Logo
Hamburger Menu Icon
Yoroi Background

Category: research

Aggah: How to run a botnet without renting a Server (for more than a year)

Introduction During the last year, we constantly kept track of the Aggah campaigns. We started deepening inside the Roma225 Campaign and went on with the RG Campaign, contributing to the joint effort to track the offensive activities of this threat actor. Recently, during our Cyber Defence monitoring operations, we spotted other attack attempts directed to […]

Read More

Unveiling JsOutProx: A New Enterprise Grade Implant

Introduction During our threat intelligence source monitoring operations, we spotted a new sophisticated malware implant that seems to be unrelated to mainstream cyber weapons. In fact, the recovered sample raised many interrogatives into the malware research community due to the extensive  usage of obfuscation anti-reverse techniques, hardening the investigative efforts.  For this reason, we decided […]

Read More

The sLoad Threat: Ten Months Later

Introduction SLoad (TH-163) is the protagonist of increasing and persistent attack waves against the Italian panorama since Q3 2018 and then in 2019 (e.g N020419, N040619, N010819), but also against the UK and Canada as reported by Proofpoint. Ten months ago, we wrote about the complex infection chain the sLoad malware threat was using during […]

Read More

APT or not APT? What's Behind the Aggah Campaign

Introduction During our threat monitoring activities, we discovered an interesting drop chain related to the well-known Aggah campaign, the ambiguous infection chain observed by Unit42 which seemed to deliver payloads potentially associated with the Gorgon Group APT. After that, we discovered other malicious activities using the same TTPs and infrastructures, for instance in “The Enigmatic […]

Read More

Commodity Malware Reborn: The AgentTesla “Total Oil” themed Campaign

Introduction Nowadays the Malware-As-A-Service is one of the criminal favorite ways to breach security perimeter. Agent Tesla is one of these “commodity malware”. It is a fully customizable password info-stealer and many cyber criminals are choosing it as their preferred recognition tool.   During our monitoring operations we discovered an infection-chain designed to deliver this kind […]

Read More

Dissecting the 10k Lines of the new TrickBot Dropper

Introduction TrickBot it is one of the best known Banking Trojan which has been infecting victims since 2016, it is considered a cyber-crime tool. But nowadays defining it a “Banking Trojan” is quite reductive: during the last years its modularity brought the malware to a higher level. In fact it can be considered a sort […]

Read More

JSWorm: The 4th Version of the Infamous Ransomware

Introduction The ransomware attacks have no end. These cyber weapons are supported by a dedicated staff that constantly update and improve the malware in order to make harder detection and decryption. As the popular GandCrab, which was carried on up to version 5 until its shutdown, also other ransomware are continuously supported with the purpose […]

Read More

New GoBrut Version in the Wild

Introduction Back in March we spotted and monitored a new emerging threat which we dubbed as GoBrut botnet. In our previous blog post, we analyzed a Windows version of this bot, arguing about the usage of the GoLang programming language, a modern language able to reach extremely high level of code portability, potentially enabling the […]

Read More

The Evolution of Aggah: From Roma225 to the RG Campaign

Introduction Few months ago we started observing a cyber operation aiming to attack private companies in various business sectors, from automotive to luxury, education, and media/marketing.  The attack attribution is still unclear but the large scale of the malicious activities has also been confirmed by Unit42, who reported attack attempt against government verticals too.  The […]

Read More

Java ATM Malware: The Insider Threat Phantom

Introduction Recently our attention was caught by a really particular malware sample most probably linked to recent cyber criminal operation against the banking sector. This piece of malicious code is a so called "ATM malware": a malicious tool  part of a criminal arsenal able to interact with Automatic Teller Machine. ATM malware are used in […]

Read More

P2P Worm Spreads Crypto-Miners in the Wild

Introduction In the past months we published a white paper exploring the risks that users can encounter when downloading materials from P2P sharing network, such as the Torrent one. We discussed how crooks easily lure their victims to download malware along with the desired content. Recently, our threat monitoring operations pointed us to an interesting […]

Read More

Anti-Debugging Techniques from a Complex Visual Basic Packer

Introduction As we described in our previous post, one of the latest trends for the attackers is to leverage the ISO files in order to reduce detection chances. This technique has also been used by a recent Hawkeye spreading campaign. “Hawkeye Keylogger” is an info-stealing malware for sale in the dark-web. Anyone can  easily subscribe […]

Read More
linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram