leetMX is a widespread cyber-attack campaign originating from Mexico and focused on targets in Mexico, El Salvador, and other countries in Latin America, such as Guatemala, Argentina and Costa Rica.
leetMX infrastructure includes 27 hosts and domains used for malware delivery or for command and control. Hundreds of malware samples have been used, most are Remote Access Trojans and keyloggers.
Iranian Threat Agent Greenbug Impersonates Israeli High-Tech and Cyber Security Companies
Iranian Threat Agent Greenbug has been registering domains similar to those of Israeli High-Tech and Cyber Security Companies. By pivoting off the registration details and servers data of the two domains we discovered others registered by the threat agent. Eight contain the name of Israeli high-tech and cyber security companies and one of a Saudi Arabian testing & commissioning of major electrical equipment company.
Read MoreRecent ISMAgent Samples and Infrastructure by Iranian Threat Group GreenBug
Recently we detected new samples and Infrastructure of ISMAgent, a trojan in use by Iranian Threat Group GreenBug. Interestingly, as part of the delivery mechanism, the malware is disguised as a base64 digital certificate and decoded via certutil.exe. This post describes the new campaign. change managment.dot Sample change managment.dot (812d3c4fddf9bb81d507397345a29bb0) exploits CVE-2017-0199 and calls the following URL: http://www.msoffice-cdn[.]com/updatecdnsrv/prelocated/owa/auth/template.rtf
Read MoreThe Economy Behind Phishing Websites Creation
The main aim of this research is to understand and describe the eco-systems of fake websites developers and designers, and the basic economy behind creation of fake websites that impersonate legitimate websites of banks, credit cards companies and corporations. Mostly, the aim of those fake websites is stealing credential (banking or corporate) or credit cards […]
Read MoreOperation Wilted Tulip – Exposing a Cyber Espionage Apparatus
CopyKittens is a cyberespionage group that has been operating since at least 2013. In November 2015, ClearSky and Minerva Labs published the first public report exposing its activity [1]. In March 2017, ClearSky published a second report exposing further incidents, some of which impacted the German Bundestag [2]. In this report, Trend Micro and ClearSky expose […]
Read MoreRecent Winnti Infrastructure and Samples
On July 17, 2017, we detected a malicious document in VirusTotal exploiting CVE-2017-0199. By pivoting off of the infrastructure we learned that it is related to Winnti, a Chinese threat actor that is mostly targeting the gaming industry. Below we outline initial findings. The malicious file, named curriculum vitae.rtf (58c66b3ddbc0df9810119bb688ea8fb0) was uploaded from Turkey. Its content is […]
Read MoreThe Rainmaker, Philadelphia and Stampado Ransomware Vendor is Expanding his Services
ClearSky conducts consistent monitoring of various Darknet actors and communities, including specific actors that develop and sell malware, exploits, bots and ransomware. We have recently encountered very aggressive jabber spam campaign, advertising the “Philadelphia” ransomware. As Brian Krebs wrote in one of his recent post, Philadelphia is a ransomware-as-a-service crime ware package that is sold […]
Read MoreTargeted Attacks in the Middle East Using KASPERAGENT and MICROPSIA
Over the past few months ClearSky has been collaborating with Palo Alto Networks on preventing and detecting targeted attacks in the Middle East using two relatively new Microsoft Windows malware families which we call KASPERAGENT and MICROPSIA. In addition, our research has uncovered evidence of links between attacks using these two new malware families and […]
Read MoreJerusalem Post and other Israeli websites compromised by Iranian threat agent CopyKitten
On 29 March 2017 the German Federal Office for Information Security (BSI) said in a statement that the website of Israeli newspaper Jerusalem Post was manipulated and linked to a harmful third party. Below is a Google translation of the statement: “After the cyber attack on the German Bundestag in 2015, some protective functions that the BSI […]
Read More