TLP TLP TLP CLEAR Author David Deflache, Sebastien Tricaud Summary In early November 2022, a targeted intrusion began via email, delivering an HTML file utilizing HTML smuggling. Previously relying on Excel macros, the threat actor adapted to Microsoft’s macro control updates. Upon opening the HTML, a disguised Adobe page prompted a ZIP download with a…
TLP TLP TLP CLEAR Author David Deflache, Sebastien Tricaud Summary This week, we share data from another attack being exploited. In mid-Autumn 2021, Kaspersky experts uncovered a ShadowPad malware campaign targeting a national telecom company in Pakistan. The attack, presumed to have begun in winter 2021, exploited MS Exchange vulnerability (CVE-2021-26855) to install a Cobalt…
TLP TLP TLP CLEAR Author Jordi M. Lobo, David Deflache, Sebastien Tricaud Summary Nokoyawa is a cyber intrusion that began with a malicious Excel document in October 2022. The document triggered macros, leading to the execution of an IcedID DLL payload. The attackers established persistence on the host, deployed Cobalt Strike beacons, escalated privileges, and…
TLP TLP TLP CLEAR Author Jordi M. Lobo Summary The Vice Society ransomware group gained notoriety in late 2022 and early 2023 for launching attacks across various sectors, including San Francisco’s transit system. While education and healthcare were their primary targets, Trend Micro’s data reveals manufacturing industry infiltration in Brazil, Argentina, Switzerland, and Israel. Exploiting…
TLP TLP TLP CLEAR Author Jordi M. Lobo Summary In May 2023, a campaign using the “404 TDS” Traffic Distribution System delivered Truebot via email. Recipients clicking the email link were redirected through multiple URLs, ending in a fake Adobe Acrobat document download that was a Truebot executable. After execution, Truebot copied and renamed, then…
TLP TLP TLP CLEAR Author Sebastien TRICAUD Summary Agent Tesla RAT is a potent remote access trojan designed to infiltrate systems discreetly. Employed by threat actors, it facilitates unauthorized access to compromised systems, enabling data theft, surveillance, and control. Operating since 2014, it is notorious for its keylogging capabilities, recording keystrokes to gather sensitive information…
TLP TLP TLP CLEAR Authors Sebastien Tricaud, David Deflache Summary GoBruteforcer is a newly discovered Golang-based malware that targets web servers running phpMyAdmin, MySQL, FTP, and Postgres services. The malware was found on a legitimate website and utilizes different processor architectures. It deploys an IRC bot for communication with the attacker’s server and uses specific…
TLP TLP TLP CLEAR Author David Deflache Summary This case involves a sophisticated intrusion that occurred over an 11-day period. The threat actors initiated the attack by sending an email with a link to download a password-protected zip file containing an ISO file. Upon extraction, the ISO file mounted as a CD and executed a…
TLP TLP TLP CLEAR Author David Deflache Summary The attack on the Microsoft SQL Server involved a series of sophisticated techniques employed by the adversaries. It began with the initial stage of reconnaissance, where the attackers sought to identify vulnerabilities and potential entry points. They then proceeded to exploit a known vulnerability in the server…
End of content
End of content
