#ParsedReport
16-09-2022
It's Time to PuTTY! DPRK Job Opportunity Phishing via WhatsApp
https://www.mandiant.com/resources/blog/dprk-whatsapp-phishing
Actors/Campaigns:
Unc4034
Dream_job
Duke
Threats:
Putty_tool
Yash_rat
Airdry
Themida_tool
Daveshell
Process_injection_technique
Vmprotect_tool
Beacon
Cuteloop_loader
Geo:
Korean, Korea, Dprk
TTPs:
Tactics: 5
Technics: 14
IOCs:
File: 11
IP: 1
Path: 8
Hash: 7
Url: 3
Softs:
telnet client
Algorithms:
rc4, aes-256, base64, aes-128, cbc, aes, xor
Win API:
WinExec
Links:
16-09-2022
It's Time to PuTTY! DPRK Job Opportunity Phishing via WhatsApp
https://www.mandiant.com/resources/blog/dprk-whatsapp-phishing
Actors/Campaigns:
Unc4034
Dream_job
Duke
Threats:
Putty_tool
Yash_rat
Airdry
Themida_tool
Daveshell
Process_injection_technique
Vmprotect_tool
Beacon
Cuteloop_loader
Geo:
Korean, Korea, Dprk
TTPs:
Tactics: 5
Technics: 14
IOCs:
File: 11
IP: 1
Path: 8
Hash: 7
Url: 3
Softs:
telnet client
Algorithms:
rc4, aes-256, base64, aes-128, cbc, aes, xor
Win API:
WinExec
Links:
https://github.com/monoxgas/sRDIGoogle Cloud Blog
DPRK Job Opportunity Phishing via WhatsApp | PuTTY Utility | Google Cloud Blog
DPRK job opportunity phishing scam. UNC4034 establishes communication with a victim over WhatsApp and lures them to download a malicious ISO package.
#ParsedReport
16-09-2022
BianLian: A new golan based cross functional ransomware in action. Attack Flow
https://www.secureblink.com/cyber-security-news/bian-lian-a-new-golan-based-cross-functional-ransomware-in-action
Threats:
Hydra
Proxyshell_vuln
Bespoke
Winrm_tool
Industry:
Education, Financial, Healthcare
Geo:
America, Australia
CVEs:
CVE-2021-31207 [Vulners]
Vulners: Score: 6.5, CVSS: 1.7,
Vulners: Exploitation: True
X-Force: Risk: 6.6
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
CVE-2021-34473 [Vulners]
Vulners: Score: 10.0, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 9.1
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
CVE-2021-34523 [Vulners]
Vulners: Score: 7.5, CVSS: 3.4,
Vulners: Exploitation: True
X-Force: Risk: 9
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
IOCs:
File: 5
Hash: 1
Softs:
microsoft exchange server
Algorithms:
aes
Win API:
GetProcAddress, CreateThread, GetDriveTypeW, FindFirstFileW, FindNextFileW, MoveFileExW
Languages:
golang
16-09-2022
BianLian: A new golan based cross functional ransomware in action. Attack Flow
https://www.secureblink.com/cyber-security-news/bian-lian-a-new-golan-based-cross-functional-ransomware-in-action
Threats:
Hydra
Proxyshell_vuln
Bespoke
Winrm_tool
Industry:
Education, Financial, Healthcare
Geo:
America, Australia
CVEs:
CVE-2021-31207 [Vulners]
Vulners: Score: 6.5, CVSS: 1.7,
Vulners: Exploitation: True
X-Force: Risk: 6.6
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
CVE-2021-34473 [Vulners]
Vulners: Score: 10.0, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 9.1
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
CVE-2021-34523 [Vulners]
Vulners: Score: 7.5, CVSS: 3.4,
Vulners: Exploitation: True
X-Force: Risk: 9
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
IOCs:
File: 5
Hash: 1
Softs:
microsoft exchange server
Algorithms:
aes
Win API:
GetProcAddress, CreateThread, GetDriveTypeW, FindFirstFileW, FindNextFileW, MoveFileExW
Languages:
golang
Vulners Database
CVE-2021-31207 - vulnerability database | Vulners.com
CVE-2021-31207 is one of the ProxyShell chain affecting on-premises Microsoft Exchange Server, enabling post-auth arbitrary-file-write that can lead to remote code execution. Exploitation chains documented in FireEye and related advisories describe ...
