Author

Remco Sprooten


Articles

Betting on Bots: Investigating Linux malware, crypto mining, and gambling API abuse

Betting on Bots: Investigating Linux malware, crypto mining, and gambling API abuse

The REF6138 campaign involved cryptomining, DDoS attacks, and potential money laundering via gambling APIs, highlighting the attackers' use of evolving malware and stealthy communication channels.

An Elastic approach to large-scale dynamic malware analysis

An Elastic approach to large-scale dynamic malware analysis

This research reveals insights into some of the large-scale malware analysis performed by Elastic Security Labs, and complements research related to the Detonate framework.

NAPLISTENER: more bad dreams from developers of SIESTAGRAPH

NAPLISTENER: more bad dreams from developers of SIESTAGRAPH

Elastic Security Labs observes that the threat behind SIESTAGRAPH has shifted priorities from data theft to persistent access, deploying new malware like NAPLISTENER to evade detection.

Elastic users protected from SUDDENICON’s supply chain attack

Elastic users protected from SUDDENICON’s supply chain attack

Elastic Security Labs is releasing a triage analysis to assist 3CX customers in the initial detection of SUDDENICON, a potential supply-chain compromise affecting 3CX VOIP softphone users.

REF2924: how to maintain persistence as an (advanced?) threat

REF2924: how to maintain persistence as an (advanced?) threat

Elastic Security Labs describes new persistence techniques used by the group behind SIESTAGRAPH, NAPLISTENER, and SOMNIRECORD.

PHOREAL Malware Targets the Southeast Asian Financial Sector

PHOREAL Malware Targets the Southeast Asian Financial Sector

Elastic Security discovered PHOREAL malware, which is targeting Southeast Asia financial organizations, particularly those in the Vietnamese financial sector.

Update to the REF2924 intrusion set and related campaigns

Update to the REF2924 intrusion set and related campaigns

Elastic Security Labs is providing an update to the REF2924 research published in December of 2022. This update includes malware analysis of the implants, additional findings, and associations with other intrusions.

FLARE-ON 9 Solutions:

FLARE-ON 9 Solutions:

This year's FLARE-ON consisted of 11 different reverse engineering challenges with a range of interesting binaries. We really enjoyed working on these challenges and have published our solutions here to Elastic Security Labs.

EMOTET Dynamic Configuration Extraction

EMOTET Dynamic Configuration Extraction

Elastic Security Labs discusses the EMOTET trojan and is releasing a tool to dynamically extract configuration files using code emulators.

Doing time with the YIPPHB dropper

Doing time with the YIPPHB dropper

Elastic Security Labs outlines the steps collect and analyze the various stages of the REF4526 intrusion set. This intrusion set uses a creative approach of Unicode icons in Powershell scripts to install a loader, a dropper, and RAT implants.

Elastic protects against data wiper malware targeting Ukraine: HERMETICWIPER

Elastic protects against data wiper malware targeting Ukraine: HERMETICWIPER

Analysis of the HERMETICWIPER malware targeting Ukranian organizations.