Category Archives: Cyber Threat Intelligence

Operation “Space Race”: reaching the stars through professional Social Networks

Operation “Space Race”: reaching the stars through professional Social Networks

At the beginning of May 2020, Telsy analyzed some social-engineering based attacks against individuals operating in the aerospace and avionics sector performed through the popular professional social network LinkedIn. According to our visibility, the targeted organizations are currently operating within the Italian territory and the targeted individuals are subjects of high professional profile in the aerospace research sector. Adversary used a real-looking LinkedIn virtual identity impersonating an HR (Human Resource) recruiter of a satellite imagery company with which it contacted the targets via internal private messages, inviting them to download an attachment containing information about a fake job vacation. Based on code similarities of analyzed pieces of malware, Telsy asserts, […]

Turla / Venomous Bear updates its arsenal: “NewPass” appears on the APT threat scene

Recently Telsy observed some artifacts related to an attack that occurred in June 2020 that is most likely linked to the popular Russian Advanced Persistent Threat (APT) known as Venomous Bear (aka Turla or Uroburos). At the best of our knowledge, this time the hacking group used a previously unseen implant, that we internally named “NewPass“ as one of the parameters used to send exfiltrated data to the command and control. Telsy suspects this implant has been used to target at least one European Union country in the sector of diplomacy and foreign affairs. NewPass is quite a complex malware composed by different components that rely on an encoded file to […]

Unicredit employees database for sale on cyber-crime forums

On the late afternoon of 19/04/2020, a threat actor posted a new sale on a hacking and cyber-crime forum selling the database of UniCredit employees. UniCredit S.p.A. is an Italian banking and a global financial services company. It is present on 17 countries and has almost 100k employees worldwide. While currently we are not aware how this potential data loss could have occurred, according to the actor post, in the leak there are information about thousand of employees, including emails, phone, encrypted password, last name and first name. We found the database being available on at least two cyber-crime and hacking related forum. The nickname of the user selling it […]

Cybercriminals trojanized orginal SM Covid-19 awareness Android app to target Italy

Cybercriminals trojanized orginal SM Covid-19 awareness Android app to target Italy

In these days of particular sacrifices due to the spread of the COVID-19 pandemic, cyber criminals do not seem to save anyone and on the contrary, taking advantage of the emotional involvement that many people have towards this topic, they have continued and in many cases increased their hostile activities not only against normal users but also towards the health and pharmaceutical research sector. In the late evening of yesterday, within the COVID-19 CTI League, a group of about 400 experts gathered together to combat cyber threats related to the exploit of Covid-19 themed campaigns, a potentially malicious application emerged aimed at Italian users. A few moments later the same […]

APT34 (aka OilRig, aka Helix Kitten) attacks Lebanon government entities with MailDropper implants

APT34 (aka OilRig, aka Helix Kitten) attacks Lebanon government entities with MailDropper implants

Very recently another custom malicious implant that seems to be related to APT34 (aka OilRig) has been uploaded to a major malware analysis platform. Since 2014, year in which FireEye spotted out this hacking group, APT34 is well-known to conduct cyber operations primarily in the Middle East, mainly targeting financial, government, energy, chemical and telecommunications sector. In this case, the threat group probably compromised a Microsoft Exchange account of a sensitive entity related to Lebanese government, and used the mail server as command-and-control of the implant. All the traffic between the compromised machine and the C2 is conveyed through legit email messages, making the implant identification harder. The victim seems […]

Meeting POWERBAND: The APT33 .Net POWERTON variant

Meeting POWERBAND: The APT33 .Net POWERTON variant

// Introduction Since the Islamic revolution, US and regional rivals have put continuos effort in containing and isolating Iran. Implementing a foreign policy generally addressed as “strategic loneliness”, Iran’s defense strategy has been designed to compensate for the country’s low level of conventional capabilities with its activity in asymmetric warfare, and especially in the cyber domain. Indeed, the implementation of the ‘maximum pressure strategy’ by the US has increased the tensions between Washington and Teheran, leading to an all-time low in the history of their relations. The combination of international and economic pressure and of asymmetric warfare is making room for further escalation in the area. Advanced Persistent Threat 33 […]

The Lazarus’ gaze to the world: What is behind the second stone ?

The Lazarus’ gaze to the world: What is behind the second stone ?

// Introduction In a recent blog post (link here) we analysed the first part of an operation likely conducted by APT38/Lazarus, which targeted various organizations, including financial and banking ones. We already described the initial phase of the kill chain where we get to describe the fact that the actor implemented in the operation two different first-stage payloads to be released to the victims on the basis of their system architecture. These payloads are used in order to carry out a first recognition phase. Beyond this, we have already described a first-level backend script used by the threat actor inside a compromised website to manage victims and to release an […]

The Lazarus’ gaze to the world: What is behind the first stone ?

The Lazarus’ gaze to the world: What is behind the first stone ?

// Introduction Lazarus (aka APT38 / Hidden Cobra / Stardust Chollima) is one of the more prolific threat actors in the APT panorama. Since 2009, the group leveraged its capability in order to target and compromise a wide range of targets; Over the time, the main victims have been government and defense institutions, organizations operating in the energy and petrochemical sector in addition to those operating in financial and banking one. The group has also a wide range of tools at its disposal; among these, it’s possible to catalog [D] DoS botnets, first stage implanters, remote access tools (RATs), keyloggers and wipers. This list of malicious tools has over time […]

DeadlyKiss: Hit one to rule them all. Telsy discovered a probable still unknown and untreated APT malware aimed at compromising Internet Service Providers

DeadlyKiss: Hit one to rule them all. Telsy discovered a probable still unknown and untreated APT malware aimed at compromising Internet Service Providers

In the first days of September 2019, Telsy Cyber Threat Intelligence Unit received a variant of a strange and initially mysterious malware from a stream of thousands of samples coming from a partner operating in the telecommunications and internet connectivity sector. Although this sharing had not been accompanied by much information about it, it immediately seemed quite clear that the object under analysis was not something very common to be observed. Indeed, a clear picture emerged that led to the observation of an advanced, rare and extremely evasion-oriented malware, which implements effective layered obfuscation techniques and adopts many solutions dedicated to operate “under the radar”. Finding no publicly known evidence […]

PRIMITIVE BEAR USES A NATO-THEMED LURE DOCUMENT TO TARGET UKRAINIAN GOVERNMENT AND DEFENSE AGENCIES

PRIMITIVE BEAR USES A NATO-THEMED LURE DOCUMENT TO TARGET UKRAINIAN GOVERNMENT AND DEFENSE AGENCIES

Recently we catched a NATO-themed malicious lure document to be likely associated with a new PRIMITIVE BEAR operation conducted against Ukrainian defense and government agencies. According to its metadata, the document is newly created (exactly on 22/07/2019) and aims to replicate an official press release from the Main Directorate of Intelligence of the Ukrainian Ministry of Defense. The press release concerned a meeting between representatives of the Ukrainian Ministry of Information Policy, the Ukrainian Ministry of Foreign Affairs, the Ukrainian National Institute for Strategic Studies, and NATO’s Strategic Communications division. It’s originally entitled “Представники ГУР МО України провели брифінг для експертів зі стратегічних комунікацій країн – членів НАТО” or, translated […]

Utilizzando il sito, accetti l'utilizzo dei cookie da parte nostra. maggiori informazioni

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.

Close