Introduction ClearSky researchers identified a malicious “.docx” file that was uploaded to VirusTotal from Russia in mid-December. The file contains an obfuscated URL to a remote template which contains malicious VBA, eventually leading to the execution of VBS on the infected machine. The attack’s purpose is to stealthily exfiltrate information without running any external executables […]
Read MoreThe Kittens Are Back in Town Charming Kitten – Campaign Against Academic Researchers
In 2019 ClearSky Cyber Security observed a sharp increase in Charming Kitten attacks, after an absence of a few months and after 2019 Microsoft official complaint against the group for “establishing an internet-based cybertheft operation referred to as ‘Phosphorus’“. Read the full report: The Kittens Are Back in Town Charming Kitten – Campaign Against Academic […]
Read MoreRecent Winnti Infrastructure and Samples
On July 17, 2017, we detected a malicious document in VirusTotal exploiting CVE-2017-0199. By pivoting off of the infrastructure we learned that it is related to Winnti, a Chinese threat actor that is mostly targeting the gaming industry. Below we outline initial findings. The malicious file, named curriculum vitae.rtf (58c66b3ddbc0df9810119bb688ea8fb0) was uploaded from Turkey. Its content is […]
Read MoreRocket Kitten 2 – follow-up on Iran originated cyber-attacks
In the past few months ClearSky and Trend Micro have been monitoring and analyzing the Iranian cyber-attack group known as “Rocket Kitten”. The following report uncovers new attacks performed by the group, its methods and operations. Rocket Kitten has been operating since at least mid-2014. The group operates against numerous targets in the middle-east including Israelis, Iranian exiles, and enemies of Iran. The targets […]
Read MoreThamar Reservoir – An Iranian cyber-attack campaign against targets in the Middle East
This report reviews an ongoing cyber-attack campaign dating back to mid-2014. Additional sources indicate it may date as far back as 2011. We call this campaign Thamar Reservoir, named after one of the targets, Thamar E. Gindin, who exposed new information about the attack and is currently assisting with the investigation. The campaign includes several different attacks with the […]
Read MoreGholee – a “protective edge” themed spear phishing campaign
Introduction During the 2014 Israel–Gaza conflict, dubbed by Israel as “operation protective edge”, a raise in cyber-attacks against Israeli targets was reported. In this report we analyze one case of an operation protective edge themed spear phishing attack. That email contained a malicious excel file, which once opened and its VBA code executed, would infect […]
Read More