Category: research

Introduction Royal Ransomware is a new group first spotted on Bleeping Computer last September, where the cybersecurity news site revealed a connection with another malware known as Zeon.   At the moment, we don’t have much information about the group and all its actual TTPs, but we know that they use the Double Extortion model to […]

Introduction Through the internal project called Saguri, we started with the analysis of the Cisco Identity Service Engine - 3.1.0.518-Patch3-22042809, the Cisco ISE is a useful tool in the management of one's own network and not only, it allows the implementation and application in a dynamic and automated way of security and 'management' policies, simplifying […]

Introduction During a security assessment on FusionDirectory version 1.3 two criticalities have been identified.FusionDirectory allows to manage data archived in LDAP directories so, as you might imagine, security problems leading to an exposure of personal and enterprise could have a serious impact on the business. Advisory CVE-2022-36180 - Cross Site Scripting – CWE 79 CVE-2022-36180 […]

Introduction In July 2022 the Yoroi advisory team, in the context of its internal project Saguri, started analysing the Cisco Identity Service En-gine (ver. 3.1.0.518-Patch3-22042809).Cisco ISE is a network management tool which allows definition and implementation of security and management policies, which enable precise controls over who can access the network, what they have access […]

Introduction In July 2022 the Yoroi advisory team, in the context of its internal project Saguri, started analysing the Cisco Identity Service Engine (ver. 3.1.0.518-Patch3-22042809). Cisco ISE is a network management tool which allows definition and implementation of security and management policies, which enable precise controls over who can access the network, what they have […]

Introduction BlueSky is a ransomware firstly spotted in May 2022 and it gained the attention of the threat researchers for two main reasons: the first one is that the group behind the ransomware doesn’t adopt the double-extortion model; the second one is that their targets are even normal users because the ransomware has been discovered […]

Introduction  Hive ransomware is one of the most active financially motivated threat actors of this period, adopting the current Double Extorsion model. They started their malicious activities in June of the past year, and just in a year of activity they collected a big number of victims, demonstrating the capability to hit even critical infrastructures.   […]

For months, we at Yoroi Malware ZLab have studied and tracked the evolution of a new emerging cyber-criminal group which has attracted the attention of everyone inside the cyber security threat landscape. This threat actor calls itself “Eternity Group”, previously “Jester Group”, which we internally tracked it as “TH-320”. This threat has also recently been […]

Introduction  Since 27 February 2022, a few days after the apparition of the Conti’s gang support to the Russian invasion of the Ukrainian national territory, a new mysterious Twitter account appeared, “@ContiLeaks”. Nobody knows for sure who operates it, maybe a reluctant Conti gang member, some foreign intelligence, or police officer, but does not matter […]

Introduction  During the early hours of Thursday 24 February 2022, Russia launched an attack on the country of Ukraine due to the ongoing dispute over its possible inclusion within NATO countries. This event has led to a tense geo-political climate within the eurozone.  All the shared Initial information shows that the attack by Russian troops […]

Introduction  Threat actors' consistency over time represents an indication of effectiveness and experience, resulting in an increasing risk for targeted companies.  The Yoroi Malware ZLAB is tracking the threat actor Aggah (TH-157) since 2019, along with PaloAlto UNIT42, HP and Juniper Networks, and the persistency of its malicious operation over time reveals a structured information stealing infrastructure, a worldwide campaign capable of quickly varying its distribution technique.  We discovered new data theft and reconnaissance operations targeting multiple victims worldwide, including Ukraine, Lithuania, and Italy. The whole campaign impacted hundreds of victims and lasted for two months. CERT Yoroi was able to track the malware […]

Introduction  Contrasting the malware delivery is hard. Cyber attackers evolve their techniques frequently, but a major trend remained constant: Microsoft Office and Excel documents represent the favorite delivery method many cyber criminals use to inoculate malware into private and public companies. This technique is extremely flexible and both opportunistic and APT actors abuse it.  In the last months, we monitored with particular attention several attack waves adopting a new delivery technique: binary libraries directly loaded by Microsoft Excel, just in one click. This emergent delivery technique leverages XLL files, a particular file type containing a Microsoft Excel application ready to be loaded. […]