurderer Ransomware}}, date = {2020-01-30}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/01/thecursedmurderer-ransomware.html}, language = {Russian}, urldate = {2020-02-10} } 
@online{ivanov:20200201:fct:ba54e92, author = {Andrew Ivanov}, title = {{FCT Ransomware}}, date = {2020-02-01}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/02/fct-ransomware.html}, language = {Russian}, urldate = {2020-02-10} } @online{ivanov:20200203:passlock:a72c982, author = {Andrew Ivanov}, title = {{PassLock Ransomware}}, date = {2020-02-03}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com}, language = {Russian}, urldate = {2020-02-10}, internal-note = {Review: url is the blog root, not a PassLock post permalink; locate the specific article before citing} } @online{ivanov:20200204:ragnarlocker:7e8d324, author = {Andrew Ivanov}, title = {{RagnarLocker Ransomware}}, date = {2020-02-04}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/02/ragnarlocker-ransomware.html}, language = {Russian}, urldate = {2020-04-15} } @online{ivanov:20200217:gibberish:b003dbc, author = {Andrew Ivanov}, title = {{Gibberish Ransomware}}, date = {2020-02-17}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/02/gibberish-ransomware.html}, language = {Russian}, urldate = {2020-03-22} } @online{ivanov:20200225:blackkingdom:5c73f86, author = {Andrew Ivanov}, title = {{BlackKingdom Ransomware}}, date = {2020-02-25}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/02/blackkingdom-ransomware.html}, language = {Russian}, urldate = {2020-06-16} } @online{ivanov:20200301:cryptodarkrubix:6720abd, author = {Andrew Ivanov}, title = {{CryptoDarkRubix Ransomware}}, date = {2020-03-01}, url = {https://id-ransomware.blogspot.com/2020/03/cryptodarkrubix-ransomware.html}, language = {Russian}, urldate = {2020-07-30} } @online{ivanov:20200307:javalocker:4b44b72, author = {Andrew Ivanov}, title = {{JavaLocker Ransomware}}, date = {2020-03-07}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/03/javalocker-ransomware.html}, language = {Russian}, urldate = {2020-03-22} } @online{ivanov:20200311:coronavirus:1b3c4d6, author = {Andrew Ivanov}, title = 
{{CoronaVirus Ransomware}}, date = {2020-03-11}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/03/coronavirus-ransomware.html}, language = {Russian}, urldate = {2020-03-22} } @online{ivanov:20200312:teslarvng:0ab7628, author = {Andrew Ivanov}, title = {{Teslarvng Ransomware Yakuza Ransomware}}, date = {2020-03-12}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/03/teslarvng-ransomware.html}, language = {Russian}, urldate = {2020-03-27} } @online{ivanov:20200314:nefilim:329ccf1, author = {Andrew Ivanov}, title = {{Nefilim Ransomware}}, date = {2020-03-14}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/03/nefilim-ransomware.html}, language = {English}, urldate = {2020-03-22} } @online{ivanov:20200314:rekensom:1e0a54a, author = {Andrew Ivanov}, title = {{RekenSom Ransomware}}, date = {2020-03-14}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/03/rekensom-ransomware.html}, language = {Russian}, urldate = {2020-03-22} } @online{ivanov:20200317:prolock:3aa858f, author = {Andrew Ivanov}, title = {{ProLock Ransomware}}, date = {2020-03-17}, url = {https://id-ransomware.blogspot.com/2020/03/prolock-ransomware.html}, language = {Russian}, urldate = {2020-04-06} } @online{ivanov:20200318:sekhmet:0463cdb, author = {Andrew Ivanov}, title = {{Sekhmet Ransomware}}, date = {2020-03-18}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/03/sekhmet-ransomware.html}, language = {Russian}, urldate = {2020-03-28} } @online{ivanov:20200324:kekw:ef9d6a6, author = {Andrew Ivanov}, title = {{KEKW Ransomware KEKW-Locker Ransomware}}, date = {2020-03-24}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/03/kekw-ransomware.html}, language = {Russian}, urldate = {2020-03-28} } @online{ivanov:20200331:wannaren:0ab1946, author = {Andrew Ivanov}, title = {{WannaRen Ransomware}}, date = {2020-03-31}, 
organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/03/wannaren-ransomware.html}, language = {Russian}, urldate = {2020-04-20} } @online{ivanov:20200401:jeno:379b0a1, author = {Andrew Ivanov}, title = {{Jeno Ransomware}}, date = {2020-04-01}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/04/jeno-ransomware.html}, language = {Russian}, urldate = {2020-04-20} } @online{ivanov:20200410:void:3b7f0d1, author = {Andrew Ivanov}, title = {{Void Ransomware}}, date = {2020-04-10}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/04/void-voidcrypt-ransomware.html}, language = {Russian}, urldate = {2020-04-13} } @online{ivanov:20200419:sadogo:0a661a2, author = {Andrew Ivanov}, title = {{Sadogo Ransomware}}, date = {2020-04-19}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/04/sadogo-ransomware.html}, language = {Russian}, urldate = {2020-04-20} } @online{ivanov:20200426:gocryptolocker:116e256, author = {Andrew Ivanov}, title = {{goCryptoLocker}}, date = {2020-04-26}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/04/gocryptolocker-ransomware.html}, language = {Russian}, urldate = {2020-05-02} } @online{ivanov:20200617:ransomexx:ab0e087, author = {Andrew Ivanov}, title = {{RansomEXX Ransomware}}, date = {2020-06-17}, url = {https://id-ransomware.blogspot.com/2020/06/ransomexx-ransomware.html}, language = {Russian}, urldate = {2020-07-08} } @online{ivanov:20200707:silentdeath:fed1f53, author = {Andrew Ivanov}, title = {{SilentDeath Ransomware}}, date = {2020-07-07}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/07/silentdeath-ransomware.html}, language = {Russian}, urldate = {2020-08-05} } @online{ivanov:20200716:fastwind:5e4367c, author = {Andrew Ivanov}, title = {{FastWind Ransomware}}, date = {2020-07-16}, organization = {ID Ransomware}, url = 
{https://id-ransomware.blogspot.com/2020/07/fastwind-ransomware.html}, language = {Russian}, urldate = {2020-08-05} } @online{ivanov:20200810:darkside:2c93936, author = {Andrew Ivanov}, title = {{DarkSide Ransomware}}, date = {2020-08-10}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/08/darkside-ransomware.html}, language = {English}, urldate = {2020-11-17} } @online{ivanov:20200818:thunderx:0d8f847, author = {Andrew Ivanov}, title = {{ThunderX Ransomware}}, date = {2020-08-18}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/08/thunderx-ransomware.html}, language = {English}, urldate = {2020-09-15} } @online{ivanov:20200825:cyrat:62cd54c, author = {Andrew Ivanov}, title = {{Cyrat Ransomware}}, date = {2020-08-25}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/08/cyrat-ransomware.html}, language = {English}, urldate = {2020-09-01} } @online{ivanov:20200830:z3:21024c4, author = {Andrew Ivanov}, title = {{Z3 Ransomware}}, date = {2020-08-30}, url = {https://id-ransomware.blogspot.com/2020/08/z3-ransomware.html}, language = {Russian}, urldate = {2020-09-15} } @online{ivanov:20200831:xp10:f6f0110, author = {Andrew Ivanov}, title = {{XP10 Ransomware}}, date = {2020-08-31}, url = {https://id-ransomware.blogspot.com/2020/08/xp10-ransomware.html}, language = {Russian}, urldate = {2020-09-15} } @online{ivanov:20200918:egregor:c790f36, author = {Andrew Ivanov}, title = {{Egregor Ransomware}}, date = {2020-09-18}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/09/egregor-ransomware.html}, language = {Russian}, urldate = {2020-11-04} } @online{ivanov:20201025:metadatabin:54442a7, author = {Andrew Ivanov}, title = {{MetadataBin Ransomware}}, date = {2020-10-25}, url = {https://id-ransomware.blogspot.com/2020/10/metadata-bin-ransomware.html}, language = {Russian}, urldate = {2020-10-29} } @online{j:20181218:scumbag:720cb3c, author = {Lokesh J}, title 
= {{Scumbag Combo: Agent Tesla and XpertRAT}}, date = {2018-12-18}, organization = {K7 Security}, url = {https://labs.k7computing.com/?p=15672}, language = {English}, urldate = {2020-01-06} } @online{j:20200413:guloader:a8374ed, author = {Lokesh J}, title = {{GuLoader delivers RATs and Spies in Disguise}}, date = {2020-04-13}, organization = {K7 Security}, url = {https://labs.k7computing.com/?p=20156}, language = {English}, urldate = {2021-01-10} } @online{jackson:20070320:gozi:701fe90, author = {Don Jackson}, title = {{Gozi Trojan}}, date = {2007-03-20}, organization = {Secureworks}, url = {https://www.secureworks.com/research/gozi}, language = {English}, urldate = {2020-01-10} } @online{jackson:20141219:unrelenting:f3f3ccf, author = {Don Jackson}, title = {{The unrelenting evolution of Vawtrak}}, date = {2014-12-19}, organization = {PhishLabs}, url = {https://info.phishlabs.com/blog/the-unrelenting-evolution-of-vawtrak}, language = {English}, urldate = {2019-11-04} } @online{jackson:20200714:python:6b03611, author = {Austin Jackson}, title = {{PYTHON MALWARE ON THE RISE}}, date = {2020-07-14}, organization = {Cyborg Security}, url = {https://www.cyborgsecurity.com/cyborg_labs/python-malware-on-the-rise/}, language = {English}, urldate = {2020-12-23} } @online{jackson:20201215:threat:00bfb46, author = {Austin Jackson}, title = {{Threat Hunt Deep Dives: SolarWinds Supply Chain Compromise (Solorigate / SUNBURST Backdoor)}}, date = {2020-12-15}, organization = {Cyborg Security}, url = {https://www.cyborgsecurity.com/cyborg_labs/threat-hunt-deep-dives-solarwinds-supply-chain-compromise-solorigate-sunburst-backdoor/}, language = {English}, urldate = {2020-12-23} } @online{jacquais:20180109:bestkorea:94b6c7a, author = {Jacquais}, title = {{BestKorea}}, date = {2018-01-09}, url = {https://github.com/Jacquais/BestKorea}, language = {English}, urldate = {2020-03-13} } @online{jallepalli:20190326:winrar:dff4878, author = {Dileep Kumar Jallepalli}, title = {{WinRAR Zero-day 
Abused in Multiple Campaigns}}, date = {2019-03-26}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/03/winrar-zero-day-abused-in-multiple-campaigns.html}, language = {English}, urldate = {2019-12-20} } @online{james:20111026:tsunami:7815511, author = {Peter James}, title = {{Tsunami Backdoor Can Be Used for Denial of Service Attacks}}, date = {2011-10-26}, organization = {Intego}, url = {https://www.intego.com/mac-security-blog/tsunami-backdoor-can-be-used-for-denial-of-service-attacks}, language = {English}, urldate = {2019-10-25} } @online{jamesinthebox:20181001:dga:c78b3d8, author = {James_inthe_box}, title = {{Tweet on DGA using TLD xyz}}, date = {2018-10-01}, organization = {Twitter (@James_inthe_box)}, url = {https://twitter.com/James_inthe_box/status/1046844087469391872}, language = {English}, urldate = {2020-01-08} } @online{jamesinthebox:20200512:himera:39130f2, author = {James_inthe_box}, title = {{Tweet on Himera Loader}}, date = {2020-05-12}, organization = {Twitter (@James_inthe_box)}, url = {https://twitter.com/James_inthe_box/status/1260191589789392898}, language = {English}, urldate = {2020-05-18} } @online{jamesinthebox:20200814:echelon:699dd29, author = {James_inthe_box}, title = {{Tweet on Echelon Stealer}}, date = {2020-08-14}, organization = {Twitter (@James_inthe_box)}, url = {https://twitter.com/James_inthe_box/status/1294088216807534593}, language = {English}, urldate = {2020-08-14} } @online{jameswt:20200525:fuckunicorn:8136f92, author = {JamesWT}, title = {{Tweet on FuckUnicorn instance of HiddenTear}}, date = {2020-05-25}, organization = {Twitter (@JAMESWT_MHT)}, url = {https://twitter.com/JAMESWT_MHT/status/1264828072001495041}, language = {English}, urldate = {2020-06-08} } @online{jamie:20200331:lokibot:f927742, author = {Jamie}, title = {{LokiBot: Getting Equation Editor Shellcode}}, date = {2020-03-31}, organization = {Click All the Things! 
Blog}, url = {https://clickallthethings.wordpress.com/2020/03/31/lokibot-getting-equation-editor-shellcode/}, language = {English}, urldate = {2020-04-07} } @online{jamie:20200619:zloader:dd6729d, author = {Jamie}, title = {{zloader: VBA, R1C1 References, and Other Tomfoolery}}, date = {2020-06-19}, organization = {Click All the Things! Blog}, url = {https://clickallthethings.wordpress.com/2020/06/19/zloader-vba-r1c1-references-and-other-tomfoolery/}, language = {English}, urldate = {2020-06-21} } @online{jamie:20201216:snake404:7b8d820, author = {Jamie}, title = {{Snake/404 Keylogger, BIFF, and Covering Tracks?: An unusual maldoc}}, date = {2020-12-16}, organization = {Click All the Things! Blog}, url = {https://clickallthethings.wordpress.com/2020/12/16/snake-404-keylogger-biff-and-covering-tracks-an-unusual-maldoc/}, language = {English}, urldate = {2020-12-18} } @online{jansen:20200902:machine:2a2ed0a, author = {Joost Jansen}, title = {{Machine learning from idea to reality: a PowerShell case study}}, date = {2020-09-02}, organization = {Fox-IT}, url = {https://blog.fox-it.com/2020/09/02/machine-learning-from-idea-to-reality-a-powershell-case-study/}, language = {English}, urldate = {2020-09-03} } @online{jarvis:20131218:cryptolocker:a15fe52, author = {Keith Jarvis}, title = {{CryptoLocker Ransomware}}, date = {2013-12-18}, organization = {Secureworks}, url = {https://www.secureworks.com/research/cryptolocker-ransomware}, language = {English}, urldate = {2019-11-27} } @online{jazi:20200416:new:6b7cb7a, author = {Hossein Jazi}, title = {{New AgentTesla variant steals WiFi credentials}}, date = {2020-04-16}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/cybercrime/2020/04/new-agenttesla-variant-steals-wifi-credentials/}, language = {English}, urldate = {2020-04-16} } @online{jazi:20200506:new:7723083, author = {Hossein Jazi and Thomas Reed and Jérôme Segura}, title = {{New Mac variant of Lazarus Dacls RAT distributed via Trojanized 2FA 
app}}, date = {2020-05-06}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2020/05/new-mac-variant-of-lazarus-dacls-rat-distributed-via-trojanized-2fa-app/}, language = {English}, urldate = {2020-05-07} } @online{jazi:20200603:new:96bf302, author = {Hossein Jazi and Jérôme Segura}, title = {{New LNK attack tied to Higaisa APT discovered}}, date = {2020-06-03}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/}, language = {English}, urldate = {2020-06-05} } @online{jazi:20200617:multistage:6358f3f, author = {Hossein Jazi and Jérôme Segura}, title = {{Multi-stage APT attack drops Cobalt Strike using Malleable C2 feature}}, date = {2020-06-17}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2020/06/multi-stage-apt-attack-drops-cobalt-strike-using-malleable-c2-feature/}, language = {English}, urldate = {2020-06-19} } @online{jazi:20200721:chinese:da6a239, author = {Hossein Jazi and Jérôme Segura}, title = {{Chinese APT group targets India and Hong Kong using new variant of MgBot malware}}, date = {2020-07-21}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware/}, language = {English}, urldate = {2020-07-22} } @online{jazi:20201006:release:11f16dc, author = {Hossein Jazi and Jérôme Segura}, title = {{Release the Kraken: Fileless APT attack abuses Windows Error Reporting service}}, date = {2020-10-06}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service}, language = {English}, urldate = {2020-10-08} } @online{jazi:20210106:retrohunting:65f1492, author = {Hossein Jazi}, title = {{Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat}}, date = {2021-01-06}, organization = {Malwarebytes}, url = 
{https://blog.malwarebytes.com/threat-analysis/2021/01/retrohunting-apt37-north-korean-apt-used-vba-self-decode-technique-to-inject-rokrat/}, language = {English}, urldate = {2021-01-11} } @online{jedynak:20170104:technical:9cf0ab7, author = {Jarosław Jedynak}, title = {{Technical analysis of CryptoMix/CryptFile2 ransomware}}, date = {2017-01-04}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/technical-analysis-of-cryptomixcryptfile2-ransomware/}, language = {English}, urldate = {2020-01-13} } @online{jedynak:20170130:nymaim:d5553e6, author = {Jarosław Jedynak}, title = {{Nymaim revisited}}, date = {2017-01-30}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/nymaim-revisited/}, language = {English}, urldate = {2020-01-09} } @online{jedynak:20170214:sage:c9187b1, author = {Jarosław Jedynak}, title = {{Sage 2.0 analysis}}, date = {2017-02-14}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/sage-2-0-analysis/}, language = {English}, urldate = {2020-01-13} } @online{jedynak:20170530:mole:868f8ea, author = {Jarosław Jedynak}, title = {{Mole ransomware: analysis and decryptor}}, date = {2017-05-30}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/mole-ransomware-analysis-and-decryptor/}, language = {English}, urldate = {2019-12-17} } @online{jedynak:20171019:deeper:f2e50ae, author = {Jarosław Jedynak}, title = {{A deeper look at Tofsee modules}}, date = {2017-10-19}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/a-deeper-look-at-tofsee-modules/}, language = {English}, urldate = {2020-01-06} } @online{jeff0falltrades:20200610:frat:6a40185, author = {jeFF0Falltrades and James_inthe_box and _re_fox}, title = {{FRat Reporting, YARA, and IoCs}}, date = {2020-06-10}, url = {https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/frat.md}, language = {English}, urldate = {2020-06-12} } @online{jennings:20170417:python:d5a3654, author = {Luke Jennings}, title = 
{{Python script for decoding DOUBLEPULSAR}}, date = {2017-04-17}, organization = {Github (countercept)}, url = {https://github.com/countercept/doublepulsar-c2-traffic-decryptor}, language = {English}, urldate = {2020-01-08} } @online{jensen:20201218:strategic:0c28573, author = {Benjamin Jensen and Brandon Valeriano and Mark Montgomery}, title = {{The Strategic Implications of SolarWinds}}, date = {2020-12-18}, organization = {Lawfare Blog}, url = {https://www.lawfareblog.com/strategic-implications-solarwinds}, language = {English}, urldate = {2020-12-19} } @online{jia:20201209:njrat:f7f3b49, author = {Yanhui Jia and Chris Navarrete and Haozhe Zhang}, title = {{njRAT Spreading Through Active Pastebin Command and Control Tunnel}}, date = {2020-12-09}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/njrat-pastebin-command-and-control}, language = {English}, urldate = {2020-12-11} } @techreport{jiang:20150910:hangul:2e0fc13, author = {Genwei Jiang and Josiah Kimble}, title = {{Hangul Word Processor (HWP) Zero-Day: possible ties to North Korean threat actors}}, date = {2015-09-10}, institution = {FireEye}, url = {https://www.fireeye.com/content/dam/fireeye-www/global/en/blog/threat-research/FireEye_HWP_ZeroDay.pdf}, language = {English}, urldate = {2020-01-13} } @online{jiang:20151216:eps:3db357c, author = {Genwei Jiang and Dan Caselden and Ryann Winters}, title = {{The EPS Awakens}}, date = {2015-12-16}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html}, language = {English}, urldate = {2019-12-20} } @online{jiayu:20180124:mykings:63bef87, author = {JiaYu}, title = {{MyKings: A massively multiple botnet}}, date = {2018-01-24}, url = {http://blog.netlab.360.com/mykings-the-botnet-behind-multiple-active-spreading-botnets/}, language = {Chinese}, urldate = {2019-11-20} } @online{jiayu:20201006:heh:48e69cc, author = {JiaYu}, title = {{HEH, a new IoT P2P Botnet going after weak 
telnet services}}, date = {2020-10-06}, organization = {360 netlab}, url = {https://blog.netlab.360.com/heh-an-iot-p2p-botnet/}, language = {English}, urldate = {2020-10-07} } @online{jiayu:20201120:blackrota:ee43da1, author = {JiaYu}, title = {{Blackrota, a highly obfuscated backdoor developed by Go}}, date = {2020-11-20}, organization = {360 netlab}, url = {https://blog.netlab.360.com/blackrota-an-obfuscated-backdoor-written-in-go/}, language = {Chinese}, urldate = {2020-11-23} } @online{jiayu:20201124:blackrota:8a46a54, author = {JiaYu}, title = {{Blackrota, a heavily obfuscated backdoor written in Go}}, date = {2020-11-24}, organization = {360 netlab}, url = {https://blog.netlab.360.com/blackrota-an-obfuscated-backdoor-written-in-go-en/}, language = {English}, urldate = {2020-12-03} } @online{jin:20190117:malware:f880151, author = {Xingyu Jin and Claud Xiao}, title = {{Malware Used by “Rocke” Group Evolves to Evade Detection by Cloud Security Products}}, date = {2019-01-17}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/malware-used-by-rocke-group-evolves-to-evade-detection-by-cloud-security-products/}, language = {English}, urldate = {2020-01-07} } @online{jindanlong:20201201:hunting:b9e2674, author = {jindanlong}, title = {{Hunting Beacons}}, date = {2020-12-01}, organization = {360.cn}, url = {https://quake.360.cn/quake/#/reportDetail?id=5fc6fedd191038c3b25c4950}, language = {English}, urldate = {2021-01-10} } @online{jinye:20191217:lazarus:f97fffd, author = {Jinye and GenShen Ye}, title = {{Lazarus Group uses Dacls RAT to attack Linux platform}}, date = {2019-12-17}, organization = {Netlab}, url = {https://blog.netlab.360.com/dacls-the-dual-platform-rat/}, language = {Chinese}, urldate = {2020-01-07} } @online{jinye:20200523:new:20aa28f, author = {Jinye}, title = {{New activity of DoubleGuns Group, control hundreds of thousands of bots via public cloud service}}, date = {2020-05-23}, organization = {360 netlab}, url 
