Fight Against the Bald Eagle in the Fog - Relaying, Cooperating and Specific Contribution

1. Overview On February 12, 2024, SentinelOne, an American cybersecurity company, released a report entitled “China’s Cyber Revenge/Why the PRC Fails to Back Its Claims of Western Espionage” on its official website[1] (hereinafter referred to as “SentinelOne Rep……

Analysis of phishing attacks by “X Elephant” group against scientific research institutions in China

1. Overview Recently, Antiy CERT (Security Research and Emergency Response Center) discovered during daily email monitoring that overseas APT attack organizations imitated the official organization of our “慧眼行动” and sent phishing emails to relevant scientific research institutions ……

Analysis of the recent attack activities by the “SwimSnake” black-market group targeting finance personnel and e-commerce customer service

1. Overview Recently, Antiy CERT has detected a new round of phishing attacks by the “SwimSnake” black-market group (associated with the “Silver Fox” gang), targeting finance personnel and customer service representatives of small businesses on platforms such as Kuaishou, D……

Analysis of LockBit Ransomware Samples and Considerations for Defense Against Targeted Ransomware

1. Overview Recently, there has been an incident involving a financial institution falling victim to a ransomware attack. Information from various sources indicates a close association with the LockBit ransomware attack group. The use of the term “close association” by the Antiy CERT i……

PlayCrypt Analysis

1. Overview Recently, Antiy CERT has monitored an active trend of PLAY ransomware incidents. PLAY ransomware, also known as PlayCrypt, was developed and operated by Balloonfly[1] and was first discovered in June 2022. The ransomware is mainly spread through phishing emails and vulnerabilities, and……

Monographic analysis report on the Natrix Group

1. Overview The Natrix Group has been active since the second half of 2022, launching a multitude of attack campaigns against domestic users. The Natrix Group spreads a wide variety of malware variants, rapidly updates its evasion techniques, frequently changes its infrastructure, and targets a w……

Antiy Research Institute and Key Laboratory of Ministry of Education of Symbolic Computation and Knowledge Engineering, Jilin University Jointly Establish Joint Laboratory of Cyber Security Threat Knowledge Engineering

Antiy Research Institute and Key Laboratory of Ministry of Education of Symbolic Computation and Knowledge Engineering, Jilin University jointly establish Joint Laboratory of Cyber Security Threat Knowledge Engineering. Both sides will work together to promote the frontier research of knowledge en……

Analysis of Cyberattacks against the National Bank of Malawi

1. Overview Recently, Antiy CERT (Computer Emergency Response Team) found a number of samples of phishing email attacks against the National Bank of Malawi during the relevant security incidents. The Republic of Malawi is a landlocked country in southeastern Africa with a land area of 118,000……

Antiy Released Technical Analysis of Industrial Control Malware TRISIS

1. Overview In August 2017, based on comprehensive intelligence research and judgment, Antiy listed TRISIS (also known as TRITON or HATMAN), malware targeting industrial control systems, as a threat requiring focused analysis, and named it "TRISIS". The malicious code w……

Be Aware of New Variant of AgentTesla Commercial Keylogger

1. Overview Recently, Antiy CERT discovered a new variant of the Agent Tesla commercial keylogger. Agent Tesla was originally a simple keylogger that recorded every keystroke of the user and sent it back to the attacker’s server. Since 2014, the developers have added more features to it, t……

Be Aware of FlawedAmmyy Remote Control Trojan Spread by Spam

1. Overview Recently, Antiy CERT (Computer Emergency Response Team) discovered a new type of remote access Trojan while sorting out network security incidents. The Trojan, detected as Trojan/Win32.RA-based, belongs to the "FlawedAmmyy" family and is a modified version of the remote control software Ammyy……

“GreenSpot” Operations Grow for Many Years

1. Overview In the past few years, various APT attacks against China have been monitored, analyzed and tracked by Antiy Labs, disclosing the activities and toolsets of many APT groups, such as the “APT-TOCS” (http://www.antiy.com/response/APT-TOCS.html), “White Elephant”……

DON’T PANIC WHEN YOU RECEIVE A SCAM EMAIL FROM “YOURSELF”

