
About Cybereason Global SOC Team

The Cybereason Global SOC Team delivers 24/7 Managed Detection and Response services to customers on every continent. Led by cybersecurity experts with experience working for government, the military and multiple industry verticals, the Cybereason Global SOC Team continuously hunts for the most sophisticated and pervasive threats to support our mission to end cyberattacks on the endpoint, across the enterprise, and everywhere the battle moves.

All posts by Cybereason Global SOC Team

THREAT ANALYSIS REPORT: Abusing Notepad++ Plugins for Evasion and Persistence

Cybereason GSOC team analysts have analyzed a specific technique that abuses Notepad++ plugins to evade security mechanisms, achieve persistence and deploy backdoors on targeted machines...

September 14, 2022 / 4 minute read

THREAT ANALYSIS REPORT: PlugX RAT Loader Evolution

PlugX is a post-exploitation modular RAT (Remote Access Trojan), which is known for its multiple functionalities such as data exfiltration, keystroke grabbing, backdoor functionality, and utilizing DLL-Sideloading techniques for evading security solutions...

September 8, 2022 / 10 minute read

THREAT ANALYSIS REPORT: Ragnar Locker Ransomware Targeting the Energy Sector

Ragnar Locker is a ransomware family with security evasion capabilities which is targeting the energy sector and recently claimed to have breached DESFA, a Greek pipeline company...

September 1, 2022 / 8 minute read

THREAT ALERT: HavanaCrypt Ransomware Masquerading as Google Update

First observed in June 2022 in the wild, HavanaCrypt Ransomware masquerades as a legitimate Google Chrome update with sophisticated anti-analysis techniques and other functionality that may be used for data exfiltration and privilege escalation...

August 22, 2022 / 5 minute read

THREAT ALERT: Inside the Redeemer 2.0 Ransomware

A new and improved Redeemer 2.0 ransomware version was released on an underground forum and is described by the developers as a “C++ no dependency ransomware with no privacy intrusions” targeting the Windows OS with support for Windows 11 systems...

August 19, 2022 / 2 minute read

THREAT ANALYSIS REPORT: Bumblebee Loader – The High Road to Enterprise Domain Control

Cybereason GSOC observed distribution of the Bumblebee Loader and post-exploitation activities including privilege escalation, reconnaissance and credential theft. Bumblebee operators use the Cobalt Strike framework throughout the attack and abuse credentials for privilege escalation to access Active Directory, as well as abusing a domain administrator account to move laterally, create local user accounts and exfiltrate data...

August 17, 2022 / 10 minute read

THREAT ANALYSIS REPORT: LockBit 2.0 - All Paths Lead to Ransom

LockBit 2.0 ransomware attackers are constantly evolving and making detection, investigation, and prevention more complex by disabling EDR and other security products and deleting the evidence to stifle forensics attempts...

July 7, 2022 / 16 minute read

THREAT ALERT: Raspberry Robin Worm Abuses Windows Installer and QNAP Devices

Raspberry Robin is a worm that spreads over USB devices and shared folders, leverages compromised QNAP (Network Attached Storage, or NAS) devices as stagers, and relies on the old but still effective lure of malicious “LNK” shortcut files...

July 7, 2022 / 5 minute read

THREAT ALERT: Follina/MSDT Microsoft Office Vulnerability

A Microsoft Office code execution vulnerability dubbed “Follina” allows delivery of malware without needing the victim to allow macro execution and is very likely to be mass-exploited. The Cybereason Defense Platform detects and prevents the exploitation of Follina and enables effective hunting of this vulnerability...

June 22, 2022 / 3 minute read

THREAT ANALYSIS REPORT: SocGholish and Zloader – From Fake Updates and Installers to Owning Your Systems

This report provides unique insight into SocGholish and Zloader attacks and provides an overview of the common tactics and techniques in SocGholish infections...

April 25, 2022 / 14 minute read

THREAT ALERT: Emotet Targeting Japanese Organizations

The surge of Emotet attacks targeting Japanese organizations in the first quarter of 2022 is a continuation of the earlier Emotet activity, with some changes in the malware deployment process. The Cybereason XDR Platform detects and blocks Emotet malware...

