In just two months, Black Basta has added nearly 50 victims to their list, making them one of the more prominent ransomware gangs. The attackers infiltrate and move laterally throughout the network in a fully-developed RansomOps attack. The Cybereason Nocturnus Team assesses the threat level as HIGH SEVERITY given the destructive potential of the attacks...

June 24, 2022 / 6 minute read

The AI-driven Cybereason XDR Platform detects and blocks MountLocker ransomware which launched back in September 2020. Since then, the attackers have rebranded the operation as AstroLocker, XingLocker, and now in its current phase, the Quantum Locker...

May 9, 2022 / 5 minute read

Cybereason recently an attack assessed to be the work of Chinese APT Winnti that operated undetected, siphoning intellectual property and sensitive data - the two companion reports examine the tactics and techniques of the overall campaign as well as more detailed analysis of the malware arsenal and exploits used...

May 4, 2022 / 4 minute read

Cybereason investigated multiple intrusions targeting technology and manufacturing companies located in Asia, Europe and North America. Based on the findings of our investigation, it appears that the goal behind these intrusions was to steal sensitive intellectual property for cyber espionage purposes...

May 4, 2022 / 11 minute read

This research zeroes in on the Winnti malware arsenal and includes analysis of the observed malware and the complex Winnti infection chain, including evasive maneuvers and stealth techniques that are baked-in to the malware code...

May 4, 2022 / 19 minute read

This APT-C-23 campaign involves of two previously undocumented malware strains dubbed Barb(ie) Downloader and BarbWire Backdoor, which use an enhanced stealth mechanism to remain undetected - in addition, Cybereason observed an upgraded version of an Android implant dubbed VolatileVenom...

April 6, 2022 / 11 minute read

BlackCat Ransomware gained notoriety quickly leaving a trail of destruction behind it, among its recent victims are German oil companies, an Italian luxury fashion brand and a Swiss Aviation company. Cybereason XDR detects and blocks BlackCat Ransomware...

March 1, 2022 / 7 minute read

Ukrainian officials attributed the attack to Russia “preparing the ground” for a military invasion with nasty wipers dubbed WhisperGate and HermeticWiper. Cybereason Anti-Ransomware and Anti-MBR corruption technology detects and blocks WhisperGate and HermeticWiper...

February 15, 2022 / 2 minute read

Prior to the deployment of the Lorenz ransomware, the attackers attempt to infiltrate and move laterally throughout the organization, carrying out a fully-developed RansomOps attack - the Cybereason XDR Platform fully detects and prevents the Lorenz ransomware...

February 8, 2022 / 7 minute read

Cybereason discovered an undocumented RAT dubbed StrifeWater attributed to Iranian APT Moses Staff who deploy destructive ransomware following network infiltration and the exfiltration of sensitive data...

February 1, 2022 / 7 minute read

Cybereason discovered a new toolset developed by Iranian APT Phosphorus which revealed a connection to Memento ransomware and includes the newly discovered PowerLess Backdoor that evades detection by running PowerShell in a .NET context...

February 1, 2022 / 8 minute read

The highly-targeted attacks against aerospace and telecoms firms by new Iranian threat actor MalKamak includes newly discovered malware that evaded security tools since 2018 and abuses Dropbox services for command and control...

October 6, 2021 / 16 minute read

Following the rise of the new LockBit2.0 and the attack against the global IT company Accenture, this report provides detailed information about the attack process and how the Cybereason Defense Platform detects and prevents this threat at several stages...

August 24, 2021 / 6 minute read

Cybereason discovered several previously unidentified attack campaigns targeting the telecoms industry across Southeast Asia assessed to be the work of several prominent Chinese APT groups...

August 3, 2021 / 27 minute read

The Cybereason Defense Platform detects and prevents Prometheus ransomware, a relatively new variant first observed in February of 2021 that has impacted more than 40 companies...

July 15, 2021 / 10 minute read

In a highly targeted operation by a Chinese APT, a newly discovered backdoor dubbed PortDoor is being used in attacks targeting a Russian defense contractor...

April 30, 2021 / 7 minute read

Cybereason Nocturnus Team has been tracking the Avaddon Ransomware since June 2020 and the double extortion model...

April 27, 2021 / 4 minute read

DarkSide ransomware follows the double extortion trend where the threat actors first exfiltrate the data and threaten to make it public if the ransom demand is not paid, rendering backing up data as a precaution against a ransomware attack moot...

April 1, 2021 / 6 minute read

The NetWalker ransomware has been targeting organizations in the US and Europe including several healthcare organizations, despite several known threat actors publicly claiming to abstain from targeting such organizations due to COVID-19.

February 16, 2021 / 4 minute read

The Cybereason Nocturnus Team has been tracking the activity around the RansomEXX, being used as a part of multi-staged human-operated attacks targeting various government related entities and tech companies.

