Tag: Sigma

Zerologon Attack Detection (CVE-2020-1472)

After a very hot July, especially fruitful for critical vulnerabilities (1, 2, 3), Microsoft’s Patch Tuesday in August went relatively quiet. Yes, once again more than a hundred vulnerabilities were patched, yes, 17 flaws were rated as Critical, and Microsoft didn’t point at bugs of the “We All Doomed” level. Although back then security researchers […]

Read More
Nanocore RAT Detection

Nanocore RAT has been used in cyberattacks for about 7 years, and there are a huge number of modifications of this trojan. Official, “semi-official” and cracked versions of this malware are sold on forums on the DarkNet, and sometimes even given away for free, so it is not surprising that the number of attacks using […]

Read More
Recent Attacks of Lazarus APT

The Lazarus APT group is one of the few state-sponsored cyber espionage units that also handle financially motivated cybercrimes and it is the most profitable threat actor in the cryptocurrency scene which managed to steal about $2 billion. In 2017 alone, the group stole more than half a billion dollars in cryptocurrency, so their interest […]

Read More
Transparent Tribe APT

Transparent Tribe (aka PROJECTM and MYTHIC LEOPARD) is a cyber espionage unit that is linked to the Pakistani government and has been active since at least 2013. The group has been quite active in the last four years targeting primarily Indian military and government personnel, but during the last year, they attacked more and more […]

Read More
BLINDINGCAN RAT

Late last week, Ariel Millahuel released community threat hunting rule to detect BLINDINGCAN Remote Access Trojan that is used by North Korean state-sponsored hackers: https://tdm.socprime.com/tdm/info/pi0B7x1SzQlU/FiBkEHQBSh4W_EKGcibk/?p=1 The rule is based on a malware analysis report recently published by CISA experts. Threat actor used BLINDINGCAN RAT in a cyberespionage campaign primarily targeted at the US defense and […]

Read More
Threat Hunting Rules: Possible C2 Connection via DoH

It’s been a year since the first malware timidly exploited DNS-over-HTTPS (DoH) to retrieve the IPs for the command-and-control infrastructure. Security researchers had already warned that this could be a serious problem and started to look for a solution that would help detect such malicious traffic. More and more malware has been switching to DoH […]

Read More
Detection Content: Mekotio Banking Trojan

Mekotio is one more Latin American banking trojan that is targeted at users mainly in Brazil, Mexico, Spain, Chile, Peru, and Portugal. This is persistent malware that is distributed via phishing emails and ensures persistence either by creating an LNK file in the startup folder or using a Run key. It is capable of stealing […]

Read More
Rule of the Week: Microsoft Teams Updater Abuse

Since the start of the pandemic, video conferencing solutions have become an integral part of the workflow in many organizations. First, Zoom took the lead, and many cybercriminals immediately began using it in phishing campaigns, taking advantage of the fact that a huge number of employees had not previously used this technology. Soon, security researchers […]

Read More
Threat Hunting Rules: Ave Maria RAT

Today’s article is somewhat a continuation of Detection Content: Arkei Stealer since the author of the detection rule for Ave Maria RAT is the same, and both malicious tools have recently been actively spread using the Spamhaus Botnet.  Ave Maria is a Remote Access Trojan that is often used by adversaries to take over the […]

Read More
Detection Content: Arkei Stealer

Arkei Stealer is a variant of infostealer malware and its functionality is similar to Azorult malware: it steals sensitive information, credentials, and private keys to cryptocurrency wallets. The malware is sold on underground forums, and anyone can acquire and use both the “legitimate” version and the cracked version of Arkei Stealer, making it difficult to […]

Read More