DNS Tunneling in the Wild: Overview of OilRig’s DNS Tunneling

On March 15, Unit 42 published a blog providing an overview of DNS tunneling and how malware can use DNS queries and answers to act as a command and control channel. To supplement this blog, we have decided to describe a collection of tools that rely on DNS tunneling used by an adversary known as OilRig.

Using Wireshark: Identifying Hosts and Users

When a host is infected or otherwise compromised, security professionals need to quickly review packet captures of suspicious network traffic to identify affected hosts and users. This tutorial offers tips on how to gather pcap data using Wireshark, the widely used network protocol analysis tool.

Born This Way? Origins of LockerGoga

A Unit 42 analysis of LockerGoga ransomware samples reveals that its developers have added new features to the malware, which was used in a string of attacks on industrial firms.

Cardinal RAT Sins Again, Targets Israeli Fin-Tech Firms

Unit 42 has discovered a new version of CardinalRat which we first discovered in 2016. This new version targets financial technology companies, primarily in Israel. It includes new anti-analysis capabilities, including the use of steganography. In addition to our research, we include a new Python script to decrypt the steganographic payload.

DNS Tunneling: how DNS can be (ab)used by malicious actors

DNS is a critical foundation of the Internet that makes it possible to get to websites without entering numerical IP addresses. The power that makes DNS beneficial for everyone also creates potential for abuse. Unit 42 researchers explain how attackers can abuse DNS to hide their tracks and steal data using a technique known as “DNS Tunneling.” This research can help organizations understand DNS-based threats and the risks they pose to their environment.

Operation Comando: How to Run a Cheap and Effective Credit Card Business

In December 2018, Palo Alto Networks Unit 42 researchers identified an ongoing campaign with a strong focus on the hospitality sector, specifically on hotel reservations. Although our initial analysis didn’t show any novel or advanced techniques, we did observe strong persistence during the campaign that triggered our curiosity.

New Python-Based Payload MechaFlounder Used by Chafer

In November 2018 the Chafer threat group targeted a Turkish government entity reusing infrastructure that they used in campaigns reported earlier in 2018. Unit 42 has observed Chafer activity since 2016, however, Chafer has been active since at least 2015. This new secondary payload is Python-based and compiled into executable form using the PyInstaller utility. We’ve also identified code overlap with OilRig’s Clayside VBScript but at this time track Chafer and OilRig as separate threat groups. We have named this payload MechaFlounder for tracking purposes.

Multiple ArtraDownloader Variants Used by BITTER to Target Pakistan

Since at least 2015, a suspected South Asian threat grouping known as BITTER has been targeting Pakistan and Chinese organizations using variants of a previously unreported downloader. We have named this malware family ArtraDownloader. Starting in September 2018 and continuing through the beginning of 2019, BITTER launched a wave of attacks targeting Pakistan and Saudi Arabia. This is the first reported instance of BITTER targeting Saudi Arabia.

Unit 42 Vulnerability Research Team Discovers 23 New Vulnerabilities February 2019 Disclosures – Adobe and Microsoft

As part of Unit 42’s ongoing threat research, we can now disclose that Palo Alto Networks Unit 42 threat researchers have discovered 23 new vulnerabilities addressed by the Adobe Product Security Incident Response Team (PSIRT) as part of their February 2019 APSB19-07 security update release and 2 vulnerabilities addressed by the Microsoft Security Response Center (MSRC) as part of their February 2019 security update release.  Severity ratings ranged from Important to Critical for each of these vulnerabilities.

New BabyShark Malware Targets U.S. National Security Think Tanks

In February 2019, Palo Alto Networks Unit 42 researchers identified spear phishing emails sent in November 2018 containing new malware that shares infrastructure with playbooks associated with North Korean campaigns. The emails had a malicious Excel macro document attached, which when executed led to a new Microsoft Visual Basic (VB) script-based malware family which we are dubbing “BabyShark”.

Shifting in the Wind: WINDSHIFT Attacks Target Middle Eastern Governments

In August of 2018, DarkMatter released a report entitled “In the Trails of WINDSHIFT APT”, which unveiled a threat actor with TTPs very similar to those of Bahamut. Subsequently, two additional articles (here and here) were released by Objective-See which provide an analysis of some validated WINDSHIFT samples targeting OSX systems. Unit 42 was able to identify and correlate additional attacker activity and can now provide specific details on a targeted WINDSHIFT attack as it unfolded at a Middle Eastern government agency.

Sorry, no results were found.
loader gif

Get updates on Unit 42

Sign up to receive the latest news, cyber threat intelligence and research from Unit 42

Follow us on