Termite is a tool used to connect together chains of machines on a network. You can run Termite on a surprising number of platforms including mobile devices, routers, servers and desktops. That means it can be used used to bounce a connection between multiple machines, to maintain a connection that otherwise wouldn’t be possible: Termite is a useful…
Introduction Below we’ve outlined the delivery phase of some recent attacks by KeyBoy, a group of attackers believed to operate out of China. They were first identified in 2013 targeting governments and NGOs in South East Asia. Their primary targeting continues to this day, though they have also been known to target more diverse victims such as the energy…
By Chris Doman, Fernando Martinez and Jaime Blasco We took a brief look at some documents recently discussed and reviewed by researchers in South Korea over the past week. The malware is linked to Lazarus, a reportedly North Korean group of attackers. One malicious document appears to be targeting members of a recent G20 Financial Meeting, seeking coordination of the…
Written By Chris Doman and Jaime Blasco Introduction Recently, an ActiveX zero-day was discovered on the website of a South Korea think tank that focuses on national security. Whilst ActiveX controls are disabled on most systems, they are still enabled on most South Korean machines due to mandates by the South Korean government.…
Written in collaboration wih Fernando Martinez One of the biggest malware-trends of 2018 has been the increasing variety of crypto-currency malware targeting servers. One family of mining malware, we’ve termed “MassMiner”, stands out as a worm that not only spreads itself through number of different exploits, but also brute-forces access to Microsoft SQL Servers. It surprised us…
WannaCry was incredibly destructive. The attackers made about $150,000 - but the total damage caused by WannaCry has been estimated in the billions of dollars. There is strong evidence linking WannaCry to a group of hackers known as ‘Lazarus’, reportedly operating out of the DPRK (North Korea). Whilst WannaCry is perhaps the most famous attack by Lazarus, it isn…
By Javvad Malik and Chris Doman This is the third of a three-part series on trends identified by AlienVault in 2017. Part 1 focused on exploits and part 2 addressed malware. This part will discuss threat actors and patterns we have detected with OTX. Which threat actors should I be most concerned about? Which threat actors your organization should be most concerned…
By Javvad Malik and Christopher Doman This is the second of a three part series on trends identified by AlienVault. Part 1 focused on the exploits tracked by OTX. This blog will talk about the malware, and Part 3 will discuss trends we’re seeing in threat actors. Which malware should I be most concerned about? Most security incidents that a…
By Javvad Malik and Christopher Doman Introduction Every year, AlienVault records billions of anonymised security events from our customers. This telemetry can be aggregated to establish macro trends. And for many years, we have also been comprehensively recording other vendors' threat reports in our Open Threat Exchange (OTX) platform. We have combined these two data-sets to help…
AlienVault labs recently analysed an application compiled on Christmas Eve 2017. It is an Installer for software to mine the Monero crypto-currency. Any mined currency is sent to Kim Il Sung University in Pyongyang, North Korea. The Installer copies a file named intelservice.exe to the system. The filename intelservice.exe is often associated with…
We previously reported on SamSam ransomware charging high ransoms for infected servers. But SamSam isn’t the only ransomware out there charging eye-watering amounts to decrypt business servers. Initial reports of a new variant of ransomware called LockCrypt started in June of this year. In October we saw an increase in infections. LockCrypt doesn’t have heavy code…
Recently we came across a new variant of the malware ServStart. ServStart is primarily used by attackers located in China, in a mix of targeted and opportunistic attacks. The attackers are hosting the ServStart malware on a file server that is open for anyone to view. The open file server at http://222.186.11[.]182:9999 The Rar Archive One of the…
