
Apr 25, 2020

SafeBreach Hacker’s Playbook Updated for Maze Ransomware


Maze Ransomware was initially identified in May of 2019 and since then has caused havoc to municipalities and businesses around the world.

Maze has been used in Germany, Italy, and more recently in the US. Numerous techniques have been used for infiltration; the most frequently seen are the Fallout and Spelevo exploit kits, RDP, and impersonation emails carrying a Word attachment that contains malicious macros. The latest attack against Cognizant shows that Maze-based attacks have evolved to steal data before they encrypt the user’s device and to use that data to extort payment.

There is much speculation about the threat group behind these attacks. Some speculate it is a group called TA2101, identified by Proofpoint. There is interesting evidence that points to Russian groups: the malware performs a language check and exits without impact to the device in CIS countries, and its C2 communication is with Russian IP addresses. Others feel that it could be Korean groups using Russian IP addresses to throw off the trace. But one thing is for sure: they have perfected their craft, and perfected it quickly.

The threat group is brazen enough to run a website that names and shames victims who have refused to pay. The website provides samples of their stolen data.

How SafeBreach is protecting your organization

SafeBreach Labs is a dedicated offensive team that ensures the SafeBreach platform has all the latest attacks to test your defenses. SafeBreach supplies holistic remediation to help your teams quickly close security gaps.

The SafeBreach Labs team is dedicated to keeping you informed as Maze attacks evolve with:

  1. Attack methods added to the Hacker’s Playbook™.
  2. Informing our customer base via email, blogs, and platform notifications.
  3. Adding the Maze attack methods to the appropriate threat group once the actors have been identified.
  4. Responding with updates to the Hacker’s Playbook within 48 hours of new US-CERT.

The Hacker’s Playbook has been updated with 400 new attacks to test your defenses against Maze to cover the following areas of the kill-chain:

Infiltration

SafeBreach simulates the initial infection vector for Maze-related attacks, including malicious email and direct malware download. These attacks should be blocked by secure email gateways, secure web gateways, next-generation firewalls, intrusion prevention/detection systems (IPS/IDS), or other perimeter security controls.

Propagation

SafeBreach simulates the propagation and internal transfer of Maze-related attacks, including internal email and HTTP/S malware transfer. These attacks should be blocked by secure email gateways, next-generation firewalls, or intrusion detection/prevention systems (IPS/IDS).

Host Infection

SafeBreach simulates writing Maze-related malware to a local disk. This phase should be blocked by endpoint security controls.

C&C Communications

SafeBreach simulates Maze-related communication with an external malicious server. This phase should be blocked by intrusion prevention/detection systems (IPS/IDS) or other perimeter security controls.

The new attack methods for Maze Ransomware are already in the SafeBreach Hacker’s Playbook and ready to be run across your simulators. From the Known Attack Series report, select the Maze Ransom attacks in the wild report; its Run Simulations option runs all the attack methods.

Full list of new attacks added to the Hacker’s Playbook™:

