Earth Preta Spear-Phishing Governments Worldwide

Credit to Author: Nick Dai| Date: Fri, 18 Nov 2022 00:00:00 +0000

We break down the cyberespionage activities of advanced persistent threat (APT) group Earth Preta, observed in large-scale attack deployments that began in March. We also show the infection routines of the malware families they use to infect multiple sectors worldwide: TONEINS, TONESHELL, and PUBLOAD.

Read more

Pilfered Keys: Free App Infected by Malware Steals Keychain Data

Credit to Author: Luis Magisa| Date: Wed, 16 Nov 2022 00:00:00 +0000

Open-source applications are a practical way to save money while keeping up with your productivity. However, this can be abused by threat actors to steal your data. Find out how one app was used to gather information of Apple users.

Read more

CVE-2019-8561: A Hard-to-Banish PackageKit Framework Vulnerability in macOS

Credit to Author: Mickey Jin| Date: Fri, 11 Nov 2022 00:00:00 +0000

This blog entry details our investigation of CVE-2019-8561, a vulnerability that exists in the macOS PackageKit framework, a component used to install software installer packages (PKG files).

Read more

Hack the Real Box: APT41’s New Subgroup Earth Longzhi

Credit to Author: Hara Hiroaki| Date: Wed, 09 Nov 2022 00:00:00 +0000

We looked into the campaigns deployed by a new subgroup of advanced persistent threat (APT) group APT41, Earth Longzhi. This entry breaks down the technical details of the campaigns in full as presented at HITCON PEACE 2022 in August.

Read more

TeamTNT Returns — Or Does It?

Credit to Author: Sunil Bharti| Date: Wed, 19 Oct 2022 00:00:00 +0000

Our honeypots caught malicious cryptocurrency miner samples targeting the cloud and containers, and its routines are reminiscent of the routines employed by cybercriminal group TeamTNT, which was said to have quit in November 2021. Our investigation shows that another threat actor group, WatchDog, might be mimicking TeamTNT’s arsenal.

Read more

Where is the Origin?: QAKBOT Uses Valid Code Signing

Credit to Author: Hitomi Kimura| Date: Thu, 27 Oct 2022 00:00:00 +0000

Code signing certificates help us assure the file’s validity and legitimacy. However, threat actors can use that against us. In this blog, discover how QAKBOT use such tactic and learn ways how to prevent it.

Read more

LV Ransomware Exploits ProxyShell in Attack on a Jordan-based Company

Credit to Author: Mohamed Fahmy| Date: Tue, 25 Oct 2022 00:00:00 +0000

Our blog entry provides a look at an attack involving the LV ransomware on a Jordan-based company from an intrusion analysis standpoint

Read more

TeamTNT Returns – or Does It?

Credit to Author: Sunil Bharti| Date: Wed, 19 Oct 2022 00:00:00 +0000

Our honeypots caught malicious cryptocurrency miner samples targeting the cloud and containers, and its routines are reminiscent of the routines employed by cybercriminal group TeamTNT, which was said to have quit in November 2021. Our investigation shows that another threat actor group, WatchDog, might be mimicking TeamTNT’s arsenal.

Read more