CTT Report Hub
3.41K subscribers
9.74K photos
6 videos
67 files
13.4K links
Threat Intelligence Report Hub
Download Telegram
#ParsedReport
16-09-2022

BianLian: A new golan based cross functional ransomware in action. Attack Flow

https://www.secureblink.com/cyber-security-news/bian-lian-a-new-golan-based-cross-functional-ransomware-in-action

Threats:
Hydra
Proxyshell_vuln
Bespoke
Winrm_tool

Industry:
Education, Financial, Healthcare

Geo:
America, Australia

CVEs:
CVE-2021-31207 [Vulners]
Vulners: Score: 6.5, CVSS: 1.7,
Vulners: Exploitation: True
X-Force: Risk: 6.6
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)

CVE-2021-34473 [Vulners]
Vulners: Score: 10.0, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 9.1
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)

CVE-2021-34523 [Vulners]
Vulners: Score: 7.5, CVSS: 3.4,
Vulners: Exploitation: True
X-Force: Risk: 9
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)


IOCs:
File: 5
Hash: 1

Softs:
microsoft exchange server

Algorithms:
aes

Win API:
GetProcAddress, CreateThread, GetDriveTypeW, FindFirstFileW, FindNextFileW, MoveFileExW

Languages:
golang
#technique

Maquerade any legitimate Windows binary by changing some fields in the PEB structure

https://github.com/D1rkMtr/MasqueradingPEB
#ParsedReport
19-09-2022

Fake Telegram site delivering RAT aimed at Chinese Users

https://blog.cyble.com/2022/09/17/fake-telegram-site-delivering-rat-aimed-at-chinese-users

Threats:
Dll_sideloading_technique
Process_injection_technique
Uac_bypass_technique

Geo:
Georgia, Dubai, Australia, India, Chinese, Singapore

TTPs:
Tactics: 7
Technics: 8

IOCs:
File: 12
Path: 1
Url: 1
Hash: 2

Softs:
telegram, windows defender, android, macos, chrome, qqbrowser, internet explorer, windows service

Functions:
Shellex, SeDebugPrivilege

Platforms:
x86
#ParsedReport
19-09-2022

New Malware Campaign Targets Zoom Users

https://blog.cyble.com/2022/09/19/new-malware-campaign-targets-zoom-users

Threats:
Vidar_stealer
Arkei_stealer
Beacon

Industry:
Financial, E-commerce

Geo:
Georgia, India, Singapore, Dubai, Australia

TTPs:
Tactics: 7
Technics: 13

IOCs:
Domain: 6
Url: 3
File: 2
Path: 2
IP: 3
Hash: 1

Softs:
zoom, telegram
#ParsedReport
19-09-2022

Ransomware Roundup: Ragnar Locker Ransomware

https://www.fortinet.com/blog/threat-research/ransomware-roundup-ragnar-locker-ransomware

Threats:
Ragnarlocker
Logmein_tool
Powerplant
Lockbit
Maze
Filecoder
W32/delshad.gbt!tr.ransom
Kryptik_trojan
W32/deapax.k!tr.ransom
W32/cryptor.a!tr.ransom
Ramnit

Industry:
Financial, Petroleum, Government, Healthcare

Geo:
America, Greece, Asia

CVEs:
CVE-2017-0213 [Vulners]
Vulners: Score: 1.9, CVSS: 5.4,
Vulners: Exploitation: True
X-Force: Risk: 7
X-Force: Patch: Official fix
Soft:
- microsoft windows 10 (1607, -, 1511, 1703)
- microsoft windows rt 8.1 (*)
- microsoft windows server 2012 (-, r2)
- microsoft windows server 2008 (r2, *)
- microsoft windows 8.1 (*)
have more...

IOCs:
File: 1
Hash: 55

Algorithms:
salsa20
#ParsedReport
20-09-2022

Microsoft Exchange servers backdoored with OwlProxy

https://www.telsy.com/microsoft-exchange-servers-backdoored-with-owlproxy-fuscom-dll

Actors/Campaigns:
Chimera

Threats:
Owlproxy
Proxylogon_exploit
Gelsemium
Sessionmanager
Timestomp_technique

Geo:
Chinese

TTPs:
Tactics: 1
Technics: 0

IOCs:
File: 3
Hash: 2

Softs:
microsoft exchange, windows service

Algorithms:
base64, xor

Functions:
ServiceMain, parse_and_decrypt_url, CreateEvent

Win API:
HttpAddUrl, HttpReceiveHttpRequest, WSAStartup, HttpSendHttpResponse, HttpSendResponseEntityBody

Languages:
php
#ParsedReport
20-09-2022

Meeting the Ministrer

https://www.fortinet.com/blog/threat-research/konni-rat-phishing-email-deploying-malware

