Dissecting PlugX to Extract Its Crown Jewels
September 14th, 2022
Backdoor via XFF - Mysterious Threat Actor Under Radar
June 15th, 2022
PlugX is a malware family first spotted in 2008. It is a Remote Access Trojan that has been used by several threat actors and provides them with full control over infected machines. It has continually evolved over time, adding new features and functionalities with each iteration. Hence, it is important to keep following and documenting its transformations.
Currently, it remains one of the most popular tools in the Asian cybercrime community, given its flexibility and long trajectory in the market, and it is still actively used by notorious threat actors such as Mustang Panda, Winnti, Gallium, DragonOK and Earth Berberoka.
Our incident response team caught a strange-looking Webshell activity on a server that was running an internal web application. It raised many questions such as how the malicious code was uploaded to the service if it is not exposed to the public internet and what was the vulnerability which allowed attackers to enter the server.
With assistance from our Red Team, we found that the attackers used a known bypass technique abusing the X-FORWARDED-FOR (XFF) HTTP header to manipulate Cloudflare barriers, escape detection, and access a forbidden service that was supposed to be exposed only to a selected range of IP addresses.
Sockbot in GoLand - Linking APT Actors With Ransomware Gangs
March 9th, 2022
Our incident response team responded to malicious activity in one of our clients' network infrastructures. A compromised Secure Access instance was probing other network devices using SoftPerfect Network Scanner and ADFind. These tools have been used in the past by multiple threat actors, including nation-state-sponsored ones, for discovery purposes. Investigating the malicious activity further, we saw that patient zero had legitimately accessed the network via SSL-VPN, which pointed to a possible credential theft that allowed the attackers to gain access to the instance in question.
Aura Over Rafah, Revealing Hackers Responsible for SMShing
August 25th, 2021
Scams have been spreading rapidly over the wire, as financial gain is around the corner for hackers who go after the weakest link: the victims. SMShing attacks impersonating the Israeli Post Office took shape and targeted Israeli residents on a daily basis. Having received a shoutout from local security researchers and victims, we decided to dive into research that would assist law enforcement in capturing the individuals behind these attacks. The report presents the results of the research we conducted.
Secrets Behind Ever101 Ransomware
June 22nd, 2021
A victim called the incident response teams of Global Threat Center, reporting a seemingly new stream of ransomware attack. Upon investigation, we determined that the extension of the encrypted files was certainly new, but the malware displayed significant similarities with several ransomware families, a combination that made attribution an interesting and difficult riddle. The attack's signature was a Music folder containing an arsenal of tools, which the malware dropped and executed on each of the encrypted machines...
Cuba Ransomware On a Roll
May 5th, 2021
At the end of 2020, our team, made up of SecurityJoes and Profero incident responders, led an investigation into a complex attack in which hundreds of machines were encrypted, knocking the victim company completely offline. The threat actors behind the attack deployed the Cuba ransomware across the corporate network, using a mixture of PowerShell scripts, SystemBC, and Cobalt Strike to propagate it. Cuba Ransomware uses the symmetric ChaCha20 algorithm to encrypt files and the asymmetric RSA algorithm to encrypt the key material. As a result, the files could not be decrypted without the threat actor's private RSA key...
APT27 Turns To Ransomware
January 4th, 2021
At the peak of the COVID-19 pandemic and economic crisis, our Global Incident Response and Cyber Crisis Management teams were engaged on several fronts around the world, fighting cybercrime and even nation-state actors. The following report tells the story of one of these engagements and how, once again, the thin line between nation-states and cybercrime was crossed.