12 Months of Fighting Cybercrime & Defending Enterprises | SentinelLabs 2021 Review

It’s been a busy year for the SentinelLabs research team, with 45 posts published throughout 2021 on crimeware, APT actors, software vulnerabilities, and macOS malware, not to mention releasing a few community tools for reverse engineering and threat hunting.

Ransomware and APT actors have dominated much of our year, along with some spectacular vulnerabilities that have impacted enterprises worldwide. We’ve seen novel attacks targeting macOS and threat actors setting their sights on Docker containers and cloud workloads.

As ever, you can find all our research and threat intelligence posts over at SentinelLabs, but for a quick recap on some of the main highlights, take a scroll through our 2021 timeline below.


In early January, we broke news of macOS.OSAMiner, a long-running cryptominer campaign targeting macOS users. What made this particular campaign so effective at staying undetected for at least five years was its use of run-only AppleScripts. SentinelLabs’ research showed how researchers can reverse these opaque executables and revealed previously hidden IoCs.

FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts


Zeoticus ransomware was causing trouble prior to 2021 but had received little attention from researchers. Unusually, Zeoticus executes fully even if the device is air-gapped or fails to have internet connectivity. SentinelLabs detailed how this Windows-specific malware had evolved, and described its execution and persistence methods.

Zeoticus 2.0 | Ransomware With No C2 Required

In February, SentinelLabs also revealed a privilege escalation vulnerability in Microsoft’s flagship security product, Windows Defender. The bug, CVE-2021-24092, had remained unreported for 12 years and likely affected around a billion devices.


More macOS malware came to light in March in the form of SentinelLabs’ discovery of XcodeSpy, a targeted attack on iOS software developers using Apple’s Xcode IDE. A malicious Xcode project was found to be installing a customized backdoor with the ability to record the victim’s microphone, camera and keyboard.

New macOS Malware XcodeSpy Targets Xcode Developers with EggShell Backdoor


While Windows vulnerabilities are a fairly common occurrence, SentinelLabs’ report of a new NTLM relay attack was, surprisingly, classed as a “Won’t Fix” by Microsoft in April. The vulnerability affects every Windows system and could allow attackers to escalate privileges from user to domain admin.

Relaying Potatoes: Another Unexpected Privilege Escalation Vulnerability in Windows RPC Protocol

On the crimeware front, this month SentinelLabs also published an update on Avaddon RaaS and detailed APT activity relating to Zebrocy.


As we kicked into the summer months, adversary activity also started to ramp up beginning with Agrius, a new threat actor SentinelLabs observed operating against targets in Israel. Agrius actors dropped a novel wiper named ‘Apostle’, which later evolved into a fully functional ransomware.

From Wiper to Ransomware | The Evolution of Agrius

Also in May, SentinelLabs researchers disclosed CVE-2021-21551, a single CVE to track multiple BIOS driver privilege escalation flaws impacting hundreds of millions of Dell computers.


Building off earlier research around APT actor Nobelium (aka APT29, The Dukes), SentinelLabs discovered that the same threat actor (tracked by SentinelLabs as ‘NobleBaron’) was engaged in supply-chain attack activity via a poisoned update installer for electronic keys used by the Ukrainian government.

NobleBaron | New Poisoned Installers Could Be Used In Supply Chain Attacks

Also this month, SentinelLabs presented evidence that an attack on Russia’s FSB that had been widely-attributed to Western “Five Eyes” agencies was far more likely to have been of Chinese origin, probably from threat actor TA428.


Cyberwar took an unusual turn in July when Iran’s train system was paralyzed by an attack from a mysterious wiper. The attackers taunted the Iranian government as hacked displays instructed passengers to direct their complaints to the phone number of the Iranian Supreme Leader Khamenei’s office. SentinelLabs researchers were able to reconstruct the majority of the attack chain and sketch the outline of a new adversary.

MeteorExpress | Mysterious Wiper Paralyzes Iranian Trains with Epic Troll

This month also saw the Labs team disclose CVE-2021-3438 – a high severity flaw in HP, Samsung, and Xerox printer drivers – and offer an in-depth analysis of Conti ransomware.


ShadowPad is a privately sold modular malware platform and used in infamous campaigns such as CCleaner, NetSaran and the ASUS supply-chain attacks. SentinelLabs researchers produced a ground-breaking report on the origin, use and ecosystem of ShadowPad.

ShadowPad | A Masterpiece of Privately Sold Malware in Chinese Espionage

One of the busiest months of the year for our researchers, August also saw us dislose a massive macOS adware campaign undetected by Apple, a ransomware campaign targeting healthcare providers, and HotCobalt – a denial-of-service vulnerability affecting Cobalt Strike.


In another in-depth investigation into cyberespionage and APT activity, SentinelLabs broke the story of a Turkish-nexus threat actor that targeted journalists to place malware and incriminating documents on their devices immediately prior to their arrest.

EGoManiac | An Unscrupulous Turkish-Nexus Threat Actor

We also reported on new variants of both Apostle ransomware and the Zloader banking trojan, as well as disclosing CVE-2021-3437.


Both Karma ransomware and Spook ransomware were new players in 2021’s ransomware ecosystem. Karma has targeted numerous enterprises across different industries this year. SentinelLabs explored the links between Karma and other well known malware families such as NEMTY and JSWorm.

Karma Ransomware | An Emerging Threat With A Hint of Nemty Pedigree

Meanwhile, SentinelLab’s investigation into Spook ransomware found that the operator published details of all victims regardless of whether they paid or not.


APTs targeting macOS are a far rarer sight than on Windows, but this November saw news break of a targeted attack against pro-democracy activists in Hong Kong with a novel macOS malware dubbed “Macma”. SentinelLabs dove in and revealed further IoCs not previously reported to aid defenders and threat hunters.

Infect If Needed | A Deeper Dive Into Targeted Backdoor macOS.Macma

SentinelLabs also disclosed multiple separate vulnerabilities this month: CVE-2021-43267 – a remote Linux kernel heap overflow – and the related VirtualBox vulnerabilities CVE-2021-2145, CVE-2021-2310, and CVE-2021-2442.


Unsurprisingly, we rounded out the year with yet another novel ransomware threat. While most actors in this space have adopted the double-extortion method – demand a ransom for encrypted files, then threaten to leak the data if the victim doesn’t pay up – the operators behind Rook were particularly candid about their motivations, stating “We desperately need a lot of money”. SentinelLabs researchers offered the first technical write up of Rook, covering both high-level features and its ties to Babuk ransomware.

New Rook Ransomware Feeds Off the Code of Babuk

We also discovered and disclosed multiple vulnerabilities in AWS and other major cloud services that implement USB over Ethernet.


2021 was some year for everyone involved in fighting cybercrime and defending enterprises. From APTs and bugs to malware and ransomware, we’ve all had plenty to do to keep up with the unfolding cybersecurity threats this year. SentinelLabs continues in its commitment to keep you up to date with the latest research and threat intelligence.

We’ll be back shortly after the New Year. In the meantime, we wish everyone a happy and secure New Year and 2022. Be sure to keep your organization, endpoints, network and cloud infrastructure safe with SentinelOne’s award-winning Singularity platform, and keep your security team up-to-date with SentinelLabs’ original and timely research.