This report is based on an analysis of the Brunhilda dropper service, which was identified by the PRODAFT Threat Intelligence (PTI) Team.
Brunhilda is a dropper service that utilizes the Google Play Store to distribute various malware. While cybercrime groups tend to start out operating as MaaS (Malware-as-a-Service) businesses, there is currently an upward trend toward DaaS (Dropper-as-a-Service) variations.
Applications used to distribute malware are analyzed in detail. Cybercrime groups started developing DaaS platforms to quickly monetize their business, as it is easy to replace the distributed malware while maintaining a low profile.
Relevant IoCs are included in the report for further research.
Wazawaka has recently risen to prominence within the Threat Intelligence (TI) community, emerging as a key player in the dynamic digital threat landscape. Wazawaka is currently under scrutiny for his alleged involvement in cybercriminal activities, prompting concerns across the cyber realm.
This research provides a comprehensive analysis of Wazawaka’s background, affiliations, and tactics in the threat landscape associated with his activities. It includes information about Wazawaka’s team and his close relations with other threat actors.
The structure of Wazawaka’s team and its choice of third-party ransomware-as-a-service vendors provide in-depth insights into the current state of the cybercriminal industry as a whole. This research is vital for information security leaders who wish to improve their risk management models and boost cyber resilience against sophisticated threats.
This report explores the operational environment of the Nomadic Octopus espionage group's Tajikistan Campaign: Paperbug.
According to victim analysis, the group targets high-ranking government officials, telecommunication services, and public service infrastructures. The types of compromised machines range from individuals' computers to OT devices. These targets make operation "Paperbug" intelligence-driven.
The environment itself is built with only fundamental functionality. This makes attribution challenging and leaves little room for commentary. However, the findings were sufficient to profile the group in this case.
RIG EK is a financially motivated program that has been active since 2014. Although it has yet to substantially change its exploits in its more recent activity, the type and version of the malware the threat actors distribute change constantly, with samples updated anywhere from weekly to daily.
This report aims to provide insight into how RIG EK operates, what kinds of malware it distributes, and how the distribution happens.
The PTI team has identified and gained visibility into the infrastructure of RKIT, which revealed the threat actors' inner workings and their identities.
The highly active threat group FIN7 has been continuously broadening its cybercrime horizons and recently added ransomware to its attack arsenal.
The FIN7 group is notorious for deploying extensive backdoors by leveraging software supply chains, distributing malicious USB sticks, and cooperating with other groups.
The PTI team obtained visibility into the inner workings of the FIN7 threat group and gained information about its organizational structure, identities, attack vectors, infrastructure, proof-supported affiliations with other ransomware groups (such as DarkSide, who were behind the Colonial Pipeline attack in 2021), victim targeting, and other relevant observations. All of the findings are supported by translated conversations among the members of FIN7, including screenshots of their infrastructure.
You can download the full version of the report and the summary of the most important findings.