= {https://blog.netlab.360.com/shuangqiang/}, language = {English}, urldate = {2020-05-26} } @online{jnok:20190128:russia:579f446, author = {Juraj Jánošík}, title = {{Russia hit by new wave of ransomware spam}}, date = {2019-01-28}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/01/28/russia-hit-new-wave-ransomware-spam/}, language = {English}, urldate = {2019-11-14} } @online{joe:20170127:deep:d365b7e, author = {Joe}, title = {{Deep Analysis of Android Ransom Charger}}, date = {2017-01-27}, organization = {Joe Security}, url = {http://blog.joesecurity.org/2017/01/deep-analysis-of-android-ransom-charger.html}, language = {English}, urldate = {2020-01-08} } @online{joe:20181118:cozybear:4801301, author = {Joe}, title = {{CozyBear – In from the Cold?}}, date = {2018-11-18}, organization = {Stranded on Pylos Blog}, url = {https://pylos.co/2018/11/18/cozybear-in-from-the-cold/}, language = {English}, urldate = {2020-01-09} } @online{johannes:20170131:malicious:ed4f2fb, author = {Johannes}, title = {{Malicious Office files using fileless UAC bypass to drop KEYBASE malware}}, date = {2017-01-31}, organization = {SANS ISC InfoSec Forums}, url = {https://isc.sans.edu/forums/diary/Malicious+Office+files+using+fileless+UAC+bypass+to+drop+KEYBASE+malware/22011/}, language = {English}, urldate = {2020-01-08} } @online{john:20201028:macos:15c0a45, author = {John}, title = {{Tweet on macOS version of Manuscrypt}}, date = {2020-10-28}, organization = {Twitter (@BitsOfBinary)}, url = {https://twitter.com/BitsOfBinary/status/1321488299932983296}, language = {English}, urldate = {2020-12-03} } @online{johnson:20130219:apt1:ee9c94f, author = {A L Johnson}, title = {{APT1: Q\&A on Attacks by the Comment Crew}}, date = {2013-02-19}, organization = {Symantec}, url = 
{https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=f1265df5-6e5e-4fcc-9828-d4ddbbafd3d7&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } @online{johnson:20150713:forkmeiamfamous:64957d9, author = {A L Johnson}, title = {{“Forkmeiamfamous”: Seaduke, latest weapon in the Duke armory}}, date = {2015-07-13}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=6ab66701-25d7-4685-ae9d-93d63708a11c&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-08-19} } @online{johnson:20151026:duuzer:e87f194, author = {A L Johnson}, title = {{Duuzer back door Trojan targets South Korea to take over computers}}, date = {2015-10-26}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5b9850b9-0fdd-48a9-b595-9234207ae7df&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } @online{johnson:20160222:russian:cc3bc7b, author = {A L Johnson}, title = {{Russian bank employees received fake job offers in targeted email attack}}, date = {2016-02-22}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=8e498912-44f8-4ea0-ac50-4544f0fedd6c&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } @online{johnson:20160808:strider:49d9d44, author = {A L Johnson}, title = {{Strider: Cyberespionage group turns eye of Sauron on targets}}, date = {2016-08-08}, organization = {Symantec}, url = 
{https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ce2df4da-afe9-4a24-b28c-0fb3ba671d95&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } @online{johnson:20161130:shamoon:50feb7c, author = {A L Johnson}, title = {{Shamoon: Back from the dead and destructive as ever}}, date = {2016-11-30}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ad6f8259-2bb4-4f7f-b8e1-710b35a4cbed&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } @online{johnson:20170212:attackers:c338fa3, author = {A L Johnson}, title = {{Attackers target dozens of global banks with new malware}}, date = {2017-02-12}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware}, language = {English}, urldate = {2020-04-21} } @online{johnson:20170227:shamoon:0188f39, author = {A L Johnson}, title = {{Shamoon: Multi-staged destructive attacks limited to specific targets}}, date = {2017-02-27}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5758557d-6e3a-4174-90f3-fa92a712ecd9&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } @online{johnson:20170410:longhorn:811e6dc, author = {A L Johnson}, title = {{Longhorn: Tools used by cyberespionage group linked to Vault 7}}, date = {2017-04-10}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7ca2e331-2209-46a8-9e60-4cb83f9602de&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, 
urldate = {2020-04-21} } @online{johnson:20171214:attackers:6b0be76, author = {Blake Johnson and Dan Caban and Marina Krotofil and Dan Scali and Nathan Brubaker and Christopher Glyer}, title = {{Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure}}, date = {2017-12-14}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html}, language = {English}, urldate = {2019-12-20} } @online{johnson:20180515:swedish:47c0265, author = {Simon Johnson and Olof Swahnberg and Niklas Pollard and Hugh Lawson}, title = {{Swedish sports body says anti-doping unit hit by hacking attack}}, date = {2018-05-15}, organization = {Reuters}, url = {https://www.reuters.com/article/us-sweden-doping/swedish-sports-body-says-anti-doping-unit-hit-by-hacking-attack-idUSKCN1IG2GN}, language = {English}, urldate = {2019-12-10} } @techreport{jones:20160426:new:78ff145, author = {Jason Jones}, title = {{New Poison Ivy Activity Targeting Myanmar, Asian Countries}}, date = {2016-04-26}, institution = {Github (CyberMonitor)}, url = {https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/blob/master/2016/2016.04.26.New_Poison_Ivy_Activity_Targeting_Myanmar_Asian_Countries/New%20Poison%20Ivy%20Activity%20Targeting%20Myanmar%2C%20Asian%20Countries.pdf}, language = {English}, urldate = {2019-12-17} } @online{joven:20160603:cooking:a48c0f8, author = {Rommel Abraham D Joven}, title = {{Cooking Up Autumn (Herbst) Ransomware}}, date = {2016-06-03}, organization = {Fortinet}, url = {https://blog.fortinet.com/2016/06/03/cooking-up-autumn-herbst-ransomware}, language = {English}, urldate = {2020-01-08} } @online{joven:20170609:macransom:56a318d, author = {Rommel Joven and Wayne Chin Yick Low}, title = {{MacRansom: Offered as Ransomware as a Service}}, date = {2017-06-09}, organization = {Fortinet}, url = 
{https://blog.fortinet.com/2017/06/09/macransom-offered-as-ransomware-as-a-service}, language = {English}, urldate = {2020-01-05} } @online{joven:20180517:wicked:913857a, author = {Rommel Joven and Kenny Yang}, title = {{A Wicked Family of Bots}}, date = {2018-05-17}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/a-wicked-family-of-bots.html}, language = {English}, urldate = {2020-01-05} } @online{joven:20190627:inter:2cde728, author = {Rommel Joven}, title = {{Inter: Skimmer For All}}, date = {2019-06-27}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/inter-skimmer-for-all.html}, language = {English}, urldate = {2020-01-10} } @online{jpcert:20160216:banking:43d5789, author = {JPCert}, title = {{Banking Trojan “Citadel” Returns}}, date = {2016-02-16}, organization = {JPCERT/CC}, url = {http://blog.jpcert.or.jp/2016/02/banking-trojan--27d6.html}, language = {English}, urldate = {2019-12-19} } @online{jpcertcc:20180731:scanner:d1757d9, author = {JPCERT/CC}, title = {{Scanner for CobaltStrike}}, date = {2018-07-31}, organization = {Github (JPCERTCC)}, url = {https://github.com/JPCERTCC/aa-tools/blob/master/cobaltstrikescan.py}, language = {English}, urldate = {2020-01-13} } @online{jpcertcc:20191210:updated:86aee30, author = {JPCERT/CC}, title = {{[Updated] Alert Regarding Emotet Malware Infection}}, date = {2019-12-10}, organization = {JPCERT/CC}, url = {https://www.jpcert.or.jp/english/at/2019/at190044.html}, language = {English}, urldate = {2020-01-09} } @online{jr0driguezb:20181009:malware:89b0393, author = {JR0driguezB}, title = {{Malware Configs - Pandabanker}}, date = {2018-10-09}, organization = {Github (JR0driguezB)}, url = {https://github.com/JR0driguezB/malware_configs/tree/master/PandaBanker}, language = {English}, urldate = {2020-01-07} } @online{jr:20151102:shifu:700438c, author = {Floser Bacurio Jr. 
and Wayne Low}, title = {{Shifu – the rise of a self-destructive banking trojan}}, date = {2015-11-02}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2015/11/shifu-rise-self-destructive-banking-trojan}, language = {English}, urldate = {2020-01-09} } @online{jr:20160829:german:f88cef5, author = {Floser Bacurio Jr. and Joie Salvio}, title = {{German Speakers Targeted by SPAM Leading to Ozone RAT}}, date = {2016-08-29}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/german-speakers-targeted-by-spam-leading-to-ozone-rat.html}, language = {English}, urldate = {2020-01-13} } @online{jullian:20180112:analyzing:572a942, author = {Rémi Jullian}, title = {{Analyzing an Agent Tesla campaign: from a word document to the attacker credentials}}, date = {2018-01-12}, organization = {Stormshield}, url = {https://thisissecurity.stormshield.com/2018/01/12/agent-tesla-campaign/}, language = {English}, urldate = {2019-07-10} } @online{jullian:20180329:indepth:badef63, author = {Rémi Jullian}, title = {{In-depth Formbook malware analysis – Obfuscation and process injection}}, date = {2018-03-29}, organization = {Stormshield}, url = {https://thisissecurity.stormshield.com/2018/03/29/in-depth-formbook-malware-analysis-obfuscation-and-process-injection/}, language = {English}, urldate = {2020-01-10} } @techreport{jullian:20181205:formbook:40cf2ad, author = {Rémi Jullian}, title = {{FORMBOOK In-depth malware analysis}}, date = {2018-12-05}, institution = {Botconf}, url = {https://www.botconf.eu/wp-content/uploads/2018/12/2018-R-Jullian-In-depth-Formbook-Malware-Analysis.pdf}, language = {English}, urldate = {2019-12-17} } @techreport{jung:20200930:another:5edbad3, author = {Paul Jung}, title = {{Another Threat Actor day...}}, date = {2020-09-30}, institution = {CERT-XLM}, url = {https://vblocalhost.com/uploads/VB2020-Jung.pdf}, language = {English}, urldate = {2020-12-08} } @online{jurez:20171121:new:828279e, author = 
{Oscar Juárez}, title = {{New banking malware in Brazil - XPCTRA RAT ANALYSIS}}, date = {2017-11-21}, organization = {buguroo}, url = {https://www.buguroo.com/en/blog/bank-malware-in-brazil-xpctra-rat-analysis}, language = {English}, urldate = {2020-01-08} } @online{jursa:20200520:ghostdns:43190d5, author = {David Jursa and Simi Musilova and Jan Rubín and Alexej Savčin}, title = {{GhostDNS Source Code Leaked}}, date = {2020-05-20}, organization = {Avast Decoded}, url = {https://decoded.avast.io/simonamusilova/ghostdns-source-code-leaked/}, language = {English}, urldate = {2020-05-23} } @online{justice:20170410:justice:f1767d7, author = {US Department of Justice}, title = {{Justice Department Announces Actions to Dismantle Kelihos Botnet}}, date = {2017-04-10}, organization = {US Department of Justice}, url = {https://www.justice.gov/opa/pr/justice-department-announces-actions-dismantle-kelihos-botnet-0}, language = {English}, urldate = {2019-12-03} } @online{justice:20180110:phillip:d3877cf, author = {U.S. 
