Major cyber trends in 2017 The most significant attacks this year were executed by organized cybercrime groups and nation-state actors Over the last two years, cyberspace has become a prominent medium for fighting between countries. Among the major global cyber actors, Russia is both the most significant nation-state actor, and the most prolific habitat for […]
Read MoreCharming Kitten: Iranian Cyber Espionage Against Human Rights Activists, Academic Researchers and Media Outlets
Charming Kitten is an Iranian cyberespionage group operating since approximately 2014. This report exposes their vast espionage apparatus, active during 2016-2017. We present incidents of company impersonation, made up organizations and individuals, spear phishing and watering hole attacks. We analyze their exploitation, delivery, and command-and-control infrastructure, and expose DownPaper, a malware developed by the attackers, […]
Read MoreLeetMX – a Yearlong Cyber-Attack Campaign Against Targets in Latin America
leetMX is a widespread cyber-attack campaign originating from Mexico and focused on targets in Mexico, El Salvador, and other countries in Latin America, such as Guatemala, Argentina and Costa Rica.
leetMX infrastructure includes 27 hosts and domains used for malware delivery or for command and control. Hundreds of malware samples have been used, most are Remote Access Trojans and keyloggers.
Iranian Threat Agent Greenbug Impersonates Israeli High-Tech and Cyber Security Companies
Iranian Threat Agent Greenbug has been registering domains similar to those of Israeli High-Tech and Cyber Security Companies. By pivoting off the registration details and servers data of the two domains we discovered others registered by the threat agent. Eight contain the name of Israeli high-tech and cyber security companies and one of a Saudi Arabian testing & commissioning of major electrical equipment company.
Read MoreRecent ISMAgent Samples and Infrastructure by Iranian Threat Group GreenBug
Recently we detected new samples and Infrastructure of ISMAgent, a trojan in use by Iranian Threat Group GreenBug. Interestingly, as part of the delivery mechanism, the malware is disguised as a base64 digital certificate and decoded via certutil.exe. This post describes the new campaign. change managment.dot Sample change managment.dot (812d3c4fddf9bb81d507397345a29bb0) exploits CVE-2017-0199 and calls the following URL: http://www.msoffice-cdn[.]com/updatecdnsrv/prelocated/owa/auth/template.rtf
Read MoreThe Economy Behind Phishing Websites Creation
The main aim of this research is to understand and describe the eco-systems of fake websites developers and designers, and the basic economy behind creation of fake websites that impersonate legitimate websites of banks, credit cards companies and corporations. Mostly, the aim of those fake websites is stealing credential (banking or corporate) or credit cards […]
Read MoreOperation Wilted Tulip – Exposing a Cyber Espionage Apparatus
CopyKittens is a cyberespionage group that has been operating since at least 2013. In November 2015, ClearSky and Minerva Labs published the first public report exposing its activity [1]. In March 2017, ClearSky published a second report exposing further incidents, some of which impacted the German Bundestag [2]. In this report, Trend Micro and ClearSky expose […]
Read MoreRecent Winnti Infrastructure and Samples
On July 17, 2017, we detected a malicious document in VirusTotal exploiting CVE-2017-0199. By pivoting off of the infrastructure we learned that it is related to Winnti, a Chinese threat actor that is mostly targeting the gaming industry. Below we outline initial findings. The malicious file, named curriculum vitae.rtf (58c66b3ddbc0df9810119bb688ea8fb0) was uploaded from Turkey. Its content is […]
Read MoreThe Rainmaker, Philadelphia and Stampado Ransomware Vendor is Expanding his Services
ClearSky conducts consistent monitoring of various Darknet actors and communities, including specific actors that develop and sell malware, exploits, bots and ransomware. We have recently encountered very aggressive jabber spam campaign, advertising the “Philadelphia” ransomware. As Brian Krebs wrote in one of his recent post, Philadelphia is a ransomware-as-a-service crime ware package that is sold […]
Read MoreTargeted Attacks in the Middle East Using KASPERAGENT and MICROPSIA
Over the past few months ClearSky has been collaborating with Palo Alto Networks on preventing and detecting targeted attacks in the Middle East using two relatively new Microsoft Windows malware families which we call KASPERAGENT and MICROPSIA. In addition, our research has uncovered evidence of links between attacks using these two new malware families and […]
Read More