#ParsedReport
20-09-2022
Microsoft Exchange servers backdoored with OwlProxy
https://www.telsy.com/microsoft-exchange-servers-backdoored-with-owlproxy-fuscom-dll
Actors/Campaigns:
Chimera
Threats:
Owlproxy
Proxylogon_exploit
Gelsemium
Sessionmanager
Timestomp_technique
Geo:
Chinese
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 3
Hash: 2
Softs:
microsoft exchange, windows service
Algorithms:
base64, xor
Functions:
ServiceMain, parse_and_decrypt_url, CreateEvent
Win API:
HttpAddUrl, HttpReceiveHttpRequest, WSAStartup, HttpSendHttpResponse, HttpSendResponseEntityBody
Languages:
php
20-09-2022
Microsoft Exchange servers backdoored with OwlProxy
https://www.telsy.com/microsoft-exchange-servers-backdoored-with-owlproxy-fuscom-dll
Actors/Campaigns:
Chimera
Threats:
Owlproxy
Proxylogon_exploit
Gelsemium
Sessionmanager
Timestomp_technique
Geo:
Chinese
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 3
Hash: 2
Softs:
microsoft exchange, windows service
Algorithms:
base64, xor
Functions:
ServiceMain, parse_and_decrypt_url, CreateEvent
Win API:
HttpAddUrl, HttpReceiveHttpRequest, WSAStartup, HttpSendHttpResponse, HttpSendResponseEntityBody
Languages:
php
Telsy
Microsoft Exchange servers backdoored with OwlProxy - Telsy
Telsy observed malicious activity in the Microsoft Exchange infrastructure. The analysis revealed a malicious DLL called "fuscom.dll".
#ParsedReport
20-09-2022
Meeting the Ministrer
https://www.fortinet.com/blog/threat-research/konni-rat-phishing-email-deploying-malware
Actors/Campaigns:
Apt37
Threats:
Konni
Vba/agent.aif!tr
Industry:
Government
Geo:
Russian, Japan, Dprk, Russia, China, Korea, Ukraine
IOCs:
File: 2
Domain: 1
IP: 1
Hash: 3
Softs:
microsoft powerpoint, microsoft office
Algorithms:
zip
20-09-2022
Meeting the Ministrer
https://www.fortinet.com/blog/threat-research/konni-rat-phishing-email-deploying-malware
Actors/Campaigns:
Apt37
Threats:
Konni
Vba/agent.aif!tr
Industry:
Government
Geo:
Russian, Japan, Dprk, Russia, China, Korea, Ukraine
IOCs:
File: 2
Domain: 1
IP: 1
Hash: 3
Softs:
microsoft powerpoint, microsoft office
Algorithms:
zip
Fortinet Blog
Meeting the “Ministrer”
FortiGuard Labs discovered an unassuming phishing email that attempts to deploy malware. The actions used to execute this strategy are consistent with Konni, a RAT that has been tied to the group A…
#ParsedReport
20-09-2022
The Evolution of the Chromeloader Malware
https://blogs.vmware.com/security/2022/09/the-evolution-of-the-chromeloader-malware.html
Threats:
Chromeloader
Credential_stealing_technique
Zipbomb_technique
Enigma_tool
Industry:
Media, Government
IOCs:
Path: 2
File: 37
Registry: 9
Domain: 9
Url: 2
Softs:
macos, chrome, node.js, chromium, utorrent, bittorrent
Algorithms:
base64, zip
Functions:
OpenSubtitles
Languages:
javascript
20-09-2022
The Evolution of the Chromeloader Malware
https://blogs.vmware.com/security/2022/09/the-evolution-of-the-chromeloader-malware.html
Threats:
Chromeloader
Credential_stealing_technique
Zipbomb_technique
Enigma_tool
Industry:
Media, Government
IOCs:
Path: 2
File: 37
Registry: 9
Domain: 9
Url: 2
Softs:
macos, chrome, node.js, chromium, utorrent, bittorrent
Algorithms:
base64, zip
Functions:
OpenSubtitles
Languages:
javascript
VMware Security Blog
The Evolution of the Chromeloader Malware
The VMware Carbon Black MDR team goes in depth on the latest variants of the Chromeloader malware and how to detect them.
