TLP TLP TLP CLEAR Author David Deflache, Sebastien Tricaud Summary In early November 2022, a targeted intrusion began via email, delivering an HTML file utilizing HTML smuggling. Previously relying on Excel macros, the threat actor adapted to Microsoft’s macro control updates. Upon opening the HTML, a disguised Adobe page prompted a ZIP download with a…
TLP TLP TLP CLEAR Author David Deflache, Sebastien Tricaud Summary This week, we share data from another attack being exploited. In mid-Autumn 2021, Kaspersky experts uncovered a ShadowPad malware campaign targeting a national telecom company in Pakistan. The attack, presumed to have begun in winter 2021, exploited MS Exchange vulnerability (CVE-2021-26855) to install a Cobalt…
TLP TLP TLP CLEAR Author Jordi M. Lobo Summary Microsoft has uncovered a stealthy and targeted malicious campaign led by Volt Typhoon, a state-sponsored actor from China, with a focus on post-compromise credential access and network system discovery. Their primary targets are critical infrastructure organizations in the United States, including sectors such as communications, manufacturing,…
TLP TLP TLP CLEAR Authors Jordi M. Lobo Summary BlackByte 2.0 Ransomware Abuses Vulnerable Windows Driver to Disable Security Solutions, believed to be an offshoot of the now-discontinued Conti group, is part of the big game cybercrime crews, which zeroes in on large, high-profile targets as part of its ransomware-as-a-service (RaaS) scheme. The forensic analysis…
TLP TLP TLP CLEAR Authors Sebastien Tricaud, David Deflache Summary GoBruteforcer is a newly discovered Golang-based malware that targets web servers running phpMyAdmin, MySQL, FTP, and Postgres services. The malware was found on a legitimate website and utilizes different processor architectures. It deploys an IRC bot for communication with the attacker’s server and uses specific…
TLP TLP TLP CLEAR Author David Deflache Summary This case involves a sophisticated intrusion that occurred over an 11-day period. The threat actors initiated the attack by sending an email with a link to download a password-protected zip file containing an ISO file. Upon extraction, the ISO file mounted as a CD and executed a…
TLP TLP TLP CLEAR Author Jordi Lobo Summary Clop ransomware is a variant of a previously known strain called CryptoMix. In 2019, Clop was delivered as the final payload of a phishing campaign associated with the financially motivated actor TA505. In 2020, Clop has evolved from a ransomware delivered through malicious spam to one being…
End of content
End of content
