Author: Curt Wilson

Curt Wilson
Curt Wilson is a Senior Threat Intelligence Analyst with Arbor Networks in the Arbor Security Engineering Response Team (ASERT). He has been with Arbor Networks since 2011 and is currently focused on threat intelligence related to targeted attack campaigns, financial threats, and DDoS activity. Mr. Wilson's initial explorations with Commodore VIC-20 and Commodore 64 systems in the early 80's evolved through systems and network administration towards a security-centric focus, including defending and assessing networks, consulting for individuals, businesses and enterprises, and a decade in the higher education space in senior technical and leadership roles. In addition to these roles, Mr. Wilson has written about security issues for years and has been interviewed by numerous media outlets, including the New York Times, on cyber security matters. He has also presented at prominent security conferences since 2005, including the Kaspersky Security Analyst Summit 2016, the Microsoft Digital Crimes Consortium, Internet Security Operations and Intelligence (ISOI), and various private conferences and events for network defenders, analysts, industry groups and law enforcement. Professional interests include threat intelligence, malware analysis, reverse engineering, cybercrime mitigation, collaboration, and full-spectrum security and threat research.

Flokibot Invades PoS: Trouble in Brazil

Introduction: Threat actors salivate at the thought of an increased volume of credit and debit card transactions flowing through endpoints they have compromised with card-stealing malware. While there are many distinct malware families that scrape unencrypted process memory to obtain cards, some of these malware […]

Analysis of CryptFile2 Ransomware Server

Download ASERT Threat Intelligence Report 2016-06 here. This report describes several elements of a ransomware staging system using the Nemucod malware to deliver CryptFile2 (aka Hydracrypt.A and Win32/Filecoder.HydraCrypt.C) ransomware, an ongoing threat since at least mid-March of 2016. This report reveals TTPs (tactics, techniques, procedures) of […]

Diving Into Buhtrap Banking Trojan Activity

Cyphort recently published an article about the Buhtrap banking trojan [], targeting users of Russian and Ukrainian banks as reported in March of 2016 by Group-IB []. Cyphort’s insightful article analyzes the compromise chain from the website eurolab[.]ua, directing users via an apparently injected HTML […]

The Four Element Sword Engagement

Ongoing APT activity against Tibetans, Hong Kong and Taiwanese interests

In “The Four Element Sword Engagement (Full Report)”, Arbor ASERT reveals recent ongoing APT activity likely associated with long-running threat campaigns against Tibetans, Hong Kong, Taiwanese interests and human rights workers. We presume the existence of associated malcode, dubbed the Four Element Sword Builder, which is being used to weaponize RTF documents for use in these campaigns. A sample of twelve different targeted exploitation incidents (taken from a larger set of activity) is described, along with any discovered connections to previously documented threat campaigns.

Defending the White Elephant

Click here to download the full report that includes attack details, TTPs and indicators of compromise. Myanmar is a country currently engaged in an important political process. A pro-democracy reform took place in 2011 which has helped the government create an atmosphere conducive to investor […]

DD4BC DDoS Extortion Threat Activity

For the last year or so, an individual or organization calling itself DD4BC (‘DDoS for Bitcoin’) has been rapidly increasing both the frequency and scope of its DDoS extortion attempts, shifting target demographics from Bitcoin exchanges to online casinos and betting shops and, most recently, to prominent financial […]