Posts

Showing posts from September, 2022

Track Common Adversary Tasks Performed Using Attor

To know more about it, you can go through my detailed document by clicking here.

Overview
Attor is a Windows-based espionage platform with a complex architecture. It mainly targets governments and diplomats in Eastern Europe as well as Russian social network users, seeking information related to diplomatic missions and governmental institutions. It was named 'Attor' because its GSM plugin makes use of the AT command protocol and it uses Tor for its network communications.

Sophisticated Attor
Although it is not clear who uses Attor for their malicious purposes, it is clear that some of the world's most sophisticated espionage players use it, as it is built on a highly modularized architecture that 'revolves' around a central component called a dispatcher. It also uses encryption to hide the modules, which is rarely seen. It is capable of (but not limited to) performing the following tasks: Take screenshots, Record audio, Upload files to a remote server, Set up a SOCKS p

Track Common Adversary Tasks Performed Using Astaroth

To know more about it, you can go through my detailed document by clicking here.

Overview
Astaroth is a trojan known for stealthily stealing sensitive information, including user credentials, and it targets Europe, Brazil, and countries throughout Latin America. It was first detected in 2017 because of its abundant attacks in South America. It is extensively used in fileless malware to corrupt the computer's memory as well as to secretly download and launch malware payloads in the network.

How Does It Work?
It arrives on the computer through malicious links such as spam emails; once the user clicks the link, it kick-starts the download of the trojan, which can steal sensitive information via web browsers and log keystrokes.

Prevention
As Astaroth spreads via the internet, portable drives, and phishing emails, the following steps may help in preventing it: Always verify the statements from any unknown sources before openi

Track Common Adversary Tasks Performed Using Asacub

To know more about it, you can go through my detailed document by clicking here.

Overview
Asacub is a banking trojan and, like other banking trojans, it steals money from the victim's bank account via SMS messages sent from already compromised devices. It was first recognized in 2015 and has targeted Android users since then. Although it generally targets Russia, there is evidence that it also targets banks in various countries such as the USA, Poland, the Czech Republic, Ukraine, etc.

How Does It Spread?
The threat actors behind Asacub disguise their creation as an MMS or SMS application with generic names like 'Message', 'Avito Offer', 'Photo', 'SMS Message', etc., and urge users to download an '.APK' file in order to view its content. That file always contains the payload of the Asacub banking trojan; if users fall for it, the attackers can easily perform their malicious activities, and even if the users don't fall into the tra

Track Common Adversary Tasks Performed Using Arp

To know more about it, you can go through my detailed document by clicking here.

Overview
Arp can show and modify the information in a system's Address Resolution Protocol (ARP) cache. ARP is a protocol used for mapping a dynamic IP address to a permanent physical machine address in a Local Area Network (LAN), and it usually works between the second and third layers of the Open Systems Interconnection (OSI) model.

How Does It Work?
Every time a host needs to transmit a packet to another host in the LAN, it first queries the ARP cache for the MAC address, since the cache maintains a list of IP addresses and their corresponding MAC addresses. If the cache has the entry, the request is processed further; if not, a request for the network address is sent and an ARP operation is carried out.

Attacks on ARP
Attacks like ARP spoofing, also known as ARP poison routing or ARP cache poisoning, are frequently successful against LANs that use ARP. By sending false ARP messages across the n

Track Common Adversary Tasks Performed Using Aria-body

To know more about it, you can go through my detailed document by clicking here.

Overview
Aria-body is a backdoor extensively used since 2017 by Naikon APT, a Chinese-speaking adversary, which makes use of the victim's infrastructure to attack other targets. They generally target government-owned companies as well as the ministries of foreign affairs, science and technology of various countries like Australia, the Philippines, Vietnam, Thailand, Myanmar, Brunei, etc. Their attacks have increased since 2019 with the help of other APTs, and their victims' networks serve as the command and control (C2) server.

Techniques & Tactics
The Aria-body backdoor follows this pattern: First, it poses its email and document as an official government one containing the information required for the target (which is generally data stolen from other compromised systems). Then, it adds a downloader for Aria-body to the document in order to gain access to the target's network. A

Track Common Adversary Tasks Performed Using ASPXSpy

To know more about it, you can go through my detailed document by clicking here.

Overview
The ASPXSpy malware is a web shell modified by Threat Group-3390 as a backdoor payload. It allows the attackers to control the compromised Windows server as well as fetch, install, and execute other malware payloads on the already infected system. It can also open specific ports on the compromised system, which may result in more damage.

