#ParsedReport
06-06-2022
Will the Real Msiexec Please Stand Up? Exploit Leads to Data Exfiltration
https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration
Threats:
Plink
Industry:
Financial, Healthcare
CVEs:
CVE-2021-44077 [Vulners]
Vulners: Score: 7.5, CVSS: 4.4,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- zohocorp manageengine servicedesk plus (11.1, 11.2, 11.3)
- zohocorp manageengine servicedesk plus msp (10.5, le10.5)
- zohocorp manageengine supportcenter plus (11.0, le11.0)
TTPs:
Tactics: 11
Technics: 12
IOCs:
IP: 13
Path: 8
File: 9
Registry: 2
Url: 1
Hash: 5
YARA: Found
SIGMA: Found
Links:
https://github.com/horizon3ai/CVE-2021-44077
The DFIR Report
Will the Real Msiexec Please Stand Up? Exploit Leads to Data Exfiltration
In this multi-day intrusion, we observed a threat actor gain initial access to an organization by exploiting a vulnerability in ManageEngine SupportCenter Plus. The threat actor, discovered files o…
#ParsedReport
06-06-2022
Atlassian Vulnerability CVE-2022-26134
https://cyberint.com/blog/research/cve-2022-26134
Threats:
Cobalt_strike
Behinder
Chinachopper
Meterpreter_tool
Geo:
China
CVEs:
CVE-2018-11776 [Vulners]
Vulners: Score: 9.3, CVSS: 4.8,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- apache struts (le2.5.16, le2.3.34)
CVE-2021-26084 [Vulners]
Vulners: Score: 7.5, CVSS: 7.3,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- atlassian confluence (<6.13.23, <7.4.11, <7.11.6)
- atlassian confluence server (<7.12.5)
- atlassian data center (<6.13.23, <7.4.11)
- atlassian jira data center (<7.11.6, <7.12.5)
CVE-2022-26134 [Vulners]
Vulners: Score: Unknown, CVSS: PENDING,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.8
X-Force: Patch: Official fix
TTPs:
Tactics: 1
Technics: 0
IOCs:
Hash: 2
IP: 15
YARA: Found
Links:
https://github.com/Freakboy/Behinder
Cyberint
Atlassian Vulnerability CVE-2022-26134
Atlassian released a security advisory on a zero-day vulnerability in all versions of the Confluence Server and Data Center that is already being exploited.
#ParsedReport
07-06-2022
Shining the Light on Black Basta. Summary
https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta
Threats:
Blackbasta (tags: ransomware)
Qakbot
Cobalt_strike
Beacon
Psexec_tool
TTPs:
Tactics: 5
Technics: 0
IOCs:
File: 11
Registry: 2
Path: 6
IP: 1
Hash: 2
Nccgroup
Cyber Security Research
Cutting-edge cyber security research from NCC Group. Find public reports, technical advisories, analyses, & other novel insights from our global experts.
#ParsedReport
07-06-2022
Android Malware Distributed Via Smishing. Banking Trojan Targets Spanish BBVA Bank Customers
https://blog.cyble.com/2022/06/06/android-malware-distributed-via-smishing
Industry:
Financial
Geo:
Spanish, Spain
TTPs:
Tactics: 4
Technics: 1
IOCs:
File: 3
Url: 5
Hash: 2
Cyble
Android Malware Distributed Via Smishing
Cyble analyzes a variant of Android malware targeting Spanish BBVA customers through a banking Trojan delivered via Smishing.
#ParsedReport
07-06-2022
AppleSeed Disguised as Wi-Fi Router Firmware Installer Being Distributed
https://asec.ahnlab.com/en/34978
Actors/Campaigns:
Kimsuky
Threats:
Appleseed (tags: malware, dropper, rat, backdoor)
Meterpreter_tool
Filecoder
Tightvnc_tool
Metasploit_tool
Blister_loader
IOCs:
File: 5
Path: 4
Hash: 5
Url: 3
Functions Names: 1
ASEC BLOG
AppleSeed Disguised as Wi-Fi Router Firmware Installer Being Distributed - ASEC BLOG
On May 26th, the ASEC analysis team discovered the distribution of AppleSeed disguised as a Wi-Fi router firmware installer. Previously discovered AppleSeed strains were mainly distributed by disguising themselves as normal document or image files. The dropper…
#ParsedReport
07-06-2022
Caution! Microsoft Office Zero-day Vulnerability Follina (CVE-2022-30190)
https://asec.ahnlab.com/en/34998
Threats:
Follina_vuln (tags: malware)
CVEs:
CVE-2022-30190 [Vulners]
Vulners: Score: 9.3, CVSS: PENDING,
Vulners: Exploitation: Unknown
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft windows server 2012 (r2, -)
- microsoft windows 10 (1607, -, 20h2, 1809, 21h1, 21h2)
- microsoft windows 8.1 (-)
- microsoft windows server 2016 (-)
- microsoft windows server 2008 (-, r2)
have more...
