Tag: Ariel Millahuel

PyVil RAT by Evilnum Group

The Evilnum group operations were first discovered in 2018. The group is highly focused on attacks on large financial technology organizations, especially on investment platforms and cryptocurrency-related companies. Most of their targets are located in Europe and the United Kingdom, but the group also carried out separate attacks on organizations in Canada and Australia. Researchers […]

Read More
JSOutProx RAT

Last year, India was named the most cyber-attacked country. Critical infrastructures in oil and gas industries, and defence, banking, and manufacturing sectors are listed as the most common targets.  In April 2020, the governmental establishments and a number of banks in India were targeted by email campaigns delivering a malicious JavaScript and Java-based backdoor which […]

Read More
Transparent Tribe APT

Transparent Tribe (aka PROJECTM and MYTHIC LEOPARD) is a cyber espionage unit that is linked to the Pakistani government and has been active since at least 2013. The group has been quite active in the last four years targeting primarily Indian military and government personnel, but during the last year, they attacked more and more […]

Read More
BLINDINGCAN RAT

Late last week, Ariel Millahuel released community threat hunting rule to detect BLINDINGCAN Remote Access Trojan that is used by North Korean state-sponsored hackers: https://tdm.socprime.com/tdm/info/pi0B7x1SzQlU/FiBkEHQBSh4W_EKGcibk/?p=1 The rule is based on a malware analysis report recently published by CISA experts. Threat actor used BLINDINGCAN RAT in a cyberespionage campaign primarily targeted at the US defense and […]

Read More
Detection Content: Drovorub Malware

Last week, the FBI and NSA released a joint security alert containing details about Drovorub malware, a new utility in APT28’s hands. This is a Linux malware that is used to deploy backdoors in compromised networks. The malware is a multi-component system that consists of a kernel module rootkit, an implant, a C&C server, a […]

Read More
Threat Hunting Rules: Gamaredon Group Behavior

The Gamaredon group appeared in 2013 and at first, did not use custom malware, but over time developed a number of cyber espionage tools, including Pterodo and EvilGnome malware. In recent months, the group has been actively sending phishing emails with documents containing malicious macros that download a multitude of different malware variants. The Gamaredon […]

Read More
IOC Sigma: Mock Folders Creation

Today we want to pay attention to the community IOC Sigma rule submitted by Ariel Millahuel to detect the creation of mock directories that can be used to bypass User Account Control (UAC): https://tdm.socprime.com/tdm/info/KB1bISN0mbzm/Hua9s3MBSh4W_EKGTlO2/?p=1 A mock folder is a specific imitation of a Windows folder with a trailing space in its name, and the security […]

Read More
Detection Content: Bazar Loader

In late April, developers of TrickBot used a new stealthy backdoor in a phishing campaign targeted at professional services, healthcare, manufacturing, IT, logistics, and travel companies across the United States and Europe. Many advanced threat actors including the infamous Lazarus APT use TrickBot’s services, and malware authors not only improve well-known tools like the Anchor […]

Read More
Threat Hunting Rules: Redaman RAT

Today, in the Threat Hunting Rules category, we are pleased to present you a new rule developed by Ariel Millahuel, which detects Redaman RAT: https://tdm.socprime.com/tdm/info/gAF3sheoIG9y/qtkZmnMBQAH5UgbBy6do/?p=1 Redaman is a form of banking trojans distributed by phishing campaigns. It was first seen in 2015 and reported as the RTM banking Trojan, new versions of Redaman appeared in […]

Read More
Detection Content: RDAT Backdoor

Last week, researchers published details of the attacks targeted at Middle Eastern telecommunications carried out by APT34 (aka OilRig and Helix Kitten), and updated tools in the arsenal of this group. Of course, participants in the Threat Bounty Program did not pass by and published a couple of rules for detecting RDAT Backdoor, but more […]

Read More