#technique
Stealing Access Tokens From Office Desktop Applications
https://mrd0x.com/stealing-tokens-from-office-applications/?no-cache=1
Stealing Access Tokens From Office Desktop Applications
https://mrd0x.com/stealing-tokens-from-office-applications/?no-cache=1
Mrd0X
Security Research | mr.d0x
Providing security research and red team techniques
#technique
Maquerade any legitimate Windows binary by changing some fields in the PEB structure
https://github.com/D1rkMtr/MasqueradingPEB
Maquerade any legitimate Windows binary by changing some fields in the PEB structure
https://github.com/D1rkMtr/MasqueradingPEB
#ParsedReport
19-09-2022
Fake Telegram site delivering RAT aimed at Chinese Users
https://blog.cyble.com/2022/09/17/fake-telegram-site-delivering-rat-aimed-at-chinese-users
Threats:
Dll_sideloading_technique
Process_injection_technique
Uac_bypass_technique
Geo:
Georgia, Dubai, Australia, India, Chinese, Singapore
TTPs:
Tactics: 7
Technics: 8
IOCs:
File: 12
Path: 1
Url: 1
Hash: 2
Softs:
telegram, windows defender, android, macos, chrome, qqbrowser, internet explorer, windows service
Functions:
Shellex, SeDebugPrivilege
Platforms:
x86
19-09-2022
Fake Telegram site delivering RAT aimed at Chinese Users
https://blog.cyble.com/2022/09/17/fake-telegram-site-delivering-rat-aimed-at-chinese-users
Threats:
Dll_sideloading_technique
Process_injection_technique
Uac_bypass_technique
Geo:
Georgia, Dubai, Australia, India, Chinese, Singapore
TTPs:
Tactics: 7
Technics: 8
IOCs:
File: 12
Path: 1
Url: 1
Hash: 2
Softs:
telegram, windows defender, android, macos, chrome, qqbrowser, internet explorer, windows service
Functions:
Shellex, SeDebugPrivilege
Platforms:
x86
Cyble
Fake Telegram site delivering RAT aimed at Chinese Users
Cyble Research and Intelligence Labs analyzes a fake Telegram Site delivering Remote Access Trojans to Chinese users.
#ParsedReport
19-09-2022
MS-SQL FARGO (Mallox). FARGO Ransomware (Mallox) is being distributed to vulnerable MS-SQL servers
https://asec.ahnlab.com/ko/38849
Threats:
Mallox
Globeimposter
Remcos_rat
Cobalt_strike
Asyncrat_rat
Ransomware/win.ransom.c5153317
Dropper/win.dotnet.c5237010
Malware/mdp.download.m1197
IOCs:
File: 6
Hash: 4
Url: 1
Softs:
ms-sql, mysql
19-09-2022
MS-SQL FARGO (Mallox). FARGO Ransomware (Mallox) is being distributed to vulnerable MS-SQL servers
https://asec.ahnlab.com/ko/38849
Threats:
Mallox
Globeimposter
Remcos_rat
Cobalt_strike
Asyncrat_rat
Ransomware/win.ransom.c5153317
Dropper/win.dotnet.c5237010
Malware/mdp.download.m1197
IOCs:
File: 6
Hash: 4
Url: 1
Softs:
ms-sql, mysql
