#ParsedReport
15-09-2022
Attackers Continue to Abuse Google Sites and Microsoft Azure to Host Cryptocurrency Phishing
https://www.netskope.com/blog/attackers-continue-to-abuse-google-sites-and-microsoft-azure-to-host-cryptocurrency-phishing
Threats:
Kraken
Lampion
Asyncrat_rat
IOCs:
Url: 95
Softs:
coinbase
15-09-2022
Attackers Continue to Abuse Google Sites and Microsoft Azure to Host Cryptocurrency Phishing
https://www.netskope.com/blog/attackers-continue-to-abuse-google-sites-and-microsoft-azure-to-host-cryptocurrency-phishing
Threats:
Kraken
Lampion
Asyncrat_rat
IOCs:
Url: 95
Softs:
coinbase
Netskope
Attackers Continue to Abuse Google Sites and Microsoft Azure to Host Cryptocurrency Phishing
Summary On August 9, 2022, we released a blog post about a phishing campaign where attackers were abusing Google Sites and Microsoft Azure Web Apps to
#ParsedReport
15-09-2022
Notepad++. Using NOTEPAD ++ plugins for evasion and persistence
https://1275.ru/ioc/672/ispolzovanie-plaginov-notepad-dlya-ukloneniya-i-persistentnosti/?from=rss
Threats:
Strongpity
IOCs:
Hash: 1
15-09-2022
Notepad++. Using NOTEPAD ++ plugins for evasion and persistence
https://1275.ru/ioc/672/ispolzovanie-plaginov-notepad-dlya-ukloneniya-i-persistentnosti/?from=rss
Threats:
Strongpity
IOCs:
Hash: 1
SEC-1275-1
Использование плагинов Notepad++ для уклонения и персистентности - SEC-1275-1
Использование плагинов Notepad++ для уклонения и персистентности - Аналитики команды Cybereason GSOC проанализировали специфическую технику, использующую плагины Notepad++ для сохранения и обхода механизмов безопасности
#ParsedReport
15-09-2022
Gamaredon APT targets Ukrainian government agencies in new campaign
http://blog.talosintelligence.com/2022/09/gamaredon-apt-targets-ukrainian-agencies.html
Actors/Campaigns:
Gamaredon (motivation: cyber_espionage)
Threats:
Gammaload
Gammasteel
Giddome
Industry:
Government
Geo:
Ukrainian, Russian, Russia, Ukraine
TTPs:
Tactics: 2
Technics: 0
IOCs:
File: 7
Url: 24
Domain: 4
Registry: 2
Hash: 13
IP: 1
Softs:
microsoft office
Algorithms:
xor
Functions:
Get-IP
Platforms:
x86
Links:
15-09-2022
Gamaredon APT targets Ukrainian government agencies in new campaign
http://blog.talosintelligence.com/2022/09/gamaredon-apt-targets-ukrainian-agencies.html
Actors/Campaigns:
Gamaredon (motivation: cyber_espionage)
Threats:
Gammaload
Gammasteel
Giddome
Industry:
Government
Geo:
Ukrainian, Russian, Russia, Ukraine
TTPs:
Tactics: 2
Technics: 0
IOCs:
File: 7
Url: 24
Domain: 4
Registry: 2
Hash: 13
IP: 1
Softs:
microsoft office
Algorithms:
xor
Functions:
Get-IP
Platforms:
x86
Links:
https://github.com/Cisco-Talos/IOCs/tree/main/2022/09Cisco Talos Blog
Gamaredon APT targets Ukrainian government agencies in new campaign
Cisco Talos discovered Gamaredon APT activity targeting users in Ukraine with malicious LNK files distributed in RAR archives.
#ParsedReport
15-09-2022
Webworm: Espionage Attackers Testing and Using Older Modified RATs
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/webworm-espionage-rats
Actors/Campaigns:
Webworm (motivation: cyber_espionage)
Threats:
Gh0st_rat
Trochilus_rat
9002
Plugx_rat
Ghostnet
Industry:
Aerospace, Energy, Government
Geo:
Georgia, Korea, Asian, Russia, Mongolia
IOCs:
Hash: 17
File: 7
Path: 7
Algorithms:
lzw
Win API:
LoadLibraryA, CreateProcessAsUserW
15-09-2022
Webworm: Espionage Attackers Testing and Using Older Modified RATs
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/webworm-espionage-rats
Actors/Campaigns:
Webworm (motivation: cyber_espionage)
Threats:
Gh0st_rat
Trochilus_rat
9002
Plugx_rat
Ghostnet
Industry:
Aerospace, Energy, Government
Geo:
Georgia, Korea, Asian, Russia, Mongolia
IOCs:
Hash: 17
File: 7
Path: 7
Algorithms:
lzw
Win API:
LoadLibraryA, CreateProcessAsUserW
Security
Webworm: Espionage Attackers Testing and Using Older Modified RATs
The attackers are working on a number of malware threats, some of which have been used in attacks while others are in pre-deployment or testing stages.
