archive

malware

  1. Storm Cloud on the Horizon: GIMMICK Malware Strikes at macOS

    In late 2021, Volexity discovered an intrusion in an environment monitored as part of its Network Security Monitoring service. Volexity detected a system running frp, otherwise known as fast reverse proxy, and subsequently detected internal port scanning shortly afterward. This traffic was determined to be unauthorized and the system, a MacBook Pro running macOS 11.6 (Big Sur), was isolated for further forensic analysis. Volexity was able to run Surge Collect to acquire system memory (RAM) and select files of interest from the machine for analysis. This led to the discovery of a macOS variant of a malware implant Volexity calls GIMMICK. Volexity has encountered Windows versions of the malware family on several previous occasions. GIMMICK is used in targeted attacks by Storm Cloud, a Chinese espionage threat actor known to attack organizations across Asia. It is a feature-rich, multi-platform malware family that uses public cloud hosting services (such as Google […]

  2. Dark Halo Leverages SolarWinds Compromise to Breach Organizations

    Volexity is releasing additional research and indicators associated with compromises impacting customers of the SolarWinds Orion software platform. Volexity has also published a guide for responding to the SolarWinds breach, and how to detect, prevent, and remediate this supply chain attack. On Sunday, December 13, 2020, FireEye released a blog detailing an alleged compromise to the company SolarWinds. This compromise involved a backdoor being distributed through an update to SolarWind’s Orion software product. FireEye attributed this activity to an unknown threat actor it tracks as UNC2452. Volexity has subsequently been able to tie these attacks to multiple incidents it worked in late 2019 and 2020 at a US-based think tank. Volexity tracks this threat actor under the name Dark Halo. At one particular think tank, Volexity worked three separate incidents involving Dark Halo. In the initial incident, Volexity found multiple tools, backdoors, and malware implants that had allowed the attacker to remain undetected for […]

  3. OceanLotus: Extending Cyber Espionage Operations Through Fake Websites

    Since Volexity’s 2017 discovery that OceanLotus was behind a sophisticated massive digital surveillance campaign, the threat group has continued to evolve. In 2019, Volexity gave a presentation at RSA Conference that provided a historic and up-to-date look at various operations of the Vietnamese threat actor OceanLotus. Notably, the presentation revealed that, for years, OceanLotus set up and operated multiple activist, news, and anti-corruption websites. At first glance, it appeared these were real websites that had been compromised. These fake websites were convincingly legitimate and allowed OceanLotus to have full control over the tracking of and attacks against website visitors. The most popular of these websites even had a corresponding Facebook page with over 20,000 followers. Shortly after the presentation was given, these websites were shut down or abandoned. However, old habits and successful techniques die hard. Volexity has identified multiple new attack campaigns being launched by OceanLotus via multiple fake […]