January 26, 2021 / 4 minute read

Since first emerging in May 2020, the ransomware operators (aka. the Conti Gang) claim to have over 150 successful attacks with millions in extortion fees. Download the Indicator's of Compromise to search for Conti in your own environment.

January 12, 2021 / 5 minute read

Over the course of December, 2020, the Cybereason Nocturnus Team has been tracking down cyber crime campaigns related to the holiday season, and more specifically to online shopping. Download the Indicator's of Compromise to search for Dridex in your own environment.

December 24, 2020 / 6 minute read

The Cybereason Nocturnus team has been tracking the activity of the Cl0p ransomware, a variant of CryptoMix ransomware. Download the Indicator's of Compromise to search for Cl0p in your own environment...

December 23, 2020 / 3 minute read

Ryuk ransomware is most often seen as the final payload in a larger targeted attack against a corporation, and since its return in September, it has been mainly delivered via TrickBot or BazarLoader infections.

December 10, 2020 / 3 minute read

The Cybereason Nocturnus Team has identified an active espionage campaign employing three previously unidentified malware variants that use Facebook, Dropbox, Google Docs and Simplenote for command & control and the exfiltration of data from targets across the Middle East.

December 9, 2020 / 2 minute read

Egregor is a newly identified ransomware variant that was first discovered in September, 2020, and has recently been identified in several sophisticated attacks on organizations worldwide, including the games industry giants Crytek and Ubisoft. 

November 26, 2020 / 5 minute read

There have been reports of MedusaLocker attacks across multiple industries, especially the healthcare industry which suffered a great deal of ransomware attacks during the COVID-19 pandemic.

November 19, 2020 / 4 minute read

The Cybereason Nocturnus Team has identified an active campaign targeting customers of a larger e-commerce platform with newly identified multi-stage malware that evades antivirus tools dubbed Chaes. 

November 18, 2020 / 2 minute read

The Cybereason Nocturnus Team has been tracking a North Korean cyber espionage group known as Kimsuky and has identified a new spyware suite along with new attack infrastructure.

November 2, 2020 / 14 minute read

Cybereason Nocturnus Team members Daniel Frank and Lior Rochberger will be presenting a session titled, Anchor, Bazar, and the Trickbot Connection, examining some new developments regarding a familiar threat actor.

September 22, 2020 / 1 minute read

Nocturnus has been tracking the Evilnum group, targeting financial technology companies to spy and steal passwords, documents, browser cookies, email credentials and more.

September 3, 2020 / 9 minute read

Learn how the Bazar malware is sent via phishing emails that take advantage of the ongoing coronavirus pandemic, employee payroll reports, and customer complaints.

July 16, 2020 / 14 minute read

The Cybereason Nocturnus team is investigating a new campaign involving FakeSpy, an Android mobile malware used to steal SMS messages, send SMS messages, steal financial data, read account information and contact lists, steal application data, and do much more.

July 1, 2020 / 10 minute read

The Valak Malware is a sophisticated malware that can steal enterprise mailing information and passwords along with the enterprise certificate. This has the potential to access critical enterprise accounts, causing damage to organizations, brand degradation, and ultimately a loss of consumer trust. 

May 28, 2020 / 13 minute read

The Cybereason Nocturnus team is investigating EventBot, a new type of Android mobile malware. EventBot abuses accessibility features to steal user data from financial applications, read user SMS messages, and steal SMS messages to allow the malware to bypass two-factor authentication.

April 30, 2020 / 12 minute read

Cybereason’s Nocturnus team is continuing to observe hundreds of phishing attacks that use coronavirus-themed files and domains to distribute malware and infect victims all over the world.

March 18, 2020 / 5 minute read

Cybereason Nocturnus is investigating a campaign where attackers are trojanizing multiple hacking tools with njRat, allowing the attackers to completely take over the victim’s machine.

March 10, 2020 / 8 minute read

Our kernel team researches how to reliably authenticate in kernel mode using ci.dll.

March 5, 2020 / 8 minute read

Cybereason's Nocturnus team has been tracking recent espionage campaigns specifically directed at entities and individuals in the Palestinian territories.

February 13, 2020 / 7 minute read

Cybereason's Nocturnus team has been tracking recent espionage campaigns specifically directed at entities and individuals in the Palestinian territories.

February 13, 2020 / 11 minute read

Cybereason is following an active campaign to deliver multiple different types of malware to victims all over the world. This attack is able to steal data, mine for cryptocurrency, and in specific cases deliver ransomware.

February 5, 2020 / 9 minute read

Cybereason Nocturnus detected a series of attacks that started with a TrickBot infection and progressed into a hacking operation targeting sensitive financial systems using a new variant of Anchor_DNS and a new malware dubbed Anchor.

December 11, 2019 / 15 minute read

Nocturnus is tracking a new keylogger called Phoenix, packed with a myriad of information-stealing features extending far beyond logging keystrokes.

November 20, 2019 / 11 minute read

Nocturnus has investigated infections of the Raccoon stealer including its origin, team members, business model, and marketing efforts. We also cover Racoon's current capabilities and delivery methods, with a look into their future plans for the malware.

