Malware Analysis Reports for Malware Management

Feb 2019 - CheckPoint - SpeakUp: A New Undetected Backdoor Linux Trojan

Dec 2018 - ESET - First Sednit UEFI Rootkit unveiled

Sept 2018 - PROOFPOINT - New modular downloaders fingerprint systems - Part 3: CobInt

Aug 2018 - PROOFPOINT - New modular downloaders fingerprint systems - Part 2: AdvisorsBot

Aug 2018 - PROOFPOINT - New modular downloaders fingerprint systems, prepare for more - Part 1: Marap (.IQY files)

Aug 2018 - ESET - Turla Outlook Backdoor

Apr 2018 - Symantec - New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia

Mar 2018 - FireEye - Exploring the Depths of Cmd.exe Obfuscation and Detection Techniques

Jan 2018 - MalPedia - Get reports and info on various malware families and their actors - MORE REPORTS

Dec 2017 - RSA - THE SHADOWS OF GHOSTS INSIDE THE RESPONSE OF A UNIQUE CARBANAK INTRUSION

Nov 2017 - Minerva Labs - Emotet goes more evasive

Oct 2017 - FireEye - Significant FormBook Distribution Campaigns Impacting the U.S. and South Korea

Oct 2017 - Talos - “Cyber Conflict” Decoy Document Used In Real Cyber Conflict - Latest APT28 attack

Mar 2017 - Palo Alto - Pulling back the Curtains on EncodedCommand PowerShell Attacks

Mar 2017 - Symantec - The increased use of PowerShell in Attacks

Mar 2017 - Kaspersky - From Shamoon to StoneDrill

Feb 2017 - Kaspersky - Fileless attacks against enterprise networks (A GREAT reason to do good logging; it would catch this)

Aug 2016 - SecureWorks - Malware lingers with BITS

Aug 2016 - Kaspersky - Project Sauron - Top level cyber-espionage platform covertly extracts encrypted government comms

Mar 2016 - Fortinet - Dridex's New and Undiscovered Recipes

Mar 2016 - SANS ISC - Analysis of the Cyber Attack on the Ukrainian Power Grid

Feb 2016 - FireEye/Mandiant - M-Trends 2016 - Good overview of Mandiant Consulting findings in 2015

Feb 2016 - TrendLabs - FightPOS gets worm routine

Feb 2016 - InfoSec Institute - PoS Malware: All you need to know - Good list of many of the PoS malware variants with details

Jan 2016 - ZScaler - Malicious Office Files Dropping Kasidet and Dridex

Jan 2016 - Arbor Networks Blog on Uncovering the Seven Pointed Dagger - Trochilus RAT

Jan 2016 - EmsiSoft Blog on Ransom32 Java cross platform Ransomware

2015 - F-Secure repo of whitepapers on Advanced Malware (Regin, BlackEnergy, CozyDuke and many others)

Dec 2015 - HackerHurricane - Dridex Analysis shows tricky shutdown and boot up persistence and how to detect and clean it

Dec 2015 - Pro PoS, Threat Spotlight: Holiday Greetings from Pro PoS – Is your payment card data someone else’s Christmas present?

Dec 2015 - Nemesis, Thriving Beyond The Operating System: Financial Threat Group Targets Volume Boot Record

Nov 2015 - Destover, Toolset linked to Destover Attacker’s arsenal helps them to broaden attack surface

Oct 2015 - iSight Partners ModPoS: MALWARE BEHAVIOR, CAPABILITIES AND COMMUNICATIONS

Sept 2015 - PaloAlto Networks - Chinese actors use '3102' malware in attacks on US Government and EU media. Similar to the '9002' malware of 2014

Sept 2015 - DrWeb finds MWZLesson POS Malware using parts of older malware

  • http://news.drweb.com/show/?i=9615&lng=en&c=5

Sept 2015 - IBM Security Shifu Banking Malware attacking Japanese banks

Aug 2015 - Arbor Networks Blog on Defending the White Elephant - PlugX

Aug 2015 - Symantec - Regin: Top-tier espionage tool enables stealthy surveillance

Aug 2015 - SecureWorks - Revealing the Cyber-Kraken - Multiple Verticals

Aug 2015 - SecureWorks - Threat Group 3390 - Multiple verticals

July 2015 - FireEye Hammertoss, Cyber Threat Group APT29

June 2015 - Duqu 2.1 Kaspersky Labs updates their research

Feb 2015 - Carbanak - Kaspersky The Great bank Robbery

Aug 2014 - Analysis of Dridex / Cridex / Feodo / Bugat

Linux:

IptabLes/IptabLex (linux)

