Author

Daniel Stepanic

Elastic Security Labs Team Principal Security Researcher, Malware


Articles

Under the SADBRIDGE with GOSAR: QUASAR Gets a Golang Rewrite

Under the SADBRIDGE with GOSAR: QUASAR Gets a Golang Rewrite

Elastic Security Labs share details about the SADBRIDGE loader and GOSAR backdoor, malware used in campaigns targeting Chinese-speaking victims.

Katz and Mouse Game:  MaaS Infostealers Adapt to Patched Chrome Defenses

Katz and Mouse Game: MaaS Infostealers Adapt to Patched Chrome Defenses

Elastic Security Labs breaks down bypass implementations from the infostealer ecosystem’s reaction to Chrome 127's Application-Bound Encryption scheme.

BITS and Bytes: Analyzing BITSLOTH, a newly identified backdoor

BITS and Bytes: Analyzing BITSLOTH, a newly identified backdoor

Elastic Security Labs identified a novel Windows backdoor leveraging the Background Intelligent Transfer Service (BITS) for C2. This malware was found during a recent activity group tracked as REF8747.

Dipping into Danger: The WARMCOOKIE backdoor

Dipping into Danger: The WARMCOOKIE backdoor

Elastic Security Labs observed threat actors masquerading as recruiting firms to deploy a new malware backdoor called WARMCOOKIE. This malware has standard backdoor capabilities, including capturing screenshots, executing additional malware, and reading/writing files.

Globally distributed stealers

Globally distributed stealers

This article describes our analysis of the top malware stealer families, unveiling their operation methodologies, recent updates, and configurations. By understanding the modus operandi of each family, we better comprehend the magnitude of their impact and can fortify our defences accordingly.

Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID

Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID

Elastic Security Labs has observed an uptick in a recent emerging loader known as LATRODECTUS. This lightweight loader packs a big punch with ties to ICEDID and may turn into a possible replacement to fill the gap in the loader market.

PIKABOT, I choose you!

PIKABOT, I choose you!

Elastic Security Labs observed new PIKABOT campaigns, including an updated version. PIKABOT is a widely deployed loader malicious actors utilize to distribute additional payloads.

Unmasking a Financial Services Intrusion: REF0657

Unmasking a Financial Services Intrusion: REF0657

Elastic Security Labs details an intrusion leveraging open-source tooling and different post-exploitation techniques targeting the financial services industry in South Asia.

Getting gooey with GULOADER: deobfuscating the downloader

Getting gooey with GULOADER: deobfuscating the downloader

Elastic Security Labs walks through the updated GULOADER analysis countermeasures.

Dancing the night away with named pipes - PIPEDANCE client release

Dancing the night away with named pipes - PIPEDANCE client release

In this publication, we will walk through this client application’s functionality and how to get started with the tool.

Introducing the REF5961 intrusion set

Introducing the REF5961 intrusion set

The REF5961 intrusion set discloses three new malware families targeting ASEAN members. The threat actor leveraging this intrusion set continues to develop and mature their capabilities.

Revisiting BLISTER: New development of the BLISTER loader

Revisiting BLISTER: New development of the BLISTER loader

Elastic Security Labs dives deep into the recent evolution of the BLISTER loader malware family.

Elastic charms SPECTRALVIPER

Elastic charms SPECTRALVIPER

Elastic Security Labs has discovered the P8LOADER, POWERSEAL, and SPECTRALVIPER malware families targeting a national Vietnamese agribusiness. REF2754 shares malware and motivational elements of the REF4322 and APT32 activity groups.

Elastic Security Labs discovers the LOBSHOT malware

Elastic Security Labs discovers the LOBSHOT malware

Elastic Security Labs is naming a new malware family, LOBSHOT. LOBSHOT propagates and infiltrates targeted networks through Google Ads and hVNC sessions to deploy backdoors masquerading as legitimate application installers.

Elastic users protected from SUDDENICON’s supply chain attack

Elastic users protected from SUDDENICON’s supply chain attack

Elastic Security Labs is releasing a triage analysis to assist 3CX customers in the initial detection of SUDDENICON, a potential supply-chain compromise affecting 3CX VOIP softphone users.

BLISTER Loader

BLISTER Loader

The BLISTER loader continues to be actively used to load a variety of malware.

Thawing the permafrost of ICEDID Summary

Thawing the permafrost of ICEDID Summary

Elastic Security Labs analyzed a recent ICEDID variant consisting of a loader and bot payload. By providing this research to the community end-to-end, we hope to raise awareness of the ICEDID execution chain, capabilities, and design.

PHOREAL Malware Targets the Southeast Asian Financial Sector

PHOREAL Malware Targets the Southeast Asian Financial Sector

Elastic Security discovered PHOREAL malware, which is targeting Southeast Asia financial organizations, particularly those in the Vietnamese financial sector.

