Tag: Threat Bounty Program

Threat Hunting Content: PipeMon malware detection

PipeMon is a modular backdoor that is signed with a certificate belonging to a video game company, which was compromised by Winnti group in 2018. Researchers at ESET discovered this backdoor used in attacks on companies in South Korea and Taiwan that develop popular Massively Multiplayer Online games. They named the backdoor PipeMon because the […]

Read More
IOC Sigma: GreenBug APT Group Activities

Greenbug APT is an Iranian-based cyber-espionage unit that has been active since at least June 2016. The group most likely uses spear-phishing attacks to compromise targeted organizations. Adversaries use multiple tools to compromise other systems on the network after an initial compromise, and steal user names and passwords from operating systems, email accounts, and web […]

Read More
Interview with Developer: Sreeman Shanker

Meet Sreeman, one of the most active participants of SOC Prime Threat Bounty Program. Sreeman has been participating in the Threat Bounty Program since December 2019. Before he started publishing his own developed content to Threat Detection Marketplace, Sreeman had contributed a bulk of changes and improvement to the existing TDM content translations for Azure […]

Read More
Detection Content: Malspam Downloads Zloader Malware

Zloader Trojan (also known as Zeus Sphinx and Terdot) was initially spotted in August 2015. It is based on the Zeus v2 Trojan’s leaked source code and cybercriminals used it in attacks on financial organizations across the globe collecting sensitive data via web injections. In early 2018, the use of this banking Trojan in the […]

Read More
Rule Digest: Trojans, Cyberspies and RATicate group

This week in our digest there are rules exclusively developed by participants of the Threat Bounty Program. Threat actor behind the recent Ursnif variant possibly conducts targeted cybercrime operations that are still ongoing. At the heart of these campaigns is a variant of the Ursnif Trojan that was repurposed as a downloader and reconnaissance tool […]

Read More
Rule of the Week: QakBot Malware Detection

QakBot banking trojan (aka QBot) has been used in attacks on organizations for over 10 years, and its authors continuously monitor threat landscape trends adding new features or removing them if they don’t work properly. In 2017, this malware possessed worm-like capabilities and was capable of locking Active Directory users to make additional damage to […]

Read More
Detection Content: Kpot Info Stealer Campaign

COVID-19 is by far the most popular topic exploited by cybercriminals in phishing and malspam campaigns. Recently, attackers have found a new and effective way to convince the user to open a malicious attachment. Researchers at IBM X-Force discovered a malicious campaign that used emails pretended to be messages from the U.S. Department of Labor. […]

Read More
Threat Hunting Content: TAINTEDSCRIBE Trojan

Last week, CISA, FBI, and DoD released malware analysis reports on recently discovered tools of the notorious Lazarus group that perform operations in the interests of the North Korean government. The malware variants, called COPPERHEDGE, TAINTEDSCRIBE, and PEBBLEDASH, can be used for reconnaissance and deleting confidential information on target systems. TAINTEDSCRIBE malware is used as […]

Read More
Detection Content: Hunting for Netwire RAT

NetWire is a publicly-available Remote Access Trojan that is a part of the NetWiredRC malware family used by cybercriminals since 2012. Its primary functionality is focused on credentials stealing and keylogging, but it also has remote control capabilities. Adversaries often distribute NetWire through malspam and phishing emails.  In a recent campaign, cybercriminals targeted users in […]

Read More
Threat Hunting Content: HawkEye Multiple Detection

We start the week with a new rule from Emir Erdogan – HawkEye Multiple Detection (Covid19 Themed Phishing Campaign). This malware is also known as Predator Pain steals a variety of sensitive information from the infected system, including bitcoin wallet information and credentials to browsers and mail clients. The stealer is capable of taking screenshots […]

Read More