Posts

Showing posts from August, 2022

Track Common Adversary Tasks Performed Using Agent Tesla

To know more about it, you can go through my detailed document by clicking here.

Overview
Agent Tesla is an advanced spyware Remote Access Trojan (RAT) written for the .NET framework and active since 2014. It steals sensitive information from an infected machine, collecting keystrokes as well as the login credentials saved in the browsers and mail clients on the victim's machine.

Tactics & Techniques
This malware spreads mainly through phishing emails; once it enters the system, it hides itself with various techniques, which makes it difficult to detect before any damage is done. After a successful breach, Agent Tesla collects login credentials, keystrokes, screenshots, etc. in order to compromise the user's accounts. Its main targets are the energy, logistics, finance and government sectors, among others.

Prevention
In order to mitigate the

Track Common Adversary Tasks Performed Using Agent Smith

To know more about it, you can go through my detailed document by clicking here.

Overview
Agent Smith is an Android mobile malware that performs fraudulent activities by replacing legitimate applications on a device with malicious versions. It has infected roughly 25 million devices to date and mainly targets India, Saudi Arabia, the UK and the USA, along with other Asian countries.

Attack Technique
Although Agent Smith is generally used for financial gain via bogus advertisements, it can also be used for other harmful purposes like banking credential theft, and there is a long list of ways for this malware to harm a user's device. Its attack involves the following steps: Firstly, a dropper app lures the victim into downloading it voluntarily. Then, this app installs the core malware, which performs malicious patching and app updates. Lastly, when a target app is identified, it is patched with malicious ad modules, replaced, and reinstalled as if it

Track Common Adversary Tasks Performed Using ADVSTORESHELL

To know more about it, you can go through my detailed document by clicking here.

Overview
ADVSTORESHELL was used extensively by APT28, also known as Fancy Bear, as a backdoor (between 2012 and 2016), generally for long-term espionage. Its main targets were prominent personalities, the aerospace industry, the government sector, etc., and it allowed the group to attack its victims stealthily.

Attacks
As APT28 is a Russian espionage group, it has used malware like ADVSTORESHELL to attack Eastern European governments and militaries, US government sectors, and many opponents of Putin and the Kremlin in various countries. Fancy Bear also switches its techniques and modifies its methods to avoid detection.

Remedy
The following techniques may be of great help in the defense against ADVSTORESHELL as well as other similar threats: Identifying digital shadow assets, along with cloud hosts, with the help of an Attack Surface Management solution. Always keeping track of the pa

Track Common Adversary Tasks Performed Using Adups

To know more about it, you can go through my detailed document by clicking here.

Overview
Adups is Chinese software pre-installed on Android devices that monitors user behavior and sends sensitive information to a server in China without the user's consent. The company behind it was founded in 2012, and its software has shipped on as many as 700 million (mostly low-end) Android devices. It is also a globally popular FOTA (Firmware Over The Air) provider for end-to-end device management and software solutions.

Types of Attacks
Adups can perform the following tasks:
- SMS Recording
- SMS Transmission
- IMEI Exfiltration
- IMSI Transmission
- Call Log Transmission
- Call Contact Information Transmission
- Location Collection & Transmission
- Command Injection
- Remote User Application Update
- Remote User Application Install
- Transmit Installed Applications List
- Transfer Application Execution Order
- Programmatic Firmware Update
- Remote Execution & Privilege Escalation (Without user's consent)
- Transfer IP Address
In f

Track Common Adversary Tasks Performed Using AdFind

To know more about it, you can go through my detailed document by clicking here.

Overview
AdFind is a command-line Active Directory query tool that combines the functionality of tools like dsquery, dsget and ldp, along with some other useful features. Although it is generally used for legitimate administration, it is also used by threat actors for post-exploitation Active Directory reconnaissance.

Features
Some of the salient features of AdFind are as follows:
Complete listing- Launching the program without arguments lists all the commands that can be executed along with their supported parameters, so you can easily work with it within the security measures of the Active Directory.
Various output options- The output options include the count of matching objects or just the objects' names, and the extended documentation can be accessed directly from the console.
Simple & straightforward AD query tool- Although AdFind is not the most reliable tool for Active Directory, it c
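Because the same AdFind switches and LDAP filters show up in nearly every post-exploitation recon session, a defender can hunt for them in process-creation logs even when the attacker renames the binary. The Python script below is an added example (not code from this post or from the AdFind project): it runs over a handful of constructed Sysmon-style events, flags AdFind-like command lines whether or not the image is named adfind.exe, and counts how many distinct recon categories each user touched. The sample events, the user and host names, and the exact pattern list are assumptions made for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample process-creation events (Sysmon Event ID 1 style, fields
# simplified). They are synthetic for this example, not logs from any real case.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ts": "2022-08-03T10:12:01", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\whoami.exe",
     "cmdline": "whoami /all"},
    {"ts": "2022-08-03T10:12:40", "user": "CORP\\jdoe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\adfind.exe",
     "cmdline": 'adfind.exe -f "(objectcategory=person)" > ad_users.txt'},
    {"ts": "2022-08-03T10:13:05", "user": "CORP\\jdoe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\af.exe",  # renamed copy
     "cmdline": "af.exe -f objectcategory=computer > ad_computers.txt"},
    {"ts": "2022-08-03T10:13:30", "user": "CORP\\jdoe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\af.exe",
     "cmdline": "af.exe -gcb -sc trustdmp > trusts.txt"},
    {"ts": "2022-08-03T10:14:00", "user": "CORP\\svc_backup",
     "image": r"C:\Windows\System32\dsquery.exe",
     "cmdline": "dsquery computer -limit 0"},
    {"ts": "2022-08-03T10:15:10", "user": "CORP\\admin1",
     "image": r"C:\Tools\adfind.exe",
     "cmdline": "adfind.exe -h dc01 -b dc=corp,dc=local -f (objectcategory=group) -dn"},
]

# AdFind switches and LDAP filters that recur in post-exploitation recon.
# Matching on arguments catches the tool even when the binary has been renamed.
ARG_PATTERNS = [
    (re.compile(r"-f\s+[\"']?\(?objectcategory=(person|computer|organizationalunit|group|subnet)", re.I),
     "object enumeration"),
    (re.compile(r"-sc\s+trustdmp", re.I), "trust dump"),
    (re.compile(r"(^|\s)-gcb(\s|$)", re.I), "global catalog query"),
    (re.compile(r"(^|\s)-subnets(\s|$)", re.I), "subnet enumeration"),
]


def image_name(event: Dict[str, str]) -> str:
    """File name of the executing image, lower-cased, path stripped."""
    return event["image"].rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Return the recon categories an event matches; an empty list means not flagged."""
    reasons = []
    if image_name(event) == "adfind.exe":
        reasons.append("adfind binary name")
    for pattern, label in ARG_PATTERNS:
        if pattern.search(event["cmdline"]):
            reasons.append(label)
    return reasons


def hunt(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Flag events that look like AdFind recon, noting when only the arguments gave it away."""
    findings = []
    for ev in events:
        reasons = classify(ev)
        if not reasons:
            continue
        findings.append({
            **ev,
            "reasons": reasons,
            # True when the command line matched but the image is not named adfind.exe:
            # a renamed binary (or a copycat tool using the same syntax).
            "renamed": image_name(ev) != "adfind.exe",
        })
    return findings


def score_users(findings: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Distinct recon categories per user. Several categories in quick succession
    (users, computers, trusts, subnets) is the usual pre-ransomware pattern, so
    those users go to the top of the triage queue."""
    per_user: Dict[str, set] = defaultdict(set)
    for f in findings:
        per_user[f["user"]].update(r for r in f["reasons"] if r != "adfind binary name")
    return {user: sorted(cats) for user, cats in per_user.items()}


if __name__ == "__main__":
    hits = hunt(SAMPLE_EVENTS)
    for h in hits:
        tag = "RENAMED " if h["renamed"] else ""
        print(f"{h['ts']} {h['user']:18} {tag}{image_name(h)}: {', '.join(h['reasons'])}")
    for user, cats in score_users(hits).items():
        print(f"{user}: {len(cats)} recon categories {cats}")
```

On the constructed events the dsquery and whoami lines are left alone, the two af.exe lines are caught purely from their arguments, and jdoe ends up with three recon categories inside two minutes, which is the burst worth paging on. A real deployment would feed the same functions from the SIEM's process-creation table and tune the pattern list to the switches seen in local admin usage.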

Track Common Adversary Tasks Performed Using adbupd

To know more about it, you can go through my detailed document by clicking here.

Overview
PLATINUM makes use of various backdoors to compromise a computer. One of them is adbupd, a backdoor from the same lineage as the Dipsind family that gives the attacker persistent remote access to the infected Windows system.

Features
Some of its salient features are as follows:
- It can be installed under various file names within the Program Files directory.
- It supports plug-ins in order to modularize functionality.
- It bundles the OpenSSL library to encrypt the data it sends and receives.
- It can copy cmd.exe for command execution.
- Its configuration file format is the same as that of the original Dipsind family.
- It can use various methods for persistence, such as WMI/MOF compiled scripts.

Identity
Although the original identity of the PLATINUM attacker is still unknown, we can deduce the following factors: Using Multiple Back

Track Common Adversary Tasks Performed Using ACAD/Medre.A

To know more about it, you can go through my detailed document by clicking here.

Overview
ACAD/Medre.A is a worm written in AutoLISP (the Lisp dialect used for AutoCAD scripting) that steals operational information by collecting AutoCAD drawing files. This worm has an immense capacity for industrial espionage: an infection may result in every new design or drawing being sent automatically to the operator of the malware, causing large financial losses to the legitimate owner, since the cybercriminals have the designs even before the products are introduced to the market.

Functions
This worm performs the following key functions:
- It copies itself to various locations so that it can install and spread quickly throughout the system.
- It steals AutoCAD drawings from the infected systems.

Tactics
ACAD/Medre.A spreads rapidly through a system or network and uses the following tactics to carry out its attack: It can detect all AutoCAD files with the DWG extension and
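A worm that copies itself next to drawings so that AutoCAD runs it when a drawing is opened leaves a simple artifact to hunt for: the same AutoLISP start-up file repeated across many drawing folders. The Python script below is an added example, not code from this post: it walks a directory tree, reports AutoLISP auto-load files that sit in folders containing drawings, and groups identical copies by SHA-256. The set of auto-load file names, the drawing extensions, and the sample tree it builds in a temporary directory are assumptions constructed for the example.

```python
import hashlib
import os
import tempfile
from collections import defaultdict
from typing import Dict, List

# AutoLISP start-up files AutoCAD picks up from the folder of the drawing being
# opened. This set is an assumption for the example; confirm it against the
# start-up file list documented for the AutoCAD version in use.
AUTOLOAD_NAMES = {"acad.lsp", "acaddoc.lsp", "acad.fas", "acaddoc.fas", "acad.vlx", "acaddoc.vlx"}
DRAWING_EXTS = {".dwg", ".dwt", ".dws", ".dxf"}


def sha256_of(path: str) -> str:
    """Hash a file in chunks so large loader files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root: str) -> List[Dict[str, object]]:
    """Report AutoLISP auto-load files sitting in folders that contain drawings."""
    findings = []
    for dirpath, _, files in os.walk(root):
        has_drawings = any(os.path.splitext(f)[1].lower() in DRAWING_EXTS for f in files)
        if not has_drawings:
            continue  # a loader only fires if a drawing is opened from this folder
        for name in files:
            if name.lower() in AUTOLOAD_NAMES:
                path = os.path.join(dirpath, name)
                findings.append({"path": path, "size": os.path.getsize(path), "sha256": sha256_of(path)})
    return findings


def group_by_hash(findings: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Identical loader files in several drawing folders is the copy-itself behaviour
    of a worm; a single site-specific acad.lsp would appear only once."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for f in findings:
        groups[f["sha256"]].append(f["path"])
    return {digest: sorted(paths) for digest, paths in groups.items() if len(paths) > 1}


def build_sample_tree() -> str:
    """Constructed directory tree so the script runs stand-alone: two project folders
    with drawings and the same acad.fas planted in both, one folder without drawings
    that holds a harmless acad.lsp, and one drawing folder with nothing planted."""
    root = tempfile.mkdtemp(prefix="dwg_scan_")
    planted = b"FAS4-FILE ; constructed placeholder bytes, not real malware\n"
    layout = {
        "projects/bridge": {"span.dwg": b"AC1027 placeholder", "acad.fas": planted},
        "projects/plant": {"site.dwg": b"AC1027 placeholder", "piping.dxf": b"0\nSECTION", "acad.fas": planted},
        "projects/notes": {"readme.txt": b"notes", "acad.lsp": b"(defun c:hello () (princ))"},
        "archive": {"old.dwg": b"AC1024 placeholder"},
    }
    for folder, files in layout.items():
        os.makedirs(os.path.join(root, folder), exist_ok=True)
        for name, data in files.items():
            with open(os.path.join(root, folder, name), "wb") as fh:
                fh.write(data)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    hits = scan(root)
    for h in hits:
        print(f"{h['path']}  {h['size']} bytes  {h['sha256'][:16]}...")
    for digest, paths in group_by_hash(hits).items():
        print(f"same file ({digest[:16]}...) in {len(paths)} drawing folders: {paths}")
```

Run against a real file share, point scan() at the engineering project root and compare any repeated hash against the site's known-good start-up LISP before deleting anything; a legitimately deployed acad.lsp will also be identical everywhere, so the hash, not the repetition alone, is what separates the two.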

Track Common Adversary Tasks Performed Using AADInternals

To know more about it, you can go through my detailed document by clicking here.

Overview
Although Azure AD, which is used by Microsoft Office 365 and around 2900 other third-party applications, is usually thought to be secure, there are some significant identity, authentication, and other security issues that shouldn't be ignored. AADInternals is a PowerShell-based toolkit for administering, enumerating, and manipulating Azure AD that is freely available on GitHub. As the name implies, it works with the internals of both on-premises and cloud identity services, and its features can be misused to create backdoor users, steal passwords, extract encryption keys, etc.

Misuses of AADInternals
If not handled appropriately, AADInternals can be quickly exploited by bad actors. For example, if identity data is synchronised between on-premises AD and Azure AD, the applications utilized may enable an attacker to target and steal sensitive data from the victim Az

Track Common Adversary Tasks Performed Using 4H RAT

To know more about it, you can go through my detailed document by clicking here.

Overview
4H RAT (Remote Access Trojan) is malware used by Putter Panda, a hacking group associated with the Chinese military that mainly attacks American and European government organizations in order to strengthen the country's technological foothold globally.

Tactics
They register accounts on services such as Gmail, Twitter, Facebook, etc. and lure the victims into downloading the malware, which is eventually used to breach new systems. Once a victim opens the malware-embedded document, the attackers gain control over the PC, through which they gain access to sensitive data like blueprints, customer lists, etc. They mainly target aerospace companies, satellite and remote sensing technology, etc.

Defensive Measures:
Training- As humans tend to make mistakes in the IT industry, regular social engineering awareness training is recommended, so that

Understanding Attacks Linked to APT32

To know more about it, you can go through my detailed document by clicking here.

Overview
APT32, or OceanLotus, is a Vietnamese hacker group known for targeting political dissidents, government officials, and businesses linked with Vietnam. In 2020 it reportedly attacked China's Ministry of Emergency Management as well as the Wuhan municipal government to obtain information about the Covid-19 pandemic. APT32 also spreads malware via the Google Play Store, fake news websites and Facebook pages, and launches spyware attacks on Vietnamese human rights activists.

APT32 Targets on Private Companies
- A European corporation was attacked in 2014 before constructing a manufacturing facility in Vietnam.
- Vietnamese as well as foreign companies related to network security, technology infrastructure, banking, media, etc. were compromised in 2016.
- A global hospitality industry developer's networks (partnering with Vietnam) were attacked in mid-2016.
- Two other subsidiaries of U.S.A. and

Understanding Attacks Linked to APT33

To know more about it, you can go through my detailed document by clicking here.

Overview
APT33 is suspected to be an Iranian cyber espionage threat group, active since 2013. Their main targets have been the aviation and energy sectors of the USA, Saudi Arabia, South Korea, etc. They are also known as Refined Kitten (CrowdStrike), Magnallium (Dragos), and Holmium (Microsoft).

Targets
APT33 has targeted multiple industries through various techniques:
Spear Phishing- They send malicious emails to an employee of the targeted industry with a link seemingly showing a job description or other information relevant to the individual. They sent hundreds of these emails to targeted individuals in 2016.
Domain Masquerading- APT33 may masquerade as the domain of organizations (like a Saudi Arabian aviation company and a western company) that are in a partnership to train, maintain, and support Saudi Arabia's military and commercial fleet. They can

Understanding Attacks Linked to APT38

To know more about it, you can go through my detailed document by clicking here.

Overview
APT38 is a North Korean state-backed cyber threat group that has actively targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, ATMs, etc. in various countries since 2014. Some of their most significant and destructive attacks include the Bangladesh Bank heist of 2016, which resulted in $81 million stolen, and the attacks on Bancomext and Banco de Chile in 2018.

Targeting Pattern
This cyber threat group has targeted more than 16 organizations in at least 13 countries, which indicates that the group is very large and well resourced. Some of their target details are as follows:
- The total number of targeted organizations may be higher due to the low incident reporting rate from affected organizations.
- Their attacks are always planned; they are subtle in their operations within mixed operating system environments; they always use custom-ma

Understanding Attacks Linked To APT39

To know more about it, you can go through my detailed document by clicking here.

Overview
APT39, also known as Chafer or Remix Kitten, is a cyber espionage threat group suspected to be supported by the Iranian government, operating through the front company Rana Intelligence Computing, since 2014. Its primary targets have been the travel, hospitality and telecommunication industries across the Middle East and Persian Gulf, Spain, the US, Australia, etc.

Attack Methods
It generally uses the following attack methods or tools:
- Spearphishing
- Malicious attachments
- URLs delivering POWBAT
- Vulnerable web servers
- Custom backdoors
- Mimikatz
- SQL injection
- RDP, SSH, data compression before exfiltration, etc.

Remedy
The following measures may help in the prevention and mitigation of this threat:
- Regular application updates are necessary in order to protect against known vulnerabilities;
- User input validation should be employed so that local as well as remote file inclusion vulnerabilities can be restricte

Track Common Adversary Tasks Performed Using 3PARA RAT

To know more about it, you can go through my detailed document by clicking here.

Overview
3PARA RAT is a Remote Access Tool or Trojan (RAT) programmed in C++ and used by Putter Panda (a Chinese threat group).

Types of Attacks
All kinds of RATs are generally very difficult to detect, and they give the attacker total remote control. They can be used to steal any kind of sensitive information, spy on a victim, remotely control the infected computers, etc. They mostly arrive via spear phishing or social engineering attacks and are not easy to detect because:
- They use network connections on the infected machine that appear benign to most security products.
- They can pose as a legitimate commercial remote administration tool.
- Their operations don't resemble any common malware technique.

Conclusion
Although it is very difficult to detect RATs as they look like commercial remote administration software, they can be detec