#ParsedReport
15-09-2022
From the Front Lines \| Slam! Anatomy of a Publicly-Available Ransomware Builder
https://www.sentinelone.com/blog/from-the-front-lines-slam-anatomy-of-a-publicly-available-ransomware-builder
Threats:
Slam
Uac_bypass_technique
Uacme
Multiplug
Dyre
Icedid
Alpha_mbr_tool
Industry:
Education
Geo:
Spanish
TTPs:
IOCs:
File: 6
IP: 1
Path: 2
Hash: 46
Softs:
vssadmin, bcdedit
Algorithms:
aes-256
15-09-2022
From the Front Lines \| Slam! Anatomy of a Publicly-Available Ransomware Builder
https://www.sentinelone.com/blog/from-the-front-lines-slam-anatomy-of-a-publicly-available-ransomware-builder
Threats:
Slam
Uac_bypass_technique
Uacme
Multiplug
Dyre
Icedid
Alpha_mbr_tool
Industry:
Education
Geo:
Spanish
TTPs:
IOCs:
File: 6
IP: 1
Path: 2
Hash: 46
Softs:
vssadmin, bcdedit
Algorithms:
aes-256
SentinelOne
From the Front Lines | Slam! Anatomy of a Publicly-Available Ransomware Builder
The barrier to entry into the world of ransomware and cybercrime has never been lower, and even low-level threats can be surprisingly effective.
#ParsedReport
15-09-2022
Phishing Campaign Targets Greek Banking Users
https://blog.cyble.com/2022/09/14/phishing-campaign-targets-greek-banking-users
Industry:
Financial, Government
Geo:
Greek, Greece, Singapore, Dubai, Georgia, Australia, Greeces, India
TTPs:
Tactics: 1
Technics: 3
IOCs:
Url: 12
IP: 1
Languages:
javascript
15-09-2022
Phishing Campaign Targets Greek Banking Users
https://blog.cyble.com/2022/09/14/phishing-campaign-targets-greek-banking-users
Industry:
Financial, Government
Geo:
Greek, Greece, Singapore, Dubai, Georgia, Australia, Greeces, India
TTPs:
Tactics: 1
Technics: 3
IOCs:
Url: 12
IP: 1
Languages:
javascript
Cyble
Phishing Campaign Targets Greek Banking Users
Cyble Research and Intelligence Labs analyzes a sophisticated phishing campaign targeting Greek bank users.
#ParsedReport
15-09-2022
PrivateLoader: the loader of the prevalent ruzki PPI service
https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service
Actors/Campaigns:
Shell_crew
Threats:
Privateloader
Ruzki_actor
Traffer
Dead_drop_technique
Redline_stealer
Vidar_stealer
Raccoon_stealer
Socelars
Fabookie
Ytstealer
Agent_tesla
Phoenix_keylogger
Stop
Danabot
Smokeloader
Xmrig_miner
Glupteba
Dcrat_rat
Netsupportmanager_rat
Nymaim
Industry:
Financial
Geo:
Czechia, Russia, Russian, Germany
TTPs:
Tactics: 2
Technics: 9
IOCs:
IP: 13
Url: 12
Hash: 20
Softs:
telegram, windows defender, discord
Algorithms:
xor
Languages:
php, python
Links:
15-09-2022
PrivateLoader: the loader of the prevalent ruzki PPI service
https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service
Actors/Campaigns:
Shell_crew
Threats:
Privateloader
Ruzki_actor
Traffer
Dead_drop_technique
Redline_stealer
Vidar_stealer
Raccoon_stealer
Socelars
Fabookie
Ytstealer
Agent_tesla
Phoenix_keylogger
Stop
Danabot
Smokeloader
Xmrig_miner
Glupteba
Dcrat_rat
Netsupportmanager_rat
Nymaim
Industry:
Financial
Geo:
Czechia, Russia, Russian, Germany
TTPs:
Tactics: 2
Technics: 9
IOCs:
IP: 13
Url: 12
Hash: 20
Softs:
telegram, windows defender, discord
Algorithms:
xor
Languages:
php, python
Links:
https://github.com/SEKOIA-IO/Community/blob/main/IOCs/20220914\_privateloader\_IOC.csvSekoia.io Blog
PrivateLoader: the loader of the prevalent ruzki PPI service
PrivateLoader is a downloader malware family. It is used as part of a PPI service, to deliver payloads of multiple malware families.
