Category: Malware
Leonardo S.p.A. Data Breach Analysis
Published 1 month ago
The ReaQta Threat Intelligence Team identified the malware used in an exfiltration operation against the defence contractor Leonardo S.p.A. The analysis of the malware, which we dubbed Fujinama, highlights its capabilities for data theft and exfiltration while maintaining a reasonably low profile.
Dridex: the secret in a PostMessage()
Published 8 months ago
Dridex is a well-known banking malware that evolves constantly. This time we analyze a new variant that uses an effective technique to bypass security solutions.
ReaQta Launches ReaQta-EON and Hive-Guard
Published 8 months ago
Introducing two new additions to the ReaQta suite of solutions, ReaQta-EON and Hive Guard.
Meet HIVE GUARD: The Anti-Malware Module
Published 8 months ago
ReaQta’s anti-malware module Hive Guard adds pre-execution dynamic emulation, behavioural heuristics and signature-based prevention, combined with a new AI-based analysis module.
Oil and Gas Supply-chain Phishing Campaign
Published 9 months ago
ReaQta has been tracking an extensive and long-running spear-phishing campaign targeting the supply chain of the Oil & Gas industry, most likely for espionage purposes. The campaign started in 2018 and is still running today, with a new wave that began in the first week of May. It is carefully prepared and executed, with attackers taking […]
Attackers are Starting to Exploit Vulnerable Drivers – Are Defenders Ready?
Published 11 months ago
Criminal actors are now using a bug in a legitimate, signed driver to launch RobbinHood, a new type of ransomware that can escape detection because it operates at kernel level. Understanding how RobbinHood works is key to understanding how to stop novel attacks that rely on trusted components.
Ave_Maria Malware: there's more than meets the eye
Published 1 year ago
Introduction AVE_MARIA, a malware used in phishing campaigns and so far identified only as an info-stealer, appears to be more complex and insidious, offering a wide range of capabilities, from privilege escalation to camera exfiltration, RDP connections, email extraction and more. For the past few months we have been monitoring various phishing campaigns delivering AVE_MARIA […]
Silence group targeting Russian Banks via Malicious CHM
Published 2 years ago
In November 2018 we followed up on a tweet mentioning potentially malicious code disseminated as CHM (Microsoft Compiled HTML Help) files. A preliminary analysis caught the attention of our Threat Analysis and Intelligence team as it yielded interesting data that, among other things, shows that the attack campaign was targeting employees of financial entities, specifically […]
Gootkit Campaign Targeting Italian Government Institutions
Published 2 years ago
ReaQta has found evidence of an active Gootkit trojan campaign focused on Italian government institutions. We have been tracking the campaign since the end of November 2018, and so far it has shown a very low detection rate.
Spear-phishing campaign targeting Qatar and Turkey
Published 2 years ago
During our daily threat hunting activities we came across a tweet reporting an active spear-phishing campaign apparently targeting Turkey. After an initial assessment we decided to investigate further, finding similarities with other campaigns active in the recent past and possibly run by the same actors.
Ursnif reloaded: tracing the latest trojan campaigns
Published 2 years ago
On the 9th of October our customers started reporting the same kind of incident over the span of a few hours. The identified activity appears to be linked to the banking Trojan Ursnif, a long-active malware whose roots can be traced back to 2007, together with ZeuS and SpyEye, and which still has strong infection capabilities in […]
Banks and crypto wallets: unveiling a global malware campaign using Zeus/Panda
Published 2 years ago
For the past few weeks our Threat Intelligence team has been following an extensive campaign, possibly operated by a single group, targeting a large number of financial institutions, cryptocurrency wallets and the occasional Google and Apple account. The attackers go after their victims with phishing emails, typo-squatted domains and malicious attachments that eventually lead to the […]
Active Learning as a powerful tool in the Cyber Security arsenal
Published 2 years ago
When datasets are hard to label or highly skewed, Active Learning shows great potential for helping both the algorithms and the analyst make sense of data faster and more efficiently. The promise of AI in cyber security has long been that of helping humans automate and simplify the daunting task of preventing data loss […]
Spear-phishing campaign leveraging on MSXSL
Published 2 years ago
We have identified an ongoing spear-phishing campaign targeting a variety of entities with malicious RTF documents exploiting three different vulnerabilities, CVE-2017-8570, CVE-2017-11882 and CVE-2018-0802, and abusing a trusted Microsoft binary, msxsl.exe, to run a JScript backdoor. The whole attack chain leverages the system’s signed components to stay under the radar as much as possible, and it shares many […]
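msxsl.exe is a legitimate XSLT command-line tool (invoked as `msxsl.exe source stylesheet [options]`) whose stylesheet can carry script, which is why it is attractive to an attacker who wants a signed binary to run their JScript. The following is an added hunting example, not code from the original post or from ReaQta: it scores constructed process-creation events (Sysmon-style `Image`, `ParentImage`, `CommandLine` fields are an assumption about the log format) with three heuristics that are themselves assumptions, not indicators published on the page: an Office or Equation Editor parent, a stylesheet argument without a `.xsl` extension, and a stylesheet stored in a user-writable location.

```python
"""Hunting for msxsl.exe abuse in process-creation events (constructed example)."""
import ntpath

# Assumed heuristics: parents typical of document-borne exploitation, and
# path fragments that indicate a user-writable location on Windows.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "eqnedt32.exe"}
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\", "\\public\\")


def split_args(cmdline: str) -> list:
    """Minimal Windows command-line splitter (honours double quotes only)."""
    args, cur, quoted = [], "", False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch == " " and not quoted:
            if cur:
                args.append(cur)
                cur = ""
        else:
            cur += ch
    if cur:
        args.append(cur)
    return args


def assess(event: dict) -> list:
    """Return the reasons an event looks like msxsl.exe abuse (empty list = nothing suspicious)."""
    image = ntpath.basename(event.get("Image", "")).lower()
    if image != "msxsl.exe":
        return []
    reasons = []
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    if parent in OFFICE_PARENTS:
        reasons.append(f"spawned by {parent}")
    # msxsl.exe <source> <stylesheet> [options]: the stylesheet is the 2nd positional argument
    args = split_args(event.get("CommandLine", ""))[1:]
    positional = [a for a in args if not a.startswith("-")]
    if len(positional) >= 2:
        xsl = positional[1]
        if not xsl.lower().endswith(".xsl"):
            reasons.append(f"stylesheet with non-.xsl name: {xsl}")
        if any(p in xsl.lower() for p in USER_WRITABLE):
            reasons.append(f"stylesheet in user-writable path: {xsl}")
    return reasons


# Constructed events: one malicious-looking chain, one developer using msxsl legitimately, one unrelated.
EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Temp\msxsl.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "CommandLine": r'"C:\Users\alice\AppData\Local\Temp\msxsl.exe" '
                    r"C:\Users\alice\AppData\Local\Temp\a.xml C:\Users\alice\AppData\Local\Temp\a.jpg"},
    {"Image": r"C:\Tools\msxsl.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "msxsl.exe build.xml transform.xsl -o out.html"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe /c dir"},
]


def hunt(events: list) -> list:
    """Return (image, reasons) for every event that trips at least one heuristic."""
    hits = []
    for e in events:
        reasons = assess(e)
        if reasons:
            hits.append((e["Image"], reasons))
    return hits


if __name__ == "__main__":
    for image, reasons in hunt(EVENTS):
        print(image)
        for r in reasons:
            print("  -", r)
```

The extension check is deliberately loose: msxsl.exe does not care what the stylesheet is called, so a `.jpg` or `.txt` stylesheet is a stronger signal than a missing one. Tune the parent list and the path fragments to the environment before using this in production.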
A dive into MuddyWater APT targeting Middle-East
Published 3 years ago
MuddyWater is a threat actor that caught our attention for its extensive use of “Living off the Land” techniques in a targeted campaign aimed at the Middle East. During our investigation we reconstructed the evolution of the vectors used and how the group operates to target its victims, evade detection and move laterally inside the compromised […]
A short journey into DarkVNC attack chain
Published 3 years ago
During an analysis of different remote-desktop trojans we came across an interesting attack chain that uses an RTF exploiting CVE-2017-8759 to deliver DarkVNC, a malicious version of the well-known VNC designed to silently remote-control a victim.
Locky Dropper Now Comes Embedded in the Loader
Published 4 years ago
We have noticed a change of behaviour in the latest spam email campaigns used by Locky. Since its first release Locky took advantage of compromised domains to download the dropper binary, whereas recently the Locky dropper is being delivered embedded in the loader code itself. By tracking these campaigns we have also noticed that Locky’s authors have made […]
Dridex Downloader Tries New Sandbox-Evasion Techniques
Published 4 years ago
Dridex is currently one of the most active and widespread banking malware families. Like the Locky ransomware, Dridex is dispatched through a massive spam campaign that uses the Necurs botnet. Our sensors have long been tracking these spam campaigns, and recently captured emails contain a Word document that drops Dridex. In our latest samples we have observed a delay in the execution of the […]
RAA – An entirely new JS ransomware delivering Pony malware
Published 4 years ago
On the 13th of June, while monitoring Twitter, we observed an interesting tweet that reported a suspicious domain with an open directory listing. Among the listed files we found a zip archive containing a JavaScript file. In this blog post we take a closer look at the JavaScript and show that it has ransomware capabilities, which […]
Nemucod meets a new buddy: PHP
Published 4 years ago
We have already written about the Nemucod downloader when it was paired with 7-Zip; this time we have spotted a new variant in the wild that appears to be a further evolution of previous versions. Before we dig into the analysis, let’s take a quick look at the most recent history of Nemucod:
Uncovering a ransomware distribution operation – Part 2
Published 4 years ago
In Part 1 we analyzed a vast Crypt0L0cker ransomware distribution operation currently affecting continental Europe and ready to jump to new countries. In this second post we analyze in detail the server-side code used to dispatch victims to the correct websites, up to the ransomware itself. We also analyze the ransomware’s behaviour and how […]
Nemucod meets 7-Zip to launch ransomware attacks
Published 4 years ago
Nemucod is a JavaScript downloader used to perform all kinds of nasty stuff; recently a “ransomware” routine has been found in some samples, even if a simple one: an XOR with a predefined 255-byte key. In other instances we have observed the download of a malicious executable responsible for the encryption process. What we will analyze this […]
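A repeating-key XOR is not encryption in any meaningful sense: the same key byte is applied at every offset that is a multiple of 255 apart, so any file whose original content is still available (a copy in a mailbox, a backup, an installer) gives the key back and decrypts everything else. The block below is an added illustration, not code from the original post or from the Nemucod sample: it implements the repeating-key XOR as the page describes it (the key repeats every 255 bytes; the key value itself is a constructed stand-in, not the real one), then shows that file signatures alone pin down only a few key bytes while one fully known file of at least 255 bytes recovers the whole key.

```python
"""Repeating-key XOR as used by the Nemucod 'ransomware' routine, and why it is recoverable."""

KEY_LEN = 255  # the page reports a predefined 255-byte key


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Encrypt or decrypt with a repeating key (XOR is its own inverse)."""
    klen = len(key)
    return bytes(b ^ key[i % klen] for i, b in enumerate(data))


def recover_key(fragments: list, key_len: int = KEY_LEN):
    """Rebuild the key from (ciphertext, known_plaintext, offset) fragments.

    Each known byte pins key[(offset + j) % key_len] = ct[offset + j] ^ pt[j].
    Returns (key, missing): unknown key positions are left as 0x00 and listed in `missing`.
    Contradicting fragments raise, which catches a wrong guess about a file's header.
    """
    key = [None] * key_len
    for ct, pt, off in fragments:
        for j, p in enumerate(pt):
            pos = off + j
            if pos >= len(ct):
                break
            k = ct[pos] ^ p
            idx = pos % key_len
            if key[idx] is None:
                key[idx] = k
            elif key[idx] != k:
                raise ValueError(f"inconsistent key byte at index {idx}")
    missing = sorted(i for i, k in enumerate(key) if k is None)
    return bytes(k if k is not None else 0 for k in key), missing


def demo():
    """Constructed victim files: returns (unknown bytes from headers only, unknown bytes from one known file, decrypt ok)."""
    # Constructed stand-in for the malware's hard-coded key (not the real key).
    key = bytes((i * 73 + 41) & 0xFF for i in range(KEY_LEN))

    pdf = b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >>\n" * 12 + b"%%EOF\n"   # 363 bytes
    png_sig = b"\x89PNG\r\n\x1a\n"
    png = png_sig + bytes(range(256)) * 3
    enc_pdf, enc_png = xor_crypt(pdf, key), xor_crypt(png, key)

    # Known file signatures alone pin only the first few key bytes (offsets 0..8).
    _, missing_headers = recover_key([(enc_pdf, b"%PDF-1.4\n", 0), (enc_png, png_sig, 0)])

    # One file whose full plaintext the victim still has (here: the PDF) recovers the whole key.
    full_key, missing_full = recover_key([(enc_pdf, pdf, 0)])
    decrypt_ok = xor_crypt(enc_png, full_key) == png

    return len(missing_headers), len(missing_full), decrypt_ok


if __name__ == "__main__":
    print(demo())  # (246, 0, True)
```

Even without a fully known file, the gaps close quickly: every known fragment of any affected file (a zip local-header, a PDF `%%EOF` trailer, a run of NUL padding) contributes its offsets, and fragments from different files are combined by the same function.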
Uncovering a ransomware distribution operation – Part 1
Published 4 years ago
Recently we uncovered a ransomware distribution operation targeting European users and carried out via phishing scams. In this post we show how we conducted the research: from the initial infection stage back to the person orchestrating the whole operation. These campaigns are targeting Italy, Denmark and Spain, although we have detected two new campaigns about to start […]
Bandarchor Ransomware Still Active
Published 4 years ago
Bandarchor is a ransomware first identified at the end of 2014 that seemed to almost disappear halfway through 2015. To our surprise we have found it to be still alive and well, and with a very low detection rate: lately we have been receiving requests for help from companies infected by a ransomware that […]
Hydracrypt Ransomware Analysis
Published 5 years ago
On the 2nd of January the Joe Security research team uncovered a new threat dubbed HydraCrypt ransomware. We gave it a quick test run to understand whether our customers are already protected from the threat, and what damage this new ransomware can cause to infected systems. From what we have seen so far, this ransomware appears to be […]
Diving into Chimera Ransomware
Published 5 years ago
Recently the ransomware world provided a couple of surprises: the discovery of CryptoWall 4 in the wild and a new ransomware dubbed Chimera, so far found to be infecting businesses mainly in Germany and threatening to leak personal files if the ransom isn’t paid.
Poweliks File-less Malware Keeps Evolving – Update 1
Published 5 years ago
Poweliks (or rather Kovter) is a well-known and well-studied click-fraud malware that first appeared in early August 2014. It became famous very quickly because it used a persistence mechanism that allowed it to be fileless on disk, taking advantage of the Windows Registry, and because it adopted new […]
Ransomware – A Quick Overview
Published 5 years ago
Ransomware is a type of malicious software (malware) that uses encryption to restrict access to the data on your computer. Once the restriction is in place a ransom is demanded to unblock your data and, if it is paid, the restriction is removed, in theory. In principle ransomware is a simple threat, yet one that has caused a lot […]
Analysis of an Undetected Dridex Sample
Published 5 years ago
On the 4th of August one of our customers reported an infection attempt on one of their machines. In their deployment ReaQta-core is used to augment the security of their signature-based enterprise endpoint protection system, so an infection attempt detected by our solution is a sign that the AV missed the threat. Usually this is either […]