LockBit 3.0: “Making the ransomware great again”
Cluster25 » Malware
by Cluster25
1y ago
LockBit is a major player in the ransomware scene and has contributed heavily to making this cyber-crime model one of the most popular and most imitated in the threat landscape. Version 2.0 of the project entered the scene in July 2021, immediately showing the potential to become one of the leading syndicates in this “business”. The collective distinguished itself by pointing out some distinctive technical characteristics of its product and through several public statements in which the speed and efficiency of its ransomware were described by gang representatives as “unmatched” compared …
Cozy Smuggled Into the Box: APT29 Abusing Legitimate Software for Targeted Operations in Europe
Cozy Bear (aka Nobelium, APT29, The Dukes) is a well-resourced, highly dedicated and organized cyberespionage group that is believed to have worked in support of the decision-making process of the Russian government since at least 2008. Nobelium primarily targets western governments and related organizations, with a particular focus on the government, diplomatic, political and think-tank sectors. Recently we analyzed several spear-phishing campaigns linked to this adversary that involve the use of a side-loaded DLL delivered through signed software (such as the Adobe suite) and legitimate web services (such as Dropbox …
The strange link between a destructive malware and a ransomware-gang linked custom loader: IsaacWiper vs Vatet
NOTICE: After additional reviews, the team at Cluster25 has determined that the code commonality identified in the two analyzed samples described in this blog post was coincidental. The code they had in common is aligned with Microsoft standard libraries and is therefore in common use. In this blog post, Cluster25 outlines a code match between two samples from different threat actors for clarification. BLOGPOST: Cluster25 researchers, during a comparative analysis performed at the beginning of March 2022, found evidence that suggests a possible relationship between a piece of malware belongin…
GHOSTWRITER / UNC1151 ADOPTS MICROBACKDOOR VARIANTS IN CYBER OPERATIONS AGAINST UKRAINE
For a few months, Cluster25 collected and analyzed several malicious activities that were then internally linked to the threat actor known as UNC1151 (aka GhostWriter), an adversary believed to be linked to the Belarusian government. In July 2020 Mandiant Threat Intelligence released a public report about an ongoing influence campaign named “GhostWriter”. The campaign was addressed to audiences in Lithuania, Latvia and Poland, making use of critical messages against NATO’s presence in Eastern Europe. In addition to this type of operation, UNC1151 also seems to be active in the c…
RuRAT used in spear-phishing attacks against media organisations in the United States
INTRODUCTION: On 23.02.2022 one of our partners received a very specifically targeted spear-phishing email message that lures the victim into downloading a fake video chat application. The infection chain appears to be composed of two stages: a first one in which the victim receives an email containing a URL that leads to the download of a malicious MSI installation package, and a second one in which the MSI installation package downloads a copy of the RuRAT malware along with the legitimate Trillian application. INSIGHTS: The email message was well crafted to trick the victim towards …
CONTI’S SOURCE CODE: DEEP-DIVE INTO
INTRODUCTION: On 25.02.2022 the cybercrime group Conti published the following statement on its shame blog: The post was replaced several hours later with another one in more neutral tones, condemning the war and disaffiliating the group from the government while still emphasizing sentiments against the West. The post retained its threats of retaliation against critical infrastructure belonging to any aggressor against Russia. After that, on 28.02.2022, likely one of the Conti members (or simply a Ukrainian security researcher) published a first archive with valuable internal data and informati…
North Korean Group “KONNI” Targets the Russian Diplomatic Sector with new Versions of Malware Implants
Cluster25 analyzed a recent attack linked to the North Korean APT group “Konni” targeting the Russian diplomatic sector, using a spear-phishing theme based on New Year’s Eve festivities as the lure. Once the malicious email attachment is opened and executed, a chain composed of multiple stages is triggered, allowing the actor to install an implant belonging to the Konni RAT family as the final payload. Download Cluster25 Report …
Dharma/Crysis: Overview and Adversary Tracking
Dharma, a family of ransomware first spotted in 2016, is a malicious program that encrypts a victim’s files and holds the data hostage, demanding a ransom payment to restore it. It belongs to a fairly widespread ransomware family that has been successful over time, especially due to its many variants and the fact that it has often served as the basis for RaaS (Ransomware-as-a-Service) programs. C25 Intelligence reports on where Dharma variants were operated during 2020, how the family has evolved, and how to defend against this threat. Download Cluster25 Re…