CTT Report Hub
3.41K subscribers
9.74K photos
6 videos
67 files
13.4K links
Threat Intelligence Report Hub
Download Telegram
#ParsedReport
15-09-2022

Gamaredon APT targets Ukrainian government agencies in new campaign

http://blog.talosintelligence.com/2022/09/gamaredon-apt-targets-ukrainian-agencies.html

Actors/Campaigns:
Gamaredon (motivation: cyber_espionage)

Threats:
Gammaload
Gammasteel
Giddome

Industry:
Government

Geo:
Ukrainian, Russian, Russia, Ukraine

TTPs:
Tactics: 2
Technics: 0

IOCs:
File: 7
Url: 24
Domain: 4
Registry: 2
Hash: 13
IP: 1

Softs:
microsoft office

Algorithms:
xor

Functions:
Get-IP

Platforms:
x86

Links:
https://github.com/Cisco-Talos/IOCs/tree/main/2022/09
#ParsedReport
15-09-2022

Webworm: Espionage Attackers Testing and Using Older Modified RATs

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/webworm-espionage-rats

Actors/Campaigns:
Webworm (motivation: cyber_espionage)

Threats:
Gh0st_rat
Trochilus_rat
9002
Plugx_rat
Ghostnet

Industry:
Aerospace, Energy, Government

Geo:
Georgia, Korea, Asian, Russia, Mongolia

IOCs:
Hash: 17
File: 7
Path: 7

Algorithms:
lzw

Win API:
LoadLibraryA, CreateProcessAsUserW
#ParsedReport
15-09-2022

From the Front Lines \| Slam! Anatomy of a Publicly-Available Ransomware Builder

https://www.sentinelone.com/blog/from-the-front-lines-slam-anatomy-of-a-publicly-available-ransomware-builder

Threats:
Slam
Uac_bypass_technique
Uacme
Multiplug
Dyre
Icedid
Alpha_mbr_tool

Industry:
Education

Geo:
Spanish

TTPs:

IOCs:
File: 6
IP: 1
Path: 2
Hash: 46

Softs:
vssadmin, bcdedit

Algorithms:
aes-256
#ParsedReport
15-09-2022

Phishing Campaign Targets Greek Banking Users

https://blog.cyble.com/2022/09/14/phishing-campaign-targets-greek-banking-users

Industry:
Financial, Government

Geo:
Greek, Greece, Singapore, Dubai, Georgia, Australia, Greeces, India

TTPs:
Tactics: 1
Technics: 3

IOCs:
Url: 12
IP: 1

Languages:
javascript
#ParsedReport
15-09-2022

PrivateLoader: the loader of the prevalent ruzki PPI service

https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service

Actors/Campaigns:
Shell_crew

Threats:
Privateloader
Ruzki_actor
Traffer
Dead_drop_technique
Redline_stealer
Vidar_stealer
Raccoon_stealer
Socelars
Fabookie
Ytstealer
Agent_tesla
Phoenix_keylogger
Stop
Danabot
Smokeloader
Xmrig_miner
Glupteba
Dcrat_rat
Netsupportmanager_rat
Nymaim

Industry:
Financial

Geo:
Czechia, Russia, Russian, Germany

TTPs:
Tactics: 2
Technics: 9

IOCs:
IP: 13
Url: 12
Hash: 20

Softs:
telegram, windows defender, discord

Algorithms:
xor

Languages:
php, python

Links:
https://github.com/SEKOIA-IO/Community/blob/main/IOCs/20220914\_privateloader\_IOC.csv
#ParsedReport
16-09-2022

PAC_Requestor and Golden Ticket Attacks

https://www.varonis.com/blog/pac_requestor-and-golden-ticket-attacks

Threats:
Golden_ticket_technique
Mimikatz
Rubeus_tool

CVEs:
CVE-2021-42287 [Vulners]
Vulners: Score: 6.5, CVSS: 4.2,
Vulners: Exploitation: True
X-Force: Risk: 7.5
X-Force: Patch: Official fix
Soft:
- microsoft windows server 2008 (r2, -, -)
- microsoft windows server 2012 (r2, -)
- microsoft windows server 2016 (-, 2004)
- microsoft windows server 2019 (-)
- microsoft windows server 2022 (*)
have more...

