Backdoor Returns: Bandook is a type of RAT that appeared between 2015 and 2017 in campaigns dubbed Operation Manul and Dark Caracal. During the year 2020, Bandook has resurfaced, and analysis suggests the backdoor being developed and provided by a third-party service. Systems are infected when users get tricked into downloading a malicious script, which in turn downloads and execute a sequence of payloads to finally install the backdoor. The backdoor itself is equipped with tooling that provides screen captures and remote file manipulation.

TrickBot Banker: TrickBot is one of the most popular type of trojan. It started first in 2016 as a banking trojan and has evolved with spyware capabilities. It is customisable to make it more effective and profitable. This means that not all TrickBot infections will be the same. TrickBot is not openly advertised, but is only distributed across an elite group of criminals in the underground. TrickBot infects machine most often through malicious documents. Once installed on a target system, TrickBot will download other types of malware.

APT32 Group: APT32, also known as OceanLotus, is a known threat group that was first identified in 2012 in an attack that targeted Chinese entities. After which the groups targets expanded to various countries across Asia. The threat group has mostly focused on seeking intellectual property as well monetary gain but have targeted Journalists and dissidents. Tactics, Techniques, and Procedures have included the use of custom tools as well as commodity malware including Goopy, KOMPROGO, PHOREAL, SOUNDBITE, WINDSHIELD, Cobalt Strike beacons, PowerShell-based tools, and Mimikatz.

Remcos RAT: Remcos is a remote access technology that is developed and maintained by the cyber security firm BreakingSecurity. It is advertised as a legitimate tool which allows remote control and surveillance of a target machine. Remcos is available as freeware and a fee based professional version and has been widely available in criminal forums since the second half of 2016. Features such as a keylogger, camera capture, microphone access and remote control made the software attractive to criminals. Due to the nefarious use of Remcos it is labeled as malware and has most recently been seen delivered through malspam campaigns that aim to compromise systems.

Turla: Based on OSINT, TTP, and malware analysis, results are received and assessed on a daily basis. The Threat Activity events, in particular, share the indicators that cannot be tied to a specific dedicated operation or name but indicate malicious activity by the threat actor group, in this case, possibly the Turla group. Turla threat group has infected victims in over 45 countries, spanning a range of industries including government, embassies, military, education, research, and pharmaceutical companies since 2004. The heightened activity was seen in mid-2015. Turla is known for conducting watering hole and spear-phishing campaigns and leveraging in-house tools and malware. Turla’s espionage platform is mainly used against Windows machines but has also been seen used against macOS and Linux machines.

Conti Ransomware: The Conti ransomware family was discovered using multiple techniques to find files to attack and how the encryption process is carried out. The malware uses multiple threads to encrypt files at a faster rate compared to other ransomware families and contains command-line options to scan for local files as well as remote files over SMB shares. Conti also uses the Windows Restart Manager to free up files that are open by various applications. The ransomware uses AES-256 encryption and requires the victim to email the threat actor for the decryption key. Variants of the malware post stolen data from entities who refuse to pay the ransom.

Donot Group: The APT group Donot (also known as APT-C-35, Donot Team) has been active for several years, the exact start date is still unknown. The attackers are interested in confidential information and intellectual property. APT-C-35 targets mostly countries in South Asia; Bangladesh, Thailand, India, Sri Lanka, the Philippines in particular, state sector of Pakistan and outside of Asia, in places like Argentina, the United Arab Emirates, and Great Britain. Donot Team is known for utilizing multiple attack vectors to gain a foothold on targets of interest, from developing Android malware for mobile devices to malspam campaigns delivering malicious documents. The maldocs contain embedded DLL’s and often referenced geopolitical themes, for example: “The New US Administration”. Donot Team’s development of mobile malware included fake Android APKs that were meant to exploit Google’s Cloud messaging service, bypass detection and act as a Command-And-Control (C2). The origin of Donot Team is unclear; however, it is speculated that Donot Team may have ties to India due to targets of interest, analysis of malware code and infrastructure re-use.

Phobos Ransomware: The Phobos ransomware uses AES encryption and adds various extensions to infected files. Phobos was identified late 2017 with new variants discovered throughout 2019 and into 2020. Victim’s are required to communicate with the threat actor(s) via email at one of many email addresses used to obtain a decryption key. Analysis of Phobos has identified similarities shared with other ransomware families such as Dharma and CrySiS.

Egregor Ransomware: Egregor ransomware exfiltrates sensitive information before encrypting files and gives the victim three days to contact the threat actor or the stolen data will be posted online. The malicious software is a variant of the Sekhmet ransomware family and uses multiple techniques to bypass defense measures including obfuscation, software packing, and sandbox evasion. The ransom note reports the actor is willing to provide security recommendations to the victim to avoid being breached again.