Cracking Cobalt Strike: Taking Down Malicious Cybercriminal Infrastructure with Threat Intelligence
Cracking Cobalt Strike Taking Down Malicious Cybercriminal Infrastructure with Threat Intelligence By Joao Marques, John Fokker and Leandro Velasco · July 3, 2024 Introduction In a significant global effort to combat cybercrime, law enforcement agencies from around the world have joined forces to...
The Bug Report - June 2024 Edition
The Bug Report - June 2024 Edition By Jonathan Omakun & Tobi Olawale · June 27, 2024 Why am I Here Welcome back to The Bug Report, the "so hot the server fans are sweating" edition! For those who are new to our monthly adventure, every month, our dedicated Advanced Research Center vulnerability...
Info Stealing Campaign Uses DLL Sideloading Through Legitimate Cisco Webex’s Binaries for Initial Execution and Defense Evasion
Info Stealing Campaign Uses DLL Sideloading Through Legitimate Cisco Webex’s Binaries for Initial Execution and Defense Evasion By Ale Houspanossian · June 17, 2024 Case Summary It was a quiet Monday morning in March 2024 when the EDR researchers with our Trellix Advanced Research Center identifi...
DarkGate again but... Improved?
DarkGate again but... Improved? By Ernesto Fernández Provecho · June 3, 2024 Executive summary During 2023, DarkGate made a comeback with a version full of new features, becoming one of the most preferred Remote Access Trojans RATs by malicious actors. However, this momentum also required...
A Catalog of Hazardous AV Sites – A Tale of Malware Hosting
A Catalog of Hazardous AV Sites – A Tale of Malware Hosting By Trellix · May 23, 2024 This blog was written by Gurumoorthi Ramanathan Executive summary In mid-April 2024, Trellix Advanced Research Center team members observed multiple fake AV sites hosting highly sophisticated malicious files suc...
Tale of Greatness: Journey Through Dark Roads
Tale of Greatness: Journey Through Dark Roads By Daksh Kapur, Vihar Shah, Pooja Khyadgi · May 22, 2024 Cybercriminals have a new weapon in their arsenal: Greatness, a PaaS tool specifically designed to steal your Microsoft 365 login credentials. First detected in mid-2022, it allows attackers to...
Pouring Acid Rain
Pouring Acid Rain By Trellix · April 30, 2024 This blog was written by Max Kersten In two recent major geopolitical conflicts, in Ukraine and in Israel, wipers - malware used to destroy access to files and commonly used to halt telecom operations - were used to destroy digital infrastructure. The...
The Bug Report - April 2024 Edition
The Bug Report - April 2024 Edition By Jonathan Omakun and Tobi Olawale · April 29, 2024 Why am I here? Just when you thought it was safe to go back into the digital waters, out pops another series of rogue waves in the form of CVEs! It's like that beach vacation you planned to get away from it al...
The LockBit’s Attempt to Stay Relevant, Its Imposters and New Opportunistic Ransomware Groups
The LockBit’s Attempt to Stay Relevant, Its Imposters and New Opportunistic Ransomware Groups By Jambul Tologonov and John Fokker · April 11, 2024 The Trellix Advanced Research Center has recently observed an uptick of LockBit-related cyber activity surrounding vulnerabilities in ScreenConnect...
SuperSize Me
SuperSize Me By Floser Bacurio Jr., Bernadette Canubas, Michaelo Oliveros · April 02, 2024 Introduction Cyber attackers are always finding new ways to outsmart security systems and distribute malware effectively. We discovered an interesting detection evasion technique of delivering archive files...
Midnight Blizzard Attack Detection in Trellix Helix
Midnight Blizzard Attack Detection in Trellix Helix By Ian Shefferman · March 18, 2024 On January 25, 2024, Microsoft reported a breach of their systems by the Russian APT group Midnight Blizzard, also known as APT29 and Cozy Bear. The attackers performed a password spray, compromised a Microsoft...
The Dark Side of Innovation: Cybercriminals and Their Adoption of GenAI
The Dark Side of Innovation: Cybercriminals and Their Adoption of GenAI By Jambul Tologonov and John Fokker · March 06, 2024 In the ever-evolving threat landscape, the Trellix Advanced Research Center has been at the forefront of understanding and combating the dual-edged sword of Generative...
RansomHouse am See
RansomHouse am See By Pham Duy Phuc in collaboration with Noël Keijzer and Michaël Schrijver from Northwave · February 14, 2024 This blog was also written by Max Kersten Ransom gangs make big bucks by extorting victims, which sadly isn’t new. Their lucrative business allows them not only to live...
Cyberattack on Democracy: Escalating Cyber Threats Immediately Ahead of Taiwan’s 2024 Presidential Election
Cyberattack on Democracy: Escalating Cyber Threats Immediately Ahead of Taiwan’s 2024 Presidential Election By Anne An · February 13, 2024 Preface Cybersecurity has become an integral part of election security. Nation-state actors and other politically motivated groups are likely to try to...