March 7, 2022 / 3 minute read

THREAT ANALYSIS REPORT: All Paths Lead to Cobalt Strike - IcedID, Emotet and QBot

The Cybereason GSOC delivers details on three recently observed attack scenarios where fast-moving malicious actors used the malware loaders IcedID, QBot and Emotet to deploy the Cobalt Strike framework on the compromised systems...

February 10, 2022 / 13 minute read

THREAT ANALYSIS REPORT: Inside the LockBit Arsenal - The StealBit Exfiltration Tool

This report provides analysis on the evolution of configuration and implementation aspects of the StealBit malware developed by the LockBit ransomware group to exfiltrate sensitive data from targets for double extortion purposes…

December 16, 2021 / 20 minute read

THREAT ALERT: The Return of Emotet

Since the first Twitter post about this most recent discovery, the team at G DATA and the Cybereason SOC team have seen multiple Emotet samples in the wild, particularly between November 21-23, confirming that Emotet is reemerging...

December 9, 2021 / 3 minute read

THREAT ANALYSIS REPORT: From Shathak Emails to the Conti Ransomware

The ITG23 group is partnering with the TA551 (Shathak) threat group to distribute ITG23’s TrickBot and BazarBackdoor malware, which attackers then use to deploy Conti ransomware on compromised systems...

November 9, 2021 / 10 minute read

THREAT ANALYSIS REPORT: Snake Infostealer Malware

This report provides an overview of the key features of the Snake malware and of the similarities discovered between its staging mechanism and those of two other information-stealing malware families, FormBook and Agent Tesla...

October 28, 2021 / 16 minute read

THREAT ALERT: Malicious Code Implant in the UAParser.js Library

A threat actor has implanted malicious code in UAParser.js, a JavaScript library that parses User-Agent data where the implanted code deploys cryptocurrency-mining and information-stealing malware on compromised systems...

October 27, 2021 / 3 minute read

Running Robust Managed Detection and Response Services

Looking into how the SOC fits into the business in addition to identifying the specific use-cases will help a team define and create an effective operation and service delivery...

October 4, 2021 / 6 minute read

Threat Analysis Report: Inside the Destructive PYSA Ransomware

The PYSA ransomware gang uses tools like Koadic, PsExec and Mimikatz for credential theft and lateral movement before executing PowerShell scripts that stop or remove system security mechanisms like Windows Defender...

September 27, 2021 / 10 minute read

Threat Analysis Report: PrintNightmare and Magniber Ransomware

The Cybereason GSOC Team details infections with a recent version of the Magniber ransomware in which the initial attack vector is the exploitation of the notorious PrintNightmare vulnerability...

September 22, 2021 / 15 minute read

THREAT ALERT: Microsoft MSHTML Remote Code Execution Vulnerability

The Cybereason GSOC Managed Detection and Response (MDR) team is investigating CVE-2021-40444, a critical vulnerability in the Microsoft Hypertext Markup Language (MSHTML) web content rendering engine that Microsoft Office applications use...

September 10, 2021 / 3 minute read

THREAT ALERT: Microsoft Exchange ProxyShell Exploits and LockFile Ransomware

The exploitation of the ProxyShell vulnerabilities enables attackers to execute arbitrary commands on compromised systems, which may lead to full system compromise and/or the deployment of malware...

August 30, 2021 / 3 minute read

THREAT ALERT: PrintNightmare Critical Vulnerability in Windows Print Spooler

PrintNightmare is a critical vulnerability in the Windows Print Spooler service that allows attackers to execute arbitrary code on target systems with SYSTEM privileges...

July 2, 2021 / 3 minute read

THREAT ALERT: SolarMarker Backdoor

SolarMarker enables attackers to execute commands, PowerShell scripts, and Windows executables on compromised systems, and to deploy additional malware...

June 23, 2021 / 3 minute read

THREAT ALERT: LemonDuck Crypto-Mining Malware

LemonDuck is a cryptocurrency-mining malware that, in addition to mining, also spreads across a network after the initial infection in order to increase the number of systems contributing to its mining pool...

May 19, 2021 / 3 minute read

THREAT ALERT: N3tw0rm Ransomware Campaign

The campaign uses a disk space filler utility, which is not typical for ransomware: the utility continuously writes files to the victim’s hard disk volumes until no free disk space is left...

May 10, 2021 / 2 minute read