Anvilogic Forge Threat Research Reports
Here you can find an accumulation of trending threats published weekly by the Anvilogic team.
We curate threat intelligence to provide situational awareness and actionable insights
Atomic detections that serve as the foundation of our detection framework.
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
Crypto.com Data Breach
Crypto.com, one of the largest cryptocurrency trading platforms, disclosed a data breach on January 17th, 2022, compromising at least 483 customer accounts. Users reported unauthorized withdrawals, prompting the company to suspend transactions and implement additional security measures. Crypto.com's CEO Kris Marszalek confirmed that no customer funds were lost, and affected customers were fully reimbursed. The breach involved unauthorized withdrawals totaling 4,836.26 ETH, 443.93 BTC, and approximately US$66,200 in other currencies. The company revoked all customers’ 2FA tokens, causing a 14-hour downtime for the withdrawal infrastructure.
Web Page Archive Files
NetSkope Threat Labs has identified malicious Microsoft Office documents using Web Page Archive files (.mht/.mhtml) in recent attacks. These files, potentially linked to APT32/OceanLotus, contain VBS code that drops DLL files and creates a scheduled task. The DLL injects itself into another process and runs rundll32 indefinitely, sending data to a C2 server on Glitch.
Signed DLL Campaigns / Polyglot
Researchers Jason Reaves and Joshua Platt detail campaigns using polyglotting to bypass security by embedding VBScript in signed DLLs. Malicious installers distribute malware such as AterAgent RAT, Zloader, Gozi, and Cobalt Strike. These scripts alter Windows Defender, invoke PowerShell downloads, modify the registry, and execute shutdown commands.
ProxyShell Exploited with DatopLoader Leading to Qakbot
Cybereason reports the emergence of DatopLoader malware following the exploitation of ProxyShell and Exchange vulnerabilities. DatopLoader delivers Qakbot, establishing persistence and conducting reconnaissance using native tools and AdFind. The attack also involves lateral movement with Cobalt Strike via PsExec and credential access through registry hive collection.
MuddyWater Part of Iranian Intelligence Activities
U.S. Cyber Command connects MuddyWater to Iran's MOIS, revealing the group's focus on surveillance and espionage against Middle Eastern, European, and North American nations. MOIS conducts domestic and international surveillance through embassy agents, targeting regime opponents and anti-regime activists.
Microsoft Defender Weakness
SentinelOne researchers have identified a weakness in Microsoft Defender that allows local attackers to query the registry and find excluded locations. This vulnerability enables attackers to plant malware in these excluded directories without detection. Group Policy settings can also be queried from the registry tree, giving attackers greater visibility into the network. Tests by BleepingComputer showed that executing malware from an excluded folder resulted in no action from Defender, while executing from a non-excluded location triggered a block. This issue affects Windows 10 versions 21H1 and 21H2 but not Windows 11.
.png)
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
.png)
Whitepapers
The World's Best SOC Teams Use Anvilogic
.png)
.svg)
.svg)
.svg)
.svg)
.svg)