  • 2298 – Malicious C2 Communication
  • 4277 – Resolution of domains connected to Maze malware
  • 4278 – Pre-execution phase of MAZE related malware (614949) (Host-Level)
  • 4279 – Write MAZE related malware to disk (614949) (Host-Level)
  • 4280 – Transfer of MAZE related malware over HTTP/S (614949) (Lateral Movement)
  • 4281 – Transfer of MAZE related malware over HTTP/S (614949) (Infiltration)
  • 4282 – Email MAZE related malware as a ZIP attachment (614949) (Lateral Movement)
  • 4283 – Email MAZE related malware as a ZIP attachment (614949) (Infiltration)
  • 4284 – Write MAZE related malware to disk (e40a2b) (Host-Level)
  • 4285 – Transfer of MAZE related malware over HTTP/S (e40a2b) (Lateral Movement)
  • 4286 – Transfer of MAZE related malware over HTTP/S (e40a2b) (Infiltration)
  • 4287 – Email MAZE related malware as a ZIP attachment (e40a2b) (Lateral Movement)
  • 4288 – Email MAZE related malware as a ZIP attachment (e40a2b) (Infiltration)
  • 4289 – Write MAZE related malware to disk (d8a336) (Host-Level)
  • 4290 – Transfer of MAZE related malware over HTTP/S (d8a336) (Lateral Movement)
  • 4291 – Transfer of MAZE related malware over HTTP/S (d8a336) (Infiltration)
  • 4292 – Email MAZE related malware as a ZIP attachment (d8a336) (Lateral Movement)
  • 4293 – Email MAZE related malware as a ZIP attachment (d8a336) (Infiltration)
  • 4294 – Write MAZE related malware to disk (04d006) (Host-Level)
  • 4295 – Transfer of MAZE related malware over HTTP/S (04d006) (Lateral Movement)
  • 4296 – Transfer of MAZE related malware over HTTP/S (04d006) (Infiltration)
  • 4297 – Email MAZE related malware as a ZIP attachment (04d006) (Lateral Movement)
  • 4298 – Email MAZE related malware as a ZIP attachment (04d006) (Infiltration)
  • 4299 – Pre-execution phase of MAZE related malware (25ce9b) (Host-Level)
  • 4300 – Write MAZE related malware to disk (25ce9b) (Host-Level)
  • 4301 – Transfer of MAZE related malware over HTTP/S (25ce9b) (Lateral Movement)
  • 4302 – Transfer of MAZE related malware over HTTP/S (25ce9b) (Infiltration)
  • 4303 – Email MAZE related malware as a ZIP attachment (25ce9b) (Lateral Movement)
  • 4304 – Email MAZE related malware as a ZIP attachment (25ce9b) (Infiltration)
  • 4305 – Pre-execution phase of MAZE related malware (9be70b) (Host-Level)
  • 4306 – Write MAZE related malware to disk (9be70b) (Host-Level)
  • 4307 – Transfer of MAZE related malware over HTTP/S (9be70b) (Lateral Movement)
  • 4308 – Transfer of MAZE related malware over HTTP/S (9be70b) (Infiltration)
  • 4309 – Email MAZE related malware as a ZIP attachment (9be70b) (Lateral Movement)
  • 4310 – Email MAZE related malware as a ZIP attachment (9be70b) (Infiltration)
  • 4311 – Write MAZE related malware to disk (d6cd57) (Host-Level)
  • 4312 – Transfer of MAZE related malware over HTTP/S (d6cd57) (Lateral Movement)
  • 4313 – Transfer of MAZE related malware over HTTP/S (d6cd57) (Infiltration)
  • 4314 – Email MAZE related malware as a ZIP attachment (d6cd57) (Lateral Movement)
  • 4315 – Email MAZE related malware as a ZIP attachment (d6cd57) (Infiltration)
  • 4316 – Write MAZE related malware to disk (1e3c7b) (Host-Level)
  • 4317 – Transfer of MAZE related malware over HTTP/S (1e3c7b) (Lateral Movement)
  • 4318 – Transfer of MAZE related malware over HTTP/S (1e3c7b) (Infiltration)
  • 4319 – Email MAZE related malware as a ZIP attachment (1e3c7b) (Lateral Movement)
  • 4320 – Email MAZE related malware as a ZIP attachment (1e3c7b) (Infiltration)
  • 4321 – Write MAZE related malware to disk (719d18) (Host-Level)
  • 4322 – Transfer of MAZE related malware over HTTP/S (719d18) (Lateral Movement)
  • 4323 – Transfer of MAZE related malware over HTTP/S (719d18) (Infiltration)
  • 4324 – Email MAZE related malware as a ZIP attachment (719d18) (Lateral Movement)
  • 4325 – Email MAZE related malware as a ZIP attachment (719d18) (Infiltration)
  • 4326 – Pre-execution phase of MAZE related malware (6b81e5) (Host-Level)
  • 4327 – Write MAZE related malware to disk (6b81e5) (Host-Level)
  • 4328 – Transfer of MAZE related malware over HTTP/S (6b81e5) (Lateral Movement)
  • 4329 – Transfer of MAZE related malware over HTTP/S (6b81e5) (Infiltration)
  • 4330 – Email MAZE related malware as a ZIP attachment (6b81e5) (Lateral Movement)
  • 4331 – Email MAZE related malware as a ZIP attachment (6b81e5) (Infiltration)
  • 4332 – Pre-execution phase of MAZE related malware (45a747) (Host-Level)
  • 4333 – Write MAZE related malware to disk (45a747) (Host-Level)
  • 4334 – Transfer of MAZE related malware over HTTP/S (45a747) (Lateral Movement)
  • 4335 – Transfer of MAZE related malware over HTTP/S (45a747) (Infiltration)
