Tag: Detection Content

Detection Content: LokiBot Detector

In today’s post, we want to remind our readers about LokiBot infostealer that provides backdoors to the victim Windows OS and enables fraudsters to steal sensitive data and even bring in place different payloads. LokiBot infostealer comes to the victims via malspam campaigns often masquerading as a trusted sender, containing an attached document luring the […]

Read More
Detection Content: FTCode Ransomware

Today, we want to draw your attention to another ransomware targeting at Italian-speaking users. First spotted by the researchers back in 2013, FTCode is PowerShell based ransomware that is distributed via spam. In the recent attacks, the FTCode ransomware was delivered to the victim machines with an email containing an attachment pretending to be an […]

Read More
Detection Content: Arkei Stealer

Arkei Stealer is a variant of infostealer malware and its functionality is similar to Azorult malware: it steals sensitive information, credentials, and private keys to cryptocurrency wallets. The malware is sold on underground forums, and anyone can acquire and use both the “legitimate” version and the cracked version of Arkei Stealer, making it difficult to […]

Read More
Detection Content: Bazar Loader

This fall has brought another challenge to the guardians of corporate infrastructures. Earlier this year, in late April, developers of TrickBot used a new stealthy backdoor in a phishing campaign targeted at professional services, healthcare, manufacturing, IT, logistics, and travel companies across the United States and Europe. Many advanced threat actors including the infamous Lazarus […]

Read More
Detection Content: MATA Multi-platform malware framework by Lazarus APT

Last week, researchers reported on the latest notorious Lazarus APT tool, which has been used in the group’s attacks since spring 2018. Their new ‘toy’ was named MATA, it is a modular cross-platform framework with several components including a loader, orchestrator, and multiple plugins that can be used to infect Windows, Linux, and macOS systems. […]

Read More
Detection Content: RDAT Backdoor

Last week, researchers published details of the attacks targeted at Middle Eastern telecommunications carried out by APT34 (aka OilRig and Helix Kitten), and updated tools in the arsenal of this group. Of course, participants in the Threat Bounty Program did not pass by and published a couple of rules for detecting RDAT Backdoor, but more […]

Read More
Detection Content: Formbook Dropped Through Fake PDF (Sysmon Behavior)

The Covid19 outbreak has revealed a number of blind sides of cybersecurity. We do our best to keep you in the picture of the latest trends on our Weekly Talks, webinars, relevant content Digests. However, human curiosity in the flood of information may be a weak spot. FormBook, the infostealer known since 2016, has been […]

Read More
Detection Content: Hancitor Trojan

Today’s post is about fresh versions of Hancitor trojan and a couple of rules released by Threat Bounty Program participants which enables security solutions to detect them. Hancitor Trojan (Evasion Technique) community rule by Emir Erdogan: https://tdm.socprime.com/tdm/info/GwJ4Y7k7tzaz/1rBKXHMBSh4W_EKGF2on/?p=1 Hancitor infection with Ursnif exclusive rule by Osman Demir: https://tdm.socprime.com/tdm/info/DXrFgt0kTBg1/Z9TBUXMBPeJ4_8xc-IFm/ This malware appeared in 2013 and at the […]

Read More
Detection Content: GoldenHelper Behavior

This week we will not highlight any rule in the “Rule of the Week” section, because the hottest rules have already been published in yesterday’s special digest dedicated to the rules that detect exploitation of a critical vulnerability in Windows DNS Servers, CVE-2020-1350 (aka SIGRed). Today’s publication is dedicated to the detection of GoldenHelper malware […]

Read More
Detection Content: Phorpiex Trojan

In one of our Threat Hunting Content blog posts, we already observed a rule to detect Avaddon ransomware, a new Ransomware-as-a-Service variant that was first spotted in early June. One of the most active distributors of Avaddon ransomware is Phorpiex botnet, which recently recovered from losses incurred earlier this year. Infected systems can send tens […]

Read More