Mark Lechtik

Senior Security Researcher at Kaspersky`s GReAT

Mark Lechtik is a Senior Security Researcher at Kaspersky`s GReAT, based in Israel. He is mainly engaged with malware analysis and threat intelligence. Formerly, Mark reverse engineered a bunch of North Korean anti-viruses, and spoke about it in a few conferences. Today he is mostly engaged with breaking down malware and understanding the nitty gritty of APT campaigns.

@_marklech_

Mark Lechtik

Reports

In this report, we compare the ROADSWEEP ransomware and ZEROCLEARE wiper versions used in two waves of attacks against Albanian government organizations.

While hunting for less common Deathstalker intrusions, we identified a new Janicab variant used in targeting legal entities in the Middle East throughout 2020.

This is our latest summary of advanced persistent threat (APT) activities, focusing on events that we observed during Q3 2022.

In the second part of this report, we discuss improvements made to the LODEINFO backdoor shellcode in 2022.

Mark Lechtik

MoonBounce: the dark side of UEFI firmware

MosaicRegressor: Lurking in the Shadows of UEFI

Operation TunnelSnake

GhostEmperor: From ProxyLogon to kernel mode

LuminousMoth APT: Sweeping attacks for the chosen few

Publications

MoonBounce: the dark side of UEFI firmware

Lyceum group reborn

GhostEmperor: From ProxyLogon to kernel mode

LuminousMoth APT: Sweeping attacks for the chosen few

Operation TunnelSnake

The leap of a Cycldek-related threat actor

MosaicRegressor: Lurking in the Shadows of UEFI

Cycldek: Bridging the (air) gap

External Publications

MosaicRegressor: Lurking in the Shadows of UEFI

Cycldek: Chronicles of the Goblin (slides from CARO Workshop 2020)

The North Korean AV Anthology (slides from AVAR 2019)

Reports

Ransomware and wiper signed with stolen certificates

DeathStalker targets legal entities with new Janicab variant

APT trends report Q3 2022

APT10: Tracking down LODEINFO 2022, part II

Subscribe to our weekly e-mails