Tag: malware
Innovation in Cyber Intrusions: The Evolution of TA544
12/18/2023
Introduction Innovation is not only an activity performed by companies committed to protecting their perimeter, but also one carried out by threat actors. In fact, while organizations are investing in cybersecurity operations, such as buying or implementing digital defenses, threat actors are implementing new strategies to bypass those protections. An example of this type of innovation […]
Unveiling “Vetta Loader”: A custom loader hitting Italy and spread through infected USB Drives
12/06/2023
In a recent investigation conducted by Yoroi's malware ZLab team, a persistent threat affecting several Italian companies, primarily in the industrial, manufacturing, and digital printing sectors, has been unveiled. The modus operandi of this threat involves the use of infected USB drives, exploiting the heavy reliance on pen-drives for data sharing within these sectors. The identified […]
How an APT technique turns to be a public Red Team Project
09/07/2023
Introduction DLL Sideloading (T1574.002) stands as a remarkably effective technique employed by adversaries to execute their own malicious code while clandestinely leveraging the implicit trust placed in legitimate applications. This report dissects the multifaceted nuances of DLL Sideloading, delving into its mechanics, the prevalence of victim applications, and its reverberating impact on the cybersecurity landscape. […]
Critical vulnerability in MikroTik RouterOS operating systems
07/26/2023
PROTO: 040723 CERT Yoroi wishes to inform you about a zero-day vulnerability in MikroTik RouterOS technology, identified as CVE-2023-30799. MikrotikLS, better known simply by the MikroTik brand, is a Latvian company headquartered in Riga that manufactures networking equipment, in particular routers and wireless devices, and is known in the market for low-cost hardware and […]
Money Ransomware: The Latest Double Extortion Group
04/13/2023
Introduction Ransomware attacks have emerged as a predominant menace in recent years, with the strategies employed by malicious actors constantly evolving. Among the most effective and worrisome tactics is the "double extortion" model, which has rapidly gained popularity as a preferred business model for threat actors. Financially motivated perpetrators particularly favor the double extortion model, […]
DuckTail: Dissecting a complex infection chain started from social engineering
03/29/2023
Introduction It is concerning to learn about the increasing use of social engineering tactics to exploit users on social media platforms. Cybercriminals commonly disguise malware as games, music, software, and other media content to deceive users into downloading and installing malicious software on their devices. One such sophisticated stealer is DuckTail, which was first identified […]
Hunting Cyber Evil Ratels: From the targeted attacks to the widespread usage of Brute Ratel
02/15/2023
Introduction Red team operations are fundamental for achieving an adequate cybersecurity maturity level, so many commercial C2 frameworks were created to help manage security tests. However, the same technologies can also be used by attackers to carry out cyber intrusions. One of the most emblematic examples of this phenomenon is […]
Reconstructing the last activities of Royal Ransomware
11/17/2022
Introduction Royal Ransomware is a new group first spotted by Bleeping Computer last September, when the cybersecurity news site revealed a connection with another malware known as Zeon. At the moment we don't have much information about the group and all of its actual TTPs, but we know that they use the Double Extortion model to […]
Dissecting BlueSky Ransomware Payload
09/30/2022
Introduction BlueSky is a ransomware first spotted in May 2022, and it gained the attention of threat researchers for two main reasons: the first is that the group behind the ransomware does not adopt the double-extortion model; the second is that its targets include even ordinary users, because the ransomware has been discovered […]
On the FootSteps of Hive Ransomware
07/26/2022
Introduction Hive ransomware is one of the most active financially motivated threat actors of this period, adopting the current Double Extortion model. They started their malicious activities in June of last year, and in just a year of activity they collected a large number of victims, demonstrating the capability to hit even critical infrastructure. […]
A deep dive into Eternity Group: A new emerging Cyber Threat
05/18/2022
For months, we at Yoroi Malware ZLab have studied and tracked the evolution of a new emerging cyber-criminal group that has attracted the attention of everyone in the cyber security threat landscape. This threat actor calls itself "Eternity Group", previously "Jester Group", and we internally track it as "TH-320". This threat has also recently been […]
Conti Ransomware source code: a well-designed COTS ransomware
03/08/2022
Introduction Since 27 February 2022, a few days after the Conti gang declared its support for the Russian invasion of Ukrainian national territory, a new mysterious Twitter account has appeared, "@ContiLeaks". Nobody knows for sure who operates it, perhaps a disgruntled Conti gang member, a foreign intelligence service, or a police officer, but it does not matter […]