Cyentia Cybersecurity Research Library
  • Sources
  • Tags
  • About
  • Sponsors
  • More from Cyentia

Backdoor

Below you will find reports with the tag of “Backdoor”

image from Evidence Aurora Operation Still Active: Supply Chain Attack Through CCleaner

Evidence Aurora Operation Still Active: Supply Chain Attack Through CCleaner

This post provides information related to supply chain infections.

Added: November 15, 2018
image from MM Core In-Memory Backdoor Returns as "BigBoss" and "SillyGoose"

MM Core In-Memory Backdoor Returns as "BigBoss" and "SillyGoose"

In this blog we will detail our discovery of the next two versions of MM Core, namely “BigBoss” (2.2-LNK) and “SillyGoose” (2.3-LNK). Attacks using “BigBoss” appear likely to have occurred since mid-2015, whereas “SillyGoose” appears to have been distributed since September 2016. Both versions still appear to be active.

(more available)
Added: November 15, 2018
image from FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings

FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings

In late February 2017, FireEye as a Service (FaaS) identified a spear phishing campaign that appeared to be targeting personnel involved with United States Securities and Exchange Commission (SEC) filings at various organizations. Based on multiple identified overlaps in infrastructure and the use of similar tools, tactics, and procedures (TTPs), we have high confidence that this campaign is associated with the financially motivated threat group tracked by FireEye as FIN7.

(more available)
Added: November 15, 2018
image from Spear Phishing Techniques Used in Attacks Targeting the Mongolian Government

Spear Phishing Techniques Used in Attacks Targeting the Mongolian Government

FireEye recently observed a sophisticated campaign targeting individuals within the Mongolian government. Targeted individuals that enabled macros in a malicious Microsoft Word document may have been infected with Poison Ivy, a popular remote access tool (RAT) that has been used for nearly a decade for key logging, screen and video capture, file transfers, password theft, system administration, traffic relaying, and more.

(more available)
Added: November 15, 2018
image from Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations

Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations

Cyber espionage actors, now designated by FireEye as APT32 (OceanLotus Group), are carrying out intrusions into private sector companies across multiple industries and have also targeted foreign governments, dissidents, and journalists. FireEye assesses that APT32 leverages a unique suite of fully-featured malware, in conjunction with commercially-available tools, to conduct targeted operations that are aligned with Vietnamese state interests.

(more available)
Added: November 15, 2018
image from APT29 Domain Fronting With TOR

APT29 Domain Fronting With TOR

This blog post takes a look at APT29 Domain Fronting with Tor.

Added: November 15, 2018
image from Win32/Industroyer

Win32/Industroyer

This report offers insight into the Win32/Industroyer a new threat for industrial control systems.

Added: November 15, 2018
image from TeleBots are back: Supply-chain attacks against Ukraine

TeleBots are back: Supply-chain attacks against Ukraine

The latest Petya-like outbreak has gathered a lot of attention from the media. However, it should be noted that this was not an isolated incident: this is the latest in a series of similar attacks in Ukraine. This blogpost reveals many details about the Diskcoder.C (aka ExPetr, PetrWrap, Petya, or NotPetya) outbreak and related information about previously unpublished attacks.

(more available)
Added: November 15, 2018
image from Gazing at Gazer: Turla's New Second Stage Backdoor

Gazing at Gazer: Turla's New Second Stage Backdoor

Herein we release our analysis of a previously undocumented backdoor that has been targeted against embassies and consulates around the world leads us to attribute it, with high confidence, to the Turla group. Turla is a notorious group that has been targeting governments, government officials and diplomats for years. They are known to run watering hole and spearphishing campaigns to better pinpoint their targets. Although this backdoor has been actively deployed since at least 2016, it has not been documented anywhere. Based on strings found in the samples we analyzed, we have named this backdoor “Gazer”.

(more available)
Added: November 15, 2018
image from Carbon Paper: Peering into Turla's second stage backdoor

Carbon Paper: Peering into Turla's second stage backdoor

“The Turla espionage group has been targeting various institutions for many years. Recently, we found several new versions of Carbon, a second stage backdoor in the Turla group arsenal. Last year, a technical analysis of this component was made by Swiss GovCERT.ch as part of their report detailing the attack that a defense firm owned by the Swiss government, RUAG, suffered in the past. This blog post highlights the technical innovations that we found in the latest versions of Carbon we have discovered.”