IOCs:
File: 3
Registry: 2
Url: 1
Hash: 2
Functions Names: 1
ASEC BLOG
Caution! Microsoft Office Zero-day Vulnerability Follina (CVE-2022-30190) - ASEC BLOG
A new vulnerability named Follina (CVE-2022-30190) has been revealed. According to Microsoft, it is a remote code execution vulnerability that occurs when the URL protocol is used to call MSDT in calling applications such as Microsoft Word. With the privileges…
#ParsedReport
07-06-2022
Bozon Ransomware
https://labs.k7computing.com/index.php/bozon-ransomware
Threats:
Simay_rat
IOCs:
File: 10
Registry: 1
Hash: 2
K7 Labs
Bozon Ransomware - K7 Labs
In one of the enterprise incidents, we came across an interesting ransomware issue. Unfortunately we could not recover the sample […]
#ParsedReport
07-06-2022
SVCReady: A New Loader Gets Ready
https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself
Actors/Campaigns:
Shathak (tags: malware)
Threats:
Gozi (tags: rat)
Beacon
Icedid
TTPs:
Tactics: 2
Technics: 0
IOCs:
File: 2
Registry: 2
Hash: 54
Domain: 8
Url: 2
Functions Names: 3
HP Wolf Security
SVCReady: A New Loader Gets Ready | HP Wolf Security
Don’t let cyber threats get the best of you. Read our post, SVCReady: A New Loader Gets Ready, to learn more about cyber threats and cyber security.
#ParsedReport
07-06-2022
Closing the Door: DeadBolt Ransomware Locks Out Vendors With Multitiered Extortion Scheme. Indicators of compromise (IOCs)
https://www.trendmicro.com/en_us/research/22/f/closing-the-door-deadbolt-ransomware-locks-out-vendors-with-mult.html
Threats:
Deadbolt (tags: vpn, rat, ransomware, malware)
Qnapcrypt (tags: ransomware)
Revil (tags: ransomware)
Blister_loader
Ctb_locker
Industry:
Financial, Iot
IOCs:
Hash: 13
File: 4
Coin: 2
YARA: Found
Links:
https://github.com/merces/entropy
Trend Micro
Closing the Door DeadBolt Ransomware Locks Out Vendors With Multitiered Extortion Scheme
#ParsedReport
07-06-2022
Anti-sandbox and enterprise-targeted attacks identified by CHM malware
https://asec-ahnlab-com.translate.goog/ko/35072/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=ru&_x_tr_pto=wapp
Threats:
Revbshell (tags: malware)
Akdoor (tags: malware)
Trojan/win.generic.c5025270 (tags: malware)
Dropper/win.agent.c5028107 (tags: malware)
Geo:
Korea
IOCs:
File: 3
Hash: 5
ASEC BLOG
Anti-sandbox and enterprise-targeted attacks identified in CHM malware - ASEC BLOG
The ASEC analysis team recently confirmed that among the CHM malware being distributed in Korea there is a type that applies an anti-sandbox technique and a type that targets enterprises. Both types were introduced on the ASEC blog in March and May, in the posts linked below. First, the CHM type with the anti-sandbox technique inspects the user's PC environment before dropping the malicious VBE file. The HTML code contained inside the malicious CHM file is shown below; the HTML carries a normal program (EXE) and a malicious…
#ParsedReport
07-06-2022
Bumblebee Loader on The Rise
https://blog.cyble.com/2022/06/07/bumblebee-loader-on-the-rise
Threats:
Bumblebee (tags: ransomware, rat, phishing, spam, malware)
Cobalt_strike (tags: malware, rat, spam, ransomware)
Beacon (tags: spam, malware, rat, ransomware)
Conti
Bazarbackdoor
Meterpreter_tool
Sliver_tool
TTPs:
Tactics: 7
Technics: 10
IOCs:
File: 5
Path: 2
IP: 4
Hash: 7
Functions Names: 5
Cyble
Cyble - Bumblebee Loader On The Rise
Cyble analyzes Bumblebee, a new malware variant on the rise that delivers Cobalt Strike Beacons and other malware onto victim systems.
