2023-02-06 19:46   Cyber Threat Intelligence Report – Trends Q4 2022    #lab52 #ThreatIntelligence During the last quarter of 2022, the Lab52 team has conducted an in-depth analysis of the threats that have been active during the period, focusing on information from both public and private sources, as well as studying the geopolitical context in order to anticipate potential campaigns. Below is t

2022-11-29 18:02   Analyzing the encryption method of emerging ransomware families    #lab52 #ThreatIntelligence Cyble has recently published an analysis of AXLocker ransomware, a new ransomware that has been seen for the first time in November this month. As the article explains, the ransomware encrypts and exfiltrates data using Discord. In this report we will focus on the encryption routine of this new arti

2022-07-06 18:00   NATO Summit 2022: The perfect pretext to launch a cybercampaign    #lab52 #ThreatIntelligence S2Grupo’s Threat Hunting team has carried out an investigation on the occasion of the NATO summit held in Madrid on June 29th and 30th on possible APT group campaigns that could have targeted this event. In this line, we have investigated those domains that had as part of the name any of the k

2022-06-21 17:00   MuddyWater’s “light” first-stager targeting Middle East    #lab52 #ThreatIntelligence Since the last quarter of 2020 MuddyWater has maintained a “long-term” infection campaign targeting Middle East countries. We have gathered samples from November 2020 to January 2022, and due to the recent samples found, it seems that this campaign might still be currently active. The lat

2022-04-01 20:28   Complete dissection of an APK with a suspicious C2 Server    #lab52 #ThreatIntelligence During our analysis of the Penquin-related infrastructure we reported in our previous post, we paid special attention to the malicious binaries contacting these IP addresses, since as we showed in the analysis, they had been used as C2 of other threats used by Turla. One threat that makes contact wi

2022-03-25 00:25   Another cyber espionage campaign in the Russia-Ukrainian ongoing cyber attacks    #lab52 #ThreatIntelligence From lab52, in connection to the latest events related to Russia’s ongoing cyberattacks in Ukraine, beyond destructive artifacts seen like Wipers and others, a new wave of malicious office documents (hereinafter maldocs) has been observed attempting to compromise systems leveraging a variant of

2022-03-09 21:19   Very very lazy Lazyscripter’s scripts: double compromise in a single obfuscation    #lab52 #ThreatIntelligence In July of 2021, we identified an infection campaign targeting important European entities. During this investigation we could identify the threat actor behind these attacks as LazyScripter, an emerging APT group pointed out by MalwareBytes in February 2021. Through our analysis, we could track their ac

2022-02-28 17:28   Looking for Penquins in the Wild    #lab52 #ThreatIntelligence During 2020 Leonardo analysts discovered and published a very in-depth analysis of a threat known as Penquin, attributed to the APT group Turla. 32-bit samples of this threat had been detected and analyzed by Kaspersky before, but the analysis in this most recent publication was focused on a new 64-

2022-01-24 18:00   New TransparenTribe Operation: Targeting India with weaponized COVID-19 lure documents    #lab52 #ThreatIntelligence Over the last months, lab52 has been researching an attack campaign which targets government and military personnel of India. In fact, targeting the Indian government seems to be one of the key indicators of the group that may be behind this attack. Furthermore, some of the artifacts and infrastruct

2022-01-12 16:21   TokyoX: DLL side-loading an unknown artifact (Part 2)    #lab52 #ThreatIntelligence As we mentioned in the previous post, we have performed an analysis of the threat which, lacking further information, we have not been able to identify as a known threat. Thus, for the moment, we will keep referring to it as TokyoX. This threat can only be found in memory, since it is encrypted [

2022-01-11 01:07   TokyoX: DLL side-loading an unknown artifact    #lab52 #ThreatIntelligence During Christmas holidays, Lab52 has been analyzing a sample which loads an artifact that we have decided to refer to as “TokyoX” since no similarities have been found as to any known malware, which we usually detect in open sources. However, we cannot confirm so far that it is indeed a new family o

2021-12-14 20:58   Cuba Ransomware Analysis    #lab52 #ThreatIntelligence Due to the recent warning published by the FBI about Cuba ransomware (original FBI warning no longer available online for unknown reasons), from Lab52 we decided to publish some information about this ransomware family. Despite the fact that the ransomware has been named Cuba, there is no clear evid

2021-09-28 16:37   Winter Vivern – all Summer    #lab52 #ThreatIntelligence In July, 2021, Lab52 found a currently active infection campaign (domain still up at the time of thi

2021-07-05 18:56   Quick review of Babuk ransomware builder    #lab52 #ThreatIntelligence Last week, the builder for the Babuk ransomware family was leaked online. Lab52 has obtained and ana

2021-05-17 20:15   Literature lover targeting Colombia with LimeRAT    #lab52 #ThreatIntelligence In the middle of the current brouhaha in Colombia, besides the intense hacktivism activity, some act