Remedy
The following techniques may be of great help in defending against ASPXSpy as well as other similar threats: Identifying digital shadow assets, along with cloud hosts, with the help of an Attack Surface Management solution. Keeping track of password conditions in your organization at all times (mainly under peak conditions). Taking quick action on all the alerts provided by your Threat Intelligence or Digital Risk Protection platforms. Keeping track of all the potential weaknesses in your internet infrastructure, such as expired

Track Common Adversary Tasks Performed Using AppleSeed

To know more about it, you can go through my detailed document by clicking here.

Overview
AppleSeed is a backdoor extensively used by the North Korean threat actor Kimsuky APT (also known as Thallium, Black Banshee, and Velvet Chollima), mainly to target the South Korean government, academic, and commercial sectors since at least 2021. It makes use of phishing websites, malicious documents, and scripts to target high-profile people in the South Korean government.

How Does It Work?
This backdoor generally uses a two-layer command structure to communicate with its command and control server: the first layer is the type of command that is to be executed on the victim, and the second layer is only used when the first layer is in upload-data mode and defines the type of upload. AppleSeed mainly targets South Korean government people such as: Ministry of Foreign Affairs, Republic of Korea First Secretary Ministry of Foreign Affairs, Republic of Korea Second Secretar

Track Common Adversary Tasks Performed Using AppleJeus

To know more about it, you can go through my detailed document by clicking here.

Overview
AppleJeus, discovered in 2018, is a family of downloaders containing trojanized cryptocurrency applications. It is used by the Lazarus Group and targets companies related to the energy, telecommunications, finance, technology, and government sectors in countries such as the USA, UK, South Korea, Australia, Brazil, New Zealand, Russia, etc. It is known to distribute the FALLCHILL RAT.

How Does It Work?
The Lazarus Group spreads this malicious software via a fake app that appears to be a cryptocurrency trading application. Once the malware infects your device, it can terminate itself, download and execute files from the command and control server, execute shell commands, etc. All in all, it gives the threat actors total control of the infected device. Moreover, it can also steal banking information and passwords, perform identity theft, install additional malware, etc.

Pre

Track Common Adversary Tasks Performed Using Anubis

To know more about it, you can go through my detailed document by clicking here.

Overview
Anubis is a type of Android malware initially made for cyber espionage, but it is now being used as a banking trojan. This trojan aims to collect as much data about the victim as possible by intercepting SMS messages, keylogging, exfiltrating files, monitoring the screen, collecting GPS data, etc., and by abusing the device's accessibility services.

How Does It Work?
After successfully launching itself, the trojan immediately connects to the command and control server and automatically downloads an application to start a proxy. After that, a fraudulent message appears on the screen to get Google Play Protect disabled, which gives the attacker full control. After completing these steps, the threat actors can extract whatever information they want and corrupt the network environment. It is believed that their main targets are U.S. banks like Bank of America, U.S. Bank, Capital One

Track Common Adversary Tasks Performed Using AndroRAT

To know more about it, you can go through my detailed document by clicking here.

Overview
AndroRAT is a program that permits a third party to steal sensitive information as well as control your device remotely. Although this tool can allow you to connect to and control any Android device from a PC, it is based on an old vulnerability and can serve as a backdoor.

Features & Functions
AndroRAT offers the following features and functions: It can check the contacts and information. It can check the call logs. It has access to all the messages sent and received. It can view the GPS location. It can perform real-time monitoring of the device's received messages and microphone. It can capture photos from the camera. It can send text messages. URLs can be opened in the web browser. It can also vibrate the device.

Prevention:
Training - As humans tend to make mistakes in the IT industry, regular social engineering awareness training is recommended so that they ca

Track Common Adversary Tasks Performed Using AndroidOS/MalLocker.B

To know more about it, you can go through my detailed document by clicking here.

Overview
AndroidOS/MalLocker.B is ransomware targeting Android devices, and it is easily available for download on various online forums and third-party websites. It doesn't actually corrupt the victim's files; it only prevents access to the rest of the phone by showing a ransom note, generally designed to look as if the local police are telling you that you have committed a crime and should pay a fine. This is one of the most popular forms of ransomware on Android devices.

How Does It Work?
In order to show the ransom note, this ransomware uses two mechanisms: First, it abuses the "call" notification by showing a window that usually covers the entire screen with details of the incoming call. Next, it abuses the "onUserLeaveHint()" function by keeping its ransom note in the foreground and preventing the user from leaving it.

Features
According to Microsoft's

Track Common Adversary Tasks Performed Using ANDROIDOS_ANSERVER.A

To know more about it, you can go through my detailed document by clicking here.

