Category: research

Introduction Few days ago, the CERT-Yoroi bulletin N061118 disclosed a dangerous campaign attacking several Italian users. The attack wave contained some interesting techniques need to look into further, especially regarding the obfuscation used to hide the malicious dropping infrastructure. The Yoroi-Cybaze ZLAB dissected the VBS script embedded into the zip archives delivered to the victims,  […]

Introduction In the past months CERT-Yoroi observed an emerging attack pattern targeting its constituency. These series of malicious email messages shared common techniques may be likely related to a single threat group starting its operation against the Italian cyber panorama. It is still not clear if these attack attempts may be originated by a well […]

Introduction The researchers of the Yoroi-Cybaze ZLab, on 16 November, accessed to a new APT29’s dangerous malware used for the recent attacks against many important US entities, such as military agencies, law enforcement, defense contractors, media companies and pharmaceutical companies.   The Russian group spread the malware through a spear phishing attacks impersonating a State Department […]

Introduction A new variant of the infamous APT28 Lojax (aka Double-Agent) has been discovered by the Yoroi-Cybaze ZLab researchers. It is the latest version of the well-known rootkit Double-Agent, previously analyzed by ESET researchers. The behavior of the Lojax sample seems to be similar to the previous versions and exploits the legitimate “Absolute Lojack” software […]

Background On October 17th we disclosed the “MartyMcFly” Threat (Rif. Analysis) where unknown attackers were targeting Italian naval industries. The analysis was cited by  Kaspersky’s ICS CERT who exposed a wider threat extension across multiple countries such as: Germany, Spain, and India. Thanks to Kaspersky’s extended analysis we decided to harvest more indicators and to […]

Background During the last week Yoroi CERT’s analysts uncovered several attacks targeting the italian naval and defence industry. The attacker used email as known propagation vector in order to infect victims by sending a special crafted xls file. The identified attack properties triggered internal defcon escalation in order to assess the threat magnitude and eventually special […]