Banks and crypto wallets: unveiling a global malware campaign using Zeus/Panda

Posted by admin on 06/Sep/2018

For the past weeks our Threat Intelligence team has been following an enxtesive campaign, possibly operated by the same group, targeting a large amount of financial institutions, cyptocurrency wallets and the occasional Google and Apple accounts. The attackers target their victims both with Phishing emails, typo-squatted domains and malicious attachments that eventually lead to the installation of Zeus/Panda banking malware. The group appears to be active since at least 2015 and it’s most likely related to several campaigns identified by the security community in the past 3 years.
Continue reading “Banks and crypto wallets: unveiling a global malware campaign using Zeus/Panda” →

Active Learning as a powerful tool in the Cyber Security arsenal

Posted by admin on 24/Apr/2018

When datasets are hard to label or highly skewed, Active Learning shows great potential to help both the algorithms and the analyst to make sense of data faster and more efficiently.

The promise of AI in cyber-security has long been that of helping humans to automate and simplify the daunting task of preventing data loss by detecting, tracking and blocking malicious software and intruders. AI is a tremendously powerful tool for such a task but, unlike what happens in other domains, gathering and labelling data to train any kind of engine/classifier is not only expensive but also hard.
Continue reading “Active Learning as a powerful tool in the Cyber Security arsenal” →

Spear-phishing campaign leveraging on MSXSL

Posted by admin on 02/Mar/2018

We have identified an ongoing spear-phishing campaign targeting a variety of entities with malicious RTF documents exploiting three different vulnerabilities: CVE-2017-8570, CVE-2017-11882 and CVE-2018-0802 and taking advantage of a misplaced trust binary, Microsoft’s msxsl, to run a JScript backdoor. The whole attack chain leverages on system’s signed components to remain under the radar as much as possible and it shares many similarities with previous campaigns from the Cobalt Group.
Continue reading “Spear-phishing campaign leveraging on MSXSL” →

From False Positive to True Positive: the story of Mavinject.exe, the Microsoft Injector

Posted by admin on 16/Dec/2017

Mavinject is a legitimate Windows component that can be used, and abused, to perform arbitrary code injections inside any running process. As this is a common component on Windows, it can be leveraged to perform living-off-the-land attacks.
Continue reading “From False Positive to True Positive: the story of Mavinject.exe, the Microsoft Injector” →

A dive into MuddyWater APT targeting Middle-East

Posted by admin on 22/Nov/2017

MuddyWater is a threat actor that caught our attention for their extensive use of “Living off the Land” attacks in a targeted campaign aimed at the Middle East. During our investigation we reconstruct the evolution of the vectors used and how the group operates to target their victims, evade detections and move laterally inside the compromised infrastructures.
Continue reading “A dive into MuddyWater APT targeting Middle-East” →

A short journey into DarkVNC attack chain

Posted by admin on 08/Nov/2017

During an analysis of different remote desktop trojans we came across an interesting attack-chain which leverages an RTF that exploits CVE-2017-8759 to deliver DarkVNC, a malicious version of the well-known VNC, designed to silently remote-control a victim.
Continue reading “A short journey into DarkVNC attack chain” →

Locky Dropper Now Comes Embedded in the Loader

Posted by admin on 28/Jul/2016

We have noticed a change of behaviour in the latest spam email campaigns used by Locky. Since its first release Locky took advantage of compromised domains to download the dropper binary, while recently Locky dropper is being delivered embedded into the loader code itself. By tracking these campaigns we have also noticed that Locky’s authors have made several attempts at embedding the dropper into the loader.

Continue reading “Locky Dropper Now Comes Embedded in the Loader” →

Dridex Downloader Tries New Sandbox-Evasion Techniques

Posted by admin on 20/Jul/2016

Dridex is currently one of the most active and widespread banking malwares. Like Locky ransomware also Dridex is dispatched through a massive spam mail campaign that uses the Necurs botnet. Our sensors have long been tracking these spam campaigns and recent captured emails contain a Word document that drops Dridex. In our latest samples we have observed a delay on execution of the downloader stage that wasn’t present before, we have further investigated to figure out whether Dridex’s authors were experimenting with new, even if basic, anti-sandbox techniques.

Continue reading “Dridex Downloader Tries New Sandbox-Evasion Techniques” →

RAA – An entirely new JS ransomware delivering Pony malware

Posted by admin on 14/Jun/2016

On 13th of June, while monitoring Twitter, we have observed an interesting tweet that reported a suspicious domain with an open directory listing. Among the listed files we found a zip archive containing a javascript. In this blogpost we will take a closer look at the javascript and we will show that it has ransomware capabilities, which we have dubbed RAA ransomware and that additionally delivers a dropping stage for the Pony malware.

Continue reading “RAA – An entirely new JS ransomware delivering Pony malware” →

Blog