Bvp47 Technical Details Report II
https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group_ii.en.pdf
https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group_ii.en.pdf
#ParsedReport
16-09-2022
PAC_Requestor and Golden Ticket Attacks
https://www.varonis.com/blog/pac_requestor-and-golden-ticket-attacks
Threats:
Golden_ticket_technique
Mimikatz
Rubeus_tool
CVEs:
CVE-2021-42287 [Vulners]
Vulners: Score: 6.5, CVSS: 4.2,
Vulners: Exploitation: True
X-Force: Risk: 7.5
X-Force: Patch: Official fix
Soft:
- microsoft windows server 2008 (r2, -, -)
- microsoft windows server 2012 (r2, -)
- microsoft windows server 2016 (-, 2004)
- microsoft windows server 2019 (-)
- microsoft windows server 2022 (*)
have more...
Softs:
active directory
16-09-2022
PAC_Requestor and Golden Ticket Attacks
https://www.varonis.com/blog/pac_requestor-and-golden-ticket-attacks
Threats:
Golden_ticket_technique
Mimikatz
Rubeus_tool
CVEs:
CVE-2021-42287 [Vulners]
Vulners: Score: 6.5, CVSS: 4.2,
Vulners: Exploitation: True
X-Force: Risk: 7.5
X-Force: Patch: Official fix
Soft:
- microsoft windows server 2008 (r2, -, -)
- microsoft windows server 2012 (r2, -)
- microsoft windows server 2016 (-, 2004)
- microsoft windows server 2019 (-)
- microsoft windows server 2022 (*)
have more...
Softs:
active directory
Varonis
Fighting Golden Ticket Attacks with Privileged Attribute Certificate (PAC)
Learn how and why to control the Active Directory Environment state with PACRequestorEnforcement, the implications of doing so and how to detect Golden Ticket attacks happening in your network.
#ParsedReport
16-09-2022
V3 (AMSI + ). Latest Magniverse Ransomware V3 Class Video (AMSI + Memory Diagnosis)
https://asec.ahnlab.com/ko/38854
Threats:
Magniber
IOCs:
File: 4
Hash: 2
Languages:
javascript, java
16-09-2022
V3 (AMSI + ). Latest Magniverse Ransomware V3 Class Video (AMSI + Memory Diagnosis)
https://asec.ahnlab.com/ko/38854
Threats:
Magniber
IOCs:
File: 4
Hash: 2
Languages:
javascript, java
ASEC BLOG
최신 매그니베르 랜섬웨어 V3 차단 영상 (AMSI + 메모리진단) - ASEC BLOG
ASEC 분석팀은 지난 09/08 블로그를 통해 매그니베르 변형에 대한 내용을 소개하였다. 금일부터는 매그니베르 랜섬웨어 스크립트가 자바 스크립트 인것은 동일하지만, 확장자가 기존 *.jse에서 *.js로 변경되었다. 매그니베르가 09/08을 기점으로 자바 스크립트로 바뀌면서 동작 방식 또한 기존과 달라졌다. 현재 유포 중인 자바 스크립트 파일 내부에는 [그림 2]와 같은 닷넷 DLL이 포함되어 매그니베르 쉘코드를 실행 중인 프로세스에 인젝션 한다. 최신…
#ParsedReport
16-09-2022
ASEC (20220905 \~ 20220911). ASEC Weekly Malware Statistics (20220905 \~ 20220911)
https://asec.ahnlab.com/ko/38815
Threats:
Cloudeye
Postealer
Formbook
Agent_tesla
Remcos_rat
Nanocore_rat
Azorult
Lokibot_stealer
Smokeloader
Clipboard_grabbing_technique
Industry:
Transport
Geo:
Korea
IOCs:
File: 22
Url: 30
Email: 4
Softs:
nsis installer, discord
Languages:
visual_basic
16-09-2022
ASEC (20220905 \~ 20220911). ASEC Weekly Malware Statistics (20220905 \~ 20220911)
https://asec.ahnlab.com/ko/38815
Threats:
Cloudeye
Postealer
Formbook
Agent_tesla
Remcos_rat
Nanocore_rat
