Ransomware Report: Unveiling Trends in Attack Payouts and Negotiations
Ransomware attacks represent a significant cybersecurity threat, affecting various sectors and individuals. This study examines a comprehensive dataset of ransomware payments and chat logs to better understand the strategies and...
Unveiling AzzaSec Ransomware: Technical insights into the group’s locker.
AzzaSec emerged as an Italian hacktivist group leveraging ransomware to further its political and ideological objectives. In recent days, a lot of media attention has been devoted to this group,...
Unveiling Obfuscated Batch Scripts: From UTF-8 to UTF-16 BOM Conversion
This morning I observed an Internet Shortcut file (sha256:0817cd8b0118e2f023342ad016ef443fd4c2e4657a373f9023807a231d16b0fa – Fattura Elettronica 11817929720.url) designed to compromise an Italian organization, containing these instructions: The .lnk file, in turn, showed the...
A Reverse Engineer’s journey with PowerShell and XWorm
Every now and then you come across new malware variants and find something that attracts a little attention. A few days ago I acquired a VBS file, delivered via a...
Under the shellcode of the ‘Operation Duck Hunt’. Analysis of the FBI’s ducks killer.
“Operation Duck Hunt” is the name of the law enforcement operation that disrupted the Qakbot botnet. The Qakbot botnet was a sophisticated network of compromised computers that was...
Rhysida: An old / new threat in the ransomware landscape
Rhysida is a relatively new ransomware group operating as a RaaS (Ransomware-as-a-Service) provider. The corresponding ransomware is notable for its use of LibTomCrypt, a cryptographic library that allows attackers to leverage...
Reverse and Hunt: Between the jumps of ArguePatch
ARGUEPATCH is a patched version of a legitimate component of the Hex-Rays IDA Pro software. Specifically, it is the remote IDA debugger server, win32_remote.exe, and it is designed to act as a loader by reading and...
Industroyer2: The ICS-capable malware re-emerges in order to cause critical services disruption
A few days ago a new variant of an ICS-capable malware known as Industroyer was employed in a cyber-attack against industrial control systems (ICS) responsible for the management and control of power...
The BigBoss Rules: Something about one of the Uroburos’ RPC-based backdoors
BigBoss is one of the RPC-based backdoors used by Uroburos (aka Turla, Snake, Venomous Bear, Pacifier). It was first spotted in 2018 and was observed to include new features in the last quarter...
Affiliates vs Hunters: Fighting the “DarkSide”
In August 2020 a new piece of malware, belonging to the ransomware category, appeared in the cyber threat landscape. The threat actor responsible for its development called it “DarkSide” and, like other pieces of malware...