Department of Justice}, title = {{Phillip Durachinsky Indictment}}, date = {2018-01-10}, url = {https://www.documentcloud.org/documents/4346338-Phillip-Durachinsky-Indictment.html}, language = {English}, urldate = {2019-12-24} } @online{justice:20180323:nine:51457d0, author = {United States Department of Justice}, title = {{Nine Iranians Charged With Conducting Massive Cyber Theft Campaign on Behalf of the Islamic Revolutionary Guard Corps}}, date = {2018-03-23}, organization = {United States Department of Justice}, url = {https://www.justice.gov/usao-sdny/pr/nine-iranians-charged-conducting-massive-cyber-theft-campaign-behalf-islamic}, language = {English}, urldate = {2019-10-23} } @online{justice:20180323:nine:51c3fd6, author = {Department of Justice}, title = {{Nine Iranians Charged With Conducting Massive Cyber Theft Campaign on Behalf of the Islamic Revolutionary Guard Corps}}, date = {2018-03-23}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/nine-iranians-charged-conducting-massive-cyber-theft-campaign-behalf-islamic-revolutionary}, language = {English}, urldate = {2019-12-17} } @online{justice:20180618:joshua:7362ccc, author = {Department of Justice}, title = {{Joshua Adam Schulte Charged with the Unauthorized Disclosure of Classified Information and Other Offenses Relating to the Theft of Classified Material from the Central Intelligence Agency}}, date = {2018-06-18}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/joshua-adam-schulte-charged-unauthorized-disclosure-classified-information-and-other-offenses}, language = {English}, urldate = {2019-11-26} } @online{justice:20181212:indictment:d897f0c, author = {US Department of Justice}, title = {{Indictment against Andrey Turchin aka fxmsp}}, date = {2018-12-12}, organization = {US Department of Justice}, url = {https://www.justice.gov/usao-wdwa/press-release/file/1292541/download}, language = {English}, urldate = {2020-07-08} } 
@online{justice:20200626:russian:276b274, author = {Department of Justice}, title = {{Russian National (Aleksei Burkov, Cardplanet) Sentenced to Prison for Operating Websites Devoted to Fraud and Malicious Cyber Activities}}, date = {2020-06-26}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/russian-national-sentenced-prison-operating-websites-devoted-fraud-and-malicious-cyber}, language = {English}, urldate = {2020-06-29} } @online{justice:20200731:malware:f004207, author = {Department of Justice}, title = {{Malware Author Pleads Guilty for Role in Transnational Cybercrime Organization Responsible for more than $568 Million in Losses}}, date = {2020-07-31}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/malware-author-pleads-guilty-role-transnational-cybercrime-organization-responsible-more-568}, language = {English}, urldate = {2020-08-05} } @online{justice:20200813:global:fd1a7c6, author = {Department of Justice}, title = {{Global Disruption of Three Terror Finance Cyber-Enabled Campaigns}}, date = {2020-08-13}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/global-disruption-three-terror-finance-cyber-enabled-campaigns}, language = {English}, urldate = {2020-08-14} } @online{justice:20200916:seven:d4591b9, author = {Department of Justice}, title = {{Seven International Cyber Defendants, Including “Apt41” Actors, Charged In Connection With Computer Intrusion Campaigns Against More Than 100 Victims Globally}}, date = {2020-09-16}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer}, language = {English}, urldate = {2020-09-18} } @online{justice:20201007:92:fa152b9, author = {Department of Justice}, title = {{92 domain names that were unlawfully used by Iran’s Islamic Revolutionary Guard Corps (IRGC) to engage in a global disinformation campaign}}, date = 
{2020-10-07}, organization = {Department of Justice}, url = {https://www.justice.gov/usao-ndca/press-release/file/1325981/download}, language = {English}, urldate = {2020-10-12} } @online{justice:20201007:united:b364424, author = {Department of Justice}, title = {{United States Seizes Domain Names Used by Iran’s Islamic Revolutionary Guard Corps}}, date = {2020-10-07}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/united-states-seizes-domain-names-used-iran-s-islamic-revolutionary-guard-corps}, language = {English}, urldate = {2020-10-12} } @online{justice:20201015:officials:b340951, author = {Department of Justice}, title = {{Officials Announce International Operation Targeting Transnational Criminal Organization QQAAZZ that Provided Money Laundering Services to High-Level Cybercriminals}}, date = {2020-10-15}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/officials-announce-international-operation-targeting-transnational-criminal-organization}, language = {English}, urldate = {2020-10-23} } @online{justice:20201020:six:8e508cd, author = {Department of Justice}, title = {{Six Russian GRU Officers Charged in Connection with Worldwide Deployment of Destructive Malware and Other Disruptive Actions in Cyberspace}}, date = {2020-10-20}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/press-release/file/1328521/download}, language = {English}, urldate = {2020-10-23} } @online{justice:20201104:united:1d7e2f9, author = {US Department of Justice}, title = {{United States Seizes 27 Additional Domain Names Used by Iran’s Islamic Revolutionary Guard Corps to Further a Global, Covert Influence Campaign}}, date = {2020-11-04}, organization = {US Department of Justice}, url = {https://www.justice.gov/opa/pr/united-states-seizes-27-additional-domain-names-used-iran-s-islamic-revolutionary-guard-corps}, language = {English}, urldate = {2020-11-06} } 
@online{justice:20210106:department:b7e85eb, author = {Department of Justice}, title = {{Department of Justice Statement on Solarwinds Update}}, date = {2021-01-06}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/department-justice-statement-solarwinds-update}, language = {English}, urldate = {2021-01-11} } @online{justin:20181217:apt39:6e13cad, author = {Justin}, title = {{Tweet on APT39}}, date = {2018-12-17}, organization = {Twitter (@MJDutch)}, url = {https://twitter.com/MJDutch/status/1074820959784321026?s=19}, language = {English}, urldate = {2020-01-08} } @online{jw:20200325:trickbot:17b0dc3, author = {JW}, title = {{Trickbot to Ryuk in Two Hours}}, date = {2020-03-25}, organization = {Wilbur Security}, url = {https://www.wilbursecurity.com/2020/03/trickbot-to-ryuk-in-two-hours/}, language = {English}, urldate = {2020-03-26} } @online{k:20110130:gpcode:53d8cac, author = {Steven K}, title = {{GpCode Ransomware 2010 Simple Analysis}}, date = {2011-01-30}, url = {http://www.xylibox.com/2011/01/gpcode-ransomware-2010-simple-analysis.html}, language = {English}, urldate = {2019-12-24} } @techreport{k:2018:in:87e5693, author = {Taha K.}, title = {{IN THE TRAILS OF WINDSHIFT APT}}, date = {2018}, institution = {DarkMatter}, url = {https://gsec.hitb.org/materials/sg2018/D1%20COMMSEC%20-%20In%20the%20Trails%20of%20WINDSHIFT%20APT%20-%20Taha%20Karim.pdf}, language = {English}, urldate = {2020-01-08} } @online{kadiev:20101220:end:0a62065, author = {Alexei Kadiev}, title = {{End of the Line for the Bredolab Botnet?}}, date = {2010-12-20}, organization = {Kaspersky Labs}, url = {https://securelist.com/end-of-the-line-for-the-bredolab-botnet/36335/}, language = {English}, urldate = {2019-12-20} } @online{kafeine:20120816:inside:5dd3a54, author = {Kafeine}, title = {{Inside Upas Kit (1.0.1.1) aka Rombrast C&C - Botnet Control Panel}}, date = {2012-08-16}, organization = {Malware Don't Need Coffee}, url = 
{https://malware.dontneedcoffee.com/2012/08/inside-upas-kit1.0.1.1.html}, language = {English}, urldate = {2020-01-10} } @online{kafeine:20121129:inside:cff4761, author = {Kafeine}, title = {{Inside view of Lyposit aka (for its friends) Lucky LOCKER}}, date = {2012-11-29}, organization = {Malware Don't Need Coffee}, url = {http://malware.dontneedcoffee.com/2012/11/inside-view-of-lyposit-aka-for-its.html}, language = {English}, urldate = {2019-12-18} } @online{kafeine:20130521:unveiling:1b90bcf, author = {Kafeine}, title = {{Unveiling the Locker Bomba (aka Lucky Locker v0.6 aka Lyposit/Adneukine)}}, date = {2013-05-21}, organization = {Malware Don't Need Coffee}, url = {http://malware.dontneedcoffee.com/2013/05/unveiling-locker-bomba-aka-lucky-locker.html}, language = {English}, urldate = {2020-01-10} } @online{kafeine:20140618:neutrino:a72cb23, author = {Kafeine}, title = {{Neutrino Bot (aka MS:Win32/Kasidet)}}, date = {2014-06-18}, organization = {Malware Don't Need Coffee}, url = {http://malware.dontneedcoffee.com/2014/06/neutrino-bot-aka-kasidet.html}, language = {English}, urldate = {2020-01-10} } @online{kafeine:20150304:new:0c67206, author = {Kafeine}, title = {{New crypto ransomware in town : CryptoFortress}}, date = {2015-03-04}, organization = {Malware Don't Need Coffee}, url = {http://malware.dontneedcoffee.com/2015/03/cryptofortress-teeraca-aka.html}, language = {English}, urldate = {2019-11-29} } @online{kafeine:20170515:adylkuzz:c94b40e, author = {Kafeine}, title = {{Adylkuzz Cryptocurrency Mining Malware Spreading for Weeks Via EternalBlue/DoublePulsar}}, date = {2017-05-15}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/adylkuzz-cryptocurrency-mining-malware-spreading-for-weeks-via-eternalblue-doublepulsar}, language = {English}, urldate = {2019-12-20} } @online{kafeine:20170620:adgholas:8ca8d57, author = {Kafeine}, title = {{AdGholas Malvertising Campaign Using Astrum EK to Deliver Mole Ransomware}}, date = 
{2017-06-20}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/adgholas-malvertising-campaign-using-astrum-ek-deliver-mole-ransomware}, language = {English}, urldate = {2019-12-20} } @online{kafeine:20171016:coalabot:28f848f, author = {Kafeine}, title = {{CoalaBot: http Ddos Bot}}, date = {2017-10-16}, organization = {Malware Don't Need Coffee}, url = {https://malware.dontneedcoffee.com/2017/10/coalabot-http-ddos-bot.html}, language = {English}, urldate = {2020-01-10} } @online{kafeine:20171019:apt28:927b889, author = {Kafeine and Pierre T}, title = {{APT28 racing to exploit CVE-2017-11292 Flash vulnerability before patches are deployed}}, date = {2017-10-19}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/apt28-racing-exploit-cve-2017-11292-flash-vulnerability-patches-are-deployed}, language = {English}, urldate = {2019-12-20} } @online{kafeine:20180131:smominru:5a6c554, author = {Kafeine}, title = {{Smominru Monero mining botnet making millions for operators}}, date = {2018-01-31}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators}, language = {English}, urldate = {2019-12-20} } @online{kafeine:20190203:fallout:00a924c, author = {Kafeine}, title = {{Tweet on Fallout Exploit Kit}}, date = {2019-02-03}, organization = {Twitter (@kafeine)}, url = {https://twitter.com/kafeine/status/1092000556598677504}, language = {English}, urldate = {2020-01-07} } @online{kafeine:20190722:brushaloader:487137c, author = {Kafeine and Proofpoint Threat Insight Team}, title = {{BrushaLoader still sweeping up victims one year later}}, date = {2019-07-22}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/brushaloader-still-sweeping-victims-one-year-later}, language = {English}, urldate = {2019-12-20} } @online{kafka:20170921:new:8bcb309, author = {Filip Kafka}, title = {{New FinFisher 
surveillance campaigns: Internet providers involved?}}, date = {2017-09-21}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/09/21/new-finfisher-surveillance-campaigns/}, language = {English}, urldate = {2019-11-14} } @online{kafka:20171208:strongpity2:116d419, author = {Filip Kafka}, title = {{StrongPity2 spyware replaces FinFisher in MitM campaign – ISP involved?}}, date = {2017-12-08}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/12/08/strongpity-like-spyware-replaces-finfisher/}, language = {English}, urldate = {2019-11-14} } @techreport{kafka:20180124:esets:246a0d4, author = {Filip Kafka}, title = {{ESET’S GUIDE TO DEOBFUSCATING AND DEVIRTUALIZING FINFISHER}}, date = {2018-01-24}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2018/01/WP-FinFisher.pdf}, language = {English}, urldate = {2020-01-13} } @online{kafka:20180309:new:9d79d4b, author = {Filip Kafka}, title = {{New traces of Hacking Team in the wild}}, date = {2018-03-09}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/03/09/new-traces-hacking-team-wild/}, language = {English}, urldate = {2019-11-14} } @online{kafka:201901:vb2018:7d81852, author = {Filip Kafka}, title = {{VB2018 paper: From Hacking Team to hacked team to...?}}, date = {2019-01}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2019/01/vb2018-paper-hacking-team-hacked-team/}, language = {English}, urldate = {2020-01-13} } @online{kai5263499:20170222:bella:2b93625, author = {kai5263499}, title = {{Bella: A pure python, post-exploitation, data mining tool and remote administration tool for macOS.}}, date = {2017-02-22}, organization = {Github (kai5263499)}, url = {https://github.com/kai5263499/Bella}, language = {English}, urldate = {2020-01-06} } @online{kajiloti:20191112:purelocker:9d8244d, author = {Michael Kajiloti}, title = {{PureLocker: New Ransomware-as-a-Service Being Used 
in Targeted Attacks Against Servers}}, date = {2019-11-12}, organization = {Intezer}, url = {https://www.intezer.com/blog-purelocker-ransomware-being-used-in-targeted-attacks-against-servers/}, language = {English}, urldate = {2020-01-13} } @online{kajiloti:20200330:fantastic:c01db60, author = {Michael Kajiloti}, title = {{Fantastic payloads and where we find them}}, date = {2020-03-30}, organization = {Intezer}, url = {https://intezer.com/blog/intezer-analyze/fantastic-payloads-and-where-we-find-them}, language = {English}, urldate = {2020-04-07} } @online{kamluk:20140114:icefog:bc79c50, author = {Vitaly Kamluk and Igor Soumenkov and Costin Raiu}, title = {{The Icefog APT Hits US Targets With Java Backdoor}}, date = {2014-01-14}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-icefog-apt-hits-us-targets-with-java-backdoor/58209/}, language = {English}, urldate = {2019-12-20} } @online{kan:20170417:new:6eb33c6, author = {Michael Kan}, title = {{New NSA leak may expose its bank spying, Windows exploits}}, date = {2017-04-17}, organization = {CSO Online}, url = {https://www.csoonline.com/article/3190055/new-nsa-leak-may-expose-its-bank-spying-windows-exploits.html}, language = {English}, urldate = {2019-12-24} } @online{kandefelt:20201210:cybereason:0267d5e, author = {Joakim Kandefelt}, title = {{Cybereason vs. 
