The following article is co-authored by threat intelligence researchers from HYAS and Advanced Intelligence and cross-posted to both websites. Much has been written about the many families of ransomware over the past several years. Some of these ransomware families are operated by successful and disciplined criminal enterprises that function like any technology-focused business with developers, testers, and recruiters. The Ryuk family of ransomware has been particularly successful in economic terms as well as having a disruptive impact on many industries around the world. This article outlines some of the financial findings related to the group that might be useful for a broad audience.

HYAS Intel Team

January 7, 2021

The capabilities and possible victims of the recent SolarWinds hack and the SunBurst backdoor are becoming clearer as the cybersecurity community continues to investigate the attack. HYAS has performed our own research, collected data leveraging our unique sources, and we wanted to share some unique insights that add to the industry’s understanding of this attack. This blog delves into the infrastructure used by SunBurst to compromise targets and points out another network monitoring solution that may have been compromised. 

HYAS Intel Team

December 23, 2020

Summary Roaming Mantis is a Chinese-speaking threat actor group that has been active since at least 2017. The group primarily targets the customers of financial institutions with smishing attacks that deliver the FakeSpy (aka Moqhao) Android trojan, which is designed to steal its victims’ information. From October to November 2020, HYAS Intelligence Services observed a Roaming Mantis campaign targeting a Japanese and Turkish bank that stole the banking credentials of their customers, which were then used in credential stuffing attacks on the banks’ websites.    HYAS analysis of the Roaming Mantis campaign revealed extensive abuse of Dynamic DNS (DDNS) services with over 15,000 DNS domains used to host campaign infrastructure from which the actors launched their attacks. Threat Analysis Overview Threat actors frequently abuse Dynamic DNS (DDNS) services and infrastructure for malicious purposes such as distributing malware, command & control (C2) infrastructure, or phishing campaigns. The low cost of DDNS services and the capability they provide threat actors to quickly build, customize, and operationalize domains and C2 infrastructure for campaigns makes them an attractive option. In addition, DDNS services provide threat actors with a cover of anonymity as no publicly available registration information is required compared to traditional domain registration. HYAS Intelligence Services regularly observes threat actor abuse of DDNS services in various campaigns to launch and carry out attacks. This threat report details how the Roaming Mantis threat actor group has targeted financial institutions in Japan and Turkey and provides suggested mitigation measures. 

HYAS Intel Team

December 14, 2020