Threat reports

Looking for More Signs of Nitrogen in the DNS

Nitrogen, a malware first seen in 2023,¹ again resurfaced in a campaign targeting system administrators in North America.²

Jumping off a published list of 13 IoCs, 11 domains and two IP addresses to be exact, the TIP research team found more connected artifacts, specifically:

Digging Deep to Examine the Roots of the Glupteba UEFI Bootkit

Glupteba has been in use for more than a decade now. As it turns out, its Unified Extensible Firmware Interface (UEFI) bootkit component is the reason why.

An in-depth analysis of the Glupteba UEFI bootkit identified 12 domains as indicators of compromise (IoCs).¹ We used them as jump-off points for further investigation that led to the discovery of:

DarkGate RAT Comes into the DNS Spotlight

DarkGate existed behind the curtains in the past, being mistakenly clumped with other remote access Trojans (RATs) out there. It has finally come into the light via an in-depth analysis that identified eight indicators of compromise (IoCs) related to the threat.¹

The Threat Intelligence Platform (TIP) research team sought to find more traces of DarkGate, if any, in the DNS and uncovered:

Tracing the DNS Spills of the OilRig Cyber Espionage Group

Known for launching months-long attacks against government agencies and private companies in the Middle East, the OilRig cyber espionage group instigated an eight-month-long intrusion¹ on a Middle Eastern government organization in 2023.

The TIP research team expanded 22 indicators of compromise (IoCs)^1,2,3,4,5,6—16 domains and six IP addresses—related to the attacks. In an effort to help organizations strengthen their threat prevention strategies, we expanded the list of IoCs to uncover other potentially connected artifacts.

A Log4Shell Malware Campaign in the DNS Spotlight

While Apache has long since released a patch for the Log4Shell zero-day vulnerability¹ seven days after its discovery in December 2021,² many organizations may still be vulnerable to its exploitation. Companies that may not be keeping pace in the patching game could thus be at risk of becoming victims of a Log4Shell malware campaign.

The TIP research team recently amassed 64 indicators of compromise (IoCs)—58 domains and six subdomains specifically—related to the attacks. To help organizations beef up their cybersecurity posture, we expanded the list of IoCs to uncover other potentially connected artifacts.

Signs of Ongoing RedLine Stealer Operation Found through a DNS Deep Dive

RedLine Stealer gained prominence for its affordability. But since the exposure of its underlying infrastructure, the malware’s operators may have changed some of their tools and tactics.

The TIP research team recently amassed 53 domains identified as RedLine Stealer indicators of compromise (IoCs), which were then subjected to an expansion analysis that led to the discovery of:

Phisher Abusing .com TLD?

The TIP research team recently discovered a phishing operation that could be amassing .com domains for phishing attacks. We sought to find as many potentially connected artifacts to a single indicator of compromise (IoC)—an email address—via a DNS intel deep dive.

Hot on the DNS Trail of the 16shop Phishing Kit Operators

16shop has been enabling tons of attacks against the customers of high-profile companies since 2018. The good news is that last month, law enforcers nabbed two of its alleged operators in Indonesia and Japan.¹

We couldn’t help but wonder, though, if the arrests mean the end for the phishing kit. To find out, the TIP researchers expanded the list of published indicators of compromise (IoCs)² to identify other web properties that could put users at risk. Our DNS deep dive led to the discovery of:

RedHotel Attack Infrastructure: A DNS Deep Dive

RedHotel has successfully breached at least 17 organizations the world over since their discovery in 2019.¹ Throughout their four or so years of operation, the group has gained renown and a couple of other nicknames, including Aquatic Panda, Bronze University, Charcoal Typhoon, Earth Lusca, and Red Scylla.

WhiteSnake Stealer Serpentines through the DNS

Stealing sensitive and confidential information, especially from networks with robust security, is hard even for the wiliest of cyber attackers. Most often than not, they also need help.

Enter WhiteSnake stealer, which unlike its forebears, can reportedly pilfer data across platforms—web browsers, email clients, gaming portals, chat apps, and crypto wallets, among various others.¹ Topping all that off, it’s sold for a meager price tag.

TIP researchers expanded a published list of IoCs comprising 28 IP addresses through a DNS deep dive and found:

Tracing Truebot’s Roots through a DNS Deep Dive

It’s a must for threat actors to cover their tracks, and Truebot does just that.

