Today in the Rule of the Week section we want to highlight a new threat hunting rule from Ariel Millahuel which helps to detect samples of Bunitu Proxy Trojan: https://tdm.socprime.com/tdm/info/3evdCZVz3mCX/_WrlonIBPeJ4_8xctGPi/?p=1 Bunitu Trojan is used for turning infected systems into a proxy for remote clients. Its malicious actions can slow down the network traffic, and adversaries […]
Higaisa APT has been known since November 2019, when Tencent researchers first documented its activities. The group was discovered recently, but attackers have been operating for several years and use common tools to complicate the attribution. They mainly use mobile malware and the Gh0st and PlugX trojans. Researchers believe that Higaisa APT is a South […]
Despite the fact that new ransomware families appear quite often, most of them are focused exclusively on Windows systems. Way more interesting is Tycoon, a multi-platform Java ransomware that can encrypt files on both Windows and Linux systems. This family has been observed in-the-wild since at least December 2019. Its authors compiled it into a […]
Hello everyone, we are back with five fresh rules submitted this week by participants of the Threat Bounty Program. You can check our previous digests here, and if you have any questions, then welcome to the chat. Pykspa worm-like malware can install itself to maintain persistence, listen to incoming port for additional commands, and drop […]
Scarab ransomware was spotted for the first time in June 2017 and had been reappearing with new versions since then. This ransomware is one of the many HiddenTear variants, an open source ransomware Trojan released in 2015. The recently discovered versions of ransomware use an improved RSA encryption method and add various extensions to infected […]
PipeMon is a modular backdoor that is signed with a certificate belonging to a video game company, which was compromised by Winnti group in 2018. Researchers at ESET discovered this backdoor used in attacks on companies in South Korea and Taiwan that develop popular Massively Multiplayer Online games. They named the backdoor PipeMon because the […]
This week in our digest there are rules exclusively developed by participants of the Threat Bounty Program. Threat actor behind the recent Ursnif variant possibly conducts targeted cybercrime operations that are still ongoing. At the heart of these campaigns is a variant of the Ursnif Trojan that was repurposed as a downloader and reconnaissance tool […]
Last week, CISA, FBI, and DoD released malware analysis reports on recently discovered tools of the notorious Lazarus group that perform operations in the interests of the North Korean government. The malware variants, called COPPERHEDGE, TAINTEDSCRIBE, and PEBBLEDASH, can be used for reconnaissance and deleting confidential information on target systems. TAINTEDSCRIBE malware is used as […]
This digest includes rules from both members of the Threat Bounty Program and the SOC Prime Team. Letās start with rules by Arunkumar Krishna which will debut in our Rule Digest with CVE-2020-0932: A Remote Code Execution Bug in Microsoft SharePoint. CVE-2020-0932 was patched in April, it allows authenticated users to execute arbitrary code on […]
Floxif Trojan is primarily known for being used by the Winnti group, they distributed it with the infected CCleaner, which was downloaded by users from the official site. The attack occurred in September 2017, attackers allegedly gained access to CCleaner’s build environment. Floxif Trojan was used with Nyetya Trojan to collect information about infected systems […]