Logo
Hamburger Menu Icon
Yoroi Background

Category: research

Dissecting the MuddyWater Infection Chain

Introduction In the last days of November, some Middle East countries have been targeted by a new wave of attacks related to the Iranian APT group known as "MuddyWater": their first campaign was observed back in 2017 and more recently Unit42 researchers reported attacks in the ME area. The MuddyWater’s TTPs seem to be quite invariant […]

Read More

Dissecting the latest Ursnif DHL-Themed Campaign

Introduction In the last weeks, a new variant of the infamous Ursnif malware was discovered hitting Italian users through a malspam campaign. In fact, Yoroi-Cybaze ZLAB isolated several malicious emails having the following content: Subject: “VS Spedizione DHL AWB 94856978972 proveniente dalla GRAN BRETAGNA AVVISO DI GIACENZA” Attachment: “GR930495-30495.zip”  The content of the attachment is a […]

Read More

Dissecting the Mindscrew-Powershell Obfuscation

Introduction Few days ago, the CERT-Yoroi bulletin N061118 disclosed a dangerous campaign attacking several Italian users. The attack wave contained some interesting techniques need to look into further, especially regarding the obfuscation used to hide the malicious dropping infrastructure. The Yoroi-Cybaze ZLAB dissected the VBS script embedded into the zip archives delivered to the victims,  […]

Read More

The SLoad Powershell Threat is Expanding to Italy

Introduction In the past months CERT-Yoroi observed an emerging attack pattern targeting its constituency. These series of malicious email messages shared common techniques may be likely related to a single threat group starting its operation against the Italian cyber panorama. It is still not clear if these attack attempts may be originated by a well […]

Read More

New “Cozy Bear” campaign, old habits

Introduction The researchers of the Yoroi-Cybaze ZLab, on 16 November, accessed to a new APT29’s dangerous malware used for the recent attacks against many important US entities, such as military agencies, law enforcement, defense contractors, media companies and pharmaceutical companies.   The Russian group spread the malware through a spear phishing attacks impersonating a State Department […]

Read More

Hunting for Sofacy: Lojax Double-Agent Analysis

Introduction A new variant of the infamous APT28 Lojax (aka Double-Agent) has been discovered by the Yoroi-Cybaze ZLab researchers. It is the latest version of the well-known rootkit Double-Agent, previously analyzed by ESET researchers. The behavior of the Lojax sample seems to be similar to the previous versions and exploits the legitimate “Absolute Lojack” software […]

Read More

The “MartyMcFly” investigation: anchors-chain case

Background On October 17th we disclosed the “MartyMcFly” Threat (Rif. Analysis) where unknown attackers were targeting Italian naval industries. The analysis was cited by  Kaspersky’s ICS CERT who exposed a wider threat extension across multiple countries such as: Germany, Spain, and India. Thanks to Kaspersky’s extended analysis we decided to harvest more indicators and to […]

Read More

Cyber-Espionage Campaign Targeting the Naval Industry (“MartyMcFly”)

Background During the last week Yoroi CERT’s analysts uncovered several attacks targeting the italian naval and defence industry. The attacker used email as known propagation vector in order to infect victims by sending a special crafted xls file. The identified attack properties triggered internal defcon escalation in order to assess the threat magnitude and eventually special […]

Read More
1 4 5 6
linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram