Anvilogic Forge Threat Research Reports
Here you can find an accumulation of trending threats published weekly by the Anvilogic team.
We curate threat intelligence to provide situational awareness and actionable insights
Atomic detections that serve as the foundation of our detection framework.
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
Chaos Ransomware Aligns with Russia
Fortinet has identified the Chaos ransomware group aligning with Russia in the Ukraine conflict. This is evident from the negative messages about the Ukraine government displayed after encryption is completed. The arrival vector for the malware is undetermined but is likely through email or forum posts. The variant investigated by Fortinet, compiled on May 16th, 2022, functions as a potential file destroyer, offering no recovery options for affected files and deleting shadow copies from impacted workstations.
Gootloader Infection
Red Canary provides details on Gootloader malware, which uses compromised WordPress sites and SEO poisoning to distribute malicious ZIP files. The attack targets enterprise victims, initiating with a JavaScript file that checks for Active Directory and downloads DLL payloads. The malware establishes persistence via the registry and scheduled tasks using PowerShell, culminating in the execution of commands to deploy payloads like Cobalt Strike Beacon.
Conti Group is Defunct
AdvIntel, known for tracking Conti activity, has discovered the shutdown of Conti ransomware operations. Critical ransom features were removed from the Conti News blog, including the infrastructure for negotiations, data uploads, and hosting of stolen data. These shutdown activities began on May 19th, 2022. Conti's leadership had anticipated this moment, using the attack on Costa Rica as a cover. Despite the shutdown, the threat from Conti remains, as the group transitions to a more decentralized network structure. AdvIntel outlines four types of sub-groups that may continue Conti's operations, focusing on data exfiltration over encryption. This transition is particularly evident in groups like Karakurt and BlackByte, signaling a shift towards data theft without the need for ransomware lockers.
Ursnif Phishing Campaigns
Qualys reviews Ursnif malware, targeting banking, financial services, and government sectors through phishing emails. Ursnif steals credentials and downloads additional payloads. The malware uses Excel and zip attachments to infect victims, leveraging current events and impersonating government authorities.
Phishing with World Health Organization Themes
ProofPoint identifies a phishing campaign using World Health Organization themes to distribute the Nerbian remote access trojan (RAT). Starting April 26th, 2022, the campaign targets entities in Italy, Spain, and the UK. Emails contain malicious documents that, once executed, deploy the RAT and establish persistence for further payloads.
Increased Threats to Managed Service Providers
The Five Eyes intelligence alliance, comprising the US, UK, Australia, Canada, and New Zealand, has issued a warning to managed service providers (MSPs) about rising cyber threats. These threats, including ransomware and cyber espionage, often exploit the trust relationships between MSPs and their customers. The advisory recommends hardening defenses, enabling MFA, segregating networks, and regularly updating and backing up systems to mitigate risks.
.png)
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
.png)
Whitepapers
The World's Best SOC Teams Use Anvilogic
.png)
.svg)
.svg)
.svg)
.svg)
.svg)
