Anvilogic Forge Threat Research Reports

Here you can find an accumulation of trending threats published weekly by the Anvilogic team.

We curate threat intelligence to provide situational awareness and actionable insights.

Threat Identifier Detections

Atomic detections that serve as the foundation of our detection framework.

Threat Scenario Detections

Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.

Reports Hot Off the Forge

Threat News Reports
Trending Threat Reports
Research Articles

Forge Threat Report

Forge Report: First Half Threat Trends of 2024

Anvilogic Forge's latest report offers essential insights into key threat trends and adversarial tactics observed in the first half of 2024. From the pervasive use of PowerShell and remote access tools to sophisticated social engineering and attacks on the healthcare sector, this comprehensive analysis provides actionable intelligence and detection rules to bolster your defenses. Explore our key findings and access ready-to-deploy detection content to enhance your security posture.

All Threat Reports

04-13-2022 | Level: Tactical | Source:

Colibri Loader

Malwarebytes has provided an analysis of Colibri Loader, a malware that appeared in underground forums in August 2021. Marketed to those with high traffic and limited time, Colibri Loader was recently observed delivering the Vidar information stealer. The attack chain begins with a malicious document triggering PowerShell to download Colibri Loader via BitsTransfer. Depending on the Windows version (7 or 10), the malware's directory location and scheduled task vary. The Windows 10 version achieves persistence by running PowerShell with a hidden window and exploiting the Get-Variable cmdlet by using a malicious executable named Get-Variable.exe. This technique leverages the default WindowsApps path to execute the malicious binary instead of the legitimate PowerShell cmdlet, demonstrating how adversaries can achieve persistence.

Cybersecurity
Information & Technology
Software
04-06-2022 | Level: Tactical | Source:

IcedID Spreads with Compromised Microsoft Exchange Servers

Intezer has observed a new IcedID malware campaign utilizing compromised Microsoft Exchange servers to send hijacked email threads for increased legitimacy. Historically a banking trojan, IcedID has evolved into a malware loader. The latest infection chain uses a zip file containing a malicious ISO with a DLL and LNK file, which, when executed, uses regsvr32 to deploy the malware.

Cybersecurity
04-06-2022 | Level: Tactical | Source:

eSentire Conti Leaks Analysis

eSentire's Threat Response Unit (TRU) analyzed Conti ransomware group leaks from 2021 and 2022, revealing their organized structure, use of operational manuals, and reliance on tools like Cobalt Strike, Mimikatz, and various LOLBins. The data leaks show Conti's detailed and efficient intrusion procedures.

Technology
04-06-2022 | Level: Strategic | Source:

Connecticut Airport Hit with Cyberattack

A cyberattack on Bradley International Airport's website, disclosed by CyberKnow and the Connecticut Airport Authority, occurred on March 29, 2022. Attackers left messages indicating the attack was in response to the Russia-Ukraine conflict, including statements like 'when the supply of weapons to Ukraine stops, attacks on the information structure of your country will instantly stop' and 'America, no one is afraid of you.' The U.S. Cybersecurity & Infrastructure Security Agency (CISA) reports no evidence of a data breach. While CyberKnow attributed the attack to the Russian threat actor group Killnet, the exact perpetrators remain undetermined.

Aviation
Cybersecurity
Information & Technology
Transportation
Government
04-06-2022 | Level: Tactical | Source:

APT36's Transparent Tribe Campaign

Cisco Talos reports that Pakistan-based APT36 (Mythic Leopard) has been targeting Indian government and military entities since June 2021 with the Transparent Tribe campaign. Methods include fraudulent installers, malicious documents with Covid-19 themes, and archive files. Key payloads are CrimsonRAT, a Python-based stager, and a .NET-based implant.

Government
Military
Healthcare
Cybersecurity
Information & Technology
04-06-2022 | Level: Strategic | Source:

Lapsus$ Hacks Globant

Information Technology and Software company Globant has been breached by the Lapsus$ group, resulting in the leak of 70GB of data, including source code and admin passwords. Clients like BNP Paribas, Facebook, Abbott, Stifel, and DHL are potentially affected. Researchers from VX-Underground and Comparitech suggest the breach was due to poor password hygiene. Despite recent arrests, Lapsus$ continues its operations, undeterred.

Information & Technology

Intelligence Levels for Threat Reports

Tactical

Detectable threat behaviors for response with threat scenarios or threat identifiers.

Strategic

General information security news, for awareness.


Build Detections You Want,
Where You Want