Where you AT?: Indicators of lateral movement using at.exe on Windows 7 systems

Dell SecureWorks Counter Threat Unit™ (CTU) analysts were recently engaged with a client thought to have been compromised by a threat group CTU researchers have named Threat Group-0416 (TG-0416) . Various artifacts from the initial phases of the incident provided strong indications of the existence of this particular threat group within the client’s infrastructure. TG-0416 is a stealthy and extremely successful Advanced Persistent Threat (APT) group known to target a broad range of verticals since at least 2009, including technology, industrial, manufacturing, human rights groups, government, pharmaceutical, and medical technology.

Redefining “advanced persistent” adversaries?

Since the beginning of 2013, the popular press has documented many major information security intrusions and attacks. These stories have included veiled hints that the amount of sophistication suggests the intrusions are perpetrated by “advanced persistent” adversaries who must be sponsored by nation-states. Dell SecureWorks Counter Threat Unit™ (CTU) researchers have drawn a different conclusion based on evidence left behind from recent persistent intrusions in well-secured organizations.

Threat Group-0110 targets manufacturing and financial organizations via phishing

Since the evening of July 21, 2014, Dell SecureWorks Counter Threat Unit™ (CTU) researchers have observed a threat group the CTU research team refers to as Threat Group-0110 (TG-0110)[i] phishing many organizations in the manufacturing and financial verticals. TG-0110 is known for using the Pirpi backdoor to access endpoints. Pirpi can search for and exfiltrate files, run other executable files, and execute commands. It also has reverse shell capabilities.

Gameover Zeus re-emerges without peer-to-peer capability

Dell SecureWorks CTU(TM) researchers have observed the distribution of a modified version of the Gameover Zeus malware. The global Gameover Zeus infrastructure was disrupted in late May 2014 by law enforcement and private industry partners during Operation Tovar. The infrastructure, including its peer-to-peer (P2P) network, remains under the control of those organizations and is not available to the threat actors who originally operated it. The new version observed in distribution on July 10, 2014 has jettisoned the P2P component in favor of a centralized command and control (C2) infrastructure that is based on a domain generation algorithm (DGA).

Hacker Hijacks Synology NAS Boxes for Dogecoin Mining Operation, Reaping Half Million Dollars in Two Months

As early as February 8th of this year, computer users began to notice their Synology Network Attached Storage (NAS) boxes were performing sluggishly and had a very high CPU usage. As a result, investigations ensued and eventually a Facebook post, directed at Synology, was made. Ultimately, it was discovered that the cause of the excessive resource consumption was due to illegitimate software that had infected the systems, which ironically, was stored in a folder labeled “PWNED.”

Endpoint Security & Special Guest Robert O’Neill at Gartner Summit

We are thrilled to announce former Navy SEAL Team Leader Robert O’Neill as our special guest at this year’s Gartner Security and Risk Management Summit in National Harbor, Maryland. If you are attending our discussions and activities around endpoint security, cyber security or our other information security services, be sure to swing by our hospitality […]

Operation Tovar: Dell SecureWorks Contributes to Efforts Targeting Gameover Zeus and CryptoLocker

Dell SecureWorks partnered with international law enforcement and industry to take proactive action against the infrastructure of the Gameover Zeus botnet and the CryptoLocker ransomware, as well as the operators responsible for these threats. This action has been named Operation Tovar. Law enforcement organizations including the Federal Bureau of Investigation (FBI), the UK’s National Crime Agency, and Europol’s European Cybercrime Center (EC3) seized infrastructure assets relating to these threats, while technical measures were enacted to neutralize the command and control (C2) infrastructure.

APT Campaign Leverages the Cueisfry Trojan and Microsoft Word Vulnerability CVE-2014-1761

Dell SecureWorks Counter Threat Unit™ (CTU) researchers discovered the Cueisfry first-stage downloader trojan while analyzing a spearphishing message sent to an email account belonging to an intelligence-related group in Japan. The message was part of an Advanced Persistent Threat (APT) campaign targeting government officials and economic institutions in Southeast Asia.

Online Tools

  • Print this Page
  • Share This Resource