Category Archives: Cyber Threat Intelligence

Meeting POWERBAND: The APT33 .Net POWERTON variant

// APT 33.Net POWERBAND variant: Introduction Since the Islamic revolution, the US and regional rivals have put continuous effort into containing and isolating Iran. Implementing a foreign policy generally referred to as “strategic loneliness”, Iran’s defense strategy has been designed to compensate for the country’s low level of conventional capabilities with its activity in asymmetric warfare, and especially in the cyber domain. Then, let’s meet the APT33.Net POWERTON variant! Indeed, the implementation of the ‘maximum pressure strategy’ by the US has increased the tensions between Washington and Teheran, leading to an all-time low in the history of their relations. The combination of international and economic pressure and of asymmetric warfare is making […]

Tamper detection technologies: it takes a thief to catch a thief

Tamper detection technologies are already present in our everyday life, even when we are not aware that they can be called by that name. Tamper detection and tamper evidence methods are already in use in many common situations. They provide proof of unauthorized access to the inner components of a device (i.e. it can void the warranty) or even just of a luxury good in department stores. We speak about tamper evidence when the goal is to reveal the unauthorized access upon examination by a human, and about tamper detection when we implement some sort of automatic action in response to the event. At baseline, tamper evidence and detection methods detect […]

The Lazarus’ gaze to the world: What is behind the second stone ?

// Introduction Today we explore “the Lazarus’ gaze to the world.” In a recent blog post (link here) we analysed the first part of an operation likely conducted by APT38/Lazarus, which targeted various organizations, including financial and banking ones. We already described the initial phase of the kill chain, in which the actor deployed two different first-stage payloads, released to the victims on the basis of their system architecture. These payloads are used to carry out a first reconnaissance phase. Beyond this, we have already described a first-level backend script used by the threat actor inside a […]

The Lazarus’ gaze to the world: What is behind the first stone ?

// Introduction: The Lazarus’ gaze Lazarus (aka APT38 / Hidden Cobra / Stardust Chollima) is one of the more prolific threat actors in the APT panorama. Since 2009, the group has leveraged its capabilities to target and compromise a wide range of victims; over time, the main victims have been government and defense institutions, organizations operating in the energy and petrochemical sector, and those operating in the financial and banking sector. Let’s explore the Lazarus’ gaze, then. The group also has a wide range of tools at its disposal; among these, it’s possible to catalog (D)DoS botnets, first stage implanters, remote access tools (RATs), keyloggers and […]

DeadlyKiss: Telsy discovered a probable still unknown and untreated APT malware aimed at compromising Internet Service Providers

Telsy Cyber Threat Intelligence Unit discovered DeadlyKiss, a still unknown APT malware. In the first days of September 2019, Telsy Cyber Threat Intelligence Unit received a variant of a strange and initially mysterious malware from a stream of thousands of samples coming from a partner operating in the telecommunications and internet connectivity sector. Although this sharing had not been accompanied by much information about it, it immediately seemed quite clear that the object under analysis was not something commonly observed. Indeed, a clear picture emerged that led to the observation of an advanced, rare and extremely evasion-oriented malware, which implements effective layered obfuscation techniques and adopts many […]

Zebrocy relies on dropbox and remote template injection to supply its dishes to an institution of Eastern Europe diplomatic sector.

// Introduction On 22 August 2019, a new Zebrocy spear-phishing email message was collected by the Telsy CTI Team. This malicious email was armed with an attached lure document designed to infect and steal data from victim systems after executing a sequence of multi-stage malicious instructions. // Actor Profiling Zebrocy has been considered for years a subgroup of Sofacy (aka APT28, aka Fancy Bear, aka Group 74). However, it appears very different from the latter, mainly due to its lower level of sophistication and its extensive use of a wide range of development languages. Zebrocy also tends to acquire and use publicly available code from sharing […]

PRIMITIVE BEAR USES A NATO-THEMED DOCUMENT TO TARGET UKRAINIAN GOVERNMENT AND DEFENSE AGENCIES

Recently we caught a NATO-themed malicious lure document likely associated with a new PRIMITIVE BEAR operation conducted against Ukrainian defense and government agencies. According to its metadata, the document is newly created (exactly on 22/07/2019) and aims to replicate an official press release from the Main Directorate of Intelligence of the Ukrainian Ministry of Defense. The press release concerned a meeting between representatives of the Ukrainian Ministry of Information Policy, the Ukrainian Ministry of Foreign Affairs, the Ukrainian National Institute for Strategic Studies, and NATO’s Strategic Communications division. It’s originally entitled “Представники ГУР МО України провели брифінг для експертів зі стратегічних комунікацій країн – членів НАТО” or, translated […]

Unknown threat actor is using Agent Tesla variants against Oil&Gas and Energy Sector

On 02/07/2019, Telsy TRT caught a new malware variant belonging to the Agent Tesla family, addressed to companies operating in the Energy and Oil&Gas sector. Among these organizations, Telsy identified a very large Italian company with a strong international presence, especially in the UAE area. Attack Vector As in many cases we usually observe, the main attack vector used for spreading the malicious payload is email. In this case, we were able to collect some malicious messages sent by the threat actor to different targets; these messages are designed to spoof the identity of what we believe to be a real person involved in the engineering field in the UAE area. Indeed, we believe […]

“CEO Fraud” campaign spreads in EU: Telsy TRT joined an international collaborative effort to meet the threat.

“CEO Fraud” campaign spreads in EU and already made victims: Telsy TRT joined an international collaborative effort for researching and mitigating the threat. The threat In the first days of May 2019, Telsy TRT joined a collaborative international effort aimed at studying, researching and mitigating a recent malicious campaign carried out by a criminal gang we internally track as #TA-927. Our collaboration has mainly seen, among others, Theo Geurts as an active member of the ICANN community. He has been an essential part of our mitigation efforts. According to Wikipedia, ICANN is the organization responsible for coordinating the maintenance and procedures of several databases related to the namespaces and […]

APT34: New leaked tool named Jason is available for the mass

In the afternoon of 03/06, Lab Dookhtegan released a new tool they report as belonging to the hacking arsenal of the group APT34. This hacking tool seems to be useful for hacking email accounts and consequently exfiltrating data. The archive we got is composed of the following files (Archive file for Json data tool). A first analysis identified two executable files and some others in txt format, likely used in supporting tasks. The file Microsoft.Exchange.WebServices.dll is an official component of the Microsoft Exchange communication suite. We performed a quick AI-powered malware scan, getting no results over the first component extracted (Telsy internal file classification service results for Microsoft.Exchange.WebServices.dll). The file […]
