Skip to content

Blog

ChinaZ Revelations: Revealing ChinaZ Relationships with other Chinese Threat Actor Groups

Introduction Distributed denial-of-service (DDoS) attacks were on the rise in 2018, ranging from a high volume of Mirai attacks to more sophisticated botnets targeting enterprises. An example of these attacks is the one targeting GitHub in February 2018, forcing the website to go offline for approximately 10 minutes. In researching the current DDoS ecosystem we find threat actors from different regions displaying different motivations. Chinese threat actors in particular have predominantly deployed DDoS attacks in their cyber campaigns, and China has emerged as having one of the highest rates of DDoS attacks.

Read more →

January 7, 2019

Muhstik Botnet Reloaded: New Variants Targeting phpMyAdmin Servers

The Muhstik botnet was first exposed by Netlab360 researchers in May 2018. This botnet targeted mainly GPON routers. At Intezer we found that Muhstik is extending its spectrum of compromised devices by targeting web servers hosting phpMyAdmin. PhpMyAdmin is a well known open-source tool written in PHP, intended to handle the administration of MySQL over the web. This tool is fairly popular among web developers due to the convenience of operating a database via a web browser. On the other hand, the use of these type of tools leads the front-end of a server to be publicly exposed, and in particular to phpMyAdmin, with a lack of protection against brute-forcing attempts.

Read more →

November 12, 2018

Paleontology: The Unknown Origins of Lazarus Malware

As seen by security researchers across the world and proven in a joint research by McAfee and Intezer, Lazarus, one of the groups operating from North Korea, has consistently reused code in their malware toolset. There is a common pattern among the code of the malware that researchers and reverse engineers alike find during their analysis. It has already been known that they have used open source projects, like one from CodeProject we documented in another blog post, or open source RATs like Gh0st RAT.

Read more →

October 31, 2018

APT37: Final1stspy Reaping the FreeMilk

Researchers at Palo Alto Networks recently published a report regarding the NOKKI malware, which has shared code with KONNI and, although not in the report by Palo Alto, KimJongRAT (discovered by Paul Rascagnères of Cisco Talos in 2013), and another report on how there is evidence of the NOKKI malware connecting to the North Korean threat actor known as APT37, Reaper, or Group123. The malicious document related to NOKKI, using VBScript, downloads a newly discovered malware named Final1stspy, due to the PDB string inside. As noted by Palo Alto Networks, Final1stspy comes in 2 components, the EXE named “LoadDll” with the sole purpose of loading up a DLL payload, internally named “hadowexecute.” After collecting information about the infected computer, the end result is that the DOGCALL malware, also known as ROKRAT, is downloaded as the final payload, thus being one of the links between NOKKI and APT37.

Read more →

October 3, 2018

Prince of Persia the Sands of Foudre

Introduction In the past couple years, Palo Alto Networks reported on the “Prince of Persia” malware campaign which is believed to be of Iranian origin and ongoing for more than 10 years. The original research, published in 2016, called the malware Infy and their second report, published in 2017, named the upgraded malware Foudre. The name “Foudre” comes from a string in the binary used to check if the computer is already infected. At the time of their blog post, Palo Alto Networks stated the version of Foudre they observed were versions 1 and 2. We have found new evidence of the Prince of Persia campaign active by finding a new version of the Foudre malware, version 8.

Read more →

August 17, 2018

Building Your Bullet Proof Incident Response Plan

Cyber security is constantly evolving, and therefore rife with challenges. Whether hobbyist hackers or state-sponsored threat actors are targeting organizations, internal security operations center (SOC) teams must proactively assemble a robust incident response plan in order to strategically manage and ultimately eradicate attacks. Security teams at even the largest organizations can be overwhelmed by the large number of attacks that need to be investigated. Meanwhile, sensitive information is at risk of being compromised by the proverbial needle in the haystack: malware hiding in plain sight among false positives.

Read more →

March 15, 2018

Yet Another Distraction? A New Version of North Korean Ransomware Hermes Has Emerged

Detecting Reused Ransomware Whether we’re dealing with a criminal threat actor looking to steal money from their victims using ransomware or malware sponsored by a nation state, we can consistently see the reuse of code. In this specific case, we have observed a variant of a well-known ransomware, via a new version of Hermes from what may have originated from a nation state threat actor. According to reports by researchers at McAfee and BAE Systems, a ransomware named Hermes was used as a diversion in an attack involving a bank heist in Taiwan. The ransomware is thought to have originated from the Lazarus group, a threat actor known to be affiliated with North Korea. (You can be read about them in this blog post about the Blockbuster campaign.). Security researcher @demonslay335 tweeted about the existence of a new sample Hermes 2.1, so our team decided to take a deeper look.

Read more →

February 8, 2018

BLOCKBUSTED: Lazarus, Blockbuster, and North Korea

As we have proven in previous research blog posts, malware authors often reuse the same code. This evolution of code and code reuse is seen all throughout the well known Blockbuster campaign and connections between other malware attributed to the Lazarus group, a cyber threat organization attributed to North Korea. You can read about excellent research on Lazarus and the Blockbuster campaign by looking at reports by Novetta, Kaspersky, and Palo Alto. The Lazarus group has been responsible for different campaigns and variations of RATs, Trojans, backdoors, and malware in general. Some of the names given to malware created by Lazarus are FALLCHILL, Destover, Hangman, Volgmer, and Manuscrypt, among others. For someone who has not personally analyzed these different malware families, a lot of the samples associated with each malware could appear to be completely different, but if you examine them at the code level, you can see that these attacks are most likely different components of the same framework that has been pieced together or upgraded.

Read more →

December 12, 2017

Don’t Be Fooled By Malware Signed with Stolen Certificates

Recent research conducted by the Cyber Security Research Institute (CSRI) demonstrates how easy and common it is for threat actors to purchase stolen digital certificates in order to bypass security solutions. In this blog, we will use this research to show how Intezer Analyze™ deals with signed malware files, even if it has a legitimate certificate. Software publishers purchase costly certificates from a trusted certification authority in order to prove their integrity. Many security vendors tend to trust files containing valid digital signatures and automatically classify them as trusted, giving these files a green light to run on machines.

Read more →

December 7, 2017

IcedID Banking Trojan Shares Code with Pony 2.0 Trojan

IBM X-Force recently released an excellent report on a new banking trojan named IcedID that is being distributed using computers already infected with Emotet. We took the MD5 of one of the droppers from the IBM report and extracted the payload. After extracting the payload from one of the droppers listed in the report, using Intezer Analyze™, we have found code reuse from another malware named Pony, written about in a report by Proofpoint.

Read more →

November 13, 2017