Research

Cybereason has brought the world’s brightest minds from the military, government intelligence, and enterprise security to uncover emerging threats across the globe.

PortDoor: New Chinese APT Backdoor Attack Targets Russian Defense Sector

In a highly targeted operation by a Chinese APT, a newly discovered backdoor dubbed PortDoor is being used in attacks targeting a Russian defense contractor...

April 30, 2021 / 7 minute read

Cybereason vs. Avaddon Ransomware

Cybereason Nocturnus Team has been tracking the Avaddon Ransomware since June 2020 and the double extortion model...

April 27, 2021 / 4 minute read

Prometei Botnet Exploiting Microsoft Exchange Vulnerabilities

The multi-stage cryptocurrency botnet has been observed exploiting the Microsoft Exchange vulnerabilities associated with the HAFNIUM attacks to penetrate networks...

April 22, 2021 / 15 minute read

Cybereason vs. DarkSide Ransomware

DarkSide ransomware follows the double extortion trend where the threat actors first exfiltrate the data and threaten to make it public if the ransom demand is not paid, rendering backing up data as a precaution against a ransomware attack moot...

April 1, 2021 / 6 minute read

Cybereason vs. NetWalker Ransomware

The NetWalker ransomware has been targeting organizations in the US and Europe including several healthcare organizations, despite several known threat actors publicly claiming to abstain from targeting such organizations due to COVID-19.

February 16, 2021 / 4 minute read

Cybereason vs. RansomEXX Ransomware

The Cybereason Nocturnus Team has been tracking activity around RansomEXX, which is being used as part of multi-stage, human-operated attacks targeting various government-related entities and tech companies.

January 26, 2021 / 4 minute read

Cybereason vs. Conti Ransomware

Since first emerging in May 2020, the ransomware operators (a.k.a. the Conti Gang) claim to have over 150 successful attacks with millions in extortion fees. Download the Indicators of Compromise to search for Conti in your own environment.

January 12, 2021 / 5 minute read

Amazon Gift Card Offer Serves Up Dridex Banking Trojan

Over the course of December 2020, the Cybereason Nocturnus Team has been tracking cybercrime campaigns related to the holiday season, and more specifically to online shopping. Download the Indicators of Compromise to search for Dridex in your own environment.

December 24, 2020 / 6 minute read

Cybereason vs. Clop Ransomware

In the past few months, the Cybereason Nocturnus team has been tracking the activity of the Clop ransomware, a variant of CryptoMix ransomware. Download the Indicators of Compromise to search for Clop in your own environment.

December 23, 2020 / 3 minute read

Cybereason vs. SolarWinds Supply Chain Attack

On December 13, 2020, IT infrastructure management provider SolarWinds issued a Security Advisory regarding their SolarWinds Orion Platform after experiencing a “highly sophisticated” supply chain attack.

December 22, 2020 / 2 minute read

Molerats APT: New Malware and Techniques in Middle East Espionage Campaign

Security researchers observed a politically motivated APT called “Molerats” using three new malware variants to conduct espionage in the Middle East. Download the Indicators of Compromise to search for Molerats in your own environment.

December 15, 2020 / 3 minute read

Cybereason vs. Ryuk Ransomware

Ryuk ransomware is most often seen as the final payload in a larger targeted attack against a corporation, and since its return in September, it has been mainly delivered via TrickBot or BazarLoader infections.

December 10, 2020 / 3 minute read

New Malware Arsenal Abusing Cloud Platforms in Middle East Espionage Campaign

The Cybereason Nocturnus Team has identified an active espionage campaign employing three previously unidentified malware variants that use Facebook, Dropbox, Google Docs and Simplenote for command & control and the exfiltration of data from targets across the Middle East.

December 9, 2020 / 2 minute read

Cybereason vs. MedusaLocker Ransomware

There have been reports of MedusaLocker attacks across multiple industries, especially the healthcare industry, which suffered many ransomware attacks during the COVID-19 pandemic.