  • 4336 – Email MAZE related malware as a ZIP attachment (45a747) (Lateral Movement)
  • 4337 – Email MAZE related malware as a ZIP attachment (45a747) (Infiltration)
  • 4338 – Write MAZE related malware to disk (4acba1) (Host-Level)
  • 4339 – Transfer of MAZE related malware over HTTP/S (4acba1) (Lateral Movement)
  • 4340 – Transfer of MAZE related malware over HTTP/S (4acba1) (Infiltration)
  • 4341 – Email MAZE related malware as a ZIP attachment (4acba1) (Lateral Movement)
  • 4342 – Email MAZE related malware as a ZIP attachment (4acba1) (Infiltration)
  • 4343 – Pre-execution phase of MAZE related malware (f51e03) (Host-Level)
  • 4344 – Write MAZE related malware to disk (f51e03) (Host-Level)
  • 4345 – Transfer of MAZE related malware over HTTP/S (f51e03) (Lateral Movement)
  • 4346 – Transfer of MAZE related malware over HTTP/S (f51e03) (Infiltration)
  • 4347 – Email MAZE related malware as a ZIP attachment (f51e03) (Lateral Movement)
  • 4348 – Email MAZE related malware as a ZIP attachment (f51e03) (Infiltration)
  • 4349 – Pre-execution phase of MAZE related malware (5f6cd6) (Host-Level)
  • 4350 – Write MAZE related malware to disk (5f6cd6) (Host-Level)
  • 4351 – Transfer of MAZE related malware over HTTP/S (5f6cd6) (Lateral Movement)
  • 4352 – Transfer of MAZE related malware over HTTP/S (5f6cd6) (Infiltration)
  • 4353 – Email MAZE related malware as a ZIP attachment (5f6cd6) (Lateral Movement)
  • 4354 – Email MAZE related malware as a ZIP attachment (5f6cd6) (Infiltration)
  • 4355 – Pre-execution phase of MAZE related malware (327362) (Host-Level)
  • 4356 – Write MAZE related malware to disk (327362) (Host-Level)
  • 4357 – Transfer of MAZE related malware over HTTP/S (327362) (Lateral Movement)
  • 4358 – Transfer of MAZE related malware over HTTP/S (327362) (Infiltration)
  • 4359 – Email MAZE related malware as a ZIP attachment (327362) (Lateral Movement)
  • 4360 – Email MAZE related malware as a ZIP attachment (327362) (Infiltration)
  • 4361 – Pre-execution phase of MAZE related malware (10247f) (Host-Level)
  • 4362 – Write MAZE related malware to disk (10247f) (Host-Level)
  • 4363 – Transfer of MAZE related malware over HTTP/S (10247f) (Lateral Movement)
  • 4364 – Transfer of MAZE related malware over HTTP/S (10247f) (Infiltration)
  • 4365 – Email MAZE related malware as a ZIP attachment (10247f) (Lateral Movement)
  • 4366 – Email MAZE related malware as a ZIP attachment (10247f) (Infiltration)
  • 4367 – Pre-execution phase of MAZE related malware (a6ac82) (Host-Level)
  • 4368 – Write MAZE related malware to disk (a6ac82) (Host-Level)
  • 4369 – Transfer of MAZE related malware over HTTP/S (a6ac82) (Lateral Movement)
  • 4370 – Transfer of MAZE related malware over HTTP/S (a6ac82) (Infiltration)
  • 4371 – Email MAZE related malware as a ZIP attachment (a6ac82) (Lateral Movement)
  • 4372 – Email MAZE related malware as a ZIP attachment (a6ac82) (Infiltration)
  • 4373 – Pre-execution phase of MAZE related malware (49d45f) (Host-Level)
  • 4374 – Write MAZE related malware to disk (49d45f) (Host-Level)
  • 4375 – Transfer of MAZE related malware over HTTP/S (49d45f) (Lateral Movement)
  • 4376 – Transfer of MAZE related malware over HTTP/S (49d45f) (Infiltration)
  • 4377 – Email MAZE related malware as a ZIP attachment (49d45f) (Lateral Movement)
  • 4378 – Email MAZE related malware as a ZIP attachment (49d45f) (Infiltration)
  • 4379 – Write MAZE related malware to disk (3935ef) (Host-Level)
  • 4380 – Transfer of MAZE related malware over HTTP/S (3935ef) (Lateral Movement)
  • 4381 – Transfer of MAZE related malware over HTTP/S (3935ef) (Infiltration)
  • 4382 – Email MAZE related malware as a ZIP attachment (3935ef) (Lateral Movement)
  • 4383 – Email MAZE related malware as a ZIP attachment (3935ef) (Infiltration)
  • 4384 – Pre-execution phase of MAZE related malware (2a6c60) (Host-Level)
  • 4385 – Write MAZE related malware to disk (2a6c60) (Host-Level)
  • 4386 – Transfer of MAZE related malware over HTTP/S (2a6c60) (Lateral Movement)
  • 4387 – Transfer of MAZE related malware over HTTP/S (2a6c60) (Infiltration)
  • 4388 – Email MAZE related malware as a ZIP attachment (2a6c60) (Lateral Movement)
  • 4389 – Email MAZE related malware as a ZIP attachment (2a6c60) (Infiltration)
  • 4390 – Write MAZE related malware to disk (0f4bd4) (Host-Level)
  • 4391 – Transfer of MAZE related malware over HTTP/S (0f4bd4) (Lateral Movement)
  • 4392 – Transfer of MAZE related malware over HTTP/S (0f4bd4) (Infiltration)
  • 4393 – Email MAZE related malware as a ZIP attachment (0f4bd4) (Lateral Movement)
  • 4394 – Email MAZE related malware as a ZIP attachment (0f4bd4) (Infiltration)
  • 4395 – Pre-execution phase of MAZE related malware (067f1b) (Host-Level)