ASEC BLOG
취약한 MS-SQL 서버를 대상으로 유포 중인 FARGO 랜섬웨어 (Mallox) - ASEC BLOG
ASEC 분석팀은 취약한 MS-SQL 서버를 대상으로 유포되는 악성 코드들을 지속해서 모니터링하고 있다. 최근 FARGO 랜섬웨어가 취약한 MS-SQL 서버를 대상으로 유포 중인 것을 확인하였다. FARGO 랜섬웨어는 GlobeImposter 랜섬웨어와 함께 취약한 MS-SQL 서버를 대상으로 유포되는 대표적인 랜섬웨어이며 과거에는 .mallox 확장자를 사용함에 따라 Mallox 랜섬웨어라고도 불린다. – [ASEC 블로그] 취약한 MS-SQL 서버를…
#ParsedReport
19-09-2022
New Malware Campaign Targets Zoom Users
https://blog.cyble.com/2022/09/19/new-malware-campaign-targets-zoom-users
Threats:
Vidar_stealer
Arkei_stealer
Beacon
Industry:
Financial, E-commerce
Geo:
Georgia, India, Singapore, Dubai, Australia
TTPs:
Tactics: 7
Technics: 13
IOCs:
Domain: 6
Url: 3
File: 2
Path: 2
IP: 3
Hash: 1
Softs:
zoom, telegram
19-09-2022
New Malware Campaign Targets Zoom Users
https://blog.cyble.com/2022/09/19/new-malware-campaign-targets-zoom-users
Threats:
Vidar_stealer
Arkei_stealer
Beacon
Industry:
Financial, E-commerce
Geo:
Georgia, India, Singapore, Dubai, Australia
TTPs:
Tactics: 7
Technics: 13
IOCs:
Domain: 6
Url: 3
File: 2
Path: 2
IP: 3
Hash: 1
Softs:
zoom, telegram
#ParsedReport
19-09-2022
Ransomware Roundup: Ragnar Locker Ransomware
https://www.fortinet.com/blog/threat-research/ransomware-roundup-ragnar-locker-ransomware
Threats:
Ragnarlocker
Logmein_tool
Powerplant
Lockbit
Maze
Filecoder
W32/delshad.gbt!tr.ransom
Kryptik_trojan
W32/deapax.k!tr.ransom
W32/cryptor.a!tr.ransom
Ramnit
Industry:
Financial, Petroleum, Government, Healthcare
Geo:
America, Greece, Asia
CVEs:
CVE-2017-0213 [Vulners]
Vulners: Score: 1.9, CVSS: 5.4,
Vulners: Exploitation: True
X-Force: Risk: 7
X-Force: Patch: Official fix
Soft:
- microsoft windows 10 (1607, -, 1511, 1703)
- microsoft windows rt 8.1 (*)
- microsoft windows server 2012 (-, r2)
- microsoft windows server 2008 (r2, *)
- microsoft windows 8.1 (*)
have more...
IOCs:
File: 1
Hash: 55
Algorithms:
salsa20
19-09-2022
Ransomware Roundup: Ragnar Locker Ransomware
https://www.fortinet.com/blog/threat-research/ransomware-roundup-ragnar-locker-ransomware
Threats:
Ragnarlocker
Logmein_tool
Powerplant
Lockbit
Maze
Filecoder
W32/delshad.gbt!tr.ransom
Kryptik_trojan
W32/deapax.k!tr.ransom
W32/cryptor.a!tr.ransom
Ramnit
Industry:
Financial, Petroleum, Government, Healthcare
Geo:
America, Greece, Asia
CVEs:
CVE-2017-0213 [Vulners]
Vulners: Score: 1.9, CVSS: 5.4,
Vulners: Exploitation: True
X-Force: Risk: 7
X-Force: Patch: Official fix
Soft:
- microsoft windows 10 (1607, -, 1511, 1703)
- microsoft windows rt 8.1 (*)
- microsoft windows server 2012 (-, r2)
- microsoft windows server 2008 (r2, *)
- microsoft windows 8.1 (*)
have more...
