Tag: malware

Introduction  Threat actors' consistency over time represents an indication of effectiveness and experience, resulting in an increasing risk for targeted companies.  The Yoroi Malware ZLAB is tracking the threat actor Aggah (TH-157) since 2019, along with PaloAlto UNIT42, HP and Juniper Networks, and the persistency of its malicious operation over time reveals a structured information stealing infrastructure, a worldwide campaign capable of quickly varying its distribution technique.  We discovered new data theft and reconnaissance operations targeting multiple victims worldwide, including Ukraine, Lithuania, and Italy. The whole campaign impacted hundreds of victims and lasted for two months. CERT Yoroi was able to track the malware […]

Proto: N011221. Con la presente CERT-Yoroi intende informarla riguardo una nuova ondata di attacchi di portata globale diretta a tutti applicativi JavaEE che utilizzano la libreria di logging Log4J. La vulnerabilità è nota con identificativo CVE-2021-44228 e nota con l’alias “Log4Shell”.  A causa di lacune nella fase di acquisizione e deserializzazione dei log, il flusso di esecuzione del componente JNDI gestito dalla libreria Log4J può essere alterato inserendo nei log applicativi una specifica stringa malevola.   In particolare, un attaccante […]

Introduction  Contrasting the malware delivery is hard. Cyber attackers evolve their techniques frequently, but a major trend remained constant: Microsoft Office and Excel documents represent the favorite delivery method many cyber criminals use to inoculate malware into private and public companies. This technique is extremely flexible and both opportunistic and APT actors abuse it.  In the last months, we monitored with particular attention several attack waves adopting a new delivery technique: binary libraries directly loaded by Microsoft Excel, just in one click. This emergent delivery technique leverages XLL files, a particular file type containing a Microsoft Excel application ready to be loaded. […]

Introduction  Cybercrime is today the first threat for businesses and actors are still evolving their malicious business models. In fact, the criminal ecosystem goes beyond the Malware-as-a-Service, many malware developers are increasing their dangerousness by providing infrastructure rental services included in the malicious software fee. This trend is slowly widening the audience of new hackers joining the criminal communities. As Malware ZLAB we constantly monitor this trend to ensure defense capabilities to constituency and partner organizations rely on Yoroi's services to defend their business, and recently we noticed […]

Introduction  When threat actors evolve, their tools do so. Observing the evolution of the threats we track during our cyber defense operations is part of what we do to secure our customers. Back in 2019, the Yoroi’s Malware ZLAB unit discovered a complete new malware implant named “JsOutProx” (TH-264), a complex JavaScript-based RAT used to attack financial institutions in the APAC area.   In the last two years, the evolution of this implant was clear. After our initial discovery, many security research teams started monitoring this elusive […]

Introduction  Tracking threat actors in the long run is a fundamental part of the cyber threat intelligence program we run at Yoroi, few years ago we began monitoring a particular actor who started offensive operations even in the Italian landscape: Aggah (TH-157), who launched malicious campaign such as the  Roma225 and the RG ones against the Italian manufacturing vertical. At that time, even UNIT42 was closely monitoring that actor, unveiling a large scale operation threatening also United States, Europe and Asia.  The recent operation we tracked was designed […]

Introduction  Ransomware confirms to be one of the most pervasive threats of the last years. We saw during these last years the infamous phenomenon of Double Extorsion, where well-organized cyber-criminal groups perform highly sophisticated red team operations to achieve the highest level of privileges inside the perimeter of victim networks and, before releasing the ransomware, they steal all the sensitive data to extort the target the payment […]

Introduction Nowadays malware attacks work like a complex industry based on their own supply chains, data providers, access brokers and craftsmen developing and maintaining intrusion tools. During our monitoring operations we frequently face malware samples based on known families and code-bases, mangled and then used to conduct even more sophisticated attacks.  Recently, we intercepted a […]

Introduction Cyber criminals are always looking for new ways to infiltrate companies, new techniques, or maybe only creative arrangement of known tricks to achieve their objective. In some of our previous blog posts, we documented how cyber criminals are investing their efforts on creating more and sophisticated code protectors to hide malicious software, and in […]

Introduction 2020 was a really intense year in terms of APT activities, in fact it brought us new evidence of sophisticated campaigns targeting Enterprises organization across Europe and also Italy. In particular the threat group we track as TH-239, also mentioned as UNC1945 by FireEye security researchers, has been one of the sneakiest.  We discussed […]

Proto: N041220. Con la presente Yoroi intende informarla riguardo un nuovo trend di attacco verso firmware UEFI/BIOS. Questa tecnica di attacco fa uso di appositi strumenti e codici finalizzati a leggere, scrivere o cancellare il firmware UEFI/BIOS di un dispositivo.  Questa tipologia di attacco era in passato limitata a scenari di attacco avanzati filo governativi, […]

Introduction The modern cyber threat landscape hides nasty surprises for companies, especially for the most structured and complex companies. Many times, threat actors develop very dangerous and effective techniques using tools and technologies in a smart, unattended way.  This is the case of a particular cyber criminal group operating cyber intrusion against one of the […]