October 24, 2019 / 14 minute read

The Nocturnus team has identified variants of Glupteba that made use of an extensive arsenal, including LOLBins and a cryptocurrency miner.

September 12, 2019 / 15 minute read

Cybereason has been tracking REvil/Sodinokibi since 2019 - the Cybereason Defense Platform detects and blocks this nasty ransomware that struck meatpacker JBS...

August 5, 2019 / 8 minute read

We take a closer look at the Spelevo exploit, its infection method, and the new direction attackers are taking the Shade ransomware to make money while avoiding publicity.

July 23, 2019 / 5 minute read

Attackers are turning even the most common activities into a possible threat. As the latest example of that trend, the attack presented in this research shows how everyday browsing can be exploited dynamically by threat actors in order to install the AZORult Infostealer.

July 3, 2019 / 5 minute read

In 2018, the Cybereason Nocturnus team identified Operation Soft Cell, an advanced, persistent attack targeting global telecommunications providers.

June 25, 2019 / 16 minute read

We have found an active malware that uses LOLBins and delivers customized payloads called Adobe Worm Faker.

June 20, 2019 / 11 minute read

There’s an active, ongoing campaign exploiting a widespread vulnerability in linux email servers. Read about the attack first here.

June 13, 2019 / 6 minute read

Ransomware is not a new form of attack, but GandCrab has upgraded it to be more dynamic and harder to resolve.

May 7, 2019 / 5 minute read

In this research, we introduce a meticulously planned, malicious operation against a financial institution in April of 2019 by TA505.

April 25, 2019 / 11 minute read

The Cybereason team has identified a campaign that incorporates Emotet, TrickBot, and the Ryuk ransomware. This malware adapts Emotet to drop TrickBot, and adapts TrickBot to not only steal data but also download the Ryuk ransomware.

April 2, 2019 / 5 minute read

The Cybereason team has uncovered a severe threat that adapts Emotet to drop TrickBot, and adapts TrickBot to not only steal data but also download the Ryuk ransomware. This attack steals personal information, passwords, mail files, browser data, and registry keys before ransoming the victims data.

April 2, 2019 / 15 minute read

The Cybereason research team observed a new campaign involving Ursnif in the beginning of 2019 attacking users in Japan across multiple customer environments. This Ursnif variant has enhanced stealing modules focused on taking data from mail clients and email credentials stored in browsers.

March 12, 2019 / 4 minute read

In this research we dissect a new Ursnif Variant using language checks and steganography to evade detection. It features a stealthy persistence mechanism, revamped information-stealing modules focusing on mail clients and cryptocurrency.

March 12, 2019 / 10 minute read

In this malware research, we explain one of the most recent and unique campaigns involving the Astaroth trojan. This Trojan and information stealer affected Europe and especially Brazil through the abuse of native OS processes and the exploitation of security-related products.

February 13, 2019 / 4 minute read

In this report, we explore a recent campaign involving the Astaroth information stealing trojan, chiefly affecting Brazil through the abuse of native OS processes.

February 13, 2019 / 10 minute read

Cybereason detected an evasive infection technique used to spread a variant of the Ramnit banking Trojan as part of an Italian spam campaign. We investigate this attack, its use of sLoad, and its adoption of LOLbins to minimize discovery.

January 3, 2019 / 13 minute read

Cybereason’s Nocturnus team mapped out the multi-stage malware distribution infrastructure behind Brazilian financial malware and found that Brazilian-made malware have become pervasive and target over 60 banks in nearly a dozen countries throughout Latin America, Spain and Portugal.

November 29, 2018 / 19 minute read

In the past few weeks, the Cybereason SOC has detected multiple Betabot (aka Neurevt) infections in customer environments. This blog will look at the infection chain and delve into Betabot’s self-defense mechanisms using telemetry data gathered from multiple customer endpoints.

October 3, 2018 / 6 minute read

Cybereason's Nocturnus Research team analyzes campaigns targeting the Brazilian financial sector, focusing on infection vectors and the threat actor's toolset and techniques.

September 18, 2018 / 7 minute read

The WannaMine Cryptominer, which uses the EternalBlue exploits, is still active although a patch that fixes these well-known vulnerabilities was released last March.

September 14, 2018 / 5 minute read

Cybereason researchers discovered a .NET dropper/crypter. Here's how they reverse engineered it.

September 10, 2018 / 7 minute read

With application whitelisting being integrated into an OS’s security stack, attackers need more creative ways to use their tools without getting detected. In this incident observed by Cybereason, DLL hijacking was used to run Mimikatz using a process that was signed and verified by Oracle.

June 24, 2018 / 3 minute read

Cybereason researchers discovered a credstealer written with AutoHotKey that masquerades as Kaspersky Antivirus and spreads through infected USB drives. We’ve named it Fauxpersky.

March 28, 2018 / 6 minute read