September 8, 2021 | Ofer Caspi

TeamTNT with new campaign aka “Chimaera”

Executive summary AT&T Alien Labs™ has discovered a new campaign by threat group TeamTNT that is targeting multiple operating systems and applications. The campaign uses multiple shell/batch scripts, new open source tools, a cryptocurrency miner, the TeamTNT IRC bot, and more. Alien Labs research indicates the command and control (C&C) server used in this…

August 23, 2021 | Fernando Dominguez

PRISM attacks fly under the radar

Executive summary AT&T Alien Labs has recently discovered a cluster of Linux ELF executables that have low or zero anti-virus detections in VirusTotal (see example in figure 1), though our internal threat analysis systems have flagged them as malicious. Upon inspection of the samples, Alien Labs has identified them as modifications of the open-source PRISM backdoor used by…

August 2, 2021 | Ofer Caspi

New sophisticated RAT in town: FatalRat analysis

This blog was written by Ofer Caspi and Javi Ruiz. Summary AT&T Alien Labs™ has recently observed the presence of a new remote access trojan (RAT) malware in its threat analysis systems. The malware, known as FatalRAT (first named by @c3rb3ru5d3d53c), appears to be distributed via forums and Telegram…

July 6, 2021 | Fernando Martinez

Lazarus campaign TTPs and evolution

Executive summary AT&T Alien Labs™ has observed new activity that has been attributed to the Lazarus adversary group potentially targeting engineering job candidates and/or employees in classified engineering roles within the U.S. and Europe. This assessment is based on malicious documents believed to have been delivered by Lazarus during the last few months (spring 2021). However,…

July 1, 2021 | Fernando Martinez

REvil’s new Linux version

This blog was jointly authored with Ofer Caspi. Executive summary The ransomware-as-a-service (RaaS) operation behind REvil has become one of the most prolific and successful threat groups since the ransomware first appeared in May 2019. REvil has primarily been used to target Windows systems. However, new samples have been identified targeting Linux systems. AT&T Alien Labs™ is…

June 22, 2021 | Ofer Caspi

Darkside RaaS in Linux version

Executive summary AT&T Alien Labs recently analyzed the Linux version of the Darkside ransomware, one of the most active ransomware families in the last quarter. Shortly after hitting Colonial Pipeline, Darkside developers announced they would be closing operations. Key Points: Unlike most Linux ransomware, which typically packs files into a password-protected zip archive, Darkside encrypts files using crypto libraries. This likely…

June 14, 2021 | Fernando Martinez

Malware hosting domain Cyberium fanning out Mirai variants

Executive summary AT&T Alien Labs has observed the Mirai variant botnet, known as Moobot, scanning for known but uncommon vulnerabilities in Tenda routers, resulting in a considerable peak in our internal telemetry. The research associated with this peak resulted in the discovery of a malware hosting domain, providing several different Mirai variants, like Moobot and Satori. Key points: …

May 24, 2021 | Fernando Martinez

AWS IAM security explained

Executive summary AWS policies are a key foundation of good cloud security, but they are often overlooked. In this blog, we take a quick look at some AWS policies, particularly for Identity and Access Management (IAM), that can become problematic if not properly managed. We'll discuss how they can be used against us to generate attacks like:…

April 15, 2021 | Dax Morrow

The rise of QakBot

This blog was jointly written with Ofer Caspi. Some of the links in this blog require an OTX account, and the QakBot infrastructure tracker will require readers to be customers with access to the Threat Intel subscription. Thanks to the following researchers and the MalwareBazaar Project: @0verfl0w_ @_alex_il_ @malware_traffic @lazyactivist192 …

January 27, 2021 | Ofer Caspi

TeamTNT delivers malware with new detection evasion tool

Executive Summary AT&T Alien Labs™ has identified a new tool from the TeamTNT adversary group, which has been previously observed targeting exposed Docker infrastructure for cryptocurrency mining purposes and credential theft. The group is using a new detection evasion tool, copied from open source repositories. The purpose of this blog is to share new technical intelligence…

January 13, 2021 | Tom Hegel

A Global Perspective of the SideWinder APT

AT&T Alien Labs has conducted an investigation into the adversary group publicly known as SideWinder in order to document its highly active campaigns over time and build a more complete picture of its targets, motivations, and objectives. Through our investigation, we have uncovered a collection of activity targeting government and business throughout South Asia and East Asia, spanning many years.…

January 7, 2021 | Ofer Caspi

Malware using new Ezuri memory loader

This blog was written by Ofer Caspi and Fernando Martinez of AT&T Alien Labs. Multiple threat actors have recently started using a Go language (Golang) tool to act as a packer and avoid antivirus detection. Additionally, the Ezuri memory loader tool acts as a malware loader and executes its payload in memory, without writing the file to disk.…