The Psychology of Phishing: Unraveling the Success Behind Phishing Attacks and Effective Countermeasures
The Psychology of Phishing: Unraveling the Success Behind Phishing Attacks and Effective Countermeasures By Tomer Shloman · February 1, 2024 Phishing is one of the most sneaky and widespread attacks in the constantly changing world of cybersecurity threats. This form of cyber attack, deceiving...
The Ongoing Saga of Job-Themed Attacks
The Ongoing Saga of Job-Themed Attacks By Daksh Kapur and Alfred Alvarado · January 23, 2024 Figure 1 - Job Themed Cyberattacks Attribution at the Bottom In late 2023, Trellix Security Researchers identified an ongoing trend where cybercriminals exploit job-themed attack vectors to target both jo...
JAVA-based Sophisticated Stealer Using Discord Bot as EventListener
JAVA-Based Sophisticated Stealer Using Discord Bot as EventListener By Gurumoorthi Ramanathan · January 18, 2024 Executive Summary: In mid-November 2023, Trellix Advanced Research Center team members observed a Java-based stealer being spread through cracked software zip files using JDABuilder...
JAVA-based Sophisticated Stealer Using Discord Bot as EventListener
JAVA-Based Sophisticated Stealer Using Discord Bot as EventListener By Trellix · January 18, 2024 This blog was written by Gurumoorthi Ramanathan Executive Summary: In mid-November 2023, Trellix Advanced Research Center team members observed a Java-based stealer being spread through cracked...
The evolution of the Kuiper ransomware
Kuiper Ransomware’s Evolution By Max Kersten · January 17, 2024 The Golang-based Kuiper ransomware is presented as an opportunity for other criminals to make money by ransoming one or more targets. Additionally, RobinHood, the actor behind Kuiper, states that help with operations can be provided...
The evolution of the Kuiper ransomware
Kuiper Ransomware’s Evolution By Trellix · January 17, 2024 This blog was written by Max Kersten The Golang-based Kuiper ransomware is presented as an opportunity for other criminals to make money by ransoming one or more targets. Additionally, RobinHood, the actor behind Kuiper, states that help...
Saints Turned Evil
Saints Turned Evil By Sushant Kumar Arya, Daksh Kapur and Rohan Shah · January 02, 2024 Attribution at the Bottom As technology advances, attackers are constantly developing new evasion mechanisms to bypass security products and stay one step ahead of security vendors and their products. We have...
The Anatomy of HTML Attachment Phishing
The Anatomy of HTML Attachment Phishing: One Code, Many Variants By Mathanraj Thangaraju, Niranjan Hegde, and Sijo Jacob · June 14, 2023 Introduction Phishing is the malevolent practise of pretending to be a reliable entity in electronic communication to steal sensitive data, such as login...
Saints Turned Evil
Saints Turned Evil By Daksh Kapur and Rohan Shah · January 2, 2024 This blog was also written by Sushant Kumar Arya Attribution at the Bottom As technology advances, attackers are constantly developing new evasion mechanisms to bypass security products and stay one step ahead of security vendors...
Cybercrooks leveraging anti automation toolkit for phishing campaigns
Cybercrooks Leveraging Anti Automation Toolkit for Phishing Campaigns By Vihar Shah and Rohan Shah · December 18, 2023 Threat actors have a track record of abusing tools hosted on GitHub for malicious purposes. Last year we showed how attackers abused Python’s tarfile module. Trellix Advanced...
Detecting and Visualizing Lateral Movement Attacks with Trellix XDR
Detecting and Visualizing Lateral Movement Attacks with Trellix XDR By Chintan Shah, Maulik Maheta, Ajeeth S · December 13, 2023 Executive summary With Organizations deploying multiple security controls and solutions on their network and endpoints, there is a significant gap in the way threat...
Scanning Danger: Unmasking the Threats of Quishing
Scanning Danger: Unmasking the Threats of Quishing By Shyava Tripathi, Raghav Kapoor and Rohan Shah · December 07, 2023 Phishing, a prevalent cybercrime worldwide, is responsible for as much as 90 percent of data breaches, making it a significant avenue for the theft of sensitive credentials and...
Scanning Danger: Unmasking the Threats of Quishing
Scanning Danger: Unmasking the Threats of Quishing By Shyava Tripathi and Rohan Shah · December 7, 2023 This blog was also written by Raghav Kapoor Phishing, a prevalent cybercrime worldwide, is responsible for as much as 90 percent of data breaches, making it a significant avenue for the theft o...
Akira Ransomware
Akira Ransomware By Alexandre Mundo, Max Kersten · November 29, 2023 First discovered in early 2023, Akira ransomware seemed to be just another ransomware family that entered the market. Its continued activity and numerous victims are our main motivators to investigate the malware’s inner working...
