We found cyberespionage group TICK targeting critical systems and enterprises, attempting to steal information to benefit this APT group’s sponsor. In this research brief, we show the timeline of the group’s activities and malware development, as well as the technical analyses of the new malware families, modified tools, and upgraded malware routines.
Read More
We recently saw a malicious spam campaign that has AutoIT-compiled payloads – the trojan spy Negasteal or Agent Tesla (detected by Trend Micro as TrojanSpy.Win32.NEGASTEAL.DOCGC), and remote access trojan (RAT) Ave Maria or Warzone (TrojanSpy.Win32.AVEMARIA.T) – in our honeypots. The upgrading of payloads from a typical trojan spy to a more insidious RAT may indicate that the cybercriminals behind this campaign are moving towards deploying more destructive (and lucrative) payloads, such as ransomware, post-reconnaissance.
Read MoreWe found a spam campaign that uses compromised devices to attack vulnerable web servers. From the devices, attackers use a PHP script to send an email with an embedded link to a scam site to specific email addresses. The use of compromised devices for attacks make attribution difficult, and attackers can have repeated access to the server even after patching.
Read More
Despite having an apparent lull in the first half of 2019, phishing will remain a staple in a cybercriminal’s arsenal, and they’re not going to stop using it. The latest example is a phishing campaign dubbed Heatstroke, based on a variable found in their phishing kit code. Heatstroke demonstrates how far phishing techniques have evolved — from merely mimicking legitimate websites and using diversified social engineering tactics — with its use of more sophisticated techniques such as steganography.
Read More
TA505 continues to wreak as much havoc for maximized profits. Still using ServHelper and FlawedAmmyy, they continue to make small changes: targeting other countries, entities, or the combination of techniques used for deployment with each campaign.
Read More