Softs:
active directory
#ParsedReport
16-09-2022

URSA trojan is back with a new dance. Overview

https://seguranca-informatica.pt/ursa-trojan-is-back-with-a-new-dance/#.YySetnbP02w

Threats:
Mispadu
Grandoreiro
Lampion
Passview_tool
Kraken
Javali
Skeleton_operation
Cyberchef_tool
Dll_injection_technique

Industry:
Financial

Geo:
American, Honduras, Usa, Chile, Colombia, Brazil, Bolivia, Portugal, Peru, Paraguay, Spain, America, Portuguese, Ecuador, Mexico, Spanish, Argentina

IOCs:
File: 13
Hash: 24
Path: 6
Url: 2

Softs:
coinbase

Algorithms:
zip

Functions:
SetFore, onClick, sub_10001C30, sub_100001880

Win API:
SendMessage, ShowWindow, WinExec

Languages:
php, delphi, autoit, javascript

YARA: Found
#ParsedReport
16-09-2022

The Good, the Bad and the Ugly in Cybersecurity Week 38

https://www.sentinelone.com/blog/the-good-the-bad-and-the-ugly-in-cybersecurity-week-38-4

Actors/Campaigns:
Cleaver
Tunnelvision
Dream_job
Lazarus

Threats:
Proxyshell_vuln
Putty_tool
Themida_tool

Industry:
Transport, Energy, Healthcare, Aerospace

Geo:
Irans, Korean

IOCs:
File: 3
Url: 3
Path: 2

Softs:
microsoft exchange, microsoft teams, macos
#ParsedReport
16-09-2022

Threat Alert: New Malware in the Cloud By TeamTNT

https://blog.aquasec.com/new-malware-in-the-cloud-by-teamtnt

Actors/Campaigns:
Teamtnt

Threats:
Kangaroo
Cronb
Nautilus
Quantum_locker
Netstat_tool
Diamorphine_rootkit
Masscan_tool
Zgrab_scanner_tool
Pnscan_tool
Tsunami_botnet

Industry:
Financial

Geo:
German

IOCs:
Domain: 2
IP: 2
Hash: 1

Softs:
docker, redis, alpine, debian, systemd

Algorithms:
base64, ecdlp

Links:
https://github.com/wafferz
#ParsedReport
16-09-2022

It's Time to PuTTY! DPRK Job Opportunity Phishing via WhatsApp

https://www.mandiant.com/resources/blog/dprk-whatsapp-phishing

Actors/Campaigns:
Unc4034
Dream_job
Duke

Threats:
Putty_tool
Yash_rat
Airdry
Themida_tool
Daveshell
Process_injection_technique
Vmprotect_tool
Beacon
Cuteloop_loader

Geo:
Korean, Korea, Dprk

TTPs:
Tactics: 5
Technics: 14

IOCs:
File: 11
IP: 1
Path: 8
Hash: 7
Url: 3

Softs:
telnet client

Algorithms:
rc4, aes-256, base64, aes-128, cbc, aes, xor

Win API:
WinExec

Links:
https://github.com/monoxgas/sRDI
#ParsedReport
16-09-2022

BianLian: A new golan based cross functional ransomware in action. Attack Flow

https://www.secureblink.com/cyber-security-news/bian-lian-a-new-golan-based-cross-functional-ransomware-in-action

Threats:
Hydra
Proxyshell_vuln
Bespoke
Winrm_tool

Industry:
Education, Financial, Healthcare

Geo:
America, Australia

CVEs:
CVE-2021-31207 [Vulners]
Vulners: Score: 6.5, CVSS: 1.7,
Vulners: Exploitation: True
X-Force: Risk: 6.6
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)

CVE-2021-34473 [Vulners]
Vulners: Score: 10.0, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 9.1
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)

CVE-2021-34523 [Vulners]
Vulners: Score: 7.5, CVSS: 3.4,
Vulners: Exploitation: True
X-Force: Risk: 9
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)


IOCs:
File: 5
Hash: 1

Softs:
microsoft exchange server

Algorithms:
aes

Win API:
GetProcAddress, CreateThread, GetDriveTypeW, FindFirstFileW, FindNextFileW, MoveFileExW

Languages:
golang