APT

September 24, 2019

THREAT RESEARCH

How Tortoiseshell created a fake veteran hiring website to host malware

Cisco Talos recently discovered a threat actor attempting to take advantage of Americans who may be seeking a job, especially military veterans. The actor, previously identified by Symantec as Tortoiseshell, deployed a website called hxxp://hiremilitaryheroes[.]com that posed as a website to help U.…

July 9, 2019

THREAT RESEARCH

Sea Turtle Keeps on Swimming

By Danny Adamitis with contributions from Paul Rascagneres. Executive summary After several months of activity, the actors behind the “Sea Turtle” DNS hijacking campaign are not slowing down. Cisco Talos recently discovered new details that suggest they regrouped after we published our i…

April 23, 2019

THREAT RESEARCH

DNSpionage brings out the Karkoff

In November 2018, Cisco Talos discovered an attack campaign, called DNSpionage, in which threat actors created a new remote administrative tool that supports HTTP and DNS communication with the attackers’ command and control (C2). Since then, there have been several other public reports of addi…

April 17, 2019

THREAT RESEARCH

DNS Hijacking Abuses Trust In Core Internet Service

This blog post discusses the technical details of a state-sponsored attack manipulating DNS systems. While this incident is limited to targeting primarily national security organizations in the Middle East and North Africa, and we do not want to overstate the consequences of this specific campaign,…

November 27, 2018

THREAT RESEARCH

DNSpionage Campaign Targets Middle East

This blog post was authored by Warren Mercer and Paul Rascagneres. Executive Summary Cisco Talos recently discovered a new campaign targeting Lebanon and the United Arab Emirates (UAE) affecting .gov domains, as well as a private Lebanese airline company. Based on our research, it’s clear that…

May 31, 2018

THREAT RESEARCH

NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea

This blog post is authored by Warren Mercer and Paul Rascagneres with contributions from Jungsoo An. Executive Summary Talos has discovered a new malicious Hangul Word Processor (HWP) document targeting Korean users. If a malicious document is opened, a remote access trojan that we’re calling…

April 26, 2018

THREAT RESEARCH

GravityRAT – The Two-Year Evolution Of An APT Targeting India

This blog post is authored by Warren Mercer and Paul Rascagneres. Summary Today, Cisco Talos is uncovering a new piece of malware, which has remained under the radar for the past two years while it continues to be developed. Several weeks ago, we identified the use of the latest version of this RAT…

January 15, 2018

THREAT RESEARCH

Korea In The Crosshairs

This blog post is authored by Warren Mercer and Paul Rascagneres with contributions from Jungsoo An. This article exposes the malicious activities of Group 123 during 2017. We assess with high confidence that Group 123 was responsible for the following six campaigns: “Golden Time” c…

December 19, 2017

THREAT RESEARCH

Virus Bulletin Publication And Presentation

The Virus Bulletin conference is a well-regarded, intimate technical conference focused on malware research. It provides a good balance between listening to technical talks and spending time exchanging experiences with colleagues from different companies, all working on the same task of making our comput…