Meet Sreeman, one of the most active participants of SOC Prime Threat Bounty Program. Sreeman has been participating in the Threat Bounty Program since December 2019. Before he started publishing his own developed content to Threat Detection Marketplace, Sreeman had contributed a bulk of changes and improvement to the existing TDM content translations for Azure […]
Zloader Trojan (also known as Zeus Sphinx and Terdot) was initially spotted in August 2015. It is based on the Zeus v2 Trojan’s leaked source code and cybercriminals used it in attacks on financial organizations across the globe collecting sensitive data via web injections. In early 2018, the use of this banking Trojan in the […]
This week in our digest there are rules exclusively developed by participants of the Threat Bounty Program. Threat actor behind the recent Ursnif variant possibly conducts targeted cybercrime operations that are still ongoing. At the heart of these campaigns is a variant of the Ursnif Trojan that was repurposed as a downloader and reconnaissance tool […]
QakBot banking trojan (aka QBot) has been used in attacks on organizations for over 10 years, and its authors continuously monitor threat landscape trends adding new features or removing them if they don’t work properly. In 2017, this malware possessed worm-like capabilities and was capable of locking Active Directory users to make additional damage to […]
COVID-19 is by far the most popular topic exploited by cybercriminals in phishing and malspam campaigns. Recently, attackers have found a new and effective way to convince the user to open a malicious attachment. Researchers at IBM X-Force discovered a malicious campaign that used emails pretended to be messages from the U.S. Department of Labor. […]
Last week, CISA, FBI, and DoD released malware analysis reports on recently discovered tools of the notorious Lazarus group that perform operations in the interests of the North Korean government. The malware variants, called COPPERHEDGE, TAINTEDSCRIBE, and PEBBLEDASH, can be used for reconnaissance and deleting confidential information on target systems. TAINTEDSCRIBE malware is used as […]
NetWire is a publicly-available Remote Access Trojan that is a part of the NetWiredRC malware family used by cybercriminals since 2012. Its primary functionality is focused on credentials stealing and keylogging, but it also has remote control capabilities. Adversaries often distribute NetWire through malspam and phishing emails. In a recent campaign, cybercriminals targeted users in […]
We start the week with a new rule from Emir Erdogan – HawkEye Multiple Detection (Covid19 Themed Phishing Campaign). This malware is also known as Predator Pain steals a variety of sensitive information from the infected system, including bitcoin wallet information and credentials to browsers and mail clients. The stealer is capable of taking screenshots […]
This digest includes rules from both members of the Threat Bounty Program and the SOC Prime Team. Letās start with rules by Arunkumar Krishna which will debut in our Rule Digest with CVE-2020-0932: A Remote Code Execution Bug in Microsoft SharePoint. CVE-2020-0932 was patched in April, it allows authenticated users to execute arbitrary code on […]
This week we want to highlight the community Sigma rule by Emir Erdogan that helps detect Nefilim/Nephilim ransomware used in destructive attacks. This ransomware family was first discovered two months ago, and its code is based on NEMTY ransomware which emerged last summer as a public affiliate program. It looks like NEMTY forked into two […]