PT ESC Threat Intelligence

Investigation with a twist: an accidental APT attack and averted data destruction

In late April 2020, a client invited the CSIRT incident response team at the Positive Technologies Expert Security Center (PT ESC) to investigate a network compromise that resulted in encryption of files on servers and employee workstations. We initially assumed that this was yet another attack on corporate networks with a common variety of ransomware. However, what we found was different: this intrusion was the work of a well-known Asian APT group implicated in cyberespionage against government targets. The initial successful compromise had taken place two years prior. In this article, we will share the results of our investigation of this targeted attack, which started with the compromise of a foreign office. Ultimately, we succeeded in bringing the infrastructure back to a secure condition and reversing the damage that had been done.
Read full report

The eagle eye is back: old and new backdoors from APT30

On April 8, 2020, our pros at the PT Expert Security Center detected signs of life from a well-known cybercriminal group. Network signatures for dynamic malware analysis on a popular site lit up for APT30—a group that had not been on radar screens for some time. This inspired us to start looking. APT30 has been in the public eye since a report by our colleagues at FireEye back in 2015. The group primarily attacks government targets in South and Southeast Asia (including India, Thailand, and Malaysia) for cyberespionage purposes. Their toolkit has been in development since at least 2005. We find it interesting that we see both old and well-known tools dating back over a decade, as well as continuity in network resources. In this article, we will look at new versions of already known Trojans, the features of the group's recently detected malware, and network infrastructure.
Read full report

Cobalt: tactics and tools update

Specialists from PT Expert Security Center has been monitoring the activity of the Cobalt group since 2016. Today, the group is attacking financial institutions around the world. Over the past year, the Cobalt group has not only modified its main CobInt tools and COM-DLL dropper in conjunction with the more_eggs JavaScript backdoor but also used new delivery methods and new techniques to bypass protection at the initial stage of the attack. In this article, we would like to talk about new group tactics, delivery methods, and changes mainly in malware.
Read full report

COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group

In March 2020 specialists from the PT Expert Security Center conducted an analysis on the activities of the APT group Higaisa. This group was first studied by security analysts at Tencent in November 2019. In that analysis, Tencent specialists reached the conclusion that Higaisa has its origins in South Korea. The group, which is still active today, can be tracked all the way back to 2009. With the recent prevalence of the coronavirus (COVID-19) pandemic, many APT groups, including Gamaredon, SongXY, TA428, Lazarus, Konni, and Winnti, have been using the topic of COVID-19 in their email distributions. Higaisa is no exception. This article is an investigation into one of the malicious files created by Higaisa. The file was discovered by security experts on March 11 while conducting another study on information security threats. The file is also compared with earlier files, and observed changes are noted and analyzed.
Read full report

Studying Donot Team

APT group called Donot Team (aka APT-C-35, SectorE02) has been active since at least 2012. The attackers hunt for confidential information and intellectual property. The hackers' targets include countries in South Asia, in particular, state sector of Pakistan. In 2019, we noticed their activity in Bangladesh, Thailand, India, Sri Lanka, the Philippines, and outside of Asia, in places like Argentina, the United Arab Emirates, and Great Britain. For several months, we have been monitoring changes in the code of this group's malicious loaders. In this article, we will review one of the attack vectors, will talk about the loaders in more detail, and will touch upon the peculiarity of the network infrastructure.
Read full report

Operation TA505: twins. Part 4

In the beginning of September we detected some malware downloaders packed by the group's unique PE packer described in one of our earlier articles. At first glance the downloaders appeared similar to the well-known stagers of the FlawedAmmyy backdoor. However, closer analysis proved otherwise. The less-than-cutting-edge coding techniques we found in them pointed the way to payloads that were implemented to a rather higher standard of quality. This article will provide a detailed look at the detected malware and draw parallels with what is already known.
Read full report

Operation TA505: network infrastructure. Part 3

This article examines the most characteristic network infrastructure indicators of the TA505 group, as well as intersections between TA505 and another hacker group, Buhtrap.
Read full report

Operation TA505: investigating the ServHelper backdoor with NetSupport RAT. Part 2

At the end of July 2019, we encountered an interesting piece of malware distributed by the TA505 group, and on July 22, 2019 uploaded it into ANY.RUN to put it through a dynamic analysis. Viewing the results, two anomalies attracted our attention—in addition to the tags usually displayed for TA505 ServHelper, the "netsupport" tag also appeared; additionally, the NetSupport RAT was listed among network signature events. This might seem strange at first glance, since the ServHelper backdoor already provides attackers with a significant amount of control over their victims' computers. To get a better understanding of what's going on, let's take a closer look at how the malware functions.
Read full report

Operation TA505: how we analyzed new tools from the creators of the Dridex trojan, Locky ransomware, and Neutrino botnet

The Threat Intelligence team at the Positive Technologies Expert Security Center has been keeping a close eye on the TA505 cybercrime group for the last six months. The malefactors are drawn towards finance, with targets scattered in dozens of countries on multiple continents.
Read full report
1
2
3
4
5

Get in touch

Fill in the form and our specialists
will contact you shortly