All Articles (158)

On 31 January 2018, South Korea’s Computer Emergency Response Team (KR-CERT) published an advisory about an Adobe Flash zero-day vulnerability being exploited in the wild. On 1 February 2018, Adobe released an advisory confirming the vulnerability exists in Adobe Flash Player. The vulnerability is dubbed, “CVE-2018-4878.”
Researchers have unveiled a powerful spyware variant that provides attackers complete control of the target device remotely. The malware was first seen in 2014. It has evolved over time, from simple un-obfuscated malware in the beginning, to sophisticated multi-stage spyware that provides attackers full remote control of the infected device.
The XXIII Olympic Winter Games, hosted in PyeongChang, South Korea, commence on 9 February 2018. Wapack Labs observed two compromised individuals, infected with AZORult malware, logging into the official Olympic Winter Games portal, pyeongchang2018.com. AZORult is a Trojan horse which steals information from a compromised system. After installation, AZORult begins looking for sensitive data; browser cookies, usernames and passwords, system information, and autocomplete fields.


Actor Type: II
Serial: TR-18-026-001
Countries: all
Report Date: 20180126

Dark Caracal APT Group

Researchers have identified an Advanced Persistent Threat group (APT) identified as Dark Caracal (DC).  DC claims to have stolen hundreds of gigabytes of data…

Zyklon is a family of malware which first emerged in early 2016 before going dormant until January 2017. Attackers then exploited several vulnerabilities in the Microsoft Office software suite in order to spread Zyklon malware.


Actor Type: II
Serial: TR-18-024-001
Countries: IN, CN
Report Date: 20180124

Iranian APT Groups


APT34 is involved in long-term cyber espionage operations largely focused in the Middle East.  This threat group has targeted a wide…

A security researcher has made public a vulnerability in Apple’s MacOS operating system which allows an attacker to take complete control of the system. The vulnerability was made public on 31 December 2017 by a researcher who is identified as, “Siguza.”
Wapack Labs is monitoring the developments in the ongoing Iran protests. Wapack analysts continue to observe an increase in Internet restriction and disabling of communication applications; Facebook, Twitter, Telegram, Google, WhatsApp, and Signal. To date, ProtonMail’s free VPN service for Android phones, and Psiphon, an app that circumnavigates network firewalls, are the only means of providing anonymity for Iranian citizens.


Actor Type: II
Serial: TR-18-009-001
Countries: IN, CN
Report Date: 20180109

Bypassing Antivirus using Amber (Reflective PE Packer)

Amber is a proof-of-concept tool used for bypassing antivirus software.  Amber uses techniques that convert Portable Executables (PEs) to reflectively load those PEs.  This can be used as a multi-stage payload for infection on…

Meltdown and Spectre are two major flaws that affect all modern computers based on processors from Intel, AMD and ARM. Discovered and named by the team of security researchers as part of Google Project Zero, both of these flaws potentially allow hackers to steal personal data from computers, including cloud servers and mobile devices. The disclosure date for the flaws was January 9, 2018 but due to premature reports, growing speculation and risk of exploitation, the information was revealed…
Wapack Labs analysts have been monitoring the recent demonstrations in Iran involving discontent toward the Islamic Republic seated in the aftermath of the 1979 Revolution. Iranian dissidents and activists took to the streets by the thousands, chanting slogans like “We don’t want an Islamic Republic” and “Death to the dictator”, as they tore down pictures of Supreme Leader Khamenei and set fire to the Governor’s office.
Wapack Labs has been monitoring Iranian cyber activity for several years, specifically the evolving OilRig and Greenbug campaigns. Their adoption of a cyber operational paradigm involving both cyber hacktivism and cyber espionage tactics resembles cyber activity patterns employed by Chinese APT groups, whereby different groups perform different campaigns, with multiple teams conducting separate phases of a cyber campaign. With President Trump’s refusal to re-certify Iran’s compliance with the…