Credit to Author: Sherif Magdy| Date: Tue, 11 Jul 2023 00:00:00 +0000
In this entry, we discuss the findings of our investigation into a piece of a signed rootkit, whose main binary functions as a universal loader that enables attackers to directly load a second-stage unsigned kernel module.
Read moreCredit to Author: Lucas Silva| Date: Fri, 30 Jun 2023 00:00:00 +0000
We found that malicious actors used malvertising to distribute malware via cloned webpages of legitimate organizations. The distribution involved a webpage of the well-known application WinSCP, an open-source Windows application for file transfer. We were able to identify that this activity led to a BlackCat (aka ALPHV) infection, and actors also used SpyBoy, a terminator that tampers with protection provided by agents.
Read moreCredit to Author: Arianne Dela Cruz| Date: Fri, 23 Jun 2023 00:00:00 +0000
The Trigona ransomware is a relatively new ransomware family that began activities around late October 2022 — although samples of it existed as early as June 2022. Since then, Trigona’s operators have remained highly active, and in fact have been continuously updating their ransomware binaries.
Read moreCredit to Author: David Fiser| Date: Wed, 21 Jun 2023 00:00:00 +0000
In this blog post, we discuss different configuration scenarios that may lead to security issues with Azure Service Fabric, a distributed platform for deploying, managing, and scaling microservices and container applications.
Read moreCredit to Author: Sunny Lu| Date: Wed, 14 Jun 2023 00:00:00 +0000
This blog entry discusses the more technical details on the most recent tools, techniques, and procedures (TTPs) leveraged by the Earth Preta APT group, and tackles how we were able to correlate different indicators connected to this threat actor.
Read moreCredit to Author: Cedric Pernet| Date: Tue, 06 Jun 2023 00:00:00 +0000
We have been able to uncover a massive cryptocurrency scam involving more than a thousand websites handled by different affiliates linked to a program called Impulse Project, run by a threat actor named Impulse Team.
Read moreCredit to Author: Earle Maui Earnshaw| Date: Tue, 06 Jun 2023 00:00:00 +0000
This blog talks about the latest TargetCompany ransomware variant, Xollam, and the new initial access technique it uses. We also investigate previous variants’ behaviors and the ransomware family’s extortion scheme.
Read moreCredit to Author: Katherine Casona| Date: Wed, 31 May 2023 00:00:00 +0000
In this blog entry, we analyze BlackSuit ransomware and how it compares to Royal Ransomware.
Read moreCredit to Author: Feike Hacquebord| Date: Tue, 30 May 2023 00:00:00 +0000
Void Rabisu, a malicious actor believed to be associated with the RomCom backdoor, was thought to be driven by financial gain because of its ransomware attacks. But in this blog entry, we discuss how the use of the RomCom backdoor in recent attacks shows how Void Rabisu’s motives seem to have changed since at least October 2022.
Read moreCredit to Author: Joey Costoya| Date: Thu, 25 May 2023 00:00:00 +0000
This blog entry features three case studies that show how malicious actors evade the antispam, antibot, and antiabuse measures of online web services via residential proxies and CAPTCHA-breaking services.
Read more