Giovanni Vigna

Author Archives: Giovanni Vigna

Death of Emotet

Cybercrime campaigns can last days or months, but the malicious actors behind them can be active for years. 

As it’s often difficult to have first-hand information about the evolution of specific gangs (e.g., changes in membership and leadership, or motivations behind actions), the threat intelligence community generally resorts to tracking the most observable aspects of these criminal enterprises: the malware that is delivered to the victims and the infrastructure that is used to control compromised systems and collect sensitive information. 

Malware campaigns are almost always trans-national in terms of both targets and infrastructure, covering multiple countries and sometimes spanning multiple continents. Therefore, it’s difficult to carry out coordinated law enforcement efforts (especially given that many law enforcement agencies are already stretched thin), and the defenses against these threats are primarily localized to specific countries or organizations. 

However, sometimes the cyber threats are so egregious that they trigger the attention of a large group of people, resulting in major takedown operations such as 2011’s “Operation Ghost Click” or the Microsoft-led takedown of the TrickBot infrastructure in October 2020. 

It was one of these efforts, and a historical one in this case, that brought down Emotet at the end of January 2021 — a feat that many considered impossible. 

“Operation Ladybird” saw the law enforcement agencies of multiple countries (including the US, the UK, Canada, Germany, France, the Netherlands, Ukraine, and Lithuania) cooperate to eradicate the Emotet infrastructure (see Figure 1). 

Emotet, introduced in 2014 as a banking Trojan, has been Continue reading

Navigating Supply-Chain Vulnerabilities with a Zero-Trust Architecture

In light of the SolarWinds breach, we want to help our customers who may have questions on how a Zero Trust Architecture can act as an effective approach to limit the impact of such attacks. VMware has been steadfastly monitoring the evolving situation as we learn more about the supply chain compromise.  

The SolarWinds Compromise 

At this point, the consensus is that organizations with a SolarWinds product that downloaded the SolarWinds-Core-v2019.4.5220-Hotfix5.msp update package should consider themselves breached and start an investigation. In addition, given the extent of the breach, every organization that uses SolarWinds products should be on alert for the possibility of an intrusion.   

Note that the update package was signed on March 24, 2020, which means that the victims of this attacks might have been compromised in late March or early April 2020. Once the attackers successfully compromised the SolarWinds Orion hosts, they may have moved laterally to the hosts monitored by the tool, and possibly beyond those hosts by using additional credentials collected in the exploitation process. Some actions to be taken in order to address this breach are provided by DHS CISA’s Continue reading

Trick or Threat: Ryuk ransomware targets the health care industry


A recent report [1] from the Cybersecurity and Infrastructure and Security Agency (CISA) has alerted the public about possible forthcoming ransomware attacks that target the health industry.
This report has raised concerns [2] especially because of the current pandemic, which has strained the resources of hospitals and care centers. As a consequence, a ransomware attack, in addition to crippling a healthcare provider’s infrastructure, might actually put at risk the lives of patients.

The advisory describes in detail the tactics, techniques, and procedures (TTPs) followed by the malicious actors who, at the moment, seem to be associated with Russian crime groups.
The attack uses a number of malware components, such as TrickBot, BazarLoader, Ryuk, and Cobalt Strike, in order to compromise networks, create bridgeheads, and then move laterally so that, eventually, a ransomware attack can be successfully carried out.

In the rest of this report, we present the characteristics of the various components of the attacks. We look at both the actual malware components (i.e., the code that performs the malicious actions), as well as the network evidence associated with their actions. Even though a number of these components (as well as similar ones) have been covered previously Continue reading

Evolution of Excel 4.0 (XL4) Macro Weaponization Presentation

What is Virus Bulletin?

Virus Bulletin (often abbreviated as “VB”) is a magazine devoted to the discussion of malware and spam and has been around over 30 years. It is the forum in which security researchers and professionals discuss and share new directions in both the development of and protection against malware and spam. VB’s annual conference is almost as old as the magazine and has traditionally takes place in late September or early October each year.

VB2020 localhost

Why Attend VB2020?

As always, this year’s VB conference covers a broad spectrum of topics by some of the most talented security researchers in the world. Included in the agenda is a paper published by three members of our VMware Threat Analysis Unit discussing how the weaponization of XL4 macros in Excel has evolved.

Excel 4.0 (XL4) macros have become increasingly popular for attackers, as many security vendors struggle to play catchup and detect them properly. This technique provides attackers with a simple and reliable method to get a foothold on a target network, as it simply represents an abuse of a legitimate 30-year-old feature of Excel and does not rely on any vulnerability or exploit to be successful.

Register to attend Continue reading