ESET APT Activity Report Q4 2022–Q1 2023
An overview of the activities of selected APT groups investigated and analyzed by ESET Research in Q4 2022 and Q1 2023
Education? B. Eng. Electrical Engineering / M. Eng. Computer Engineering
Highlights of your career? My career highlight at ESET was being able to present research I conducted at conferences such as Virus Bulletin and ZeroNights.
Position and history at ESET? I joined ESET in 2011. I am a malware researcher in the Security Intelligence program.
What malware do you hate the most? Win32/SpyEye. It was the first investigation I did when I joined ESET and, while it was a good learning experience, I still resent it ;)
Favorite activities? I love playing with my kids, cycling, jogging and playing the piano.
What is your golden rule for cyberspace? Be paranoid enough.
When did you get your first computer and what kind was it? My dad got me my first computer – a Commodore-64 – in 1988.
Favorite computer game/activity? My favorite computer game is the EA NHL series.
An overview of the activities of selected APT groups investigated and analyzed by ESET Research in Q4 2022 and Q1 2023 – Jean-Ian Boutin
An overview of the activities of selected APT groups investigated and analyzed by ESET Research in T3 2022 – Jean-Ian Boutin
An overview of the activities of selected APT groups investigated and analyzed by ESET Research in T2 2022 – Jean-Ian Boutin
ESET researchers provided technical analysis, statistical information, and known command and control server domain names and IP addresses – Jean-Ian Boutin and Tomáš Procházka
Throughout its monitoring, ESET analyzed thousands of malicious samples every month to help this effort – Jean-Ian Boutin
Active APT group adds cunning remote template injectors for Word and Excel documents; unique Outlook mass-mailing macro – Jean-Ian Boutin
ESET research reveals notorious crime group also conducting espionage campaigns for the past five years – Jean-Ian Boutin
International law enforcement swoops on fake ad viewing outfit – Jean-Ian Boutin
Wauchos is an extensible bot that allows its owner to create and use custom plugins. However, there are some plugins that are widely available and that are used by many different botnets. – Jean-Ian Boutin
The Turla espionage group is still using watering hole techniques to redirect potentially interesting victims to their C&C infrastructure. – Jean-Ian Boutin
Today, ESET has released a white paper on RTM, a cybercrime group that has been relentlessly targeting businesses in Russia and neighboring countries. – Jean-Ian Boutin and Matthieu Faou
ESET's Anton Cherepanov and Jean-Ian Boutin discuss their paper, titled Modern Attacks on Russian Financial Institutions, which was published earlier this year. – Anton Cherepanov and Jean-Ian Boutin
Earlier this week coordinated law enforcement action took down the Avalanche fast-flux network. ESET has been assisting in the cleanup. – Jean-Ian Boutin
Law enforcement agencies from around the globe, aided by Microsoft security researchers, today announced the disruption of one of the most widely distributed malware families – Win32/Dorkbot. – Jean-Ian Boutin
The free version of Ammyy's remote administrator software was being served as a bundle that contained an NSIS installer used by the gang behind Operation Buhtrap. – Jean-Ian Boutin
A banking trojan, detected by ESET as Win32/Brolux.A, is targeting Japanese internet banking users and spreading through at least two vulnerabilities: a Flash vulnerability leaked in the Hacking Team hack and the so-called unicorn bug, a vulnerability in Internet Explorer. – Jean-Ian Boutin and Anton Cherepanov
The Operation Buhtrap campaign targets a wide range of Russian banks, uses several different code signing certificates and implements evasive methods to avoid detection. – Jean-Ian Boutin
Last month, we presented “The Evolution of Webinject” in Seattle at the 24th Virus Bulletin conference. This blog post will go over its key findings and provide links to the various material that has been released in the last few weeks. – Jean-Ian Boutin
iBanking is a malicious Android application that when installed on a mobile phone is able to spy on its user’s communications. This bot has many interesting phone-specific capabilities, including capturing incoming and outgoing SMS messages, redirecting incoming voice calls, and even capturing audio using the device’s microphone. – Jean-Ian Boutin
The first sign we saw of this malware was in mid-May 2013, but it is still very active, and uses Android to bypass two-factor authentication systems. It clearly seeks to infect Dutch computers – 75% of detections come from this region. – Jean-Ian Boutin