1. Overview Antiy CERT has recently received feedback from customers who received scam emails from “themselves”, extorting bitcoin. Analysis of this event revealed that it is a new fraud campaign running since October. Since the sender addres……

Technical Analysis of Industrial Control Malware TRISIS

Antiy CERT. 1. Overview In August 2017, based on comprehensive intelligence research and judgment, Antiy Computer Emergency Response Team (Antiy CERT) analyzed malware TRISIS (also known as TRITON, HATMAN) that targeted industrial control ……

A Hidden Way of Malware on Android

Background In the Android operating system, an APK is a ZIP-format file that contains several ordinary files and executable files. In a normal APK file, the compressed root directory includes a DEX executable file named classes.dex, and it may contain a shared object fi……

Challenge Caused by DLL Hijacking Malware against Active Defense Technology

Malware exploiting DLL hijacking vulnerabilities, which first appeared in 2000, has now begun to make further use of legitimately signed software to confront active defense. This method has become more and more popular……

The Encoding Rules about Floating-point Instruction

Recently, while extracting opcodes from some samples, we found that they call floating-point instructions. The existing disassembler has no support for floating-point instructions, so that support needs to be added. However, we have some d……

Processor Class A Vulnerability Meltdown and Spectre FAQ

After Antiy published the “Processor Class A Vulnerability Meltdown and Spectre Analysis Report”[2] on January 4 and January 5, some users asked about the impact of the Class A vulnerability event, the methods involved, and how to detect the problem, thus i……

“Meltdown” in the Eyes of a Hardware Security Engineer

This article was written by Dr. Tbsoft of the Antiy Micro-electronics and Embedded Technology R&D Center. Modern Computer Architecture and CPU Microarchitecture Modern computer architecture is basically based on the von Neumann archit……

2017 GLOBAL BOTNET DDOS ATTACK THREAT REPORT

Antiy Capture Wind Team & Telecom Yundi. 1. Overview The report was jointly released by the Antiy Honeynet Capture Group and China Telecom DamDDoS. Based on monitoring data from ACS (Antiy Capture System) and Telecom DamDDoS, it mainly focuses on DDoS att……

Update: Herds of Elephants Attacking over Everest

Antiy CERT. Draft: 17:00, July 1, 2017. Published: 18:00, July 9, 2017. Updated: 16:00, Dec. 29, 2017. Abstract: Antiy publishes a reserve report, which analyzes the attacking background from multiple groups and ponders over the scientifi……

COMPREHENSIVE ANALYTICAL REPORT ON THE MAJOR VULNERABILITY DISCOVERED IN WPA2 WI-FI SECURITY PROTOCOL

Draft: 22:08, October 17, 2017. Published: 12:00, October 23, 2017. Updated: 12:00, October 23, 2017. 1 Overview On October 15, Mathy Vanhoef, a postdoctoral secu……

IN-DEPTH ANALYSIS REPORT ON WANNACRY RANSOMWARE

Antiy CERT. Draft: May 13, 2017, 05:38. Published: May 13, 2017, 05:38. Updated: June 6, 2017, 19:00. 1 Overview On May 12, 2017 (8 p.m.), Antiy CERT found that large-scale ransomware infection incidents had broken out. As of May 13 (11 p.m.), the infe……

Antiy Responses to Ransomware WannaCry FAQ 3

Antiy CERT. 1. Why is WannaCry named “魔窟” in Chinese? After the outbreak of the WannaCry ransomware, several versions of a Chinese name for the ransomware appeared, such as “香菇” and “不哭”, but these names cannot reflect the relat……

Antiy Responses to Ransomware WannaCry FAQ 2

Antiy CERT. 1. I found that someone has said that the author of the ransomware “WannaCry” suddenly apologized and released on the Internet the main decryption key that can decrypt encrypted documents. Is this true? False. It is the main key of ransomware ……

Antiy Responses to Ransomware WannaCry FAQ 1

(Antiy CERT) This morning (May 13), Antiy released the report named “Antiy takes emergency response to the global outbreak of ransomware WannaCry”. Many customers have questions related to this event, so we have put the most frequent ones together in……

