CryptoCore Group

A Threat Actor Targeting Cryptocurrency Exchanges. In this research, we present a hidden and persistent group that has been targeting crypto-exchanges, mainly in the US and Japan, since as early as 2018. The actor has successfully stolen millions’ worth of cryptocoins. We named it “CryptoCore” (or “Crypto-gang”); it is also known as “Dangerous Password” and “Leery Turtle”. The CryptoCore […]

Fox Kitten – Widespread Iranian Espionage-Offensive Campaign

During the last quarter of 2019, the ClearSky research team uncovered a widespread Iranian offensive campaign which we call the “Fox Kitten Campaign”. This campaign has been conducted over the last three years against dozens of companies and organizations in Israel and around the world. Read the full Report: Fox Kitten – Widespread Iranian Espionage-Offensive Campaign […]

The Kittens Are Back in Town 2 – Charming Kitten Campaign Keeps Going on, Using New Impersonation Methods

On the 15th of September 2019, we published a report[1] about a sharp increase in Charming Kitten attacks against researchers from the US, Middle East, and France, focusing on Iranian academic researchers and Iranian dissidents in the US. In our last report, we exposed a new cyber espionage campaign that was conducted in July 2019. […]

Iranian APT group ‘MuddyWater’ Adds Exploits to Their Arsenal

In recent months, there has been considerable unrest in the Iranian cybersphere. Highly sensitive data about Iranian APT groups was leaked, exposing abilities, strategies, and attack tools. The main medium for this leak was a Telegram channel. The first leak uncovered attack frameworks and web shells of APT-34 (known as the OilRig group). This was followed […]

Global Iranian Disinformation Operation

Throughout 2018, ClearSky Cyber Security uncovered several disinformation campaigns operated by Iran (as can be seen in the Ayatollah BBC report). Below, we provide an overview of a large-scale fake news infrastructure promoting Iranian global interests, comprised of at least 98 fake media outlets, each with its own websites, social media accounts, and pages that […]

Infrastructure and Samples of Hamas’ Android Malware Targeting Israeli Soldiers

Earlier today the Israel Defense Forces (IDF) uncovered a campaign they attribute to Hamas, in which fake Facebook profiles were used to lure soldiers to install Android malware. ClearSky has been monitoring this campaign and would like to share indicators related to it. We were unable to find technical similarities or infrastructure overlap with a known […]

Ayatollah BBC – An Iranian Disinformation Operation Against Western Media Outlets

Monitoring Iranian activity in cyberspace, we have uncovered an online propaganda-and-disinformation operation, containing dozens of websites that impersonate western media outlets. At the center of the operation is the BBC Persian website. We call this operation Ayatollah BBC. We estimate that the main objective of the operation is to undermine the credibility of western media […]

LeetMX – a Yearlong Cyber-Attack Campaign Against Targets in Latin America

leetMX is a widespread cyber-attack campaign originating from Mexico and focused on targets in Mexico, El Salvador, and other countries in Latin America, such as Guatemala, Argentina and Costa Rica.
leetMX infrastructure includes 27 hosts and domains used for malware delivery or for command and control. Hundreds of malware samples have been used, most of which are Remote Access Trojans and keyloggers.

Iranian Threat Agent Greenbug Impersonates Israeli High-Tech and Cyber Security Companies

Iranian Threat Agent Greenbug has been registering domains similar to those of Israeli High-Tech and Cyber Security Companies. By pivoting off the registration details and server data of the two domains, we discovered others registered by the threat agent. Eight contain the names of Israeli high-tech and cyber security companies, and one contains the name of a Saudi Arabian company that tests and commissions major electrical equipment.

Recent ISMAgent Samples and Infrastructure by Iranian Threat Group GreenBug

Recently we detected new samples and infrastructure of ISMAgent, a trojan in use by Iranian Threat Group GreenBug. Interestingly, as part of the delivery mechanism, the malware is disguised as a base64 digital certificate and decoded via certutil.exe. This post describes the new campaign. change managment.dot: Sample change managment.dot (812d3c4fddf9bb81d507397345a29bb0) exploits CVE-2017-0199 and calls the following URL: http://www.msoffice-cdn[.]com/updatecdnsrv/prelocated/owa/auth/template.rtf