#ParsedReport
20-09-2022
New Malware Campaign Targets Zoom Users
https://blog.cyble.com/2022/09/19/new-malware-campaign-targets-zoom-users
Threats:
Vidar_stealer
Arkei_stealer
Beacon
Industry:
E-commerce, Financial
Geo:
Dubai, Australia, Georgia, India, Singapore
TTPs:
Tactics: 7
Technics: 13
IOCs:
Domain: 6
Url: 3
File: 2
Path: 2
IP: 3
Hash: 1
Softs:
zoom, telegram
20-09-2022
New Malware Campaign Targets Zoom Users
https://blog.cyble.com/2022/09/19/new-malware-campaign-targets-zoom-users
Threats:
Vidar_stealer
Arkei_stealer
Beacon
Industry:
E-commerce, Financial
Geo:
Dubai, Australia, Georgia, India, Singapore
TTPs:
Tactics: 7
Technics: 13
IOCs:
Domain: 6
Url: 3
File: 2
Path: 2
IP: 3
Hash: 1
Softs:
zoom, telegram
#ParsedReport
21-09-2022
ASEC Weekly Malware Statistics (September 5th, 2022 September 11th, 2022)
https://asec.ahnlab.com/en/38942
Threats:
Cloudeye
Formbook
Agent_tesla
Remcos_rat
Nanocore_rat
Lokibot_stealer
Smokeloader
Clipboard_grabbing_technique
Industry:
Transport
Geo:
Korea
IOCs:
Url: 30
File: 15
Email: 4
Softs:
nsis installer, discord
Languages:
visual_basic
21-09-2022
ASEC Weekly Malware Statistics (September 5th, 2022 September 11th, 2022)
https://asec.ahnlab.com/en/38942
Threats:
Cloudeye
Formbook
Agent_tesla
Remcos_rat
Nanocore_rat
Lokibot_stealer
Smokeloader
Clipboard_grabbing_technique
Industry:
Transport
Geo:
Korea
IOCs:
Url: 30
File: 15
Email: 4
Softs:
nsis installer, discord
Languages:
visual_basic
ASEC BLOG
ASEC Weekly Malware Statistics (September 5th, 2022 – September 11th, 2022) - ASEC BLOG
The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from September 5th, 2022 (Monday) to September 11th, 2022 (Sunday). For the main category…
#ParsedReport
21-09-2022
Video of Blocking Latest Magniber Ransomware Using V3 (AMSI + Memory Scan)
https://asec.ahnlab.com/en/39030
Threats:
Magniber
IOCs:
Hash: 2
Languages:
javascript
21-09-2022
Video of Blocking Latest Magniber Ransomware Using V3 (AMSI + Memory Scan)
https://asec.ahnlab.com/en/39030
Threats:
Magniber
IOCs:
Hash: 2
Languages:
javascript
ASEC BLOG
Video of Blocking Latest Magniber Ransomware Using V3 (AMSI + Memory Scan) - ASEC BLOG
The ASEC analysis team introduced the Magniber variants in the blog posted on September 15th. From September 16th, the Magniber ransomware script, whilst still a javascript, has its file extension changed from *.jse to *.js. As Magniber changed to javascript…
#ParsedReport
21-09-2022
Native function and Assembly Code Invocation
https://research.checkpoint.com/2022/native-function-and-assembly-code-invocation
Threats:
Grief
Dumpulator_tool
Unicorn
Miniduke
Medusalocker
Minidump_tool
Process_hacker_tool
IOCs:
Hash: 1
File: 19
Softs:
process explorer, speakeasy, qemu
Functions:
APPCALL_MANUAL, SetCondBPonRet, cleanup_appcall
Win API:
MiniDumpWriteDump
Languages:
python
Platforms:
x86
Links:
21-09-2022
Native function and Assembly Code Invocation
https://research.checkpoint.com/2022/native-function-and-assembly-code-invocation
Threats:
Grief
Dumpulator_tool
Unicorn
Miniduke
Medusalocker
Minidump_tool
Process_hacker_tool
IOCs:
Hash: 1
File: 19
Softs:
process explorer, speakeasy, qemu
Functions:
APPCALL_MANUAL, SetCondBPonRet, cleanup_appcall
Win API:
MiniDumpWriteDump
Languages:
python