Azorult
Lokibot_stealer
Smokeloader
Clipboard_grabbing_technique
Industry:
Transport
Geo:
Korea
IOCs:
File: 22
Url: 30
Email: 4
Softs:
nsis installer, discord
Languages:
visual_basic
ASEC BLOG
ASEC 주간 악성코드 통계 (20220905 ~ 20220911) - ASEC BLOG
ASEC 분석팀에서는 ASEC 자동 분석 시스템 RAPIT 을 활용하여 알려진 악성코드들에 대한 분류 및 대응을 진행하고 있다. 본 포스팅에서는 2022년 9월 5일 월요일부터 9월 11일 일요일까지 한 주간 수집된 악성코드의 통계를 정리한다. 대분류 상으로는 인포스틸러가 47.1%로 1위를 차지하였으며, 그 다음으로는 다운로더 악성코드가 32.7%, 백도어 12.5%, 랜섬웨어 7.7%로 집계되었다. Top 1 – GuLoader 21.2%를 차지하는…
#ParsedReport
16-09-2022
URSA trojan is back with a new dance. Overview
https://seguranca-informatica.pt/ursa-trojan-is-back-with-a-new-dance/#.YySetnbP02w
Threats:
Mispadu
Grandoreiro
Lampion
Passview_tool
Kraken
Javali
Skeleton_operation
Cyberchef_tool
Dll_injection_technique
Industry:
Financial
Geo:
American, Honduras, Usa, Chile, Colombia, Brazil, Bolivia, Portugal, Peru, Paraguay, Spain, America, Portuguese, Ecuador, Mexico, Spanish, Argentina
IOCs:
File: 13
Hash: 24
Path: 6
Url: 2
Softs:
coinbase
Algorithms:
zip
Functions:
SetFore, onClick, sub_10001C30, sub_100001880
Win API:
SendMessage, ShowWindow, WinExec
Languages:
php, delphi, autoit, javascript
YARA: Found
16-09-2022
URSA trojan is back with a new dance. Overview
https://seguranca-informatica.pt/ursa-trojan-is-back-with-a-new-dance/#.YySetnbP02w
Threats:
Mispadu
Grandoreiro
Lampion
Passview_tool
Kraken
Javali
Skeleton_operation
Cyberchef_tool
Dll_injection_technique
Industry:
Financial
Geo:
American, Honduras, Usa, Chile, Colombia, Brazil, Bolivia, Portugal, Peru, Paraguay, Spain, America, Portuguese, Ecuador, Mexico, Spanish, Argentina
IOCs:
File: 13
Hash: 24
Path: 6
Url: 2
Softs:
coinbase
Algorithms:
zip
Functions:
SetFore, onClick, sub_10001C30, sub_100001880
Win API:
SendMessage, ShowWindow, WinExec
Languages:
php, delphi, autoit, javascript
YARA: Found
#ParsedReport
16-09-2022
The Good, the Bad and the Ugly in Cybersecurity Week 38
https://www.sentinelone.com/blog/the-good-the-bad-and-the-ugly-in-cybersecurity-week-38-4
Actors/Campaigns:
Cleaver
Tunnelvision
Dream_job
Lazarus
Threats:
Proxyshell_vuln
Putty_tool
Themida_tool
Industry:
Transport, Energy, Healthcare, Aerospace
Geo:
Irans, Korean
IOCs:
File: 3
Url: 3
Path: 2
Softs:
microsoft exchange, microsoft teams, macos
16-09-2022
The Good, the Bad and the Ugly in Cybersecurity Week 38
https://www.sentinelone.com/blog/the-good-the-bad-and-the-ugly-in-cybersecurity-week-38-4
Actors/Campaigns:
Cleaver
Tunnelvision
Dream_job
Lazarus
Threats:
Proxyshell_vuln
Putty_tool
Themida_tool
Industry:
Transport, Energy, Healthcare, Aerospace
Geo:
Irans, Korean
IOCs:
File: 3
Url: 3
Path: 2
Softs:
microsoft exchange, microsoft teams, macos
SentinelOne
The Good, the Bad and the Ugly in Cybersecurity - Week 38
OFAC sanctions IRGC-linked threat actors, Lazarus APT targets "Dream Job" hunters at Amazon, and remote login Teams vulnerability left out of Patch Tuesday.