IOCs:
File: 1
Hash: 55
Algorithms:
salsa20
Fortinet Blog
Ransomware Roundup: Ragnar Locker Ransomware
The latest edition of the Ransomware Roundup from FortiGuard Labs covers the Ragnar Locker ransomware. Read to learn more about protections.…
#ParsedReport
20-09-2022
Microsoft and VMware Warn of Ongoing Chromeloader Malware Campaign
https://socradar.io/microsoft-and-vmware-warn-of-ongoing-chromeloader-malware-campaign
Actors/Campaigns:
Dev-0796
Threats:
Chromeloader
Zipbomb_technique
Enigma_tool
IOCs:
File: 4
Domain: 83
Algorithms:
zip
Functions:
OpenSubtitles
Languages:
javascript
20-09-2022
Microsoft and VMware Warn of Ongoing Chromeloader Malware Campaign
https://socradar.io/microsoft-and-vmware-warn-of-ongoing-chromeloader-malware-campaign
Actors/Campaigns:
Dev-0796
Threats:
Chromeloader
Zipbomb_technique
Enigma_tool
IOCs:
File: 4
Domain: 83
Algorithms:
zip
Functions:
OpenSubtitles
Languages:
javascript
SOCRadar® Cyber Intelligence Inc.
Microsoft and VMware Warn of Ongoing Chromeloader Malware Campaign
Microsoft and VMware cautioned users about a widely spread Chromeloader malware campaign. The malware is said to have evolved and become...
#ParsedReport
20-09-2022
Microsoft Exchange servers backdoored with OwlProxy
https://www.telsy.com/microsoft-exchange-servers-backdoored-with-owlproxy-fuscom-dll
Actors/Campaigns:
Chimera
Threats:
Owlproxy
Proxylogon_exploit
Gelsemium
Sessionmanager
Timestomp_technique
Geo:
Chinese
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 3
Hash: 2
Softs:
microsoft exchange, windows service
Algorithms:
base64, xor
Functions:
ServiceMain, parse_and_decrypt_url, CreateEvent
Win API:
HttpAddUrl, HttpReceiveHttpRequest, WSAStartup, HttpSendHttpResponse, HttpSendResponseEntityBody
Languages:
php
20-09-2022
Microsoft Exchange servers backdoored with OwlProxy
https://www.telsy.com/microsoft-exchange-servers-backdoored-with-owlproxy-fuscom-dll
Actors/Campaigns:
Chimera
Threats:
Owlproxy
Proxylogon_exploit
Gelsemium
Sessionmanager
Timestomp_technique
Geo:
Chinese
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 3
Hash: 2
Softs:
microsoft exchange, windows service
Algorithms:
base64, xor
Functions:
ServiceMain, parse_and_decrypt_url, CreateEvent
Win API:
HttpAddUrl, HttpReceiveHttpRequest, WSAStartup, HttpSendHttpResponse, HttpSendResponseEntityBody
Languages:
php
Telsy
Microsoft Exchange servers backdoored with OwlProxy - Telsy
Telsy observed malicious activity in the Microsoft Exchange infrastructure. The analysis revealed a malicious DLL called "fuscom.dll".