Platforms:
x86
Links:
https://github.com/mrexodia/MiniDumpPlugin
https://github.com/unicorn-engine/unicorn
https://github.com/unicorn-engine/unicorn/tree/master/bindings/python
https://github.com/mrexodia/dumpulatorCheck Point Research
Native function and Assembly Code Invocation - Check Point Research
Introduction For a reverse engineer, the ability to directly call a function from the analyzed binary can be a shortcut that bypasses a lot of grief. While in some cases it is just possible to understand the function logic and reimplement it in a higher-level…
#ParsedReport
21-09-2022
NetSupport RAT Distributed Via SocGholish
https://blog.cyble.com/2022/09/21/netsupport-rat-distributed-via-socgholish
Actors/Campaigns:
Fakeupdates
Threats:
Netsupportmanager_rat
Socgholish_loader
Cobalt_strike
Beacon
Dll_sideloading_technique
Process_injection_technique
Geo:
Dubai, India, Australia, Georgia, Singapore
TTPs:
Tactics: 6
Technics: 12
IOCs:
File: 3
Path: 1
Url: 4
IP: 2
Hash: 6
Softs:
microsoft teams, chrome
Algorithms:
gzip, zip
Languages:
javascript
21-09-2022
NetSupport RAT Distributed Via SocGholish
https://blog.cyble.com/2022/09/21/netsupport-rat-distributed-via-socgholish
Actors/Campaigns:
Fakeupdates
Threats:
Netsupportmanager_rat
Socgholish_loader
Cobalt_strike
Beacon
Dll_sideloading_technique
Process_injection_technique
Geo:
Dubai, India, Australia, Georgia, Singapore
TTPs:
Tactics: 6
Technics: 12
IOCs:
File: 3
Path: 1
Url: 4
IP: 2
Hash: 6
Softs:
microsoft teams, chrome
Algorithms:
gzip, zip
Languages:
javascript
Cyble
Cyble - NetSupport RAT Distributed Via SocGholish
Cyble Research and Intelligence Labs analyzes how NetSupport RAT is delivered to victims through SocGholish.
#ParsedReport
21-09-2022
NSIS LockBit 3.0. NSIS -type Lockbit 3.0 ransomware
https://asec.ahnlab.com/ko/39071
Threats:
Lockbit
Ransom/mdp.event.m4353
Geo:
Korean
IOCs:
File: 1
Hash: 2
Softs:
ws security center servic
21-09-2022
NSIS LockBit 3.0. NSIS -type Lockbit 3.0 ransomware
https://asec.ahnlab.com/ko/39071
Threats:
Lockbit
Ransom/mdp.event.m4353
Geo:
Korean
IOCs:
File: 1
Hash: 2
Softs:
ws security center servic
ASEC BLOG
입사지원 위장 메일로 유포 중인 NSIS형태의 LockBit 3.0 랜섬웨어 - ASEC BLOG
ASEC 분석팀은 LockBit 2.0 랜섬웨어가 메일을 통해 유포되고 있음을 지난 2월, 6월에 걸쳐 블로그에 게시한 바 있는데, 새로운 버전의 LockBit 3.0 랜섬웨어가 유사 방식을 통해 여전히 다수 유포 중 임을 알리고자 한다. 지난 6월에는 저작권 사칭 메일로 다수 유포가 되었던 반면 최근에는 입사지원 관련으로 위장한 피싱 메일을 통해 유포 중이다. 위 메일 캡처와 같이 첨부된 압축 파일명 자체에 압축 비밀번호가 명시된 경우가 있지만, 압축…
#ParsedReport
21-09-2022
Domain Shadowing: A Stealthy Use of DNS Compromise for Cybercrime
https://unit42.paloaltonetworks.com/domain-shadowing
Threats:
Credential_harvesting_technique
Dns_hijacking_technique
Geo:
Japan, Australia, Russia, Japanese
IOCs:
Domain: 14
IP: 6
Url: 1
Email: 1
Platforms:
apple
21-09-2022
Domain Shadowing: A Stealthy Use of DNS Compromise for Cybercrime
https://unit42.paloaltonetworks.com/domain-shadowing
Threats:
Credential_harvesting_technique
Dns_hijacking_technique
Geo:
Japan, Australia, Russia, Japanese
IOCs:
Domain: 14
IP: 6
Url: 1
Email: 1
Platforms:
apple
Unit 42
Domain Shadowing: A Stealthy Use of DNS Compromise for Cybercrime
Domain shadowing is a special case of DNS hijacking where attackers stealthily create malicious subdomains under compromised domain names.