  • 4396 – Write MAZE related malware to disk (067f1b) (Host-Level)
  • 4397 – Transfer of MAZE related malware over HTTP/S (067f1b) (Lateral Movement)
  • 4398 – Transfer of MAZE related malware over HTTP/S (067f1b) (Infiltration)
  • 4399 – Email MAZE related malware as a ZIP attachment (067f1b) (Lateral Movement)
  • 4400 – Email MAZE related malware as a ZIP attachment (067f1b) (Infiltration)
  • 4401 – Pre-execution phase of MAZE related malware (7a84d1) (Host-Level)
  • 4402 – Write MAZE related malware to disk (7a84d1) (Host-Level)
  • 4403 – Transfer of MAZE related malware over HTTP/S (7a84d1) (Lateral Movement)
  • 4404 – Transfer of MAZE related malware over HTTP/S (7a84d1) (Infiltration)
  • 4405 – Email MAZE related malware as a ZIP attachment (7a84d1) (Lateral Movement)
  • 4406 – Email MAZE related malware as a ZIP attachment (7a84d1) (Infiltration)
  • 4407 – Pre-execution phase of MAZE related malware (de346f) (Host-Level)
  • 4408 – Write MAZE related malware to disk (de346f) (Host-Level)
  • 4409 – Transfer of MAZE related malware over HTTP/S (de346f) (Lateral Movement)
  • 4410 – Transfer of MAZE related malware over HTTP/S (de346f) (Infiltration)
  • 4411 – Email MAZE related malware as a ZIP attachment (de346f) (Lateral Movement)
  • 4412 – Email MAZE related malware as a ZIP attachment (de346f) (Infiltration)
  • 4413 – Pre-execution phase of MAZE related malware (4674a5) (Host-Level)
  • 4414 – Write MAZE related malware to disk (4674a5) (Host-Level)
  • 4415 – Transfer of MAZE related malware over HTTP/S (4674a5) (Lateral Movement)
  • 4416 – Transfer of MAZE related malware over HTTP/S (4674a5) (Infiltration)
  • 4417 – Email MAZE related malware as a ZIP attachment (4674a5) (Lateral Movement)
  • 4418 – Email MAZE related malware as a ZIP attachment (4674a5) (Infiltration)
  • 4419 – Write MAZE related malware to disk (0d8b74) (Host-Level)
  • 4420 – Transfer of MAZE related malware over HTTP/S (0d8b74) (Lateral Movement)
  • 4421 – Transfer of MAZE related malware over HTTP/S (0d8b74) (Infiltration)
  • 4422 – Email MAZE related malware as a ZIP attachment (0d8b74) (Lateral Movement)
  • 4423 – Email MAZE related malware as a ZIP attachment (0d8b74) (Infiltration)
  • 4424 – Pre-execution phase of MAZE related malware (ee654f) (Host-Level)
  • 4425 – Write MAZE related malware to disk (ee654f) (Host-Level)
  • 4426 – Transfer of MAZE related malware over HTTP/S (ee654f) (Lateral Movement)
  • 4427 – Transfer of MAZE related malware over HTTP/S (ee654f) (Infiltration)
  • 4428 – Email MAZE related malware as a ZIP attachment (ee654f) (Lateral Movement)
  • 4429 – Email MAZE related malware as a ZIP attachment (ee654f) (Infiltration)
  • 4430 – Pre-execution phase of MAZE related malware (20ea5a) (Host-Level)
  • 4431 – Write MAZE related malware to disk (20ea5a) (Host-Level)
  • 4432 – Transfer of MAZE related malware over HTTP/S (20ea5a) (Lateral Movement)
  • 4433 – Transfer of MAZE related malware over HTTP/S (20ea5a) (Infiltration)
  • 4434 – Email MAZE related malware as a ZIP attachment (20ea5a) (Lateral Movement)
  • 4435 – Email MAZE related malware as a ZIP attachment (20ea5a) (Infiltration)
  • 4436 – Write MAZE related malware to disk (5badaf) (Host-Level)
  • 4437 – Transfer of MAZE related malware over HTTP/S (5badaf) (Lateral Movement)
  • 4438 – Transfer of MAZE related malware over HTTP/S (5badaf) (Infiltration)
  • 4439 – Email MAZE related malware as a ZIP attachment (5badaf) (Lateral Movement)
  • 4440 – Email MAZE related malware as a ZIP attachment (5badaf) (Infiltration)
  • 4441 – Pre-execution phase of MAZE related malware (dee863) (Host-Level)
  • 4442 – Write MAZE related malware to disk (dee863) (Host-Level)
  • 4443 – Transfer of MAZE related malware over HTTP/S (dee863) (Lateral Movement)
  • 4444 – Transfer of MAZE related malware over HTTP/S (dee863) (Infiltration)
  • 4445 – Email MAZE related malware as a ZIP attachment (dee863) (Lateral Movement)
  • 4446 – Email MAZE related malware as a ZIP attachment (dee863) (Infiltration)
  • 4447 – Pre-execution phase of MAZE related malware (e5feb4) (Host-Level)
  • 4448 – Write MAZE related malware to disk (e5feb4) (Host-Level)
  • 4449 – Transfer of MAZE related malware over HTTP/S (e5feb4) (Lateral Movement)
  • 4450 – Transfer of MAZE related malware over HTTP/S (e5feb4) (Infiltration)
  • 4451 – Email MAZE related malware as a ZIP attachment (e5feb4) (Lateral Movement)
  • 4452 – Email MAZE related malware as a ZIP attachment (e5feb4) (Infiltration)
  • 4453 – Pre-execution phase of MAZE related malware (a540ff) (Host-Level)
  • 4454 – Write MAZE related malware to disk (a540ff) (Host-Level)
  • 4455 – Transfer of MAZE related malware over HTTP/S (a540ff) (Lateral Movement)
