April 15, 2021 | Dax Morrow

The rise of QakBot

This blog was jointly written with Ofer Caspi. Some of the links in this blog require an OTX account, and the QakBot infrastructure tracker will require readers to be customers with access to the Threat Intel subscription.. Thanks to the following researchers and the MalwareBazaar Project: @0verfl0w_   @_alex_il_   @malware_traffic   @lazyactivist192 …

January 27, 2021 | Ofer Caspi

TeamTNT delivers malware with new detection evasion tool

Executive Summary AT&T Alien Labs™ has identified a new tool from the TeamTNT adversary group, which has been previously observed targeting exposed Docker infrastructure for cryptocurrency mining purposes and credential theft. The group is using a new detection evasion tool, copied from open source repositories. The purpose of this blog is to share new technical intelligence…

January 13, 2021 | Tom Hegel

A Global Perspective of the SideWinder APT

AT&T Alien Labs has conducted an investigation on the adversary group publicly known as SideWinder in order to historically document its highly active campaigns and identify a more complete picture of targets, motivations, and objectives. Through our investigation, we have uncovered a collection of activity targeting government and business throughout South Asia and East Asia spanning many years.…

January 7, 2021 | Ofer Caspi

Malware using new Ezuri memory loader

This blog was written by Ofer Caspi and Fernando Martinez of AT&T Alien Labs Multiple threat actors have recently started using a Go language (Golang) tool to act as a packer and avoid Antivirus detection. Additionally, the Ezuri memory loader tool acts as a malware loader and executes its payload in memory, without writing the file to disk.…

May 19, 2020 | Dax Morrow

TrickBot BazarLoader In-Depth

Ofer Caspi, a fellow Alien Labs researcher, co-authored this blog. Executive Summary AT&T Alien Labs actively tracks the TrickBot group through an automated malware analysis system, hunting, and in-depth technical research. On April 20th, 2020 independent security researchers “pancak3lullz” (@pancak3lullz) and Vitali Kremez (@VK_Intel) posted a Tweet regarding two new TrickBot modules aptly named …

May 11, 2020 | Tawnya Lancaster

A HIPAA Compliance Checklist

Five steps to ensuring the protection of patient data and ongoing risk management. Maintaining security and compliance with HIPAA, the Health Insurance Portability and Accountability Act, is growing ever more challenging. The networks that house protected health information (PHI or ePHI) are becoming larger and more complex — especially as organizations move data to the cloud. At the same time,…

April 14, 2020 | Ashley Graves

Slack phishing attacks using webhooks

Background Slack is a cloud-based messaging platform that is commonly used in workplace communications. It is feature-rich, offering additional functionality such as video calling and screen sharing in addition to a marketplace containing thousands of third-party applications and add-ons. Slack Incoming Webhooks allow you to post messages from your applications to Slack. By specifying a unique URL, your message body,…

April 3, 2020 | Amy Pace

The Power of Community to Fight COVID-19 Cyber Threats

Cybercriminals are taking advantage of the fear and uncertainty surrounding the current global health and economic situation as well as sudden shifts and exposures in IT environments to launch COVID-19 related attack campaigns. The bad guys are moving full-steam ahead in their efforts to lure victims by playing on their fears. Fortunately, the security community is banding together to take…

March 27, 2020 | Ashley Graves

SIEM and security monitoring for Kubernetes explained

Photo by chuttersnap on Unsplash Kubernetes (K8s) is an open-source system for automating deployment, scaling, and management of containerized applications. It has recently seen rapid adoption across enterprise environments. Many environments rely on managed Kubernetes services such as Google Kubernetes Engine (GKE) and Amazon Elastic Kubernetes Service (EKS) to take advantage of the benefits of both…

March 26, 2020 | Chris Doman

Sharepoint vulnerability exploited in the wild

The CVE-2019-0604 (Sharepoint) exploit and what you need to know AT&T Alien Labs has seen a number of reports of active exploitation of a vulnerability in Microsoft Sharepoint (CVE-2019-0604). One report by the Saudi Cyber Security Centre appears to be primarily targeted at organisations within the kingdom. An earlier report by the Canadian Cyber Security Centre…

February 4, 2020 | Javier Ruiz

Why should you use correlation rules on top of traditional signatures?

The AT&T Cybersecurity Alien Labs team is in charge of writing correlation rules and releasing threat intelligence updates on a day-to-day basis. When researchers in the team find new malware families or threats, we always try to find the best approach to keep our customers protected. In this blog, we will look into some of the differences between…

January 15, 2020 | Fernando Martinez

Alien Labs 2019 Analysis of Threat Groups Molerats and APT-C-37

In 2019, several industry analyst reports confused the threat groups Molerats and APT-C-37 due to their similarity, and this has led to some confusion and inaccuracy of attribution. For example, both groups target the Middle East and North Africa region (with a special emphasis on Palestine territories). And, they both approach victims through the use of phishing emails that contain decoy…