#ParsedReport
07-06-2022
Decrypted: TaRRaK Ransomware. Behavior of the ransomware
https://decoded.avast.io/threatresearch/decrypted-tarrak-ransomware
Threats:
Tarrak (tags: ransomware, malware)
IOCs:
File: 2
Avast Threat Labs
Decrypted: TaRRaK Ransomware - Avast Threat Labs
The TaRRaK ransomware appeared in June of 2021. This ransomware contains many coding errors, so we decided to publish a small blog about them. Samples of this ransomware were spotted in our user base, so we also created a decryptor for this ransomware. Skip…
#ParsedReport
08-06-2022
Unknown APT group has targeted Russia repeatedly since Ukraine invasion
https://blog.malwarebytes.com/threat-intelligence/2022/05/unknown-apt-group-has-targeted-russia-repeatedly-since-ukraine-invasion
Actors/Campaigns:
Shell_crew
Pirate_panda
Lazarus
Threats:
Log4shell_vuln (tags: malware, phishing)
Ollvm_tool
Bogus_control_technique
Sakula_rat
Trickbot
Bazarbackdoor
Industry:
Media, Telco, Government
Geo:
Saudi, Chinese, Ukraine, Russia, Russian
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 9
Path: 2
Domain: 4
IP: 5
Hash: 48
Functions Names: 8
Links:
https://github.com/wolfSSL/wolfssl
https://github.com/obfuscator-llvm/obfuscator/wiki/Bogus-Control-Flow
https://github.com/obfuscator-llvm/obfuscator
https://github.com/wolfSSL/wolfssl/blob/c9ae021427fd21f1a91e4020bf50bb3573c15abe/src/x509.c#L4539
https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/net/lib/http/http_parser.c
Malwarebytes
Unknown APT group has targeted Russia repeatedly since Ukraine invasion
An in-depth look at the attack chain used by an unknown APT group that has launched four campaigns against Russian targets since February.
#ParsedReport
08-06-2022
New Technique Used by Attackers in NPM to Avoid Detection. Intro
https://checkmarx.com/blog/new-technique-used-by-attackers-in-npm-to-avoid-detection
IOCs:
File: 1
Email: 14
Checkmarx.com
New Technique Used by Attackers in NPM to Avoid Detection
Checkmarx SCS team recently detected several malicious NPM packages using a new evasion technique, enhancing dependency confusion attacks to help malicious packages avoid detection.
#ParsedReport
08-06-2022
Attackers Exploit MSDT Follina Bug to Drop RAT, Infostealer
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/follina-msdt-exploit-malware
Threats:
Follina_vuln (tags: trojan, stealer, rat, malware)
Asyncrat_rat (tags: malware)
CVEs:
CVE-2022-30190 [Vulners]
Vulners: Score: 9.3, CVSS: PENDING,
Vulners: Exploitation: Unknown
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft windows server 2012 (r2, -)
- microsoft windows 10 (1607, -, 1809, 20h2, 21h1, 21h2)
- microsoft windows 8.1 (-)
- microsoft windows server 2016 (-)
- microsoft windows server 2008 (-, r2)
have more...
IOCs:
File: 3
Hash: 3
Security
Attackers Exploit MSDT Follina Bug to Drop RAT, Infostealer
Symantec has observed threat actors exploiting remote code execution flaw to drop AsyncRAT and information stealer.
#ParsedReport
08-06-2022
Cuba Ransomware Group's New Variant Found Using Optimized Infection Techniques
https://www.trendmicro.com/en_us/research/22/f/cuba-ransomware-group-s-new-variant-found-using-optimized-infect.html
Threats:
Cuba (tags: malware, ransomware)
Bughatch
Ransom.win32.bacucrypt.ypcd2t
Deadbolt
Industry:
Financial
Geo:
Asia
IOCs:
File: 10
Coin: 5
Hash: 1
Trend Micro
Cuba Ransomware Group’s New Variant Found Using Optimized Infection Techniques
Trend Micro Research observed the resurgence of the Cuba ransomware group that launched a new malware variant using different infection techniques compared to past iterations. We discuss our initial findings in this report.
#ParsedReport
08-06-2022
List of available regions. Crypto stealing campaign spread via fake cracked software
https://blog.avast.com/fakecrack-campaign
Actors/Campaigns:
Axiom
Threats:
Fakecrack
Blackseo_technique
Clipboard_changer_technique
Industry:
E-commerce, Financial
Geo:
Indonesia, India, France, Brazil, Japanese
TTPs:
Tactics: 1
Technics: 0
IOCs:
Domain: 20
File: 2
Registry: 1
Hash: 8
IP: 7
Functions Names: 1
Avast
Crypto stealing campaign spread via fake cracked software
Users who download cracked software risk sensitive personal data being stolen by hackers. This is how the FakeCrack campaign is doing its business.
