Research Categories | Anomali Blog

Category: Research

Research

Anomali Suspects that China-Backed APT Pirate Panda May Be Seeking Access to Vietnam Government Data Center

Authored by: Sara Moore, Joakim Kennedy, Parthiban R, and Rory Gould

The Anomali Threat Research Team detected a spear phishing email targeting government employees in the Municipality of Da Nang, Vietnam. The email contained a malicious Microsoft Excel document which drops a malicious Dynamic-Link Library (DLL) providing the actor with...



COVID-19 Themed HawkEye Phishing Campaign Targets Healthcare Sector: Dissection of the MalDoc and the Two-Way Approach

Overview

Threat actors continue to utilize COVID-19-themed lures to distribute malware as the world responds to the Coronavirus pandemic. Anomali researchers have identified a phishing campaign that is distributing HawkEye malware via Rich Text Format (RTF) documents. This campaign is interesting because HawkEye is a commodity malware with customizable...



Anomali Aggregates Open Source Threat Intelligence to Fight COVID-19-themed Cyber Attacks

Every noteworthy world event is seen by cyber threat actors as an opportunity, and the Coronavirus (COVID-19) pandemic has proven to be no different. In response to the growing volume of COVID-19-themed cyber attacks we are seeing, Anomali has been working to collect, curate, and distribute clear and concise...



COVID-19 Themes Are Being Utilized by Threat Actors of Varying Sophistication

Authored by: Gage Mele, Parthiban R., and Tara Gould

The Tactics, Techniques and Procedures (TTPs) Are Known but the Content Is Coronavirus-Themed

Overview

Threat actors are utilizing the global spread of COVID-19 (Coronavirus) to conduct malicious activity. As the world responds to this threat in various ways, actors are...



APTs & Threat Actors That May Increase Hostile Activity Due to Elimination of Iranian General Quassem Suleimani

The Anomali Threat Research Team continually monitors the global cyber threat landscape. Our experts focus on geographies of interest, provide around-the-clock intelligence on adversaries, and offer guidance on how to defend networks and people against cyber attacks. Anomali had been monitoring the Middle East since long before the current situation with Iran developed. For...



Phishing Campaign Targets Login Credentials of Multiple US, International Government Procurement Services

Overview

The Anomali Threat Research Team identified a credential harvesting campaign designed to steal login details from multiple government procurement services. The procurement services are used by many public and private sector organisations to match buyers and suppliers. In this campaign, attackers spoofed sites for multiple international government departments, email...



Malicious Activity Aligning with Gamaredon TTPs Targets Ukraine

Overview

The Anomali Threat Research (ATR) team has identified malicious activity that we believe is being conducted by the Russia-sponsored Advanced Persistent Threat (APT) group Gamaredon (Primitive Bear). Some of the documents have been discussed by other researchers.[1] This Gamaredon campaign appears to have begun in mid-October 2019 and is ongoing...



The Lure of PSD2

Overview

The Payment Services Directive (PSD) was adopted within the European Union in 2007. PSD is a directive aimed at regulating payment services with the intention of making cross-border payments in the EU as easy, efficient and secure as payments within a member state. PSD2 builds on the previous legislation in...



Leashing Cerberus

Overview

Cerberus is an Android banking trojan first reported on by ThreatFabric in June 2019 that may have been active since at least 2017. The malware is for sale on a Russian hacking forum called xss[.]is, where the actors behind its development are selling licenses for the service for $4000 - $12000. This...



Illicit Cryptomining Threat Actor Rocke Changes Tactics, Now More Difficult to Detect

Summary

Rocke, a China-based cryptomining threat actor, changed its Command and Control (C2) infrastructure away from Pastebin to a self-hosted solution during the summer of 2019. The setup scripts were hosted on the domains "lsd.systemten[.]org" and "update.systemten[.]org" as pastes. In September 2019, the...



China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations

Overview

The Anomali Threat Research Team has identified an ongoing campaign which it believes is being conducted by the China-based threat group Mustang Panda. The team first revealed these findings on Wednesday, October 2, during Anomali Detect 19, the company's annual user conference, in a session titled "Mustang Panda...



Suspected North Korean Cyber Espionage Campaign Targets Multiple Foreign Ministries and Think Tanks

Revised on August 22, 2019

Anomali researchers recently observed a site masquerading as a login page for a diplomatic portal linked to the French government. Further analysis of the threat actor's infrastructure uncovered a broader phishing campaign targeting three different countries' Ministry of Foreign Affairs agencies. Also targeted were...



Anomali Harris Poll: Ransomware Hits 1 in 5 Americans

Most Voters to Consider Candidates' Cybersecurity Records in Future Elections

Cybercriminals have been using ransomware to profit off of unprepared victims for more than a decade. Ransomware rose to infamy when the WannaCry and NotPetya attacks struck the world. Recently, attackers have collected more than a million dollars from the...



Suspected BITTER APT Continues Targeting Government of China and Chinese Organizations

The Anomali Threat Research Team discovered a phishing site impersonating a login page for the email service of the Ministry of Foreign Affairs of the People's Republic of China. When visitors attempt to log in to the fraudulent page, they are presented with a pop-up verification message asking users to close their...



Threat Actors Utilizing eCh0raix Ransomware Change NAS Targeting

Introduction

On July 23, 2019, Synology Inc., a Taiwan-based Network Attached Storage (NAS) company, posted an advisory on safeguarding internet-connected Synology NAS devices from ransomware attacks.[1] The storage devices are encrypted after attackers successfully brute-force administrator credentials, either by trying default credentials or by dictionary attacks. There are also public reports of ransomware and...



The eCh0raix Ransomware

Introduction

Anomali researchers have observed a new ransomware family, dubbed eCh0raix, targeting QNAP Network Attached Storage (NAS) devices. QNAP devices are made by the Taiwanese company QNAP Systems, Inc., and provide device storage and media player functionality, amongst other features. The devices appear to be compromised by brute forcing...
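Both eCh0raix write-ups above describe the same initial access: an internet-exposed NAS whose administrator account is brute-forced with default or dictionary passwords, after which the data is encrypted. As an added illustration of how a defender would catch that pattern in authentication logs (this is example code written for this page, not code from the Anomali posts, Synology or QNAP), the Python below runs a sliding-window failed-login detector over constructed, syslog-style sample lines. The line format, the 5-failures-in-10-minutes threshold and the field names are assumptions; real NAS log formats differ. A successful login that follows the burst is reported separately, because that is the moment the attacker has the credentials and encryption is about to start.

```python
"""Sliding-window detector for credential brute force against a NAS admin login.

Added example for this page; not code from Anomali, Synology or QNAP.
The log format below is constructed for illustration:
    <ISO timestamp> login <failed|succeeded> for user <name> from <ip>
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real telemetry). One source hammers "admin"
# five times and then gets in; another source has two stray failures hours apart.
SAMPLE_LOG = """\
2019-07-20T01:00:01 login failed for user admin from 203.0.113.10
2019-07-20T01:00:02 login failed for user admin from 203.0.113.10
2019-07-20T01:00:03 login failed for user admin from 203.0.113.10
2019-07-20T01:00:04 login failed for user admin from 203.0.113.10
2019-07-20T01:00:05 login failed for user admin from 203.0.113.10
2019-07-20T01:00:06 login succeeded for user admin from 203.0.113.10
2019-07-20T01:00:07 login failed for user alice from 198.51.100.7
2019-07-20T03:30:00 login failed for user alice from 198.51.100.7
"""

# Assumed line layout; adapt the regex to the real device's auth log.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>failed|succeeded) "
    r"for user (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse(log_text):
    """Turn raw log text into a list of event dicts, skipping unparseable lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "ok": m["result"] == "succeeded",
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return alerts keyed by (source ip, target user).

    A key is flagged when `threshold` or more failures land inside any
    `window`-long span. "success_after" is True if that key later logged in
    successfully, i.e. the guess worked and the box should be treated as
    compromised, not merely probed.
    """
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["ip"], e["user"])].append(e)

    alerts = {}
    for key, evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        recent_failures = []       # timestamps inside the sliding window
        total_failures = 0
        tripped = False
        success_after = False
        for e in evs:
            if e["ok"]:
                if tripped:
                    success_after = True
                continue
            total_failures += 1
            recent_failures.append(e["ts"])
            # Evict failures that have aged out of the window.
            while recent_failures and e["ts"] - recent_failures[0] > window:
                recent_failures.pop(0)
            if len(recent_failures) >= threshold:
                tripped = True
        if tripped:
            alerts[key] = {"failures": total_failures, "success_after": success_after}
    return alerts


if __name__ == "__main__":
    for (ip, user), info in detect_bruteforce(parse(SAMPLE_LOG)).items():
        print(f"{ip} -> {user}: {info['failures']} failures, "
              f"{'SUCCEEDED' if info['success_after'] else 'no success yet'}")
```

Tune `threshold` and `window` to the device's normal traffic; the point of the window is to separate a sustained guessing burst from occasional mistyped passwords like the second source above. On a real deployment the same rule is better enforced on the device itself (account lockout, no default credentials, no direct Internet exposure), with this sort of log check as the backstop.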



Multiple Chinese Threat Groups Exploiting CVE-2018-0798 Equation Editor Vulnerability Since Late 2018

During the Anomali Threat Research Team's tracking of the "Royal Road" Rich Text Format (RTF) weaponizer, commonly used by multiple Chinese threat actors to exploit CVE-2017-11882 and CVE-2018-0802, it was discovered that multiple Chinese threat groups updated their weaponizer to exploit the Microsoft Equation Editor (EE)...



The InterPlanetary Storm: New Malware in Wild Using InterPlanetary File System’s (IPFS) p2p network

Summary

In May 2019, a new malware was found in the wild that runs its own peer-to-peer (p2p) network on top of the InterPlanetary File System's (IPFS) p2p network. The malware targets Windows machines and allows the threat actor to execute arbitrary PowerShell code...



Phishing Campaign Impersonates Mexico, Peru, Uruguay Government’s e-Procurement Systems

Overview

In late May 2019, Anomali researchers discovered a phishing campaign impersonating three Latin American governments' electronic procurement (e-Procurement) systems. The campaign uses convincing-looking phishing pages where individuals and companies are invited to bid on public projects with the governments of Mexico, Peru, or Uruguay. The actors or...



WorrisomeWiki: Is Collaboration Leaving You Exposed to Cyberattacks?

Weighing the Benefits of Project Management Applications Against the Risk

Disclaimer: Because sensitive information is possibly being leaked by a number of entities, and it is hard to discern which instances are intended to be open as opposed to those intended to be private, Anomali has contacted Atlassian to work with and...