ASERT team
Author Archives: ASERT team
- Home → Author's archive:
ASERT team
Lojack Becomes a Double-Agent
Executive Summary ASERT recently discovered Lojack agents containing malicious C2s. These hijacked agents pointed to suspected Fancy Bear (a.k.a. APT28, Pawn Storm) domains. The InfoSec community and the U.S. government have both attributed Fancy Bear activity to Russian espionage activity. Fancy Bear actors typically choose […]Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files
Overview ASERT recently identified a campaign targeting commercial manufacturing in the US and potentially Europe in late 2017. The threat actors used phishing and downloader(s) to install a Remote Access Trojan (RAT) ASERT calls InnaputRAT on the target’s machine. The RAT contained a series of […]Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files
Overview ASERT recently identified a campaign targeting commercial manufacturing in the US and potentially Europe in late 2017. The threat actors used phishing and downloader(s) to install a Remote Access Trojan (RAT) ASERT calls InnaputRAT on the target’s machine. The RAT contained a series of […]Donot Team Leverages New Modular Malware Framework in South Asia
Authors: Dennis Schwarz and Jill Sopko Special thanks to Richard Hummel and Hardik Modi for their contributions on this post. Key Findings ASERT discovered a new modular malware framework, we call yty, that focuses on file collection, screenshots, and keylogging. We believe the threat actors, Donot […]Donot Team Leverages New Modular Malware Framework in South Asia
Authors: Dennis Schwarz and Jill Sopko Special thanks to Richard Hummel and Hardik Modi for their contributions on this post. Key Findings ASERT discovered a new modular malware framework, we call yty, that focuses on file collection, screenshots, and keylogging. We believe the threat actors, Donot […]The ARC of Satori
Authors: Pete Arzamendi, Matt Bing, and Kirk Soluk. Satori, the heir-apparent to the infamous IOT malware Mirai, was discovered by researchers in December 2017. The word “satori” means “enlightenment” or “understanding” in Japanese, but the evolution of the Satori malware has brought anything but clarity. […]The ARC of Satori
Authors: Pete Arzamendi, Matt Bing, and Kirk Soluk Satori, the heir-apparent to the infamous IOT malware Mirai, was discovered by researchers in December 2017. The word “satori” means “enlightenment” or “understanding” in Japanese, but the evolution of the Satori malware has brought anything but clarity. […]Reaper Madness
On October 19th, a team of security researchers warned of a new IoT Botnet that had already infected “an estimated million organizations” and that was poised to “take down the internet”. This report was subsequently picked up by the press and spread quickly via social media. […]Reaper Madness
On October 19th, a team of security researchers warned of a new IoT Botnet that had already infected “an estimated million organizations” and that was poised to “take down the internet”. This report was subsequently picked up by the press and spread quickly via social media. […]Change All Your Passwords, Right Now!
by Steinthor Bjarnason, Senior ASERT Security Analyst & Roland Dobbins, ASERT Principal Engineer CloudFlare are probably best known as a DDoS mitigation service provider, but they also operate one of the largest Content Delivery Networks (CDNs) on the Internet. Many popular Web sites, mobile apps, etc. make use of the CloudFlare CDN, which hosts content […]On the Economics, Propagation, and Mitigation of Mirai
By Kirk Soluk and Roland Dobbins In late November of 2016, a new Mirai variant emerged that leveraged a propagation mechanism different from the Telnet-based brute forcing mechanism originally provided in the leaked Mirai source code. This new variant exploits vulnerable implementations of the TR-064/TR-069 protocol used by ISPs to remotely manage their customer’s broadband […]On the Economics, Propagation, and Mitigation of Mirai
By Kirk Soluk and Roland Dobbins In late November of 2016, a new Mirai variant emerged that leveraged a propagation mechanism different from the Telnet-based brute forcing mechanism originally provided in the leaked Mirai source code. This new variant exploits vulnerable implementations of the TR-064/TR-069 […]TrickBot Banker Insights
A new banking trojan, TrickBot, has seemingly risen from the ashes left behind by the November 2015 takedown of Dyreza/Dyre infrastructure and the arrests of threat actors identified by Russian authorities. Dyreza was used to target customers of over 1000 U.S. and U.K. banks and other companies during the peak of operations. Researchers at Threat Geek […]Annual Security Survey – Call for Participation
It’s that time again! Arbor Networks is opening its 12th annual Worldwide Infrastructure Security Report survey. Findings from this survey are compiled and analyzed to provide insights on a comprehensive range of issues from threat detection and incident response to staffing, budgets and partner relationships. A copy of the report will be sent to all participants. We […]On DNS and DDoS
The global DNS infrastructure provides the critical function of mapping seeming random sets of numbers in IP addresses (like 1.1.1.1) to a name that an Internet consumer may recognize (like www.myfavoritestore.com). To scale to a global level, the DNS system was designed as a multi-level reference network that would allow any user on the Internet […]Rio Olympics Take the Gold for 540gb/sec Sustained DDoS Attacks!
by Roland Dobbins, Principal Engineer & Kleber Carriello, Senior Consulting Engineer When organizing a huge, high-profile event like the Olympics, there are always chances for things to go wrong – and, given human nature, we tend to simply accept it as a given when things go as planned, and to notice and highlight difficulties in […]Dumping Core: Analytical Findings on Trojan.Corebot
Download the full report here. The Corebot banking trojan was initially discovered and documented last year by researchers at Security Intelligence. Since then, it has evolved rapidly and, in terms of capabilities such as browser-based web injections, it is now similar to the dominant banking malware such as Zeus, Neverquest, and Dyreza although its actual impact to date is […]Dumping Core: Analytical Findings on Trojan.Corebo
Download the full report here.
The Corebot banking trojan was initially discovered and documented last year by researchers at Security Intelligence. Since then, it has evolved rapidly and, in terms of capabilities such as browser-based web injections, it is now similar to the dominant banking malware such as Zeus, Neverquest, and Dyreza although its actual impact to date is nowhere close.
ASERT has been studying and monitoring Corebot since shortly after it was initially documented and an in-depth analysis of Corebot’s inner workings are provided in this threat intelligence report, including coverage of its cryptography, network behavior, and banking targets.
The Big Bong Theory: Conjectures on a Korean Banking Trojan
Download the full report here. ASERT has been analyzing samples of a banking trojan targeting South Korean financial institutions. We call the banker “Big Bong” and provide, in this threat intelligence report, an in-depth behavioral analysis of the malware from builder to bot and from installation to exfiltration including obfuscation techniques, certificate use, and VPN-based […]The Big Bong Theory: Conjectures on a Korean Banking Trojan
Download the full report here.
ASERT has been analyzing samples of a banking trojan targeting South Korean financial institutions. We call the banker “Big Bong” and provide, in this threat intelligence report, an in-depth behavioral analysis of the malware from builder to bot and from installation to exfiltration including obfuscation techniques, certificate use, and VPN-based network communications. A goal hypothesis is put forth – “The Big Bong Theory,” including some background on the South Korean banking infrastructure. This intelligence report will be of interest to security researchers, incident responders, and anyone interested in advanced malware analysis.