Research
Lightning Framework: New Undetected “Swiss Army Knife” Linux Malware ⚡
Lightning Framework is a new undetected Swiss Army Knife-like Linux malware that has modular plugins and the ability to install rootkits. Year...
OrBit: New Undetected Linux Threat Uses Unique Hijack of Execution Flow
Linux is a popular operating system for servers and cloud infrastructures, and as such it’s not a surprise that it attracts threat...
YTStealer Malware: “YouTube Cookies! Om Nom Nom Nom”
The Stage: The Dark Web Market for YouTube Account Access In 2006, the term “data is the new oil” was coined. Ever...
Symbiote Deep-Dive: Analysis of a New, Nearly-Impossible-to-Detect Linux Threat
Symbiote is a new Linux® malware we discovered that acts in a parasitic nature, infecting other running processes to inflict damage on...
Elephant Framework Delivered in Phishing Attacks Against Ukrainian Organizations
A recently developed malware framework called Elephant is being delivered in targeted spear phishing campaigns using spoofed Ukrainian governmental email addresses. The...
New Conversation Hijacking Campaign Delivering IcedID
This post describes the technical analysis of a new campaign detected by Intezer’s research team, which initiates attacks with a phishing email...
Targeted Phishing Attack against Ukrainian Government Expands to Georgia
In May 2021, Fortinet published a report about the early stages of an ongoing phishing attack against the Ukrainian government. The attack, initially...
Global Phishing Campaign Targets Energy Sector and its Suppliers
Our research team has found a sophisticated campaign, active for at least one year, targeting large international companies in the energy, oil...
How We Escaped Docker in Azure Functions
Summary of Findings What is Azure Functions? Technical Analysis Proof of Concept Why Does this Matter? Summary of Findings In previous months...
A Rare Look Inside a Cryptojacking Campaign and its Profit
Intro Linux threats are becoming more frequent. A common type of Linux threat is cryptojacking, which is the unauthorized use of an...
Operation ElectroRAT: Attacker Creates Fake Companies to Drain Your Crypto Wallets
Already with thousands of victims. Intro With Bitcoin on the rise and a market exceeding billions of dollars, cryptocurrency has attracted threat actors...
Early Bird Catches the Worm: New Golang Worm Drops XMRig Miner on Servers
Intro In early December, we discovered a new, undetected worm written in Golang. This worm continues the popular 2020 trend of multi-platform malware developed...
A Zebra in Gopher's Clothing: Russian APT Uses COVID-19 Lures to Deliver Zebrocy
Summary In November, we uncovered COVID-19 phishing lures that were used to deliver the Go version of Zebrocy. Zebrocy is mainly used...
Stantinko’s Proxy After Your Apache Server
Intro It is common for threat actors to evolve their Linux malware. BlackTech with their new ELF_PLEAD malware and Winnti’s PWNLNX tool are recent examples....
A Storm is Brewing: IPStorm Now Has Linux Malware
Introduction The development of cross-platform malware is not new, however, we continue to observe a number of malware that were previously documented only...
VB2020 - Advanced Pasta Threat: Mapping Malware Use of Open Source Offensive Security Tools
The term Offensive Security Tool, also known as OST, is a controversial subject within the InfoSec community. It often sparks fierce debate...
The Evolution of APT15’s Codebase 2020
The Ke3chang group, also known as APT15, is an alleged Chinese government-backed cluster of teams known to target various high-profile entities spanning...
Kaiji: New Chinese Linux malware turning to Golang
It is not often that you see a botnet’s tooling written from scratch. The Internet of things (IoT) botnet ecosystem is relatively well-documented by...
TTPs matrix for Linux cloud servers
Checklist for protecting your Linux cloud servers against cyber attacks Taking inspiration from the MITRE ATT&CK® framework, we have developed a matrix categorizing...
Search for revealing strings in Intezer Analyze
Accelerate your file investigations with new and improved string reuse capabilities in Intezer Analyze Users of Intezer Analyze may have noticed new...
Fantastic payloads and where we find them
Attackers have long used evasion features in their malware to avoid detection by security products and analysis systems. One of the most...
New Iranian Campaign Tailored to US Companies Utilizes an Updated Toolset
Introduction Our researchers Paul Litvak and Michael Kajilolti have discovered a new campaign conducted by APT34 employing an updated toolset. Based on uncovered...
Linux Rekoobe Operating with New, Undetected Malware Samples
Introduction Our research team has identified new versions of an old Linux malware known as Rekoobe, a minimalistic trojan with a complex CNC...