Ryuk Ransomware}}, date = {2020-12-10}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/cybereason-vs.-ryuk-ransomware}, language = {English}, urldate = {2020-12-14} } @techreport{karim:20190408:trails:83a8378, author = {Taha Karim}, title = {{Trails of WindShift}}, date = {2019-04-08}, institution = {SANS Cyber Security Summit}, url = {https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1554718868.pdf}, language = {English}, urldate = {2020-01-20} } @online{karim:20191210:new:b423605, author = {Taha Karim}, title = {{New macOS Bundlore Loader Analysis}}, date = {2019-12-10}, organization = {Confiant}, url = {https://blog.confiant.com/new-macos-bundlore-loader-analysis-ca16d19c058c}, language = {English}, urldate = {2020-01-07} } @online{karim:20200713:internet:be95d1e, author = {Taha Karim}, title = {{Internet Explorer CVE-2019-1367 Exploitation — part 1}}, date = {2020-07-13}, organization = {Confiant}, url = {https://blog.confiant.com/internet-explorer-cve-2019-1367-exploitation-part-1-7ff08b7dcc8b}, language = {English}, urldate = {2020-07-15} } @online{karim:20200713:internet:d7f7dd7, author = {Taha Karim}, title = {{Internet Explorer CVE-2019-1367 In the wild Exploitation - prelude}}, date = {2020-07-13}, organization = {Confiant}, url = {https://blog.confiant.com/internet-explorer-cve-2019-1367-in-the-wild-exploitation-prelude-ef546f19cd30}, language = {English}, urldate = {2020-07-15} } @online{karim:20200714:internet:a2f6f67, author = {Taha Karim}, title = {{Internet Explorer CVE-2019-1367 Exploitation — part 3}}, date = {2020-07-14}, organization = {Confiant}, url = {https://blog.confiant.com/internet-explorer-cve-2019-1367-exploitation-part-3-a92d3011b38}, language = {English}, urldate = {2020-07-15} } @online{karim:20201214:one:5d9f92c, author = {Taha Karim}, title = {{Tweet on a one liner to decrypt SUNBURST backdoor}}, date = {2020-12-14}, organization = {Twitter (@lordx64)}, url = 
{https://twitter.com/lordx64/status/1338526166051934213}, language = {English}, urldate = {2020-12-15} } @online{karmi:20200104:look:441fa96, author = {Doron Karmi}, title = {{A Look Into Konni 2019 Campaign}}, date = {2020-01-04}, organization = {Medium d-hunter}, url = {https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b}, language = {English}, urldate = {2020-01-17} } @online{karpin:20161107:little:598f939, author = {Julia Karpin and Shaul Vilkomir-Preisman and Anna Dorfman}, title = {{Little Trickbot Growing Up: New Campaign}}, date = {2016-11-07}, organization = {F5 Labs}, url = {https://f5.com/labs/articles/threat-intelligence/malware/little-trickbot-growing-up-new-campaign-24412}, language = {English}, urldate = {2020-01-06} } @online{karpin:20180711:tackling:b80ad4a, author = {Julia Karpin}, title = {{Tackling Gootkit's Traps}}, date = {2018-07-11}, organization = {F5}, url = {https://www.f5.com/labs/articles/threat-intelligence/tackling-gootkit-s-traps}, language = {English}, urldate = {2019-12-17} } @techreport{karve:201608:diving:6f604b3, author = {Sanchit Karve and Guilherme Venere and Mark Olea}, title = {{DIVING INTO PINKSLIPBOT’S LATEST CAMPAIGN}}, date = {2016-08}, institution = {Intel Security}, url = {https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Karve-etal.pdf}, language = {English}, urldate = {2019-11-27} } @online{kaspersky:20060626:erpresser:6c57dc7, author = {Kaspersky}, title = {{Erpresser}}, date = {2006-06-26}, organization = {Kaspersky Labs}, url = {https://de.securelist.com/analysis/59479/erpresser/}, language = {German}, urldate = {2020-01-08} } @online{kaspersky:20120717:kaspersky:bbbf635, author = {Kaspersky}, title = {{Kaspersky Lab and Seculert Announce ‘Madi,’ a Newly Discovered Cyber-Espionage Campaign in the Middle East}}, date = {2012-07-17}, organization = {Kaspersky Labs}, url = 
{https://www.kaspersky.com/about/press-releases/2012_kaspersky-lab-and-seculert-announce--madi--a-newly-discovered-cyber-espionage-campaign-in-the-middle-east}, language = {English}, urldate = {2019-12-10} } @techreport{kaspersky:201402:unveiling:4e5e91c, author = {Kaspersky}, title = {{Unveiling “Careto” - The Masked APT}}, date = {2014-02}, institution = {Kaspersky Labs}, url = {https://d2538mqrb7brka.cloudfront.net/wp-content/uploads/sites/43/2018/03/20133638/unveilingthemask_v1.0.pdf}, language = {English}, urldate = {2019-10-12} } @online{kaspersky:20140827:nettraveler:5469ce3, author = {Kaspersky}, title = {{NetTraveler Gets a Makeover for 10th Anniversary}}, date = {2014-08-27}, organization = {Kaspersky Labs}, url = {https://www.kaspersky.com/about/press-releases/2014_nettraveler-gets-a-makeover-for-10th-anniversary}, language = {English}, urldate = {2020-01-13} } @techreport{kaspersky:201502:equation:3c079fb, author = {Kaspersky}, title = {{Equation Group: Questions and Answers}}, date = {2015-02}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf}, language = {English}, urldate = {2020-01-08} } @techreport{kaspersky:20170307:from:2d853ae, author = {Kaspersky}, title = {{From Shamoon to Stonedrill}}, date = {2017-03-07}, institution = {Kaspersky Labs}, url = {https://securelist.com/files/2017/03/Report_Shamoon_StoneDrill_final.pdf}, language = {English}, urldate = {2020-01-09} } @online{kaspersky:20170501:crouching:a5be2eb, author = {Kaspersky}, title = {{Crouching Yeti (Energetic Bear) Malware}}, date = {2017-05-01}, organization = {Kaspersky Labs}, url = {https://www.kaspersky.com/resource-center/threats/crouching-yeti-energetic-bear-malware-threat}, language = {English}, urldate = {2020-01-10} } @online{kaspersky:20180717:return:1dcb99e, author = {Kaspersky}, title = {{The return of Fantomas, or how we deciphered Cryakl}}, date = 
{2018-07-17}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-return-of-fantomas-or-how-we-deciphered-cryakl/86511/}, language = {English}, urldate = {2019-12-20} } @online{kaspersky:20190520:video:148e81f, author = {Kaspersky}, title = {{Video: Operation ShadowHammer: Costin Raiu and Vitaly Kamlyuk at #TheSAS2019}}, date = {2019-05-20}, organization = {YouTube}, url = {https://www.youtube.com/watch?v=T5wPwvLrBYU}, language = {English}, urldate = {2020-01-08} } @online{kaspersky:20191029:shadedecryptor:4a5e5f4, author = {Kaspersky}, title = {{ShadeDecryptor tool}}, date = {2019-10-29}, organization = {Kaspersky Labs}, url = {https://support.kaspersky.com/13059}, language = {English}, urldate = {2020-01-09} } @online{kaspersky:20191211:story:d54a08a, author = {Kaspersky}, title = {{Story of the year 2019: Cities under ransomware siege}}, date = {2019-12-11}, organization = {Kaspersky Labs}, url = {https://securelist.com/story-of-the-year-2019-cities-under-ransomware-siege/95456/}, language = {English}, urldate = {2020-01-13} } @online{kaspersky:20200423:look:4e5d7ab, author = {Kaspersky}, title = {{A look at the ATM/PoS malware landscape from 2017-2019}}, date = {2020-04-23}, organization = {Kaspersky Labs}, url = {https://securelist.com/atm-pos-malware-landscape-2017-2019/96750/}, language = {English}, urldate = {2020-04-26} } @online{kasslin:20071101:spam:8c0c4cd, author = {Kimmo Kasslin and Elia Florio}, title = {{Spam from the kernel}}, date = {2007-11-01}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2007/11/spam-kernel}, language = {English}, urldate = {2020-05-04} } @online{kasza:20161025:houdinis:d57d422, author = {Anthony Kasza}, title = {{Houdini’s Magic Reappearance}}, date = {2016-10-25}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-houdinis-magic-reappearance/}, language = {English}, urldate = {2019-11-17} } 
@online{kasza:20161025:houdinis:f8fba8f, author = {Anthony Kasza}, title = {{Houdini’s Magic Reappearance}}, date = {2016-10-25}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2016/10/unit42-houdinis-magic-reappearance/?adbsc=social67221546&adbid=790972447373668352&adbpl=tw&adbpr=4487645412}, language = {English}, urldate = {2019-12-20} } @online{kasza:20170227:gamaredon:322eb5f, author = {Anthony Kasza and Dominik Reichel}, title = {{The Gamaredon Group Toolset Evolution}}, date = {2017-02-27}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/}, language = {English}, urldate = {2019-12-20} } @online{kasza:20170227:gamaredon:3d28d34, author = {Anthony Kasza and Dominik Reichel}, title = {{The Gamaredon Group Toolset Evolution}}, date = {2017-02-27}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution/}, language = {English}, urldate = {2020-01-09} } @online{kasza:20170227:gamaredon:a88c3f8, author = {Anthony Kasza and Dominik Reichel}, title = {{The Gamaredon Group Toolset Evolution}}, date = {2017-02-27}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution}, language = {English}, urldate = {2019-12-20} } @online{kasza:20170407:blockbuster:0e430d3, author = {Anthony Kasza and Micah Yates}, title = {{The Blockbuster Sequel}}, date = {2017-04-07}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/04/unit42-the-blockbuster-sequel/}, language = {English}, urldate = {2019-12-20} } @online{kasza:20170814:blockbuster:79266d5, author = {Anthony Kasza}, title = {{The Blockbuster Saga Continues}}, date = {2017-08-14}, organization = {Palo Alto Networks Unit 42}, url = 
{https://researchcenter.paloaltonetworks.com/2017/08/unit42-blockbuster-saga-continues/}, language = {English}, urldate = {2019-12-20} } @online{kasza:20171120:operation:0bc8efe, author = {Anthony Kasza and Juan Cortes and Micah Yates}, title = {{Operation Blockbuster Goes Mobile}}, date = {2017-11-20}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-operation-blockbuster-goes-mobile/}, language = {English}, urldate = {2019-12-24} } @online{kate:20200119:bayworld:2cc2212, author = {kate}, title = {{BayWorld event, Cyber Attack Against Foreign Trade Industry}}, date = {2020-01-19}, organization = {360}, url = {https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/}, language = {English}, urldate = {2020-02-03} } @online{kate:20200509:clodcore:6e24986, author = {kate}, title = {{ClodCore: A malware family that delivers mining modules through cloud control}}, date = {2020-05-09}, organization = {360 Total Security}, url = {https://blog.360totalsecurity.com/en/clodcore-a-malware-family-that-delivers-mining-modules-through-cloud-control/}, language = {English}, urldate = {2020-05-18} } @online{kate:20200514:vendetta:06e3cde, author = {kate}, title = {{Vendetta - new threat actor from Europe}}, date = {2020-05-14}, organization = {360 Total Security}, url = {https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/}, language = {English}, urldate = {2020-05-18} } @online{kate:20200925:aptc43:15a3501, author = {kate}, title = {{APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries - HpReact campaign}}, date = {2020-09-25}, organization = {360 Total Security}, url = {https://blog.360totalsecurity.com/en/apt-c-43-steals-venezuelan-military-secrets-to-provide-intelligence-support-for-the-reactionaries-hpreact-campaign/}, language = {English}, urldate = {2020-10-02} } @online{kate:20201014:secret:814bae5, author = {kate}, title 
