Detecting DNS implants: Old kitten, new tricks – A Saitama Case Study

Max Groot & Ruud van Luijk TL;DR A recently uncovered malware sample dubbed ‘Saitama’ was uncovered by security firm Malwarebytes in a weaponized document, possibly targeted towards the Jordan government. This Saitama implant uses DNS as its sole Command and Control channel and utilizes long sleep times and (sub)domain randomization to evade detection. As no … Continue reading Detecting DNS implants: Old kitten, new tricks – A Saitama Case Study →

Top of the Pops: Three common ransomware entry techniques

by Michael Mathews Ransomware has been a concern for everyone over the past several years because of its impact to organisations with the added pressure of extortion and regulatory involvement. However, the question always arises as to how we prevent it. Prevention is better than cure and hindsight is a virtue. This blog post aims … Continue reading Top of the Pops: Three common ransomware entry techniques →

Climbing Mount Everest: Black-Byte Bytes Back?

In the Threat Pulse released in November 2021 we touched on Everest Ransomware group. This latest blog documents the TTPs employed by a group who were observed deploying Everest ransomware during a recent incident response engagement.

Flubot: the evolution of a notorious Android Banking Malware

Originally published June 29, 2022 on the Fox-IT blog Authored by Alberto Segura (main author) and Rolf Govers (co-author) Summary Flubot is an Android based malware that has been distributed in the past 1.5 years inEurope, Asia and Oceania affecting thousands of devices of mostly unsuspecting victims.Like the majority of Android banking malware, Flubot abuses … Continue reading Flubot: the evolution of a notorious Android Banking Malware →

Shining the Light on Black Basta

This blog post documents some of the TTPs employed by a threat actor group who were observed deploying Black Basta ransomware during a recent incident response engagement, as well as a breakdown of the executable file which performs the encryption.

Metastealer – filling the Racoon void

MetaStealer is a new information stealer variant designed to fill the void following Racoon stealer suspending operations in March of this year.

North Korea’s Lazarus: their initial access trade-craft using social media and social engineering

This blog post documents some of the actions taken during the initial access phase for an attack attributed to Lazarus, along with analysis of the malware that was utilised during this phase.

Adventures in the land of BumbleBee – a new malicious loader

BUMBLEBEE is a new malicious loader that is being used by several threat actors and has been observed to download different malicious samples. This post provides our initial analysis

LAPSUS$: Recent techniques, tactics and procedures

This post describes the techniques, tactics and procedures we observed during recent LAPSUS$ incidents.

Conti-nuation: methods and techniques observed in operations post the leaks

This post describes the methods and techniques we observed during recent incidents that took place after the Coni data leaks.