ClearSky Cyber Security has detected a watering hole attack on at least eight Israeli websites. The attack is highly likely to be orchestrated by a nation-state actor from Iran, with a low confidence specific attribution to Tortoiseshell (also called TA456 or Imperial Kitten). The Infected sites collect preliminary user information through a script. We have […]
Read MoreCONTI Ransomware – Negotiation and Bitcoin Tracking
Originated by the ‘Wizard Spider’ Russian hacking group, CONTI ransomware is an evolution of one of the group’s most successful ransomware – Ryuk. CONTI is a more accessible version of Ryuk, built for distribution by affiliates in a ‘Ransomware as a service’ model. CONTI ransomware was first spotted by cybersecurity teams in May 2020 and […]
Read MoreOperation ‘Kremlin’
Introduction ClearSky researchers identified a malicious “.docx” file that was uploaded to VirusTotal from Russia in mid-December. The file contains an obfuscated URL to a remote template which contains malicious VBA, eventually leading to the execution of VBS on the infected machine. The attack’s purpose is to stealthily exfiltrate information without running any external executables […]
Read MoreOperation Quicksand
During September 2020, we identified a new campaign targeting many prominent Israeli organizations. The campaign was attributed to the Iranian threat actor ‘MuddyWater’ (also known as TEMP.Zagros, Static Kitten and Seedworm). MuddyWater was previously exposed as a contractor for the IRGC (Islamic Republic Guard Corps). ClearSky and Profero comprehensively researched this campaign. During the campaign, […]
Read MoreThe Kittens Are Back in Town 3
During 2017-2019, Clearsky had published several reports about the Iranian APT group “Charming Kitten”. One of the group’s most common attack vectors is impersonating journalists, particularly those from the German “Deutsche Welle” broadcasting company and the “Jewish Journal” magazine. Starting July 2020, we have identified a new TTP of the group, impersonating “Deutsche Welle” and […]
Read MoreClearSky Q1 summary report
We have published our quarterly report for the first quarter of 2020. We mark the outbreak of the COVID-19 virus as a systematic change for most businesses around the world. The immense pressure felt by many companies and organizations has the potential of evolving into “The perfect storm” in terms of ripe conditions for cyber-attacks, combining […]
Read MorePowDesk: PowerShell Script for LANDesk Management Agent Hosts
PowDesk is a simple PowerShell-based script for hosts that run LANDesk Management Agent. This script is compatible with both 32-bit and 64-bit systems and exfiltrates the computer’s name through a PHP page stored at a certain domain name. After analyzing the script behavior, we assess that potential attackers might create a whitelist of companies that […]
Read MoreIranian APT MuddyWater Attack Infrastructure Targeting Kurdish Political Groups and Organizations in Turkey
In our ongoing investigations of Iranian APTs, we recently detected additional documents related to previously attack infrastructures used by the Iranian APT – “MuddyWater”, which we reported on in late November 2018. As a reminder, we identified two domains, that were hacked by the group and used to host the code of POWERSTATS; a malware […]
Read MoreAttacks against Israeli & Palestinian interests
Recently Clearsky’s researchers collaborated with PwC’s intelligence team while investigating Attacks against Israeli & Palestinian interests. The full post can be read at PwC’s Cyber security updates blog. Here’s the excerpt: “This short report details the techniques being used in a series of attacks mostly against Israel-based organisations. The decoy documents and filenames used in the attacks […]
Read More