
Dissecting PlugX to Extract Its Crown Jewels

September 14th, 2022

PlugX is a malware family first spotted in 2008. It is a Remote Access Trojan that has been used by several threat actors and provides them with full control over infected machines. It has continually evolved over time, adding new features and functionality with each iteration, so it is important to keep following and documenting its transformations.

Currently it remains one of the most popular tools in the Asian cybercrime community, given its flexibility and its trajectory in the market, and it is still actively used by notorious threat actors such as Mustang Panda, Winnti, Gallium, DragonOK and Earth Berberoka.

Backdoor via XFF - Mysterious Threat Actor Under Radar

June 15th, 2022

Our incident response team caught strange-looking webshell activity on a server that was running an internal web application. It raised many questions, such as how the malicious code was uploaded to a service that was not exposed to the public internet, and what vulnerability allowed the attackers to enter the server.

With assistance from our Red Team, we found that the attackers used a known bypass technique abusing the X-FORWARDED-FOR (XFF) HTTP header to manipulate Cloudflare barriers, escape detection, and access a forbidden service that was supposed to be exposed only to selected ranges of IP addresses.

Sockbot in GoLand - Linking APT Actors With Ransomware Gangs

March 9th, 2022

Our incident response team responded to malicious activity in one of our clients' network infrastructures. A compromised Secure Access instance was probing other network devices using SoftPerfect Network Scanner and ADFind. These tools have been used in the past by multiple threat actors, including nation-state sponsored groups, for discovery purposes. Investigating the malicious activity further, we saw that patient zero had legitimately accessed the network via SSL-VPN, which pointed to a possible credential theft that allowed the attackers to gain access to the instance in question.

Aura Over Rafah, Revealing Hackers Responsible for SMShing

August 25th, 2021

Scams have been spreading rapidly over the wire, as financial gain is around the corner for hackers who go after the weakest link: the victims. SMShing attacks impersonating the Israeli Post Office took shape and were targeting Israeli residents on a daily basis. Having received a shout-out from local security researchers and victims, we decided to dive into research that would assist law enforcement in capturing the individuals behind these attacks. The report presents the results of the research we conducted.

Secrets Behind Ever101 Ransomware

June 22nd, 2021

A victim called the incident response teams of the Global Threat Center, reporting a seemingly new strain of ransomware attack. Upon investigation, we determined that the extension of the encrypted files was certainly new, but the malware displayed significant similarities with several ransomware families, a combination that made attribution an interesting and difficult riddle. The attack's signature was a Music folder containing an arsenal of tools, which the malware dropped and executed on each of the encrypted machines...

Cuba Ransomware On a Roll

May 5th, 2021

At the end of 2020, our team, made up of SecurityJoes and Profero incident responders, led an investigation into a complex attack in which hundreds of machines were encrypted, knocking the victim company completely offline. The threat actors behind the attack deployed the Cuba ransomware across the corporate network, using a mixture of PowerShell scripts, SystemBC, and Cobalt Strike to propagate it. Cuba ransomware uses the symmetric ChaCha20 algorithm to encrypt files and the asymmetric RSA algorithm to encrypt the key material. As a result, the files could not be decrypted without the threat actor's private RSA key...

APT27 Turns To Ransomware

January 4th, 2021

At the peak of the COVID-19 pandemic and the accompanying economic crisis, our Global Incident Response and Cyber Crisis Management teams were engaged on several fronts around the world, fighting cybercrime and even nation-state actors. The following report tells the story of one of these engagements and how, once again, the thin line between nation-states and cybercrime was crossed.