#ParsedReport
16-09-2022
Threat Alert: New Malware in the Cloud By TeamTNT
https://blog.aquasec.com/new-malware-in-the-cloud-by-teamtnt
Actors/Campaigns:
Teamtnt
Threats:
Kangaroo
Cronb
Nautilus
Quantum_locker
Netstat_tool
Diamorphine_rootkit
Masscan_tool
Zgrab_scanner_tool
Pnscan_tool
Tsunami_botnet
Industry:
Financial
Geo:
German
IOCs:
Domain: 2
IP: 2
Hash: 1
Softs:
docker, redis, alpine, debian, systemd
Algorithms:
base64, ecdlp
Links:
16-09-2022
Threat Alert: New Malware in the Cloud By TeamTNT
https://blog.aquasec.com/new-malware-in-the-cloud-by-teamtnt
Actors/Campaigns:
Teamtnt
Threats:
Kangaroo
Cronb
Nautilus
Quantum_locker
Netstat_tool
Diamorphine_rootkit
Masscan_tool
Zgrab_scanner_tool
Pnscan_tool
Tsunami_botnet
Industry:
Financial
Geo:
German
IOCs:
Domain: 2
IP: 2
Hash: 1
Softs:
docker, redis, alpine, debian, systemd
Algorithms:
base64, ecdlp
Links:
https://github.com/wafferzAquasec
Threat Alert: New Malware in the Cloud By TeamTNT
Could TeamTNT be back? Our honeypots were attacked by malware that bears a resemblance to these threat actors and we analyze the possible connection.
#ParsedReport
16-09-2022
Self-spreading stealer attacks gamers via YouTube
https://securelist.com/self-spreading-stealer-attacks-gamers-via-youtube/107407
Threats:
Redline_stealer
Industry:
Financial, Entertainment
IOCs:
File: 7
Path: 1
Url: 10
IP: 1
Softs:
chrome, microsoft edge, discord
Languages:
rust
16-09-2022
Self-spreading stealer attacks gamers via YouTube
https://securelist.com/self-spreading-stealer-attacks-gamers-via-youtube/107407
Threats:
Redline_stealer
Industry:
Financial, Entertainment
IOCs:
File: 7
Path: 1
Url: 10
IP: 1
Softs:
chrome, microsoft edge, discord
Languages:
rust
Securelist
RedLine spreads through ads for cheats and cracks on YouTube
A malicious bundle containing the RedLine stealer and a miner is distributed on YouTube through cheats and cracks ads for popular games.
#ParsedReport
16-09-2022
It's Time to PuTTY! DPRK Job Opportunity Phishing via WhatsApp
https://www.mandiant.com/resources/blog/dprk-whatsapp-phishing
Actors/Campaigns:
Unc4034
Dream_job
Duke
Threats:
Putty_tool
Yash_rat
Airdry
Themida_tool
Daveshell
Process_injection_technique
Vmprotect_tool
Beacon
Cuteloop_loader
Geo:
Korean, Korea, Dprk
TTPs:
Tactics: 5
Technics: 14
IOCs:
File: 11
IP: 1
Path: 8
Hash: 7
Url: 3
Softs:
telnet client
Algorithms:
rc4, aes-256, base64, aes-128, cbc, aes, xor
Win API:
WinExec
Links:
16-09-2022
It's Time to PuTTY! DPRK Job Opportunity Phishing via WhatsApp
https://www.mandiant.com/resources/blog/dprk-whatsapp-phishing
Actors/Campaigns:
Unc4034
Dream_job
Duke
Threats:
Putty_tool
Yash_rat
Airdry
Themida_tool
Daveshell
Process_injection_technique
Vmprotect_tool
Beacon
Cuteloop_loader
Geo:
Korean, Korea, Dprk
TTPs:
Tactics: 5
Technics: 14
IOCs:
File: 11
IP: 1
Path: 8
Hash: 7
Url: 3
Softs:
telnet client
Algorithms:
rc4, aes-256, base64, aes-128, cbc, aes, xor
Win API:
WinExec
Links:
https://github.com/monoxgas/sRDIGoogle Cloud Blog
DPRK Job Opportunity Phishing via WhatsApp | PuTTY Utility | Google Cloud Blog
DPRK job opportunity phishing scam. UNC4034 establishes communication with a victim over WhatsApp and lures them to download a malicious ISO package.
