July 6, 2021 | Fernando Martinez

Lazarus campaign TTPs and evolution

Executive summary AT&T Alien Labs™ has observed new activity that has been attributed to the Lazarus adversary group potentially targeting engineering job candidates and/or employees in classified engineering roles within the U.S. and Europe. This assessment is based on malicious documents believed to have been delivered by Lazarus during the last few months (spring 2021). However,…

July 1, 2021 | Fernando Martinez

REvil’s new Linux version

This blog was jointly authored with Ofer Caspi. Executive summary The ransomware-as-a-service (RaaS) operation behind REvil have become one of the most prolific and successful threat groups since the ransomware first appeared in May 2019. REvil has been primarily used to target Windows systems. However, new samples have been identified targeting Linux systems. AT&T Alien Labs™ is…

June 22, 2021 | Ofer Caspi

Darkside RaaS in Linux version

Executive summary AT&T Alien Labs recently analyzed the Linux version of the Darkside ransomware, one of the most active ransomware in the last quarter. Shortly after hitting Colonial Pipeline, Darkside developers announced they would be closing operations. Key Points: Unlike common Linux ransomwares which mostly zip files with a password, Darkside encrypts files using crypto libraries. This likely…

June 14, 2021 | Fernando Martinez

Malware hosting domain Cyberium fanning out Mirai variants

Executive summary AT&T Alien Labs has observed the Mirai variant botnet, known as Moobot, scanning for known but uncommon vulnerabilities in Tenda routers, resulting in a considerable peak in our internal telemetry. The research associated with this peak resulted in the discovery of a malware hosting domain, providing several different Mirai variants, like Moobot and Satori. Key points: …

May 24, 2021 | Fernando Martinez

AWS IAM security explained

Executive summary AWS Policies are a key foundation in good cloud security, but they are often overlooked. In this blog, we take a quick look on some AWS Policies, particularly for Identity and Access Management (IAM), that could become problematic if not properly managed. We'll discuss how they can be used against us to generate attacks like:…

April 15, 2021 | Dax Morrow

The rise of QakBot

This blog was jointly written with Ofer Caspi. Some of the links in this blog require an OTX account, and the QakBot infrastructure tracker will require readers to be customers with access to the Threat Intel subscription.. Thanks to the following researchers and the MalwareBazaar Project: @0verfl0w_   @_alex_il_   @malware_traffic   @lazyactivist192 …

January 27, 2021 | Ofer Caspi

TeamTNT delivers malware with new detection evasion tool

Executive Summary AT&T Alien Labs™ has identified a new tool from the TeamTNT adversary group, which has been previously observed targeting exposed Docker infrastructure for cryptocurrency mining purposes and credential theft. The group is using a new detection evasion tool, copied from open source repositories. The purpose of this blog is to share new technical intelligence…

January 13, 2021 | Tom Hegel

A Global Perspective of the SideWinder APT

AT&T Alien Labs has conducted an investigation on the adversary group publicly known as SideWinder in order to historically document its highly active campaigns and identify a more complete picture of targets, motivations, and objectives. Through our investigation, we have uncovered a collection of activity targeting government and business throughout South Asia and East Asia spanning many years.…

January 7, 2021 | Ofer Caspi

Malware using new Ezuri memory loader

This blog was written by Ofer Caspi and Fernando Martinez of AT&T Alien Labs Multiple threat actors have recently started using a Go language (Golang) tool to act as a packer and avoid Antivirus detection. Additionally, the Ezuri memory loader tool acts as a malware loader and executes its payload in memory, without writing the file to disk.…

May 19, 2020 | Dax Morrow

TrickBot BazarLoader In-Depth

Ofer Caspi, a fellow Alien Labs researcher, co-authored this blog. Executive Summary AT&T Alien Labs actively tracks the TrickBot group through an automated malware analysis system, hunting, and in-depth technical research. On April 20th, 2020 independent security researchers “pancak3lullz” (@pancak3lullz) and Vitali Kremez (@VK_Intel) posted a Tweet regarding two new TrickBot modules aptly named …

May 11, 2020 | Tawnya Lancaster

A HIPAA Compliance Checklist

Five steps to ensuring the protection of patient data and ongoing risk management. Maintaining security and compliance with HIPAA, the Health Insurance Portability and Accountability Act, is growing ever more challenging. The networks that house protected health information (PHI or ePHI) are becoming larger and more complex — especially as organizations move data to the cloud. At the same time,…

April 14, 2020 | Ashley Graves

Slack phishing attacks using webhooks

Background Slack is a cloud-based messaging platform that is commonly used in workplace communications. It is feature-rich, offering additional functionality such as video calling and screen sharing in addition to a marketplace containing thousands of third-party applications and add-ons. Slack Incoming Webhooks allow you to post messages from your applications to Slack. By specifying a unique URL, your message body,…