Dissecting PlugX to Extract Its Crown Jewels

September 14th, 2022

Backdoor via XFF - Mysterious Threat Actor Under Radar

June 15th, 2022

PlugX is a malware family first spotted in 2008. It is a Remote Access Trojan that has been used by several threat actors and provides them with full control over infected machines. It has continually evolved over time, adding new features and functionalities with each iteration. Hence, it is important to keep following and documenting its transformations.

Currently, it remains as one of the most popular tools in the Asian cybercrime community, given its flexibility and trajectory in the market; and it is still actively used by notorious threat actors such as Mustang Panda, Winnti, Gallium, DragonOK and Earth Berberoka. Continue Reading...

Our incident response team caught a strange-looking Webshell activity on a server that was running an internal web application. It raised many questions such as how the malicious code was uploaded to the service if it is not exposed to the public internet and what was the vulnerability which allowed attackers to enter the server.
With assistance from our Red Team, we found that the attackers used a known bypass technique abusing the X-FORWARDED-FOR (XFF) HTTP header to manipulate Cloudflare barriers, escape detection, and access a forbidden service that was supposed to be exposed only to a selected ranges of IP addresses. READ FULL REPORT

Sockbot in GoLand - Linking APT Actors With Ransomware Gangs

March 9th, 2022

Our incident response team had responded to malicious activity in one of our clients'
network infrastructure. A compromised Secure Access instance was probing other network
devices using SoftPerfect Network Scanner and ADFind. These tools have been used in the
past by multiple threat actors, including nation-state sponsored, for discovery reasons.
Investigating further into the malicious activity, we saw that the patient zero legitimately
accessed the network via SSL-VPN, which pointed to a possible credential theft that
allowed attackers to gain access to the instance in question. READ FULL REPORT

Scams have been spreading rapidly over the wire as financial gain is around the corner for hackers who go after the weakest link - victims. SMShing attacks impersonating the Israeli Post Office took shape and were targeting Israeli residents on a daily basis. Having recieved a shoutout from local security researchers and victims, we decided to dive into a research that will assist law enforcements to capture the individuals behind these attacks. In the report you could find the result of the research we conducted - READ FULL REPORT