strrat (6)

A new phishing campaign has been observed delivering Remote Access Trojans (RATs) such as VCURMS and STRRAT using a malicious Java-based downloader.  The attackers stored the malware on public services like Amazon Web Services (AWS) and GitHub and employed a commercial protector to evade detection.  An unusual aspect of the campaign is VCURMS' use of a Proton Mail email address ("sacriliage@proton[.]me") for communicating with a command-and-control (C2) server.

The attack chain commences

Activity Summary - Week Ending on 4 February 2022:

  • Red Sky Alliance identified 39,538 connections from new IPs checking in with our Sinkholes
  • Amazon IP hit
  • Analysts identified 3,544 new IP addresses participating in various Botnets
  • Molerats APT
  • 47 Tbps DDoS Attack
  • Ransomware Operators
  • US Public Safety being Targeted
  • Maritime Cranes & the Supply Chain
  • US Water Protection
  • Shipment & Delivery Scams

Link to full report: IR-22-035-001_weekly035.pdf

Shipping is an indispensable part of modern life.  It is the lifeblood of the global economy, with numerous large companies (and their equally large container ships) perpetually moving goods from one corner of the earth to the other to provide consumers and industries with the necessities of life.  Due to the critical importance of shipping and receiving goods to most organizations, threat actors often use shipping as a lure for phishing emails: such as false invoices, changes in shipping delive

Red Sky Alliance performs queries of our backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails.  Email subject line Motor Vessel (MV) or Motor Tanker (MT) keyword usage is a common lure to entice users in the maritime industry to open emails containing malicious attachments.  Red Sky Alliance is providing this list of Motor Vessels in which Red Sky Alliance directly observed the vessel being impersonated, with assoc

Activity Summary - Week Ending 10 September 2021:

  • Red Sky Alliance identified 47,398 connections from new unique IP addresses - Sinkholes
  • Analysts identified 1,034 new IP addresses participating in various Botnets
  • 4 unique email accounts compromised with Keyloggers were used to log into Personal Accounts
  • Sality Malware Variant seen 42,252 times this past week
  • Hive Ransomware Alert
  • FIN7 again
  • Microsoft and $20 billion in Cyber Security
  • South Korea and TrickBot Arrest
  • To SOAR, or to SIEM

The old trick of using a Trojan horse to deceive is still in vogue, now with cyber as the lure.  A massive phishing campaign is distributing what looks like ransomware but is in fact trojan malware that creates a backdoor into Windows systems to steal usernames, passwords, and other information from victims.  Detailed by cybersecurity researchers at Microsoft, the latest version of the Java-based STRRAT malware is being sent out via a large email campaign, which uses compromised email accounts t