Anvilogic Forge Threat Research Reports
Here you can find the trending threat reports published weekly by the Anvilogic team. We curate threat intelligence to provide situational awareness and actionable insights.
Threat Identifiers: atomic detections that serve as the foundation of our detection framework.
Threat Scenarios: risk-, pattern-, and sequence-based detections that use the outputs of Threat Identifiers to identify actual threats.
• Threat News Reports
• Trending Threat Reports
• Research Articles
Forge Report: First Half Threat Trends of 2024

Featured Threat Reports

All Threat Reports
Conti & LockBit Lead Ransomware Comparison
Trend Micro's analysis of ransomware groups from November 2019 to March 2022 compares the most prominent groups, Conti and LockBit. During this period, Conti was associated with 805 identified victims, LockBit with 666, and Maze with 330. Since August 2020, Conti has consistently led in monthly victim counts, initially maintaining double-digit figures; LockBit's activity surged in July 2021, matching Conti's double-digit monthly counts. Geographically, Conti heavily targets North American entities, followed by Europe, with the two regions together accounting for 93% of its victims. LockBit has a more dispersed target profile, with North America and Europe representing 68% of its victims. Both groups spread their activity evenly across the top industry categories, showing no specific industry trend.
Fraudulent Copyright Themed Emails From LockBit Ransomware Identified
ASEC analysis reveals that LockBit ransomware is being distributed through fraudulent emails warning of copyright infringement. The phishing emails carry a compressed file containing an NSIS script file disguised as a PDF. Upon execution, the ransomware establishes persistence through a Run key, deletes shadow copies, terminates services, and then encrypts removable, fixed, and RAM disk drives.
Chinese-Speaking Threat Actors Target ICS
Kaspersky ICS CERT researchers have identified a threat campaign beginning as early as March 2021 and targeting the logistics, transportation, telecommunication, and industrial sectors in Malaysia, Pakistan, and Afghanistan. Discovered in mid-October 2021, the campaign involved the ShadowPad backdoor affecting industrial control systems, specifically engineering computers in the building automation systems of a telecom company in Pakistan. Attackers gained initial access by exploiting the Microsoft Exchange vulnerability CVE-2021-26855 (ProxyLogon). Their toolset included Cobalt Strike, web shells, certutil for downloading files, procdump and mimikatz for credential access, and BAT scripts for data collection. Persistence was achieved by scripting the data collection and scheduling it to run daily. The activity is attributed to a Chinese-speaking group potentially linked to HAFNIUM.
Hacktivist Group Attacks Three Iranian Steel Companies
On June 27, 2022, the hacktivist group "Gonjeshke Darande" attacked three Iranian steel companies, deploying wiper malware and causing significant damage. Operations at Khuzestan Steel, one of Iran’s largest steel companies, were suspended. The group, also known for a 2021 attack on Iran's railway system, has been tracked by SentinelOne under various aliases.
Black Basta Initiates Intrusion Featuring Qakbot to Exploit PrintNightmare Vulnerability
Since April 2022, Trend Micro has been tracking the Black Basta ransomware group, uncovering an intrusion in which Qakbot was delivered via a malicious Excel document. After the initial Qakbot infection, the group exploited the PrintNightmare (CVE-2021-1675) Print Spooler vulnerability, used regsvr32.exe to execute Qakbot DLLs, performed process injection into explorer.exe, and created persistence with a scheduled task. Additional payloads included fileless PowerShell scripts that executed Cobeacon, the Coroxy backdoor, and Netcat for lateral movement, all leading to the eventual ransomware deployment.
Tropic Trooper's "Unorthodox" Infection Chain
Check Point Research tracks Tropic Trooper's unorthodox infection chain, which targets Chinese-speaking users. The attack uses the Nimbda loader, a trojanized SMS Bomber tool, and the TROJ_YAHOYAH malware. The chain involves shellcode injection, command-and-control communication over GitHub and Gitee, and persistence via a Windows Run key. The ultimate goal remains unclear, but the trojanized SMS Bomber appears to serve as misdirection.
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors that can be acted on with Threat Scenarios or Threat Identifiers.
Strategic
General information security news, for awareness.