Tag Archives: APT

When a false flag doesn’t work: Exploring the digital-crime underground at campaign preparation stage

At the beginning of October 2020 we found a copy of a malicious document potentially attributable to an APT group known as APT34 / OilRig. The attribution, based on several elements found within the malicious document, was first reported by a security researcher on a social network. According to the extracted evidence, the author “signed” this malicious document by leaving his/her username in the document metadata. This nickname was already widely known within the Cyber Threat Intelligence field because it had been attributed to a member of the aforementioned threat group. Indeed, this nickname is Iamfarhadzadeh, linked to Mohammad Farhadzadeh, believed to be a member of the hacking unit identified […]

Operation “Space Race”: reaching the stars through professional Social Networks

At the beginning of May 2020, Telsy analyzed some social-engineering-based attacks against individuals operating in the aerospace and avionics sector, carried out through the popular professional social network LinkedIn. According to our visibility, the targeted organizations currently operate within Italian territory and the targeted individuals are high-profile professionals in the aerospace research sector. The adversary used a realistic-looking LinkedIn virtual identity impersonating an HR (Human Resources) recruiter of a satellite imagery company, through which it contacted the targets via private messages, inviting them to download an attachment containing information about a fake job vacancy. Based on code similarities between the analyzed pieces of malware, Telsy asserts […]

Turla / Venomous Bear updates its arsenal: “NewPass” appears on the APT threat scene

Recently Telsy observed some artifacts related to an attack that occurred in June 2020 and is most likely linked to the well-known Russian Advanced Persistent Threat (APT) known as Venomous Bear (aka Turla or Uroburos). To the best of our knowledge, this time the hacking group used a previously unseen implant, which we internally named “NewPass” after one of the parameters used to send exfiltrated data to the command and control server. Telsy suspects this implant has been used to target at least one European Union country in the diplomacy and foreign affairs sector. NewPass is a fairly complex malware composed of different components that rely on an encoded file to […]

APT34 (aka OilRig, aka Helix Kitten) attacks Lebanon government entities with MailDropper implants

Very recently another custom malicious implant that appears to be related to APT34 (aka OilRig) was uploaded to a major malware analysis platform. Since 2014, the year in which FireEye first spotted this hacking group, APT34 has been known to conduct cyber operations primarily in the Middle East, mainly targeting the financial, government, energy, chemical and telecommunications sectors. In this case, the threat group probably compromised a Microsoft Exchange account of a sensitive entity related to the Lebanese government and used the mail server as the command-and-control of the implant. All the traffic between the compromised machine and the C2 is conveyed through legitimate email messages, making identification of the implant harder. The victim seems […]

Meeting POWERBAND: The APT33 .Net POWERTON variant

// APT33 .Net POWERBAND variant: Introduction Since the Islamic revolution, the US and regional rivals have put continuous effort into containing and isolating Iran. Implementing a foreign policy generally referred to as “strategic loneliness”, Iran’s defense strategy has been designed to compensate for the country’s low level of conventional capabilities with its activity in asymmetric warfare, and especially in the cyber domain. Then, let’s meet the APT33 .Net POWERTON variant! Indeed, the implementation of the ‘maximum pressure strategy’ by the US has increased the tensions between Washington and Teheran, leading to an all-time low in the history of their relations. The combination of international and economic pressure and of asymmetric warfare is making […]

The Lazarus’ gaze to the world: What is behind the first stone?

// Introduction: The Lazarus’ gaze Lazarus (aka APT38 / Hidden Cobra / Stardust Chollima) is one of the most prolific threat actors in the APT panorama. Since 2009, the group has leveraged its capabilities to target and compromise a wide range of victims; over time, the main victims have been government and defense institutions, organizations operating in the energy and petrochemical sector, and those operating in the financial and banking one. Let’s explore the Lazarus’ gaze, then. The group also has a wide range of tools at its disposal; among these, it is possible to catalog [D]DoS botnets, first-stage implanters, remote access tools (RATs), keyloggers and […]

DeadlyKiss: Telsy discovered a probably still unknown and undocumented APT malware aimed at compromising Internet Service Providers

The Telsy Cyber Threat Intelligence Unit discovered DeadlyKiss, a still unknown APT malware. In the first days of September 2019, the Telsy Cyber Threat Intelligence Unit received a variant of a strange and initially mysterious malware from a stream of thousands of samples coming from a partner operating in the telecommunications and internet connectivity sector. Although this sharing had not been accompanied by much information about it, it immediately seemed clear that the object under analysis was not something commonly observed. Indeed, a clear picture emerged of an advanced, rare and extremely evasion-oriented malware, which implements effective layered obfuscation techniques and adopts many […]

Zebrocy relies on Dropbox and remote template injection to supply its dishes to an institution in the Eastern European diplomatic sector.

// Introduction On 22 August 2019, a new Zebrocy spear-phishing email message was collected by the Telsy CTI Team. This malicious email was armed with an attached lure document designed to infect victim systems and steal data from them after executing a sequence of multi-stage malicious instructions. // Actor Profiling Zebrocy has been considered for years a subgroup of Sofacy (aka APT28, aka Fancy Bear, aka Group 74). However, it appears very different from the latter, mainly due to its lower level of sophistication and its extensive use of a wide range of development languages. Zebrocy also tends to acquire and use publicly available code from sharing […]

PRIMITIVE BEAR USES A NATO-THEMED DOCUMENT TO TARGET UKRAINIAN GOVERNMENT AND DEFENSE AGENCIES

Recently we caught a NATO-themed malicious lure document likely associated with a new PRIMITIVE BEAR operation conducted against Ukrainian defense and government agencies. According to its metadata, the document was newly created (precisely on 22/07/2019) and aims to replicate an official press release from the Main Directorate of Intelligence of the Ukrainian Ministry of Defense. The press release concerned a meeting between representatives of the Ukrainian Ministry of Information Policy, the Ukrainian Ministry of Foreign Affairs, the Ukrainian National Institute for Strategic Studies, and NATO’s Strategic Communications division. It is originally entitled “Представники ГУР МО України провели брифінг для експертів зі стратегічних комунікацій країн – членів НАТО” or, translated […]

LightNeuron: Telsy TRT releases its YARA rule to detect this Microsoft Exchange backdoor

A recent APT malware, known as LightNeuron, uses the basic functions of Microsoft’s Exchange Server to monitor and control outgoing and incoming communications on mail servers. The threat group that uses it usually targets high-level diplomatic and international relations institutions. In order to assist the security community in fighting and hunting this insidious threat, Telsy TRT has publicly released one of its specific tracking signatures on a dedicated GitHub repo.

LightNeuron YARA rule signature

    rule Turla_LNTA_v1 {
        meta:
            description = "Detect Turla LightNeuron Transport Agent"
            author = "Emanuele De Lucia – Telsy SpA – thanks to @TS_WAY_SRL for cooperation"
            tlp = "white"
        strings:
            $x1 = "networkservice\\appdata\\local\\temp\\tmp1197.tmp" fullword wide
            $x2 = "networkservice\\appdata\\local\\temp\\tmp8621.tmp" fullword wide
            $s1 = "BPA.Transport.dll" […]