  • http://blog.malwaremustdie.org/2014/06/mmd-0025-2014-itw-infection-of-elf.html

  • http://storage.pardot.com/9892/121392/TA_DDos_Binary___Bot_IptabLes_v6_US.pdf

MAC:

OSXGetShell

http://www.symantec.com/security_response/writeup.jsp?docid=2013-020412-3611-99&tabid=2

WINDOWS:

BackOff - Retail PoS

https://www.us-cert.gov/ncas/alerts/TA14-212A
http://blog.trendmicro.com/trendlabs-security-intelligence/new-pos-malware-backoff-targets-us/
http://www.invincea.com/2014/09/analysis-of-backoff-pos-malware-gripping-the-retail-sector-reveals-lack-of-sophistication-in-malware/

CryptoLocker - Crypto

http://www.secureworks.com/cyber-threat-intelligence/threats/cryptolocker-ransomware

https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/24000/PD24786/en_US/McAfee_Labs_Threat_Advisory_Ransom_Cryptolocker.pdf

Chewbacca - Retail PoS

https://blogs.rsa.com/rsa-uncovers-new-pos-malware-operation-stealing-payment-card-personal-information/

Dexter/Project Hook - Retail PoS

http://www.arbornetworks.com/asert/wp-content/uploads/2013/12/Dexter-and-Project-Hook-Break-the-Bank.pdf

BlackPoS/Kaptoxa - Retail PoS

http://www.securitycurrent.com/resources/files/KAPTOXA-Point-of-Sale-Compromise.pdf (iSight Partners)

http://blogs.mcafee.com/mcafee-labs/analyzing-the-target-point-of-sale-malware

https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/24000/PD24927/en_US/McAfee_Labs_Threat_Advisory_EPOS_Data_Theft.pdf

http://securityintelligence.com/target-data-breach-kaptoxa-pos-malware/

Red October

http://securelist.com/analysis/publications/36740/red-october-diplomatic-cyber-attacksinvestigation/

http://securelist.com/analysis/36830/red-october-detailed-malware-description-1-first-stage-of-attack/

SysPrep/Cryptbase.dll Priv Escalation

http://www.symantec.com/security_response/earthlink_writeup.jsp?docid=2014-050812-0239-99

The Snake/ Uroburos

http://info.baesystemsdetica.com/rs/baesystems/images/snake_whitepaper.pdf
http://www.viruslist.com/sp/analysis?pubid=207271262

WinNTI (Discovered by us in June 2012 using this methodology)

http://securelist.com/analysis/internal-threats-reports/37029/winnti-more-than-just-a-game/

Mandiant APT1

http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf

Shady Rat

http://www.symantec.com/connect/blogs/truth-behind-shady-rat

Duqu

http://www.kaspersky.com/about/press/major_malware_outbreaks/duqu
http://www.secureworks.com/cyber-threat-intelligence/threats/duqu/
http://www.symantec.com/outbreak/?id=stuxnet

Stuxnet

http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf

http://www.codeproject.com/Articles/246545/Stuxnet-Malware-Analysis-Paper

http://www.eset.com/us/resources/white-papers/Stuxnet_Under_the_Microscope.pdf

https://www.mandiant.com/blog/stuxnet-memory-analysis-ioc-creation/

Gameover Zeus

http://www.secureworks.com/cyber-threat-intelligence/threats/The_Lifecycle_of_Peer_to_Peer_Gameover_ZeuS/

Zeus/SpyEye

http://www.ioactive.com/pdfs/ZeusSpyEyeBankingTrojanAnalysis.pdf

Gauss

http://securelist.com/analysis/36620/gauss-abnormal-distribution/

Mini-Flame

http://securelist.com/blog/virus-watch/31730/miniflame-aka-spe-elvis-and-his-friends-5/

SkyWiper/Flame

http://securelist.com/blog/incidents/34216/full-analysis-of-flames-command-control-servers-27/

http://www.academia.edu/2394954/Flame_Malware_Analysis

http://securelist.com/blog/incidents/33002/flame-replication-via-windows-update-mitm-proxy-server-18/

http://www.crysys.hu/skywiper/skywiper.pdf

ZeroAccess

http://nakedsecurity.sophos.com/zeroaccess2/

http://www.symantec.com/security_response/writeup.jsp?docid=2011-071314-0410-99&tabid=2

Shamoon

http://securelist.com/blog/incidents/57854/shamoon-the-wiper-copycats-at-work/

http://securelist.com/blog/incidents/57784/shamoon-the-wiper-further-details-part-ii/

Wiper

http://www.secureworks.com/cyber-threat-intelligence/threats/wiper-malware-analysis-attacking-korean-financial-sector/