Threat Intelligence

This publication is part of our Annual Threat Monitor report that was released on the 8th of Febuary 2023. The Annual threat Monitor report can be found here. Authored by Alberto Segura Introduction Hydra, also known as BianLian, has been one of the most active mobile banking malware families in…

This blog looks to build on the work of other security research done by SecureWorks and PwC with firsthand experience of TTPs used in a recent incident where ShadowPad was deployed. ShadowPad is a modular remote access trojan (RAT) which is thought to be used almost exclusively by China-Based threat…

Authored by Alberto Segura (main author) and Mike Stokkel (co-author) Editor’s note: This post was originally published on the Fox-IT blog. Introduction  After we discovered in February 2022 the SharkBotDropper in Google Play posing as a fake Android antivirus and cleaner, now we have detected a new version of this…

This post explores some of the TTPs employed by a threat actor who were observed deploying LockBit 3.0 ransomware during an incident response engagement.

Max Groot Ruud van Luijk TL;DR A recently uncovered malware sample dubbed ‘Saitama’ was uncovered by security firm Malwarebytes in a weaponized document, possibly targeted towards the Jordan government. This Saitama implant uses DNS as its sole Command and Control channel and utilizes long sleep times and (sub)domain randomization to…

by Michael Mathews Ransomware has been a concern for everyone over the past several years because of its impact to organisations with the added pressure of extortion and regulatory involvement. However, the question always arises as to how we prevent it. Prevention is better than cure and hindsight is a…

In the Threat Pulse released in November 2021 we touched on Everest Ransomware group. This latest blog documents the TTPs employed by a group who were observed deploying Everest ransomware during a recent incident response engagement.

Originally published June 29, 2022 on the Fox-IT blog Authored by Alberto Segura (main author) and Rolf Govers (co-author) Summary Flubot is an Android based malware that has been distributed in the past 1.5 years inEurope, Asia and Oceania affecting thousands of devices of mostly unsuspecting victims.Like the majority of…

This blog post documents some of the TTPs employed by a threat actor group who were observed deploying Black Basta ransomware during a recent incident response engagement, as well as a breakdown of the executable file which performs the encryption.

MetaStealer is a new information stealer variant designed to fill the void following Racoon stealer suspending operations in March of this year.

This blog post documents some of the actions taken during the initial access phase for an attack attributed to Lazarus, along with analysis of the malware that was utilised during this phase.

BUMBLEBEE is a new malicious loader that is being used by several threat actors and has been observed to download different malicious samples. This post provides our initial analysis

This post describes the techniques, tactics and procedures we observed during recent LAPSUS$ incidents.

This post describes the methods and techniques we observed during recent incidents that took place after the Coni data leaks.

Since we published about identifying Cobalt Strike Team Servers in the wild just over three years ago, we’ve collected over 128,000 beacons from over 24,000 active Team Servers. Today, RIFT is making this extensive beacon dataset publicly available in combination with the open-source release of dissect.cobaltstrike, our Python library for…

NCC Group’s Cyber Incident Response Team (CIRT) have responded to several extortion cases recently involving the threat actor Karakurt.  During these investigations NCC Group CIRT have identified some key indicators that the threat actor has breached an environment and want to share this information to assist the cyber security community.

Note: This blogpost will be live-updated with new information. NCC Group’s RIFT is intending to publish PCAPs of different exploitation methods in the near future – last updated December 15th at 17:30 UTC tl;dr In the wake of the CVE-2021-44228, CVE-2021-45046 and CVE-2021-44832 (a.k.a. Log4Shell) vulnerability publication, NCC Group’s RIFT immediately…

For the past few months, NCC Group has been tracking very closely the operations of TA505 and the development of different projects (e.g. Clop) by them. During our research, we encountered a number of binary files that we have attributed to the developer(s) of ‘Grace’ (i.e. FlawedGrace), a remote administration…

