CTT Report Hub
3.41K subscribers
9.74K photos
6 videos
67 files
13.4K links
Threat Intelligence Report Hub
Download Telegram
#ParsedReport
15-09-2022

Webworm: Espionage Attackers Testing and Using Older Modified RATs

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/webworm-espionage-rats

Actors/Campaigns:
Webworm (motivation: cyber_espionage)

Threats:
Gh0st_rat
Trochilus_rat
9002
Plugx_rat
Ghostnet

Industry:
Aerospace, Energy, Government

Geo:
Georgia, Korea, Asian, Russia, Mongolia

IOCs:
Hash: 17
File: 7
Path: 7

Algorithms:
lzw

Win API:
LoadLibraryA, CreateProcessAsUserW
#ParsedReport
15-09-2022

From the Front Lines \| Slam! Anatomy of a Publicly-Available Ransomware Builder

https://www.sentinelone.com/blog/from-the-front-lines-slam-anatomy-of-a-publicly-available-ransomware-builder

Threats:
Slam
Uac_bypass_technique
Uacme
Multiplug
Dyre
Icedid
Alpha_mbr_tool

Industry:
Education

Geo:
Spanish

TTPs:

IOCs:
File: 6
IP: 1
Path: 2
Hash: 46

Softs:
vssadmin, bcdedit

Algorithms:
aes-256
#ParsedReport
15-09-2022

Phishing Campaign Targets Greek Banking Users

https://blog.cyble.com/2022/09/14/phishing-campaign-targets-greek-banking-users

Industry:
Financial, Government

Geo:
Greek, Greece, Singapore, Dubai, Georgia, Australia, Greeces, India

TTPs:
Tactics: 1
Technics: 3

IOCs:
Url: 12
IP: 1

Languages:
javascript
#ParsedReport
15-09-2022

PrivateLoader: the loader of the prevalent ruzki PPI service

https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service

Actors/Campaigns:
Shell_crew

Threats:
Privateloader
Ruzki_actor
Traffer
Dead_drop_technique
Redline_stealer
Vidar_stealer
Raccoon_stealer
Socelars
Fabookie
Ytstealer
Agent_tesla
Phoenix_keylogger
Stop
Danabot
Smokeloader
Xmrig_miner
Glupteba
Dcrat_rat
Netsupportmanager_rat
Nymaim

Industry:
Financial

Geo:
Czechia, Russia, Russian, Germany

TTPs:
Tactics: 2
Technics: 9

IOCs:
IP: 13
Url: 12
Hash: 20

Softs:
telegram, windows defender, discord

Algorithms:
xor

Languages:
php, python

Links:
https://github.com/SEKOIA-IO/Community/blob/main/IOCs/20220914\_privateloader\_IOC.csv
#ParsedReport
16-09-2022

PAC_Requestor and Golden Ticket Attacks

https://www.varonis.com/blog/pac_requestor-and-golden-ticket-attacks

Threats:
Golden_ticket_technique
Mimikatz
Rubeus_tool

CVEs:
CVE-2021-42287 [Vulners]
Vulners: Score: 6.5, CVSS: 4.2,
Vulners: Exploitation: True
X-Force: Risk: 7.5
X-Force: Patch: Official fix
Soft:
- microsoft windows server 2008 (r2, -, -)
- microsoft windows server 2012 (r2, -)
- microsoft windows server 2016 (-, 2004)
- microsoft windows server 2019 (-)
- microsoft windows server 2022 (*)
have more...

Softs:
active directory
#ParsedReport
16-09-2022

URSA trojan is back with a new dance. Overview

https://seguranca-informatica.pt/ursa-trojan-is-back-with-a-new-dance/#.YySetnbP02w

Threats:
Mispadu
Grandoreiro
Lampion
Passview_tool
Kraken
Javali
Skeleton_operation
Cyberchef_tool
Dll_injection_technique

Industry:
Financial

Geo:
American, Honduras, Usa, Chile, Colombia, Brazil, Bolivia, Portugal, Peru, Paraguay, Spain, America, Portuguese, Ecuador, Mexico, Spanish, Argentina

IOCs:
File: 13
Hash: 24
Path: 6
Url: 2

Softs:
coinbase

Algorithms:
zip

Functions:
SetFore, onClick, sub_10001C30, sub_100001880

Win API:
SendMessage, ShowWindow, WinExec

Languages:
php, delphi, autoit, javascript

YARA: Found
#ParsedReport
16-09-2022

The Good, the Bad and the Ugly in Cybersecurity Week 38

https://www.sentinelone.com/blog/the-good-the-bad-and-the-ugly-in-cybersecurity-week-38-4

Actors/Campaigns:
Cleaver
Tunnelvision
Dream_job
Lazarus

Threats:
Proxyshell_vuln
Putty_tool
Themida_tool

Industry:
Transport, Energy, Healthcare, Aerospace

Geo:
Irans, Korean

IOCs:
File: 3
Url: 3
Path: 2

Softs:
microsoft exchange, microsoft teams, macos
#ParsedReport
16-09-2022

Threat Alert: New Malware in the Cloud By TeamTNT

https://blog.aquasec.com/new-malware-in-the-cloud-by-teamtnt

Actors/Campaigns:
Teamtnt

Threats:
Kangaroo
Cronb
Nautilus
Quantum_locker
Netstat_tool
Diamorphine_rootkit
Masscan_tool
Zgrab_scanner_tool
Pnscan_tool
Tsunami_botnet