= {{Secret Stealing Trojan Active in Brazil Releases the New Framework SolarSys}}, date = {2020-10-14}, organization = {360 Total Security}, url = {https://blog.360totalsecurity.com/en/secret-stealing-trojan-active-in-brazil-releases-the-new-framework-solarsys/}, language = {English}, urldate = {2020-10-23} } @online{kate:20201120:360:949bcc5, author = {kate}, title = {{360 File-less Attack Protection Intercepts the Banker Trojan BBtok Active in Mexico}}, date = {2020-11-20}, organization = {360}, url = {https://blog.360totalsecurity.com/en/360-file-less-attack-protection-intercepts-the-banker-trojan-bbtok-active-in-mexico/}, language = {English}, urldate = {2020-11-25} } @online{katsuki:20120820:crisis:60cb26b, author = {Takashi Katsuki}, title = {{Crisis for Windows Sneaks onto Virtual Machines}}, date = {2012-08-20}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/crisis-windows-sneaks-virtual-machines}, language = {English}, urldate = {2020-01-10} } @online{katsuki:20121116:malware:9268919, author = {Takashi Katsuki}, title = {{Malware Targeting Windows 8 Uses Google Docs}}, date = {2012-11-16}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/malware-targeting-windows-8-uses-google-docs}, language = {English}, urldate = {2020-01-10} } @online{kawaii:20191022:new:0d66066, author = {Jagaimo Kawaii}, title = {{New PatchWork Spearphishing Attack}}, date = {2019-10-22}, organization = {Lab52}, url = {https://lab52.io/blog/new-patchwork-campaign-against-pakistan/}, language = {English}, urldate = {2020-01-13} } @online{kawaii:20200113:apt27:4c2f818, author = {Jagaimo Kawaii}, title = {{APT27 ZxShell RootKit module updates}}, date = {2020-01-13}, organization = {Lab52}, url = {https://lab52.io/blog/apt27-rootkit-updates/}, language = {English}, urldate = {2020-01-13} } @online{kawaii:20200602:mustang:2cf125a, author = {Jagaimo Kawaii}, title = {{Mustang Panda Recent Activity: Dll-Sideloading trojans with temporal C2 
servers}}, date = {2020-06-02}, organization = {Lab52}, url = {https://lab52.io/blog/mustang-panda-recent-activity-dll-sideloading-trojans-with-temporal-c2-servers/}, language = {English}, urldate = {2020-06-03} } @online{kawaii:20200826:twisted:b91cfb5, author = {Jagaimo Kawaii}, title = {{A twisted malware infection chain}}, date = {2020-08-26}, organization = {Lab52}, url = {https://lab52.io/blog/a-twisted-malware-infection-chain/}, language = {English}, urldate = {2020-08-31} } @online{kayal:20191002:domestic:f400298, author = {Aseel Kayal and Lotem Finkelstein}, title = {{Domestic Kitten: an Iranian surveillance program}}, date = {2019-10-02}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/conference/vb2019/abstracts/domestic-kitten-iranian-surveillance-program}, language = {English}, urldate = {2020-01-09} } @online{kazantsev:20200504:atm:20ca401, author = {Anatoly Kazantsev}, title = {{ATM malware targets Wincor and Diebold ATMs}}, date = {2020-05-04}, organization = {Avira}, url = {https://insights.oem.avira.com/atm-malware-targets-wincor-and-diebold-atms/}, language = {English}, urldate = {2020-05-18} } @online{kb:20170203:zeus:02a798a, author = {Manuel K.-B.}, title = {{Zeus Panda Webinjects: a case study}}, date = {2017-02-03}, url = {https://cyber.wtf/2017/02/03/zeus-panda-webinjects-a-case-study/}, language = {English}, urldate = {2019-11-22} } @online{kb:20170313:zeus:9a4fbcd, author = {Manuel K.-B.}, title = {{Zeus Panda Webinjects: Don’t trust your eyes}}, date = {2017-03-13}, url = {https://cyber.wtf/2017/03/13/zeus-panda-webinjects-dont-trust-your-eyes/}, language = {English}, urldate = {2020-01-13} } @online{keller:20170512:global:2ee68f6, author = {Holger Keller}, title = {{Global WannaCry ransomware outbreak uses known NSA exploits}}, date = {2017-05-12}, organization = {Emsisoft}, url = {http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/}, language = {English}, urldate = {2019-12-10} } 
@techreport{kellermann:20200528:modern:8155ea4, author = {Tom Kellermann and Ryan Murphy}, title = {{Modern Bank Heists 3.0}}, date = {2020-05-28}, institution = {VMWare Carbon Black}, url = {https://cdn.www.carbonblack.com/wp-content/uploads/2020/05/VMWCB-Report-Modern-Bank-Heists-2020.pdf}, language = {English}, urldate = {2020-05-29} } @online{kelly:20141020:orcarat:236c19f, author = {Dan Kelly and Tom Lancaster}, title = {{OrcaRAT - A whale of a tale}}, date = {2014-10-20}, organization = {PWC}, url = {http://pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.html}, language = {English}, urldate = {2019-11-24} } @online{kenefick:20180910:closer:b2e9b2a, author = {Ian Kenefick}, title = {{A Closer Look at the Locky Poser, PyLocky Ransomware}}, date = {2018-09-10}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/a-closer-look-at-the-locky-poser-pylocky-ransomware/}, language = {English}, urldate = {2020-01-13} } @online{kenin:20171219:brickerbot:4cbdce8, author = {Simon Kenin}, title = {{BrickerBot mod_plaintext Analysis}}, date = {2017-12-19}, organization = {Trustwave}, url = {https://www.trustwave.com/Resources/SpiderLabs-Blog/BrickerBot-mod_plaintext-Analysis/}, language = {English}, urldate = {2020-01-08} } @online{kenin:20190314:attacker:807e3e6, author = {Simon Kenin}, title = {{Attacker Tracking Users Seeking Pakistani Passport}}, date = {2019-03-14}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/attacker-tracking-users-seeking-pakistani-passport/}, language = {English}, urldate = {2020-10-02} } @online{kennedy:20191006:go:82e5c38, author = {Joakim Kennedy}, title = {{Go under the hood: Eris Ransomware}}, date = {2019-10-06}, organization = {Playhouse}, url = {https://lekstu.ga/posts/go-under-the-hood-eris/}, language = {English}, urldate = {2020-01-10} } @online{kennedy:20200810:anomali:241a19b, author = {Joakim Kennedy and Rory 
Gould}, title = {{Anomali Threat Research Releases First Public Analysis of Smaug Ransomware as a Service}}, date = {2020-08-10}, organization = {Anomali}, url = {https://www.anomali.com/blog/anomali-threat-research-releases-first-public-analysis-of-smaug-ransomware-as-a-service}, language = {English}, urldate = {2020-09-15} } @online{kennedy:20201202:shadow:76686c6, author = {Corian Kennedy}, title = {{Shadow Academy: Hiding in the shadows of Mabna Institute}}, date = {2020-12-02}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/44eb0802}, language = {English}, urldate = {2020-12-10} } @online{kennedy:20201209:zebra:1c73168, author = {Joakim Kennedy}, title = {{A Zebra in Gopher's Clothing: Russian APT Uses COVID-19 Lures to Deliver Zebrocy}}, date = {2020-12-09}, organization = {Intezer}, url = {https://www.intezer.com/blog/research/russian-apt-uses-covid-19-lures-to-deliver-zebrocy/}, language = {English}, urldate = {2020-12-10} } @online{kent:20161220:backdoorpralice:4bbc640, author = {Nolan Kent}, title = {{Backdoor.Pralice}}, date = {2016-12-20}, organization = {Symantec}, url = {https://www.symantec.com/security-center/writeup/2016-122104-0203-99}, language = {English}, urldate = {2019-07-09} } @online{kerner:20170406:chinese:81730df, author = {Sean Michael Kerner}, title = {{Chinese Nation-State Hackers Target U.S in Operation TradeSecret}}, date = {2017-04-06}, organization = {eWeek}, url = {https://www.eweek.com/security/chinese-nation-state-hackers-target-u.s-in-operation-tradesecret}, language = {English}, urldate = {2020-01-08} } @online{kerr:20180213:stopping:14ebecf, author = {Devon Kerr}, title = {{Stopping Olympic Destroyer: New Process Injection Insights}}, date = {2018-02-13}, organization = {Endgame}, url = {https://www.endgame.com/blog/technical-blog/stopping-olympic-destroyer-new-process-injection-insights}, language = {English}, urldate = {2020-01-08} } @online{kersten:20190216:emotet:7cb0628, author = {Max Kersten}, 
title = {{Emotet droppers}}, date = {2019-02-16}, organization = {Max Kersten's Blog}, url = {https://maxkersten.nl/binary-analysis-course/malware-analysis/emotet-droppers/}, language = {English}, urldate = {2020-01-09} } @online{kersten:20191014:corona:60d807b, author = {Max Kersten}, title = {{Corona DDoS bot}}, date = {2019-10-14}, organization = {Max Kersten's Blog}, url = {https://maxkersten.nl/binary-analysis-course/malware-analysis/corona-ddos-bot/}, language = {English}, urldate = {2020-01-13} } @online{kersten:20200120:ticket:ad7af1c, author = {Max Kersten}, title = {{Ticket resellers infected with a credit card skimmer}}, date = {2020-01-20}, organization = {Max Kersten's Blog}, url = {https://maxkersten.nl/2020/01/20/ticket-resellers-infected-with-a-credit-card-skimmer/}, language = {English}, urldate = {2020-01-27} } @online{kersten:20200217:following:07470c1, author = {Max Kersten}, title = {{Following the tracks of MageCart 12}}, date = {2020-02-17}, organization = {Max Kersten's Blog}, url = {https://maxkersten.nl/2020/02/17/following-the-tracks-of-magecart-12/}, language = {English}, urldate = {2020-02-20} } @online{kersten:20200224:closing:9d39fcf, author = {Max Kersten}, title = {{Closing in on MageCart 12}}, date = {2020-02-24}, organization = {Max Kersten's Blog}, url = {https://maxkersten.nl/2020/02/24/closing-in-on-magecart-12/}, language = {English}, urldate = {2020-02-25} } @online{kersten:20200326:azorult:5d5ee1f, author = {Max Kersten}, title = {{Azorult loader stages}}, date = {2020-03-26}, organization = {Max Kersten's Blog}, url = {https://maxkersten.nl/binary-analysis-course/malware-analysis/azorult-loader-stages/}, language = {English}, urldate = {2020-03-26} } @online{kersten:20200414:emotet:ec18d45, author = {Max Kersten}, title = {{Emotet JavaScript downloader}}, date = {2020-04-14}, url = {https://maxkersten.nl/binary-analysis-course/malware-analysis/emotet-javascript-downloader/}, language = {English}, urldate = {2020-04-14} } 
