Research Categories | Anomali Blog

BLOG

Category: Research

Research

Phishing Campaign Targets Login Credentials of Multiple US, International Government Procurement Services

OverviewThe Anomali Threat Research Team identified a credential harvesting campaign designed to steal login details from multiple government procurement services. The procurement services are used by many public and private sector organisations to match buyers and suppliers. In this campaign, attackers spoofed sites for multiple international government departments, email...
Read More


Research

Malicious Activity Aligning with Gamaredon TTPs Targets Ukraine

OverviewThe Anomali Threat Research (ATR) team has identified malicious activity that we believe is being conducted by the Russia-sponsored Advanced Persistent Threat (APT) group Gamaredon (Primitive Bear). Some of the documents have been discussed by other researchers.[1] This Gamaredon campaign appears to have begun in mid-October 2019 and is ongoing...
Read More


Research

The Lure of PSD2

OverviewThe Payment Services Directive (PSD) was adopted within the European Union in 2007. PSD is a directive aimed at regulating payment services with the intention to make cross-border payments in the EU as easy, efficient and secure as payments within a member state. PSD2 builds on the previous legislation in...
Read More


Research

Leashing Cerberus

OverviewCerberus is an Android banking trojan first reported on by ThreatFabric in June 2019 that may have been active since at least 2017. The malware is for sale on a Russian hacking forum called xss[.]is where the actors behind its development are selling licenses for the service from $4000 - $12000. This...
Read More


Research

Illicit Cryptomining Threat Actor Rocke Changes Tactics, Now More Difficult to Detect

SummaryRocke, a China-based cryptomining threat actor, has changed its Command and Control (C2) infrastructure away from Pastebin to a self-hosted solution during the summer of 2019. The setup scripts were hosted on the domains “lsd.systemten[.]org” and “update.systemten[.]org” as pastes. In September 2019, the...
Read More


Research

China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations

OverviewThe Anomali Threat Research Team has identified an ongoing campaign which it believes is being conducted by the China-based threat group, Mustang Panda. The team first revealed these findings on Wednesday, October 2, during Anomali Detect 19, the company’s annual user conference, in a session titled: “Mustang Panda...
Read More


Research

Suspected North Korean Cyber Espionage Campaign Targets Multiple Foreign Ministries and Think Tanks

revised on August 22, 2019Anomali researchers recently observed a site masquerading as a login page for a diplomatic portal linked to the French government. Further analysis of the threat actor’s infrastructure uncovered a broader phishing campaign targeting three different countries’ Ministry of Foreign Affairs agencies. Also targeted were...
Read More


Research

Anomali Harris Poll: Ransomware Hits 1 in 5 Americans

Most Voters to Consider Candidates' Cybersecurity Records in Future ElectionsCybercriminals have been using ransomware to profit off of unprepared victims for more than a decade. Ransomware rose to infamy when the WannaCry and NotPetya attacks struck the world. Recently, attackers have collected more than a million dollars from the...
Read More


Research

Suspected BITTER APT Continues Targeting Government of China and Chinese Organizations

The Anomali Threat Research Team discovered a phishing site impersonating a login page for the Ministry of Foreign Affairs of the People's Republic of China email service. When visitors attempt to login to the fraudulent page, they are presented with a pop-up verification message asking users to close their...
Read More


Research

Threat Actors Utilizing eCh0raix Ransomware Change NAS Targeting

IntroductionOn July 23, 2019, Synology Inc., a Taiwan-based Network Attached Storage (NAS) company, posted an advisory on safeguarding internet-connected Synology NAS devices from Ransomware attacks.[1] The storage devices are encrypted after attackers successfully brute-forcing administrator credentials by using default credentials or dictionary attacks. There are also public reports of ransomware and...
Read More


