Blogs About Threat Research

• The Go language is becoming increasingly popular among threat actors, with attacks starting to appear in 2019
• Morphisec Labs has tracked a new Golang-based (1.17) ransomware variant that appeared starting in late September and continued...

• Morphisec Labs tracked a new MirrorBlast campaign targeting financial services organizations 
• MirrorBlast is delivered via a phishing email that contains malicious links which download a weaponized Excel document
• MirrorBlast has low detections on...

In 2020, Morphisec introduced the Jupyter infostealer, a .NET attack that primarily targets Chromium, Firefox, and Chrome browser data while also maintaining the additional capabilities of a backdoor. 

On July 2, 2021, our Cloud Workload Protection Platform, Morphisec Keep, successfully identified and prevented a REvil ransomware infection in customer domains. This attack was automatically blocked in real time due to Morphisec's proactive...

In the past month, Morphisec has investigated the origin of several increasingly prevalent infostealers. These include Redline, Taurus, Tesla, and Amadey.

As part of our research, we identified pay-per-click (PPC) ads in Google’s search results that...

The Morphisec Labs team has been tracking an ongoing RAT delivery campaign that started in February this year. This campaign is unique in its heavy use of the AutoHotKey scripting language—a fork of the AutoIt language frequently used for testing...

Morphisec has recently monitored a highly sophisticated Crypter-as-a-Service that delivers numerous RAT families onto target machines.

The Crypter is most commonly delivered through phishing emails, which lead to the download of a visual basic...

The developers of the Phobos ransomware have added new fileless and evasive techniques to their arsenal. Constantly keeping their attack up to date helps them bypass detection technologies through several distinct approaches, the latest of which we...

In 2021 Morphisec identified increased usage of the “HCrypt” crypter. In this post, we lockpick “HCrypt”—a crypter as a service marketed as a FUD (fully undetectable) loader for the client's RAT of choice. We chose to dissect the crypter’s...

The MineBridge RAT was first identified in January 2020 by security researchers at FireEye. They observed the backdoor attacking financial institutions in the United States and targets in South Korea as well. MineBridge was initially classified as...

Introducing egregor ransomware

Egregor is considered to be one of the most prolific ransomware threat groups. Yet it gained this reputation in a very short time due to its uncompromising double extortion methodology.

Between January 15 and 20, Morphisec identified a significant campaign targeting multiple German customers in manufacturing. Targeted personnel were redirected to compromised websites that were, and still are, delivering advanced fileless...

Introduction

In this post, we cover the CinaRAT loader's evasive tactics, techniques, and procedures (TTPs), as identified and prevented by Morphisec’s zero-trust endpoint security solution powered by Moving Target Defense technology. 

This report has been updated with assistance from the cybersecurity community.

Morphisec Labs has been tracking FIN7 (Carbanak Group) activity for the past several years. Morphisec’s ability to collect rich forensic data from memory has provided...

An Infostealer is a trojan that is designed to gather and exfiltrate private and sensitive information from a target system. There is a large variety of info stealers active in the wild, some are independent and some act as a modular part of a...

Since early March, the team at Morphisec Labs has been supporting enterprises as they shift to distributed workforces in response to COVID-19. From assisting hospitals with securing their remote workers to uncovering new weaknesses in collaboration...

The Morphisec Labs team has tracked an obfuscated VBScript package in campaigns since March 2020. Initially, the malware campaign was focused on targets within Germany, but has since moved on to additional targets--excluding any IP address within...

During the first week of March, Morphisec intercepted and prevented an advanced Lokibot delivery campaign on some of its customers in the financial sector. While Lokibot has been lately reported to be delivered via impersonation of a known game...

Guloader is a downloader that has been widely used from December 2019. Several security researchers have identified the downloader in the wild, signifying that it has quickly gained popularity among threat actors. When it first appeared, GuLoader...

Following the increase in Parallax RAT campaigns -- the new RAT on the block, Morphisec Labs decided to release more technical details on some of the latest campaigns that the Morphisec Unified Threat Prevention Platform intercepted and prevented...