Category Archives: Cyber Threat Intelligence

Turla Skipper over the ocean of cyber operations

In the middle of May 2019, new malware variants identified as part of the Turla toolset came to light. Turla, also known as Snake or Uroburos, is one of the most advanced threat actors in the cyber operations landscape. The full malicious set retrieved can be attributed to a campaign that started in the second half of 2018 and was likely aimed at compromising government entities and high-level diplomatic institutions. The number of variants found, at times combined with low detection rates, together with the nature of the targeted entities, confirms the “APT” nature of the actor and its ability to remain in the shadows for a long time. It has […]

LightNeuron: Telsy TRT releases its YARA rule to detect this Microsoft Exchange backdoor

A recent APT malware infection, known as LightNeuron, uses the basic functions of Microsoft’s Exchange Server to monitor and control outgoing and incoming communications from mail servers. The threat group that uses it usually targets high-level diplomatic and international relations institutions. In order to assist the security community in fighting and hunting this insidious threat, Telsy TRT has publicly released one of its specific tracking signatures on a dedicated GitHub repo.

LightNeuron YARA rule signature:

    rule Turla_LNTA_v1 {
        meta:
            description = "Detect Turla LightNeuron Transport Agent"
            author = "Emanuele De Lucia – Telsy SpA – thanks to @TS_WAY_SRL for cooperation"
            tlp = "white"
        strings:
            $x1 = "networkservice\\appdata\\local\\temp\\tmp1197.tmp" fullword wide
            $x2 = "networkservice\\appdata\\local\\temp\\tmp8621.tmp" fullword wide
            $s1 = "BPA.Transport.dll" […]

Unknown threat actor uses the compromised website of a Middle-East government institution in a campaign with commercial and financial themes.

Recently, Telsy TRT detected a wave of malicious documents tied to an unknown threat actor attempting to impersonate an official institution of a Middle-East government. Moreover, the website of another government institution of the same country appears to have been compromised in order to spread a malicious .NET payload. To protect these government entities, we do not want to share too many details for now, but we will update this post once their incident response operations are complete. Considering the moderate level of diffusion of the collected malicious payloads, as well as the limited global DNS resolution requests for the domain name […]

Threat Hunters vs Red Teamers. A meeting in the cyber space…

Threat Hunters vs Red Teamers is a common struggle in the cyber universe. Recently, Telsy TRT intercepted a new wave of malicious decoy Microsoft Office documents addressed exclusively to a Central European country. They were collected as they landed on a media sector company. The observed TTPs did not match any known threat actor, and initially we imagined that a new group was coming out of the shadows… Whoever was operating behind this campaign seemed to use different infection methods to reach execution of its first-stage payload, including the adoption of the “EvilClippy” tool, released during a BlackHat Asia talk (March […]

OceanLotus On ASEAN Affairs

In the last days of March, we discovered OceanLotus activity targeting ASEAN affairs. Telsy TRT captured some malicious macro-armed documents likely targeting ASEAN affairs and meeting members. Telemetry and spreading statistics related to these decoy documents highlight their diffusion in the geographical area of Thailand. According to OSINT information, the 34th ASEAN Meeting will be held in Bangkok, Thailand, in June 2019. Generally, these malicious documents have been designed to induce victims to enable macro code that leads to an in-memory payload injection through layered obfuscation techniques. At the time of analysis, however, the full infection cycle showed a […]

Introducing Our CTI Research Blog

This post introduces the CTI Research Blog of the Telsy Threat Recon Team. Find out all updates here! CTI Research Blog: What is Cyber Threat Intelligence? Cyber threat intelligence is information an organization uses to understand the threats that have targeted, are currently targeting, or will target the organization. This information is used to prepare for, prevent, and identify cyber threats looking to take advantage of valuable resources. We live in a world where cyber threats can bring an organization to its knees, which can be downright terrifying. Threat intelligence helps organizations gain valuable knowledge about these threats, build effective defense mechanisms, and mitigate the risks that could damage their bottom line […]