Industry:
Financial

Geo:
German

IOCs:
Domain: 2
IP: 2
Hash: 1

Softs:
docker, redis, alpine, debian, systemd

Algorithms:
base64, ecdlp

Links:
https://github.com/wafferz
#ParsedReport
16-09-2022

It's Time to PuTTY! DPRK Job Opportunity Phishing via WhatsApp

https://www.mandiant.com/resources/blog/dprk-whatsapp-phishing

Actors/Campaigns:
Unc4034
Dream_job
Duke

Threats:
Putty_tool
Yash_rat
Airdry
Themida_tool
Daveshell
Process_injection_technique
Vmprotect_tool
Beacon
Cuteloop_loader

Geo:
Korean, Korea, Dprk

TTPs:
Tactics: 5
Technics: 14

IOCs:
File: 11
IP: 1
Path: 8
Hash: 7
Url: 3

Softs:
telnet client

Algorithms:
rc4, aes-256, base64, aes-128, cbc, aes, xor

Win API:
WinExec

Links:
https://github.com/monoxgas/sRDI
#ParsedReport
16-09-2022

BianLian: A new golan based cross functional ransomware in action. Attack Flow

https://www.secureblink.com/cyber-security-news/bian-lian-a-new-golan-based-cross-functional-ransomware-in-action

Threats:
Hydra
Proxyshell_vuln
Bespoke
Winrm_tool

Industry:
Education, Financial, Healthcare

Geo:
America, Australia

CVEs:
CVE-2021-31207 [Vulners]
Vulners: Score: 6.5, CVSS: 1.7,
Vulners: Exploitation: True
X-Force: Risk: 6.6
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)

CVE-2021-34473 [Vulners]
Vulners: Score: 10.0, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 9.1
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)

CVE-2021-34523 [Vulners]
Vulners: Score: 7.5, CVSS: 3.4,
Vulners: Exploitation: True
X-Force: Risk: 9
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)


IOCs:
File: 5
Hash: 1

Softs:
microsoft exchange server

Algorithms:
aes

Win API:
GetProcAddress, CreateThread, GetDriveTypeW, FindFirstFileW, FindNextFileW, MoveFileExW

Languages:
golang
#technique

Maquerade any legitimate Windows binary by changing some fields in the PEB structure

https://github.com/D1rkMtr/MasqueradingPEB
#ParsedReport
19-09-2022

Fake Telegram site delivering RAT aimed at Chinese Users

https://blog.cyble.com/2022/09/17/fake-telegram-site-delivering-rat-aimed-at-chinese-users

Threats:
Dll_sideloading_technique
Process_injection_technique
Uac_bypass_technique

Geo:
Georgia, Dubai, Australia, India, Chinese, Singapore

TTPs:
Tactics: 7
Technics: 8

IOCs:
File: 12
Path: 1
Url: 1
Hash: 2

Softs:
telegram, windows defender, android, macos, chrome, qqbrowser, internet explorer, windows service

Functions:
Shellex, SeDebugPrivilege

Platforms:
x86
#ParsedReport
19-09-2022

New Malware Campaign Targets Zoom Users

https://blog.cyble.com/2022/09/19/new-malware-campaign-targets-zoom-users

Threats:
Vidar_stealer
Arkei_stealer
Beacon

Industry:
Financial, E-commerce

Geo:
Georgia, India, Singapore, Dubai, Australia

TTPs:
Tactics: 7
Technics: 13

IOCs:
Domain: 6
Url: 3
File: 2
Path: 2
IP: 3
Hash: 1

Softs:
zoom, telegram
#ParsedReport
19-09-2022

Ransomware Roundup: Ragnar Locker Ransomware

https://www.fortinet.com/blog/threat-research/ransomware-roundup-ragnar-locker-ransomware

Threats:
Ragnarlocker
Logmein_tool
Powerplant
Lockbit
Maze
Filecoder
W32/delshad.gbt!tr.ransom
Kryptik_trojan
W32/deapax.k!tr.ransom
W32/cryptor.a!tr.ransom
Ramnit

Industry:
Financial, Petroleum, Government, Healthcare

Geo:
America, Greece, Asia

CVEs:
CVE-2017-0213 [Vulners]
Vulners: Score: 1.9, CVSS: 5.4,
Vulners: Exploitation: True
X-Force: Risk: 7
X-Force: Patch: Official fix
Soft:
- microsoft windows 10 (1607, -, 1511, 1703)
- microsoft windows rt 8.1 (*)
- microsoft windows server 2012 (-, r2)
- microsoft windows server 2008 (r2, *)
- microsoft windows 8.1 (*)
have more...

IOCs:
File: 1
Hash: 55

Algorithms:
salsa20