#ParsedReport
21-09-2022
Technical Analysis of Crytox Ransomware. Key points
https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware
Threats:
Upx_tool
Win64.ransom.crytox
Geo:
Netherlands
IOCs:
Hash: 13
Registry: 2
Path: 1
File: 8
Softs:
vssadmin
Algorithms:
aes, aes-cbc
Functions:
ShChangeNotify
Win API:
CryptGenKey, SeBackupPrivilege, SeRestorePrivilege, WNetOpenEnumW, WNetEnumResourceW, GetLogicalDrives, GetTickCount
Platforms:
intel, x86
Links:
21-09-2022
Technical Analysis of Crytox Ransomware. Key points
https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware
Threats:
Upx_tool
Win64.ransom.crytox
Geo:
Netherlands
IOCs:
Hash: 13
Registry: 2
Path: 1
File: 8
Softs:
vssadmin
Algorithms:
aes, aes-cbc
Functions:
ShChangeNotify
Win API:
CryptGenKey, SeBackupPrivilege, SeRestorePrivilege, WNetOpenEnumW, WNetEnumResourceW, GetLogicalDrives, GetTickCount
Platforms:
intel, x86
Links:
https://github.com/uTox/uToxZscaler
Technical Analysis of Crytox Ransomware | Zscaler Blog
Technical Analysis of Crytox Ransomware: A multi-stage ransomware with a weak key generation algorithm. Read more.
#ParsedReport
21-09-2022
Threat Actors Continue to Abuse Google Tag Manager for Payment Card e-Skimming
https://www.recordedfuture.com/threat-actors-continue-to-abuse-google-tag-manager-for-payment-card-e-skimming
Actors/Campaigns:
Magecart
Industry:
E-commerce, Financial
IOCs:
Domain: 2
Algorithms:
xor
Languages:
javascript
21-09-2022
Threat Actors Continue to Abuse Google Tag Manager for Payment Card e-Skimming
https://www.recordedfuture.com/threat-actors-continue-to-abuse-google-tag-manager-for-payment-card-e-skimming
Actors/Campaigns:
Magecart
Industry:
E-commerce, Financial
IOCs:
Domain: 2
Algorithms:
xor
Languages:
javascript
#ParsedReport
21-09-2022
Rewards plus: Fake mobile banking rewards apps lure users to install info-stealing RAT on Android devices
https://www.microsoft.com/security/blog/2022/09/21/rewards-plus-fake-mobile-banking-rewards-apps-lure-users-to-install-info-stealing-rat-on-android-devices
Industry:
Financial
Geo:
India, Indian
TTPs:
IOCs:
File: 3
Url: 1
Hash: 4
Softs:
android, microsoft 365 defender, microsoft defender for endpoint
Algorithms:
base64, aes
Functions:
OnCreate, AutoStartService
21-09-2022
Rewards plus: Fake mobile banking rewards apps lure users to install info-stealing RAT on Android devices
https://www.microsoft.com/security/blog/2022/09/21/rewards-plus-fake-mobile-banking-rewards-apps-lure-users-to-install-info-stealing-rat-on-android-devices
Industry:
Financial
Geo:
India, Indian
TTPs:
IOCs:
File: 3
Url: 1
Hash: 4
Softs:
android, microsoft 365 defender, microsoft defender for endpoint
Algorithms:
base64, aes
Functions:
OnCreate, AutoStartService
