Blog

New QRAT Variant Distributed via Trump-themed Spam Campaign

Cyber-criminals constantly take advantage of the “hottest” media topics to lure victims and infect them with malware. This time hackers decided to profit from the increased attention to the last US presidential elections and launched a Donald Trump-themed spam campaign. The final goal of this operation is to distribute the latest QRAT Trojan malware variant, […]

Read More
DoppelPaymer Ransomware Detection

DoppelPaymer ransomware is gaining momentum as a leading threat to critical infrastructure assets. According to the FBI warning released in December 2020, DoppelPaymer has targeted multiple organizations in healthcare, educational, governmental and other sectors. The attack routine is highly sophisticated and aggressive, allowing its operators to extort six- and seven-digit ransoms from their victims. Notably, […]

Read More
Interview with Developer: Kyaw Pyiyt Htet

Catch the latest newscast about the SOC Prime community! Today we want to introduce you to Kyaw Pyiyt Htet, an active member of our Threat Bounty Program. Kyaw joined the Program in Q3 2020 and swiftly became one of the most prolific authors with a variety of Sigma, YARA, and SNORT rules published. You can […]

Read More
CVE-2020-29583: Secret Backdoor Vulnerability in Zyxel Products

Threat actors exploit a recently discovered Zyxel secret backdoor in the wild. It’s high time to patch since adversaries are instantly searching for vulnerable installations to gain momentum before updates are installed. CVE-2020-29583 Overview The bug occurs since a number of Zyxel products incorporate an undocumented root account leveraging hardcoded login details accessible in the […]

Read More
Golden SAML Attack Method Used by APT Group Behind SolarWinds Hack

Adversaries apply a malicious Golden SAML method to expand a scale of compromise related to the SolarWinds hack. Although security researchers initially considered that the SolarWinds Orion software was a single access vector, further investigation reveals that the Golden SAML technique allows achieving persistence on any instance within a targeted cloud environment that maintains SAML […]

Read More
New Credential Stealer Banking Malware Attacks the US and Canada

The banking sector has always been an attractive target for cyber-criminals. After Zeus and Gozi emerged in 2007, prominent banking Trojans regularly made the headlines by emptying accounts of customers. Recently, security researchers have spotted yet another member of the financial malware family. This time the campaign is aimed at the US and Canadian banking […]

Read More
SUPERNOVA Backdoor: A Second APT Group Abused SolarWinds Flaw to Deploy Web Shell Malware

New details related to epoch-making SolarWinds supply-chain attack came into light. Research from Microsoft indicates that another stand-alone APT actor might have a hand in SolarWinds Orion compromise. Particularly, cyber-criminals utilized a newly discovered zero-day bug to infect targeted instances with SUPERNOVA backdoor. New ZeroDay Vulnerability in SolarWinds Orion Software (CVE-2020-10148) The vulnerability was disclosed […]

Read More
IceRat Malware Detection
IceRAT Malware Detection: Catch Me If You Can

IceRAT is a relatively new tool in the malicious arena, being a unique strain in regard to its features and unprecedented evasion tactics. Remarkably, the threat has very low detection rates, acting as a stealth malware able to steal sensitive data and financial assets from the targeted machines. What is IceRAT malware? Despite its name, […]

Read More
Zoho ManageEngine ServiceDesk Plus Vulnerability Detection and Mitigation

Zoho ManageEngine ServiceDesk Plus Exploit Detection Security researchers warn that hackers continue to exploit Zoho ManageEngine ServiceDesk Plus (SDP) vulnerability in the wild. Despite the patch released in Q1 2019, many instances remain vulnerable, allowing adversaries to deploy web shell malware and compromise targeted networks. CVE-2019-8394 Analysis The vulnerability (CVE-2019–8394) was disclosed on February 18, […]

Read More
Lazarus Group Attacks Manufacturing and Electrical Industries in Europe

The infamous Lazarus APT group (aka HiddenCobra, APT37) was yet again spotted agitating the world of cyber. This time security analysts revealed a highly targeted cyber-espionage campaign aimed at major manufacturing and electrical industry enterprises across Europe.  Lazarus Toolset and Attack Scenario The initial attack vector used by Lazarus hackers was similar to that leveraged […]

Read More