Category Archives: CTU Research

Threat Group-0110 targets manufacturing and financial organizations via phishing

Since the evening of July 21, 2014, Dell SecureWorks Counter Threat Unit™ (CTU) researchers have observed a threat group the CTU research team refers to as Threat Group-0110 (TG-0110)[i] phishing many organizations in the manufacturing and financial verticals. TG-0110 is known for using the Pirpi backdoor to access endpoints. Pirpi can search for and exfiltrate files, run other executable files, and execute commands. It also has reverse shell capabilities.

Gameover Zeus re-emerges without peer-to-peer capability

Dell SecureWorks CTU(TM) researchers have observed the distribution of a modified version of the Gameover Zeus malware. The global Gameover Zeus infrastructure was disrupted in late May 2014 by law enforcement and private industry partners during Operation Tovar. The infrastructure, including its peer-to-peer (P2P) network, remains under the control of those organizations and is not available to the threat actors who originally operated it. The new version observed in distribution on July 10, 2014 has jettisoned the P2P component in favor of a centralized command and control (C2) infrastructure that is based on a domain generation algorithm (DGA).

Hacker Hijacks Synology NAS Boxes for Dogecoin Mining Operation, Reaping Half Million Dollars in Two Months

As early as February 8th of this year, computer users began to notice their Synology Network Attached Storage (NAS) boxes were performing sluggishly and had a very high CPU usage. As a result, investigations ensued and eventually a Facebook post, directed at Synology, was made. Ultimately, it was discovered that the cause of the excessive resource consumption was due to illegitimate software that had infected the systems, which ironically, was stored in a folder labeled “PWNED.”

Using Unicode to hide malware within the file system

Dell SecureWorks Counter Threat Unit™ (CTU) analysts previously observed the use of Unicode characters within the Windows Registry to obscure the presence of malware on a system. Similar techniques can be used within the file system. CTU analysts examined a system infected with the Win32/Vercuser.B worm, which was obscured, in part, through the use of a Unicode character.

How to Hide Malware in Unicode

Unicode character sets are used throughout Windows systems, largely to make it easier to present the same information (warning messages, alerts, notices, etc.) in different languages. Windows applications, including the Windows Explorer shell, understand Unicode character sets, control characters, and know how to present them to the user. This functionality can also be subverted for malicious purposes in order to hide the presence of malware, often in plain sight.

Dell SecureWorks’ Brand Surveillance Team Warns Organizations of Hacktivists and Disgruntled Employees Mounting Multi-Prong Cyber Attacks, not Just DoS Attacks

Hactivists, disgruntled employees, and other cyber threat actors intent on sabotaging an organization, are expanding their tactics beyond Distributed Denial of Service (DDoS) attacks, warns Dell SecureWorks’ Enterprise Brand and Executive Threat Surveillance team. This team is constantly monitoring social media sites, forums, and other public information sources, looking for conversations and other indicators that a customer’s brand or its executives might be the target of a cyber-attack. Using their highly honed investigative skills, the team has worked numerous cases where they have obtained solid intelligence of an attack being planned by the threat actors. Dell SecureWorks has then worked with the organizations to quickly shut down the attack before it could happen or implemented countermeasures to block the attack, effectively protecting the organization’s infrastructure, assets and brand.

DNS Amplification Variation Used in Recent DDoS Attacks (Update)

Attackers typically rely on large botnets to generate distributed denial of service (DDoS) traffic; however, there are additional ways to amplify attack traffic. The DNS amplification attack is a popular form of DDoS that relies on exploitation of publicly accessible open DNS servers to deluge victims with DNS response traffic.

The Mobile Cyber Threat; Go Away, We Are Not Compatible

The way we engage with and use technology each day is changing. We wake up, we check our smartphones. We travel to work and we read the news on our tablets. We get to work and we move to our PCs or laptops. This convenience comes with a heavy cost if security is compromised. And since we use so many devices to exchange data and threats have become highly evolved, a compromise is likely.

Learning from Cyber Security Competitions (NECCDC edition)

The Northeast Collegiate Cyber Defense Competition (NECCDC) is a three-day event designed to give college students the opportunity to handle the challenges of administering and defending a mock corporate network infrastructure. This year, Dell SecureWorks was a sponsor of the event. Winning teams from the NECCDC and other regional qualifying rounds are invited to take part in a national championship.

Rats in a Sinking Server

At the 2013 RSA security conference in San Francisco, Dell SecureWorks Counter Threat Unit™ (CTU) researchers will present some new techniques we have found around sinkholing. We believe these techniques will assist security researchers in their work.

Online Tools

  • Print this Page
  • Share This Resource