
Threat Landscape Dashboard

Assessing today's threats and the relationships between them

Top 10 Campaigns

Campaign: Description

Operation Taiwan High-Tech Ecosystem: The Chimera APT group targeted the high-tech sector in Taiwan starting in late 2018 and throughout 2019. The attackers focused on extracting sensitive information including documents related to integrated circuits, software development kits, and source code. The campaign used various malware including injectors, remote access tools, backdoors, and compression utilities for execution, persistence, defense evasion, and data exfiltration.

Operation BackConfig: Government and military organizations in South Asia were targeted with the BackConfig custom trojan by the Hangover threat group. Legitimate websites were compromised to distribute a weaponized Microsoft Excel document which required the victim to enable macros to start the installation process. The operation used various techniques for persistence, privilege escalation, and defense evasion including BITS jobs, hidden files and directories, scheduled tasks, and self-signed digital certificates.

Operation Greenbug Telecom Providers: Telecommunication companies in South Asia were targeted by the Greenbug espionage group with multiple backdoors, webshells, and stagers to steal credentials and sensitive information. The threat actor used malicious CHM files as the initial infection vector and legitimate sysadmin tools such as Plink and Bitvise to proxy the connections back to command and control servers. During the operation the group also used legitimate tools including Mimikatz, Cobalt Strike, and Metasploit and various ...

Operation Outlaw is Back: The Outlaw Hacking Group infected multiple regions around the world with a new version of malicious software known as ShellBot. The malware contains a cryptocurrency miner and an SSH backdoor, with multiple variants appearing on the threat landscape since at least 2005. The latest variant includes a new IRC server and Monero pools and, like past versions, is focused on Linux servers. The malicious files are spread across four directories and contain code which executes either on certain days or at reb...

Operation Aria-body Backdoor: The Naikon threat actor targeted the government sector in the Asia Pacific region with the Aria-body backdoor. The APT used several infection chains during the operation which included weaponized RTF files, legitimate executables, malicious DLLs, and executable files as loaders. The group hosted their infrastructure on Alibaba, used GoDaddy as the registrar, and reused IP addresses across multiple domains. The operation used multiple techniques for persistence and defense evasion via the Startup...

Operation Zoom WebMonitor: A legitimate Zoom installer was discovered downloading the RevCode WebMonitor remote administration tool onto the systems of unsuspecting users. The application was not hosted on Zoom's official download site or on official app stores. The backdoor used during the attack performs a range of commands including modifying, deleting, and adding registry keys and files, and exfiltrating system information. The malware checks for debugging and security tools, virtual environments, and specific fil...

Operation Grandoreiro: A new banking trojan known as Grandoreiro was discovered targeting entities in Brazil, Mexico, Spain, and Peru. The threat actor behind the attacks is known to use counterfeit websites mimicking fake Java or Flash updates and recently added the COVID-19 pandemic to their arsenal. The initial infection vector is distributed through spam emails with malicious links that direct users to the fake sites. The malicious software is capable of exfiltrating a range of sensitive data including keystrokes, s...

Operation Mobile Device Manager: A new campaign was discovered using a company's Mobile Device Manager (MDM) server to distribute malware to mobile devices. The malicious software could perform a range of tasks including sending a list of files and applications to the actor's command and control server and using TeamViewer to control the infected device remotely. The malware used during the operation was a variant of the Cerberus Banking Trojan for Android, with the first version appearing on the threat landscape in mid-2019.

Operation Gamaredon Covid-19: A campaign was discovered targeting the European region with spear-phishing emails using the coronavirus pandemic as a lure. After the malicious attachment was opened by the victim, a document template containing malicious macro code was downloaded from the Internet. A registry run key was created for persistence to make sure the malicious code ran each time the infected system started. Sensitive information was obfuscated and exfiltrated over commonly used ports to the attacker's comman...

Operation COVID-19 PoetRAT: An unknown threat actor targeted the government and energy sectors in Azerbaijan with malicious Microsoft Word documents to steal sensitive information from victims. The payload used during the operation was a remote access trojan written in Python and known as PoetRAT. The adversary used a range of post-exploitation tools to monitor drive paths, exfiltrate sensitive data, record the victim's webcam, log keystrokes, steal credentials, escalate privileges, create files and directories, and pe...