@online{kersten:20200826:rezer0v4:3bc357a, author = {Max Kersten}, title = {{ReZer0v4 loader}}, date = {2020-08-26}, organization = {Max Kersten's Blog}, url = {https://maxkersten.nl/binary-analysis-course/malware-analysis/rezer0v4-loader/}, language = {English}, urldate = {2020-08-27} } @online{kersten:20200917:automatic:8b19414, author = {Max Kersten}, title = {{Automatic ReZer0 payload and configuration extraction}}, date = {2020-09-17}, organization = {Max Kersten's Blog}, url = {https://maxkersten.nl/binary-analysis-course/analysis-scripts/automatic-rezer0-payload-and-configuration-extraction/}, language = {English}, urldate = {2020-09-18} } @online{keshet:20161109:tricks:c3ab510, author = {Lior Keshet}, title = {{Tricks of the Trade: A Deeper Look Into TrickBot’s Machinations}}, date = {2016-11-09}, url = {https://securityintelligence.com/tricks-of-the-trade-a-deeper-look-into-trickbots-machinations/}, language = {English}, urldate = {2019-10-17} } @online{keshet:20170104:exposing:fd0938e, author = {Lior Keshet}, title = {{Exposing an AV-Disabling Driver Just in Time for Lunch}}, date = {2017-01-04}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/exposing-av-disabling-drivers-just-in-time-for-lunch/}, language = {English}, urldate = {2020-01-10} } @online{keshet:20170110:client:5352952, author = {Lior Keshet and Limor Kessem}, title = {{Client Maximus: New Remote Overlay Malware Highlights Rising Malcode Sophistication in Brazil}}, date = {2017-01-10}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/client-maximus-new-remote-overlay-malware-highlights-rising-malcode-sophistication-in-brazil/}, language = {English}, urldate = {2020-01-07} } @online{kessem:20130807:thieves:f60d69b, author = {Limor Kessem}, title = {{Thieves Reaching for Linux—”Hand of Thief” Trojan Targets Linux #INTH3WILD}}, date = {2013-08-07}, organization = {RSA}, url = 
{https://web.archive.org/web/20130815040638/https://blogs.rsa.com/thieves-reaching-for-linux-hand-of-thief-trojan-targets-linux-inth3wild/}, language = {English}, urldate = {2020-03-02} } @online{kessem:20150812:tinba:250e880, author = {Limor Kessem}, title = {{Tinba Trojan Sets Its Sights on Romania}}, date = {2015-08-12}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/tinba-trojan-sets-its-sights-on-romania/}, language = {English}, urldate = {2020-01-06} } @online{kessem:20150831:shifu:389070d, author = {Limor Kessem and Ilya Kolmanovich and Denis Laskov}, title = {{Shifu: ‘Masterful’ New Banking Trojan Is Attacking 14 Japanese Banks}}, date = {2015-08-31}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/shifu-masterful-new-banking-trojan-is-attacking-14-japanese-banks/}, language = {English}, urldate = {2020-10-23} } @online{kessem:20160414:meet:16351ef, author = {Limor Kessem and Lior Keshet}, title = {{Meet GozNym: The Banking Malware Offspring of Gozi ISFB and Nymaim}}, date = {2016-04-14}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/meet-goznym-the-banking-malware-offspring-of-gozi-isfb-and-nymaim/}, language = {English}, urldate = {2020-01-06} } @online{kessem:20160708:gootkit:ed75518, author = {Limor Kessem}, title = {{GootKit: Bobbing and Weaving to Avoid Prying Eyes}}, date = {2016-07-08}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/gootkit-bobbing-and-weaving-to-avoid-prying-eyes/}, language = {English}, urldate = {2020-01-07} } @online{kessem:20160816:brazil:0bc05a3, author = {Limor Kessem and Denis Laskov and Ziv Eli}, title = {{Brazil Can’t Catch a Break: After Panda Comes the Sphinx}}, date = {2016-08-16}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/brazil-cant-catch-a-break-after-panda-comes-the-sphinx/}, language = {English}, urldate = {2020-01-08} } 
@online{kessem:20160920:meanwhile:7b7a093, author = {Limor Kessem and Hanan Natan and Denis Laskov}, title = {{Meanwhile in Britain, Qadars v3 Hardens Evasion, Targets 18 UK Banks}}, date = {2016-09-20}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/meanwhile-britain-qadars-v3-hardens-evasion-targets-18-uk-banks/}, language = {English}, urldate = {2019-12-17} } @online{kessem:20170126:around:eaefc0c, author = {Limor Kessem}, title = {{Around the World With Zeus Sphinx: From Canada to Australia and Back}}, date = {2017-01-26}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/around-the-world-with-zeus-sphinx-from-canada-to-australia-and-back/}, language = {English}, urldate = {2020-01-07} } @online{kessem:20170328:nukebot:2b33bbb, author = {Limor Kessem and Ilya Kolmanovich}, title = {{The NukeBot Trojan, a Bruised Ego and a Surprising Source Code Leak}}, date = {2017-03-28}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/the-nukebot-trojan-a-bruised-ego-and-a-surprising-source-code-leak/}, language = {English}, urldate = {2020-01-05} } @online{kessem:20170615:zeus:7c4b8e4, author = {Limor Kessem}, title = {{Zeus Sphinx Pushes Empty Configuration Files — What Has the Sphinx Got Cooking?}}, date = {2017-06-15}, url = {https://securityintelligence.com/zeus-sphinx-pushes-empty-configuration-files-what-has-the-sphinx-got-cooking/}, language = {English}, urldate = {2019-12-02} } @online{kessem:20170727:after:10c4ba5, author = {Limor Kessem and Shachar Gritzman}, title = {{After Big Takedown Efforts, 20 More BankBot Mobile Malware Apps Make It Into Google Play}}, date = {2017-07-27}, organization = {Security Intelligence}, url = {https://securityintelligence.com/after-big-takedown-efforts-20-more-bankbot-mobile-malware-apps-make-it-into-google-play/}, language = {English}, urldate = {2019-12-06} } @online{kessem:20171011:trickbot:57ebc20, author = {Limor Kessem}, title = 
{{TrickBot Takes to Latin America, Continues to Expand Its Global Reach}}, date = {2017-10-11}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/trickbot-takes-to-latin-america-continues-to-expand-its-global-reach/}, language = {English}, urldate = {2020-01-08} } @online{kessem:20171113:new:bb937fd, author = {Limor Kessem and Maor Wiesen and Tal Darsan and Tomer Agayev}, title = {{New Banking Trojan IcedID Discovered by IBM X-Force Research}}, date = {2017-11-13}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/}, language = {English}, urldate = {2019-11-27} } @online{kessem:20180822:backswap:73c04f5, author = {Limor Kessem}, title = {{BackSwap Malware Now Targets Six Banks in Spain}}, date = {2018-08-22}, organization = {IBM}, url = {https://securityintelligence.com/backswap-malware-now-targets-six-banks-in-spain/}, language = {English}, urldate = {2019-12-20} } @online{kessem:20180904:camubot:d0c8b12, author = {Limor Kessem and Maor Wiesen}, title = {{CamuBot: New Financial Malware Targets Brazilian Banking Customers}}, date = {2018-09-04}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/camubot-new-financial-malware-targets-brazilian-banking-customers/}, language = {English}, urldate = {2020-01-13} } @online{kessem:20190516:goznym:cb4a177, author = {Limor Kessem}, title = {{GozNym Closure Comes in the Shape of a Europol and DOJ Arrest Operation}}, date = {2019-05-16}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/posts/goznym-closure-comes-in-the-shape-of-a-europol-and-doj-arrest-operation/}, language = {English}, urldate = {2019-12-05} } @online{khandelwal:20200608:red:ff4aae7, author = {Shantanu Khandelwal}, title = {{Red Team: Using SharpChisel to exfil internal network}}, date = {2020-06-08}, organization = {Medium shantanukhande}, url = 
{https://medium.com/@shantanukhande/red-team-using-sharpchisel-to-exfil-internal-network-e1b07ed9b49}, language = {English}, urldate = {2020-08-18} } @online{khanse:20170301:poorly:1107be6, author = {Anand Khanse}, title = {{Poorly coded Lamdelin Lockscreen Ransomware lets you in using Alt+F4}}, date = {2017-03-01}, organization = {The Windows Club}, url = {http://news.thewindowsclub.com/poorly-coded-lamdelin-lockscreen-ransomware-alt-f4-88576/}, language = {English}, urldate = {2019-07-09} } @online{kharouni:20100121:sasfis:8634992, author = {Loucif Kharouni}, title = {{SASFIS Fizzles in the Background}}, date = {2010-01-21}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/sasfis-fizzles-in-the-background/}, language = {English}, urldate = {2019-12-18} } @techreport{kharouni:20141027:operation:1b13f15, author = {Loucif Kharouni and Feike Hacquebord and Numaan Huq and Jim Gogolinski and Fernando Mercês and Alfred Remorin and Douglas Otis}, title = {{Operation Pawn Storm: Using Decoys to Evade Detection}}, date = {2014-10-27}, institution = {Trend Micro}, url = {https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf}, language = {English}, urldate = {2020-09-15} } @techreport{kharouni:201410:operation:f1d1705, author = {Loucif Kharouni and Feike Hacquebord and Numaan Huq and Jim Gogolinski and Fernando Mercês and Alfred Remorin and Douglas Otis}, title = {{Operation Pawn Storm: Using Decoys to Evade Detection}}, date = {2014-10}, institution = {Trend Micro}, url = {http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf}, language = {English}, urldate = {2019-11-28} } @online{khasaia:20170717:wmighost:20b59d3, author = {Lasha Khasaia}, title = {{WMIGhost / Wimmie - WMI malware}}, date = {2017-07-17}, organization = {Secrary Blog}, url = {https://secrary.com/ReversingMalware/WMIGhost/}, language = {English}, 
