Tag: Emir Erdogan

Detection for Critical Vulnerability in Aruba ClearPass (CVE-2020-7115)

Aruba Networks, the subsidiary of Hewlett Packard Enterprise, has released a Security Advisory on recently discovered multiple vulnerabilities in their product leveraged by enterprise clients worldwide. In this article, we will cover the details of the most severe of the reported Remote Command Execution vulnerability in Aruba ClearPass (CVE-2020-7115) with CVSS 8.1, and content to […]

Read More
Behaviour Analysis of Redline Stealer

Infostealers occupy a special place among malware, since, with their simplicity, they very effectively cope with their primary tasks: to collect all potentially valuable information in the system, exfiltrate it to the command-and-control server, and then delete themselves and traces of their activities. They are used by both beginners and advanced threat actors, and there are […]

Read More
Recent Attacks of Lazarus APT

The Lazarus APT group is one of the few state-sponsored cyber espionage units that also handle financially motivated cybercrimes and it is the most profitable threat actor in the cryptocurrency scene which managed to steal about $2 billion. In 2017 alone, the group stole more than half a billion dollars in cryptocurrency, so their interest […]

Read More
Detection Content: FTCode Ransomware

Today, we want to draw your attention to another ransomware targeting at Italian-speaking users. First spotted by the researchers back in 2013, FTCode is PowerShell based ransomware that is distributed via spam. In the recent attacks, the FTCode ransomware was delivered to the victim machines with an email containing an attachment pretending to be an […]

Read More
Detection Content: RDAT Backdoor

Last week, researchers published details of the attacks targeted at Middle Eastern telecommunications carried out by APT34 (aka OilRig and Helix Kitten), and updated tools in the arsenal of this group. Of course, participants in the Threat Bounty Program did not pass by and published a couple of rules for detecting RDAT Backdoor, but more […]

Read More
Detection Content: Hancitor Trojan

Today’s post is about fresh versions of Hancitor trojan and a couple of rules released by Threat Bounty Program participants which enables security solutions to detect them. Hancitor Trojan (Evasion Technique) community rule by Emir Erdogan: https://tdm.socprime.com/tdm/info/GwJ4Y7k7tzaz/1rBKXHMBSh4W_EKGF2on/?p=1 Hancitor infection with Ursnif exclusive rule by Osman Demir: https://tdm.socprime.com/tdm/info/DXrFgt0kTBg1/Z9TBUXMBPeJ4_8xc-IFm/ This malware appeared in 2013 and at the […]

Read More
Threat Hunting Rules to Detect Exploitation of CVE-2020-1350 (SIGRed)

Today we introduce a special digest of content that helps to detect exploitation of a critical vulnerability in Windows DNS Servers. The vulnerability became known only two days ago, but since then, both the SOC Prime team (represented by Nate Guagenty) and the Threat Bounty Program participants have published 7+ rules for detecting various ways […]

Read More
Rule Digest: Trojans and Ransomware

In today’s digest, we want to highlight the content provided by members of the Threat Bounty Program that will help security solutions to detect Saefko RAT, Ursa trojan, and a pack of actively spreading ransomware strains.  The Saefko RAT is a relatively fresh remote-access trojan written in .NET that was first spotted in the midst […]

Read More
Rule of the Week: Thanos Ransomware

Today in the Rule of the Week section, we suggest paying attention to the rule published by Emir Erdogan. The new rule helps detect Thanos ransomware, which weaponized RIPlace tactic to bypass anti-ransomware solutions: https://tdm.socprime.com/tdm/info/QvmZLqPG91bq/LYA4D3MBSh4W_EKGVfTV/?p=1 Thanos ransomware first appeared at the end of last year, and its authors advertised it in underground forums and closed […]

Read More
Rule of the Week: Qbot Trojan Detection

And again, we want to highlight the content for detecting QBot malware in the Rule of the Week section. About a month ago, a simple but effective rule from Emir Erdogan was already published in this section. But the twelve-year-old Trojan continues to evolve, and just a couple of days ago, fresh samples of this […]

Read More