IP Reputation Analysis Report – August 2017

October 3, 2017 | NSFOCUS

Executive Overview There was a 34.06% increase in number of IP addresses globally in the NSFOCUS IP Reputation databases this month compared to both the beginning of the year and post WannaCry and Petya (33.17% through July). Globally the number of Botnets did not change significantly. However, the overall percentage of Botnets compared to other […]

Phantom Squad – DDoS Threat

September 26, 2017 | Adeline Zhang

Overview It appears that the new syndicate of the Armada Collective referred to as the Phantom Squad is planning to launch a global DDoS attack on September 30th.  Below you will find a screenshot of the mass spear-phishing email that has been distributed to many organization and companies around the world. They are currently asking […]

Struts 2 S2-052 REST Plug-in Remote Code Execution Vulnerability Analysis

September 8, 2017 | Adeline Zhang

Overview On September 5, 2017, Apache Struts released the latest security bulletin announcing that the REST plug-in in Apache Struts 2.5.x and some 2.x versions is prone to a high-risk remote code execution vulnerability, which has been assigned CVE-2017-9805 (S2-052). When using an XStream handler with an instance of XStream for deserialization, the REST plug-in […]

Analysis of Phishing Attacks Targeting Ukrainian Banks

September 1, 2017 | Adeline Zhang

Overview On August 17, 2017, the National Bank of Ukraine (NBU) warned financial institutions in the country about a potential cyberattack. The virus would exploit the CVE-2015-2545 vulnerability to cause remote code execution by sending emails with the code disguised as a Microsoft Word document. Subsequently, a cybersecurity institution found traces of such an attack […]

Joao Malware Analysis

August 31, 2017 | Adeline Zhang

Overview Security researchers from the security firm ESET spotted a piece of malware dubbed Joao targeting gamers. This malware is found inside an Aeria game installation pack provided by a third party. Upon the start of a game, this malware runs in the background, sending the victim’s machine information to the attacker, including the operating […]

Moyou Trojan Analysis

August 31, 2017 | Adeline Zhang

Overview On August 2, 2017, ANTIY discovered a new DDoS trojan and dubbed it Moyou. After obtaining the related sample, NSFOCUS conducted a detailed analysis of the trojan. Sample Analysis The following figure shows the detection result of NSFOCUS Threat Analysis Center (TAC). The sample obtains the C&C server address ( by reading data from […]

H1 2017 Cybersecurity Insights

August 29, 2017 | Devika Jain

Overview This year a significant amount of security events such as WannaCry, Petya, and NotPetya occurred adversely affecting a wide variety of social and economic activities. To mitigate threats brought by such events IT and security teams have spared no effort in combating against such attacks for the security and protection of their organizations. It […]

Remote Access Trojan KONNI Targeting North Korea Technical Analysis and Solution

August 18, 2017 | wangyang2

This July a remote access trojan (RAT) KONNI was discovered to be involved in a cyberattack targeting North Korea, which was presumably linked to South Korea. This RAT spreads mainly through phishing emails. Specifically, the attacker first tries to have a powershell script executed via an .scr file, and then downloads the malware of an […]

Dumbo Exploit Project

August 4, 2017 | Devika Jain

Overview This week WikiLeaks published a document outlining another leaked hacking tool developed by the CIA (Central Intelligence Agency). The exploit titled ‘Dumbo’ possesses the capability of remotely managing and altering video and audio recordings on Windows XP systems.  At the moment, the malware is only able to successfully run on 32-bit Windows XP, Vista, […]

North Korea’s Hidden Cobra Attack Campaign

June 23, 2017 | Devika Jain

Overview Hidden Cobra has recently been the term given to North Korea’s DDoS botnet attack infrastructure primarily orchestrated by the infamous Lazarus Group and Guardians of Peace. The term is coined by the collaborative efforts conducted on behalf of the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI).  Alert (TA17-164A) has […]