Akira Ransomware
Akira Ransomware By Trellix · November 29, 2023 This blog was also written by Alexandre Mundo and Max Kersten First discovered in early 2023, Akira ransomware seemed to be just another ransomware family that entered the market. Its continued activity and numerous victims are our main motivators t...
The Continued Evolution of the DarkGate Malware-as-a-Service
The Continued Evolution of the DarkGate Malware-as-a-Service By Ernesto Fernández Provecho, Pham Duy Phuc, Ciana Driscoll and Vinoo Thomas · November 21, 2023 In September 2023, the Trellix Security Operations Center SOC successfully detected and stopped an attack against Musarubra, the holding...
CVE-2023-38831: Navigating the Threat Landscape of the Latest Security Vulnerability
CVE-2023-38831: Navigating the Threat Landscape of the Latest Security Vulnerability By Trellix · November 9, 2023 This blog was written by Neeraj Kumar Singh Executive Summary In August 2023, WinRAR released a security patch to address a remote code execution vulnerability in WinRAR's ZIP archiv...
CVE-2023-38831: Navigating the Threat Landscape of the Latest Security Vulnerability
CVE-2023-38831: Navigating the Threat Landscape of the Latest Security Vulnerability By Neeraj Kumar Singh · November 09, 2023 Executive Summary In August 2023, WinRAR released a security patch to address a remote code execution vulnerability in WinRAR's ZIP archive. The vulnerability, known as...
Trellix 2024 Threat Predictions
Trellix 2024 Threat Predictions By Trellix · October 30, 2023 Introduction This last year we have seen upheaval across the cybersecurity landscape. The need for effective, worldwide threat intelligence continues to grow as geopolitical and economic developments create an increasingly complicated...
Discord, I Want to Play a Game
Discord, I Want to Play a Game By Ernesto Fernández Provecho and David Pastor Sanz Threatray · October 16, 2023 Discord is the first choice for gamers when they want to chat with some friends while playing an online computer game. Moreover, it is also a major choice for users that simply want to...
Peeling off QR Code Phishing Onion
Peeling off QR Code Phishing Onion: Revealing the Hidden Layers of Deceit By Neel H. Pathak and Pratik Sunil Kadam · October 10, 2023 Introduction: Malicious actors always seek innovative ways to bypass detection. The Trellix Advanced Research Center recently noticed an attack campaign with an...
Rhysida Ransomware
Rhysida Ransomware By Alexandre Mundo, Max Kersten, and Leandro Velasco · October 9, 2023 New ransomware victims are made every day by ransom gangs with a variety of ransomware malware families, one of which is the Rhysida ransomware family. Within this blog, an anonymised version of an attack by...
Rhysida Ransomware
Rhysida Ransomware By Leandro Velasco · October 9, 2023 This blog was also written by Alexandre Mundo and Max Kersten New ransomware victims are made every day by ransom gangs with a variety of ransomware malware families, one of which is the Rhysida ransomware family. Within this blog, an...
Storm-0324: An access for the RaaS Threat Actor (Sangria Tempest)
Storm-0324 to Sangria Tempest Leads to Ransomware Capabilities By Gurumoorthi Ramanathan · October 5, 2023 Executive Summary: In early July 2023, the threat actor that Microsoft calls “Storm-0324” was observed sending a phishing message through Microsoft Teams. Storm-0324 is a financially motivat...
Storm-0324: An access for the RaaS Threat Actor (Sangria Tempest)
Storm-0324 to Sangria Tempest Leads to Ransomware Capabilities By Trellix · October 5, 2023 This blog was written by Gurumoorthi Ramanathan Executive Summary: In early July 2023, the threat actor that Microsoft calls “Storm-0324” was observed sending a phishing message through Microsoft Teams...
QakBot's Endgame: The Final Move Before the Takedown
QakBot's Endgame: The Final Move Before the Takedown By Daksh Kapur, Nico Paulo Yturriaga and Alfred Alvarado · September 06, 2023 Figure 1 Attribution at the bottom Qakbot, known under aliases like QBot, QuakBot, and Pinkslipbot, represents an intricately advanced malware strain that has...
The Bug Report – August 2023 Edition
The Bug Report – August 2023 Edition By Charles McFarland · September 06, 2023 Why am I here? Welcome back to The Bug Report, the hotter-than-hell Texas edition! For those still unfamiliar with our monthly escapades, every month our trusty Advanced Research Center vulnerability research team...
The Bug Report – August 2023 Edition
The Bug Report – August 2023 Edition By Trellix · September 6, 2023 This blog was written by Charles McFarland Why am I here? Welcome back to The Bug Report, the hotter-than-hell Texas edition! For those still unfamiliar with our monthly escapades, every month our trusty Advanced Research Center...
Supply Chain Security Leaders Collaborate to Help Developers Choose Open-Source
Supply Chain Security Leaders Collaborate to Help Developers Choose Open-Source By Trellix, Checkmarx and Illustria · September 05, 2023 Working together to keep open source safe At the beginning of 2023, top researchers from industry-leading companies established the Supply Chain Attack Research...