Summary of Findings What is Azure Functions? Technical Analysis Proof of Concept Why Does this Matter? Summary of Findings In previous months...
Intro Linux threats are becoming more frequent. A common type of Linux threat is cryptojacking, which is the unauthorized use of an...
Already with thousands of victims. Intro With Bitcoin on the rise and a market exceeding billions of dollars, cryptocurrency has attracted threat actors...
Intro In early December, we discovered a new, undetected worm written in Golang. This worm continues the popular 2020 trend of multi-platform malware developed...
Summary In November, we uncovered COVID-19 phishing lures that were used to deliver the Go version of Zebrocy. Zebrocy is mainly used...
Intro It is common for threat actors to evolve their Linux malware. BlackTech with their new ELF_PLEAD malware and Winnti’s PWNLNX tool are recent examples....
Introduction The development of cross-platform malware is not new, however, we continue to observe a number of malware that were previously documented only...
The term Offensive Security Tool, also known as OST, is a controversial subject within the InfoSec community. It often sparks fierce debate...
The Ke3chang group, also known as APT15, is an alleged Chinese government-backed cluster of teams known to target various high-profile entities spanning...
It is not often that you see a botnet’s tooling written from scratch. The Internet of things (IoT) botnet ecosystem is relatively well-documented by...
Checklist for protecting your Linux cloud servers against cyber attacks Taking inspiration from the MITRE ATT&CK® framework, we have developed a matrix categorizing...
Accelerate your file investigations with new and improved string reuse capabilities in Intezer Analyze Users of Intezer Analyze may have noticed new...
Attackers have long used evasion features in their malware to avoid detection by security products and analysis systems. One of the most...
Introduction Our researchers Paul Litvak and Michael Kajilolti have discovered a new campaign conducted by APT34 employing an updated toolset. Based on uncovered...
Introduction Our research team has identified new versions of an old Linux malware known as Rekoobe, a minimalistic trojan with a complex CNC...
What an amazing year it has been for us at Intezer! The company nearly doubled in size, we added several new important...
Introduction ChinaZ is a Chinese cybercrime group and the author of several DDoS malware. We have profiled this group in a previous...
Distributed denial-of-service attacks were on the rise in 2018 and continuing into 2019, ranging from a high volume of Mirai attacks to...
Introduction We have discovered an undetected Linux backdoor which does not have any known connections to other threat groups. VirusTotal detection rate...
Analysis by Intezer and IBM X-Force points its origins to a Malware-as-a-Service (MaaS) provider utilized by the Cobalt Gang and FIN6 attack...
This research is a joint effort conducted by Omri Ben-Bassat from Intezer and Itay Cohen from Check Point Research. Prologue пролог If...
Introduction We previously reported on how we managed to temporarily shut down 15 operative QNAPCrypt ransomware campaigns targeting Linux-based file storage systems...
In a previous post we wrote for the Retail and Hospitality Information Sharing and Analysis Center (RH-ISAC), we discussed the emergence of...
At BlackHat Arsenal 2019 Intezer’s researcher, Omri Ben-Bassat, revealed open-source tool called MoP (“Master of Puppets”) which is a framework for reverse...
Overview We have discovered a new version of WatchBog—a cryptocurrency-mining botnet operational since late 2018—that we suspect has compromised more than 4,500...
Introduction Linux desktop remains an unpopular choice among mainstream desktop users, making up a little more than 2% of the desktop operating system...
Introduction It is rare to see ransomware being used to target the Linux operating system. However, cyber criminals seem to adapt...
This is a new post in our Executable and Linkable Format (ELF) 101 series, where the goal is to spread awareness about the...
Overview • Intezer has discovered a new, sophisticated malware that we have named “HiddenWasp”, targeting Linux systems. • The malware is...
Pacha Group is a crypto-mining threat actor we at Intezer discovered and profiled in a blog post published on February 28, 2019....
The Pacha Group is a threat actor discovered by Intezer and profiled in a blog post published on February 28, 2019. Dating back...
Introduction Cryptomining malware, also known as cryptojacking or cryptocurrency mining malware, refers to software developed to take over a computer’s resources and...
Key Takeaways: • Intezer has evidence of a new threat actor, calling it Pacha Group, which has been deploying undetected cryptojacking campaigns...
Introduction Distributed denial-of-service (DDoS) attacks were on the rise in 2018, ranging from a high volume of Mirai attacks to more sophisticated...
The Muhstik botnet was first exposed by Netlab360 researchers in May 2018. This botnet targeted mainly GPON routers. At Intezer we found that Muhstik is extending its spectrum...
At Intezer information sharing is a key component of our makeup and reflected in our technology. In the spirit of industry collaboration...
INTRODUCTION As seen by security researchers across the world and proven in a joint research by McAfee and Intezer, Lazarus, one of...
Researchers at Palo Alto Networks recently published a report regarding the NOKKI malware, which has shared code with KONNI and, although not in...
ELF SUPPORT We would like to proudly announce that Intezer Analyze™ now supports genetic malware analysis for ELF binaries! You may now...
Introduction In the past couple years, Palo Alto Networks reported on the “Prince of Persia” malware campaign which is believed to be...
This research is a joint effort of Christiaan Beek, lead scientist & sr. principal engineer at McAfee, and Jay Rosenberg, senior security researcher...
Recently, Proofpoint released a fairly surprising report, stating that Banking Trojans have surpassed Ransomware as the top malware threat found in email....
APT15 Background Coincidentally, following the recent hack of a US Navy contractor and theft of highly sensitive data on submarine warfare, we...
As stated in a previous blog entry, it is common for malware authors to sign malicious files with “legitimate” digital certificates in...
In April 2018, while monitoring public data feeds, we noticed an interesting and previously unknown backdoor using HackingTeam’s leaked RCS source code....
In our previous post, we went through the concept of symbols and their functionality. In this post we will introduce the concept...
Detecting Reused Ransomware Whether we’re dealing with a criminal threat actor looking to steal money from their victims using ransomware or malware...
In our previous post, we focused on understanding the relationship between sections and segments, which serve as the foundation for understanding the...
Introduction This marks the first of several blog posts that will focus on Executable and Linkable Format (ELF) files. In this series,...
As we have proven in previous research blog posts, malware authors often reuse the same code. This evolution of code and code...
IBM X-Force recently released an excellent report on a new banking trojan named IcedID that is being distributed using computers already infected...
Kaspersky Labs published a technical analysis of a new malware, Silence that is aimed at attacking financial institutions. After uploading the loader...
Since my last post, we have found new evidence in the next stage payloads of the CCleaner supply chain attack that provide...
Large scale cyber attacks seem to be happening once a month these days. Originally discovered by ESET (https://www.welivesecurity.com/2017/10/24/kiev-metro-hit-new-variant-infamous-diskcoder-ransomware/), Ukrainian and Russian organizations...
Software developers and malware authors share a desire to work smart, not hard In the software development world, engineers frequently use ready-made...
Since my last post, we have found new evidence in the next stage payloads of the CCleaner supply chain attack that provide...
Recently, there have been a few attacks with a supply chain infection, such as Shadowpad being implanted in many of Netsarang’s products,...
Our previous blog post was a short brief of new Agent.BTZ variants that we found. This second part in the series will...
Agent.BTZ–also known as ComRAT–is one of the world’s oldest known state-sponsored threats, mainly known for the 2008 Pentagon breach. Technically speaking, Agent.BTZ...