SecureList

NOVEMBER 26, 2021

In June, more than six months after DarkHalo had gone dark, we observed the DNS hijacking of multiple government zones of a CIS member state that allowed the attacker to redirect traffic from government mail servers to computers under their control – probably achieved by obtaining credentials to the control panel of the victims’ registrar.

Malware 100

Malware Banking Energy and Utilities Accountability 100

SecureList

MAY 31, 2021

We believe that the most significant aspect of the Ecipekac malware is that the encrypted shellcodes are inserted into digitally signed DLLs without affecting the validity of the digital signature. Ransomware encrypting virtual hard disks. When this technique is used, some security solutions cannot detect these implants.

Malware 109

Malware Adware Encryption Architecture 109

SecureList

APRIL 27, 2021

Although Lyceum still prefers taking advantage of DNS tunneling, it appears to have replaced the previously documented.NET payload with a new C++ backdoor and a PowerShell script that serve the same purpose. The contents are disguised as GIF image files, but contain encrypted commands from the C2 server and command execution results.

Malware 142

Malware Spyware Government Social Engineering 142