During the day I’ve been thinking about what has just happened in South Korea. We published earlier today a quick blog post about how the wiper payload works. It is a very simple piece of code that overwrites the MBR (Master Boot Record), making the affected system unable to start after reboot. Other companies have …
Information about the South Korean banks and media systems attacks
March 20th, 2013 | Posted in News

As many of you probably know, several South Korean banks and media companies have been affected by an attack that has wiped several systems. It seems the South Korean security company Nshc has published more details on its Facebook page. Based on the samples we collected, the malware overwrites the MBR (Master Boot Record) …
Latest Adobe PDF exploit used to target Uyghur and Tibetan activists
March 14th, 2013 | Posted in APT | Attacks | Exploits | IP Reputation | Malware | News | Snort

Last month Adobe released a fix to patch a vulnerability that was being exploited in the wild. Kaspersky found that the 0day was being used by a very sophisticated group to target different governments using a malware called MiniDuke. AlienVault Labs has detected that a different group of attackers has been using this vulnerability to target …
Cyber espionage campaign against the Uyghur community, targeting MacOSX systems
February 13th, 2013 | Posted in APT | Attacks | Blog | Code | Exploits | Malware | News

During the last few days, together with our colleagues from Kaspersky Lab, we have been investigating a new strain of spearphishing mails sent to the Uyghur community. You can read their analysis here. The mails sent contain a Microsoft Office .doc file that exploits MS09-027, affecting Microsoft Office for Mac; this is the same exploit used in other attacks we discovered …


Yara rules for APT1/Comment Crew malware arsenal
February 20th, 2013 | Posted by jaime.blasco in APT | Attacks | Forensics | Malware

I’m sure all of you have heard about Mandiant’s APT1 report published yesterday. As many of you probably know, we have been tracking and exposing this group for a long time, as have other individuals and companies in the security industry. A couple of examples are:

- Win32/Coswid
- Unveiling a spearphishing campaign and possible ramifications …