Microsoft News
Rewards plus: Fake mobile banking rewards apps lure users to install info-stealing RAT on Android devices
A fake mobile banking rewards app delivered through a link in an SMS campaign has been making the rounds, targeting customers of Indian banking institutions. Users who install the mobile app are unknowingly installing an Android malware with remote access…
#ParsedReport
22-09-2022
Analysis Report on Lazarus Groups Rootkit Attack Using BYOVD
https://asec.ahnlab.com/en/38993
Actors/Campaigns:
Lazarus
Threats:
Byovd_technique
Industry:
Healthcare, Financial
Geo:
Koreas, America, Korea, Asia
IOCs:
File: 3
Algorithms:
aes
22-09-2022
Analysis Report on Lazarus Groups Rootkit Attack Using BYOVD
https://asec.ahnlab.com/en/38993
Actors/Campaigns:
Lazarus
Threats:
Byovd_technique
Industry:
Healthcare, Financial
Geo:
Koreas, America, Korea, Asia
IOCs:
File: 3
Algorithms:
aes
ASEC
Analysis Report on Lazarus Group’s Rootkit Attack Using BYOVD - ASEC
Since 2009, Lazarus Group, known to be a group of hackers in North Korea, has been attacking not only Korea but various countries of America, Asia, and Europe. According to AhnLab’s ASD (AhnLab Smart Defense) infrastructure, in early 2022, the Lazarus Group…
#ParsedReport
22-09-2022
Threat Actors Exploit Atlassian ConfluenceRCE Flawto Install Crypto Miners. Threat Actors Exploit Atlassian Confluence RCE Flaw to Install Crypto Miners
https://socradar.io/threat-actors-exploit-atlassian-confluence-rce-flaw-to-install-crypto-miners
Threats:
Hezb
CVEs:
CVE-2022-26134 [Vulners]
Vulners: Score: 7.5, CVSS: 6.8,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- atlassian confluence data center (7.18.0, <7.17.4, <7.16.4, <7.15.2, <7.14.3, <7.13.7, <7.4.17)
- atlassian confluence server (7.18.0, <7.17.4, <7.16.4, <7.15.2, <7.14.3, <7.13.7, <7.4.17)
TTPs:
Tactics: 1
Technics: 12
IOCs:
IP: 4
Url: 8
Hash: 2
Softs:
confluence, curl
22-09-2022
Threat Actors Exploit Atlassian ConfluenceRCE Flawto Install Crypto Miners. Threat Actors Exploit Atlassian Confluence RCE Flaw to Install Crypto Miners
https://socradar.io/threat-actors-exploit-atlassian-confluence-rce-flaw-to-install-crypto-miners
Threats:
Hezb
CVEs:
CVE-2022-26134 [Vulners]
Vulners: Score: 7.5, CVSS: 6.8,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- atlassian confluence data center (7.18.0, <7.17.4, <7.16.4, <7.15.2, <7.14.3, <7.13.7, <7.4.17)
- atlassian confluence server (7.18.0, <7.17.4, <7.16.4, <7.15.2, <7.14.3, <7.13.7, <7.4.17)
TTPs:
Tactics: 1
Technics: 12
IOCs:
IP: 4
Url: 8
Hash: 2
Softs:
confluence, curl
SOCRadar® Cyber Intelligence Inc.
Threat Actors Exploit Atlassian Confluence RCE Flaw to Install Crypto Miners - SOCRadar® Cyber Intelligence Inc.
