Our latest research shows attacks against Middle East government SharePoint servers using a newly patched vulnerability. In our blog, we provide details of the tools and tactics, explain how we believe these connect to the Emissary Panda threat group, correlate our findings with those of the Saudi Arabian National Cyber Security Center and the Canadian Centre for Cyber Security, and provide indicators of compromise (IoCs) from our research.
Unit 42 has discovered a new version of Cardinal RAT, which we first discovered in 2016. This new version targets financial technology companies, primarily in Israel. It includes new anti-analysis capabilities, including the use of steganography. In addition to our research, we include a new Python script to decrypt the steganographic payload.
Inception targets Europe with a year-old Office vulnerability. Read the full report.
Unit 42 uncovers DarkHydrus, a new threat actor group targeting Middle East governments.
Unit 42 investigates the RANCOR group's use of the DDKONG and PLAINTEE malware families to deliver targeted espionage attacks in Southeast Asia.
Unit 42 goes inside the coop with new analysis and additional information on malicious HenBox applications.
Unit 42 discovers HenBox, an Android malware family masquerading as legitimate apps on third-party app stores.
Unit 42 gives a walkthrough of the analysis of the VERMIN malware, details links between the activity observed, and provides IOCs for all activity discovered.
Unit 42 discovers MuddyWater, a threat group targeting entities in the Middle East and beyond.
Unit 42 examines the continued effectiveness of Paranoid PlugX malware.
This post explores how the attackers attempt to gain a foothold into target networks before briefly describing the malware families used.
Taiwan has been a regular target of cyber espionage threat actors for a number of years. Reasons for Taiwan being targeted range from its position as one of the sovereign states of the disputed South China Sea region to its emerging economy and growth, Taiwan being one of the most innovative countries in the high-tech industry.
Introduction: When malware wants to communicate home, most samples use domain names, which let them resolve host names to the IP addresses of their servers. In order to increase the likelihood of their malware successfully communicating home, cyber espionage threat actors are increasingly abusing legitimate web services, in lieu of DNS lookups, to retrieve a command and