CTT Report Hub
3.41K subscribers
9.74K photos
6 videos
67 files
13.4K links
Threat Intelligence Report Hub
Download Telegram
#ParsedReport
16-09-2022

Threat Alert: New Malware in the Cloud By TeamTNT

https://blog.aquasec.com/new-malware-in-the-cloud-by-teamtnt

Actors/Campaigns:
Teamtnt

Threats:
Kangaroo
Cronb
Nautilus
Quantum_locker
Netstat_tool
Diamorphine_rootkit
Masscan_tool
Zgrab_scanner_tool
Pnscan_tool
Tsunami_botnet

Industry:
Financial

Geo:
German

IOCs:
Domain: 2
IP: 2
Hash: 1

Softs:
docker, redis, alpine, debian, systemd

Algorithms:
base64, ecdlp

Links:
https://github.com/wafferz
#ParsedReport
16-09-2022

It's Time to PuTTY! DPRK Job Opportunity Phishing via WhatsApp

https://www.mandiant.com/resources/blog/dprk-whatsapp-phishing

Actors/Campaigns:
Unc4034
Dream_job
Duke

Threats:
Putty_tool
Yash_rat
Airdry
Themida_tool
Daveshell
Process_injection_technique
Vmprotect_tool
Beacon
Cuteloop_loader

Geo:
Korean, Korea, Dprk

TTPs:
Tactics: 5
Technics: 14

IOCs:
File: 11
IP: 1
Path: 8
Hash: 7
Url: 3

Softs:
telnet client

Algorithms:
rc4, aes-256, base64, aes-128, cbc, aes, xor

Win API:
WinExec

Links:
https://github.com/monoxgas/sRDI
#ParsedReport
16-09-2022

BianLian: A new golan based cross functional ransomware in action. Attack Flow

https://www.secureblink.com/cyber-security-news/bian-lian-a-new-golan-based-cross-functional-ransomware-in-action

Threats:
Hydra
Proxyshell_vuln
Bespoke
Winrm_tool

Industry:
Education, Financial, Healthcare

Geo:
America, Australia

CVEs:
CVE-2021-31207 [Vulners]
Vulners: Score: 6.5, CVSS: 1.7,
Vulners: Exploitation: True
X-Force: Risk: 6.6
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)

CVE-2021-34473 [Vulners]
Vulners: Score: 10.0, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 9.1
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)

CVE-2021-34523 [Vulners]
Vulners: Score: 7.5, CVSS: 3.4,
Vulners: Exploitation: True
X-Force: Risk: 9
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)


IOCs:
File: 5
Hash: 1

Softs:
microsoft exchange server

Algorithms:
aes

Win API:
GetProcAddress, CreateThread, GetDriveTypeW, FindFirstFileW, FindNextFileW, MoveFileExW

Languages:
golang
#technique

Maquerade any legitimate Windows binary by changing some fields in the PEB structure

https://github.com/D1rkMtr/MasqueradingPEB
#ParsedReport
19-09-2022

Fake Telegram site delivering RAT aimed at Chinese Users

https://blog.cyble.com/2022/09/17/fake-telegram-site-delivering-rat-aimed-at-chinese-users

Threats:
Dll_sideloading_technique
Process_injection_technique
Uac_bypass_technique

Geo:
Georgia, Dubai, Australia, India, Chinese, Singapore

TTPs:
Tactics: 7
Technics: 8

IOCs:
File: 12
Path: 1
Url: 1
Hash: 2

Softs:
telegram, windows defender, android, macos, chrome, qqbrowser, internet explorer, windows service

Functions:
Shellex, SeDebugPrivilege

Platforms:
x86
#ParsedReport
19-09-2022

New Malware Campaign Targets Zoom Users

https://blog.cyble.com/2022/09/19/new-malware-campaign-targets-zoom-users

Threats:
Vidar_stealer
Arkei_stealer
Beacon

Industry:
Financial, E-commerce

Geo:
Georgia, India, Singapore, Dubai, Australia

TTPs:
Tactics: 7
Technics: 13

IOCs:
Domain: 6
Url: 3
File: 2
Path: 2
IP: 3
Hash: 1

Softs:
zoom, telegram
#ParsedReport
19-09-2022

Ransomware Roundup: Ragnar Locker Ransomware

https://www.fortinet.com/blog/threat-research/ransomware-roundup-ragnar-locker-ransomware

Threats:
Ragnarlocker
Logmein_tool
Powerplant
Lockbit
Maze
Filecoder
W32/delshad.gbt!tr.ransom
Kryptik_trojan
W32/deapax.k!tr.ransom
W32/cryptor.a!tr.ransom
Ramnit

Industry:
Financial, Petroleum, Government, Healthcare

Geo:
America, Greece, Asia

CVEs:
CVE-2017-0213 [Vulners]
Vulners: Score: 1.9, CVSS: 5.4,
Vulners: Exploitation: True
X-Force: Risk: 7
X-Force: Patch: Official fix
Soft:
- microsoft windows 10 (1607, -, 1511, 1703)
- microsoft windows rt 8.1 (*)
- microsoft windows server 2012 (-, r2)
- microsoft windows server 2008 (r2, *)
- microsoft windows 8.1 (*)
have more...

