Infrastructure and Samples of Hamas’ Android Malware Targeting Israeli Soldiers

Earlier today the Israel Defense Forces (IDF) uncovered a campaign they attribute to Hamas, in which fake Facebook profiles were used to lure soldiers to install Android malware. ClearSky has been monitoring this campaign and would like to share indicators related to it. We were unable to find technical similarities or infrastructure overlap with a known […]

Ayatollah BBC – An Iranian Disinformation Operation Against Western Media Outlets

Monitoring Iranian activity in cyberspace, we have uncovered an online propaganda-and-disinformation operation, containing dozens of websites that impersonate western media outlets. At the center of the operation is the BBC Persian website. We call this operation Ayatollah BBC. We estimate that the main objective of the operation is to undermine the credibility of western media […]

Cyber Intelligence 2017 Summary Report

Major cyber trends in 2017: the most significant attacks this year were executed by organized cybercrime groups and nation-state actors. Over the last two years, cyberspace has become a prominent medium for fighting between countries. Among the major global cyber actors, Russia is both the most significant nation-state actor, and the most prolific habitat for […]

Charming Kitten: Iranian Cyber Espionage Against Human Rights Activists, Academic Researchers and Media Outlets

Charming Kitten is an Iranian cyberespionage group operating since approximately 2014. This report exposes their vast espionage apparatus, active during 2016-2017. We present incidents of company impersonation, made-up organizations and individuals, spear phishing and watering hole attacks. We analyze their exploitation, delivery, and command-and-control infrastructure, and expose DownPaper, a malware developed by the attackers, […]

LeetMX – a Yearlong Cyber-Attack Campaign Against Targets in Latin America

leetMX is a widespread cyber-attack campaign originating from Mexico and focused on targets in Mexico, El Salvador, and other countries in Latin America, such as Guatemala, Argentina and Costa Rica.
leetMX infrastructure includes 27 hosts and domains used for malware delivery or for command and control. Hundreds of malware samples have been used; most are Remote Access Trojans and keyloggers.

Iranian Threat Agent Greenbug Impersonates Israeli High-Tech and Cyber Security Companies

Iranian Threat Agent Greenbug has been registering domains similar to those of Israeli high-tech and cyber security companies. By pivoting off the registration details and server data of the two domains, we discovered others registered by the threat agent. Eight contain the name of Israeli high-tech and cyber security companies, and one the name of a Saudi Arabian company that performs testing and commissioning of major electrical equipment.

Recent ISMAgent Samples and Infrastructure by Iranian Threat Group GreenBug

Recently we detected new samples and infrastructure of ISMAgent, a trojan in use by Iranian Threat Group GreenBug. Interestingly, as part of the delivery mechanism, the malware is disguised as a base64-encoded digital certificate and decoded via certutil.exe. This post describes the new campaign. The sample change managment.dot (812d3c4fddf9bb81d507397345a29bb0) exploits CVE-2017-0199 and calls the following URL: http://www.msoffice-cdn[.]com/updatecdnsrv/prelocated/owa/auth/template.rtf

The Economy Behind Phishing Websites Creation

The main aim of this research is to understand and describe the ecosystem of fake website developers and designers, and the basic economy behind the creation of fake websites that impersonate legitimate websites of banks, credit card companies and corporations. Mostly, the aim of those fake websites is stealing credentials (banking or corporate) or credit cards […]

Operation Wilted Tulip – Exposing a Cyber Espionage Apparatus

CopyKittens is a cyberespionage group that has been operating since at least 2013. In November 2015, ClearSky and Minerva Labs published the first public report exposing its activity [1]. In March 2017, ClearSky published a second report exposing further incidents, some of which impacted the German Bundestag [2]. In this report, Trend Micro and ClearSky expose […]

Recent Winnti Infrastructure and Samples

On July 17, 2017, we detected a malicious document in VirusTotal exploiting CVE-2017-0199. By pivoting off the infrastructure, we learned that it is related to Winnti, a Chinese threat actor that mostly targets the gaming industry. Below we outline initial findings. The malicious file, named curriculum vitae.rtf (58c66b3ddbc0df9810119bb688ea8fb0), was uploaded from Turkey. Its content is […]