Pepijn Hack, Cybersecurity Analyst, Fox-IT, part of NCC Group Zong-Yu Wu, Threat Analyst, Fox-IT, part of NCC Group Abstract Organizations worldwide continue to face waves of digital extortion in the form of targeted ransomware. Digital extortion is now classified as the most prominent form of cybercrime and the most devastating…

NCC Group’s global Cyber Incident Response Team has observed an increase in Clop ransomware victims in the past weeks. The surge can be traced back to a vulnerability in SolarWinds Serv-U that is being abused by the TA505 threat actor. TA505 is a known cybercrime threat actor, who is known…

In this post, we discuss our work in cracking the hashed passwords being sent over NLA connections to ascertain those supplied by threat actors.

Over the past few months NCC Group has observed an increasing number of data breach extortion cases, where the attacker steals data and threatens to publish said data online if the victim decides not to pay. Given the current threat landscape, most notable is the absence of ransomware or any…

NCC Group’s Incident Response team observed a new variant of the FiveHands ransomware, deployed by an affiliate leveraging publicly available tools to progress their attack. This blog post aims to describe the developments in the ransomware variant and the techniques used by the affiliate.

NCC Group CIRT has responded to a large number of ransomware cases where frequently the open source tool Rclone being used for data exfiltration. We provide some techniques for detection.

by fumik0_ the RIFT TL:DR Our Research and Intelligence Fusion Team have been tracking the Gozi variant RM3 for close to 30 months. In this post we provide some history, analysis and observations on this most pernicious family of banking malware targeting Oceania, the UK, Germany and Italy.  We’ll start with an overview of its origins and current operations before…

Today we are releasing some statistics around deployment of Pulse Connect Secure versions in the wild. The hope is that by releasing these statistics we can help to highlight the risk around outdated versions of PCS, which are being actively exploited by malicious actors. We have also shared the raw…

This post discusses NCC Group observed in the wild exploitation attempts and detection logic for the F5 BIG-IP/BIG-IQ iControl REST API vulnerabilities CVE-2021-22986

NCC Group's Research and Intelligence Fusion Team analyze a recent shellcode execution method used by Lazarus Group

tl;dr NCC Group and Fox-IT have been tracking a threat group with a wide set of interests, from intellectual property (IP) from victims in the semiconductors industry through to data from the airline industry. In their intrusions they regularly abuse cloud services from Google and Microsoft to achieve their goals.…

We wanted to build a mechanism to capture all the passwords used (successful or not) against RDP to ascertain potential sources of credential theft and if they are organisation specific. This post provides the background on an approach and the steps to build such a system.

Threat Intel Analyst: Antonis Terefos (@Tera0017)Data Scientist: Anne Postma (@A_Postma) 1. Introduction TA505 is a sophisticated and innovative threat actor, with plenty of cybercrime experience, that engages in targeted attacks across multiple sectors and geographies for financial gain. Over time, TA505 evolved from a lesser partner to a mature, self-subsisting…

NCC Group is today releasing three months of honeypot web traffic data related to the F5 CVE-2020-5902 and Citrix CVE-2020-8193, CVE-2020-8195 and CVE-2020-8196 exploitation events from earlier in 2020. Our objective is to enable all threat intelligence researchers to gain further understanding and contribute back to the community.

Citrix disclosed on July 7th, 2020 a number of vulnerabilities in the Application Delivery Controller. This blog is a summary of what we know as the situation develops.

CVE-2020-5902 was disclosed on June 1, 2020 by F5 Networks in K52145254 as a CVSS 10.0 remote code execution vulnerability in the Big-IP administrative interface. By June 3, 2020 NCC Group observed active exploitation. This blog is a summary of what we know as the situation develops.

