Anvilogic Forge Threat Research Reports
Here you can find an accumulation of trending threats published weekly by the Anvilogic team.
We curate threat intelligence to provide situational awareness and actionable insights.
Atomic detections that serve as the foundation of our detection framework.
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
• Threat News Reports
• Trending Threat Reports
• Research Articles
Forge Report: First Half Threat Trends of 2024

Featured Threat Reports

All Threat Reports
Conti's Chats Leaked
Conti chats stored on a Jabber communication system were leaked by a Ukrainian security researcher, as reported by BleepingComputer. The leak follows Conti's recent announcement that it sides with Russia in the Ukrainian conflict. The validity of the leaked messages was confirmed by AdvIntel CEO Vitali Kremez and the security firm Hold Security. The leaked data, dating back to January 21st, 2021, comprises 60,694 messages contained in 393 JSON files. These conversations provide insight into the gang's activities, including previously unreported victims, private data leak URLs, bitcoin addresses, and discussions about their operations.
Trojan.Killdisk/HermeticWiper, Disk-Wiping Malware
Symantec reports on Killdisk/HermeticWiper, a disk-wiping malware discovered on February 24, 2022. The malware corrupts the Master Boot Record, making recovery impossible. A Lithuanian organization was infiltrated in November 2021, when the attackers staged files and established persistence. The intrusion included certutil checks, credential collection, and PowerShell scripts, culminating in a wiper attack.
TA2541
Proofpoint has tracked TA2541 targeting the aviation, aerospace, transportation, and defense industries since 2017. The group uses phishing emails with malicious links to download RATs such as AsyncRAT, NetWire, and Parallax. Its techniques include PowerShell downloads, process injection, and persistence through startup directories and scheduled tasks.
Meyer Corporation Ransomware Attack
On October 25, 2021, Meyer Corporation, a cookware distributor, suffered a ransomware attack, as reported by BleepingComputer. The incident review completed on December 1, 2021, identified the compromise of employee data, including names, addresses, dates of birth, social security numbers, passports, and government ID numbers. Subsidiaries such as Hestan Commercial Corporation and Hestan Vineyards were also affected. While Meyer Corporation's notification lacks specific details, BleepingComputer linked the attack to the Conti ransomware group, which posted 2% of the stolen data on its extortion site.
Financial Fraud with Exchange Vulnerabilities
Since September 2021, Squirrelwaffle malware has been exploiting the Microsoft Exchange ProxyLogon and ProxyShell vulnerabilities. According to Sophos, hijacked email threads are used to spread the malware and to commit financial fraud: the attackers register "typo-squatted" domains and send fraudulent payment requests from them, redirecting victims' payments by manipulating the existing email threads.
Emotet Changes Infection Tactic
Palo Alto Networks Unit 42 has identified a new infection tactic used by the Emotet malware. The attack begins with phishing emails containing hijacked email threads and delivers an Excel file with an obfuscated macro. Enabling the macro downloads an HTML application, which then executes two stages of PowerShell to deploy the final Emotet payload.
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors that can be responded to with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.