Cyentia Cybersecurity Research Library
  • Sources
  • Tags
  • About
  • Sponsors
  • More from Cyentia

C2

Below you will find reports with the tag of “C2”

image from BlackOasis APT and new targeted attacks leveraging zeroday exploit

BlackOasis APT and new targeted attacks leveraging zeroday exploit

This post discusses the following event - “On October 10, 2017, Kaspersky Lab’s advanced exploit prevention systems identified a new Adobe Flash zero day exploit used in the wild against our customers. "

(more available)
Added: November 15, 2018
image from The Full Shamoon: How the Devastating Malware Was Inserted Into Networks

The Full Shamoon: How the Devastating Malware Was Inserted Into Networks

Researchers from the IBM X-Force Incident Response and Intelligence Services (IRIS) team identified a missing link in the operations of a threat actor involved in recent Shamoon malware attacks against Gulf state organizations. These attacks, which occurred in November 2016 and January 2017, reportedly affected thousands of computers across multiple government and civil organizations in Saudi Arabia and elsewhere in Gulf states. Shamoon is designed to destroy computer hard drives by wiping the master boot record (MBR) and data irretrievably, unlike ransomware, which holds the data hostage for a fee.

(more available)
Added: November 15, 2018
image from MM Core In-Memory Backdoor Returns as "BigBoss" and "SillyGoose"

MM Core In-Memory Backdoor Returns as "BigBoss" and "SillyGoose"

In this blog we will detail our discovery of the next two versions of MM Core, namely “BigBoss” (2.2-LNK) and “SillyGoose” (2.3-LNK). Attacks using “BigBoss” appear likely to have occurred since mid-2015, whereas “SillyGoose” appears to have been distributed since September 2016. Both versions still appear to be active.

(more available)
Added: November 15, 2018
image from FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings

FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings

In late February 2017, FireEye as a Service (FaaS) identified a spear phishing campaign that appeared to be targeting personnel involved with United States Securities and Exchange Commission (SEC) filings at various organizations. Based on multiple identified overlaps in infrastructure and the use of similar tools, tactics, and procedures (TTPs), we have high confidence that this campaign is associated with the financially motivated threat group tracked by FireEye as FIN7.

(more available)
Added: November 15, 2018
image from Privileges and Credentials: Phished at the Request of Counsel

Privileges and Credentials: Phished at the Request of Counsel

In May and June 2017, FireEye observed a phishing campaign targeting at least seven global law and investment firms. We have associated this campaign with APT19, a group that we assess is composed of freelancers, with some degree of sponsorship by the Chinese government. APT19 used three different techniques to attempt to compromise targets. In early May, the phishing lures leveraged RTF attachments that exploited the Microsoft Windows vulnerability described in CVE 2017-0199. Toward the end of May, APT19 switched to using macro-enabled Microsoft Excel (XLSM) documents. In the most recent versions, APT19 added an application whitelisting bypass to the XLSM documents. At least one observed phishing lure delivered a Cobalt Strike payload. As of the writing of this blog post, FireEye had not observed post-exploitation activity by the threat actors, so we cannot assess the goal of the campaign. We have previously observed APT19 steal data from law and investment firms for competitive economic purposes. This purpose of this blog post is to inform law firms and investment firms of this phishing campaign and provide technical indicators that their IT personnel can use for proactive hunting and detection.

(more available)
Added: November 15, 2018
image from Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations

Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations

Cyber espionage actors, now designated by FireEye as APT32 (OceanLotus Group), are carrying out intrusions into private sector companies across multiple industries and have also targeted foreign governments, dissidents, and journalists. FireEye assesses that APT32 leverages a unique suite of fully-featured malware, in conjunction with commercially-available tools, to conduct targeted operations that are aligned with Vietnamese state interests.

(more available)
Added: November 15, 2018
image from Crashoverride

Crashoverride

Dragos, Inc. was notified by the Slovak anti-virus firm ESET of an ICS tailored malware on June 8th, 2017. The Dragos team was able to use this notification to find samples of the malware, identify new functionality and impact scenarios, and confirm that this was the malware employed in the December 17th, 2016 cyber-attack on the Kiev, Ukraine transmission substation which resulted in electric grid operations impact. This report serves as an industry report to inform the electric sector and security community of the potential implications of this malware and the appropriate details to have a nuanced discussion.

(more available)
Added: November 15, 2018
image from Uri Terror attack & Kashmir Protest Themed spear phishing emails targeting Indian Embassies and Indian Ministry of external affairs

Uri Terror attack & Kashmir Protest Themed spear phishing emails targeting Indian Embassies and Indian Ministry of external affairs

“In my previous blog I posted details of a cyber attack targeting Indian government organizations. This blog post describes another attack campaign where attackers used the Uri terror attack and Kashmir protest themed spear phishing emails to target officials in the Indian Embassies and Indian Ministry of External Affairs (MEA). In order to infect the victims, the attackers distributed spear-phishing emails containing malicious word document which dropped a malware capable of spying on infected systems. The email purported to have been sent from legitimate email ids. The attackers spoofed the email ids associated with Indian Ministry of Home Affairs to send out email to the victims. Attackers also used the name of the top-ranking official associated with Minister of Home affairs in the signature of the email, this is to make it look like the email was sent by a high-ranking Government official associated with Ministry of Home Affairs (MHA).”

(more available)
Added: November 15, 2018
image from Cyber Attack Targeting Indian Navy’s Submarine and Warship Manufacturer

Cyber Attack Targeting Indian Navy’s Submarine and Warship Manufacturer

“In my previous blog posts I described attack campaigns targeting Indian government organizations, and Indian Embassies and Ministry of External affairs. In this blog post I describe a new attack campaign where cyber espionage group targeted the users of Mazagon Dock Shipbuilders Limited (also called as ship builder to the nation). Mazagon Dock Shipbuilders Limited (MDL) is a Public Sector Undertaking of Government of India (Ministry of Defence) and it specializes in manufacturing warships and submarines for the Indian Navy.”

