Anvilogic Forge Threat Research Reports
Here you can find an accumulation of trending threats published weekly by the Anvilogic team.
We curate threat intelligence to provide situational awareness and actionable insights
Atomic detections that serve as the foundation of our detection framework.
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
CronRAT
CronRAT is a remote access trojan that hides in the calendar system of a Linux server by scheduling tasks on the non-existent day of February 31st to evade detection. Discovered by security vendor Sansec, CronRAT has been found on multiple online stores. Its capabilities include fileless execution, timing modulation, anti-tampering checksums, control via binary obfuscated protocol, launching a tandem RAT in a separate Linux subsystem, a control server disguised as 'Dropbear SSH' service, and payloads hidden in legitimate CRON scheduled task names.
APT37 and Chinotto Malware
Kaspersky identifies North Korean APT37 targeting South Korean journalists, defectors, and human rights activists using Chinott malware. Distributed via watering holes, spear-phishing, and smishing, Chinott variants in PowerShell, Windows, and Android share command and control schemes based in HTTP. Capabilities include registry modification, persistence through PowerShell, and file collection.
APT31 SoWaT Route Implant
Imp0rtp3 research details APT31's use of the SoWaT router implant, which functions as a client or server using TLS for communication. The implant supports 16 commands, including a killswitch that activates if no connections are made within 24 hours. The report also highlights APT31's use of Operational Relay Boxes (ORBs) in their network operations involving hacked routers.
UNC2190 - Arcane and Sabbath
Mandiant's research on UNC2190 (Arcane/Sabbath) reveals the group's targeting of critical infrastructure in the US and Canada, along with sectors in education, health, and natural resources. Using ROLLCOAST ransomware, UNC2190 employs multifaceted extortion, data theft, and backup destruction. Notably, no ROLLCOAST code has been found for two years.
WIRTE Group
Kaspersky reports the WIRTE group is using Excel 4.0 macros to target high-profile entities, particularly in the Middle East. The attacks involve phishing campaigns, LotL techniques, and a PowerShell implant called LitePower. There's low confidence attribution linking WIRTE to the Gaza Cybergang.
Vestas Wind Systems Impacted by Cyberattack
Vestas Wind Systems, a wind turbine manufacturer, was hit by a cyberattack on November 19th, 2021. The company is working to restore internal IT systems, with investigations ongoing. Preliminary findings indicate no impact on customer or supply chain operations.
.png)
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
.png)
Whitepapers
The World's Best SOC Teams Use Anvilogic
.png)
.svg)
.svg)
.svg)
.svg)
.svg)