Research

The eCh0raix Ransomware

IntroductionAnomali researchers have observed a new ransomware family, dubbed eCh0raix, targeting QNAP Network Attached Storage (NAS) devices. QNAP devices are created by the Taiwanese company QNAP Systems, Inc., and contain device storage and media player functionality, amongst others. The devices appear to be compromised by brute forcing...
Read More


Research

Multiple Chinese Threat Groups Exploiting CVE-2018-0798 Equation Editor Vulnerability Since Late 2018

During Anomali Threat Researcher’s tracking of the “Royal Road” Rich Text Format (RTF) weaponizer, commonly used by multiple Chinese threat actors to exploit CVE-2017-11882 and CVE-2018-0802, it was discovered that multiple Chinese threat groups updated their weaponizer to exploit the Microsoft Equation Editor (EE)...
Read More


Research

The InterPlanetary Storm: New Malware in Wild Using InterPlanetary File System’s (IPFS) p2p network

SummaryIn May 2019, a new malware was found in the wild that uses a peer-to-peer (p2p) network on top of InterPlanetary File System’s (IPFS) p2p network. The malware found in the wild targets Windows machines and allows the threat actor to execute any arbitrary PowerShell code...
Read More


Research

Phishing Campaign Impersonates Mexico, Peru, Uruguay Government’s e-Procurement Systems

OverviewIn late May 2019, Anomali researchers discovered a phishing campaign impersonating three Latin American government’s electronic procurement (e-Procurement) systems. The campaign uses convincing looking phishing pages where individuals and companies are invited to bid on public projects with the governments of Mexico, Peru, or Uruguay. The actors or...
Read More


Research

WorrisomeWiki: Is Collaboration Leaving You Exposed to Cyberattacks?

Weighing the Benefits of Project Management Applications Against the RiskDisclaimer: With the sensitive information possibly being leaked by a number of entities and it being hard to discern those intended to be open as opposed to those intended to be private. Anomali has contacted Atlassian to work with and...
Read More


Research

“Bad Tidings” Phishing Campaign Impersonates Saudi Government Agencies and a Saudi Financial Institution

Executive SummaryIn January 2019, researchers from Anomali Labs and Saudi Telecom Company (STC) observed a spike in phishing websites impersonating the Saudi Arabian Ministry of Interior’s e-Service portal known as “Absher”. Further analysis uncovered a broader phishing campaign targeting four different Kingdom of Saudi Arabia government...
Read More


Research

Rocke Evolves Its Arsenal With a New Malware Family Written in Golang

SummaryThe “Rocke group”, a Chinese threat actor group who specializes in cryptojacking, has shifted gears on how they’re stealing your cycles. Rocke is actively updating and pushing a new dropper using Pastebin for Command and Control (C2). Recent updates to the C2 as of March 1...
Read More


Research

Online Bidding-Themed Phishing Campaigns Aims to Trick U.S. Federal Government Contractors

In late February 2019, Anomali Labs researchers discovered a malicious server hosting two separate phishing campaigns targeting government contractors desiring to do business with two U.S. federal government agencies. In both instances, the phisher created faux landing pages mimicking the Department of Transportation eProcurement login portal and the Department of...
Read More


Research

Phishing Campaign Spoofs United Nations and Multiple Other Organizations

Anomali Labs researchers recently discovered a phishing site masquerading as a login page for the United Nations (UN) Unite Unity, a single sign-on (SSO) application used by UN staff. When visitors attempt to login into the fraudulent page, their browser is redirected to an invitation for a film viewing at...
Read More


Research

Phishers Target Texas Department of Transportation Contractors with Online Bidding Scheme

On February 15th, 2019, Anomali Labs researchers found an active phishing page masquerading as a legitimate Texas Department of Transportation (TxDOT) online bidding website. The illegitimate portal <hxxps://www[.]txdot[.]gov[.]us.e-bid.sync.auth.moovindancestudio[.]com/secure/user-login/login[.]php> is being hosted on a suspected compromised server...
Read More


Get the latest threat intelligence news in your email.