Inside the Open Directory of the “You Dun” Threat Group
Key Takeaways The DFIR Report Services Reports such as this one are part of our All Intel service and are categorized as Threat Actor Insights. Private Threat Briefs: Over 20 … Read More
Search Results for: process injection
IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment
Key Takeaways The DFIR Report Services → Click here to access the DFIR Lab related to this report ← Five new sigma rules were created from this report and added … Read More
Lets Open(Dir) Some Presents: An Analysis of a Persistent Actor’s Activity
This report is a little different than our typical content. We were able to analyze data from a perspective we typically don’t get to see… a threat actor’s host! In … Read More
SELECT XMRig FROM SQLServer
In March 2022, we observed an intrusion on a public-facing Microsoft SQL Server. The end goal of this intrusion was to deploy a coin miner. Although deploying a coin miner … Read More
Hancitor Continues to Push Cobalt Strike
First observed in 2014, Hancitor (also known as Chanitor and Tordal) is a downloader trojan that has been used to deliver multiple different malware such as Pony, Vawtrak, and DELoader. … Read More
WebLogic RCE Leads to XMRig
Intro This report will review an intrusion where, the threat actor took advantage of a WebLogic remote code execution vulnerability (CVE-2020–14882) to gain initial access to the system before installing … Read More
Bazar, No Ryuk?
Intro In the fall of 2020, Bazar came to prominence when several campaigns delivered Ryuk ransomware. While Bazar appeared to drop-off in December, new campaigns have sprung up recently, using … Read More