Authors: Nikolaos Pantazopoulos, Stefano Antenucci (@Antelox), Michael Sandee and in close collaboration with NCC’s RIFT. About the Research and Intelligence Fusion Team (RIFT):RIFT leverages our strategic analysis, data science, and threat hunting capabilities to create actionable threat intelligence, ranging from IOCs and detection capabilities to strategic reports on tomorrow’s threat…

Publicly discovered in late April 2020, the Team9 malware family (also known as ‘Bazar’) appears to be a new malware being developed by the group behind Trickbot. Even though the development of the malware appears to be recent, the developers have already developed two components with rich functionality. The purpose…

Earlier last month saw the publication an IETF draft NCC Group co-wrote with the UK's National Cyber Security Center titled 'Indicators of Compromise (IoCs) and Their Role in Attack Defence'

Last Update: Marc 19th, 2020 at 11:26 UTC Overview Threat actors attempting to capitalize on current events, pandemics and global anxiety is nothing new, as was previously seen with malicious campaigns related to the 2019 climate strikes and demonstrations as well as the 2018 FIFA World Cup tournament. By relying…

Introduction A few weeks ago we published a config decrypter[1] for a sample that we believe is related with the Chafer group. Chafer is a well-known group which has primarily been operating in the Middle East. Their arsenal includes several custom-made tools, variants of the Remexi malware and open-source/publically available…

This is a short blog post on the PNG Dropper malware that has been developed and used by the Turla Group [1]. The PNG Dropper was first discovered back in August 2017 by Carbon Black researchers. Back in 2017 it was being used to distribute Snake, but recently NCC Group…

In July 2018 a security researcher named Simon Choi reported that a group, which goes by the name Group123 (also known as APT37 or Reaper), used spear-phishing emails to spread their malicious payload [1]. Shortly afterwards it was revealed that the attacker was using an exploit for a vulnerability in…

Ben Humphrey – Malware Researcher In late April 2018, NCC Group researchers discovered a small number of documents exploiting CVE-2017-8570 and dropping the same payload. The purpose of these documents is to install a Remote Access Trojan (RAT) on the victims’ machine. This article gives a deep analysis of both…

Introduction Hacking groups linked to the Chinese state are not a new threat. In fact, for the last couple years they have tended to be the most active along with Russian state affiliated hacking groups. One of these groups is the ‘Emissary Panda’ group, also known as TG-3390, APT 27…

During a forensic investigation in March 2018 we were able to retrieve some files which appeared to be linked with a well-known group named Iron Tiger. From our research, we believe that the perpetrator hasn’t shown any advanced technical capabilities in this attack. In fact, the main goal was to…

In May 2017, NCC Group’s Incident Response team reacted to an ongoing incident where our client, which provides a range of services to UK Government, suffered a network compromise involving the advanced persistent threat group APT15. APT15 is also known as, Ke3chang, Mirage, Vixen Panda GREF and Playful Dragon. A…

In the first days of 2018, a number of vulnerabilities were disclosed that are present in many modern-day CPUs. In this blog post we address the most frequently asked questions about Spectre and Meltdown with a focus on providing you with actionable guidance about what to do. This post is…

In November, US-CERT published two alerts about malicious activity by the North Korean government, referred to as HIDDEN COBRA [1][2]. These alerts addressed the remote administration tool FALLCHILL and a Trojan called Volgmer. We’ll focus on the latter in this blog post. Volgmer is a backdoor Trojan that was designed…

Earlier this week ESET released a paper[1] about Gazer, a new toolset associated with a sophisticated attack group. One interesting quote from the paper stood out: “The compilation date appears to be 2002 but is likely to be faked because the certificate was issued in 2015″ This led to an…

In a recent blog post, Fortinet discussed a new version of Poison Ivy[1] spreading through malicious PowerPoint files. The PowerPoint file includes a .NET loader in a stream which goes on to load a variant of Poison Ivy. But there is some debate regarding whether this is a pure Poison…

On Tuesday 27 June, we saw another outbreak of ransomware. This blog is live and will be updated as we know more. The ransomware is currently being discussed as a variant of Petya, which also modifies the Master Boot Record (MBR), although this ransomware also has traits similar to WannaCry in…

NCC Group is currently aware of a zero-day vulnerability targeting Microsoft Office users which is being exploited in the wild by a number of threat actors including organised criminal gangs. NCC Group has identified various samples exploiting this issue from as far back as 2016. Click here to see NCC…