#ParsedReport
08-06-2022
Follina vulnerability (CVE-2022-30190) attack in 'antibacterial film proposal'
https://asec-ahnlab-com.translate.goog/ko/35013/?_x_tr_sl=ko&_x_tr_tl=en&_x_tr_hl=ru&_x_tr_pto=wapp
Threats:
Follina_vuln (tags: malware)
CVEs:
CVE-2022-30190 [Vulners]
Vulners: Score: 9.3, CVSS: PENDING,
Vulners: Exploitation: Unknown
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft windows server 2012 (r2, -)
- microsoft windows 10 (1607, -, 1809, 20h2, 21h1, 21h2)
- microsoft windows 8.1 (-)
- microsoft windows server 2016 (-)
- microsoft windows server 2008 (-, r2)
have more...
IOCs:
File: 10
Url: 6
Path: 2
Hash: 5
ASEC BLOG
Follina vulnerability (CVE-2022-30190) attack using an 'antibacterial film proposal' lure - ASEC BLOG
On May 31, the ASEC analysis team promptly introduced Follina, a zero-day vulnerability affecting MS Office document files, on this blog. A patch for the vulnerability has not yet been released, so users are advised to remain cautious. Caution! MS Office zero-day vulnerability Follina (CVE-2022-30190). AhnLab has distributed detection rules for attack attempts exploiting this vulnerability from both file-detection and behavior-detection perspectives, and across its various product lines (V3, MDS, EDR)…
#ParsedReport
08-06-2022
Mars Stealer malware analysis. Mars Stealer targets
https://seguranca-informatica.pt/mars-stealer-malware-analysis/?utm_source=rss&utm_medium=rss&utm_campaign=mars-stealer-malware-analysis
Threats:
Mars_stealer (tags: phishing, malware, trojan, stealer)
Oski_stealer (tags: malware)
Industry:
Financial, Iot
Geo:
Portuguese
IOCs:
File: 4
Functions Names: 1
Links:
https://github.com/sirpedrotavares/SI-LAB-malware/blob/master/mars_stealer_decryptor
#ParsedReport
08-06-2022
MakeMoney malvertising campaign adds fake update template
https://blog.malwarebytes.com/threat-intelligence/2022/06/makemoney-malvertising-campaign-adds-fake-update-template
Actors/Campaigns:
Makemoney (tags: malware, stealer)
Threats:
Socgholish_loader (tags: malware)
Rig_tool
Rigek_tool
Kpot_stealer
Redline_stealer
Geo:
Russia
IOCs:
Domain: 134
IP: 8
Hash: 1
Functions Names: 1
Malwarebytes
MakeMoney malvertising campaign adds fake update template
We catch up with some old acquaintances that just aren't ready to hang up the towel just yet.
#ParsedReport
09-06-2022
Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years
https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years
Actors/Campaigns:
Aoqin_dragon (tags: backdoor, dns, dropper, rat, malware, phishing, trojan)
Threats:
Dll_hijacking_technique (tags: malware)
Themida_packer_tool (tags: backdoor)
Mongall (tags: rat, backdoor, malware)
Heyoka (tags: rat, malware, backdoor, dns)
Beacon (tags: backdoor)
Watering_hole_technique
Industry:
Government, Education, Telco, Aerospace
Geo:
Vietnamese, China, Cambodia, Singapore, Myanmars, Apac, Asia, Australia, Chinese, Vietnam, Malaysia
CVEs:
CVE-2014-6332 [Vulners]
Vulners: Score: 9.3, CVSS: 9.3,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.3
X-Force: Patch: Official fix
Soft:
- microsoft windows server 2008 (r2, -)
- microsoft windows 7 (-)
- microsoft windows vista (-)
- microsoft windows rt (-)
- microsoft windows rt 8.1 (-)
have more...
CVE-2012-0158 [Vulners]
Vulners: Score: 9.3, CVSS: 7.5,
Vulners: Exploitation: True
X-Force: Risk: 9.3
X-Force: Patch: Official fix
Soft:
- microsoft office (2010, 2003, 2007)
- microsoft office web components (2003)
- microsoft sql server (2000, 2008, 2005)
- microsoft biztalk server (2002)
- microsoft commerce server (2002, 2007, 2009)
have more...
CVE-2010-3333 [Vulners]
Vulners: Score: 9.3, CVSS: 9.1,
Vulners: Exploitation: True
X-Force: Risk: 9.3
X-Force: Patch: Official fix
Soft:
- microsoft office (xp, 2008, 2011, 2010, 2004, 2003, 2007)
- microsoft open xml file format converter (*)
TTPs:
Tactics: 8
Technics: 15
IOCs:
Path: 11
File: 9
Hash: 155
IP: 8
Domain: 81
Links:
https://github.com/SentineLabs/aoqin_dragon
SentinelOne
Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years
Targeting organizations in SE Asia and Australia, Aoqin Dragon uses pornographic-themed lures and custom backdoors to conduct espionage operations.