  • 4456 – Transfer of MAZE related malware over HTTP/S (a540ff) (Infiltration)
  • 4457 – Email MAZE related malware as a ZIP attachment (a540ff) (Lateral Movement)
  • 4458 – Email MAZE related malware as a ZIP attachment (a540ff) (Infiltration)
  • 4459 – Pre-execution phase of MAZE related malware (bba288) (Host-Level)
  • 4460 – Write MAZE related malware to disk (bba288) (Host-Level)
  • 4461 – Transfer of MAZE related malware over HTTP/S (bba288) (Lateral Movement)
  • 4462 – Transfer of MAZE related malware over HTTP/S (bba288) (Infiltration)
  • 4463 – Email MAZE related malware as a ZIP attachment (bba288) (Lateral Movement)
  • 4464 – Email MAZE related malware as a ZIP attachment (bba288) (Infiltration)
  • 4465 – Pre-execution phase of MAZE related malware (9751ae) (Host-Level)
  • 4466 – Write MAZE related malware to disk (9751ae) (Host-Level)
  • 4467 – Transfer of MAZE related malware over HTTP/S (9751ae) (Lateral Movement)
  • 4468 – Transfer of MAZE related malware over HTTP/S (9751ae) (Infiltration)
  • 4469 – Email MAZE related malware as a ZIP attachment (9751ae) (Lateral Movement)
  • 4470 – Email MAZE related malware as a ZIP attachment (9751ae) (Infiltration)
  • 4471 – Write MAZE related malware to disk (eecd29) (Host-Level)
  • 4472 – Transfer of MAZE related malware over HTTP/S (eecd29) (Lateral Movement)
  • 4473 – Transfer of MAZE related malware over HTTP/S (eecd29) (Infiltration)
  • 4474 – Email MAZE related malware as a ZIP attachment (eecd29) (Lateral Movement)
  • 4475 – Email MAZE related malware as a ZIP attachment (eecd29) (Infiltration)
  • 4476 – Write MAZE related malware to disk (0bfc9f) (Host-Level)
  • 4477 – Transfer of MAZE related malware over HTTP/S (0bfc9f) (Lateral Movement)
  • 4478 – Transfer of MAZE related malware over HTTP/S (0bfc9f) (Infiltration)
  • 4479 – Email MAZE related malware as a ZIP attachment (0bfc9f) (Lateral Movement)
  • 4480 – Email MAZE related malware as a ZIP attachment (0bfc9f) (Infiltration)
  • 4481 – Write MAZE related malware to disk (90ae5c) (Host-Level)
  • 4482 – Transfer of MAZE related malware over HTTP/S (90ae5c) (Lateral Movement)
  • 4483 – Transfer of MAZE related malware over HTTP/S (90ae5c) (Infiltration)
  • 4484 – Email MAZE related malware as a ZIP attachment (90ae5c) (Lateral Movement)
  • 4485 – Email MAZE related malware as a ZIP attachment (90ae5c) (Infiltration)
  • 4486 – Pre-execution phase of MAZE related malware (0d0a6f) (Host-Level)
  • 4487 – Write MAZE related malware to disk (0d0a6f) (Host-Level)
  • 4488 – Transfer of MAZE related malware over HTTP/S (0d0a6f) (Lateral Movement)
  • 4489 – Transfer of MAZE related malware over HTTP/S (0d0a6f) (Infiltration)
  • 4490 – Email MAZE related malware as a ZIP attachment (0d0a6f) (Lateral Movement)
  • 4491 – Email MAZE related malware as a ZIP attachment (0d0a6f) (Infiltration)
  • 4492 – Write MAZE related malware to disk (78ae24) (Host-Level)
  • 4493 – Transfer of MAZE related malware over HTTP/S (78ae24) (Lateral Movement)
  • 4494 – Transfer of MAZE related malware over HTTP/S (78ae24) (Infiltration)
  • 4495 – Email MAZE related malware as a ZIP attachment (78ae24) (Lateral Movement)
  • 4496 – Email MAZE related malware as a ZIP attachment (78ae24) (Infiltration)
  • 4497 – Pre-execution phase of MAZE related malware (11cbdb) (Host-Level)
  • 4498 – Write MAZE related malware to disk (11cbdb) (Host-Level)
  • 4499 – Transfer of MAZE related malware over HTTP/S (11cbdb) (Lateral Movement)
  • 4500 – Transfer of MAZE related malware over HTTP/S (11cbdb) (Infiltration)
  • 4501 – Email MAZE related malware as a ZIP attachment (11cbdb) (Lateral Movement)
  • 4502 – Email MAZE related malware as a ZIP attachment (11cbdb) (Infiltration)
  • 4503 – Write MAZE related malware to disk (51f987) (Host-Level)
  • 4504 – Transfer of MAZE related malware over HTTP/S (51f987) (Lateral Movement)
  • 4505 – Transfer of MAZE related malware over HTTP/S (51f987) (Infiltration)
  • 4506 – Email MAZE related malware as a ZIP attachment (51f987) (Lateral Movement)
  • 4507 – Email MAZE related malware as a ZIP attachment (51f987) (Infiltration)
  • 4508 – Pre-execution phase of MAZE related malware (0fb01d) (Host-Level)
  • 4509 – Write MAZE related malware to disk (0fb01d) (Host-Level)
  • 4510 – Transfer of MAZE related malware over HTTP/S (0fb01d) (Lateral Movement)
  • 4511 – Transfer of MAZE related malware over HTTP/S (0fb01d) (Infiltration)
  • 4512 – Email MAZE related malware as a ZIP attachment (0fb01d) (Lateral Movement)
  • 4513 – Email MAZE related malware as a ZIP attachment (0fb01d) (Infiltration)
  • 4514 – Write MAZE related malware to disk (5cada5) (Host-Level)