November 19, 2020 / 4 minute read

Novel Chaes Malware Underscores Heightened E-Commerce Risk This Holiday Season

The Cybereason Nocturnus Team has identified an active campaign targeting customers of a large e-commerce platform with a newly identified multi-stage malware, dubbed Chaes, that evades antivirus tools.

November 18, 2020 / 2 minute read

Back to the Future: Inside the Kimsuky KGH Spyware Suite

The Cybereason Nocturnus Team has been tracking a North Korean cyber espionage group known as Kimsuky and has identified a new spyware suite along with new attack infrastructure.

November 2, 2020 / 14 minute read

No Rest for the Wicked: Evilnum Unleashes PyVil RAT

In this research, we dive into the recent activity of the Evilnum group and explore its new infection chain and tools.

September 3, 2020 / 9 minute read

A Bazar of Tricks: Following Team9’s Development Cycles

In this analysis, our Nocturnus research team shows how the Bazar malware is sent via phishing emails that take advantage of the ongoing coronavirus pandemic, employee payroll reports, and customer complaints.

July 16, 2020 / 14 minute read

FakeSpy Masquerades as Postal Service Apps Around the World

The Cybereason Nocturnus team is investigating a new campaign involving FakeSpy, an Android mobile malware used to steal SMS messages, send SMS messages, steal financial data, read account information and contact lists, steal application data, and do much more.

July 1, 2020 / 10 minute read

Cybereason’s Newest Honeypot Shows How Multistage Ransomware Attacks Should Have Critical Infrastructure Providers on High Alert

Earlier this year, Cybereason launched its latest honeypot to analyze the tactics, techniques, and procedures used by state-sponsored groups and cyber crime actors to target critical infrastructure providers.

June 11, 2020 / 6 minute read

Valak: More than Meets the Eye

Valak is a sophisticated malware that can steal enterprise mailing information and passwords along with the enterprise certificate. This gives attackers the potential to access critical enterprise accounts, causing damage to organizations, brand degradation, and ultimately a loss of consumer trust.

May 28, 2020 / 13 minute read

EventBot: A New Mobile Banking Trojan is Born

The Cybereason Nocturnus team is investigating EventBot, a new type of Android mobile malware. EventBot abuses accessibility features to steal user data from financial applications, read user SMS messages, and steal SMS messages to allow the malware to bypass two-factor authentication.

April 30, 2020 / 12 minute read

Who's Hacking the Hackers: No Honor Among Thieves

Cybereason Nocturnus is investigating a campaign where attackers are trojanizing multiple hacking tools with njRat, allowing the attackers to completely take over the victim’s machine.

March 10, 2020 / 8 minute read

New Cyber Espionage Campaigns Targeting Palestinians - Part 2: The Discovery of the New, Mysterious Pierogi Backdoor

Cybereason's Nocturnus team has been tracking recent espionage campaigns specifically directed at entities and individuals in the Palestinian territories.

February 13, 2020 / 7 minute read

New Cyber Espionage Campaigns Targeting Palestinians - Part 1: The Spark Campaign

Cybereason's Nocturnus team has been tracking recent espionage campaigns specifically directed at entities and individuals in the Palestinian territories.

February 13, 2020 / 11 minute read

The Hole in the Bucket: Attackers Abuse Bitbucket to Deliver an Arsenal of Malware

Cybereason is following an active campaign to deliver multiple different types of malware to victims all over the world. This attack is able to steal data, mine for cryptocurrency, and in specific cases deliver ransomware.

February 5, 2020 / 9 minute read

Dropping Anchor: From a TrickBot Infection to the Discovery of the Anchor Malware

Cybereason Nocturnus detected a series of targeted attacks against high-profile targets that use a new variant of Anchor_DNS and a new malware dubbed Anchor.

December 11, 2019 / 15 minute read

Phoenix: The Tale of the Resurrected Keylogger

Cybereason’s Nocturnus team is tracking a new keylogger gaining traction among cybercriminals called Phoenix. Read about it and its reception in the underground here.

