Mathieu Tartare

#ESETresearch uncovered a new campaign of the #Winnti Group targeting #HongKong universities with ShadowPad and Winnti. @mathieutartare https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/ … 1/3pic.twitter.com/d57V1rhBR1

https://twitter.com/m0n0sapiens/status/1201520018418274305 …pic.twitter.com/KsaztopWZ3

After years of relying on click fraud, ad injection, social network fraud and credential stealing, #Stantinko botnet has started to mine #Monero. Today, #ESETresearch dives deeper into Stantinko's new #cryptomining business model. https://www.welivesecurity.com/2019/11/26/stantinko-botnet-adds-cryptomining-criminal-activities/ …pic.twitter.com/od7rBMxyeO

For a while now, @ESETresearch has been tracking the activities of the #WinntiGroup. Recently, we discovered a backdoor targeting #MSSQL, allowing attackers to maintain a very discreet foothold inside compromised organizations. @welivesecurity --> https://bit.ly/2pD3M9b pic.twitter.com/w0ql9QD4En

skip-2.0 exhibits multiple similarities with other tools from the #Winnti Group's arsenal: VMProtected launcher RC5-encrypted payload with key derived from Volume ID Custom packer Inner-Loader injector hooking procedure #ESETresearch @mathieutartare 3/3pic.twitter.com/mHIILVkBDk

#ESETResearch discovered an undocumented #MSSQL Server backdoor called skip-2.0 and part of the #Winnti Group's arsenal that allows to bypass normal authentication by using a magic password. @mathieutartare https://www.welivesecurity.com/2019/10/21/winnti-group-skip2-0-microsoft-sql-server-backdoor/ … 1/3pic.twitter.com/un1nkEeveY

Wskip-2.0 targets #MSSQL Server 11 and 12 which are the most commonly used versions according to @censysio's data #ESETresearch @mathieutartare https://www.welivesecurity.com/2019/10/21/winnti-group-skip2-0-microsoft-sql-server-backdoor/ … 2/3pic.twitter.com/YN5UhREmCs

#ESETresearch discovers a trojanized #Tor Browser distributed by #cybercriminals to steal bitcoins from #darknet market buyers. @cherepanov74 fighting #cybercrime everywhere! https://www.welivesecurity.com/2019/10/18/fleecing-onion-trojanized-tor-browser/ …pic.twitter.com/60omVfNMr5

We found some code similarity between #PolyglotDuke and #OnionDuke #ESETresearch 4/4pic.twitter.com/HFynR3QkrO

Full paper: https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf … As always, IoCs and @MISPProject event are available on our GitHub account: https://github.com/eset/malware-ioc/tree/master/dukes … The attackers reused Miniduke that was first described 6 years ago. 3/4pic.twitter.com/aRdIIHOHEN

#ESETresearch discovered 3 new malware families part of the #Dukes/#APT29 arsenal: #PolyglotDuke, #RegDuke and #FatDuke Twitter, Reddit as C&C C&C communications in pictures 3 European MFAs + 1 embassy in Washington, DC 2013 to June 2019 https://www.welivesecurity.com/2019/10/17/operation-ghost-dukes-never-left/ … 2/4pic.twitter.com/w3GfKbVyzH

Despite being implicated in the #DNC hack in 2016, the #Dukes APT group managed to stay under the radar for several years. Yet, as newest #ESETresearch uncovers, they never ceased their #espionage activities. @matthieu_faou @nyx__o @mathieutartare https://www.welivesecurity.com/2019/10/17/operation-ghost-dukes-never-left/ … 1/4pic.twitter.com/7znw2HDyFZ

#ESETresearch: PortReuse uses techniques similar to the #Winnti malware, such as waiting for a magic packet and modular architecture, but is a different beast. https://www.welivesecurity.com/2019/10/11/connecting-dots-exposing-arsenal-methods-winnti/ …pic.twitter.com/VvEjsxmDFy

#ESETresearch: Before you all say it wrong, we pronounce #Winnti “Win N.T.I”, not “Winn T.I.”. (While we are at it, it’s GIF not JIF.) If you run an online casino and server component is called “GameServer_NewPoker.exe”, you may be compromised by Winnti. https://www.welivesecurity.com/2019/10/11/connecting-dots-exposing-arsenal-methods-winnti/ …pic.twitter.com/3LjEr8xHeY

#ESETresearch #Winnti For attackers, changing a string is easy, but changing a whole structure requires more resources. That’s why we try to use the techniques they use to hunt for their arsenal. Sometimes, it works.pic.twitter.com/0hJoCIgchQ