Dec 24, 2022APT41 — The spy who failed to encrypt meThis blog post is based on our recent investigation into one of APT41’s operations against an unnamed German company from the financial sector. The company contacted us in March 2022 after discovering a ransom note (as presented below) on several of its servers. The threat actor tried to encrypt multiple…Dfir18 min readDfir18 min read
Nov 16, 2022HZ RAT goes ChinaWalking down the Royal Road as we did in one of our previous posts, another by-catch of our Yara rule caught our attention. Turns out we found HZ Rat — a lesser known Trojan. The malware we analyse in this article initially aroused curiosity because the payload of the RTF…Trojan15 min readTrojan15 min read
Nov 8, 2022#ShortAndMalicious: StrelaStealer aims for mail credentialsIn our newest category #ShortAndMalicious DCSO CyTec aims to briefly highlight new and interesting samples we come across in our daily hunt for malware. For the first entry in the series, we take a brief look at an undocumented custom malware we have been analysing under the moniker “StrelaStealer” (“Стрела”…Malware4 min readMalware4 min read
Oct 11, 2022Tracking down MaggieIn our recent blog post “MSSQL, meet Maggie” we shared our research on a novel backdoor malware targeting Microsoft SQL servers that DCSO CyTec refers to as “Maggie“. Maggie can be summarised as malware that comes in form of an “Extended Stored Procedure” DLL, a special type of extension used…Dfir7 min readDfir7 min read
Oct 4, 2022MSSQL, meet MaggieContinuing our monitoring of signed binaries, DCSO CyTec recently found a novel backdoor malware targeting Microsoft SQL servers. The malware comes in form of an “Extended Stored Procedure” DLL, a special type of extension used by Microsoft SQL servers. Once loaded into a server by an attacker, it is controlled…Malware Analysis6 min readMalware Analysis6 min read
Jul 25, 2022Attack Chain Déjà-vu: The infection vector used by SVCReady, Gozi and IcedIDEarly June 2022, HP Threat Research published a blog post about a newly discovered malware named SVCReady, notable for using Word document properties to store shellcode used in its attack chain. DCSO CyTec has been observing similar attack chains since the beginning of March 2022 at the earliest, previously used…Malware Analysis5 min readMalware Analysis5 min read
May 23, 2022A deal with the devil: Analysis of a recent Matanbuchus sampleMatanbuchus is the name given to a Malware-as-a-Service sold on Russian-speaking cybercriminal forums. Starting at a rental price of $2,500, the malware consists of an obfuscated two-stage loader which has been deployed in conjunction with Qakbot and Cobalt Strike payloads. Last year, Unit42 observed the malware used in activity targeting…Malware Analysis6 min readMalware Analysis6 min read
Apr 14, 2022404 — File still foundIn early February 2022, we came across a tweet from ShadowChasing1 identifying a SideWinder-related word document which referenced a template URL. In this article, we share our insights from investigating the file and other infrastructure connected to it. First Look The file mentioned in the tweet is named ‘Briefing on Ongoing…Apt9 min readApt9 min read
