Silence group targeting Russian Banks via Malicious CHM

Posted by admin on 24/Jan/2019

In November 2018 we followed up on a tweet mentioning a potential malicious code disseminated in CHM (Microsoft Compiled HTML Help). A preliminary analysis caught the attention of our Threat Analysis and Intelligence team as it yielded interesting data that, among other things, shows that the attack campaign was targeting employees from financial entities, specifically in the Russian Federation and the Republic of Belarus. We conclude that the actor behind the attack is Silence group, a relatively new threat actor that’s been operating since mid-2016. Continue reading “Silence group targeting Russian Banks via Malicious CHM” →

Gootkit Campaign Targeting Italian Government Institutions

Posted by admin on 14/Dec/2018

ReaQta has found evidence of an active Gootkit trojan campaign with focus on Italian government institutions. We began tracking the campaign since the end of November 2018 and so far it showed a very low detection rate.
Continue reading “Gootkit Campaign Targeting Italian Government Institutions” →

Spear-phishing campaign targeting Qatar and Turkey

Posted by admin on 01/Dec/2018

During our daily threat hunting activities we have come across a tweet reporting an active spear-phishing campaign apparently targeting Turkey. After an initial assessment we decided to investigate further, finding similarities with other campaigns active in the recent past and possibly coming from the same actors.
Continue reading “Spear-phishing campaign targeting Qatar and Turkey” →

Ursnif reloaded: tracing the latest trojan campaigns

Posted by admin on 19/Nov/2018

On the 9^th of October our customers started reporting the same kind of incident over the span of a few hours. The identified activity appears to be linked to the banking Trojan Ursnif, a long active malware, whose roots can be traced back to 2007 together with ZeuS and SpyEye, still with strong infection capabilities in each of its campaigns. The attack vector was a malicious email with a Word document attached.
Continue reading “Ursnif reloaded: tracing the latest trojan campaigns” →

Banks and crypto wallets: unveiling a global malware campaign using Zeus/Panda

Posted by admin on 06/Sep/2018

For the past weeks our Threat Intelligence team has been following an enxtesive campaign, possibly operated by the same group, targeting a large amount of financial institutions, cyptocurrency wallets and the occasional Google and Apple accounts. The attackers target their victims both with Phishing emails, typo-squatted domains and malicious attachments that eventually lead to the installation of Zeus/Panda banking malware. The group appears to be active since at least 2015 and it’s most likely related to several campaigns identified by the security community in the past 3 years.
Continue reading “Banks and crypto wallets: unveiling a global malware campaign using Zeus/Panda” →

Active Learning as a powerful tool in the Cyber Security arsenal

Posted by admin on 24/Apr/2018

When datasets are hard to label or highly skewed, Active Learning shows great potential to help both the algorithms and the analyst to make sense of data faster and more efficiently.

The promise of AI in cyber-security has long been that of helping humans to automate and simplify the daunting task of preventing data loss by detecting, tracking and blocking malicious software and intruders. AI is a tremendously powerful tool for such a task but, unlike what happens in other domains, gathering and labelling data to train any kind of engine/classifier is not only expensive but also hard.
Continue reading “Active Learning as a powerful tool in the Cyber Security arsenal” →

Spear-phishing campaign leveraging on MSXSL

Posted by admin on 02/Mar/2018

We have identified an ongoing spear-phishing campaign targeting a variety of entities with malicious RTF documents exploiting three different vulnerabilities: CVE-2017-8570, CVE-2017-11882 and CVE-2018-0802 and taking advantage of a misplaced trust binary, Microsoft’s msxsl, to run a JScript backdoor. The whole attack chain leverages on system’s signed components to remain under the radar as much as possible and it shares many similarities with previous campaigns from the Cobalt Group.
Continue reading “Spear-phishing campaign leveraging on MSXSL” →

A dive into MuddyWater APT targeting Middle-East

Posted by admin on 22/Nov/2017

MuddyWater is a threat actor that caught our attention for their extensive use of “Living off the Land” attacks in a targeted campaign aimed at the Middle East. During our investigation we reconstruct the evolution of the vectors used and how the group operates to target their victims, evade detections and move laterally inside the compromised infrastructures.
Continue reading “A dive into MuddyWater APT targeting Middle-East” →

A short journey into DarkVNC attack chain

Posted by admin on 08/Nov/2017

During an analysis of different remote desktop trojans we came across an interesting attack-chain which leverages an RTF that exploits CVE-2017-8759 to deliver DarkVNC, a malicious version of the well-known VNC, designed to silently remote-control a victim.
Continue reading “A short journey into DarkVNC attack chain” →

Locky Dropper Now Comes Embedded in the Loader

Posted by admin on 28/Jul/2016

We have noticed a change of behaviour in the latest spam email campaigns used by Locky. Since its first release Locky took advantage of compromised domains to download the dropper binary, while recently Locky dropper is being delivered embedded into the loader code itself. By tracking these campaigns we have also noticed that Locky’s authors have made several attempts at embedding the dropper into the loader.

Continue reading “Locky Dropper Now Comes Embedded in the Loader” →

Category: Malware