Threat Research
Stay on top of the latest threat research, information on in-the-wild cyber attacks and cyber operations from Juniper Threat Labs.
Latest Articles
Satan Ransomware used in Multi-Platform Cryptomining and Ransomware Campaign

Juniper Threat Labs has been monitoring a campaign that delivered multiple stages of malware to install a cryptocurrency miner and ransomware. On March 16, 2019, we identified a surge in attacks that target an Apache Struts vulnerability to deliver their payload.

Anatomy of the Bulehero Cryptomining Botnet

Juniper Threat Labs recently discovered an attack campaign that installs a cryptominer and also spreads across the network. This campaign is interesting because one of its techniques is the use of the infamous EternalBlue exploit and DoublePulsar backdoor.

The attack campaign starts with an HTTP request that attempts to exploit several vulnerabilities in web application servers. This group has recently been active, adding the ThinkPHP exploit to its arsenal. The same exploit has also been used in other campaigns, as noted in an earlier Alibaba threat report. The following section details the exploits and malware the threat actors are using in this campaign.

Troldesh Campaign: Ransomware with Cryptominer in tow

Juniper Threat Labs recently investigated and analyzed the resurgence of Troldesh ransomware, and during our investigation we gained a few insights into the operators' operation. What we found is that the threat actors run a coordinated operation, using other modules to distribute their malware. They use a CMS brute-forcer module that is responsible for infecting loosely configured CMS sites, which are then used as download servers. They monetize their operation via ransomware and cryptomining, and they use Tor for all of their network communication to remain anonymous.

Container Malware: Miners Go Docker Hunting In The Cloud

With the advent of microservices, containers have taken the cloud by storm. But this boom in the container-cloud relationship is also exposing security issues that invite malware to the party. Juniper Threat Labs recently discovered an infection in the wild that hunts for misconfigured, publicly exposed Docker services in the cloud and infects them with containers that run Monero miners.

HoneyProcs: Going Beyond Honeyfiles for Deception on Endpoints

Deploying detection solutions on an endpoint host comes with constraints: limited availability of CPU, memory, disk and other resources; stability requirements; policy adherence and restrictions; and the need to be non-intrusive to the user, the host OS and other applications on the host.

Virobot Ransomware

Juniper Threat Labs has been monitoring the activity of a botnet, which Trend Micro now refers to as ViroBot in their blog, and would like to share additional information that provides insight into the TTPs (tactics, techniques and procedures) of the threat actor. During our investigation, we also found a Unix keylogger related to this threat actor. The keylogger is a 64-bit ELF malware, and at the time of this writing it has 0 hits on VirusTotal. This blog shares technical aspects of both the Windows and Unix malware.
