
Category: research
Dissecting the MuddyWater Infection Chain
12/07/2018
Introduction In the last days of November, some Middle East countries have been targeted by a new wave of attacks related to the Iranian APT group known as "MuddyWater": their first campaign was observed back in 2017 and more recently Unit42 researchers reported attacks in the ME area. The MuddyWater’s TTPs seem to be quite invariant […]
Dissecting the latest Ursnif DHL-Themed Campaign
12/04/2018
Introduction In the last weeks, a new variant of the infamous Ursnif malware was discovered hitting Italian users through a malspam campaign. In fact, Yoroi-Cybaze ZLAB isolated several malicious emails having the following content: Subject: “VS Spedizione DHL AWB 94856978972 proveniente dalla GRAN BRETAGNA AVVISO DI GIACENZA” Attachment: “GR930495-30495.zip” The content of the attachment is a […]
Dissecting the Mindscrew-Powershell Obfuscation
11/29/2018
Introduction Few days ago, the CERT-Yoroi bulletin N061118 disclosed a dangerous campaign attacking several Italian users. The attack wave contained some interesting techniques need to look into further, especially regarding the obfuscation used to hide the malicious dropping infrastructure. The Yoroi-Cybaze ZLAB dissected the VBS script embedded into the zip archives delivered to the victims, […]
The SLoad Powershell Threat is Expanding to Italy
11/27/2018
Introduction In the past months CERT-Yoroi observed an emerging attack pattern targeting its constituency. These series of malicious email messages shared common techniques may be likely related to a single threat group starting its operation against the Italian cyber panorama. It is still not clear if these attack attempts may be originated by a well […]
New “Cozy Bear” campaign, old habits
11/21/2018
Introduction The researchers of the Yoroi-Cybaze ZLab, on 16 November, accessed to a new APT29’s dangerous malware used for the recent attacks against many important US entities, such as military agencies, law enforcement, defense contractors, media companies and pharmaceutical companies. The Russian group spread the malware through a spear phishing attacks impersonating a State Department […]
Hunting for Sofacy: Lojax Double-Agent Analysis
11/16/2018
Introduction A new variant of the infamous APT28 Lojax (aka Double-Agent) has been discovered by the Yoroi-Cybaze ZLab researchers. It is the latest version of the well-known rootkit Double-Agent, previously analyzed by ESET researchers. The behavior of the Lojax sample seems to be similar to the previous versions and exploits the legitimate “Absolute Lojack” software […]
The “MartyMcFly” investigation: anchors-chain case
11/13/2018
Background On October 17th we disclosed the “MartyMcFly” Threat (Rif. Analysis) where unknown attackers were targeting Italian naval industries. The analysis was cited by Kaspersky’s ICS CERT who exposed a wider threat extension across multiple countries such as: Germany, Spain, and India. Thanks to Kaspersky’s extended analysis we decided to harvest more indicators and to […]
Cyber-Espionage Campaign Targeting the Naval Industry (“MartyMcFly”)
10/17/2018
Background During the last week Yoroi CERT’s analysts uncovered several attacks targeting the italian naval and defence industry. The attacker used email as known propagation vector in order to infect victims by sending a special crafted xls file. The identified attack properties triggered internal defcon escalation in order to assess the threat magnitude and eventually special […]