New Ransomware Breaks Out Globally, Antiy Releases Emergency Analysis and Solutions

On May 12, 2017 (Beijing time), a global outbreak of a large-scale ransomware incident began at about 8:00 p.m. According to BBC News, this ransomware appeared in many parts of the world today; users must pay a high ransom (such as in Bitcoin) to decrypt their data, and a number of hospitals in the UK……

ANALYSIS OF GENERIC PASSWORD FOUND IN CRYPTKEEPER

Antiy CERT. Draft: February 02, 2017, 15:00. Published: February 02, 2017, 15:00. Updated: February 02, 2017, 15:00. Background On January 31, 2017, an article entitled “Cryptkeeper Linux Encryption App Fails at Job, Has One Letter Skeleton Key -……

THE ANALYSIS OF EQUATION DRUG —THE FOURTH ANALYSIS REPORT OF EQUATION GROUP

Antiy CERT. Draft: January 13, 2017, 16:00. Published: January 16, 2017, 10:00. Updated: January 25, 2017, 14:30. Words for This Version On the basis of previously published reports, Antiy CERT has provid……

FROM EQUATION TO EQUATIONS

Revealing the multi-platform operational capability of Equation Group. Antiy CERT. Draft: Jan. 15, 2014, 16:43 (UTC+8). Published: Nov. 4, 2016, 10:00 (UTC+8). Updated: Nov. 4, 2016, 13:00 (UTC+8). 1 Background From February 2015, An……

The Dances of White Elephant – A Cyber Attack from South Asian Subcontinent

Antiy CERT. First version: 17:00, July 1, 2016. First release: 10:00, July 10, 2016. Updated version: 15:00, July 18, 2016. 1 Overview During the past four years, engineers from Antiy Labs have paid clos……

TECHNOLOGICAL AND CHARACTERISTIC ANALYSIS OF NEW VARIANT OF RANSOMWARE FAMILY TESLACRYPT

Antiy CERT. First Edition: 17:44, Apr. 7, 2016. Pub Date: 14:23, Apr. 8, 2016. Update: 10:07, Apr. 8, 2016. 1 Introduction Antiy CERT recently found a new variant of the ransomware TeslaCrypt, named TeslaCrypt ……

Comprehensive Analysis Report on Ukraine Power System Attacks

1 Event Overview On December 23, 2015, the Ukrainian power sector suffered malware attacks. Ukrainian news media TSN reported on the 24th: “At least three power regions were attacked, leading to hours of blackou……

FIRST BITCOIN RANSOMWARE WITH CHINESE PROMPTS, “LOCKY”

Antiy CERT. First Edition: 9:26, Feb. 18, 2016. Pub Date: 14:04, Feb. 19, 2016. Update: 14:04, Feb. 19, 2016. 1 Introduction Antiy CERT found a new kind of ransomware named “Locky” that can encrypt more than 100……

2015 Network Security Retrospect and Prospect

2015 Antiy Annual Security Report. Antiy CERT. First Edition: 14:21, Dec 8, 2015. Pub Date: 09:00, Jan 7, 2016. Update: 17:30, Jan 7, 2016. Contents: Introduction; The Layered APT; Th……

A TROJAN THAT CAN MODIFY THE HARD DISK FIRMWARE ——A Discovery to the Attack Components of the EQUATION Group

Antiy Labs. Time of the first version: 10:00 a.m., March 5, 2015. Updated time of this version: 09:45 a.m., March 9, 2015. 1. Background According to the emergency study, An……

An Analysis on the Principle of CVE-2015-8651

Antiy PTA Team. 0x00 Preface On December 28, 2015, Adobe issued a security announcement that it had repaired 19 vulnerabilities at once. The vulnerability CVE-2015-8651, submitted by Huawei’s security research department, was mentioned in t……

AN ANALYSIS REPORT OF DDOS SAMPLE WITH THE DIGITAL SIGNATURE

By Antiy PTA Team. 1 Overview Recently, a malicious DDoS program with an expired signature was detected by the Antiy PTA team through the situation awareness system. The digital signature of the sample was stolen from NHN USA I……