2019: A Year-in-Review
What an amazing year it has been for us at Intezer! The company nearly doubled in size, we added several new important...
ChinaZ Updates Toolkit by Introducing New, Undetected Malware
Introduction ChinaZ is a Chinese cybercrime group and the author of several DDoS malware. We have profiled this group in a previous...
Exploring the Chinese DDoS Threat Landscape [Research Report]
Distributed denial-of-service attacks were on the rise in 2018 and continuing into 2019, ranging from a high volume of Mirai attacks to...
ACBackdoor: Analysis of a New Multiplatform Backdoor
Introduction We have discovered an undetected Linux backdoor which does not have any known connections to other threat groups. VirusTotal detection rate...
PureLocker: New Ransomware-as-a-Service Being Used in Targeted Attacks Against Servers
Analysis by Intezer and IBM X-Force points its origins to a Malware-as-a-Service (MaaS) provider utilized by the Cobalt Gang and FIN6 attack...
Mapping the Connections Inside Russia's APT Ecosystem
This research is a joint effort conducted by Omri Ben-Bassat from Intezer and Itay Cohen from Check Point Research. Prologue пролог If...
Russian Cybercrime Group FullofDeep Behind QNAPCrypt Ransomware Campaigns
Introduction We previously reported on how we managed to temporarily shut down 15 operative QNAPCrypt ransomware campaigns targeting Linux-based file storage systems...
Why we Should be Paying More Attention to Linux Threats
In a previous post we wrote for the Retail and Hospitality Information Sharing and Analysis Center (RH-ISAC), we discussed the emergence of...
MoP - "Master of Puppets" - Advanced malware tracking framework revealed at BlackHat Arsenal 2019.
At BlackHat Arsenal 2019 Intezer’s researcher, Omri Ben-Bassat, revealed open-source tool called MoP (“Master of Puppets”) which is a framework for reverse...
Watching the WatchBog: New BlueKeep Scanner and Linux Exploits
Overview We have discovered a new version of WatchBog—a cryptocurrency-mining botnet operational since late 2018—that we suspect has compromised more than 4,500 Linux...
EvilGnome: Rare Malware Spying on Linux Desktop Users
Introduction Linux desktop remains an unpopular choice among mainstream desktop users, making up a little more than 2% of the desktop operating system...
How We Seized 15 Active Ransomware Campaigns Targeting Linux File Storage Servers
Introduction It is rare to see ransomware being used to target the Linux operating system. However, cyber criminals seem to adapt to...
Executable and Linkable Format 101 Part 4: Dynamic Linking
This is a new post in our Executable and Linkable Format (ELF) 101 series, where the goal is to spread awareness about the...
HiddenWasp Malware Stings Targeted Linux Systems
Overview • Intezer has discovered a new, sophisticated malware that we have named “HiddenWasp”, targeting Linux systems. • The malware is still...
Technical Analysis: Pacha Group Competing against Rocke Group for Cryptocurrency Mining Foothold on the Cloud
Pacha Group is a crypto-mining threat actor we at Intezer discovered and profiled in a blog post published on February 28, 2019....
War on the Cloud: Cybercriminals Competing for Cryptocurrency Mining Foothold
The Pacha Group is a threat actor discovered by Intezer and profiled in a blog post published on February 28, 2019. Dating back...
Technical Analysis: Pacha Group Deploying Undetected Cryptojacking Campaigns on Linux Servers
Introduction Cryptomining malware, also known as cryptojacking or cryptocurrency mining malware, refers to software developed to take over a computer’s resources and...
Pacha Group, A New Threat Actor Deploying Undetected Cryptojacking Campaigns on Linux Servers
Key Takeaways: • Intezer has evidence of a new threat actor, calling it Pacha Group, which has been deploying undetected cryptojacking campaigns...
ChinaZ Revelations: Revealing ChinaZ Relationships with other Chinese Threat Actor Groups
Introduction Distributed denial-of-service (DDoS) attacks were on the rise in 2018, ranging from a high volume of Mirai attacks to more sophisticated...
Muhstik Botnet Reloaded: New Variants Targeting phpMyAdmin Servers
The Muhstik botnet was first exposed by Netlab360 researchers in May 2018. This botnet targeted mainly GPON routers. At Intezer we found that Muhstik is extending its spectrum...
The Researchers' View: Insights from Leading Global Security Researchers
At Intezer information sharing is a key component of our makeup and reflected in our technology. In the spirit of industry collaboration...
