Diavol Ransomware
In the past, threat actors have used BazarLoader to deploy Ryuk and Conti ransomware, as reported on many occasions. In this intrusion, however, a BazarLoader infection resulted in deployment of … Read More
CONTInuing the Bazar Ransomware Story
In this report we will discuss a case from early August where we witnessed threat actors utilizing BazarLoader and Cobalt Strike to accomplish their mission of encrypting systems with Conti … Read More
Exchange Exploit Leads to Domain Wide Ransomware
In late September, we observed an intrusion in which initial access was gained by the threat actor exploiting multiple vulnerabilities in Microsoft Exchange. The threat actors in this case were … Read More
From Zero to Domain Admin
Intro This report will go through an intrusion from July that began with an email, which included a link to Google’s Feed Proxy service that was used to download a … Read More
IcedID to XingLocker Ransomware in 24 hours
Intro Towards the end of July, we observed an intrusion that began with IcedID malware and ended in XingLocker ransomware, a Mountlocker variant. XingLocker made its first appearance in early … Read More
BazarLoader and the Conti Leaks
Intro In July, we observed an intrusion that started from a BazarLoader infection and lasted approximately three days. The threat actor’s main priority was to map the domain network, while … Read More
BazarLoader to Conti Ransomware in 32 Hours
Intro Conti is a top player in the ransomware ecosystem, being listed as 2nd overall in the Q2 2021 Coveware ransomware report. The groups deploying this RaaS have only grown … Read More
Cobalt Strike, a Defender’s Guide
Intro In our research, we expose adversarial Tactics, Techniques and Procedures (TTPs) as well as the tools they use to execute their mission objectives. In most of our cases, we … Read More
Trickbot Leads Up to Fake 1Password Installation
Intro Over the past years, Trickbot has established itself as modular and multifunctional malware. Initially focusing on bank credential theft, the Trickbot operators have extended its capabilities. More recently, Trickbot … Read More
BazarCall to Conti Ransomware via Trickbot and Cobalt Strike
Intro This report will go through an intrusion that went from an Excel file to domain wide ransomware. The threat actors used BazarCall to install Trickbot in the environment which … Read More
IcedID and Cobalt Strike vs Antivirus
Intro Although IcedID was originally discovered back in 2017, it did not gain in popularity until the latter half of 2020. We have now analyzed a couple ransomware cases in … Read More
Hancitor Continues to Push Cobalt Strike
First observed in 2014, Hancitor (also known as Chanitor and Tordal) is a downloader trojan that has been used to deliver multiple different malware such as Pony, Vawtrak, and DELoader. … Read More
From Word to Lateral Movement in 1 Hour
Introduction In May 2021, we observed a threat actor conducting an intrusion utilizing the IcedID payloads for initial access. They later performed a number of techniques from host discovery to … Read More
WebLogic RCE Leads to XMRig
Intro This report will review an intrusion where, the threat actor took advantage of a WebLogic remote code execution vulnerability (CVE-2020–14882) to gain initial access to the system before installing … Read More
Conti Ransomware
Introduction First seen in May 2020, Conti ransomware has quickly become one of the most common ransomware variants, according to Coveware. As per Coveware’s Quarterly Ransomware Report (Q1 2021), Conti … Read More
Trickbot Brief: Creds and Beacons
Intro “TrickBot malware—first identified in 2016—is a Trojan developed and operated by a sophisticated group of cybercrime actors. The cybercrime group initially designed TrickBot as a banking trojan to steal … Read More
Sodinokibi (aka REvil) Ransomware
Intro Sodinokibi (aka REvil) has been one of the most prolific ransomware as a service (RaaS) groups over the last couple years. The ransomware family was purported to be behind … Read More
Bazar Drops the Anchor
Intro The malware identified as Anchor first entered the scene in late 2018 and has been linked to the same group as Trickbot, due to similarities in code and usage … Read More
Laravel Apps Leaking Secrets
An attacker logged in through RDP a few days ago to run a “smtp cracker” that scans a list of IP addresses or URLs looking for misconfigured Laravel systems. These … Read More
Bazar, No Ryuk?
Intro In the fall of 2020, Bazar came to prominence when several campaigns delivered Ryuk ransomware. While Bazar appeared to drop-off in December, new campaigns have sprung up recently, using … Read More
All That for a Coinminer?
A threat actor recently brute forced a local administrator password using RDP and then dumped credentials using Mimikatz. They not only dumped LogonPasswords but they also exported all Kerberos tickets. … Read More