Introduction The uncertain attribution of the Ukrainian themed malicious document discussed in our past article “APT28 and Upcoming Elections: Possible Interference Signals”, led us to a review of Sofacy’s phishing techniques to confirm or deny the possible involvement of Russian…
Nuova Campagna di Attacco sLoad
Proto: N020419. Con la presente Yoroi desidera informarLa relativamente ad una estesa campagna di attacco rivolta ad aziende ed utenze italiane. Le email fraudolente contengono allegati in formato HTML i quali, una volta aperti, invitano allo scaricamento di un archivio…
APT28 and Upcoming Elections: evidence of possible interference
Introduction In mid-March, a suspicious Office document referencing the Ukraine elections appeared in the wild. This file was uncommon, it seemed carefully prepared and was speaking about who is leading in the elections polls, arguing about the life of the…
Warning: Vulnerabilità in EMS Siemens
Proto: N010419. Con la presente Yoroi desidera informarLa relativamente ad una vulnerabilità all’interno dell’Energy Management System (EMS) Spectrum Power di Siemens, sistema utilizzato in varie realtà ad elevata criticità in ambito manufacturing, energy, chimica, alimentare e agricoltura, gestione acque ed…
LimeRAT spreads in the wild
Introduction Few days ago, Cybaze-Yoroi ZLab team came across an interesting infection chain leveraging several techniques able to defeat traditional security defences and hiding a powerful inner payload able to seriously threaten its victims. The whole infection chain was originated…
Yoroi Welcomes “Yomi: The Malware Hunter”
Nowadays malware represents a powerful tool for cyber attackers and cyber criminals all around the world, with over 856 million of distinct samples identified during the last year it is, with no doubt, one of the major kinds of threat…
Ursnif: The Latest Evolution of the Most Popular Banking Malware
Introduction Few days ago, the researchers of ZLab Yoroi-Cybaze dissected another attack wave of the infamous Ursnif malware, also known as Gozi ISFB, an offspring of the original Gozi which source code was leaked in 2014. Ursnif/Gozi is active from…
Ghidra SRE: The AZORult Field Test
Introduction One of the most anticipated moments in the infosec community during the last few months was, with no doubt, the Ghidra public release. On the 5th of March, at the RSA conference, Ghidra has been presented to the public…
Grave Vulnerabilità in Magento
Proto: N080319. Con la presente Yoroi desidera informarLa relativamente ad una grave vulnerabilità all’interno di Magento, noto framework per la realizzazione di portali e-commerce in PHP recentemente acquistato da Adobe, tra le dieci tecnologie open-source più popolari nel panorama cibernetico…
Decrypting the Qrypter Payload
Introduction During the last weeks, Yoroi’s monitoring operation intercepted some malicious emails required further attention: they were sent to a very few organizations and the contents was specifically tailored for Italian speaking targets. This messages warned the users about imminent…