BlueNoroff introduces new methods bypassing MoTW

BlueNoroff group is a financially motivated threat actor eager to profit from its cyberattack capabilities. We have published technical details of how this notorious group steals cryptocurrency before. We continue to track the group’s activities and this October we observed the adoption of new malware strains in its arsenal. The group usually takes advantage of […]

Continue Reading

Ransomware and wiper signed with stolen certificates

Introduction On July 17, 2022, Albanian news outlets reported a massive cyberattack that affected Albanian government e-services. A few weeks later, it was revealed that the cyberattacks were part of a coordinated effort likely intended to cripple the country’s computer systems. On September 10, 2022, Albanian local news reported a second wave of cyberattacks targeting […]

Continue Reading

If one sheep leaps over the ditch…

Introduction If one sheep leaps over the ditch, the rest will follow. This is an old saying, found in various languages, and it can be applied to ransomware developers. In previous blog posts, we highlighted an increase in the popularity of platform-independent languages and ESXi support, and recently, we wrote about ransomware borrowing these propagation […]

Continue Reading

DTrack activity targeting Europe and Latin America

Introduction DTrack is a backdoor used by the Lazarus group. Initially discovered in 2019, the backdoor remains in use three years later. It is used by the Lazarus group against a wide variety of targets. For example, we’ve seen it being used in financial environments where ATMs were breached, in attacks on a nuclear power […]

Continue Reading

APT10: Tracking down LODEINFO 2022, part II

In the previous publication ‘Tracking down LODEINFO 2022, part I‘, we mentioned that the initial infection methods vary in different attack scenarios and that the LODEINFO shellcode was regularly updated for use with each infection vector. In this article, we discuss improvements made to the LODEINFO backdoor shellcode in 2022. Kaspersky investigated new versions of […]

Continue Reading

APT10: Tracking down LODEINFO 2022, part I

Kaspersky has been tracking activities involving the LODEINFO malware family since 2019, looking for new modifications and thoroughly investigating any attacks utilizing those new variants. LODEINFO is sophisticated fileless malware first named in a blogpost from JPCERT/CC in February 2020. The malware was regularly modified and upgraded by the developers to target media, diplomatic, governmental […]

Continue Reading