
Threat Landscape Dashboard

Assessing today's threats and the relationships between them

Top 10 Campaigns

Operation Evilnum: The APT group behind the Evilnum malware has been in operation since at least 2018 and is known to attack financial technology companies. The group's targets remain the same, but its tools and procedures have evolved over time. The actor uses custom malware combined with tools purchased, most likely from the dark web.

Operation ServHelper TA505: The ServHelper backdoor, which has ties to the TA505 threat group, was discovered dropping a hidden cryptocurrency miner. The miner, known as LoudMiner, runs inside a virtual environment to evade anti-virus detection, but is only installed if the endpoint has more than 5 GB of available physical memory. The malicious software uses various techniques, including PowerShell, obfuscation, DLL hijacking, and cmd.exe, for execution, defense evasion, and persistence.

Operation GoldenSpy Chapter Two: In mid-2020 companies in China were targeted with the GoldenSpy malware hidden inside legitimate tax software. A few weeks later an uninstaller for the malware was discovered hosted on one of the actor's original command and control servers. The uninstaller was automatically downloaded by the tax product and removed every trace of GoldenSpy, stopping its processes and deleting its files and registry entries. A second version of the uninstaller was also discovered but used Base64 encoding ...

Operation Malaysia 2020: A targeted campaign against the government sector of Malaysia was discovered using malicious Microsoft Word documents to infect users with a backdoor and exfiltrate sensitive information. The malicious attachments used the Malaysian political crisis as a lure to convince unsuspecting victims to open the files. Once opened, the malware downloaded a remote template and executed VBA code to drop Base64-encoded DLLs to multiple locations. Various techniques were used for defense evasion and persisten...

Operation Favicon EXIF Data: A skimming operation was discovered hiding malicious code within EXIF metadata on multiple websites to steal names, credit card data, and billing addresses from input fields on the infected sites. The stolen information is Base64 encoded and exfiltrated as an image file to the attacker's command and control servers. The campaign has ties to the Magecart Group, which has been in operation for many years and has attacked multiple high-profile organizations in the past.

Operation XORDDoS And Kaiji: Exposed Docker containers were targeted with malware capable of performing distributed denial of service attacks or enlisting the infected system into a botnet. The malicious software captured system details including running processes, CPU information, directories, and network data. Various techniques were used during the attacks, including scripting, obfuscation, software packing, and the command-line interface.

Operation Tetrade: The Tetrade campaign consisted of four banking trojan families that attacked users located across the world. The malware is attributed to criminals located in Brazil and has been on the threat landscape since at least 2015. The malicious software, labeled Guildma, Javali, Melcoz, and Grandoreiro, used a range of defense evasion techniques including anti-debugging, anti-virtualization, obfuscation, DLL side-loading, DGAs, and BITS jobs. The malware was distributed through phishing e...

Operation Vaccine Development: The APT29 threat group, also known as Cozy Bear, targeted a range of sectors across Canada, Great Britain, and the United States. The campaign focused on entities involved in COVID-19 vaccine development, including the government, diplomacy, think-tank, healthcare, and energy domains. The cyber espionage group used malware labeled WellMess, WellMail, and SoreFang to steal sensitive data, install malicious software, execute shell commands, and run scripts. APT29 used spear-phishing emails and expl...

Operation Shlayer: A new variant of the Shlayer malware that affects macOS X has been observed in the wild. In 2020 a newly identified variant of the trojan was seen being delivered through search engine results. Once the malicious link was clicked, the user was taken through multiple redirects and finally presented with a fake Adobe Flash Player update. The end user is given instructions on how to download and install the Adobe Flash update; however, the legitimate update is bundled with adware and spyware that is...

Operation M00nD3V Logger: A data stealer named "M00nD3V Logger" was discovered being sold on underground forums. The trojan searches for a range of information on the victim's machine, including keystrokes, clipboard data, screenshots, video, and credentials from web browsers. The malware exfiltrates the information to the actor's command and control server over alternative protocols including SMTP and FTP. The malicious software is delivered either in malicious attachments or through compromised websites an...