November 20, 2019 / 11 minute read

Hunting Raccoon: The New Masked Bandit on the Block

Since April 2019, the Cybereason Nocturnus team has investigated infections of the Raccoon stealer in the wild across organizations. Read about it here.

October 24, 2019 / 14 minute read

Glupteba Expands Operation and Toolkit with LOLBins And Cryptominer

The Nocturnus team has identified variants of Glupteba that made use of an extensive arsenal, including LOLBins and a cryptocurrency miner.

September 12, 2019 / 15 minute read

Sodinokibi: The Crown Prince of Ransomware

In April 2019, the Cybereason Nocturnus team analyzed a new type of evasive ransomware dubbed Sodinokibi.

August 5, 2019 / 7 minute read

Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers

In 2018, the Cybereason Nocturnus team identified an advanced, persistent attack targeting global telecommunications providers. Read about it first here.

June 25, 2019 / 16 minute read

New Pervasive Worm Exploiting Linux Exim Server Vulnerability

There’s an active, ongoing campaign exploiting a widespread vulnerability in Linux email servers. Read about the attack first here.

June 13, 2019 / 6 minute read

Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware

In this research, we introduce a meticulously planned, malicious operation against a financial institution in April of 2019 by TA505.

April 25, 2019 / 11 minute read

A One-two Punch of Emotet, TrickBot, & Ryuk Stealing & Ransoming Data

The Cybereason team has identified a campaign that incorporates Emotet, TrickBot, and the Ryuk ransomware. This malware adapts Emotet to drop TrickBot, and adapts TrickBot to not only steal data but also download the Ryuk ransomware.

April 2, 2019 / 5 minute read

Triple Threat: Emotet Deploys TrickBot to Steal Data & Spread Ryuk

The Cybereason team has uncovered a severe threat that adapts Emotet to drop TrickBot, and adapts TrickBot to not only steal data but also download the Ryuk ransomware. This attack steals personal information, passwords, mail files, browser data, and registry keys before ransoming the victim's data.

April 2, 2019 / 15 minute read

New Ursnif Variant Targets Japan Packed with New Features

In this research we dissect a recent campaign that uses language checks and steganography to evade detection. The new variant features a stealthy persistence mechanism, revamped information-stealing modules focusing on mail clients and cryptocurrency, and targets Japanese security products.

March 12, 2019 / 10 minute read

Astaroth Malware Uses Legitimate OS and Antivirus Processes to Steal Passwords and Personal Data

In this report, we explain one of the most recent and unique campaigns involving the Astaroth trojan. This Trojan and information stealer was recognized in Europe and chiefly affected Brazil through the abuse of native OS processes and the exploitation of security-related products.

February 13, 2019 / 10 minute read

LOLbins and trojans: How the Ramnit Trojan spreads via sLoad in a cyberattack

Cybereason detected an evasive infection technique used to spread a variant of the Ramnit banking Trojan as part of an Italian spam campaign. We investigate this attack, its use of sLoad, and its adoption of LOLbins to minimize discovery.

January 3, 2019 / 13 minute read

Pervasive Brazilian Financial Malware Targets Bank Customers in Latin America and Europe

Cybereason’s Nocturnus team mapped out the multi-stage malware distribution infrastructure behind Brazilian financial malware and found that Brazilian-made malware has become pervasive and targets over 60 banks in nearly a dozen countries throughout Latin America, Spain and Portugal.

November 29, 2018 / 19 minute read

WannaMine Cryptominer that uses EternalBlue still active

The WannaMine Cryptominer, which uses the EternalBlue exploits, is still active although a patch that fixes these well-known vulnerabilities was released last March.

September 14, 2018 / 5 minute read

The Anatomy of a .NET Malware Dropper

Attackers don't need sophisticated tools to create effective malware. Basic tools work just fine. Case in point: Cybereason researchers discovered a .NET dropper/crypter. Here's how they reverse engineered it.

September 10, 2018 / 7 minute read