Upon entering the second-to-last month of the year, there are a lot of botnets, banking malware, and other malware making the news. But one that stands out is Kimsuky. Kimsuky uses various spearphishing and social engineering methods to obtain Initial Access to victim networks. Spearphishing — with a malicious attachment embedded in the email — is the most observed Kimsuky tactic. Read more about it and other malware in this week’s InfoSec articles.

For more articles, check out our #onpatrol4malware blog.

WIZARD SPIDER Update: Resilient, Reactive and Resolute

Source: Crowdstrike

WIZARD SPIDER is an established, high-profile and sophisticated eCrime group, originally known for the creation and operation of the TrickBot banking malware. Read more.

Monthly Threat Actor Group Intelligence Report, August 2020

Source: Red Alert

This is a summary of activity of suspected state sponsored Threat Actor Groups analyzed by the ThreatRecon Team, based on data and information collected from July 21, 2020 to August 20, 2020. Read more.

Ryuk Ransomware Attacks Continue Following TrickBot Takedown Attempt

Source: Security Week

The threat actor behind the Ryuk ransomware continues to conduct attacks following the recent attempts to disrupt the TrickBot botnet, CrowdStrike reports. Read more.

This new malware uses remote overlay attacks to hijack your bank account

Source: ZDNet

The new malware variant, dubbed Vizom by IBM, is being utilized in an active campaign across Brazil designed to compromise bank accounts via online financial services. Read more.

GravityRAT: The spy returns

Source: SecureList

The spyware GravityRAT has been used to target the Indian armed forces. The Indian Computer Emergency Response Team (CERT-IN) first discovered the Trojan in 2017. Its creators are believed to be Pakistani hacker groups. Read more.

Defining ATT&CK Data Sources, Part I: Enhancing the Current State

Source: ATT&CK

Discussion around ATT&CK often involves tactics, techniques, procedures, detections, and mitigations, but a significant element is often overlooked: data sources. Data sources for every technique provide valuable context and opportunities to improve your security posture and impact your detection strategy. Read more.

ENISA Threat Landscape – 2020

Source: Enisa

ENISA, with the support of the European Commission, EU Member States and the CTI Stakeholders Group, has published the 8th annual ETL report, identifying and evaluating the top cyber threats for the period January 2019 to April 2020. Read more.

LockBit Ransomware Uses Automation Tools to Pick Targets

Source: Bank Info Security

The operators behind the LockBit ransomware strain use several automation tools and techniques that help the crypto-locking malware spread quickly through a compromised network and assist in picking specific targets. Read more.

North Korean Advanced Persistent Threat Focus: Kimsuky

Source: CISA

Kimsuky uses various spearphishing and social engineering methods to obtain Initial Access to victim networks. Spearphishing—with a malicious attachment embedded in the email—is the most observed Kimsuky tactic. Read more.

Is the Abaddon RAT the first malware using Discord as C&C?

Source: Security Affairs

Abaddon is the first RAT that uses the freeware instant messaging and VoIP app and digital distribution platform Discord as a command & control server. Read more.

Turla uses HyperStack, Carbon, and Kazuar to compromise government entity

Source: Accenture

Turla continues to target government organizations using custom malware, including updated legacy tools, designed to maintain persistence through overlapping backdoor access while evading their victim’s defenses. Read more.

MAR-10310246-2.v1 – PowerShell Script: ComRAT

Source: CISA

The FBI has high confidence that the Russian-sponsored APT actor Turla is using ComRAT malware to exploit victim networks. The group is well known for its custom tools and targeted operations. Read more.