Reports

At the end of 2021, we inspected UEFI firmware that was tampered with to embed a malicious code we dub MoonBounce. In this report we describe how the MoonBounce implant works and how it is connected to APT41.

It appears that BlueNoroff shifted focus from hitting banks and SWIFT-connected servers to solely cryptocurrency businesses as the main source of the group’s illegal income.

The ScarCruft group (also known as APT37 or Temp.Reaper) is a nation-state sponsored APT actor. Recently, we had an opportunity to perform a deeper investigation on a host compromised by this group.

In this report we provide details on a malicious VBS implant distributed via MS Excel droppers and a fake “Kaspersky Update Agent” which we attribute to WIRTE APT who may be linked to Gaza Cybergang.

Securelist Categories

APT reports

Lazarus targets defense industry with ThreatNeedle

Sunburst backdoor – code overlaps with Kazuar

Lazarus covets COVID-19-related intelligence

Sunburst: connecting the dots in the DNS requests

Archive

Kaspersky Security Analyst Summit 2016: The Live Blog

Social Media Wall: TheSAS2016

Malware wallpaper calendars for 2012

Malware Calendar Wallpaper for December 2011

DDoS reports

DDoS attacks in Q3 2021

DDoS attacks in Q2 2021

DDoS attacks in Q1 2021

DDoS attacks in Q4 2020

Events

How we took part in MLSEC and (almost) won

Lyceum group reborn

Wake me up till SAS summit ends

Targeted Malware Reverse Engineering Workshop follow-up. Part 2

Incidents

CVE-2021-44228 vulnerability in Apache Log4j library

Exploitation of the CVE-2021-40444 vulnerability in MSHTML

Triada Trojan in WhatsApp mod

Arrests of members of Tetrade seed groups Grandoreiro and Melcoz

Industrial threats

PseudoManuscrypt: a mass-scale spyware attack campaign

Threat landscape for industrial automation systems in H1 2021

Threat landscape for industrial automation systems. Statistics for H2 2020

Attacks on industrial enterprises using RMS and TeamViewer: new data

Congratulations, you’ve won! The reality behind online lotteries

Keyloggers: How they work and how to detect them (Part 1)

Scammers’ delivery service: exclusively dangerous

Reports

MoonBounce: the dark side of UEFI firmware

The BlueNoroff cryptocurrency hunt is still on

ScarCruft surveilling North Korean defectors and human rights activists

WIRTE’s campaign in the Middle East ‘living off the land’ since at least 2019

Subscribe to our weekly e-mails