IOCs:
File: 1
Hash: 55

Algorithms:
salsa20
#ParsedReport
20-09-2022

Microsoft Exchange servers backdoored with OwlProxy

https://www.telsy.com/microsoft-exchange-servers-backdoored-with-owlproxy-fuscom-dll

Actors/Campaigns:
Chimera

Threats:
Owlproxy
Proxylogon_exploit
Gelsemium
Sessionmanager
Timestomp_technique

Geo:
Chinese

TTPs:
Tactics: 1
Technics: 0

IOCs:
File: 3
Hash: 2

Softs:
microsoft exchange, windows service

Algorithms:
base64, xor

Functions:
ServiceMain, parse_and_decrypt_url, CreateEvent

Win API:
HttpAddUrl, HttpReceiveHttpRequest, WSAStartup, HttpSendHttpResponse, HttpSendResponseEntityBody

Languages:
php
#ParsedReport
20-09-2022

Meeting the Ministrer

https://www.fortinet.com/blog/threat-research/konni-rat-phishing-email-deploying-malware

Actors/Campaigns:
Apt37

Threats:
Konni
Vba/agent.aif!tr

Industry:
Government

Geo:
Russian, Japan, Dprk, Russia, China, Korea, Ukraine

IOCs:
File: 2
Domain: 1
IP: 1
Hash: 3

Softs:
microsoft powerpoint, microsoft office

Algorithms:
zip
#ParsedReport
20-09-2022

The Evolution of the Chromeloader Malware

https://blogs.vmware.com/security/2022/09/the-evolution-of-the-chromeloader-malware.html

Threats:
Chromeloader
Credential_stealing_technique
Zipbomb_technique
Enigma_tool

Industry:
Media, Government

IOCs:
Path: 2
File: 37
Registry: 9
Domain: 9
Url: 2

Softs:
macos, chrome, node.js, chromium, utorrent, bittorrent

Algorithms:
base64, zip

Functions:
OpenSubtitles

Languages:
javascript
#ParsedReport
20-09-2022

New Malware Campaign Targets Zoom Users

https://blog.cyble.com/2022/09/19/new-malware-campaign-targets-zoom-users

Threats:
Vidar_stealer
Arkei_stealer
Beacon

Industry:
E-commerce, Financial

Geo:
Dubai, Australia, Georgia, India, Singapore

TTPs:
Tactics: 7
Technics: 13

IOCs:
Domain: 6
Url: 3
File: 2
Path: 2
IP: 3
Hash: 1

Softs:
zoom, telegram
#ParsedReport
21-09-2022

ASEC Weekly Malware Statistics (September 5th, 2022 September 11th, 2022)

https://asec.ahnlab.com/en/38942

Threats:
Cloudeye
Formbook
Agent_tesla
Remcos_rat
Nanocore_rat
Lokibot_stealer
Smokeloader
Clipboard_grabbing_technique

Industry:
Transport

Geo:
Korea

IOCs:
Url: 30
File: 15
Email: 4

Softs:
nsis installer, discord

Languages:
visual_basic
#ParsedReport
21-09-2022

Native function and Assembly Code Invocation

https://research.checkpoint.com/2022/native-function-and-assembly-code-invocation

Threats:
Grief
Dumpulator_tool
Unicorn
Miniduke
Medusalocker
Minidump_tool
Process_hacker_tool

IOCs:
Hash: 1
File: 19

Softs:
process explorer, speakeasy, qemu

Functions:
APPCALL_MANUAL, SetCondBPonRet, cleanup_appcall

Win API:
MiniDumpWriteDump

Languages:
python

Platforms:
x86

Links:
https://github.com/mrexodia/MiniDumpPlugin
https://github.com/unicorn-engine/unicorn
https://github.com/unicorn-engine/unicorn/tree/master/bindings/python
https://github.com/mrexodia/dumpulator
#ParsedReport
21-09-2022

NetSupport RAT Distributed Via SocGholish

https://blog.cyble.com/2022/09/21/netsupport-rat-distributed-via-socgholish

Actors/Campaigns:
Fakeupdates

Threats:
Netsupportmanager_rat
Socgholish_loader
Cobalt_strike
Beacon
Dll_sideloading_technique
Process_injection_technique

Geo:
Dubai, India, Australia, Georgia, Singapore

TTPs:
Tactics: 6
Technics: 12

IOCs:
File: 3
Path: 1
Url: 4
IP: 2
Hash: 6

Softs:
microsoft teams, chrome

Algorithms:
gzip, zip

Languages:
javascript