Hamburger Menu Icon
Yoroi Background

Category: research

The Arsenal Behind the Australian Parliament Hack

Introduction In the past days, an infamous cyber attack targeted an high profile target on the APAC area: the Australian Parliament House. As reported by the Australian prime minister there was no evidence of any information theft and the attack has been promptly isolated and contained by the Australian Cyber Security Centre (ACSC), however the […]

Read More

The Long Run of Shade Ransomware

Introduction Between January and February, a new, intense, ransomware campaign have been observed by many security firms. It spreads Shade/Treshold variants, one of the most dangerous threats in the cyber crime scenario, known since its massive infection into the Russian panorama back in 2015, its expansion has been tracked by several CSIRTs and CERTs all […]

Read More

Gootkit: Unveiling the Hidden Link with AZORult

Introduction In the last days a huge attack campaign hit several organizations across the Italian cyberspace, as stated on bulletin N020219 the attack waves tried to impersonate legit communication from a known Express Courier. However, a deeper analysis by Cybaze-Yoroi ZLAB revealed interesting hidden aspects, spotting a connection between the AZORult toolkit and a particular […]

Read More

WhitePaper: Analisi di Collection #1 nel Panorama Cyber Italiano

Introduzione Gli ultimi anni sono stati caratterizzati da incrementi sostanziali sia nel numero di attacchi informatici registrati sia nei volumi di malware prodotti da organizzazioni criminali. Questa evoluzione porta al consolidamento un'economia sommersa basata sulla compravendita di credenziali di ignari utenti, sulla realizzazione di Malware adHoc e sull’affitto di criminali informatici. Tale commercio avviene in […]

Read More

Ursnif: Long Live the Steganography!

Introduction Another wave of Ursnif attacks hits Italy. Ursnif is one of the most active banking trojan. It is also known as GOZI, in fact it is a fork of the original Gozi-ISFB banking Trojan that got its source code leaked in 2014 updating and evolving Gozi features over the years. Also in this variant, […]

Read More

The return of AdvisorsBot

Introduction In the past days, a new particular sample has been analyzed by the researchers of Cybaze- Yoroi ZLab. As usual, the malware looks like a legitimate e-mail attachment, named as “invoice.doc”. Today, weaponized microsoft office documents with macros, are one of the most common and more effective methods to deliver malware, because they also […]

Read More

Sofacy's Zepakab Downloader Spotted In-The-Wild

In the last weeks, the Cybaze-Yoroi ZLAB investigated a new APT28 campaign discovered in January 2019. The sample has been initially identified by an Italian independent security researcher, who warned the InfoSec community and shared the binary for further analysis. Cybaze-Yoroi ZLab researchers analyzed this sample to extract indicators and investigate their presence into the […]

Read More

The Story of Manuel's Java RAT

Introduction During the last weeks, the Cybaze-Yoroi ZLab researchers identified infection attempts aimed to install RAT malware directed to the naval industry sector. The malicious email messages contained a particular Adwind/JRat variant delivered via several methods tailored to lure the target company. In the recent past, similar attack cases hit this industry, such as the […]

Read More

GreyEnergy: Welcome to 2019

Introduction In the first days of January, an interesting malware sample has been disclosed through the InfoSec community: a potential GreyEnergy implant still under investigation. This kind of threat, previously analyzed by third party firms, contains similarities with the infamous BlackEnergy malware, used in the attacks against the Ukrainian energy industry back in 2015. The […]

Read More

The “AVE_MARIA” Malware

The  Cybaze-Yoroi ZLab researchers analyzed phishing attempts spreading in the last days of the past year against an italian organization operating in the Oil&Gas sector. The malicious emails try to impersonate a supplier’s sales office sending invoices and shipping orders confirmations. As usual, the mail conveys malicious Excel files exploiting the popular CVE-2017-11882 vulnerability to […]

Read More

The Enigmatic “Roma225” Campaign

Introduction The Cybaze-Yoroi ZLab researchers investigated a recent espionage malware implant weaponized to target companies in the Italian automotive sector. The malware was spread through well written phishing email trying to impersonate a senior partner of one of the major Brazilian business law firms: “Veirano Advogados”. The malicious email intercepted during the CSDC operations contains […]

Read More

Dissecting the Danabot Payload Targeting Italy

Introduction In the last weeks, a new variant of infamous botnet named Danabot hit Italy. Security firms such as Proofpoint and Eset analyzed other samples of the same threat targeting the Australian landscape back in May 2018 and, more recently, in Italy . The Cybaze-Yoroi ZLab dissected one of these recent Danabot variants spread across […]

Read More
linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram