Posts created by: Rob Downs

In this second part of Unit 42’s Cybercrime Underground blog series, we dive into the cybercrime forum ecosystem and focus on observed cybercriminal roles, as well as prevalent tools and services bought and sold in the underground. The goal of this post is not to provide an exhaustive directory, but rather to provide additional context

This post is the first in a series by Unit 42 covering the cybercrime underground. Cybercrime persists as an epidemic that continues to worsen every year, with associated impacts and losses steadily growing. In this series, we’ll explore actors, motivations, and the current threat landscape. Some of what contributes to the growth of the cybercrime

Ransomware persists as one of the top crimeware threats thus far into 2016. While the use of document-based macros for ransomware distribution remains relatively uncommon, a new family calling itself “Locky” has borrowed the technique from the eminently successful Dridex to maximize its target base. We first learned of Locky through Invincea and expanded on

Introduction The Sofacy group, also known as APT28 and Sednit, is a fairly well known cyber espionage group believed to have ties to Russia. Their targets have spanned all across the world, with a focus on government, defense organizations and various Eastern European governments. There have been numerous reports on their activities, to the extent

In part three of the Adversaries and Their Motivations blog series, we’ll explore the following top-level actor motivations: Cyber Warfare, Cyber Terrorism, and Cyber Mischief. Even Fuzzier Boundaries The high-level actor motivations covered earlier in this blog series introduced challenges in identifying and attributing activity between Cyber Espionage, Cyber Crime, and Cyber Hacktivism. Analysis of

This post is the second in a blog series describing adversaries and their motivations. In part two of the series, we’ll explore the following top-level actor motivations: Cyber Espionage, Cyber Crime, and Cyber Hacktivism. Adversary Operational Maturity, Targeting, and Key Roles Before we start, there are some additional concepts that add context to exploring malicious

This blog is the first in a series describing adversaries and their motivations. This part in the series presents underlying concepts and the value proposition for exploring who is attacking a network and why.

Malicious actors employ a range of tools to achieve their objectives. One of the most damaging activities an actor pursues is the theft of authentication information, whether it applies to business or personal accounts. Unless specifically mitigated, this theft often allows an unauthorized actor to masquerade as the victim, either achieving immediate gains or creating

After Brian Krebs reported the September arrests of alleged key figures in the cyber crime gang that developed and operated Dridex, Unit 42 observed a marked decrease in activity related to this banking Trojan – at least until today.  Dridex re-entered the threat landscape with a major e-mail phishing campaign. Leveraging the Palo Alto Networks

In late October, we began examination of a VBA-initiated Infostealer campaign. This blog post follows up on additional information we gathered on related malware and associated actors. Pivot On Initial Predator Pain Sample C2 In our previous post, we identified two Command and Control (C2) fully qualified domain names (FQDNs) for the initial Predator Pain

The Asprox/Kuluoz malware family has a special place in our hearts at Palo Alto Networks. This botnet-related Trojan malware has evolved from its 2007 roots into a simple and yet robust mass e-mail phishing threat that is the origin of a significant percentage of Internet spam today. This post further explores trends for this malware

While Microsoft documents that leverage malicious, embedded Visual Basic for Applications (VBA) macros are not a new thing, their use has noticeably increased this year, thanks in part to their simplicity and effectiveness. Some threat actors commonly use this class of malware to drop a second stage payload on victim systems. Even though Microsoft attempts

Session Traversal Utilities for NAT (STUN) is a network protocol with standardized methods that enables an internal network address space host employing Network Address Translation (NAT) to determine its Internet-facing/public IP address. STUN has several legitimate uses, including enablement of NAT traversal for voice over IP (VOIP), messaging, video, and other IP-based interactive communication. As

Recently, we found email accounts from top universities across the world being sold on Taobao, the largest consumer-to-consumer (C2C) e-commerce platform in China. Advertised uses for these accounts included registering for special accounts under software developer programs, receiving student discounts or coupons from retailers, and obtaining access to academic databases.  This post describes the scope,

Last week, we reported on attacks observed against East Asia that used Google Code for command and control (C2). As follow-on to that work, we pivoted on the C2 indicators of compromise (IoCs) within our WildFire platform, looking for additional malicious activity. One sample in particular caught our attention, downloaded on June 18 from 211.233.89.182