#ParsedReport
20-09-2022
Meeting the Ministrer
https://www.fortinet.com/blog/threat-research/konni-rat-phishing-email-deploying-malware
Actors/Campaigns:
Apt37
Threats:
Konni
Vba/agent.aif!tr
Industry:
Government
Geo:
Russian, Japan, Dprk, Russia, China, Korea, Ukraine
IOCs:
File: 2
Domain: 1
IP: 1
Hash: 3
Softs:
microsoft powerpoint, microsoft office
Algorithms:
zip
20-09-2022
Meeting the Ministrer
https://www.fortinet.com/blog/threat-research/konni-rat-phishing-email-deploying-malware
Actors/Campaigns:
Apt37
Threats:
Konni
Vba/agent.aif!tr
Industry:
Government
Geo:
Russian, Japan, Dprk, Russia, China, Korea, Ukraine
IOCs:
File: 2
Domain: 1
IP: 1
Hash: 3
Softs:
microsoft powerpoint, microsoft office
Algorithms:
zip
Fortinet Blog
Meeting the “Ministrer”
FortiGuard Labs discovered an unassuming phishing email that attempts to deploy malware. The actions used to execute this strategy are consistent with Konni, a RAT that has been tied to the group A…
#ParsedReport
20-09-2022
The Evolution of the Chromeloader Malware
https://blogs.vmware.com/security/2022/09/the-evolution-of-the-chromeloader-malware.html
Threats:
Chromeloader
Credential_stealing_technique
Zipbomb_technique
Enigma_tool
Industry:
Media, Government
IOCs:
Path: 2
File: 37
Registry: 9
Domain: 9
Url: 2
Softs:
macos, chrome, node.js, chromium, utorrent, bittorrent
Algorithms:
base64, zip
Functions:
OpenSubtitles
Languages:
javascript
20-09-2022
The Evolution of the Chromeloader Malware
https://blogs.vmware.com/security/2022/09/the-evolution-of-the-chromeloader-malware.html
Threats:
Chromeloader
Credential_stealing_technique
Zipbomb_technique
Enigma_tool
Industry:
Media, Government
IOCs:
Path: 2
File: 37
Registry: 9
Domain: 9
Url: 2
Softs:
macos, chrome, node.js, chromium, utorrent, bittorrent
Algorithms:
base64, zip
Functions:
OpenSubtitles
Languages:
javascript
VMware Security Blog
The Evolution of the Chromeloader Malware
The VMware Carbon Black MDR team goes in depth on the latest variants of the Chromeloader malware and how to detect them.
#ParsedReport
20-09-2022
New Malware Campaign Targets Zoom Users
https://blog.cyble.com/2022/09/19/new-malware-campaign-targets-zoom-users
Threats:
Vidar_stealer
Arkei_stealer
Beacon
Industry:
E-commerce, Financial
Geo:
Dubai, Australia, Georgia, India, Singapore
TTPs:
Tactics: 7
Technics: 13
IOCs:
Domain: 6
Url: 3
File: 2
Path: 2
IP: 3
Hash: 1
Softs:
zoom, telegram
20-09-2022
New Malware Campaign Targets Zoom Users
https://blog.cyble.com/2022/09/19/new-malware-campaign-targets-zoom-users
Threats:
Vidar_stealer
Arkei_stealer
Beacon
Industry:
E-commerce, Financial
Geo:
Dubai, Australia, Georgia, India, Singapore
TTPs:
Tactics: 7
Technics: 13
IOCs:
Domain: 6
Url: 3
File: 2
Path: 2
IP: 3
Hash: 1
Softs:
zoom, telegram
#ParsedReport
21-09-2022
ASEC Weekly Malware Statistics (September 5th, 2022 September 11th, 2022)
https://asec.ahnlab.com/en/38942
Threats:
Cloudeye
Formbook
Agent_tesla
Remcos_rat
Nanocore_rat
Lokibot_stealer
Smokeloader
Clipboard_grabbing_technique
Industry:
Transport
Geo:
Korea
IOCs:
Url: 30
File: 15
Email: 4
Softs:
nsis installer, discord
Languages:
visual_basic
21-09-2022
ASEC Weekly Malware Statistics (September 5th, 2022 September 11th, 2022)
https://asec.ahnlab.com/en/38942
Threats:
Cloudeye
Formbook
Agent_tesla
Remcos_rat
Nanocore_rat
Lokibot_stealer
Smokeloader
Clipboard_grabbing_technique
Industry:
Transport
Geo:
Korea
IOCs:
Url: 30
File: 15
Email: 4
Softs:
nsis installer, discord
Languages:
visual_basic
ASEC BLOG
