Skip to content

Blog · research & analysis

Latest analysis

·Defence

Eradicating WannaMine and Restoring Corporate Security

In 2021, Fortgale conducted an Incident Response operation to eradicate the WannaMine malware from the systems of an Italian company operating in the industrial sector. The malware proliferated across several hundred systems, exploiting a variety of propagation techniques. Upon installation, WannaMine initiates cryptocurrency mining activities, leading to substantial disruptions in the company’s operations due to … Read more

Read the analysis
·Emerging Threats

Malware Qakbot — March 2022 Compromises

In recent weeks, consistent with previously documented activity (background), we have observed a general increase in compromise activity across monitored environments. Criminal groups deploy malware for multiple objectives: Ransomware execution, sensitive data exfiltration, and credential harvesting. Qakbot — documented in detail under MITRE ATT&CK S0650 — is consistently used for all three. Unlike previous campaigns, … Read more

Read the analysis
·Emerging Threats

Mass exploitation of VMware Horizon

On 2021-12-23 the Fortgale team identified a massive exploitation campaign targeting VMware Horizon deployments. The attack chain consists of Log4Shell (CVE-2021-44228) exploitation followed by deployment of a backdoor inside the corporate Horizon servers — granting persistent Remote Command Execution (T1190 — Exploit Public-Facing Application). The threat actor executes a PowerShell command (T1059.001) to interact with … Read more

Read the analysis
·Emerging Threats

Log4j — how to protect your systems (CVE-2021-44228)

During the first weeks of December 2021 we observed attacks targeting the Apache Log4j library. On 2021-12-12, an official security advisory disclosed a critical Remote Command Execution vulnerability — CVE-2021-44228 (T1190 — Exploit Public-Facing Application). Any vulnerable system exposed to the public network is to be considered compromised given the volume of mass-exploitation activity observed … Read more

Read the analysis
·Emerging Threats

Agent Tesla — December 6, 2021 malware campaign

Agent Tesla is a spyware that exfiltrates information from victim systems by capturing keystrokes and user actions (T1056.001 — Keylogging). Built on the .NET framework, it transmits stolen data to a command-and-control (C2) server. Agent Tesla extracts credentials and stored data from web browsers, email clients, and FTP clients (T1555.003 — Credentials from Web Browsers, … Read more

Read the analysis
·Emerging Threats

E-commerce under attack — Nginx web-shell campaign

In recent days we observed a series of attacks targeting e-commerce platforms running the Nginx web server. Researchers identified, during an investigation into a CronRAT malware compromise, the execution of a previously undocumented malware family — NginRAT — which evades the leading security solutions by injecting its own code into legitimate Nginx worker processes (T1055.012 … Read more

Read the analysis
Blog home