Distributed via a Traffic Distribution System (TDS), a Truebot intrusion began with several page redirects that ended with dropping a Master Boot Record (MBR) killer wiper onto a victim’s computer. The final payload? The users’ data got exfiltrated to a remote server and erased from the source. Worse, while some victims were prompted to reboot, the more unfortunate were left with inoperable systems.¹

Jumping off a published list of IoCs (three domains and five IP addresses, to be exact),² the TIP researchers found:

Potential Traces of Aurora Spread Via Windows Security Update Malvertisements in the DNS

Aurora first made news headlines in December 2022 when it was used as the final payload for fake software installer campaigns.¹ It recently resurfaced, now being spread via malvertisements that redirected users to a supposed Windows security update page. Should their download finish, they end up with Aurora-infected computers.²

Malwarebytes Labs identified 23 indicators of compromise (IoCs), which we subjected to an expansion analysis that found:

Uncovering Stolen Card E-Shops Using DNS Intelligence

Credit card numbers and other personally identifiable information (PII) unknowingly given to phishers can end up for sale on the ever-growing number of stolen card e-shops today.

Security researcher Dancho Danchev collated 20 email addresses belonging to known carders via OSINT research. Using these addresses as jump-off points, TIP researchers uncovered:

Gauging the Scale of an Active Ransomware Gang's Infrastructure

Many already know that ransomware operators can earn hundreds of millions each year.¹ But what they may be unaware of is that 75% of a gang’s earnings go to their affiliates.²

Dancho Danchev identified three email addresses that belonged to ransomware affiliates, along with 21 domains that figured in their campaigns. Using these indicators of compromise (IoCs) as jump-off points, TIP researchers were able to identify other artifacts, namely:

Profiling a Massive Portfolio of Domains Involved in Ransomware Campaigns

Ransomware is a real and immense threat that can cost organizations millions or, worse, their reputation after a potential data exposure.

To help the cybersecurity community and law enforcement agencies with threat attribution, detection, and disruption, TIP researchers analyzed a sample taken from 62,000+ domains known to be involved in ransomware campaigns. Our key findings include:

From Data Breach to Phishing to Lapsus$: Cyber Attacks That Echoed in 2022

Every year, the cybersecurity landscape evolves and unbelievably expands with new and more sophisticated attack tactics.

Despite that, malicious actors may leave imprints that enrich threat intelligence sources. To demonstrate, TIP researchers dove into three of the most significant cybersecurity incidents of 2022. Our key findings include:

Black Friday and Cyber Monday Bring on the Scariest Sales

Black Friday and Cyber Monday typically reel in the biggest profits for shops across North America. It’s only natural then for cybercriminals the world over to take advantage of the events.¹

A Call for Help May Lead to Malware: BazarCall IoC Analysis and Expansion

Recently seen callback phishing tactics highlight threat actors’ manipulative skills. They bait potential victims using urgent emails then employ legitimate-looking domains and web pages when victims call back for help. 

Should Cracks and Keygens Remain a Cybersecurity Concern?

Many users, particularly those that don’t want to spend tons of money on software licenses, still troop to crack and keygen sites. While not all of them are malicious, many of their offerings could put individuals and companies at great risk.¹  

XCSSET Shows How Threat Actors Cope with OS Changes, Does Away with Python Like macOS

XCSSET first appeared in 2020.¹ But it fell off cybersecurity researchers’ radar last year after macOS Monterey discontinued its support for Python—the malware’s primary language. Since April this year, however, XCSSET minus Python has resurfaced.²

Matanbuchus with Cobalt Strike: Not Your Favorite Combo

A malware-as-a-service (MaaS) package called “Matanbuchus” was found dropping Cobalt Strike beacons, allowing threat actors to communicate with the compromised network.¹

Phishing Automated through Chatbots, We Found Potentially Connected Domains

There is a new phishing tactic that employs chatbots to automate credential theft and increase the legitimacy of phishing sites. Bleeping Computer¹ mentioned only one IoC, a cybersquatting subdomain targeting DHL.

Don’t Hit That Update Button Just Yet, It Could Lead to Malware Infection

Microsoft regularly pushes out updates, sometimes even upgrades, for its software in an effort to heighten their security and fix bugs. But it’s also usual, too, to see news about threat actors taking advantage of the huge Windows user base by rolling out updates that are actually malware in disguise.

A Look at Actinium/Gamaredon’s Infrastructure: More Artifacts Revealed

Nearly-a-decade-old advanced persistent threat (APT) group Actinium/Gamaredon seemed to have gained a new lease on life as they recently resurfaced to target several Ukrainian organizations.¹

When Safe Doesn’t Mean Threat-Free, Watch Out for Rogue Internet Safety Sites

Threat actors will capitalize on anything, even sites that hint at promoting digital safety, to spread mayhem. We looked at thousands of Internet safety-themed domains and subdomains in commemoration of Safer Internet Day¹ to identify how many of them may not be worth trusting.

Q2 2021 Paypal Phishing & Typosquatting Report

PayPal phishing attacks are highly prevalent and the company remains one of the most impersonated brands. As typosquatting domains are often associated with phishing and impersonation attacks, Threat Intelligence Platform (TIP) prepared the Q2 2021 PayPal Phishing Report. 

In this report, we uncovered PayPal-related domains and subdomains registered or added within the period.