Turla is an APT group allegedly linked to the FSB (Federal Security Service), the intelligence service of the Russian Federation. The threat actor is specifically placed within the Center 16 unit, which carries out the collection of radio-electronic intelligence on communications facilities. Moreover, Center 16 is in charge of intercepting, decrypting and processing the electronic message […]
New invitation from APT29 to use CCleaner
Last May we wrote about the new APT29 campaign that we called “Information”. Recently, just a week ago, an unknown actor used techniques similar to those of APT29. This time APT29 is once again the focus, after new techniques were identified in their operations. This post details the new techniques observed, in particular: SVG […]
New tricks of APT29 – update on the CERT.PL report
A new sample has been uploaded to VirusTotal, and its characteristics strongly resemble QUARTERRIG, a malware recently analyzed by CERT.PL and linked to APT29. In that analysis, the campaign was named “Note”. Based on the aforementioned report, the purpose of this post is to show the new features of this new campaign, which we named […]
Cyber Threat Intelligence Report – Trends Q4 2022
During the last quarter of 2022, the Lab52 team has conducted an in-depth analysis of the threats that have been active during the period, focusing on information from both public and private sources, as well as studying the geopolitical context in order to anticipate potential campaigns. Below is the report for the quarter, which includes […]
Analyzing the encryption method of emerging ransomware families
Cyble has recently published an analysis of AXLocker ransomware, a new ransomware that was seen for the first time this November. As the article explains, the ransomware encrypts data and exfiltrates it using Discord. In this report we will focus on the encryption routine of this new artifact, which we can see in […]
Complete dissection of an APK with a suspicious C2 Server
During our analysis of the Penquin-related infrastructure we reported on in our previous post, we paid special attention to the malicious binaries contacting these IP addresses, since, as we showed in that analysis, they had been used as C2 for other threats employed by Turla. One threat that makes contact with the 82.146.35[.]240 address in particular […]