Phishing Campaign Targets the Medical Research Community

phishing campaign

Overview of TIR-20210411

This report is about a well-known threat targeting the medical research community in both the United States and Israel. The threat actor is based out of Iran with ties to the Iranian military. The campaign involves phishing notable targets with the promise of viewing an exclusive report.

Tactics, Techniques, and Procedures

The […]

Two Vulnerabilities Affect FireEye EX 3500


Overview of CVE-2021-28970 and CVE-2021-28969

This report is about two vulnerabilities affecting FireEye EX 3500. Successful exploitation of these vulnerabilities may allow the attacker to view, add, modify, or delete information in the back-end database. If your company uses the FireEye EX 3500 e-mail security appliance, it is highly recommended that vendor-supplied patches […]

Overview of the Crypter-as-a-Service, HCrypt


TIR-20210329 Overview

This report is an overview of the crypter-as-a-service, HCrypt. Similar to ransomware-as-a-service, HCrypt is sold to less technical malicious actors. The end goal of this malware is installation of a user-defined RAT (remote access trojan) on the victim machine. Creation and scale of the malware have been attributed to malware author NYANxCAT, who […]

Zoom Screen-Sharing Vulnerability Displays Unauthorized Information


Overview of Zoom Vulnerability TIR-20210321

This report is about a vulnerability found in the popular virtual meeting application known as Zoom. The vulnerability has no known patch at the time this report was written. The vulnerability may allow users in the meeting to see information on a screen-share that they were not authorized to view. […]

Three Recently Reported Azure LoLBins Help Attackers Evade Detection


Overview of TIR-20210313

This report spotlights three recently reported Azure living-off-the-land binaries (LoLBins) that could be used by attackers to evade detection while escalating privileges and performing other malicious activities on a targeted network. Because of the threat posed by an attacker accessing these legitimate tools, it is critical that admins take the appropriate precautionary […]

Operation Exchange Marauder: Mass Exploitation of Microsoft Exchange


Operation Exchange Marauder: Mass Exploitation of On-Prem Exchange Servers

On March 2, 2021, Microsoft released a series of emergency security patches for Exchange Server 2019, 2016, 2013, and 2010. The fact that Exchange 2010 is end-of-life, yet Microsoft still released a security patch for it, underscores the severity and urgency of this threat. The security […]

Darkside Ransomware Overview

Darkside Ransomware

TIR-20210307 Overview

This report is an overview of Darkside Ransomware. DarkSide is a Ransomware-as-a-Service (RaaS) which primarily targets Windows systems but also has the ability to target Linux OS variants. A Russian-speaking cybercriminal using the handle ‘darksupp’ has posted several announcements regarding Darkside, including an official recruitment for affiliates to participate in the Darkside RaaS […]

New Variant of MassLogger Trojan Malware Targets Microsoft Outlook & Google Chrome


Overview of MassLogger v3

This report is about recent malware campaigns utilizing the MassLogger trojan (written in .NET). Previously we have covered features of MassLogger in TIR-20200821. However, recent research has revealed a new variant of the malware, dubbed MassLogger v3 by Avast. The primary goal of these campaigns is credential exfiltration, targeting popular applications […]

New Phishing Campaign Uses Morse Code to Avoid Detection


Overview of TIR-20210221

This report is about a new phishing campaign that uses a unique method of obfuscation to avoid detection by traditional security appliances. The method of obfuscation is Morse code, which is used to hide URLs. Given its ability to successfully bypass security tooling, this campaign is quite dangerous if a user is […]

High Severity Windows Vulnerabilities Impact Windows Client & Windows Server OS Versions 7 and Above


Overview of CVE-2021-24074, CVE-2021-24094, and CVE-2021-24086

This report is about three high-severity Windows TCP/IP vulnerabilities tracked as CVE-2021-24074, CVE-2021-24094, and CVE-2021-24086. All three are exploitable by a remote, unauthenticated attacker and impact Windows Client and Windows Server OS versions 7 and above. Successful exploitation could result in significant system downtime and the exfiltration of sensitive […]