  • 4515 – Transfer of MAZE related malware over HTTP/S (5cada5) (Lateral Movement)
  • 4516 – Transfer of MAZE related malware over HTTP/S (5cada5) (Infiltration)
  • 4517 – Email MAZE related malware as a ZIP attachment (5cada5) (Lateral Movement)
  • 4518 – Email MAZE related malware as a ZIP attachment (5cada5) (Infiltration)
  • 4519 – Pre-execution phase of MAZE related malware (24da3c) (Host-Level)
  • 4520 – Write MAZE related malware to disk (24da3c) (Host-Level)
  • 4521 – Transfer of MAZE related malware over HTTP/S (24da3c) (Lateral Movement)
  • 4522 – Transfer of MAZE related malware over HTTP/S (24da3c) (Infiltration)
  • 4523 – Email MAZE related malware as a ZIP attachment (24da3c) (Lateral Movement)
  • 4524 – Email MAZE related malware as a ZIP attachment (24da3c) (Infiltration)
  • 4525 – Pre-execution phase of MAZE related malware (b34569) (Host-Level)
  • 4526 – Write MAZE related malware to disk (b34569) (Host-Level)
  • 4527 – Transfer of MAZE related malware over HTTP/S (b34569) (Lateral Movement)
  • 4528 – Transfer of MAZE related malware over HTTP/S (b34569) (Infiltration)
  • 4529 – Email MAZE related malware as a ZIP attachment (b34569) (Lateral Movement)
  • 4530 – Email MAZE related malware as a ZIP attachment (b34569) (Infiltration)
  • 4531 – Write MAZE related malware to disk (fb5de6) (Host-Level)
  • 4532 – Transfer of MAZE related malware over HTTP/S (fb5de6) (Lateral Movement)
  • 4533 – Transfer of MAZE related malware over HTTP/S (fb5de6) (Infiltration)
  • 4534 – Email MAZE related malware as a ZIP attachment (fb5de6) (Lateral Movement)
  • 4535 – Email MAZE related malware as a ZIP attachment (fb5de6) (Infiltration)
  • 4536 – Pre-execution phase of MAZE related malware (a9da83) (Host-Level)
  • 4537 – Write MAZE related malware to disk (a9da83) (Host-Level)
  • 4538 – Transfer of MAZE related malware over HTTP/S (a9da83) (Lateral Movement)
  • 4539 – Transfer of MAZE related malware over HTTP/S (a9da83) (Infiltration)
  • 4540 – Email MAZE related malware as a ZIP attachment (a9da83) (Lateral Movement)
  • 4541 – Email MAZE related malware as a ZIP attachment (a9da83) (Infiltration)
  • 4542 – Pre-execution phase of MAZE related malware (db617d) (Host-Level)
  • 4543 – Write MAZE related malware to disk (db617d) (Host-Level)
  • 4544 – Transfer of MAZE related malware over HTTP/S (db617d) (Lateral Movement)
  • 4545 – Transfer of MAZE related malware over HTTP/S (db617d) (Infiltration)
  • 4546 – Email MAZE related malware as a ZIP attachment (db617d) (Lateral Movement)
  • 4547 – Email MAZE related malware as a ZIP attachment (db617d) (Infiltration)
  • 4548 – Write MAZE related malware to disk (e9d2bc) (Host-Level)
  • 4549 – Transfer of MAZE related malware over HTTP/S (e9d2bc) (Lateral Movement)
  • 4550 – Transfer of MAZE related malware over HTTP/S (e9d2bc) (Infiltration)
  • 4551 – Email MAZE related malware as a ZIP attachment (e9d2bc) (Lateral Movement)
  • 4552 – Email MAZE related malware as a ZIP attachment (e9d2bc) (Infiltration)
  • 4553 – Pre-execution phase of MAZE related malware (a9524d) (Host-Level)
  • 4554 – Write MAZE related malware to disk (a9524d) (Host-Level)
  • 4555 – Transfer of MAZE related malware over HTTP/S (a9524d) (Lateral Movement)
  • 4556 – Transfer of MAZE related malware over HTTP/S (a9524d) (Infiltration)
  • 4557 – Email MAZE related malware as a ZIP attachment (a9524d) (Lateral Movement)
  • 4558 – Email MAZE related malware as a ZIP attachment (a9524d) (Infiltration)
  • 4559 – Pre-execution phase of MAZE related malware (0165be) (Host-Level)
  • 4560 – Write MAZE related malware to disk (0165be) (Host-Level)
  • 4561 – Transfer of MAZE related malware over HTTP/S (0165be) (Lateral Movement)
  • 4562 – Transfer of MAZE related malware over HTTP/S (0165be) (Infiltration)
  • 4563 – Email MAZE related malware as a ZIP attachment (0165be) (Lateral Movement)
  • 4564 – Email MAZE related malware as a ZIP attachment (0165be) (Infiltration)
  • 4565 – Write MAZE related malware to disk (62172b) (Host-Level)
  • 4566 – Transfer of MAZE related malware over HTTP/S (62172b) (Lateral Movement)
  • 4567 – Transfer of MAZE related malware over HTTP/S (62172b) (Infiltration)
  • 4568 – Email MAZE related malware as a ZIP attachment (62172b) (Lateral Movement)
  • 4569 – Email MAZE related malware as a ZIP attachment (62172b) (Infiltration)
  • 4570 – Write MAZE related malware to disk (845659) (Host-Level)
  • 4571 – Transfer of MAZE related malware over HTTP/S (845659) (Lateral Movement)
  • 4572 – Transfer of MAZE related malware over HTTP/S (845659) (Infiltration)
  • 4573 – Email MAZE related malware as a ZIP attachment (845659) (Lateral Movement)
  • 4574 – Email MAZE related malware as a ZIP attachment (845659) (Infiltration)
