Skip to content

Blog

Targeted Phishing Attack against Ukrainian Government Expands to Georgia

In May 2021, Fortinet published a report about the early stages of an ongoing phishing attack against the Ukrainian government. The attack, initially based on the Saint Bot downloader, also targeted Georgia as reported by Malwarebytes. Since June we have seen this threat actor expand its operation with new samples targeting government entities in Georgia. In this report we will cover the new malware samples we found. Method of Infection The attack’s entry point is a spear phishing email referencing government-related topics including veterans, Ukraine’s Anti-Terrorist Operation (ATO), Georgia’s Internally Displaced Persons (IDPs), organizations in Georgia’s private sector and COVID-19. The attack mainly targets government agencies in Ukraine and Georgia.

Read more →

July 14, 2021

Energy Sector and its Suppliers Targeted in Global Phishing Campaign

Our research team has found a sophisticated campaign, active for at least one year, targeting large international companies in the energy, oil & gas, and electronics industries. The attack also targets oil & gas suppliers, possibly indicating that this is only the first stage in a wider campaign. In the event of a successful breach, the attacker could use the compromised email account of the receipt to send spear phishing emails to companies that work with the supplier. Thus using the established reputation of the supplier to go after more targeted entities.

Read more →

July 7, 2021

Klingon RAT Holding on for Dear Life

With more malware written in Golang than ever before, the threat from Go-based Remote Access Trojans (RATs) has never been higher. Not only has the number of Go malware increased but also the sophistication of these threats. This is a technical analysis of an advanced RAT written in Go that we are calling Klingon RAT. The RAT is well-featured and resilient due to its multiple methods of persistence and privilege escalation. It was determined that the RAT is being used by cybercriminals for financial gain. It is important to stay on top of this threat as it will degrade Antivirus security through killing targeted processes and hiding communications through encrypted channels.

Read more →

June 17, 2021

Wrapping Up a Year of Infamous Bazar Campaigns

Bazar is the latest tool developed by the TrickBot gang Common malware used for cybercrime such as Agent Tesla, Dridex and Formbook have been around for at least five years and are still distributed and active. About one year ago, a new malware named Bazar breathed some fresh air into this landscape. Since its first campaign, Bazar has been extremely active and has taken part in large-scale breaches including the nationwide Ryuk ransomware attack on UHS hospitals.

Read more →

May 27, 2021

Why Relying on the Cloud Provider for Security is Not Enough

73% of organizations using the cloud are not sure which parts of security fall under their responsibility. Ultimately, the customer is responsible for security in the cloud, meaning protecting the workloads (applications and code) hosted on top of the virtual resources created in the cloud provider’s platform. Whereas the cloud provider is responsible for the security of the cloud, meaning the physical infrastructure (e.g., data centers, network and server equipment) and for operating that infrastructure (e.g., physical security, power redundancy, connectivity between facilities). The big three cloud providers, Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP), offer various built-in tools and services designed to prevent a wide range of attacks and reduce the attack surface. Yet, breaches still happen. Let’s examine some cases where the security tools provided by the cloud provider were not enough to fully secure the customer’s environment.

Read more →

May 20, 2021

CVE-2021-27075: Microsoft Azure Vulnerability Allows Privilege Escalation and Leak of Private Data

In this post I will explain how the Microsoft Azure Virtual Machine (VM) extension works and how we found a fatal vulnerability in the extension mechanism affecting Azure VM Linux systems. As part of the responsible disclosure policy, we reported the vulnerability to Microsoft Security Response Center (MSRC). They soon patched and assigned it CVE-2021-27075. This vulnerability would have allowed an unprivileged user to leak any Azure VM extension’s private data. Paired with the design of the VMAccess extension, an official Azure extension built for assisting system admins, we will demonstrate how this could have been used to achieve privilege escalation and possibly lateral movement.

Read more →

May 11, 2021

HabitsRAT Used to Target Linux and Windows Servers

We have discovered a new malware written in Go, which we are calling HabitsRAT, targeting both Windows and Linux machines. The Windows version of the malware was first reported on by Brian Krebs and The Shadowserver Foundation in attacks against Microsoft Exchange servers. In addition to this version, we have identified a newer Windows variant and a variant targeting Linux environments. As of this writing, the Linux version is undetected by all Antivirus engines on VirusTotal. We assess that the Linux version is used to target Linux servers in an adjacent campaign to the one reported by The Shadowserver Foundation. The malware allows the attacker to control the compromised machine remotely. To protect themself from being taken over by others, the attacker’s commands are signed by a private key that only the attacker has access to. The malware does not execute commands that are not signed by the correct key, suggesting that the malware has been developed by a sophisticated programmer.

Read more →

April 20, 2021

Rocke Group Actively Targeting the Cloud: Wants Your SSH Keys

New Malware Variant Exploits Production Environment Rocke Group is a Chinese-based threat actor most known for running cryptojacking malware on Linux machines. The group has been active since 2018 and continues to evolve by modifying its tools and techniques to stay evasive. In 2019, we reported that Rocke Group was competing with Pacha Group for cryptomining positioning on Linux-based servers in the cloud. We have found a new malware variant developed by Rocke Group, that infects other machines in the network using saved SSH keys and weak passwords. It also exploits vulnerabilities in popular platforms and services such as Jenkins, Redis and ActiveMQ. Once the victim is infected a Monero cryptominer is executed. Below we present our findings with instructions on how to check if your system has been compromised, as well as how to protect your cloud environments against future Rocke Group attacks.

Read more →

April 6, 2021

New Linux Backdoor RedXOR Likely Operated by Chinese Nation-State Actor

We discovered a new sophisticated backdoor targeting Linux endpoints and servers Based on Tactics, Techniques, and Procedures (TTPs) the backdoor is believed to be developed by Chinese nation-state actors The backdoor masquerades itself as polkit daemon. We named it RedXOR for its network data encoding scheme based on XOR. The malware was compiled on Red Hat Enterprise Linux We provide recommendations for detecting and responding to this threat below Intro 2020 set a record for new Linux malware families. New malware families targeting Linux systems are being discovered on a regular basis. Backdoors attributed to advanced threat actors are disclosed less frequently.

Read more →

March 10, 2021

When Viruses Mutate: Did SunCrypt Ransomware Evolve from QNAPCrypt?

Dov Lerner from Cybersixgill contributed to this report Intro Programmers frequently reuse code, as recycling something that is already written and functional is much more efficient than writing from scratch. Malware authors are no different; functions and modules from one malware can be reused in the next. Because of this, code reuse analysis can connect different malware to the same author. When performing code reuse analysis, it is important to ensure that the code is unique to the specific developer and not common code that, for example, is part of an open-source library since open-source code can be used by many and cannot be tied to a specific author. If this is handled correctly, code reuse is a very powerful method for attributing malware to a specific malware author.

Read more →

March 2, 2021