Talos describes WannaCry as a worm-like ransomware campaign that scanned TCP port 445 across local and internet-facing systems, exploited the MS17-010 SMB vulnerability with EternalBlue, and used DOUBLEPULSAR to install the ransomware payload. The malware…
WannaCry ransomware spread globally by exploiting SMBv2 remote code execution on unpatched Microsoft Windows systems, using the EternalBlue exploit released in the Shadow Brokers dump. Kaspersky telemetry recorded more than 45,000 attempted infections acr…
Comae described WannaCry as a ransomware outbreak affecting more than 70 countries, including Telefonica in Spain and the NHS in England, while noting an update about links to Lazarus Group. The malware used MS17-010 SMB exploitation and DOUBLEPULSAR chec…
KONNI campaigns observed from 2014 to 2017 used spear-phishing attachments and social engineering to make victims open .scr droppers that displayed decoy documents before executing malware. The malware evolved from a one-time information stealer into a mu…
Unit 42 links newly observed malicious Word documents and payloads targeting Korean-speaking individuals to Lazarus activity previously described in Operation Blockbuster. The documents likely arrived through spear phishing, used Korean decoy content, and…
ROKRAT was delivered through spear-phishing emails carrying malicious HWP documents themed around Korean reunification and North Korea, including one sent through a compromised Yonsei University mail server. The documents embedded EPS objects exploiting C…
Kaspersky links Lazarus and its Bluenoroff subgroup to financial-sector intrusions, including watering-hole attacks against banks and activity connected to SWIFT-related theft operations. Bluenoroff is described as focusing on financial gain, targeting ba…
Kaspersky links tools used against SWIFT-supporting banking systems to Lazarus Group’s broader lateral-movement arsenal based on forensic investigations at banks in two countries. The report separates Bluenoroff as a financially focused Lazarus unit that …
Symantec's 2017 Internet Security Threat Report excerpt provides broad 2016 threat-trend context rather than usable Appleworm-specific evidence. It highlights targeted attacks, financial cybercrime, ransomware, exploit kits, IoT botnets, mobile threats, c…
RATANKBA appeared in a large watering-hole campaign that compromised legitimate websites visited by banks and other enterprises, with affected organizations spanning financial services, telecoms, IT, insurance, aviation, education, and multiple regions. I…
Talos analyzes a Korean HWP malicious document themed around analysis of North Korea's 2017 New Year address and apparently impersonating South Korea's Ministry of Unification. The document embedded OLE objects that dropped PE files when users clicked lin…
BAE Systems analyzed malware and watering-hole infrastructure tied to a wave of bank attacks that earlier reporting had linked to the Lazarus threat actor. The examined samples included an encrypted backdoor loaded by a DLL, decrypted with XOR and RC4 rou…
ESET examined targeted malware delivered through watering-hole attacks against Polish banks and related financial targets, including redirects from compromised financial regulator websites. The payload chain used multi-stage droppers and loaders, dynamic …