  • 4575 – Pre-execution phase of MAZE related malware (0f1cbf) (Host-Level)
  • 4576 – Write MAZE related malware to disk (0f1cbf) (Host-Level)
  • 4577 – Transfer of MAZE related malware over HTTP/S (0f1cbf) (Lateral Movement)
  • 4578 – Transfer of MAZE related malware over HTTP/S (0f1cbf) (Infiltration)
  • 4579 – Email MAZE related malware as a ZIP attachment (0f1cbf) (Lateral Movement)
  • 4580 – Email MAZE related malware as a ZIP attachment (0f1cbf) (Infiltration)
  • 4581 – Write MAZE related malware to disk (f5aaa9) (Host-Level)
  • 4582 – Transfer of MAZE related malware over HTTP/S (f5aaa9) (Lateral Movement)
  • 4583 – Transfer of MAZE related malware over HTTP/S (f5aaa9) (Infiltration)
  • 4584 – Email MAZE related malware as a ZIP attachment (f5aaa9) (Lateral Movement)
  • 4585 – Email MAZE related malware as a ZIP attachment (f5aaa9) (Infiltration)
  • 4586 – Write MAZE related malware to disk (421821) (Host-Level)
  • 4587 – Transfer of MAZE related malware over HTTP/S (421821) (Lateral Movement)
  • 4588 – Transfer of MAZE related malware over HTTP/S (421821) (Infiltration)
  • 4589 – Email MAZE related malware as a ZIP attachment (421821) (Lateral Movement)
  • 4590 – Email MAZE related malware as a ZIP attachment (421821) (Infiltration)
  • 4591 – Write MAZE related malware to disk (7566be) (Host-Level)
  • 4592 – Transfer of MAZE related malware over HTTP/S (7566be) (Lateral Movement)
  • 4593 – Transfer of MAZE related malware over HTTP/S (7566be) (Infiltration)
  • 4594 – Email MAZE related malware as a ZIP attachment (7566be) (Lateral Movement)
  • 4595 – Email MAZE related malware as a ZIP attachment (7566be) (Infiltration)
  • 4596 – Pre-execution phase of MAZE related malware (e35ffe) (Host-Level)
  • 4597 – Write MAZE related malware to disk (e35ffe) (Host-Level)
  • 4598 – Transfer of MAZE related malware over HTTP/S (e35ffe) (Lateral Movement)
  • 4599 – Transfer of MAZE related malware over HTTP/S (e35ffe) (Infiltration)
  • 4600 – Email MAZE related malware as a ZIP attachment (e35ffe) (Lateral Movement)
  • 4601 – Email MAZE related malware as a ZIP attachment (e35ffe) (Infiltration)
  • 4602 – Write MAZE related malware to disk (4d98e0) (Host-Level)
  • 4603 – Transfer of MAZE related malware over HTTP/S (4d98e0) (Lateral Movement)
  • 4604 – Transfer of MAZE related malware over HTTP/S (4d98e0) (Infiltration)
  • 4605 – Email MAZE related malware as a ZIP attachment (4d98e0) (Lateral Movement)
  • 4606 – Email MAZE related malware as a ZIP attachment (4d98e0) (Infiltration)
  • 4607 – Pre-execution phase of MAZE related malware (0e03b7) (Host-Level)
  • 4608 – Write MAZE related malware to disk (0e03b7) (Host-Level)
  • 4609 – Transfer of MAZE related malware over HTTP/S (0e03b7) (Lateral Movement)
  • 4610 – Transfer of MAZE related malware over HTTP/S (0e03b7) (Infiltration)
  • 4611 – Email MAZE related malware as a ZIP attachment (0e03b7) (Lateral Movement)
  • 4612 – Email MAZE related malware as a ZIP attachment (0e03b7) (Infiltration)
  • 4613 – Write MAZE related malware to disk (996fec) (Host-Level)
  • 4614 – Transfer of MAZE related malware over HTTP/S (996fec) (Lateral Movement)
  • 4615 – Transfer of MAZE related malware over HTTP/S (996fec) (Infiltration)
  • 4616 – Email MAZE related malware as a ZIP attachment (996fec) (Lateral Movement)
  • 4617 – Email MAZE related malware as a ZIP attachment (996fec) (Infiltration)
  • 4618 – Write MAZE related malware to disk (4e1f7d) (Host-Level)
  • 4619 – Transfer of MAZE related malware over HTTP/S (4e1f7d) (Lateral Movement)
  • 4620 – Transfer of MAZE related malware over HTTP/S (4e1f7d) (Infiltration)
  • 4621 – Email MAZE related malware as a ZIP attachment (4e1f7d) (Lateral Movement)
  • 4622 – Email MAZE related malware as a ZIP attachment (4e1f7d) (Infiltration)
  • 4623 – Write MAZE related malware to disk (c84b2c) (Host-Level)
  • 4624 – Transfer of MAZE related malware over HTTP/S (c84b2c) (Lateral Movement)
  • 4625 – Transfer of MAZE related malware over HTTP/S (c84b2c) (Infiltration)
  • 4626 – Email MAZE related malware as a ZIP attachment (c84b2c) (Lateral Movement)
  • 4627 – Email MAZE related malware as a ZIP attachment (c84b2c) (Infiltration)
  • 4628 – Write MAZE related malware to disk (b6da1a) (Host-Level)
  • 4629 – Transfer of MAZE related malware over HTTP/S (b6da1a) (Lateral Movement)
  • 4630 – Transfer of MAZE related malware over HTTP/S (b6da1a) (Infiltration)
  • 4631 – Email MAZE related malware as a ZIP attachment (b6da1a) (Lateral Movement)
  • 4632 – Email MAZE related malware as a ZIP attachment (b6da1a) (Infiltration)
  • 4633 – Pre-execution phase of MAZE related malware (a0ec83) (Host-Level)
