SilverTerrier – 2018 Nigerian Business Email Compromise

Our latest ongoing research into the Silver Terrier Nigerian threat actors shows that attacks increased by 54 percent in 2018 as targeting of high-tech firms and manufacturers surged.
We also show how attackers are using more sophisticated tools like information stealers, remote access tools and obfuscating malware so that it’s only detected 58% of the time. Unit 42 has observed 1.1 million attacks with more than 51,000 malware samples over the four years we have been monitoring this threat actor.

Behind the Scenes with OilRig

Unit 42 digs into the recent OilRig data dump and finds new information on the breadth of attacks and OilRig’s toolset. Our analysis shows OilRig attacks are broader than previously thought: 97 organizations in 27 countries, including the Middle East and China, and 18 industries, including government, technology, telecommunications and transportation.

BabyShark Malware Part Two – Attacks Continue Using KimJongRAT and PCRat

In February 2019, Unit 42 published a blog about the BabyShark malware family and the associated spear phishing campaigns targeting U.S. national think tanks. Since that publication, malicious attacks leveraging BabyShark have continued through March and April 2019. The attackers expanded targeting to the cryptocurrency industry, showing that those behind these attacks also have interests in financial gain.

Don’t Panic Podcast – Watering Hole Attacks

Unit 42 leaders Ryan Olson and Rick Howard present another episode of their “Don’t Panic” podcast, where they break down the big issues in cyber security and tell you why you don’t need to panic. This week’s episode is about Watering Hole attacks. This technique involves compromising specific websites to target their readers with malware.

Takedowns and Adventures in Deceptive Affiliate Marketing

At Palo Alto Networks, Unit 42 analyzes threats across the spectrum – from nation state all the way down to Florida state. In this blog, I’ll be covering two aspects of multi-year affiliate marketing spam campaigns designed to deceive individuals, scam, and profit off of people’s desire to change their lives. First, I’ll provide an overview of a spam campaign sent to some customers that led me down this more than two year rabbit hole, and then dig into the inner workings. This blog covers a number of topics: data collection, analysis, and enumeration of infrastructure. These efforts allowed us to map out thousands of compromised servers and abused domains and hundreds of compromised accounts, resulting in a collaborative effort with GoDaddy to take down over 15,000 subdomains being used across these campaigns.

Exploits in the Wild for WordPress Social Warfare Plugin CVE-2019-9978

Unit 42 releases new details on two vulnerabilities in Social Warfare (CVE-2019-9978). Both vulnerabilities are present in all versions of Social Warfare prior to 3.5.3: an estimated 42,000 websites are potentially vulnerable. Unit 42 researchers found five compromised sites actively used for hosting malicious exploit code, which allows the attackers to control more websites. In this blog post we provide new details on the root cause of the vulnerabilities, proof of concept code (PoC) to demonstrate the vulnerability, and information on attacks we observed in the wild as well as the scope of vulnerable sites.

Aggah Campaign:, BlogSpot, and Pastebin Used for C2 in Large Scale Campaign

In March 2019, Unit 42 began looking into an attack campaign that appeared to be primarily focused on organizations within a Middle Eastern country. Further analysis revealed that this activity is likely part of a much larger campaign impacting not only that region but also the United States and countries throughout Europe and Asia. In this blog, we outline our findings around a new campaign we’ve named the Aggah Campaign based on the actor’s alias “hagga”.

DNS Tunneling in the Wild: Overview of OilRig’s DNS Tunneling

On March 15, Unit 42 published a blog providing an overview of DNS tunneling and how malware can use DNS queries and answers to act as a command and control channel. To supplement this blog, we have decided to describe a collection of tools that rely on DNS tunneling used by an adversary known as OilRig.

Using Wireshark: Identifying Hosts and Users

When a host is infected or otherwise compromised, security professionals need to quickly review packet captures of suspicious network traffic to identify affected hosts and users. This tutorial offers tips on how to gather pcap data using Wireshark, the widely used network protocol analysis tool.

Born This Way? Origins of LockerGoga

A Unit 42 analysis of LockerGoga ransomware samples reveals that its developers have added new features to the malware, which was used in a string of attacks on industrial firms.

Cardinal RAT Sins Again, Targets Israeli Fin-Tech Firms

Unit 42 has discovered a new version of CardinalRat which we first discovered in 2016. This new version targets financial technology companies, primarily in Israel. It includes new anti-analysis capabilities, including the use of steganography. In addition to our research, we include a new Python script to decrypt the steganographic payload.
