On July 17, 2017, we detected a malicious document in VirusTotal exploiting CVE-2017-0199. By pivoting off of the infrastructure we learned that it is related to Winnti, a Chinese threat actor that is mostly targeting the gaming industry. Below we outline initial findings. The malicious file, named curriculum vitae.rtf (58c66b3ddbc0df9810119bb688ea8fb0) was uploaded from Turkey. Its content is […]
ClearSky conducts consistent monitoring of various Darknet actors and communities, including specific actors that develop and sell malware, exploits, bots and ransomware. We have recently encountered very aggressive jabber spam campaign, advertising the “Philadelphia” ransomware. As Brian Krebs wrote in one of his recent post, Philadelphia is a ransomware-as-a-service crime ware package that is sold […]
Over the past few months ClearSky has been collaborating with Palo Alto Networks on preventing and detecting targeted attacks in the Middle East using two relatively new Microsoft Windows malware families which we call KASPERAGENT and MICROPSIA. In addition, our research has uncovered evidence of links between attacks using these two new malware families and […]
On 29 March 2017 the German Federal Office for Information Security (BSI) said in a statement that the website of Israeli newspaper Jerusalem Post was manipulated and linked to a harmful third party. Below is a Google translation of the statement: “After the cyber attack on the German Bundestag in 2015, some protective functions that the BSI […]
Attackers have been trying to breach IEC (Israel Electric Company) in a year-long campaign. From April 2016 until at least February 2017, attackers have been spreading malware via fake Facebook profiles and pages, breached websites, self-hosted and cloud based websites. Various artifacts indicate that the main target of this campaign is IEC – Israel Electric Company. These […]
Iranian threat agent OilRig has been targeting multiple organisations in Israel and other countries in the Middle East since the end of 2015. In recent attacks they set up a fake VPN Web Portal and targeted at least five Israeli IT vendors, several financial institutes, and the Israeli Post Office. Later, the attackers set up […]
Hundreds of customer service centers have been targeted In a campaign going back at least to August 2016. An email is sent to the “contact us” or “customer support” address of an online shop. The sender pretends to be a a customer that has a problem with the online shopping cart or is just asking to […]
Clearsky Security regularly monitors and tracks phishing and fraud campaigns by looking for impersonating domain names. Recently we detected multiple domains impersonating shipping and logistics companies being registered. We suspect that these companies have become the target of Business Email Compromise scams (aka BEC or “CEO fraud”) Targeted organisations include Singaporean Executive Ship Management, VersaCold […]
Since March 2016, numerous credit cards and other details have been stolen during payment from dozens of online shops worldwide. Malicious JavaScript code acting as a form grabber or a simple “cloud based” keylogger was injected into breached shops. As buyers filled in their payment details, the data was captured and sent in real time to […]
Operation DustySky – Part 2 is a follow-up on our DustySky operation report from January 2016. It analyses new attacks by Molerats against targets in Israel, The United States, Egypt, Saudi Arabia, United Arab Emirates and The Palestinian Authority. We elaborate on the scope and targeting of the DustySky campaign and expose new infrastructure and […]