Posts

Lock -(B)- it : A Tale of Ransomware

-
Image
EXECUTIVE SUMMARY              * LockBit is one of the world's most active ransomware group connected to various high-profile attacks. This Blog consists of below Intel related to LockBit Group                                     • LockBit & Underground Forums                  • Affiliates & Partners                 • LockBit Blog - Leaked Data's                  • LockBit's Builder       LOCKBIT & UNDERGROUND FORUMS        * LockBit's presence in reputed Russian Underground Forums allows it to Hire affiliates for their ransomware & other malware developers as per need. Some of the most interesting  profiles are posted below.   Profiles (LockBit's Pro...
Read more

Analysis of Latin American Bot (Vadokrist) : Part I - Mechanism & Dropper

-
Image
  EXECUTIVE SUMMARY         Vadokrist Trojan aims to steal credentials from victims’ machines and to create banking overlay windows when the victim visits their home banking portals. Here is the list of known Latin American banking Trojans                  • Grandoreiro                  • URSA                  • Javali                   • Vadokrist (aka) Mispadu DISTRIBUTION         Vadokrist is propagated via social engineering schemas – namely, phishing/malscam campaigns TECHNICAL ANALYSIS            Abusing MSI (Windows Installer) was one of the growing threat in cyber ind...
Read more

Analysis of Remote Template Injection used by APT

-
Image
  EXECUTIVE SUMMARY          Attackers are continually trying to find new ways to target users with malware sent via email.Typically, malicious Word documents that are sent as attachments to phishing emails will themselves contain a script or macro that executes malicious code to get initial access. There are numerous techniques used on these malicious docs to bypass anti-virus detection (VBAStomping, obfuscation, etc.). One such method is Remote Template Injection.   TECHNICAL INVESTGATION          Remote template injection was initially found in 2017 , later used by many APT's such as Gamaredon , Lazarus and many more .It was also listed on MITRE (T1221)   In this scenario the template with Macro will be hosted on the attacker's server will get executed when the victim clicks on enable macro   ANALYSIS OF GAMAREDON's SAMPLE            The sample of gamaredon group was f...
Read more