April 2, 2019 | Tom Hegel

Xwo - A Python-based bot scanner

Jaime Blasco and Chris Doman collaborated on this blog. Overview: Recently, AT&T Alien Labs identified a new malware family that is actively scanning for exposed web services and default passwords. Based on our findings we are calling it “Xwo” - taken from its primary module name. It is likely related to the previously reported malware families…

March 25, 2019 | James Quinn

The odd case of a Gh0stRAT variant

This is a guest post by independent security researcher James Quinn. This will be Part 1 of a series titled Reversing Gh0stRAT Variants. As 2018 drew to a close and 2019 took over, I began to see a different behavior from SMB malware authors. Instead of massive, multi-staged cryptocurrency miners, I began to see more small, covert RATs serving…

March 14, 2019 | Tom Hegel

Making it Rain - Cryptocurrency Mining Attacks in the Cloud

By Chris Doman and Tom Hegel Organizations of all sizes have made considerable shifts to using cloud-based infrastructure for their day-to-day business operations. However, cloud security hasn't always kept up with cloud adoption, and that leaves security gaps that hackers are more than happy to take advantage of. One of the most widely observed objectives of attacking an organization'…

March 6, 2019 | Chris Doman

Internet of Termites

Termite is a tool used to connect together chains of machines on a network. You can run Termite on a surprising number of platforms including mobile devices, routers, servers and desktops. That means it can be used to bounce a connection between multiple machines, to maintain a connection that otherwise wouldn’t be possible: Termite is a useful…

March 5, 2019 | Javier Ruiz

Troubleshooting TrickBot and RevengeRAT Malware with USM Anywhere

MITRE ATT&CK™ (Adversarial Tactics, Techniques and Common Knowledge) is a framework for understanding attackers’ behaviors and actions. We are pleased to announce that AlienVault USM Anywhere and Open Threat Exchange (OTX) now include MITRE ATT&CK™ information. By mapping alarms to their corresponding ATT&CK techniques,…

January 31, 2019 | Tawnya Lancaster

APT10 Group Targets Multiple Sectors, But Seems to Really Love MSSPs

Threat Actors That Don’t Discriminate. When it comes to threat actors and the malware variants they use, let’s talk dating — or rather, the way people date — because one could argue there are marked similarities between the two. You see, there are criminal groups who have a “type,” i.e. using malware…

January 20, 2019 | Kate Brew

Reverse Engineering Malware

The Alien Labs team does a lot of malware analysis as a part of their security research. I interviewed a couple of members of our Labs team, including Patrick Snyder, Eddie Lee, Peter Ewane and Krishna Kona, to learn more about how they do it. Here are some of the approaches, tools and techniques they use for reverse engineering malware,…

December 20, 2018 | Tawnya Lancaster

Let’s Chat: Healthcare Threats and Who’s Attacking

Healthcare is under fire and there’s no sign of the burn slowing. Look, it’s no secret that hackers have been targeting hospitals and other healthcare providers for several years — and probably no surprise that healthcare is one of the top target industries for cybercrime in 2018. In the US alone, in fact, more than 270 data breaches affecting nearly 12 million…

December 17, 2018 | Javier Ruiz

Malware Analysis using Osquery | Part 3

In part 1 of this blog series, we analyzed malware behaviour, and, in part 2, we learned how to detect persistence tricks used in malware attacks. Still, there are more types of events that we can observe with Osquery when malicious activity happens. So, in the last blog post of the series, we will discuss how to detect another example of a…

October 29, 2018 | James Quinn

MadoMiner Part 2 - Mask

This is a guest post by independent security researcher James Quinn. If you have not yet read the first part of the MadoMiner analysis, please do so now. This analysis will pick up where Part 1 left off, while also including a brief correction. The x64 version of the Install module was…

October 18, 2018 | Jose Manuel Martin

Detecting Empire with USM Anywhere

Empire is an open source post-exploitation framework that acts as a capable backdoor on infected systems. It provides a management platform for infected machines. Empire can deploy PowerShell and Python agents to infect both Windows and Linux systems. Empire can: deploy fileless agents to perform command and control; exploit vulnerabilities to escalate privileges; install itself for persistence; steal user…

October 8, 2018 | Chris Doman

Delivery (Key)Boy

Introduction Below we’ve outlined the delivery phase of some recent attacks by KeyBoy, a group of attackers believed to operate out of China. They were first identified in 2013 targeting governments and NGOs in South East Asia. Their primary targeting continues to this day, though they have also been known to target more diverse victims such as the energy…