ASEC Weekly Malware Statistics (September 5th, 2022 – September 11th, 2022) - ASEC BLOG
The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from September 5th, 2022 (Monday) to September 11th, 2022 (Sunday). For the main category…
#ParsedReport
21-09-2022
Video of Blocking Latest Magniber Ransomware Using V3 (AMSI + Memory Scan)
https://asec.ahnlab.com/en/39030
Threats:
Magniber
IOCs:
Hash: 2
Languages:
javascript
21-09-2022
Video of Blocking Latest Magniber Ransomware Using V3 (AMSI + Memory Scan)
https://asec.ahnlab.com/en/39030
Threats:
Magniber
IOCs:
Hash: 2
Languages:
javascript
ASEC BLOG
Video of Blocking Latest Magniber Ransomware Using V3 (AMSI + Memory Scan) - ASEC BLOG
The ASEC analysis team introduced the Magniber variants in the blog posted on September 15th. From September 16th, the Magniber ransomware script, whilst still a javascript, has its file extension changed from *.jse to *.js. As Magniber changed to javascript…
#ParsedReport
21-09-2022
Native function and Assembly Code Invocation
https://research.checkpoint.com/2022/native-function-and-assembly-code-invocation
Threats:
Grief
Dumpulator_tool
Unicorn
Miniduke
Medusalocker
Minidump_tool
Process_hacker_tool
IOCs:
Hash: 1
File: 19
Softs:
process explorer, speakeasy, qemu
Functions:
APPCALL_MANUAL, SetCondBPonRet, cleanup_appcall
Win API:
MiniDumpWriteDump
Languages:
python
Platforms:
x86
Links:
21-09-2022
Native function and Assembly Code Invocation
https://research.checkpoint.com/2022/native-function-and-assembly-code-invocation
Threats:
Grief
Dumpulator_tool
Unicorn
Miniduke
Medusalocker
Minidump_tool
Process_hacker_tool
IOCs:
Hash: 1
File: 19
Softs:
process explorer, speakeasy, qemu
Functions:
APPCALL_MANUAL, SetCondBPonRet, cleanup_appcall
Win API:
MiniDumpWriteDump
Languages:
python
Platforms:
x86
Links:
https://github.com/mrexodia/MiniDumpPlugin
https://github.com/unicorn-engine/unicorn
https://github.com/unicorn-engine/unicorn/tree/master/bindings/python
https://github.com/mrexodia/dumpulatorCheck Point Research
Native function and Assembly Code Invocation - Check Point Research
Introduction For a reverse engineer, the ability to directly call a function from the analyzed binary can be a shortcut that bypasses a lot of grief. While in some cases it is just possible to understand the function logic and reimplement it in a higher-level…
#ParsedReport
21-09-2022
NetSupport RAT Distributed Via SocGholish
https://blog.cyble.com/2022/09/21/netsupport-rat-distributed-via-socgholish
Actors/Campaigns:
Fakeupdates
Threats:
Netsupportmanager_rat
Socgholish_loader
Cobalt_strike
Beacon
Dll_sideloading_technique
Process_injection_technique
Geo:
Dubai, India, Australia, Georgia, Singapore
TTPs:
Tactics: 6
Technics: 12
IOCs:
File: 3
Path: 1
Url: 4
IP: 2
Hash: 6
Softs:
microsoft teams, chrome
Algorithms:
gzip, zip
Languages:
javascript
21-09-2022
NetSupport RAT Distributed Via SocGholish
https://blog.cyble.com/2022/09/21/netsupport-rat-distributed-via-socgholish
Actors/Campaigns:
Fakeupdates
Threats:
Netsupportmanager_rat
Socgholish_loader
Cobalt_strike
Beacon
Dll_sideloading_technique
Process_injection_technique
Geo:
Dubai, India, Australia, Georgia, Singapore
TTPs:
Tactics: 6
Technics: 12
IOCs:
File: 3
Path: 1
Url: 4
IP: 2
Hash: 6
Softs:
microsoft teams, chrome
Algorithms:
gzip, zip
Languages:
javascript
Cyble
Cyble - NetSupport RAT Distributed Via SocGholish
Cyble Research and Intelligence Labs analyzes how NetSupport RAT is delivered to victims through SocGholish.
