All Articles (181)

2649984548?profile=RESIZE_710xHuawei CEO, Ren Zhengfei

On 15 May 2019, US President Trump declared a national emergency over the dangers of importing technology from adversary countries, a move universally understood to be targeted at the Chinese corporation Huawei Technologies.  The “ban” on Huawei is being enacted by the US Department of Commerce, charged by the White House with deciding on the mechanisms of blocking Huawei’s connections to the US. The ban hurts Huawei in two ways: by closing the US market to Huawei equipm


Mirai is a self-propagating malware that infects networked devices and turns them into remotely controlled bots.  Targets include devices in the Internet of Things (IoT) such as IP cameras and home routers and access is achieved with either software exploits or via authentication with factory default credentials. Mirai is frequently updated to include new exploits making it difficult to mitigate.

This report provides cluster trending on infrastructure over the past several weeks from this repor

On 7-9 May 2019, Wapack Labs detected an increase in malicious emails with the spoofed sender field  Hackers deliver malicious attachments under the pretense of an incoming SWIFT transfer (Figure 1).


Figure 1. Email text spoofing HHH Marine Services on 8 May 2019.

The attackers use the popular malware Lokibot.  Wapack Labs detected communications of these samples to known and new Lokibot C2s:

  • kbfvzoboss[.]bid/alien/fre.php
  • carlos-tevez[.]gq/raphael/fre.php
  • uenajrkja[.]ml/ch


On 1 May 2019, Russian President Vladimir Putin signed “Internet sovereignty” bill.  New requirements to use ISPs to track traffic origin will likely force traffic decryption and support of internal censorship efforts.  In the future, Russia will develop its own DNS system to conduct special Internet controls.  Currently, LinkedIn is banned in Russia.  Russian national payment system, Mir, was developed after several Russian banks were denied services by US-based Visa and MasterCard.  Future st

Beware of Evil Clippy! Evil Clippy (EC) is a malicious tool that modifies Microsoft Office documents at the file format level. EC generates malicious versions of documents that are able to evade antivirus engines that use static analysis and manual inspection of macro scripts for detection. EC does this by taking advantage of undocumented features, unclear specifications, and deviations from intended implementations.

2405230492?profile=RESIZE_180x180Research Overview

Background: The detonation of a nuclear weapon at high altitude or in space (~30 km or more above the earth’s surface) can generate an intense electromagnetic pulse (EMP) referred to as a high-altitude EMP or HEMP. HEMP can propagate to the earth and impact various ground-based technological systems such as the electric power grid. Depending on the height of the explosion above the earth’s surface and the yield of the weapon, the resulting HEMP can be characterized by three haz

RDPwrap is a very popular open source third-party Windows Remote Desktop Protocol (RDP) tool offered by Stas’M’Corp from Moscow, Russia. Wapack Labs discovered that RDPWrap creates a local Denial-of-Service (DoS) vulnerability on Windows 10 systems, which could allow an attacker on the system to terminate users RDP sessions. By allowing the attacker to terminate RDP sessions without warning, it is particularly dangerous if the attacker notices an administrator on the system via RDP;and does not

Remote Desktop Protocol (RDP) Inception is a popular RDP attack that is used to laterally infect computers on a network. RDP is a popular method for Windows Systems Administrators to remotely access systems they manage. As a result, it has become a frequent target for attackers. This report provides technical details on the RDP inception attack.

IR-19-060-002 RDP Inception.pdf

A Windows Remote Desktop Protocol (RDP) Man-in-The-Middle (MiTM) attack occurs when an attacker has positioned themselves to be on the same subnet as the victim; and proceeds intercepting/tampering with the victims RDP session traffic. Windows RDP servers offer some security mechanisms against MiTM attacks on clients, such as Enhanced TLS and Credential Security Support Provider (CredSSP) protocol, but adversaries can easily bypass these features.

