Blog
Silence of the Moles
Kaspersky Labs published a technical analysis of a new malware, Silence that is aimed at attacking financial institutions. After uploading the loader of this malware to Intezer Analyze™, we have found a possible connection through code reuse to the loader of another campaign of malware, Mole previously discovered by Unit 42 of Palo Alto Networks. This connection might be an indicator that these two attacks are originated from the same threat actor, but currently it is too early to tell.
November 1, 2017
NotPetya Returns as Bad Rabbit
Large scale cyber attacks seem to be happening once a month these days. Originally discovered by ESET, Ukrainian and Russian organizations have been hit with the latest ransomware attack named Bad Rabbit. At the time of writing this post, the ransomware has believed to have originated from compromised webpages with a fake popup for updating Adobe Flash Player. It has been reported that much of the behavior of Bad Rabbit has been similar to a previous ransomware known as NotPetya.
October 25, 2017
Evidence Aurora Operation Still Active Part 2: More Ties Uncovered Between CCleaner Hack & Chinese Hackers
Since my last post, we have found new evidence in the next stage payloads of the CCleaner supply chain attack that provide a stronger link between this attack and the Axiom group. First of all, our researchers would like to thank the entire team at Cisco Talos for their excellent work on this attack (their post regarding stage 2 can be found here) as well as their cooperation by allowing us access to the stage 2 payload. Also, we would like to give a special thanks to Kaspersky Labs for their collaboration.
October 2, 2017
Evidence Aurora Operation Still Active: Supply Chain Attack Through CCleaner
Recently, there have been a few attacks with a supply chain infection, such as Shadowpad being implanted in many of Netsarang’s products, affecting millions of people. You may have the most up to date cyber security software, but when the software you are trusting to keep you protected gets infected there is a problem. A backdoor, inserted into legitimate code by a third party with malicious intent, leads to millions of people being hacked and their information stolen.
September 20, 2017
New Variants of Agent.BTZ/ComRAT Found: The Threat That Hit The Pentagon In 2008 Still Evolving; Part 2/2
Our previous blog post was a short brief of new Agent.BTZ variants that we found. This second part in the series will demonstrate in greater detail exactly how we discovered these new variants. Methodology To begin, we used our hunting methodology, which consist of four main parts: Collection: Collect multiple samples from different versions. Analysis: Mark functions that have stayed consistent across all versions that are likely to be a part of the next version. Creating a signature: Create a robust yet flexible YARA rule for these functions. Hunting: Search a large repository of files with that YARA rule (VirusTotal, for example). Why focus on Agent.BTZ? We chose to focus on Agent.BTZ for several reasons: First, This is one of the oldest state-sponsored threat, developed and operated by the Turla group since (at least) 2007 for dozens of targeted attacks.
September 13, 2017
New Variants of Agent.BTZ/ComRAT Found: The Threat That Hit The Pentagon In 2008 Still Evolving; Part 1/2
Agent.BTZ–also known as ComRAT–is one of the world’s oldest known state-sponsored threats, mainly known for the 2008 Pentagon breach. Technically speaking, Agent.BTZ is a sophisticated user-mode RAT developed and operated by the Turla group in conjunction with Snake/Uroburos rootkit. In the past few months, we conducted research on Agent.BTZ’s code-base and how it evolved using Intezer Code Intelligence™ technology. Based on our research conclusions, we were able to hunt about a dozen new samples and more than seventy previously unknown live IP & DNS addresses indicating the ongoing abuse of satellite internet providers operating in both Africa & the Middle East.
August 7, 2017
"EternalMiner" Copycats exploiting SambaCry for cryptocurrency mining
About eight weeks ago, a critical RCE vulnerability present in every Samba version since 2010 was reported and patched. This vulnerability is mostly known as “SambaCry” after the famous WannaCry attack targeting Windows systems vulnerable to “EternalBlue” SMB exploit. The vulnerability lies in a logical bug, which enables an attacker with write-only access to a share to load a malicious samba module and execute arbitrary code. Immediately after writing & publishing the first public POC code, I wrote a yara signature for a possible exploit payload and we began monitoring our data feeds for threats exploiting this vulnerability. Over time, we have noticed countless bind/reverse shells and droppers. Most of them are either Metasploit payload or other publicly available implants.
July 26, 2017