Twice around the dance floor - Elastic discovers the PIPEDANCE backdoor

Twice around the dance floor - Elastic discovers the PIPEDANCE backdoor

Elastic Security Labs is tracking an active intrusion into a Vietnamese organization using a recently discovered triggerable, multi-hop backdoor we are calling PIPEDANCE. This full-featured malware enables stealthy operations through the use of named

FLARE-ON 9 Solutions:

FLARE-ON 9 Solutions:

This year's FLARE-ON consisted of 11 different reverse engineering challenges with a range of interesting binaries. We really enjoyed working on these challenges and have published our solutions here to Elastic Security Labs.

SiestaGraph: New implant uncovered in ASEAN member foreign ministry

SiestaGraph: New implant uncovered in ASEAN member foreign ministry

Elastic Security Labs is tracking likely multiple on-net threat actors leveraging Exchange exploits, web shells, and the newly discovered SiestaGraph implant to achieve and maintain access, escalate privilege, and exfiltrate targeted data.

Exploring the REF2731 Intrusion Set

Exploring the REF2731 Intrusion Set

The Elastic Security Labs team has been tracking REF2731, an 5-stage intrusion set involving the PARALLAX loader and the NETWIRE RAT.

Operation Bleeding Bear

Operation Bleeding Bear

Elastic Security verifies new destructive malware targeting Ukraine: Operation Bleeding Bear

Detection rules for SIGRed vulnerability

Detection rules for SIGRed vulnerability

The SIGRed vulnerability impacts all systems leveraging the Windows DNS server service (Windows 2003+). To defend your environment, we recommend implementing the detection logic included in this blog post using technology like Elastic Security.

ICEDIDs network infrastructure is alive and well

ICEDIDs network infrastructure is alive and well

Elastic Security Labs details the use of open source data collection and the Elastic Stack to analyze the ICEDID botnet C2 infrastructure.

Elastic protects against data wiper malware targeting Ukraine: HERMETICWIPER

Elastic protects against data wiper malware targeting Ukraine: HERMETICWIPER

Analysis of the HERMETICWIPER malware targeting Ukranian organizations.

Extracting Cobalt Strike Beacon Configurations

Extracting Cobalt Strike Beacon Configurations

Part 2 - Extracting configurations from Cobalt Strike implant beacons.

CUBA Ransomware Campaign Analysis

CUBA Ransomware Campaign Analysis

Elastic Security observed a ransomware and extortion campaign leveraging a combination of offensive security tools, LOLBAS, and exploits to deliver the CUBA ransomware malware.

LUNA Ransomware Attack Pattern Analysis

LUNA Ransomware Attack Pattern Analysis

In this research publication, we'll explore the LUNA attack pattern — a cross-platform ransomware variant.

A close look at the advanced techniques used in a Malaysian-focused APT campaign

A close look at the advanced techniques used in a Malaysian-focused APT campaign

Our Elastic Security research team has focused on advanced techniques used in a Malaysian-focused APT campaign. Learn who’s behind it, how the attack works, observed MITRE attack® techniques, and indicators of compromise.

Playing defense against Gamaredon Group

Playing defense against Gamaredon Group

Learn about the recent campaign of a Russia-based threat group known as Gamaredon Group. This post will review these details and provide detection strategies.

Going Coast to Coast - Climbing the Pyramid with the Deimos Implant

Going Coast to Coast - Climbing the Pyramid with the Deimos Implant

The Deimos implant was first reported in 2020 and has been in active development; employing advanced analysis countermeasures to frustrate analysis. This post details the campaign TTPs through the malware indicators.

FORMBOOK Adopts CAB-less Approach

FORMBOOK Adopts CAB-less Approach

Campaign research and analysis of an observed FORMBOOK intrusion attempt.

Collecting and operationalizing threat data from the Mozi botnet

Collecting and operationalizing threat data from the Mozi botnet

The Mozi botnet is an ongoing malware campaign targeting unsecured and vulnerable networking devices. This post will showcase the analyst journey of collecting, analyzing, and operationalizing threat data from the Mozi botnet.

Detection and response for the actively exploited ProxyShell vulnerabilities

Detection and response for the actively exploited ProxyShell vulnerabilities

In the last week, Elastic Security has observed the exploitation of Microsoft Exchange vulnerabilities associated with ProxyShell. Review the post to find newly released details about this activity.

Collecting Cobalt Strike Beacons with the Elastic Stack

Collecting Cobalt Strike Beacons with the Elastic Stack

Part 1 - Processes and technology needed to extract Cobalt Strike implant beacons

Embracing offensive tooling: Building detections against Koadic using EQL

Embracing offensive tooling: Building detections against Koadic using EQL

Find new ways to build behavioral detections against post-exploitation frameworks such as Koadic using Event Query Language (EQL).