Category Archives: Cyber Threat Intelligence

Unicredit employees database for sale on cyber-crime forums

On the late afternoon of 19/04/2020, a threat actor posted a new sale on a hacking and cyber-crime forum selling the database of UniCredit employees. UniCredit S.p.A. is an Italian banking and a global financial services company. It is present on 17 countries and has almost 100k employees worldwide. While currently we are not aware how this potential data loss could have occurred, according to the actor post, in the leak there are information about thousand of employees, including emails, phone, encrypted password, last name and first name. We found the database being available on at least two cyber-crime and hacking related forum. The nickname of the user selling it […]

Cybercriminals trojanized orginal SM Covid-19 awareness Android app to target Italy

Cybercriminals trojanized orginal SM Covid-19 awareness Android app to target Italy

In these days of particular sacrifices due to the spread of the COVID-19 pandemic, cyber criminals do not seem to save anyone and on the contrary, taking advantage of the emotional involvement that many people have towards this topic, they have continued and in many cases increased their hostile activities not only against normal users but also towards the health and pharmaceutical research sector. In the late evening of yesterday, within the COVID-19 CTI League, a group of about 400 experts gathered together to combat cyber threats related to the exploit of Covid-19 themed campaigns, a potentially malicious application emerged aimed at Italian users. A few moments later the same […]

APT34 (aka OilRig, aka Helix Kitten) attacks Lebanon government entities with MailDropper implants

APT34 (aka OilRig, aka Helix Kitten) attacks Lebanon government entities with MailDropper implants

Very recently another custom malicious implant that seems to be related to APT34 (aka OilRig) has been uploaded to a major malware analysis platform. Since 2014, year in which FireEye spotted out this hacking group, APT34 is well-known to conduct cyber operations primarily in the Middle East, mainly targeting financial, government, energy, chemical and telecommunications sector. In this case, the threat group probably compromised a Microsoft Exchange account of a sensitive entity related to Lebanese government, and used the mail server as command-and-control of the implant. All the traffic between the compromised machine and the C2 is conveyed through legit email messages, making the implant identification harder. The victim seems […]

Meeting POWERBAND: The APT33 .Net POWERTON variant

Meeting POWERBAND: The APT33 .Net POWERTON variant

// Introduction Since the Islamic revolution, US and regional rivals have put continuos effort in containing and isolating Iran. Implementing a foreign policy generally addressed as “strategic loneliness”, Iran’s defense strategy has been designed to compensate for the country’s low level of conventional capabilities with its activity in asymmetric warfare, and especially in the cyber domain. Indeed, the implementation of the ‘maximum pressure strategy’ by the US has increased the tensions between Washington and Teheran, leading to an all-time low in the history of their relations. The combination of international and economic pressure and of asymmetric warfare is making room for further escalation in the area. Advanced Persistent Threat 33 […]

The Lazarus’ gaze to the world: What is behind the second stone ?

The Lazarus’ gaze to the world: What is behind the second stone ?

// Introduction In a recent blog post (link here) we analysed the first part of an operation likely conducted by APT38/Lazarus, which targeted various organizations, including financial and banking ones. We already described the initial phase of the kill chain where we get to describe the fact that the actor implemented in the operation two different first-stage payloads to be released to the victims on the basis of their system architecture. These payloads are used in order to carry out a first recognition phase. Beyond this, we have already described a first-level backend script used by the threat actor inside a compromised website to manage victims and to release an […]

The Lazarus’ gaze to the world: What is behind the first stone ?

The Lazarus’ gaze to the world: What is behind the first stone ?

// Introduction Lazarus (aka APT38 / Hidden Cobra / Stardust Chollima) is one of the more prolific threat actors in the APT panorama. Since 2009, the group leveraged its capability in order to target and compromise a wide range of targets; Over the time, the main victims have been government and defense institutions, organizations operating in the energy and petrochemical sector in addition to those operating in financial and banking one. The group has also a wide range of tools at its disposal; among these, it’s possible to catalog [D] DoS botnets, first stage implanters, remote access tools (RATs), keyloggers and wipers. This list of malicious tools has over time […]

DeadlyKiss: Hit one to rule them all. Telsy discovered a probable still unknown and untreated APT malware aimed at compromising Internet Service Providers

DeadlyKiss: Hit one to rule them all. Telsy discovered a probable still unknown and untreated APT malware aimed at compromising Internet Service Providers

In the first days of September 2019, Telsy Cyber Threat Intelligence Unit received a variant of a strange and initially mysterious malware from a stream of thousands of samples coming from a partner operating in the telecommunications and internet connectivity sector. Although this sharing had not been accompanied by much information about it, it immediately seemed quite clear that the object under analysis was not something very common to be observed. Indeed, a clear picture emerged that led to the observation of an advanced, rare and extremely evasion-oriented malware, which implements effective layered obfuscation techniques and adopts many solutions dedicated to operate “under the radar”. Finding no publicly known evidence […]

PRIMITIVE BEAR USES A NATO-THEMED LURE DOCUMENT TO TARGET UKRAINIAN GOVERNMENT AND DEFENSE AGENCIES

PRIMITIVE BEAR USES A NATO-THEMED LURE DOCUMENT TO TARGET UKRAINIAN GOVERNMENT AND DEFENSE AGENCIES

Recently we catched a NATO-themed malicious lure document to be likely associated with a new PRIMITIVE BEAR operation conducted against Ukrainian defense and government agencies. According to its metadata, the document is newly created (exactly on 22/07/2019) and aims to replicate an official press release from the Main Directorate of Intelligence of the Ukrainian Ministry of Defense. The press release concerned a meeting between representatives of the Ukrainian Ministry of Information Policy, the Ukrainian Ministry of Foreign Affairs, the Ukrainian National Institute for Strategic Studies, and NATO’s Strategic Communications division. It’s originally entitled “Представники ГУР МО України провели брифінг для експертів зі стратегічних комунікацій країн – членів НАТО” or, translated […]

Unknown threat actor is using Agent Tesla variants against Oil&Gas and Energy Sector

Unknown threat actor is using Agent Tesla variants against Oil&Gas and Energy Sector

On 02/07/2019, Telsy TRT catched a new malware variant belonging to Agent Tesla family addressed to companies operating in the Energy and Oil&Gas sector. Among these organizations, Telsy identifies a very large italian company with a strong international presence, especially in the UAE area. Attack Vector As in many cases we usually observe, the main attack vector used for spreading the malicious payload is email. In this case, we were able to collect some malicious messages sent by threat actor to different targets; these messages are oriented to spoof the identity of what we belive to be a real person involved in engineering field in UAE area. Indeed, we believe […]

Recent “CEO Fraud” campaign is spreading within EU and already made victims. Telsy TRT joined an international collaborative effort for researching and mitigating the threat.

In the first days of May 2019, Telsy TRT joined a collaborative international effort aimed at studying, researching and mitigating a recent malicious campaign carried out by a criminal gang we internally track as #TA-927. Our collaboration has mainly seen, among others, Theo Geurts as an active member of the ICANN community . He has been an essential part of our mitigation efforts. According to Wikipedia, ICANN is the organization responsible for coordinating the maintenance and procedures of several databases related to the namespaces and numerical spaces of the global Internet network. The “CEO Fraud” attempts are not uncommon. Recently, an italian organization has been hit by a similar attack. […]

Utilizzando il sito, accetti l'utilizzo dei cookie da parte nostra. maggiori informazioni

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.

Close