Anvilogic Forge Threat Research Reports
Here you can find an accumulation of trending threats published weekly by the Anvilogic team.
We curate threat intelligence to provide situational awareness and actionable insights
Atomic detections that serve as the foundation of our detection framework.
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
Moncler - Ransomware Attack
In December 2021, Italian fashion giant Moncler disclosed a ransomware attack by AlphV/BlackCat, leading to operational disruptions and data breaches. The attack caused temporary outages and prioritized shipments once logistics systems were restored. The compromised data includes information related to customers, employees, former employees, suppliers, consultants, and business partners, but not payment information. Moncler refused to pay the ransom, citing it would go against its founding principles.
FIN8 Connection to White Rabbit Ransomware
In December 2021, White Rabbit ransomware was identified in an attack on a US bank. Potentially linked to the FIN8 group, it shares similarities with Egregor ransomware, requiring a command-line password for payload decryption. TrendMicro's telemetry revealed a PowerShell download via Cobalt Strike. White Rabbit targets remain few, suggesting ongoing testing by threat actors.
Diavol Ransomware and TrickBot Group
The FBI's latest report links Diavol ransomware to the TrickBot group, noting shared tactics and malware usage, including unique system IDs and Anchor DNS. The group has compromised entities with ransom demands from $10,000 to $500,000, though no data leaks have been observed.
APT41 UEFI Malware MoonBounce
Kaspersky reports that APT41 is using the highly persistent MoonBounce UEFI firmware implant, which resides in the SPI flash memory of the motherboard. The implant operates filelessly, initiating from the CORE_DXE component during the UEFI boot sequence and reaching out to a C2 server for further payloads. The implant was first identified in spring 2021, with evidence suggesting espionage activity starting as early as 2020.
Chinese Cyber-Espionage Group Earth Lusca
TrendMicro has identified the Chinese cyber-espionage group Earth Lusca, which conducts undercover operations on institutions of interest to the Chinese government while also engaging in financially motivated activities. Since mid-2021, Earth Lusca has targeted a wide range of industries, including education, finance (specifically cryptocurrency), gambling, government, news, telecommunications, and religion. The group employs watering hole attacks, spear-phishing campaigns, and exploits public-facing vulnerabilities such as ProxyShell and Oracle vulnerabilities to gain initial access.
WhisperGate
Palo Alto Unit42 reports on WhisperGate malware, targeting Ukraine since January 13, 2022. WhisperGate includes Stage1.exe, which overwrites master boot records, and Stage2.exe, an in-memory implant retrieving malicious files from Discord. The malware employs LOLBINs and anti-analysis techniques for evasion.
.png)
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
.png)
Whitepapers
The World's Best SOC Teams Use Anvilogic
.png)
.svg)
.svg)
.svg)
.svg)
.svg)
