This blog looks to build on the work of other security research done by SecureWorks and PwC with firsthand experience of TTPs used in a recent incident where ShadowPad was deployed. ShadowPad is a modular remote access trojan (RAT) which is thought to be used almost exclusively by China-Based threat actors.
Category: Threat Intelligence
Sharkbot is back in Google Play
Authored by Alberto Segura (main author) and Mike Stokkel (co-author) Editor's note: This post was originally published on the Fox-IT blog. Introduction After we discovered in February 2022 the SharkBotDropper in Google Play posing as a fake Android antivirus and cleaner, now we have detected a new version of this dropper active in the Google … Continue reading Sharkbot is back in Google Play
Back in Black: Unlocking a LockBit 3.0 Ransomware Attack
This post explores some of the TTPs employed by a threat actor who were observed deploying LockBit 3.0 ransomware during an incident response engagement.
Detecting DNS implants: Old kitten, new tricks – A Saitama Case Study
Max Groot & Ruud van Luijk TL;DR A recently uncovered malware sample dubbed ‘Saitama’ was uncovered by security firm Malwarebytes in a weaponized document, possibly targeted towards the Jordan government. This Saitama implant uses DNS as its sole Command and Control channel and utilizes long sleep times and (sub)domain randomization to evade detection. As no … Continue reading Detecting DNS implants: Old kitten, new tricks – A Saitama Case Study
Top of the Pops: Three common ransomware entry techniques
by Michael Mathews Ransomware has been a concern for everyone over the past several years because of its impact to organisations with the added pressure of extortion and regulatory involvement. However, the question always arises as to how we prevent it. Prevention is better than cure and hindsight is a virtue. This blog post aims … Continue reading Top of the Pops: Three common ransomware entry techniques
Climbing Mount Everest: Black-Byte Bytes Back?
In the Threat Pulse released in November 2021 we touched on Everest Ransomware group. This latest blog documents the TTPs employed by a group who were observed deploying Everest ransomware during a recent incident response engagement.
Flubot: the evolution of a notorious Android Banking Malware
Originally published June 29, 2022 on the Fox-IT blog Authored by Alberto Segura (main author) and Rolf Govers (co-author) Summary Flubot is an Android based malware that has been distributed in the past 1.5 years inEurope, Asia and Oceania affecting thousands of devices of mostly unsuspecting victims.Like the majority of Android banking malware, Flubot abuses … Continue reading Flubot: the evolution of a notorious Android Banking Malware
Shining the Light on Black Basta
This blog post documents some of the TTPs employed by a threat actor group who were observed deploying Black Basta ransomware during a recent incident response engagement, as well as a breakdown of the executable file which performs the encryption.
Metastealer – filling the Racoon void
MetaStealer is a new information stealer variant designed to fill the void following Racoon stealer suspending operations in March of this year.
North Korea’s Lazarus: their initial access trade-craft using social media and social engineering
This blog post documents some of the actions taken during the initial access phase for an attack attributed to Lazarus, along with analysis of the malware that was utilised during this phase.