Overview
ANDROIDOS_ANSERVER.A is a type of malware that makes use of encrypted content on a blog site for command and control. It appears as an e-book reader app that can be easily downloaded from any Chinese app store, and it asks for the following permissions after installation: Access network settings; Access the internet; Control the vibrate alert; Disable key locks; Make a call; Read low-level log files; Read and write contact details; Restart apps; Wake the device; Write, read, receive, and send SMS. Such a long list of permissions can only suggest that the said "app" is actually malware, and it can be easily recognized by web tinkerers.

How Does It Work?
After the successful installation of the malware, connections to two command and control servers are established: one is a remote site (mostly used in these cases), and the other is a weblog containing encrypted informati

Track Common Adversary Tasks Performed Using Android/Chuli.A

To know more about it, you can go through my detailed document by clicking here.

Overview
Android/Chuli.A is Android malware especially designed to infiltrate the devices of Tibetan activists and other high-profile human rights activists via a spearphishing email with an attachment. It can steal the infected device's information and send it to the server; this information may include: contacts data, GPS coordinates, phone call logs, stored SMS messages, network communication, hardware controls, system tools, etc.

Tactics & Techniques
This malware can enter your system via various methods, such as: installing apps from unknown or unverified download sites; exploitation of vulnerabilities; being dropped or downloaded by another malware, etc. After its successful installation and launch, the malware can easily compromise the device as well as its connected network.

Prevention
You can protect your devices from being compromised by configuring and enabling the following

Track Common Adversary Tasks Performed Using Android/AdDisplay.Ashas

To know more about it, you can go through my detailed document by clicking here.

Overview
Android/AdDisplay.Ashas is a type of adware abundantly found in multiple apps on the Google store. After being launched, the app communicates with the C&C server and sends data about the infected device (like language, number of installed apps, etc.) to the operator in order to display fraudulent ads.

Techniques & Tactics
In order to attack stealthily, the threat actors follow the steps given below: First, the app determines whether it is being tested by the Google Play security mechanism; if it is, the app will not trigger the adware payload, and vice versa. After launching, the app can also set custom delays between displaying ads so that it will not be detected, as typical test methods take around 10 minutes to test for any kind of unwanted behavior. The app can also hide its icon by creating a shortcut, and when a user tries to delete it, only the shortcut will

Track Common Adversary Tasks Performed Using Anchor

To know more about it, you can go through my detailed document by clicking here.

Overview
Anchor is a sophisticated backdoor malware, active since 2018, used alongside TrickBot installations, and it generally targets high-profile victims. As it is connected with TrickBot, many experts think that it was made by the same developers.

Features
Some of the main features of Anchor are: The TrickBot-Anchor relation - As stated above, Anchor is connected with TrickBot, so many organizations investigate its attacks against financial, manufacturing, and retail businesses from this point of view. Targets POS systems - It generally targets POS systems, stealing sensitive information from the victim's network. Uses new malware - There are many variants that are new or undocumented, extensively used, and also related to TrickBot. Uses known tools for reconnaissance & lateral movement - Familiar tools such as PowerShell, Meterpreter, Empire, Cobalt Strike, etc. are u

Track Common Adversary Tasks Performed Using Allwinner

To know more about it, you can go through my detailed document by clicking here.

Overview
Allwinner is a Chinese company that provides processors for Android and other devices. It has released about 15 SoC processors for use in Android phones, video cameras, car DVRs, etc. However, according to reports, a Linux kernel it supplied for use in various devices contained a backdoor, and this backdoor allows any installed app full access to your system, which is a high risk to all devices containing this kernel.

Types of Attacks
It can perform the following tasks: SMS Recording; SMS Transmission; IMEI Exfiltration; IMSI Transmission; Call Log Transmission; Call Contact Information Transmission; Location Collection & Transmission; Command Injection; Remote User Application Update; Remote User Application Install; Transmit Installed Applications List; Transfer Application Execution Order; Programmatic Firmware Update; Remote Execution & Privilege Escalation (Without user's con

Track Common Adversary Tasks Performed Using Agent.btz

To know more about it, you can go through my detailed document by clicking here.

Overview
Agent.BTZ, or Autorun, is a worm that generally spreads through USB drives. Although it was initially thought to be related to China, it is still not clear whether it is really related to China or Russia. This worm attacked a US military base in the Middle East via an infected USB drive attached to a laptop linked to the United States Central Command, and it took nearly 14 months to clear from the military networks.

Tactics
Whenever the operators of Agent.BTZ recognize their targets, such as military networks, they quickly take action by gaining remote control and installing other malicious tools to steal important documents.

Characteristics
Some of its main characteristics are: It is used to steal or exfiltrate sensitive information or documents. It is deployed with the help of access methods like PowerStallion, PowerShell backdoor, etc. It can perform many actions on a compromised computer, like