(more available)
Added: November 15, 2018
image from Cyber Attack Impersonating Identity of Indian Think Tank to Target Central Bureau of Investigation (CBI) and Possibly Indian Army Officials

Cyber Attack Impersonating Identity of Indian Think Tank to Target Central Bureau of Investigation (CBI) and Possibly Indian Army Officials

“In my previous blog posts I posted details of cyber attacks targeting Indian Ministry of External Affairs and Indian Navy’s Warship and Submarine Manufacturer. This blog post describes another attack campaign where attackers impersonated identity of Indian think tank IDSA (Institute for Defence Studies and Analyses) and sent out spear-phishing emails to target officials of the Central Bureau of Investigation (CBI) and possibly the officials of Indian Army.”

(more available)
Added: November 15, 2018
image from The Deception Project: A New Japanese-Centric Threat

The Deception Project: A New Japanese-Centric Threat

“In an effort to expose a common problem we see happening in the industry, Cylance® would like to shed some light on just how easy it is to fake attribution. The key factor we should focus on, as an industry, is determining HOW an attacker can take down an organization, rather than focusing only on the WHO. Once we can identify how the attack happened, we can focus on what’s really important – prevention.”

(more available)
Added: November 15, 2018
image from A Large Scale Cyber Espionage APT in Asia

A Large Scale Cyber Espionage APT in Asia

The investigation of a massive cyber espionage APT (Advanced Persistent Threat) became a game of one-upmanship between attackers and defenders. Dubbed Operation Cobalt Kitty, the APT targeted a global corporation based in Asia with the goal of stealing proprietary business information. The threat actor targeted the company’s top-level management by using sophisticated spear-phishing attacks as the initial penetration vector, ultimately compromising the computers of vice presidents, senior directors and other key personnel in the operational departments. During Operation Cobalt Kitty, the attackers compromised more than 40 PCs and servers, including the domain controller, file servers, Web application server and database server.

(more available)
Added: November 15, 2018
image from Operation Cobalt Kitty

Operation Cobalt Kitty

This report offers a threat actor profile and indicators of compromise around the OceanLotusGroup actor.

Added: November 15, 2018
image from Iranian Threat Agent Greenbug Impersonates Israeli HighTech and Cyber Security Companies

Iranian Threat Agent Greenbug Impersonates Israeli HighTech and Cyber Security Companies

This report offers insight into the Iranian threat agent Greenbug.

Added: November 15, 2018
image from Operation Electric Powder - Who is Targeting Israel Electric Company

Operation Electric Powder - Who is Targeting Israel Electric Company

From April 2016 until at least February 2017, attackers have been spreading malware via fake Facebook profiles and pages, breached websites, self-hosted and cloud based websites. Various artifacts indicate that the main target of this campaign is IEC – Israel Electric Company. These include domains, file names, Java package names, and Facebook activity. We dubbed this campaign “Operation Electric Powder“.

(more available)
Added: November 15, 2018
image from Operation Wilted Tulip

Operation Wilted Tulip

CopyKittens is a cyberespionage group that has been operating since at least 2013. In November 2015, ClearSky and Minerva Labs published1 the first public report exposing its activity. In March 2017, ClearSky published a second report2 exposing further incidents, some of which impacted the German Bundestag. In this report, Trend Micro and ClearSky expose a vast espionage apparatus spanning the entire time the group has been active. It includes recent incidents as well as older ones that have not been publicly reported; new malware; exploitation, delivery and command and control infrastructure; and the group’s modus operandi. We dubbed this activity Operation Wilted Tulip

(more available)
Added: November 15, 2018
image from Iranian Threat Agent OilRig Delivers Digitally Signed Malware Impersonates University of Oxford

Iranian Threat Agent OilRig Delivers Digitally Signed Malware Impersonates University of Oxford

Iranian threat agent OilRig has been targeting multiple organisations in Israel and other countries in the Middle East since the end of 2015. In recent attacks they set up a fake VPN Web Portal and targeted at least five Israeli IT vendors, several financial institutes, and the Israeli Post Office. This report offers insight into this threat.

(more available)
Added: November 15, 2018
image from Charming Kitten

Charming Kitten

Iranian cyber espionage against human rights activists, academic researchers and media outlets -and the HBO hacker connection

Added: November 15, 2018
image from Insider Information An intrusion campaign targeting Chinese language news sites

Insider Information An intrusion campaign targeting Chinese language news sites

This report reveals a campaign of reconnaissance, phishing, and malware operations that use content and domains made to mimic Chinese language news websites

(more available)
Added: November 12, 2018
image from "Super Clean Plus" Is Anything But: Popular Cleanup App Hides Malicious Intent

"Super Clean Plus" Is Anything But: Popular Cleanup App Hides Malicious Intent

This paper analyzes a cleanup app that is actually malicious.

Added: October 26, 2018
image from 2018 Annual Cybersecurity Report

2018 Annual Cybersecurity Report

In the executive summary, this report asks, “What if defenders could see the future?” it then goes on to say that defenders can see what’s on the horizon and many clues are out there and obvious. The entire report seeks to outline ways in which defenders can see the future.

(more available)
Added: October 26, 2018
  • ««
  • «
  • 3
  • 4
  • 5
  • 6
  • 7
  • »
  • »»
© Cyentia Institute 2025
Library updated: June 30, 2025 20:08 UTC (build b1d7be4)