Threat Intelligence

Introduction Phobos ransomware has been previously observed impersonating the well-known malware research community Vx-Underground. Initial access methods for Phobos are varied, but it has been known for exploiting software vulnerabilities, launching phishing campaigns to spread malicious payloads, and accessing hosts through external services such as brute forcing RDP. Despite its significant operational impact, with Phobos accounting for a notable 4% of all submissions to the ID Ransomware service in 2023, it hasn’t achieved the notoriety of other Ransomware-as-a-Service (RaaS) operations like Lockbit or REvil....

This post details my analysis of AgentTesla and ZGRat malware samples, examining their behaviour, capabilities, and the indicators of compromise they leave behind. Overview The analysis revealed a sophisticated malware operation using both AgentTesla and ZGRat, with data exfiltration capabilities and persistence mechanisms. The malware authors implemented various techniques to evade detection while harvesting sensitive information from infected systems. Configuration Analysis The configuration analysis revealed SMTP credentials likely used for exfiltrating data:...