logo_itb_purple

Inside The Lab HarfangLab EDR

Loading...
image
CYBER THREAT INTELLIGENCE

AllaSenha: AllaKore variant leverages Azure cloud C2 to steal banking details in Latin America

Identifier: TRR240501. Summary Earlier in May, our security product spotted a malicious payload, which was tentatively delivered to a computer in Brazil, via an intricate infection chain involving Python scripts and a Delphi-developed loader. The final malicious payload, that we…

29 min
MuddyWater_Ongoing_RMM_Campaign
CYBER THREAT INTELLIGENCE

MuddyWater campaign abusing Atera Agents

Identifier: TRR240402. Summary We have been closely monitoring the activities of the Iranian state-sponsored threat actor MuddyWater since the beginning of 2024. Our investigations reveal an active campaign that has been ramping up since October 2023, aligning with the Hamas…

18 min
APR31 indictment heading
CYBER THREAT INTELLIGENCE

Analysis of the APT31 indictment

Identifier: TRR240401  On March 25, 2024, the U.S. Department of Justice (DoJ) released an indictment of seven hackers associated with APT31, a “hacking group in support of China’s Ministry of State Security” (MSS) which has been active for 14 years.…

14 min
featured_raspberry_robin_emulator
CYBER THREAT INTELLIGENCE

Raspberry Robin and its new anti-emulation trick

Reported for the first time by Red Canary in 2021, Raspberry Robin was the 9th most prevalent threat in 2023 according to their “2024 Threat Detection Report”. Starting as a worm, it evolved to become an initial access broker for…

9 min
A comprehensive analysis of I-Soon's commercial offering
CYBER THREAT INTELLIGENCE

A comprehensive analysis of I-Soon’s commercial offering

Identifier: TRR240301. Key Findings I-Soon’s commercial offering reveals that their main issue is processing collected data, not breaching their targets in the first place. Their products leverage deep learning to help them sort and classify stolen documents. The company appears…

38 min
samecoin-header
CYBER THREAT INTELLIGENCE

Hamas-linked SameCoin campaign malware analysis

Identifier: TRR240201. Summary Following an X post by IntezerLab about an attack campaign that they dubbed “SameCoin”, we analyzed the samples they discovered and found a few identical variants. The infection vector appears to be an email impersonating the Israeli…

17 min
banner
CYBER THREAT INTELLIGENCE

Compromised routers are still leveraged as malicious infrastructure to target government organizations in Europe and Caucasus

Identifier: TRR240101. On 2023-12-28, the Ukrainian government computer emergency and incident response team (CERT-UA) described a malicious espionage campaign that targeted government organizations in Ukraine. CERT-UA attributed the campaign to the APT28 threat-actor (aka Sofacy, Fancy Bear, etc.). The malicious…

20 min
predictions_bg
CYBER THREAT INTELLIGENCE

2024 Threatscape report

As we step into 2024, we anticipate a year that is poised to set several significant precedents. In this blogpost, we provide our Threatscape report, presenting our predictions for the global threats that lie ahead in the upcoming year. These…

9 min
aot_background
CYBER THREAT INTELLIGENCE

An introduction to reverse engineering .NET AOT applications

About a month ago, we started seeing reports on activities from DuckTail , a cybercrime outfit reportedly based in Vietnam. Detonating one of the samples, we observed that a new account was being created on the analysis machine, followed by…

12 min
ITL-Machine-learning
ARTIFICIAL INTELLIGENCE

Machine Learning to identify malicious strings in a file

Why bother with strings? When analyzing a new sample found “inthewild”, it may make sense to extract the strings within it to identify IP addresses, domains, log files or C&C server signatures. For example, if an Artificial Intelligence model such…

9 min
ITL-Operations
OPERATIONS

How many slices of pizza do you need to appear in MITRE?

“We don’t see you in MITRE.” “Your solution hasn’t even been benchmarked, so how can anyone know what you’re REALLY worth?” “Anyway, it’s impossible for a French player to be as good as the Americans…” … okay, okay, that’s enough…

8 min
TaskLoader
CYBER THREAT INTELLIGENCE

Loaders galore – Taskloader at the root of a Pay-per-Install infection chain

In June 2023, we’ve observed multiple alerts that seemingly came from different sources. A quick search through our telemetry allowed us to identify multiple infected machines across our clients. Although they would sometimes present different behaviour, the initial infection vector…

21 min