TIR-19-056-001 RDP MiTM.pdf

Remote Desktop Protocol (RDP) serves as an entry point for an attacker that desires to move laterally throughout an organization via RDP session hijacking. In order to persist and consistently be able to access the compromised RDP account an attacker must place a backdoor on the system. Attackers use binary replacement and registry debugger methods to backdoor RDP and other popular Windows accessibility services: osk.exe, Magnify.exe, Narrorator.exe, DisplaySwitch.exe, AtBroker.exe. Sticky Keys

2271211259?profile=RESIZE_710xThe People’s Republic of China has claimed the whole of the South China Sea as its sovereign territory ever since coming to power in 1949.  However, several other countries have historical claims over some of the islands, and the Law of the Sea Treaty gives several of these countries rights to economic zones that overlap with Chinese claims.  This has led to conflict between China and the United States, which supports the claims of its allies to parts of the South China Sea under international l

During the time frame 26 March 2019 until 18 April 2019, leaker Lab_Dookhtegan dumped information, photos, and source code allegedly belonging to APT34 / OilRig via their Telegram messenger channel.  The leak highlights Iran’s heavy use of ASP web shells on compromised exchange servers to launch attacks and exfiltration via DNS.  Several tools from APT34 / OilRig were released (high confidence): PoisonFrog, base.aspx, webmask_dns, FoxPanel222 nodeJS phishing kit, HighShell, HyperShell, MinionPro

2210160469?profile=RESIZE_710xIn April 2019, Krebs reported that Wipro, an Indian IT outsourcing company, was the victim a successful cyber attack by suspected state-sponsored actors.  The actors leveraged ScreenConnect, a remote administration tool, to gain access to various Wipro systems which were then used as launching points for additional attacks against Wipro’s customers. The follow-on attacks consisted of a phishing campaign capturing data as part of gift card fraud operation.

Additional open sources reported this at

In February 2019, conflict between India and Pakistan over the disputed territory of Kashmir escalated into the worst violence there is decades.  An Islamic extremist suicide bomber with a vehicle packed with explosives attacked an Indian police convoy in Kashmir, killing 40.  This provoked a military response by India, with Indian Air Force fighter jets carrying out a bombing raid into Pakistan proper for the first time since 1971.  India claimed they were attacking a terrorist camp, but no inj

Ursnif, aka Gozi, is a popular Info-stealing malware that first emerged during 2012. Since then the malware has undergone several variations with the latest distribution using word document attachments with malicious Powershell commands. A new Ursnif campaign was recently observed targeting customers for various financial institutions in the US, Canada, and Italy.


Wapack Labs observed malicious email trending on CTAC which detected an uptick in Darwish Trading Company (DTC) spoofing.  Hackers pretend to be from this Qatari company as it has a wide range of business activities to include servicing the oil and gas sector.  During 29 March 2019 – 3 April 2019, these samples were seen delivering Lokibot and PonyLoader malware.



Figure 1. Malicious .doc attachment in an email spoofing Darwish Trading Company

The Darwish Trading Company (DTC) has a w


Loki is a very popular bot/stealer malware which has been for sale in the underground since 2015.  In 2017, two hackers from the Russian hacking forum cracked Loki and released a cracked builder.  Once the cracked builder was released new unofficial versions of Loki were found for sale in novice English speaking forums for less than the original version. 

This report provides details on the following Loki variants:

  • Loki 1.6 & 2.0 by Carter
  • Loki 1.7 (1.6 Cracked) by Abbat-v &
Summary Beginning in August of 2017, a new cryptocurrency mining botnet, dubbed Smominru, started propagating via the recently leaked Eternal Blue exploit. Smominru, aka MyKings, is characterized by the targeting of Windows systems using WMI as a file-less persistence mechanism. As of March 2019, Smominru showed no signs of slowing down. Wapack Labs has identified approximately 316K victims connecting to Smominru infrastructure over a period of 6 days. This report provides a high-level overview

China’s need for energy has skyrocketed over the last 20 years as the country has gotten richer and the middle class—now 400 million—has grown into a significant segment of the population.  Energy demands are not being met by domestic production, so China is now a net importer of oil, natural gas, and coal.

China’s energy source mix has traditionally been dominated by coal, but the share of energy produced by coal is dropping.  China is highly dependent on imported oil, which makes up about 68 p


Hackers are using “SWIFT monetary transfer” themed files to lure users into opening them.  These files have been identified malicious.  Wapack Labs studied a sample group of SWIFT-themed malicious files during a 30 days period in February-March 2019.  Nearly half are classified as Lokibot, and 12 percent were detected exploiting CVE-2017-11882 "Microsoft Office Memory Corruption Vulnerability."  Most of the samples were submitted from either Ukraine, the Czech Republic or the US.  In seve