Anvilogic Forge Threat Research Reports

CISA Advisory - BlackByte Ransomware

Ukraine & Russia Cyber Update

The CISA advisory on the Ukraine-Russia crisis highlights Russian threat actors targeting vulnerabilities in Oracle Weblogic, Exchange, Cisco, VMware, and Citrix. The attacks focus on critical infrastructure, particularly OT/ICS networks. MITRE ATT&CK framework-based TTPs are detailed. Joint CISA-FBI advisory reveals U.S. Cleared Defense Contractors are targets for sensitive information theft since January 2020.

Trickbot Fading and Conti Rises

AdvIntel reports Trickbot's decline, with Conti absorbing its key developers and investing in new tools like BazarBackdoor. Conti has grown rapidly, aiming to monopolize the cyber threat market. Despite Trickbot's detectability, its threat remains, raising concerns about Conti's expanding capabilities and future operations.

Trending regsvr32 & Squiblydoo Technique

Uptycs reports a rise in the use of regsvr32 combined with the Squiblydoo technique, allowing attackers to load COM scriptlets from the internet, bypassing security measures. Over 500 samples were found, mainly using Microsoft Excel, RTF, and Word documents to register OCX files and execute malicious code.

RedLine Stealer Spreading from Illegitimate Windows 11 Upgrade

HP's research uncovers RedLine Stealer malware disguised as a Windows 11 installer. Registered in January 2022, the fake Microsoft page distributes a malicious zip file, leading to data theft once executed. The campaign involves encoded PowerShell commands and disguised DLL files for payload delivery.

Threat Group, TA402/Molerats & NimbleMamba Malware

ProofPoint reports TA402/Molerats targeting Middle Eastern governments, think tanks, and a state-affiliated airline since late 2021. Using geofencing and phishing emails, the group distributes NimbleMamba malware and BrittleBush trojans. Geofencing directs non-targets to benign sites, while Dropbox is used for C2 communication without geofencing.