PT ESC Threat Intelligence

TaxOff: um, you've got a backdoor...

In Q3 2024, the Positive Technologies Expert Security Center (PT ESC) TI Department discovered a series of attacks on Russian government agencies. We were unable to establish any connection with known groups using the same techniques. The main goal was espionage and gaining a foothold to follow through on further attacks. We dubbed the group TaxOff because of their legal and finance-related phishing emails leading to a backdoor written in at least C++17, which we named Trinper after the artifact used to communicate with C2.
Read full report

DarkHotel. A cluster of groups united by common techniques

In early September 2024, specialists at the Threat Intelligence (TI) Department of Positive Technologies Expert Security Center (PT ESC) uncovered a suspicious VHDX virtual disk image—an extremely rare occurrence when viewing a data stream. Following analysis of the VHDX and all its associated files, they were able to attribute the attack to the APT-C-60 group. ThreatBook experts described one of the latest similar campaigns in July 2023. However, the PT ESC team has found some differences from that earlier campaign both in the file hierarchy on the disk and in the commands and tools used. In this article, we have outlined the structure of the files on the virtual disk, the analysis of the attack chain, the search for additional files, the reasons why we believe this attack can be attributed to the APT-C-60 group, as well as how these attackers are connected to the DarkHotel group.
Read full report

Fake attachment. Roundcube mail server attacks exploit CVE-2024-37383 vulnerability

Roundcube Webmail is an open-source email client written in PHP. Its extensive functionality and the convenient access it gives users to email accounts via a browser—without the need for full-fledged email clients—have made it popular among commercial and government organizations worldwide. However, this popularity also makes it an attractive target for cybercriminals who quickly adapt exploits once they become publicly known, aiming to steal credentials and corporate email communications.
Read full report

Asia's SMS stealers: 1,000 bots and one study

Attackers have increasingly started using Telegram as a control server (C2). One example is the Lazy Koala group, which we recently discovered and set out to study. While researching bots on Telegram, we found that many are from Indonesia. We were struck by the huge numbers of messages and victims, and how new bots and chats seem to appear on Telegram by the day, so we decided to get to the bottom of this "Indonesian tsunami."
Read full report

ExCobalt: GoRed, the hidden-tunnel technique

While responding to an incident at one of our clients, the PT ESC CSIRT team discovered a previously unknown backdoor written in Go, which we attributed to a cybercrime gang dubbed ExCobalt.
Read full report

Hellhounds: Operation Lahat. Part 2

In November 2023, the team at the Positive Technologies Expert Security Center (PT ESC) released their first research report on attacks by the hitherto-unknown group Hellhounds on Russian companies' infrastructure: Operation Lahat. The report focused on the group's attacks on Linux hosts that relied on a new backdoor known as Decoy Dog. Hellhounds carried on attacks on organizations located in Russia, scoring at least 48 confirmed victims by Q2 2024.
Read full report

Positive Technologies detects a series of attacks via Microsoft Exchange Server

While responding to an incident, the Incident Response team of Positive Technologies Expert Security Center (PT ESC) discovered an unknown keylogger embedded in the main Microsoft Exchange Server page of one of our customers. This keylogger was collecting account credentials into a file accessible via a special path from the internet. The team identified over 30 victims, most of whom were linked to government agencies across various countries. According to our data, the first compromise occurred in 2021. Without additional data, we can't attribute these attacks to a specific group; however, most victims are located in Africa and the Middle East.
Read full report

SteganoAmor campaign: TA558 mass-attacking companies and public institutions all around the world

Researchers from the Positive Technologies Expert Security Center discovered more than three hundred attacks worldwide, which they confidently attributed to the well-known TA558 group. As originally described by researchers at ProofPoint, TA558 is a relatively small financially motivated cybercrime group that has attacked hospitality and tourism organizations mainly in Latin America, but has also been identified behind attacks on North America and Western Europe. According to the researchers, the group has been active since at least 2018. In the attacks that we studied, the group made extensive use of steganography by sending VBSs, PowerShell code, as well as RTF documents with an embedded exploit, inside images and text files. Interestingly, most of the RTF documents and VBSs have names like greatloverstory.vbs, easytolove.vbs, iaminlovewithsomeoneshecuteandtrulyyoungunluckyshenotundersatnd_howmuchiloveherbutitsallgreatwithtrueloveriamgivingyou.doc, and others, associated with love, which is why we dubbed the campaign "SteganoAmor".
Read full report

LazyStealer: sophisticated does not mean better

In the first quarter of 2024, specialists from Positive Technologies Expert Security Center (PT ESC) detected a series of attacks targeting government organizations in Russia, Belarus, Kazakhstan, Uzbekistan, Kyrgyzstan, Tajikistan, and Armenia. We could not find any links to known groups that used the same techniques. The main goal of the attack was stealing credentials for various services from computers used by public servants. We dubbed the group "Lazy Koala"—for the unsophisticated techniques they used and after the name of the user who controlled the Telegram bots that received the stolen data. The malware that powered the attacks, which we named "LazyStealer", proved productive despite a simple implementation. We could not ascertain the infection vector, but all signs pointed to phishing. All the victims were notified directly about the compromise.
Read full report

Hellhounds: operation Lahat

In 2023, our Positive Technologies computer security incident response team (PT CSIRT) discovered that a certain power company was compromised by the Decoy Dog trojan. According to the PT CSIRT investigation, Decoy Dog has been actively used in cyberattacks on Russian companies and government organizations since at least September 2022. This trojan was previously discussed by NCIRCC, Infoblox, CyberSquatting, and Solar 4RAYS. However, the sample we found on the victim’s host was a new modification of the trojan, which the adversaries altered in such a way as to make it harder to detect and analyze. As far as we can tell, the APT group Hellhounds that uses Decoy Dog only targets organizations located in Russia. Remarkably, the attackers were using the command-and-control (C2) server maxpatrol[.]net to impersonate Positive Technologies MaxPatrol products.
Read full report

Get in touch

Fill in the form and our specialists
will contact you shortly