_OperationLayover | TA2541 in SNIP3 campaign

OperationLayover also called TA2541 is a group that uses SNIP3 loader to attack targets related to the transport, aviation, and travel sectors around the world. A group that first appeared in 2013. Using Malware-as-a-service and Cryper-as-a-service Malware campaign models to attack their opponents, using these models have orchestrated and constantly updated executions. The group is originate from Nigeria, as a large number of VPNs have been seen being used from this country to launch attacks. Their main motivation is information theft and espionage by performing various exfiltration methods.

_Overview

RagnarLocker is a Ransomware normally associated with the group Viking Spider whose InitialAccess is varied, but as usual, they perform direct attacks trying to exploit systems or after the abuse of legitimate applications or by implanting malware inside these, after these movements, the most common is to gain maximum access and control within the attacked company to encrypt as many computers as possible.

_Overview

NanoCore is a RAT (Remote Admin Tool) used by cybercriminal groups such as APT33 (Refined Kitten) whose InitialAccess is varied, although it has been most commonly used through fake emails with .zipx extensions or with fake formats, which is commonly called phishing (T1566) or in this case, since it contains a file in the email and its objective is execution on disk to go further, it would be more accurate to call it Spearphishing (T1566.001).

The main potential of NanoCore is usually to steal data from the computer and user once it has gained access to the disk, but once it is inside, it could perform any action from the outside, and, of course it depends of version.

To this analysis, I have divided into two parts, which is usually a common practice in which we observe first statically everything we can get in the shortest possible time and then a dynamic in which we will see how it behaves, although, we will lose information if we do not monitor properly or not debug.

_Babuk | Babyk Ransomware

One of the biggest current threats in terms of cybersecurity and the one that most concerns companies today is the Ransomware attack, its power be on encrypting as much as posible, regarding some exclusions and try to expand into a company to do as much damage as possible and request a ransom based on extortion. Babuk a ransomware with a short lifespan, is the first one in 2021.

Distinguished by a little perfected behaviour, it has already appeared in some companies, requesting for ransoms, like all the previous Ransomwares.

An example of this is the attack to Serco and PhoneHouse, in which, after cypher computers, they requested near 100.000$ through Bitcoin, the extorsión tryies to publicy sensitive and privacy content about clients, something that would cause any company to lose customers