White Papers

OceanLotus continues its activity particularly targeting company and government networks in East-Asian countries. A few months ago, we discovered and analyzed one of their latest backdoors. Several tricks are being used to convince the user to execute the backdoor, to slow down its analysis and to avoid detection. These techniques will be discussed in detail in this white paper.

Microsoft Windows XP is perhaps Microsoft’s most-storied operating system.  Released in 2001, just a year after the release of Microsoft Windows 2000, it was meant to fix Microsoft’s cycle of releasing separate operating systems for consumers—based on Windows 95— and operating systems for enterprises—based on Windows NT—with a single unified operating system for use by everyone. Combining the reliability of the Windows NT kernel with the multimedia subsystem of Windows 9x, it would be equally usable whether at work or at play. So, how well did Microsoft execute on this vision from so long ago? In April 2014, Windows XP was installed on about 30% of our customers’ desktop computers. As of March 2018, Windows XP accounts is installed on about 5,5% of those systems. While this may seem like a small percentage, it is 10 times the number of computers running Windows XP's successor, Windows Vista, which today accounts for a mere sub-1% of usage.

In 2017, cryptocurrencies became a booming industry, attracting the attention of not only new users, but also cybercriminals. As the fraudsters came rushing to the newly crowded cryptocurrency space, users, businesses, and exchanges have found themselves the target of various fraud schemes – from phishing scams, through hacks, to surreptitious crypto-mining on compromised devices and, as of late 2017, via browsers. Cybercrime targeting cryptocurrency has recently become so rampant that regulators have issued multiple warnings on cryptocurrency scams; Facebook banned all cryptocurrency ads on its platform; and insurers have started to offer protection against cryptocurrency theft.

Malware writers have also begun to use more sophisticated methods to spread their infected apps  To avoid the unwanted attention, attackers have started to encrypt malicious payloads, burying them deeper in the application – often moving them to the assets folder, typically used for pictures or other necessary contents

Turla is one of the longest-known state-sponsored cyberespionage groups, with well-known victims such as the US Department of Defense in 2008. The group owns a large toolset that is generally divided into several categories: the most advanced malware is only deployed on machines that are the most interesting to the attackers. Their espionage platform is mainly used against Windows machines, but also against macOS and Linux machines with various backdoors and a rootkit.

Thanks to its strong anti-analysis measures, the FinFisher spyware has gone largely unexplored. Despite being a prominent surveillance tool, only partial analyses have been published on its more recent samples. Things were put in motion in the summer of 2017 with ESET’s analysis of FinFisher surveillance campaigns that ESET had discovered in several countries.

The world is changing in front of our eyes. Where facts, truth and honesty were once our most valuable assets, nowadays, alternative-facts, post-truths and outright lies reign. Unfortunately, the cybersecurity industry is no exception to this trend.

To get a global view of the Stantinko ecosystem, you need a lot of the pieces of the puzzle. The more we dug and tracked Stantinko, the more we could collect those pieces and put them together.