(more available)
Added: November 15, 2018
image from TRISIS Malware

TRISIS Malware

In mid-November 2017, the Dragos, Inc. team discovered ICS-tailored malware deployed against at least one victim in the Middle East. The team identifies this malware as TRISIS because it targets Schneider Electric’s Triconex safety instrumented system (SIS) enabling the replacement of logic in final control elements. TRISIS is highly targeted and likely does not pose an immediate threat to other Schneider Electric customers, let alone other SIS products. Importantly, the malware leverages no inherent vulnerability in Schneider Electric products. However, this capability, methodology, and tradecraft in this very specific event may now be replicated by other adversaries and thus represents an addition to industrial asset owner and operators’ threat models.

(more available)
Added: November 15, 2018
image from Crashoverride

Crashoverride

Dragos, Inc. was notified by the Slovak anti-virus firm ESET of an ICS tailored malware on June 8th, 2017. The Dragos team was able to use this notification to find samples of the malware, identify new functionality and impact scenarios, and confirm that this was the malware employed in the December 17th, 2016 cyber-attack on the Kiev, Ukraine transmission substation which resulted in electric grid operations impact. This report serves as an industry report to inform the electric sector and security community of the potential implications of this malware and the appropriate details to have a nuanced discussion.

(more available)
Added: November 15, 2018
image from The Deception Project: A New Japanese-Centric Threat

The Deception Project: A New Japanese-Centric Threat

“In an effort to expose a common problem we see happening in the industry, Cylance® would like to shed some light on just how easy it is to fake attribution. The key factor we should focus on, as an industry, is determining HOW an attacker can take down an organization, rather than focusing only on the WHO. Once we can identify how the attack happened, we can focus on what’s really important – prevention.”

(more available)
Added: November 15, 2018
image from A Large Scale Cyber Espionage APT in Asia

A Large Scale Cyber Espionage APT in Asia

The investigation of a massive cyber espionage APT (Advanced Persistent Threat) became a game of one-upmanship between attackers and defenders. Dubbed Operation Cobalt Kitty, the APT targeted a global corporation based in Asia with the goal of stealing proprietary business information. The threat actor targeted the company’s top-level management by using sophisticated spear-phishing attacks as the initial penetration vector, ultimately compromising the computers of vice presidents, senior directors and other key personnel in the operational departments. During Operation Cobalt Kitty, the attackers compromised more than 40 PCs and servers, including the domain controller, file servers, Web application server and database server.

(more available)
Added: November 15, 2018
image from Operation Cobalt Kitty

Operation Cobalt Kitty

This report offers a threat actor profile and indicators of compromise around the OceanLotusGroup actor.

Added: November 15, 2018
image from Operation Electric Powder - Who is Targeting Israel Electric Company

Operation Electric Powder - Who is Targeting Israel Electric Company

From April 2016 until at least February 2017, attackers have been spreading malware via fake Facebook profiles and pages, breached websites, self-hosted and cloud based websites. Various artifacts indicate that the main target of this campaign is IEC – Israel Electric Company. These include domains, file names, Java package names, and Facebook activity. We dubbed this campaign “Operation Electric Powder“.

(more available)
Added: November 15, 2018
image from Dissecting the APT28 Mac OS X Payload

Dissecting the APT28 Mac OS X Payload

This report analyzes the Mac specific malware from APT28 named Trojan.MAC.APT28

Added: November 12, 2018
image from Taiwan Heist: Lazarus Tools and Ransomware

Taiwan Heist: Lazarus Tools and Ransomware

Malware utilizing known Lazarus group tools was used in a heist of a Taiwan bank. This Malware was later uploaded to several repositories. This post analyses and summarizes the uploaded Malware from the repositories.

(more available)
Added: November 12, 2018
image from Lazarus & Watering-hole attacks

Lazarus & Watering-hole attacks

This report provides an outline of the attacks against Polish banks based what was shared in the article, and BAE Systems’ additional findings.

(more available)
Added: November 12, 2018
image from Lazarus' False Flag Malware

Lazarus' False Flag Malware

The post contains Analysis on a wave of attacks targeting banks as well as the falsified origins of said attacks.

(more available)
Added: November 12, 2018
image from 2016 Hacked Website Report Q1

2016 Hacked Website Report Q1

This is an annual report that discusses the latest malware and hacking trends in compromised websites.

Added: October 26, 2018
  • ««
  • «
  • 2
  • 3
  • 4
  • 5
  • 6
  • »
  • »»
© Cyentia Institute 2025
Library updated: July 1, 2025 12:08 UTC (build b1d7be4)