In this blog post we will take a brief look at the remote access Trojan (RAT) used by a group called Greenbug[1]. According to Symantec, an APT group used this RAT – along with other tools – to collect user information which was later used when executing the wiper malware…

Introduction Securely erasing media is an important process for any IT department. There are numerous methods of ensuring that sensitive data is removed before items are reissued or disposed. And the removal of such data is also mandated by various standards such as ISO 27001, which states:  A.11.2.7 – “All…

NCC Group’s Cyber Defence Operations team has released a technical note about the Derusbi Server variant, which we encountered on an engagement at the end of last year. The Derusbi Server variant is typically associated with advanced attackers (APT groups) and was the most sophisticated attempt to retain persistence on…

tl;dr This is my analysis of the recent pre-auth Samba remote tracked by CVE-2015-0240[1]. It doesn’t appear to be very exploitable to me, but I’d love to be proven wrong. Note that since the time when I originally did this analysis someone has released their own PoC and analysis [8]…

Executive Summary An alert about a severe vulnerability discovered by the Qualys security team was issued on Tuesday, January 27 2015. This vulnerability allows a local or remote attacker to execute code within the context of an application linked with certain versions of the glibc library. The vulnerability is triggered by a…

Introduction With the festive season currently in full swing, it is easy to get lost in people’s generosity and giving spirit. Many cyber criminals are currently taking advantage of this fact, and so is NCC Group’s red team, but with a difference – we are providing simulations of an attack…

Background freenode is a large IRC network providing services to Free and Open Source Software communities, and in September the freenode staff team blogged about a potential compromise of an IRC server. NCC Group’s Cyber Defence Operations team provided pro bono digital forensic and reverse engineering services to assist the freenode…

Current event – 1.1 of post This is a current event and as such the blog post is subject to change over the course of a couple of days as we performed further supplementary research and analysis by NCC Group’s Cyber Defence Operations and Security Consulting divisions. v1.1 – updated…

Introduction Since the BadUSB talk [1] by Karsten Nohl and Jakob Lell at Black Hat USA in August there has been much discussion about the implications of this class of USB attack. The discussions gained additional momentum when Adam Caudill and Brandon Wilson investigated the attack further and publicly released…

Current event – 1.2 of post This is a current event and as such the blog post is subject to change over the course of the next few days  as we perform further supplementary research and analysis by NCC Group’s Cyber Defence Operations and Security Consulting divisions. v1.2 – Link…

Introduction In May 2014 FireEye[1]and Crowdstrike[2] produced reports about the activities of “Flying Kitten”, otherwise known as the Ajax Security Team. In July 2014 NCC Group’s Cyber Defence Operations team encountered several executables in our malware zoo that appear to be updated versions of the “Stealer” malware reported by FireEye…

Archived current event – v1.2 of post This was a current event and as such this blog post was subject to change as we performed further supplementary research and analysis. 1.2: Updated to include Struts v1 1.1: Final public release of this blog post 1.0: Initial version Background The Struts…

Previous current event – v1.8 of post This was a current event and as such the blog post was subject to change over the course of a couple of days as we performed further supplementary research and analysis. 1.8: Update to include Bro detection and further analysis. This is likely…

I’ve been re-reading the Mandiant report on the notorious APT1 group, and it occurred to me that the tools and techniques used by this relatively unsophisticated (but very successful) group are similar to those used by penetration testers. That isn’t to say that penetration testers, or pen testers as they are colloquially…

This threat brief discusses a security issue noted by NCC Group in September 2012 relating to the use of ASP.NET forms authentication in a shared / cloud hosting environment. If virtual hosting is used to make multiple applications on the same IIS server available at different domain names, then a…

Back in 2010 Seth Fogie noted that certain car manufactures were sending out USB devices. These USB devices presented themselves as keyboards in order to inject key strokes into the computer to which they were attached. Why a keyboard? Well in order to circumvent security controls designed to stop the automatic execution of…