Anvilogic Forge Threat Research Reports
Here you can find an accumulation of trending threats published weekly by the Anvilogic team.
We curate threat intelligence to provide situational awareness and actionable insights
Atomic detections that serve as the foundation of our detection framework.
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
SEO Poisoning dropping malware
Mandiant Managed Defense reports an SEO poisoning campaign distributing BATLOADER malware and ATERA software. Malicious webpages use Traffic Direction System (TDS) to evade detection, with infection chains involving native tools and DLL files. Techniques overlap with the Conti playbooks, but attribution remains unknown.
Phosphorus/APT32 New PowerLess Trojan
Cybereason reports that Iranian group Phosphorus/APT35 is using the new PowerLess Trojan and exploiting Log4Shell vulnerabilities. The Trojan avoids detection by running PowerShell in a .NET context, downloading additional payloads for information theft. There are potential links between this activity and Memento ransomware based on infrastructure overlaps.
News Corp Cyberattack
News Corp reported a January 2022 cyberattack by hackers aligned with a foreign government. The attackers accessed emails and documents of employees, including journalists. Affected News Corp properties include Fox News, The Wall Street Journal, New York Post, and News UK. Data exfiltration was confirmed, though full impact details are undisclosed.
MuddyWater ATP Group
Cisco Talos research reveals that the Iranian APT group MuddyWater, linked to Iran's Ministry of Intelligence and Security (MOIS), is targeting users in Turkey. The group uses malicious PDFs, Office documents, and Windows executables to gain initial access. MuddyWater leverages living-off-the-land binaries (LoLBins) like VBS scripts and DLLs to evade detection. Persistence is established through registry key modifications, and the group uses canarytokens to track code execution and implement anti-analysis methods. These tokens notify the attacker when an object is opened, adding layers of evasion and control.
Koxic Ransomware
Cyble Research Labs analyzes Koxic ransomware, detailing its process of collecting system information, modifying registry keys, and tampering with system defenses. The ransomware terminates security applications, deletes shadow copies, and collects sensitive information, which is exfiltrated before encryption. Encrypted files are given the extension "KOXIC_KLIBD," and a ransomware note is distributed to victim hosts.
Conti Ransomware Hits KP Snacks
On January 28th, 2022, British snacks producer KP Snacks was compromised by the Conti ransomware gang. The attack resulted in the compromise and leak of sensitive documents, including employee records and financial documents. Due to the disruption to its supply chain, KP Snacks has notified markets that there may be shortages and delivery delays or cancellations, with the impact expected to last until the end of March.
.png)
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
.png)
Whitepapers
The World's Best SOC Teams Use Anvilogic
.png)
.svg)
.svg)
.svg)
.svg)
.svg)
