Detecting BPFDoor Backdoor Variants Abusing BPF Filters

Credit to Author: Fernando Merces| Date: Thu, 13 Jul 2023 00:00:00 +0000

An analysis of advanced persistent threat (APT) group Red Menshen’s different variants of backdoor BPFDoor as it evolves since it was first documented in 2021.

Read more

SeroXen Mechanisms: Exploring Distribution, Risks, and Impact

Credit to Author: Peter Girnus| Date: Tue, 20 Jun 2023 00:00:00 +0000

This is the third installment of a three-part technical analysis of the fully undetectable (FUD) obfuscation engine BatCloak and SeroXen malware. In this entry, we document the techniques used to spread and abuse SeroXen, as well as the security risks, impact, implications of, and insights into highly evasive FUD batch obfuscators.

Read more

SeroXen Incorporates Latest BatCloak Engine Iteration

Credit to Author: Peter Girnus| Date: Thu, 15 Jun 2023 00:00:00 +0000

We looked into the documented behavior of SeroXen malware and noted the inclusion of the latest iteration of the batch obfuscation engine BatCloak to generate a fully undetectable (FUD) .bat loader. This is the second part of a three-part series documenting the abuse of BatCloak’s evasion capabilities and interoperability with other malware.

Read more

Behind the Scenes: Unveiling the Hidden Workings of Earth Preta

Credit to Author: Sunny Lu| Date: Wed, 14 Jun 2023 00:00:00 +0000

This blog entry discusses the more technical details on the most recent tools, techniques, and procedures (TTPs) leveraged by the Earth Preta APT group, and tackles how we were able to correlate different indicators connected to this threat actor.

Read more

Attack on Security Titans: Earth Longzhi Returns With New Tricks

Credit to Author: Ted Lee| Date: Tue, 02 May 2023 00:00:00 +0000

After months of dormancy, Earth Longzhi, a subgroup of advanced persistent threat (APT) group APT41, has reemerged using new techniques in its infection routine. This blog entry forewarns readers of Earth Longzhi’s resilience as a noteworthy threat.

Read more

Pack it Secretly: Earth Preta’s Updated Stealthy Strategies

Credit to Author: Vickie Su| Date: Thu, 23 Mar 2023 00:00:00 +0000

After months of investigation, we found that several undisclosed malware and interesting tools used for exfiltration purposes were being used by Earth Preta. We also observed that the threat actors were actively changing their tools, tactics, and procedures (TTPs) to bypass security solutions. In this blog entry, we will introduce and analyze the other tools and malware used by the threat actor.

Read more

Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting

Credit to Author: Daniel Lunghi| Date: Wed, 01 Mar 2023 00:00:00 +0000

We detail the update that advanced persistent threat (APT) group Iron Tiger made on the custom malware family SysUpdate. In this version, we also found components that enable the malware to compromise Linux systems.

Read more

Earth Kitsune Delivers New WhiskerSpy Backdoor via Watering Hole Attack

Credit to Author: Joseph C Chen| Date: Fri, 17 Feb 2023 00:00:00 +0000

We discovered a new backdoor which we have attributed to the advanced persistent threat actor known as Earth Kitsune, which we have covered before. Since 2019, Earth Kitsune has been distributing variants of self-developed backdoors to targets, primarily individuals who are interested in North Korea.

Read more

Invitation to a Secret Event: Uncovering Earth Yako’s Campaigns

Credit to Author: Hara Hiroaki| Date: Thu, 16 Feb 2023 00:00:00 +0000

We detail the intrusion set Earth Yako, attributed to the campaign Operation RestyLink or EneLink. This analysis was presented in full at the JSAC 2023 in January 2023.

Read more

New APT34 Malware Targets The Middle East

Credit to Author: Mohamed Fahmy| Date: Thu, 02 Feb 2023 00:00:00 +0000

We analyze an infection campaign targeting organizations in the Middle East for cyberespionage in December 2022 using a new backdoor malware. The campaign abuses legitimate but compromised email accounts to send stolen data to external mail accounts controlled by the attackers.

Read more