#ParsedReport
16-09-2022
BianLian: A new golan based cross functional ransomware in action. Attack Flow
https://www.secureblink.com/cyber-security-news/bian-lian-a-new-golan-based-cross-functional-ransomware-in-action
Threats:
Hydra
Proxyshell_vuln
Bespoke
Winrm_tool
Industry:
Education, Financial, Healthcare
Geo:
America, Australia
CVEs:
CVE-2021-31207 [Vulners]
Vulners: Score: 6.5, CVSS: 1.7,
Vulners: Exploitation: True
X-Force: Risk: 6.6
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
CVE-2021-34473 [Vulners]
Vulners: Score: 10.0, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 9.1
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
CVE-2021-34523 [Vulners]
Vulners: Score: 7.5, CVSS: 3.4,
Vulners: Exploitation: True
X-Force: Risk: 9
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
IOCs:
File: 5
Hash: 1
Softs:
microsoft exchange server
Algorithms:
aes
Win API:
GetProcAddress, CreateThread, GetDriveTypeW, FindFirstFileW, FindNextFileW, MoveFileExW
Languages:
golang
16-09-2022
BianLian: A new golan based cross functional ransomware in action. Attack Flow
https://www.secureblink.com/cyber-security-news/bian-lian-a-new-golan-based-cross-functional-ransomware-in-action
Threats:
Hydra
Proxyshell_vuln
Bespoke
Winrm_tool
Industry:
Education, Financial, Healthcare
Geo:
America, Australia
CVEs:
CVE-2021-31207 [Vulners]
Vulners: Score: 6.5, CVSS: 1.7,
Vulners: Exploitation: True
X-Force: Risk: 6.6
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
CVE-2021-34473 [Vulners]
Vulners: Score: 10.0, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 9.1
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
CVE-2021-34523 [Vulners]
Vulners: Score: 7.5, CVSS: 3.4,
Vulners: Exploitation: True
X-Force: Risk: 9
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
IOCs:
File: 5
Hash: 1
Softs:
microsoft exchange server
Algorithms:
aes
Win API:
GetProcAddress, CreateThread, GetDriveTypeW, FindFirstFileW, FindNextFileW, MoveFileExW
Languages:
golang
Vulners Database
CVE-2021-31207 - vulnerability database | Vulners.com
CVE-2021-31207 is one of the ProxyShell chain affecting on-premises Microsoft Exchange Server, enabling post-auth arbitrary-file-write that can lead to remote code execution. Exploitation chains documented in FireEye and related advisories describe ...
#technique
Stealing Access Tokens From Office Desktop Applications
https://mrd0x.com/stealing-tokens-from-office-applications/?no-cache=1
Stealing Access Tokens From Office Desktop Applications
https://mrd0x.com/stealing-tokens-from-office-applications/?no-cache=1
Mrd0X
Security Research | mr.d0x
Providing security research and red team techniques
#technique
Maquerade any legitimate Windows binary by changing some fields in the PEB structure
https://github.com/D1rkMtr/MasqueradingPEB
Maquerade any legitimate Windows binary by changing some fields in the PEB structure
https://github.com/D1rkMtr/MasqueradingPEB
#ParsedReport
19-09-2022
Fake Telegram site delivering RAT aimed at Chinese Users
https://blog.cyble.com/2022/09/17/fake-telegram-site-delivering-rat-aimed-at-chinese-users
Threats:
Dll_sideloading_technique
Process_injection_technique
Uac_bypass_technique
Geo:
Georgia, Dubai, Australia, India, Chinese, Singapore
TTPs:
Tactics: 7
Technics: 8
IOCs:
File: 12
Path: 1
Url: 1
Hash: 2
Softs:
telegram, windows defender, android, macos, chrome, qqbrowser, internet explorer, windows service
Functions:
Shellex, SeDebugPrivilege
Platforms:
x86
19-09-2022
Fake Telegram site delivering RAT aimed at Chinese Users
https://blog.cyble.com/2022/09/17/fake-telegram-site-delivering-rat-aimed-at-chinese-users
Threats:
Dll_sideloading_technique
Process_injection_technique
Uac_bypass_technique
Geo:
Georgia, Dubai, Australia, India, Chinese, Singapore
TTPs:
Tactics: 7
Technics: 8
IOCs:
File: 12
Path: 1
Url: 1
Hash: 2
Softs:
telegram, windows defender, android, macos, chrome, qqbrowser, internet explorer, windows service
Functions:
Shellex, SeDebugPrivilege
Platforms:
x86
Cyble
Fake Telegram site delivering RAT aimed at Chinese Users
Cyble Research and Intelligence Labs analyzes a fake Telegram Site delivering Remote Access Trojans to Chinese users.