urldate = {2019-12-24} } @online{khasaia:20180319:reversing:f6a3e7c, author = {Lasha Khasaia}, title = {{Reversing iBank Trojan [Injection Phase]}}, date = {2018-03-19}, organization = {Secrary}, url = {https://secrary.com/ReversingMalware/iBank/}, language = {English}, urldate = {2019-10-29} } @online{khasaia:20180628:brief:d854824, author = {Lasha Khasaia}, title = {{A Brief Overview of the AMMYY RAT Downloader}}, date = {2018-06-28}, organization = {Secrary Blog}, url = {https://secrary.com/ReversingMalware/AMMY_RAT_Downloader/}, language = {English}, urldate = {2020-01-13} } @online{killbit:20201214:applying:75d0dde, author = {killbit}, title = {{Applying the Diamond Model to Cognizant (MSP) vs. Maze Ransomware}}, date = {2020-12-14}, organization = {Medium Killbit}, url = {https://killbit.medium.com/applying-the-diamond-model-to-cognizant-msp-and-maze-ransomware-and-a-policy-assessment-498f01bd723f}, language = {English}, urldate = {2020-12-17} } @online{kim:20180720:cyberattack:ac7f5e4, author = {Jack Kim}, title = {{Cyberattack on Singapore health database steals details of 1.5 million, including PM}}, date = {2018-07-20}, organization = {Reuters}, url = {https://www.reuters.com/article/us-singapore-cyberattack/cyberattack-on-singapore-health-database-steals-details-of-1-5-million-including-pm-idUSKBN1KA14J}, language = {English}, urldate = {2020-01-08} } @techreport{kim:20191004:kimsuky:5780914, author = {Jaeki Kim and Kyoung-ju Kwak and Min-Chang Jang}, title = {{Kimsuky group: tracking the king of the spear-phishing}}, date = {2019-10-04}, institution = {Virus Bulletin}, url = {https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Kim.pdf}, language = {English}, urldate = {2020-09-23} } @online{kim:20200310:kimsuky:f634a21, author = {Jaeki Kim and Kyoung-Ju Kwak (郭炅周) and Min-Chang Jang}, title = {{Kimsuky group: tracking the king of the spear phishing}}, date = {2020-03-10}, organization = {Virus Bulletin}, url = 
{https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-kimsuky-group-tracking-king-spearphishing/}, language = {English}, urldate = {2020-09-23} } @online{kimayong:20180213:new:b8d70e2, author = {Paul Kimayong}, title = {{New Gootkit Banking Trojan variant pushes the limits on evasive behavior}}, date = {2018-02-13}, organization = {Juniper}, url = {https://forums.juniper.net/t5/Security-Now/New-Gootkit-Banking-Trojan-variant-pushes-the-limits-on-evasive/ba-p/319055}, language = {English}, urldate = {2019-12-10} } @online{kimayong:20180521:nukebot:dcd8985, author = {Paul Kimayong}, title = {{Nukebot Banking Trojan targeting people in France}}, date = {2018-05-21}, organization = {Juniper}, url = {https://forums.juniper.net/t5/Threat-Research/Nukebot-Banking-Trojan-targeting-people-in-France/ba-p/326702}, language = {English}, urldate = {2019-11-22} } @online{kimayong:20190926:masad:0f8ea5a, author = {Paul Kimayong}, title = {{Masad Stealer: Exfiltrating using Telegram}}, date = {2019-09-26}, organization = {Juniper}, url = {https://blogs.juniper.net/en-us/threat-research/masad-stealer-exfiltrating-using-telegram}, language = {English}, urldate = {2020-09-03} } @online{kimayong:20200618:covid19:4bb5511, author = {Paul Kimayong}, title = {{COVID-19 and FMLA Campaigns used to install new IcedID banking malware}}, date = {2020-06-18}, organization = {Juniper}, url = {https://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware}, language = {English}, urldate = {2020-06-23} } @online{kimayong:20200812:icedid:b40f8b4, author = {Paul Kimayong}, title = {{IcedID Campaign Strikes Back}}, date = {2020-08-12}, organization = {Juniper}, url = {https://blogs.juniper.net/en-us/threat-research/iceid-campaign-strikes-back}, language = {English}, urldate = {2020-08-27} } @online{kimayong:20201005:new:739309f, author = {Paul Kimayong}, title = {{New pastebin-like service used in multiple malware campaigns}}, date = 
{2020-10-05}, organization = {Juniper}, url = {https://blogs.juniper.net/en-us/threat-research/new-pastebin-like-service-used-in-multiple-malware-campaigns}, language = {English}, urldate = {2020-10-07} } @online{kimberly:20110804:analysis:fcb91de, author = {Kimberly}, title = {{Analysis of ngrBot}}, date = {2011-08-04}, organization = {Stop Malvertising Rootkits}, url = {http://stopmalvertising.com/rootkits/analysis-of-ngrbot.html}, language = {English}, urldate = {2019-12-04} } @online{kimberly:20120420:analysis:6fe646f, author = {Kimberly}, title = {{Analysis of DarkMegi aka NpcDark}}, date = {2012-04-20}, organization = {StopMalvertising}, url = {http://stopmalvertising.com/rootkits/analysis-of-darkmegi-aka-npcdark.html}, language = {English}, urldate = {2020-01-09} } @online{kimberly:20140427:analysis:a034e60, author = {Kimberly}, title = {{Analysis of the Predator Pain Keylogger}}, date = {2014-04-27}, organization = {StopMalvertising}, url = {http://stopmalvertising.com/malware-reports/analysis-of-the-predator-pain-keylogger.html}, language = {English}, urldate = {2019-11-24} } @online{kimberly:20140716:mini:58ac768, author = {Kimberly}, title = {{Mini Analysis of the TinyBanker Tinba}}, date = {2014-07-16}, organization = {StopMalvertising}, url = {http://stopmalvertising.com/malware-reports/mini-analysis-of-the-tinybanker-tinba.html}, language = {English}, urldate = {2020-01-08} } @online{kimberly:20140831:introduction:eb2cc6b, author = {Kimberly}, title = {{Introduction to the ZeroLocker ransomware}}, date = {2014-08-31}, organization = {StopMalvertising}, url = {http://stopmalvertising.com/malware-reports/introduction-to-the-zerolocker-ransomware.html}, language = {English}, urldate = {2020-01-13} } @online{kimberly:20191010:malware:032ed3c, author = {Kimberly}, title = {{Tweet on Malware Sample}}, date = {2019-10-10}, organization = {Twitter (@StopMalvertisin)}, url = {https://twitter.com/StopMalvertisin/status/1182505434231398401}, language = 
{English}, urldate = {2020-01-10} } @online{king:20200212:ryuk:720c14e, author = {Rachel E. King and AC}, title = {{Ryuk Ransomware Technical Analysis}}, date = {2020-02-12}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/blog/vmware-carbon-black-tau-ryuk-ransomware-technical-analysis/}, language = {English}, urldate = {2020-11-19} } @online{kino:20200220:lodeinfo:9842ab1, author = {Kota Kino}, title = {{日本国内の組織を狙ったマルウエアLODEINFO}}, date = {2020-02-20}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/ja/2020/02/LODEINFO.html}, language = {Japanese}, urldate = {2020-02-27} } @online{kino:20200611:lodeinfo:104e43a, author = {Kota Kino}, title = {{マルウエアLODEINFOの進化 (Evolution of Malware LODEINFO)}}, date = {2020-06-11}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/ja/2020/06/LODEINFO-2.html}, language = {Japanese}, urldate = {2020-06-12} } @online{kino:20201210:attack:cd8c552, author = {Kota Kino}, title = {{Attack Activities by Quasar Family}}, date = {2020-12-10}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2020/12/quasar-family.html}, language = {English}, urldate = {2020-12-10} } @online{kipp:20201216:trend:29b2a2d, author = {Jesse Kipp and Malavika Balachandran Tadeusz}, title = {{Trend data on the SolarWinds Orion compromise}}, date = {2020-12-16}, organization = {Cloudflare}, url = {https://blog.cloudflare.com/solarwinds-orion-compromise-trend-data/}, language = {English}, urldate = {2020-12-18} } @online{kirk:20110726:spyeye:a7ad044, author = {Jeremy Kirk}, title = {{SpyEye Trojan defeating online banking defenses}}, date = {2011-07-26}, organization = {Computerworld}, url = {https://www.computerworld.com/article/2509482/spyeye-trojan-defeating-online-banking-defenses.html}, language = {English}, urldate = {2020-01-13} } @online{kirk:20120104:spyeye:3ecb013, author = {Jeremy Kirk}, title = {{SpyEye Malware Borrows Zeus Trick to Mask Fraud}}, date = {2012-01-04}, organization = 
{PCWorld}, url = {https://www.pcworld.com/article/247252/spyeye_malware_borrows_zeus_trick_to_mask_fraud.html}, language = {English}, urldate = {2020-01-08} } @online{kirk:20160221:source:dfeba08, author = {Jeremy Kirk}, title = {{Source code for powerful Android banking malware is leaked}}, date = {2016-02-21}, url = {https://www.pcworld.com/article/3035725/source-code-for-powerful-android-banking-malware-is-leaked.html}, language = {English}, urldate = {2019-10-29} } @techreport{kisa:20201215:operation:3972195, author = {KISA}, title = {{Operation MUZABI}}, date = {2020-12-15}, institution = {KISA}, url = {https://www.boho.or.kr/filedownload.do?attach_file_seq=2652&attach_file_id=EpF2652.pdf}, language = {Korean}, urldate = {2020-12-16} } @online{kivilevich:20201118:zooming:f28a9c1, author = {Victoria Kivilevich}, title = {{Zooming into Darknet Threats Targeting Japanese Organizations}}, date = {2020-11-18}, organization = {KELA}, url = {https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/}, language = {English}, urldate = {2020-11-19} } @online{kivilevich:20201203:easy:bae365d, author = {Victoria Kivilevich}, title = {{Easy Way In? 
5 Ransomware Victims Had Their Pulse Secure VPN Credentials Leaked}}, date = {2020-12-03}, organization = {KELA}, url = {https://ke-la.com/easy-way-in-5-ransomware-victims-had-their-pulse-secure-vpn-credentials-leaked/}, language = {English}, urldate = {2021-01-01} } @online{kivva:20160606:everyone:ee770c6, author = {Anton Kivva}, title = {{Everyone sees not what they want to see}}, date = {2016-06-06}, organization = {Kaspersky Labs}, url = {https://securelist.com/everyone-sees-not-what-they-want-to-see/74997/}, language = {English}, urldate = {2019-12-20} } @online{kiwi:20110428:un:4c39d1d, author = {Gentil Kiwi}, title = {{Un observateur d’événements aveugle…}}, date = {2011-04-28}, url = {http://blog.gentilkiwi.com/securite/un-observateur-evenements-aveugle}, language = {English}, urldate = {2020-01-07} } @online{kiyotaka:20180329:chessmaster:c48e1c0, author = {Tamada Kiyotaka and MingYen Hsieh}, title = {{ChessMaster Adds Updated Tools to Its Arsenal}}, date = {2018-03-29}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-adds-updated-tools-to-its-arsenal/}, language = {English}, urldate = {2020-01-08} } @techreport{kiyotaka:20200117:is:969ff38, author = {Tamada Kiyotaka and Keita Yamazaki and You Nakatsuru}, title = {{Is It Wrong to Try to Find APT Techniques in Ransomware Attack?}}, date = {2020-01-17}, institution = {Secureworks}, url = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf}, language = {English}, urldate = {2020-04-06} } @online{klason:20180809:bokbot:499f316, author = {Alfred Klason}, title = {{Bokbot: The (re)birth of a banker}}, date = {2018-08-09}, organization = {Fox-IT}, url = {https://blog.fox-it.com/2018/08/09/bokbot-the-rebirth-of-a-banker/}, language = {English}, urldate = {2019-12-20} } @online{klein:20120215:merchant:b6f5565, author = {Amit Klein}, title = {{Merchant of Fraud Ret