PT ESC Threat Intelligence
Fake attachment. Roundcube mail server attacks exploit CVE-2024-37383 vulnerability
Roundcube Webmail is an open-source email client written in PHP. Its extensive functionality and the convenient access it gives users to email accounts via a browser—without the need for full-fledged email clients—have made it popular among commercial and government organizations worldwide. However, this popularity also makes it an attractive target for cybercriminals who quickly adapt exploits once they become publicly known, aiming to steal credentials and corporate email communications.
DarkHotel. A cluster of groups united by common techniques
Asia's SMS stealers: 1,000 bots and one study
Attackers have increasingly started using Telegram as a control server (C2). One example is the Lazy Koala group, which we recently discovered and set out to study. While researching bots on Telegram, we found that many are from Indonesia. We were struck by the huge numbers of messages and victims, and how new bots and chats seem to appear on Telegram by the day, so we decided to get to the bottom of this "Indonesian tsunami."
ExCobalt: GoRed, the hidden-tunnel technique
While responding to an incident at one of our clients, the PT ESC CSIRT team discovered a previously unknown backdoor written in Go, which we attributed to a cybercrime gang dubbed ExCobalt.
Hellhounds: Operation Lahat. Part 2
In November 2023, the team at the Positive Technologies Expert Security Center (PT ESC) released their first research report on attacks by the hitherto-unknown group Hellhounds on Russian companies' infrastructure: Operation Lahat. The report focused on the group's attacks on Linux hosts that relied on a new backdoor known as Decoy Dog. Hellhounds carried on attacks on organizations located in Russia, scoring at least 48 confirmed victims by Q2 2024.
Positive Technologies detects a series of attacks via Microsoft Exchange Server
While responding to an incident, the Incident Response team of Positive Technologies Expert Security Center (PT ESC) discovered an unknown keylogger embedded in the main Microsoft Exchange Server page of one of our customers. This keylogger was collecting account credentials into a file accessible via a special path from the internet. The team identified over 30 victims, most of whom were linked to government agencies across various countries. According to our data, the first compromise occurred in 2021. Without additional data, we can't attribute these attacks to a specific group; however, most victims are located in Africa and the Middle East.
SteganoAmor campaign: TA558 mass-attacking companies and public institutions all around the world
Researchers from the Positive Technologies Expert Security Center discovered more than three hundred attacks worldwide, which they confidently attributed to the well-known TA558 group.
As originally described by researchers at ProofPoint, TA558 is a relatively small financially motivated cybercrime group that has attacked hospitality and tourism organizations mainly in Latin America, but has also been identified behind attacks on North America and Western Europe. According to the researchers, the group has been active since at least 2018.
In the attacks that we studied, the group made extensive use of steganography by sending VBSs, PowerShell code, as well as RTF documents with an embedded exploit, inside images and text files. Interestingly, most of the RTF documents and VBSs have names like greatloverstory.vbs, easytolove.vbs, iaminlovewithsomeoneshecuteandtrulyyoungunluckyshenotundersatnd_howmuchiloveherbutitsallgreatwithtrueloveriamgivingyou.doc, and others, associated with love, which is why we dubbed the campaign "SteganoAmor".
LazyStealer: sophisticated does not mean better
In the first quarter of 2024, specialists from Positive Technologies Expert Security Center (PT ESC) detected a series of attacks targeting government organizations in Russia, Belarus, Kazakhstan, Uzbekistan, Kyrgyzstan, Tajikistan, and Armenia. We could not find any links to known groups that used the same techniques. The main goal of the attack was stealing credentials for various services from computers used by public servants. We dubbed the group "Lazy Koala"—for the unsophisticated techniques they used and after the name of the user who controlled the Telegram bots that received the stolen data. The malware that powered the attacks, which we named "LazyStealer", proved productive despite a simple implementation. We could not ascertain the infection vector, but all signs pointed to phishing. All the victims were notified directly about the compromise.
Hellhounds: operation Lahat
In 2023, our Positive Technologies computer security incident response team (PT CSIRT) discovered that a certain power company was compromised by the Decoy Dog trojan. According to the PT CSIRT investigation, Decoy Dog has been actively used in cyberattacks on Russian companies and government organizations since at least September 2022. This trojan was previously discussed by NCIRCC, Infoblox, CyberSquatting, and Solar 4RAYS.
However, the sample we found on the victim’s host was a new modification of the trojan, which the adversaries altered in such a way as to make it harder to detect and analyze.
As far as we can tell, the APT group Hellhounds that uses Decoy Dog only targets organizations located in Russia. Remarkably, the attackers were using the command-and-control (C2) server maxpatrol[.]net to impersonate Positive Technologies MaxPatrol products.
A pirated program downloaded from a torrent site infected hundreds of thousands of users
When searching for necessary software, users often visit seemingly safe websites and torrent trackers to download, install and use programs. But are these programs truly safe? Illegal software could contain threats of all kinds, from miners to complex rootkits. The danger of malware spreading through dubious software downloads is not new and has now reached a global scale. Let’s discuss this, taking the study of a specific attack as an example.
In August 2023, our SOC, using MaxPatrol SIEM, detected abnormal network activity. The incident response team (PT CSIRT) was engaged. Upon analyzing the incident, we established that a user from the X company was compromised by a relatively simple yet previously unknown malware. In the investigation, no traces of phishing, external perimeter breach, or any other techniques were found—the user just installed a program downloaded from a torrent site.