Author

Cyril François


Articles

Disclosing the BLOODALCHEMY backdoor

BLOODALCHEMY is a new, actively developed backdoor that leverages a benign binary as an injection vehicle, and is a part of the REF5961 intrusion set.

Introducing the REF5961 intrusion set

The REF5961 intrusion set discloses three new malware families targeting ASEAN members. The threat actor leveraging this intrusion set continues to develop and mature their capabilities.

Elastic charms SPECTRALVIPER

Elastic Security Labs has discovered the P8LOADER, POWERSEAL, and SPECTRALVIPER malware families targeting a national Vietnamese agribusiness. REF2754 shares malware and motivational elements of the REF4322 and APT32 activity groups.

Unpacking ICEDID

ICEDID is known to pack its payloads using custom file formats and a custom encryption scheme. We are releasing a set of tools to automate the unpacking process and help analysts and the community respond to ICEDID.

BLISTER Loader

The BLISTER loader continues to be actively used to load a variety of malware.

Thawing the permafrost of ICEDID Summary

Elastic Security Labs analyzed a recent ICEDID variant consisting of a loader and bot payload. By providing this research to the community end-to-end, we hope to raise awareness of the ICEDID execution chain, capabilities, and design.

PHOREAL Malware Targets the Southeast Asian Financial Sector

Elastic Security discovered PHOREAL malware, which is targeting Southeast Asian financial organizations, particularly those in the Vietnamese financial sector.

QBOT Malware Analysis

Elastic Security Labs releases a QBOT malware analysis report covering the execution chain. From this research, the team has produced a YARA rule, a configuration extractor, and indicators of compromise (IOCs).

Update to the REF2924 intrusion set and related campaigns

Elastic Security Labs is providing an update to the REF2924 research published in December of 2022. This update includes malware analysis of the implants, additional findings, and associations with other intrusions.

FLARE-ON 9 Solutions:

This year's FLARE-ON consisted of 11 different reverse engineering challenges with a range of interesting binaries. We really enjoyed working on these challenges and have published our solutions here to Elastic Security Labs.

Exploring the QBOT Attack Pattern

In this research publication, we'll explore our analysis of the QBOT attack pattern — a full-featured and prolific malware family.