Anvilogic Forge Threat Research Reports
Here you can find an accumulation of trending threats published weekly by the Anvilogic team. We curate threat intelligence to provide situational awareness and actionable insights.
Atomic detections that serve as the foundation of our detection framework.
Risk-, pattern-, and sequence-based detections that use the outputs of Threat Identifiers to identify actual threats.
• Threat News Reports
• Trending Threat Reports
• Research Articles
Forge Report: First Half Threat Trends of 2024

Featured Threat Reports

All Threat Reports
Magecart Abuses Google Tag Manager
The Magecart threat actor group has exploited Google Tag Manager (GTM) by embedding malicious JavaScript within GTM containers. This abuse allows the JavaScript to execute when a browser loads the container, collecting payment information from unsuspecting buyers through fraudulent payment forms and exfiltrating the data to a remote server. Gemini Advisory, a Recorded Future company, reports that since February 4th, 2021, 316 e-commerce sites have been compromised, resulting in at least 88,000 payment card records being posted for sale on dark web markets.
ANSSI Alerts of Nobelium Targeting French Organizations
ANSSI raised an alert on Nobelium phishing campaigns targeting French entities, with attacks beginning in February 2021 and escalating in May. Compromised French email accounts are used to send weaponized emails to foreign diplomatic sectors, utilizing various hosting providers.
RTF Template Injection
Proofpoint reports increased RTF template injection attacks by the APT groups TA423, DoNot Team, and Gamaredon since February 2021. This technique alters RTF file control words so that the document retrieves malicious payloads. Targets include Malaysia's energy exploration sector and the Ukrainian government. Detection rates remain low, necessitating vigilance.
Yanluowang Ransomware Linked to Thieflock Affiliate
Symantec reports a connection between Yanluowang ransomware and Thieflock, targeting US corporations in various sectors. Yanluowang employs BazarLoader for initial access, PowerShell to enable RDP, and AdFind for reconnaissance, suggesting a shift in affiliate allegiances from Thieflock to Yanluowang.
TiltedTemple Campaign, APT27
Palo Alto Networks Unit 42 reports APT27's TiltedTemple campaign, exploiting vulnerabilities in Zoho's ManageEngine ADSelfService Plus (CVE-2021-40539) and ServiceDesk Plus (CVE-2021-44077). The threat group developed its own exploit for remote code execution and has targeted organizations since September 2021. Exploitation involves specific API requests used to deploy and execute payloads.
Microsoft Excel (XLL) Leads to RedLine Info-Stealer
Threat actors are spreading malicious Excel XLL add-ins via public forums and article comment systems to distribute the RedLine information stealer. These XLL files, hosted on Google Drive, function as DLL files executed by Excel, triggering malicious actions. While some tests failed due to incompatible Excel versions, successful sequences involve executing the DLL with regsvr32 or rundll32 to download RedLine using wget.exe, saving it as %UserProfile%\JavaBridge32.exe. The malware achieves persistence by creating an autorun registry entry.
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors that can be responded to with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.