#ParsedReport
21-09-2022
NSIS LockBit 3.0. NSIS -type Lockbit 3.0 ransomware
https://asec.ahnlab.com/ko/39071
Threats:
Lockbit
Ransom/mdp.event.m4353
Geo:
Korean
IOCs:
File: 1
Hash: 2
Softs:
ws security center servic
21-09-2022
NSIS LockBit 3.0. NSIS -type Lockbit 3.0 ransomware
https://asec.ahnlab.com/ko/39071
Threats:
Lockbit
Ransom/mdp.event.m4353
Geo:
Korean
IOCs:
File: 1
Hash: 2
Softs:
ws security center servic
ASEC BLOG
입사지원 위장 메일로 유포 중인 NSIS형태의 LockBit 3.0 랜섬웨어 - ASEC BLOG
ASEC 분석팀은 LockBit 2.0 랜섬웨어가 메일을 통해 유포되고 있음을 지난 2월, 6월에 걸쳐 블로그에 게시한 바 있는데, 새로운 버전의 LockBit 3.0 랜섬웨어가 유사 방식을 통해 여전히 다수 유포 중 임을 알리고자 한다. 지난 6월에는 저작권 사칭 메일로 다수 유포가 되었던 반면 최근에는 입사지원 관련으로 위장한 피싱 메일을 통해 유포 중이다. 위 메일 캡처와 같이 첨부된 압축 파일명 자체에 압축 비밀번호가 명시된 경우가 있지만, 압축…
#ParsedReport
21-09-2022
Domain Shadowing: A Stealthy Use of DNS Compromise for Cybercrime
https://unit42.paloaltonetworks.com/domain-shadowing
Threats:
Credential_harvesting_technique
Dns_hijacking_technique
Geo:
Japan, Australia, Russia, Japanese
IOCs:
Domain: 14
IP: 6
Url: 1
Email: 1
Platforms:
apple
21-09-2022
Domain Shadowing: A Stealthy Use of DNS Compromise for Cybercrime
https://unit42.paloaltonetworks.com/domain-shadowing
Threats:
Credential_harvesting_technique
Dns_hijacking_technique
Geo:
Japan, Australia, Russia, Japanese
IOCs:
Domain: 14
IP: 6
Url: 1
Email: 1
Platforms:
apple
Unit 42
Domain Shadowing: A Stealthy Use of DNS Compromise for Cybercrime
Domain shadowing is a special case of DNS hijacking where attackers stealthily create malicious subdomains under compromised domain names.
#ParsedReport
21-09-2022
Technical Analysis of Crytox Ransomware. Key points
https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware
Threats:
Upx_tool
Win64.ransom.crytox
Geo:
Netherlands
IOCs:
Hash: 13
Registry: 2
Path: 1
File: 8
Softs:
vssadmin
Algorithms:
aes, aes-cbc
Functions:
ShChangeNotify
Win API:
CryptGenKey, SeBackupPrivilege, SeRestorePrivilege, WNetOpenEnumW, WNetEnumResourceW, GetLogicalDrives, GetTickCount
Platforms:
intel, x86
Links:
21-09-2022
Technical Analysis of Crytox Ransomware. Key points
https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware
Threats:
Upx_tool
Win64.ransom.crytox
Geo:
Netherlands
IOCs:
Hash: 13
Registry: 2
Path: 1
File: 8
Softs:
vssadmin
Algorithms:
aes, aes-cbc
Functions:
ShChangeNotify
Win API:
CryptGenKey, SeBackupPrivilege, SeRestorePrivilege, WNetOpenEnumW, WNetEnumResourceW, GetLogicalDrives, GetTickCount
Platforms:
intel, x86
Links:
https://github.com/uTox/uToxZscaler
Technical Analysis of Crytox Ransomware | Zscaler Blog
Technical Analysis of Crytox Ransomware: A multi-stage ransomware with a weak key generation algorithm. Read more.