A hunting query to identify post-exploitation activities Customized Detection Strategy (DeStra) to detect future exploitation attempts On the 11th of March, Microsoft reported an active exploitation campaign of several zero-day vulnerabilities affecting on-premise versions of Microsoft Exchange Servers allegedly from a state-sponsored adversary, HAFNIUM. The attack starts by exploiting vulnerabilities — CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and […]
Category Archives: Malware
Leonardo S.p.A. Data Breach Analysis
ReaQta Threat Intelligence Team identified the malware used in an exfiltration operation against the defence contractor Leonardo S.p.A. The analysis of the malware, which we dubbed Fujinama, highlights its capabilities for data theft and exfiltration while maintaining a reasonably low-profile.
Dridex: the secret in a PostMessage()
Dridex is a well-known banking malware that evolves constantly. This time we analyze a new variant that uses an effective technique to bypass security solutions.
ReaQta Launches ReaQta-EON and Hive-Guard
Introducing two new additions to the ReaQta suite of solutions, ReaQta-EON and Hive Guard.
Meet HIVE GUARD: The Anti-Malware Module
ReaQta’s Anti-malware module Hive Guard adds pre-execution dynamic emulation, behavioral heuristics and signature-based prevention combined with a new A.I. based analysis module.
Oil and Gas Supply-chain Phishing Campaign
ReaQta has been tracking an extensive and long running spear-phishing campaign, targeting the supply-chain in the Oil & Gas industry, most likely for espionage purposes. The campaign started in 2018 and it’s still running today, with a new wave began on the first week of May. It is carefully prepared and executed, with attackers taking […]
MITRE ATT&CK Evaluation Confirms ReaQta-Hive Advanced Detection Capabilities
The attack unfolded over 2 days in which the attackers gradually moved deeper into the network after obtaining initial access. The vast majority of operations were carried out using powershell, as opposed to custom tools and malware, in order to maintain a low detection profile. The evaluation goal is to show how tested solutions respond to the attack and what kind of visibility is provided along the entire kill-chain.
Attackers are Starting to Exploit Vulnerable Drivers – Are Defenders Ready?
Criminal actors are now using a bug in a legitimate driver to launch RobbinHood, a new type of ransomware that can escape detection as it operates at kernel level. Understanding how RobbinHood works is key to understanding how to stop novel kind of attacks relying on trusted components.
Ave_Maria Malware: there's more than meets the eye
Introduction AVE_MARIA, a malware used in phishing campaigns and so far identified only as an info-stealer, appears to be more complex and insidious, offering a wide range of capabilities, from privilege escalation to camera exfiltration, RDP connections, email extraction and more. For the past few months we have been monitoring various phishing campaign delivering AVE_MARIA […]
Silence group targeting Russian Banks via Malicious CHM
In November 2018 we followed up on a tweet mentioning a potential malicious code disseminated in CHM (Microsoft Compiled HTML Help). A preliminary analysis caught the attention of our Threat Analysis and Intelligence team as it yielded interesting data that, among other things, shows that the attack campaign was targeting employees from financial entities, specifically […]