AN ANALYSIS ON TARGETED TROJAN ATTACK WITH “INTERVIEW” AS A SOCIAL ENGINEERING TOOL

By Antiy CERT. First release: December 3, 2015, 10:21. Update: December 5, 2015, 5:21. 1. Overview On the evening of December 2, 2015, Antiy’s early-warning monitoring system perceived the……

AN ANALYSIS REPORT OF BLACKMAILER TROJAN SPREAD BY EMAILING JS SCRIPT

By Antiy PTA Group. First draft: December 4, 2015, 11:11. 1 Introduction A new blackmailer Trojan variant email with new transmission characteristics was captured by the Antiy Threat Situational Awareness System on Decembe……

Analysis and Review of Xcode Unofficial Supply Chain Pollution Incident (XcodeGhost)

AVL Team & Antiy CERT. First release time: Sep. 20, 2015, 22:00. Update time: Sep. 30, 2015, 8:41. Abstract Xcode is the integrated development environment (IDE) running on Mac OS ……

A LARGE NUMBER OF HFS SERVERS ARE EXPLOITED TO SPREAD MALWARE

Antiy CERT. First publish time: 17:00, Sep 15, 2015. Update time: 17:00, Sep 15, 2015. 1 Introduction Recently, Antiy’s third-generation Honeypot Wind-capture System captured a downloader sample. After the s……

UNCOVERING THE FACE OF RANSOMWARE

Antiy CERT. 1 Introduction With more and more security threats posed by ransomware recently, researchers from Antiy Labs felt obliged to investigate them to uncover the face of ransomware. In September 2013, SecureWorks, the threat response departmen……

Association Analysis on Some Group Mail Samples Using Social Engineering Techniques

Antiy Labs. First release time: 16:37, April 28, 2015. Update time of this version: 16:37, May 27, 2015. Contents: 1 Background; 2 Analysis of E-mail; 2.1 Extraction of Metadata of the……

ANALYSIS ON APT-TO-BE ATTACK FOCUSING ON CHINA’S GOVERNMENT AGENCY

Antiy CERT. First release time: 14:32, May 27, 2015. Updated time of this version: 14:32, May 27, 2015. Contents: 1 Background; 2 Analysis on incident sample; 2.1 Leading files and……

COMPREHENSIVE ANALYSIS REPORT ON TROJAN/ANDROID.EMIAL.AS[RMT,PRV,EXP], “PHOTO ALBUM”

AVL Mobile Security Team of Antiy. First Release Time: 15:02, May 15, 2015. Update Time of This Version: 21:13, May 15, 2015. Current Latest Version: V2.1. 1 Overvie……

Analysis on the Encryption Techniques of EQUATION Components

First Edition: April 16, 2015. Second Update Version: April 18, 2015. The Antiy analysis team has been analyzing “EQUATION” since February 2015. After the first report, the subsequent analysis did not make much more progress, let alone produce any highlights. Based on this situat……

Analysis on DDoS Attack Organization “Chicken_mm”

ShadowHunter Team of Antiy Labs. Abstract This article focuses on a cross-platform DDoS attack organization called “Chicken_mm” and analyzes it. DDoS tools developed by this organization use weak SSH passwords and server vulnerabilities to control many Linux “chickens” (compromised hosts)……

Review of the Year of 2014, the Moment of Network Security

The annual report on network security in 2014. Security Research and Emergency Response Center of Antiy Labs. Contents: 1 PROLOGUE; 2 APT; 3 SEVERE VULNERABILITIES; 4 THE GENERALIZATION AND DISTRIBUTION OF SECURITY THREATS; 5 DATA BREACH; 6 MALWARE ON PC PLATFORM; 7 THE STATISTICS OF MAL……

The Remote Execution Vulnerability of IIS Reoccurred: Watch Out for the New CodeRed

Security Research and Emergency Response Center of Antiy Labs. Release: 00:37, April 16, 2015. Latest version: 08:10, April 16, 2015. Introduction to the vulnerability Microsoft patched several vulnerabilities in April 2015, involving Windows, Office, IE, IIS and so on. The amounts ……
