Additional Insights on Shamoon2

IBM analysts recently unveiled a first look at how threat actors may have placed Shamoon2 malware on systems in Saudi Arabia. Researchers showcased a potential malware lifecycle which started with spear phishing and eventually led to the deployment of the disk-wiping malware known as Shamoon. Their research showcased a set of downloaders and domains that […]

Flokibot Invades PoS: Trouble in Brazil

Curt Wilson

Introduction Threat actors salivate at the thought of an increased volume of credit and debit card transactions flowing through endpoints they have compromised with card-stealing malware. While there are many distinct malware families that scrape unencrypted process memory to obtain cards, some of these malware capabilities overlap with generic information stealing trojans such as Flokibot […]

Non-Government Organization in Support of Government Hopes

Red Team analysis is the process of viewing a situation from the perspective of an adversary thus providing insights beyond those that might otherwise be limited by normative biases. This blog provides an assessment of one company’s foray into the popular APT outing trend in the context of China’s cyber buildup and what that could […]

Dismantling a Nuclear Bot

Dennis Schwarz

A recent tweet mentioned that a new banking malware called “Nuclear Bot” has started to appear for sale on underground marketplaces. Its price starts around $2500 which is more than double the price of another recent entry to the market. This post dismantles a sample of this malware to determine whether we need to take […]

Diving Into Buhtrap Banking Trojan Activity

Curt Wilson

Cyphort recently published an article about the Buhtrap banking trojan [https://www.cyphort.com/banking-malware-buhtrap-caught-action/], targeting users of Russian and Ukrainian banks as reported in March of 2016 by Group-IB [http://www.group-ib.com/brochures/gib-buhtrap-report.pdf]. Cyphort’s insightful article analyzes the compromise chain from the website eurolab[.]ua, directing users via an apparently injected HTML script src attribute to rozhlas[.]site which served exploit code for […]

FlokiBot: A Flock of Bots?

Dennis Schwarz

In early October, Flashpoint released an analysis of an underground forum advertisement for a new malware family known as FlokiBot. It took some time before a sample was found in the wild, but a researcher known as hasherezade flagged one on VirusTotal in early November. She also wrote an analysis of its dropper here. This […]

Flying Dragon Eye: Uyghur Themed Threat Activity

Curt Wilson

DOWNLOAD FULL REPORT HERE DOWNLOAD INDICATORS OF COMPROMISE (IOCs) HERE This paper documents attempted exploitation activity aimed at Uyghur interests outside of China. Exploitation is being attempted via the usual tactic of spear phishing containing malicious attachments to targets. The exploit code attached used for dropping the malware is older – CVE-2012-0158 – and from […]

TrickBot Banker Insights

ASERT team

A new banking trojan, TrickBot, has seemingly risen from the ashes left behind by the November 2015 takedown of Dyreza/Dyre infrastructure and the arrests of threat actors identified by Russian authorities. Dyreza was used to target customers of over 1000 U.S. and U.K. banks and other companies during the peak of operations. Researchers at Threat Geek […]

The Great DGA of Sphinx

Dennis Schwarz

This post takes a quick look at Sphinx’s domain generation algorithm (DGA). Sphinx, another Zeus-based banking trojan variant, has been around circa August 2015. The DGA domains are used as a backup mechanism for when the primary hardcoded command and control (C2) servers go down. It is currently unknown to us as to what version […]

Panda Banker’s Future DGA

Dennis Schwarz

Since we last visited the Panda Bankers at the malware zoo, two new versions have emerged: 2.2.6 and 2.2.7. While sifting through the encrypted strings of the latest version, two interesting ones stood out: dgaconfigs DGA, download “%S”. Tracing the first one through the code does indeed lead to a DGA or a domain generation […]