RSA research

Kingslayer – A Supply Chain Attack

Today, RSA is publishing new research on a sophisticated software supply-chain attack – dubbed “Kingslayer”. RSA Research investigated the source of suspicious, observed beaconing thought to be associated with targeted malware. In the course of their investigation, RSA discovered a sophisticated software supply-chain attack involving a Trojan inserted in otherwise legitimate software; software that is…

Schoolbell: Class is in Session

By Kent Backman and Kevin Stear, RSA Research. Backstory: If a sophisticated exploitation campaign is broad enough, it will attract the attention of multiple threat researchers. Such is the case of the malicious, multi-faceted exploitation campaign and botnet RSA Research has dubbed “Schoolbell.” In this blog, RSA will build on existing industry research and dig…

From the Archives: Automation of Fraud – The Voxis Platform

In recent months, RSA FirstWatch has identified a growing demand among cybercriminals in their online communities and black markets for tools to automate fraud-related operations. Voxis is a fraudulent platform used by criminals to monetize stolen credit card credentials and increase their illicit revenues by automating fake transactions through multiple payment gateways. The FirstWatch…

Terracotta VPN: Enabler of Advanced Threat Anonymity

Today, RSA Research published an in-depth report on a commercial VPN network, originating in China, which we are calling “Terracotta”. It is being used as a launch platform for APT actors including the now well-known Shell_Crew / Deep Panda group (which RSA exposed in a January 2014 report, http://www.emc.com/collateral/white-papers/h12756-wp-shell-crew.pdf). Terracotta’s network of 1500+ VPN…

Attacking a POS Supply Chain: Part 1

Among FirstWatch’s regular threat-seeking tasks is hunting for incidents of specific targeting. Recently, we came across an email exploit attempt aimed at a European Point of Sale (POS) vendor. In this post we will show links to a recently publicized POS malware campaign, and describe possible threat motivations behind this or other POS vendor…

Zeus Toolkit infected with a Ramnit Worm

RSA Research monitors and analyzes the malicious activity of online cybercrime infrastructures on an ongoing basis. In a recent discovery, the lab’s researchers studied the workings of a customized Zeus Trojan Admin panel, which had apparently picked up a Ramnit worm that infects any machine that installs the Zeus Panther Admin panel. A History Lesson…