APT32 / OceanLotus on ASEAN Affairs

OceanLotus (aka APT32) is a very active hacking group. It operates especially in the area of South-East Asia and, according to the security community, it is close to the Vietnamese government. Over time, many intrusion attempts and data breaches have been attributed to it. As for the more purely technical aspects, the group seems very well supported and often adopts advanced tactics and techniques in order to lower the probability of detection. In my personal opinion, the members of this group … [Read more]

jRAT += Houdini: New Year 2019

In the late evening of 08-01-2019 a phishing document related to the Ministry of Defense of Turkey was captured in the wild and caught my attention (md5: 0d3b1c3c4287fe12399dc29d88905e9c). Further investigation suggests that a new malicious campaign aimed at spreading HWorm + jRat variants has been emerging in recent days. Insights: the phishing document (md5: 0d3b1c3c4287fe12399dc29d88905e9c) tries to attract the curiosity of potential victims through a file name that … [Read more]

APT28 / Sofacy – SedUploader under the Christmas tree

Another supposed APT28 / Sofacy decoy document related to the defence and security sector [md5: f8a778d21003098075c9aef8ed58c6c3] was captured in the wild yesterday evening. It is likely targeting at least one Eastern European country. The spear-phishing document collected seems to rely primarily on macro code to complete the infection chain. An image of the decoy document is reported below. It seems similar, in some pieces of internal code, to the document … [Read more]

Shamoon / DistTrack Malware IoC for recent Oil & Gas Energy sector attack

A variant of the Shamoon malware crippled more than 300 computers of Saipem, the Italian Oil & Gas services firm. Yesterday, a new variant of this malware was uploaded to the VirusTotal platform from Italy (md5: b41f586fc9c95c66f0967f1592641a85). The sample does not seem to have been compiled recently (2011-11-28 14:53:13). The variant under analysis includes Arabic language ID support, which is in line with previous Shamoon versions. It has the capability to overwrite the MBR … [Read more]

APT28 / Fancy Bear still targeting military institutions

APT28, aka Fancy Bear, the well-known hacking group believed to be Russian state-sponsored, seems to be targeting NATO partners and defense / military institutions and affairs in these hours. Spear-phishing emails with an attached malicious document referring to a "nato simulation" event (the document is named "NATO Simulation.doc") seem to be used to try to compromise some institutional entities (likely from Eastern Europe). The hunting group involved in the analysis of this event is composed of … [Read more]

APT29 threat group seems to be back targeting US public / gov / defense sector

APT29, the well-known hacking group, seems to be back with slightly different tactical and technical procedures for its latest cyber operation. In the late evening of 15/11, some malicious documents likely attributable to the group in question were submitted to a major online malware analysis platform (VirusTotal; credit to @DrunkBinary for the first discovery). The decoy document I retrieved and analyzed clearly refers to a DoS (Department of State) PDF form that is shown … [Read more]

Update: Hands in the MuddyWater – Playing with Iranian Cyber-Espionage Campaign

This is an update to the previous post "Hands in the MuddyWater - Playing with Iranian Cyber-Espionage Campaign". Because someone asked me to show DNS hit statistics for all the compromised domain names serving this cyber-espionage campaign, the missing two follow. Three days of data, 26-29/10. Note that "hits" can, in this case, also refer to normal web browsing (legitimate … [Read more]

Hands in the MuddyWater – Playing with Iranian Cyber-Espionage Campaign

MuddyWater is likely a state-sponsored hacking group targeting Saudi Arabia, Iraq, Israel, the United Arab Emirates, Georgia, India, Pakistan, Turkey and the United States. It is linked by the security community to the Iranian Government, and its operations have been evolving heavily over the last months. The following is an informal report about one recent malware sample related to the "MuddyWater" APT campaign. Recap IoC: dn: … [Read more]