“CEO Fraud” campaign spreads in EU: Telsy TRT joined an international collaborative effort to meet the threat.

“CEO Fraud” campaign spreads in EU and has already made victims: Telsy TRT joined an international collaborative effort to research and mitigate the threat.

The threat

In the first days of May 2019, Telsy TRT joined a collaborative international effort aimed at studying, researching and mitigating a recent malicious campaign carried out by a criminal gang we internally track as #TA-927. Our collaboration has mainly involved, among others, Theo Geurts, an active member of the ICANN community, who has been an essential part of our mitigation efforts. According to Wikipedia, ICANN is the organization responsible for coordinating the maintenance and procedures of several databases related to the namespaces and […]

APT34: New leaked tool named Jason is available to the masses

In the afternoon of 03/06, Lab Dookhtegan released a new tool that they report belongs to the hacking arsenal of the APT34 group. This tool appears to be intended for compromising email accounts and consequently exfiltrating data. The archive we obtained is composed of the following files (Archive file for Json data tool). Initial analysis identified two executable files and some others in txt format, likely used for supporting tasks. The file Microsoft.Exchange.WebServices.dll is an official component of the Microsoft Exchange communication suite. We performed a quick AI-powered malware scan, which returned no results for the first component extracted (Telsy internal file classification service results for Microsoft.Exchange.WebServices.dll). The file […]

Turla Skipper over the ocean of cyber operations

In the middle of May 2019, new malware variants identified as part of the Turla suite came to light. Turla, also known as Snake or Uroburos, is one of the most advanced threat actors in the cyber operations landscape. The full malicious set retrieved can be attributed to a campaign started in the second half of 2018 and likely aimed at compromising government entities and high-level diplomatic institutions. The average number of variants found, sometimes in conjunction with low detection rates, as well as the nature of the targeted entities, confirm the “APT” nature of the actor and its ability to remain in the shadows for a long time. It has […]

LightNeuron: Telsy TRT releases its YARA rule to detect this Microsoft Exchange backdoor

A recent APT malware infection, known as LightNeuron, uses the basic functions of Microsoft’s Exchange Server to monitor and control outgoing and incoming communications on mail servers. The threat group that uses it usually targets high-level diplomatic and international relations institutions. In order to assist the security community in fighting and hunting this insidious threat, Telsy TRT has publicly released one of its specific tracking signatures in a dedicated GitHub repo.

LightNeuron YARA rule signature

rule Turla_LNTA_v1 {
    meta:
        description = "Detect Turla LightNeuron Transport Agent"
        author = "Emanuele De Lucia – Telsy SpA – thanks to @TS_WAY_SRL for cooperation"
        tlp = "white"
    strings:
        $x1 = "networkservice\\appdata\\local\\temp\\tmp1197.tmp" fullword wide
        $x2 = "networkservice\\appdata\\local\\temp\\tmp8621.tmp" fullword wide
        $s1 = "BPA.Transport.dll" […]

Unknown threat actor uses compromised website of a Middle East government institution in a campaign referencing commercial and financial themes.

Recently, Telsy TRT detected a wave of malicious documents tied to an unknown threat actor trying to impersonate an official institution of a Middle East government. Moreover, the website of another government institution of the same country appears to have been compromised in order to spread a .NET malicious payload. To protect these government entities, we do not want to share too many details for now, but we will update this post once their incident response operations are completed. In consideration of the moderate level of diffusion of the collected malicious payloads, as well as the limited global requests for DNS resolution of the domain name […]

Threat Hunters vs Red Teamers. A meeting in the cyber space…

Threat hunters vs. Red Teamers is a common struggle in the cyber universe. Recently, a new wave of malicious decoy Microsoft Office documents addressed exclusively to a country in central Europe was intercepted by Telsy TRT. These were collected while landing on a media sector company. Observed TTPs did not lead to any known threat actor, and initially we imagined that a new group was coming out of the shadows… Whoever was operating behind this campaign seemed to use different infection methods to reach execution of its first-stage payload, including the adoption of the “EvilClippy” tool, released during a BlackHat Asia talk (March […]

OceanLotus On ASEAN Affairs

In the last days of March, we discovered OceanLotus activity targeting ASEAN affairs. Telsy TRT captured some malicious macro-armed documents likely targeting ASEAN affairs and meeting members. In fact, telemetry and spreading statistics related to these decoy documents highlight their diffusion in the geographical area of Thailand. According to OSINT information, the 34th ASEAN Meeting will be held in Bangkok, Thailand, in June 2019. Generally, these malicious documents have been designed to induce victims to enable macro code that leads to an in-memory payload injection through layered obfuscation techniques. At the time of analysis, however, the full infection cycle showed a […]

Introducing Our CTI Research Blog

This post introduces the CTI Research Blog of the Telsy Threat Recon Team. Find all updates here! CTI Research Blog: What is Cyber Threat Intelligence? Cyber threat intelligence is information an organization uses to understand the threats that have targeted, will target, or are currently targeting it. This information is used to prepare for, prevent, and identify cyber threats looking to take advantage of valuable resources. We live in a world where cyber threats could bring an organization to its knees, which can be downright terrifying. Threat intelligence helps organizations gain valuable knowledge about these threats, build effective defense mechanisms, and mitigate the risks that could damage their bottom line […]