Thursday, July 20, 2017

Financially Motivated APT-style Actors Target Retail & Hospitality

A new wave of activity by a financially motivated, APT-style group of cyber threat actors is targeting large restaurant chains with phishing emails containing malicious attachments. Since as early as April 2017, this wave of the group's activity has targeted the retail and hospitality sectors. The group has been active since 2015 and is known for its use of the Carbanak malware. The most recent campaigns leverage two new RTF droppers to deliver a variant of a known backdoor. Earlier campaigns were known for targeting financial institutions and banks; in 2015, the group targeted European banks through a banking application called the Internet Front End Banking System (iFOBS). This report describes the TTPs leveraged in the recent campaigns...

Wapack Labs has cataloged and reported extensively on APTs, cyber threat actors, phishing, malware, financial institutions, and Carbanak in the past. An archive of related reporting can be found in the Red Sky Alliance portal.



Tuesday, July 18, 2017

NotPetya: Ransomware Or Russian Wiper?

Creators of the NotPetya (also known as Petya, PetrWrap, Petya.A, Win32/Diskcoder.Petya.C, EternalPetya, Nyetya, and exPetr) continue to present NotPetya as “simple ransomware.” The developers have moved received bitcoins, sent payments to Pastebin- and DeepPaste-associated wallets, contacted the public, and apparently were able to decrypt one short NotPetya-encrypted file. At the same time, the NotPetya creators did not use the original Petya ransomware source code, and likely left no remedy for most users to recover their encrypted data, despite showing them the ransom note. These observations, together with targeting and comparative TTP data for XData and BlackEnergy3 KillDisk, allow Wapack analysts to attribute NotPetya as likely belonging to a Russian APT. The Petya/NotPetya operation is likely another Russian APT targeted disruption of Ukrainian IT infrastructure and possibly an intelligence operation, masked as a ransomware case. At the same time, it is probable that the Petya and NotPetya actors have a master key to decrypt user files, provided the targeted disk was not destroyed and system information is available...

Wapack Labs has cataloged and reported extensively on Petya/NotPetya, ransomware, BlackEnergy, Russian APT, wiper malware, and Ukrainian attacks in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Monday, July 17, 2017

Below the noise of Petya - Loki Bot Credential Stealing Malware


In late June 2017, Wapack Labs identified a malicious email targeting a Ukrainian FI (Financial Institution) to deliver a credential stealing malware called Loki Bot. This incident happened at the same time as the Petya/NotPetya Ransomware.


Loki Bot samples and C2s were reported as being Petya/NotPetya ransomware. Further confusion resulted when AV detections began identifying Loki Bot as Petya/NotPetya. Loki Bot is sold in underground Tor marketplaces and can steal passwords from browsers, FTP/SSH applications, email accounts, and crypto-coin wallets. Wapack Labs was able to sinkhole malicious Loki Bot C2 domains for further analysis.

This report discusses the misattribution of Loki Bot, along with technical details of analyzed Loki Bot samples including analysis regarding the sinkholed domains and indicators of compromise.

We normally don't publish analysis in its entirety. My team has requested that we post this analysis on the blog for broader situational awareness. 

Enjoy.



Friday, July 14, 2017

Petya/NotPetya and Really Not Petya - Loki Bot Credential Stealing Malware


In late June 2017, Wapack Labs identified a malicious email targeting Ukrainian Financial Institutions (FI) to deliver a credential stealing malware called Loki Bot. This incident happened at the same time as the Petya/NotPetya ransomware outbreak, which also targeted Ukrainian banking infrastructure. Possibly due to the confusion generated during the initial Petya/NotPetya outbreak, Loki Bot samples and C2s were reported as being Petya/NotPetya ransomware. Further confusion resulted when anti-virus (AV) detections began identifying Loki Bot as Petya/NotPetya. Loki Bot is sold in underground Tor marketplaces and can steal passwords from browsers, File Transfer Protocol (FTP) applications, email accounts, and crypto-coin wallets. This report discusses the misattribution of Loki Bot, along with technical details of analyzed Loki Bot samples.

Get the full report here. 
Wapack Labs has cataloged and reported extensively on Loki Bot and Loki RAT in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Tuesday, July 4, 2017

Happy Fourth of July!

I was traveling Saturday, so I didn't get to post...

Today when we're all enjoying hot dogs and hamburgers and corn on the cob and all things American, which is exactly what we should be doing, remember, we're the...

Land of the free BECAUSE of the brave.


…and tomorrow? Back to protecting cyber in the free world…

Have a great Fourth of July!
Jeff