Actors/Campaigns:
Apt37

Threats:
Konni
Vba/agent.aif!tr

Industry:
Government

Geo:
Russian, Japan, Dprk, Russia, China, Korea, Ukraine

IOCs:
File: 2
Domain: 1
IP: 1
Hash: 3

Softs:
microsoft powerpoint, microsoft office

Algorithms:
zip
#ParsedReport
20-09-2022

The Evolution of the Chromeloader Malware

https://blogs.vmware.com/security/2022/09/the-evolution-of-the-chromeloader-malware.html

Threats:
Chromeloader
Credential_stealing_technique
Zipbomb_technique
Enigma_tool

Industry:
Media, Government

IOCs:
Path: 2
File: 37
Registry: 9
Domain: 9
Url: 2

Softs:
macos, chrome, node.js, chromium, utorrent, bittorrent

Algorithms:
base64, zip

Functions:
OpenSubtitles

Languages:
javascript
#ParsedReport
20-09-2022

New Malware Campaign Targets Zoom Users

https://blog.cyble.com/2022/09/19/new-malware-campaign-targets-zoom-users

Threats:
Vidar_stealer
Arkei_stealer
Beacon

Industry:
E-commerce, Financial

Geo:
Dubai, Australia, Georgia, India, Singapore

TTPs:
Tactics: 7
Technics: 13

IOCs:
Domain: 6
Url: 3
File: 2
Path: 2
IP: 3
Hash: 1

Softs:
zoom, telegram
#ParsedReport
21-09-2022

ASEC Weekly Malware Statistics (September 5th, 2022 September 11th, 2022)

https://asec.ahnlab.com/en/38942

Threats:
Cloudeye
Formbook
Agent_tesla
Remcos_rat
Nanocore_rat
Lokibot_stealer
Smokeloader
Clipboard_grabbing_technique

Industry:
Transport

Geo:
Korea

IOCs:
Url: 30
File: 15
Email: 4

Softs:
nsis installer, discord

Languages:
visual_basic
#ParsedReport
21-09-2022

Native function and Assembly Code Invocation

https://research.checkpoint.com/2022/native-function-and-assembly-code-invocation

Threats:
Grief
Dumpulator_tool
Unicorn
Miniduke
Medusalocker
Minidump_tool
Process_hacker_tool

IOCs:
Hash: 1
File: 19

Softs:
process explorer, speakeasy, qemu

Functions:
APPCALL_MANUAL, SetCondBPonRet, cleanup_appcall

Win API:
MiniDumpWriteDump

Languages:
python

Platforms:
x86

Links:
https://github.com/mrexodia/MiniDumpPlugin
https://github.com/unicorn-engine/unicorn
https://github.com/unicorn-engine/unicorn/tree/master/bindings/python
https://github.com/mrexodia/dumpulator
#ParsedReport
21-09-2022

NetSupport RAT Distributed Via SocGholish

https://blog.cyble.com/2022/09/21/netsupport-rat-distributed-via-socgholish

Actors/Campaigns:
Fakeupdates

Threats:
Netsupportmanager_rat
Socgholish_loader
Cobalt_strike
Beacon
Dll_sideloading_technique
Process_injection_technique

Geo:
Dubai, India, Australia, Georgia, Singapore

TTPs:
Tactics: 6
Technics: 12

IOCs:
File: 3
Path: 1
Url: 4
IP: 2
Hash: 6

Softs:
microsoft teams, chrome

Algorithms:
gzip, zip

Languages:
javascript
#ParsedReport
21-09-2022

Domain Shadowing: A Stealthy Use of DNS Compromise for Cybercrime

https://unit42.paloaltonetworks.com/domain-shadowing

Threats:
Credential_harvesting_technique
Dns_hijacking_technique

Geo:
Japan, Australia, Russia, Japanese

IOCs:
Domain: 14
IP: 6
Url: 1
Email: 1

Platforms:
apple
#ParsedReport
21-09-2022

Technical Analysis of Crytox Ransomware. Key points

https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware

Threats:
Upx_tool
Win64.ransom.crytox

Geo:
Netherlands

IOCs:
Hash: 13
Registry: 2
Path: 1
File: 8

Softs:
vssadmin

Algorithms:
aes, aes-cbc

Functions:
ShChangeNotify

Win API:
CryptGenKey, SeBackupPrivilege, SeRestorePrivilege, WNetOpenEnumW, WNetEnumResourceW, GetLogicalDrives, GetTickCount

Platforms:
intel, x86

Links:
https://github.com/uTox/uTox
#ParsedReport
21-09-2022

Threat Actors Continue to Abuse Google Tag Manager for Payment Card e-Skimming

https://www.recordedfuture.com/threat-actors-continue-to-abuse-google-tag-manager-for-payment-card-e-skimming

Actors/Campaigns:
Magecart

Industry:
E-commerce, Financial

IOCs:
Domain: 2

Algorithms:
xor

Languages:
javascript