  • Home
  • Privacy Policy
  • Contact
Emanuele De Lucia on Cyber & AI
Generic

XZ BackDoor (CVE-2024-3094): a Multi-Year Effort by an Advanced Threat Actor

With this post I would like to provide a technical dive and considerations about the recently disclosed XZ BackDoor vulnerability (CVE-2024-3094). This vulnerability, which affects the XZ Utils library, a...
edelucia · Apr 3, 2024 · Apr 3, 2024
Generic

A {Black}Cat and mouse game: How the gang's operators have 'unseized' their Dedicated Leak Site

In recent days, the FBI has been entrenched in a virtual struggle against the ransomware group known as ALPHV / BlackCat. This engagement unfolded after the FBI gained control of the underlying infrastructure...
edelucia · Dec 21, 2023 · Apr 2, 2024
Generic

Under the shellcode of 'Operation Duck Hunt'. Analysis of the FBI's duck killer.

"Operation Duck Hunt" was the law-enforcement operation that disrupted the Qakbot botnet. The Qakbot botnet was a sophisticated network of compromised computers that was...
edelucia · Aug 30, 2023 · Apr 2, 2024
Generic

Rhysida: An old / new threat in the ransomware landscape

Rhysida is a relatively new ransomware group operating as a RaaS (Ransomware-as-a-Service) provider. The corresponding ransomware has the particularity of using LibTomCrypt, a cryptographic library that allows attackers to leverage...
edelucia · Jul 26, 2023 · Apr 2, 2024
Generic

ALPHV / BlackCat: Threat Assessment and Profile

BlackCat / ALPHV is known for high-profile attacks such as those conducted against the Italian luxury brand Moncler, the aviation services company Swissport and, more recently, GSE (Gestore Servizi Energetici SpA). The ransomware payload includes many advanced features...
edelucia · Sep 4, 2022 · Apr 2, 2024
Generic

Reverse and Hunt: Between the jumps of ArguePatch

ARGUEPATCH is a patched version of a legitimate component of the Hex-Rays IDA Pro software. Specifically, it is the remote IDA debugger server named win32_remote.exe, and it is essentially designed to act as a loader by reading and...
edelucia · May 8, 2022 · Apr 2, 2024
Generic

Industroyer2: The ICS-capable malware re-emerges in order to cause critical services disruption

A few days ago a new variant of the ICS-capable malware known as Industroyer was employed in a cyber-attack against industrial control systems (ICS) responsible for the management and control of power...
edelucia · Apr 18, 2022 · Apr 2, 2024
Generic

The BigBoss Rules: Something about one of Uroburos' RPC-based backdoors

BigBoss is one of the RPC-based backdoors used by Uroburos (aka Turla, Snake, Venomous Bear, Pacifier). It was first spotted in 2018 and was observed to include new features in the last quarter...
edelucia · Nov 5, 2021 · Apr 2, 2024
Generic

REvil / Sodinokibi ransomware delivered through the Kaseya VSA supply-chain attack

On July 2, 2021, Kaseya issued a notice stating that the company was experiencing a potential cyber attack against its VSA suite. The company itself advised that on-prem customers' servers should...
edelucia · Jul 2, 2021 · Apr 2, 2024
Generic

Affiliates vs Hunters: Fighting the "DarkSide"

In August 2020 a new piece of malware, belonging to the ransomware category, appeared in the cyber threat landscape. The threat actor responsible for its development called it "DarkSide" and, like other pieces of malware...
edelucia · Jan 25, 2021 · Apr 2, 2024