Monday, 4 April 2022

Russian SaintBear Group Attacked Ukrainian Government Agencies Using GraphSteel & GrimPlant malware

 

Summary


  • Name: ‘Заборгованість по зарплаті.xls’

  • Discovered in March 2022

  • Was used in attacks against Ukrainian government agencies

  • Used to download GraphSteel and GrimPlant (a.k.a. Elephant) malware

  • Spreads via phishing emails as ‘.xls’ file with malicious VisualBasic script

  • ‘.xls’ file contains the encoded payload

  • Extracted file has PE64 format and written in Golang, downloads one file from the remote server

  • The downloaded file is PE64 and written in Golang. It downloads GraphSteel and GrimPlant malware.

  • The attack has been attributed to UAC-0056 also known as SaintBear, UNC2589, and TA471 which is known to attack Ukraine and Georgia since 2021. 

Thursday, 17 March 2022

Analysis of CaddyWiper

 

Summary


  • Name: CaddyWiper

  • Discovered in March 2022

  • Was used in a targeted attack in Ukraine

  • Deployed via Microsoft Active Directory GPO

  • Corrupts files and disk partitions

  • PE32 sample written in C++

  • Compiled on the same day when it was deployed on targeted systems in Ukraine

by Denis Popov

Wednesday, 26 January 2022

Analysis of WhisperGate

 

Summary of the attack

  • Name: WhisperGate

  • Discovered in January 2022

  • Used in a targeted attack against the Ukrainian government websites on the 14th of January, 2022

  • Overwrites the contents of files with the fixed number of bytes

  • Rewrites MBR, corrupts victims’ files, downloads and drops its own files

  • Corrupted files have a random 4-byte extension

  • Comes with 2 stages, PE64 written in C++ and .NET application with fake digital signatures

  • The third stage is .NET DLL, which is downloaded at runtime


                                                                                                by Denis Popov and Alexander Adamov

Friday, 2 October 2020

Reinforcement Learning for Anti-Ransomware Testing



ML models have recommended themselves as a powerful tool for cyberdefense. AI/ML is heavily used in antiviruses (EDR), Next-Gen Firewalls, and SIEM (SOAR) solutions to solve the classification problem as well as to discover anomalous behavior that may indicate a presence of an attacker with the help of Supervised and Unsupervised Learning. Deep Learning helps to filter spam emails and mark fake news to protect users against disinformation [1].

Thursday, 26 March 2020

AI and Cybersecurity. Part 4 - Clustering URLs


In Part 3, we tried to apply the feature scaling and dimensionality reduction techniques to the dataset with phishing and benign URLs. As a result, we were able to clearly see the distribution of URLs between two classes based on four attributes: registrar, country, lifetime, and protocol.

But what if we don’t have labels (phishing and benign) for the Internet links in the beginning. Will ML still work to detect phishing attacks? In this case, we may come to unsupervised learning, in particular, clustering. Clustering enables grouping objects of unknown classes according to common features so that we do not need labeled data for a training set.

Wednesday, 18 March 2020

AI and Cybersecurity. Part 3 - Dimensionality Reduction and Feature Scaling

In the previous post, we created a binary classifier for detecting phishing URLs. Here, we're going to continue exploring the data with visualization techniques.

Monday, 16 March 2020

AI and Cybersecurity. Part 2 - Detecting Phishing URLs with ML

hack fraud card code computer credit crime cyber data hacker identity information internet password phishing pile privacy protection safety secure spy steal technology thief green cartoon text product line font illustration human behavior angle clip art graphics computer wallpaper

In Part 1, we already got acquainted with AI paradigms and the main ML approaches: supervised, unsupervised, and reinforcement learning. Even though the unsupervised learning approach looks more attractive as you do not need to pre-mark the data for training, supervised learning can be seen as a more precise instrument for detecting malicious objects such as phishing URLs once we have enough labeled data.