_Overview

Tofsee is a malware used for mass campaigns, which does not have an associated group or actor. It has gone through different phases, but has generally been used to create Botnets or SpamBots, as well as mining actions. The starting point of Tofsee is usually a Loader or an email using the SpearPhishing technique that will launch the malware. It has been in all its stages a really worked malware, with code obfuscations, packaged samples, anti-analysis techniques, which led to a backdoor to perform minings taking advantage of the botnet features or to perform Spam.

_Machete Weapons: Lokibot

Machete is a group that currently has no associated country, but it is believed that its origin or part of it belongs to Spanish-speaking countries. This group began operating in 2010 and this year has had a major impact in many countries, being particular in this area, as it attacks a large number of them, with an emphasis on Latin America, Spain and Russia.

Being their main targets defense departments, government entities and companies dedicated to energy and telecommunications, they gain initial access using the social engineering distribution method, with a great eagerness for Spear-Phishing emails, although they have also been seen exploiting vulnerabilities, once they have gained access, the phases vary depending on the malware they use, but the main objective is to generate persistence, open connections outside creating a secure channel and steal information from the victim that will exfiltrate through the previously created channel.

_Overview

SilentBuilder is a campaign that is being used to launch bankers such as Emotet to increase the Epoch5 botnet as well as the usual tasks of this malware. The similarities between other loaders that launch Emotet and that, once the banker is in our computer, tries to contact C&C, we could understand that this is a typical modus operandi of the criminal group Mummy Spider or TA542.

_Overview

SysJoker is a backdoor which appeare for the first time at the beginning of 2022 whose power resides in being cross-platform. Its main objective is to install itself in our computer and perform espionage and/or data theft tasks. Currently it has not yet been attributed to any group or campaign.

_OperationLayover | TA2541 in SNIP3 campaign

OperationLayover also called TA2541 is a group that uses SNIP3 loader to attack targets related to the transport, aviation, and travel sectors around the world. A group that first appeared in 2013. Using Malware-as-a-service and Cryper-as-a-service Malware campaign models to attack their opponents, using these models have orchestrated and constantly updated executions. The group is originate from Nigeria, as a large number of VPNs have been seen being used from this country to launch attacks. Their main motivation is information theft and espionage by performing various exfiltration methods.

_Overview

RagnarLocker is a Ransomware normally associated with the group Viking Spider whose InitialAccess is varied, but as usual, they perform direct attacks trying to exploit systems or after the abuse of legitimate applications or by implanting malware inside these, after these movements, the most common is to gain maximum access and control within the attacked company to encrypt as many computers as possible.

_Overview

NanoCore is a RAT (Remote Admin Tool) used by cybercriminal groups such as APT33 (Refined Kitten) whose InitialAccess is varied, although it has been most commonly used through fake emails with .zipx extensions or with fake formats, which is commonly called phishing (T1566) or in this case, since it contains a file in the email and its objective is execution on disk to go further, it would be more accurate to call it Spearphishing (T1566.001).

The main potential of NanoCore is usually to steal data from the computer and user once it has gained access to the disk, but once it is inside, it could perform any action from the outside, and, of course it depends of version.

To this analysis, I have divided into two parts, which is usually a common practice in which we observe first statically everything we can get in the shortest possible time and then a dynamic in which we will see how it behaves, although, we will lose information if we do not monitor properly or not debug.

_Babuk | Babyk Ransomware

One of the biggest current threats in terms of cybersecurity and the one that most concerns companies today is the Ransomware attack, its power be on encrypting as much as posible, regarding some exclusions and try to expand into a company to do as much damage as possible and request a ransom based on extortion. Babuk a ransomware with a short lifespan, is the first one in 2021.

Distinguished by a little perfected behaviour, it has already appeared in some companies, requesting for ransoms, like all the previous Ransomwares.

An example of this is the attack to Serco and PhoneHouse, in which, after cypher computers, they requested near 100.000$ through Bitcoin, the extorsión tryies to publicy sensitive and privacy content about clients, something that would cause any company to lose customers