Paleontology: The Unknown Origins of Lazarus Malware
INTRODUCTION As seen by security researchers across the world and proven in a joint research by McAfee and Intezer, Lazarus, one of...
APT37: Final1stspy Reaping the FreeMilk
Researchers at Palo Alto Networks recently published a report regarding the NOKKI malware, which has shared code with KONNI and, although not in...
Intezer Analyze™ ELF Support Release: Hakai Variant Case Study
ELF SUPPORT We would like to proudly announce that Intezer Analyze™ now supports genetic malware analysis for ELF binaries! You may now...
Prince of Persia: The Sands of Foudre
Introduction In the past couple years, Palo Alto Networks reported on the “Prince of Persia” malware campaign which is believed to be...
Examining Code Reuse Reveals Undiscovered Links Among North Korea’s Malware Families
This research is a joint effort of Christiaan Beek, lead scientist & sr. principal engineer at McAfee, and Jay Rosenberg, senior security researcher...
Mitigating Emotet, The Most Common Banking Trojan
Recently, Proofpoint released a fairly surprising report, stating that Banking Trojans have surpassed Ransomware as the top malware threat found in email....
MirageFox: APT15 Resurfaces With New Tools Based On Old Ones
APT15 Background Coincidentally, following the recent hack of a US Navy contractor and theft of highly sensitive data on submarine warfare, we...
Digital Certificates- When the Chain of Trust is Broken
As stated in a previous blog entry, it is common for malware authors to sign malicious files with “legitimate” digital certificates in...
Iron Cybercrime Group Under The Scope
In April 2018, while monitoring public data feeds, we noticed an interesting and previously unknown backdoor using HackingTeam’s leaked RCS source code....
Executable and Linkable Format 101 Part 3: Relocations
In our previous post, we went through the concept of symbols and their functionality. In this post we will introduce the concept...
Yet Another Distraction? A New Version of North Korean Ransomware Hermes Has Emerged
Detecting Reused Ransomware Whether we’re dealing with a criminal threat actor looking to steal money from their victims using ransomware or malware...
Executable and Linkable Format 101. Part 2: Symbols
In our previous post, we focused on understanding the relationship between sections and segments, which serve as the foundation for understanding the...
Executable and Linkable Format 101 - Part 1 Sections and Segments
This marks the first of several blog posts that will focus on Executable and Linkable Format (ELF) files. In this series, we’ll...
BLOCKBUSTED: Lazarus, Blockbuster, and North Korea
As we have proven in previous research blog posts, malware authors often reuse the same code. This evolution of code and code...
IcedID Banking Trojan Shares Code with Pony 2.0 Trojan
IBM X-Force recently released an excellent report on a new banking trojan named IcedID that is being distributed using computers already infected...
Silence of the Moles
Kaspersky Labs published a technical analysis of a new malware, Silence that is aimed at attacking financial institutions. After uploading the loader...
Intezer Uncovers Connection Between CCleaner Hack & Chinese Hackers: Aurora Operation
Since my last post, we have found new evidence in the next stage payloads of the CCleaner supply chain attack that provide...
NotPetya Returns as Bad Rabbit
Large scale cyber attacks seem to be happening once a month these days. Originally discovered by ESET (https://www.welivesecurity.com/2017/10/24/kiev-metro-hit-new-variant-infamous-diskcoder-ransomware/), Ukrainian and Russian organizations...
North Korea and Iran Use CodeProject to Develop Their Malware
Software developers and malware authors share a desire to work smart, not hard In the software development world, engineers frequently use ready-made...
Evidence Aurora Operation Still Active Part 2: More Ties Uncovered Between CCleaner Hack & Chinese Hackers
Since my last post, we have found new evidence in the next stage payloads of the CCleaner supply chain attack that provide...
Evidence Aurora Operation Still Active: Supply Chain Attack Through CCleaner
Recently, there have been a few attacks with a supply chain infection, such as Shadowpad being implanted in many of Netsarang’s products,...
New Variants of Agent.BTZ/ComRAT Found: The Threat That Hit The Pentagon In 2008 Still Evolving; Part 2/2
Our previous blog post was a short brief of new Agent.BTZ variants that we found. This second part in the series will...
New Variants of Agent.BTZ/ComRAT Found: The Threat That Hit The Pentagon In 2008 Still Evolving; Part 1/2
Agent.BTZ–also known as ComRAT–is one of the world’s oldest known state-sponsored threats, mainly known for the 2008 Pentagon breach. Technically speaking, Agent.BTZ...