PT ESC Threat Intelligence

PaaS, or how hackers evade antivirus software

Malware is one of the main tools of any hacking group. Depending on their level of skill and the specifics of an operation, hackers can use both publicly available tools (such as the Cobalt Strike framework) and their own developments. Creating a unique set of tools for each attack requires huge resources; therefore, hackers tend to reuse malware across different operations and also share it with other groups. Mass use of the same tool inevitably puts it on the radar of antivirus companies, which reduces its efficiency. To prevent this from happening, hackers use code packing, encryption, and mutation techniques. Such techniques are often handled by separate tools called crypters or, sometimes, simply packers. In this article, we will use the example of the RTM banking trojan to discuss which packers attackers can use, how they complicate detection of the malware, and what other malware they can pack.
Read full report

Higaisa or Winnti? APT41 backdoors, old and new

The PT Expert Security Center regularly spots emerging threats to information security, including both previously known and newly discovered malware. During such monitoring in May 2020, we detected several samples of new malware that at first glance would seem to belong to the Higaisa group. But detailed analysis pointed to the Winnti group (also known as APT41, per FireEye) of Chinese origin. Subsequent monitoring led us to discover a number of new malware samples used by the group in recent attacks. These include various droppers, loaders, and injectors; Crosswalk, ShadowPad, and PlugX backdoors; and samples of a previously undescribed backdoor that we have dubbed FunnySwitch. We can confidently state that some of these attacks were directed at a number of organizations in Russia and Hong Kong. In this article, we will share the results of our investigation of these samples and related network infrastructure, as well as overlaps with previously described attacks.
Read full report

Investigation with a twist: an accidental APT attack and averted data destruction

In late April 2020, a client invited the CSIRT incident response team at the Positive Technologies Expert Security Center (PT ESC) to investigate a network compromise that resulted in encryption of files on servers and employee workstations. We initially assumed that this was yet another attack on corporate networks with a common variety of ransomware. However, what we found was different: this intrusion was the work of a well-known Asian APT group implicated in cyberespionage against government targets. The initial successful compromise had taken place two years prior. In this article, we will share the results of our investigation of this targeted attack, which started with the compromise of a foreign office. Ultimately, we succeeded in bringing the infrastructure back to a secure condition and reversing the damage that had been done.
Read full report

The eagle eye is back: old and new backdoors from APT30

On April 8, 2020, our pros at the PT Expert Security Center detected signs of life from a well-known cybercriminal group. Network signatures for dynamic malware analysis on a popular site lit up for APT30—a group that had not been on radar screens for some time. This inspired us to start looking. APT30 has been in the public eye since a report by our colleagues at FireEye back in 2015. The group primarily attacks government targets in South and Southeast Asia (including India, Thailand, and Malaysia) for cyberespionage purposes. Their toolkit has been in development since at least 2005. We find it interesting that we see both old and well-known tools dating back over a decade, as well as continuity in network resources. In this article, we will look at new versions of already known Trojans, the features of the group's recently detected malware, and network infrastructure.
Read full report

Cobalt: tactics and tools update

Specialists from the PT Expert Security Center have been monitoring the activity of the Cobalt group since 2016. Today, the group is attacking financial institutions around the world. Over the past year, the Cobalt group has not only modified its main CobInt tools and the COM-DLL dropper used in conjunction with the more_eggs JavaScript backdoor, but has also used new delivery methods and new techniques to bypass protection at the initial stage of the attack. In this article, we would like to talk about the group's new tactics and delivery methods, and mainly about changes in its malware.
Read full report

COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group

In March 2020, specialists from the PT Expert Security Center conducted an analysis of the activities of the APT group Higaisa. This group was first studied by security analysts at Tencent in November 2019. In that analysis, Tencent specialists reached the conclusion that Higaisa has its origins in South Korea. The group, which is still active today, can be tracked all the way back to 2009. With the recent prevalence of the coronavirus (COVID-19) pandemic, many APT groups, including Gamaredon, SongXY, TA428, Lazarus, Konni, and Winnti, have been using the topic of COVID-19 in their email distributions. Higaisa is no exception. This article is an investigation into one of the malicious files created by Higaisa. The file was discovered by security experts on March 11 during another study of information security threats. The file is also compared with earlier files, and the observed changes are noted and analyzed.
Read full report

Studying Donot Team

The APT group called Donot Team (aka APT-C-35, SectorE02) has been active since at least 2012. The attackers hunt for confidential information and intellectual property. Their targets include countries in South Asia, in particular the state sector of Pakistan. In 2019, we noticed their activity in Bangladesh, Thailand, India, Sri Lanka, and the Philippines, as well as outside Asia, in places such as Argentina, the United Arab Emirates, and Great Britain. For several months, we have been monitoring changes in the code of this group's malicious loaders. In this article, we will review one of the attack vectors, discuss the loaders in more detail, and touch upon the peculiarities of the network infrastructure.
Read full report

Operation TA505: twins. Part 4

At the beginning of September, we detected some malware downloaders packed by the group's unique PE packer, described in one of our earlier articles. At first glance, the downloaders appeared similar to the well-known stagers of the FlawedAmmyy backdoor. However, closer analysis proved otherwise. The less-than-cutting-edge coding techniques we found in them pointed the way to payloads that were implemented to a rather higher standard of quality. This article provides a detailed look at the detected malware and draws parallels with what is already known.
Read full report

Operation TA505: network infrastructure. Part 3

This article examines the most characteristic network infrastructure indicators of the TA505 group, as well as intersections between TA505 and another hacker group, Buhtrap.
Read full report