  • 4634 – Write MAZE related malware to disk (a0ec83) (Host-Level)
  • 4635 – Transfer of MAZE related malware over HTTP/S (a0ec83) (Lateral Movement)
  • 4636 – Transfer of MAZE related malware over HTTP/S (a0ec83) (Infiltration)
  • 4637 – Email MAZE related malware as a ZIP attachment (a0ec83) (Lateral Movement)
  • 4638 – Email MAZE related malware as a ZIP attachment (a0ec83) (Infiltration)
  • 4639 – Write MAZE related malware to disk (557f62) (Host-Level)
  • 4640 – Transfer of MAZE related malware over HTTP/S (557f62) (Lateral Movement)
  • 4641 – Transfer of MAZE related malware over HTTP/S (557f62) (Infiltration)
  • 4642 – Email MAZE related malware as a ZIP attachment (557f62) (Lateral Movement)
  • 4643 – Email MAZE related malware as a ZIP attachment (557f62) (Infiltration)
  • 4644 – Write MAZE related malware to disk (a1b165) (Host-Level)
  • 4645 – Transfer of MAZE related malware over HTTP/S (a1b165) (Lateral Movement)
  • 4646 – Transfer of MAZE related malware over HTTP/S (a1b165) (Infiltration)
  • 4647 – Email MAZE related malware as a ZIP attachment (a1b165) (Lateral Movement)
  • 4648 – Email MAZE related malware as a ZIP attachment (a1b165) (Infiltration)
  • 4649 – Pre-execution phase of MAZE related malware (ec672b) (Host-Level)
  • 4650 – Write MAZE related malware to disk (ec672b) (Host-Level)
  • 4651 – Transfer of MAZE related malware over HTTP/S (ec672b) (Lateral Movement)
  • 4652 – Transfer of MAZE related malware over HTTP/S (ec672b) (Infiltration)
  • 4653 – Email MAZE related malware as a ZIP attachment (ec672b) (Lateral Movement)
  • 4654 – Email MAZE related malware as a ZIP attachment (ec672b) (Infiltration)
  • 4655 – Pre-execution phase of MAZE related malware (a5a0e5) (Host-Level)
  • 4656 – Write MAZE related malware to disk (a5a0e5) (Host-Level)
  • 4657 – Transfer of MAZE related malware over HTTP/S (a5a0e5) (Lateral Movement)
  • 4658 – Transfer of MAZE related malware over HTTP/S (a5a0e5) (Infiltration)
  • 4659 – Email MAZE related malware as a ZIP attachment (a5a0e5) (Lateral Movement)
  • 4660 – Email MAZE related malware as a ZIP attachment (a5a0e5) (Infiltration)
  • 4661 – Write MAZE related malware to disk (bedebb) (Host-Level)
  • 4662 – Transfer of MAZE related malware over HTTP/S (bedebb) (Lateral Movement)
  • 4663 – Transfer of MAZE related malware over HTTP/S (bedebb) (Infiltration)
  • 4664 – Email MAZE related malware as a ZIP attachment (bedebb) (Lateral Movement)
  • 4665 – Email MAZE related malware as a ZIP attachment (bedebb) (Infiltration)
  • 4666 – Pre-execution phase of MAZE related malware (be15c8) (Host-Level)
  • 4667 – Write MAZE related malware to disk (be15c8) (Host-Level)
  • 4668 – Transfer of MAZE related malware over HTTP/S (be15c8) (Lateral Movement)
  • 4669 – Transfer of MAZE related malware over HTTP/S (be15c8) (Infiltration)
  • 4670 – Email MAZE related malware as a ZIP attachment (be15c8) (Lateral Movement)
  • 4671 – Email MAZE related malware as a ZIP attachment (be15c8) (Infiltration)
  • 4672 – Write MAZE related malware to disk (96d885) (Host-Level)
  • 4673 – Transfer of MAZE related malware over HTTP/S (96d885) (Lateral Movement)
  • 4674 – Transfer of MAZE related malware over HTTP/S (96d885) (Infiltration)
  • 4675 – Email MAZE related malware as a ZIP attachment (96d885) (Lateral Movement)
  • 4676 – Email MAZE related malware as a ZIP attachment (96d885) (Infiltration)
  • 4677 – Pre-execution phase of MAZE related malware (c43296) (Host-Level)
  • 4678 – Write MAZE related malware to disk (c43296) (Host-Level)
  • 4679 – Transfer of MAZE related malware over HTTP/S (c43296) (Lateral Movement)
  • 4680 – Transfer of MAZE related malware over HTTP/S (c43296) (Infiltration)
  • 4681 – Email MAZE related malware as a ZIP attachment (c43296) (Lateral Movement)
  • 4682 – Email MAZE related malware as a ZIP attachment (c43296) (Infiltration)
  • 4683 – Pre-execution phase of MAZE related malware (f65722) (Host-Level)
  • 4684 – Write MAZE related malware to disk (f65722) (Host-Level)
  • 4685 – Transfer of MAZE related malware over HTTP/S (f65722) (Lateral Movement)
  • 4686 – Transfer of MAZE related malware over HTTP/S (f65722) (Infiltration)
  • 4687 – Email MAZE related malware as a ZIP attachment (f65722) (Lateral Movement)
  • 4688 – Email MAZE related malware as a ZIP attachment (f65722) (Infiltration)
  • 4689 – Pre-execution phase of MAZE malware (Host-Level)
  • 4690 – Write MAZE malware to disk (Host-Level)
  • 4691 – Transfer of MAZE malware over HTTP/S (Lateral Movement)
  • 4692 – Transfer of MAZE malware over HTTP/S (Infiltration)
  • 4693 – Email MAZE malware as a ZIP attachment (Lateral Movement)
  • 4694 – Email MAZE malware as a ZIP attachment (Infiltration)
