The intelligence in this week's iteration discusses the following threats: FIN7, Gandcrab, Hidden Cobra, Rootkits, and Turla. The IOCs related to these stories are attached to the Community Threat Briefing and can be used to check your logs for potential malicious activity.
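The briefing points readers at the attached indicator list for log review. As an added illustration (not part of the briefing, and not Anomali's tooling), the following Python script shows one way to sweep log lines against a set of indicators. The indicator values and the log lines are constructed placeholders chosen to exercise the code; they are not the briefing's actual IOCs. Domains are also checked against their parent domains, so an indicator like a bare second-level domain still fires on a subdomain seen in a DNS log.

```python
import re
from dataclasses import dataclass

# Constructed sample indicators standing in for the briefing's attached IOC
# list. These are documentation/reserved values, not real indicators.
SAMPLE_IOCS = {
    "ipv4": {"203.0.113.10", "198.51.100.7"},
    "domain": {"update-check.example", "cdn-static.example"},
    "sha256": {"0" * 63 + "1"},
}

# Constructed sample log lines (proxy, DNS and EDR style) for the demo.
SAMPLE_LOGS = [
    "2019-05-09T10:01:02Z proxy src=10.0.0.5 dst=203.0.113.10:443 action=allow",
    "2019-05-09T10:01:05Z dns query=www.update-check.example type=A client=10.0.0.5",
    "2019-05-09T10:02:17Z edr host=WS-042 proc=svchost.exe sha256=" + "0" * 63 + "1",
    "2019-05-09T10:03:00Z proxy src=10.0.0.9 dst=93.184.216.34:443 action=allow",
]

# Loose extractors: the goal is recall over log text, not strict validation.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    line_no: int   # 1-based index of the log line that matched
    ioc_type: str  # "ipv4", "domain" or "sha256"
    value: str     # the indicator value that matched


def domain_candidates(domain):
    """Yield the domain and each parent domain, e.g. a.b.c -> a.b.c, b.c."""
    labels = domain.lower().split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def scan_logs(lines, iocs):
    """Return a list of Hit records for every indicator seen in the lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IPV4_RE.findall(line):
            if ip in iocs["ipv4"]:
                hits.append(Hit(n, "ipv4", ip))
        for dom in DOMAIN_RE.findall(line):
            # Match the exact domain or any parent that appears in the list.
            for cand in domain_candidates(dom):
                if cand in iocs["domain"]:
                    hits.append(Hit(n, "domain", cand))
                    break
        for digest in SHA256_RE.findall(line):
            if digest.lower() in iocs["sha256"]:
                hits.append(Hit(n, "sha256", digest.lower()))
    return hits


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS, SAMPLE_IOCS):
        print(f"line {hit.line_no}: {hit.ioc_type} indicator {hit.value}")
```

The script reports three hits on the sample data: the proxy connection to the listed IP, the DNS query for a subdomain of a listed domain, and the EDR record carrying the listed file hash. A hit is a prompt for investigation, not a verdict; confirm the context of each line before acting on it.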
Top-Tier Russian Hacking Collective Claims Breaches of Three Major Anti-Virus Companies (May 9, 2019)
A Russian hacking collective named "Fxmsp" has claimed responsibility for breaching three anti-virus companies. The breach reportedly extracted source code, development documents, software base code, and security plugins from the companies, apparently totaling 30 terabytes of data. "Fxmsp" has a history of targeting corporate networks, generating an estimated profit of 1 million USD from selling corporate breaches through resellers. Known TTPs of the group include accessing networks through Remote Desktop Protocol servers; more recently, the group has claimed to have developed a credential-stealing botnet in order to collect usernames and passwords from secured systems.
MITRE ATT&CK: [MITRE ATT&CK] Remote Access Tools (T1219)
Malware Analysis Report (AR19-129A) (May 9, 2019)
A Malware Analysis Report (MAR) has been released by the US DHS and FBI detailing malware used by the North Korean government. The malware, named "ELECTRICFISH", uses a custom protocol to allow traffic to pass between a source and a target IP address from a Windows executable file. Once a connection is established, a funneling session is initiated with a proxy server, which is used to bypass required authentication. With this type of malware, the attacker is able to steal information from the victim's system, sending it to servers contro ..