Unpatched Atlassian Confluence Server instances are vulnerable to a critical RCE flaw. The flaw, tracked as CVE-2022-26134 (CVSS score: 9.8),
#ParsedReport
22-09-2022
7 Years of Scarlet Mimics Mobile Surveillance Campaign Targeting Uyghurs. Introduction
https://research.checkpoint.com/2022/never-truly-left-7-years-of-scarlet-mimics-mobile-surveillance-campaign-targeting-uyghurs
Actors/Campaigns:
Scarlet_mimic (motivation: cyber_espionage)
Threats:
Mobileorder
Jaderat
Dead_drop_technique
Industry:
Healthcare, Transport
Geo:
Norway, China, Asia, Chinas, Yemen, Chinese, Tibetan
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 3
Hash: 30
Domain: 7
IP: 3
Url: 4
Softs:
android, macos
Algorithms:
aes, base64
22-09-2022
7 Years of Scarlet Mimics Mobile Surveillance Campaign Targeting Uyghurs. Introduction
https://research.checkpoint.com/2022/never-truly-left-7-years-of-scarlet-mimics-mobile-surveillance-campaign-targeting-uyghurs
Actors/Campaigns:
Scarlet_mimic (motivation: cyber_espionage)
Threats:
Mobileorder
Jaderat
Dead_drop_technique
Industry:
Healthcare, Transport
Geo:
Norway, China, Asia, Chinas, Yemen, Chinese, Tibetan
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 3
Hash: 30
Domain: 7
IP: 3
Url: 4
Softs:
android, macos
Algorithms:
aes, base64
Check Point Research
7 Years of Scarlet Mimic’s Mobile Surveillance Campaign Targeting Uyghurs - Check Point Research
Introduction In 2022, Check Point Research (CPR) observed a new wave of a long-standing campaign targeting the Uyghur community, a Turkic ethnic group originating from Central Asia, one of the largest minority ethnic groups in China. This malicious activity…
#ParsedReport
22-09-2022
Raspberry Robins Roshtyak: A Little Lesson in Trickery
https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/?utm_source=rss&utm_medium=rss&utm_campaign=raspberry-robins-roshtyak-a-little-lesson-in-trickery
Actors/Campaigns:
Evil_corp
Threats:
Raspberry_robin
Roshtyak
Apc_injection_technique
Medusalocker
Browserassistant
Sandbox_evasion_technique
Trap flag_technique
Uac_bypass_technique
Uacme
Lolbin
Beacon
Rapsberry_robin
CVEs:
CVE-2021-1732 [Vulners]
Vulners: Score: 4.6, CVSS: 4.3,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft windows 10 (20h2, 1803, 1809, 1909, 2004)
- microsoft windows server 2016 (20h2, 1909, 2004)
- microsoft windows server 2019 (-)
CVE-2020-1054 [Vulners]
Vulners: Score: 7.2, CVSS: 3.7,
Vulners: Exploitation: True
X-Force: Risk: 7
X-Force: Patch: Official fix
Soft:
- microsoft windows 10 (-, 1607, 1709, 1803, 1809, 1903, 1909)
- microsoft windows 7 (-)
- microsoft windows 8.1 (-)
- microsoft windows rt 8.1 (-)
- microsoft windows server 2008 (-, r2, r2)
have more...
TTPs:
Tactics: 3
Technics: 0
IOCs:
File: 27
Path: 3
Registry: 4
Url: 1
Domain: 202
Hash: 66
Softs:
microsoft office, process explorer, psexec, windows shell, active directory
Algorithms:
base64, prng, zip, rc4, xor
Win API:
MulDiv, TerminateProcess, NtQueueApcThreadEx, VirtualFree, UnmapViewOfFile, RtlExitUserThread, RtlAddVectoredExceptionHandler, SetUnhandledExceptionFilter, ZwSetInformationProcess, GetThreadContext, have more...
Languages:
java
Platforms:
x64, x86
Links:
22-09-2022
Raspberry Robins Roshtyak: A Little Lesson in Trickery
https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/?utm_source=rss&utm_medium=rss&utm_campaign=raspberry-robins-roshtyak-a-little-lesson-in-trickery
Actors/Campaigns:
Evil_corp
Threats:
Raspberry_robin
Roshtyak
Apc_injection_technique
Medusalocker
Browserassistant
Sandbox_evasion_technique
Trap flag_technique
Uac_bypass_technique
Uacme
Lolbin
Beacon
Rapsberry_robin
CVEs:
CVE-2021-1732 [Vulners]
Vulners: Score: 4.6, CVSS: 4.3,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft windows 10 (20h2, 1803, 1809, 1909, 2004)
- microsoft windows server 2016 (20h2, 1909, 2004)
- microsoft windows server 2019 (-)
CVE-2020-1054 [Vulners]
Vulners: Score: 7.2, CVSS: 3.7,
Vulners: Exploitation: True
X-Force: Risk: 7
X-Force: Patch: Official fix
Soft:
- microsoft windows 10 (-, 1607, 1709, 1803, 1809, 1903, 1909)
- microsoft windows 7 (-)
- microsoft windows 8.1 (-)
- microsoft windows rt 8.1 (-)
- microsoft windows server 2008 (-, r2, r2)
have more...
TTPs:
Tactics: 3
Technics: 0
IOCs:
File: 27
Path: 3
Registry: 4
Url: 1
Domain: 202
Hash: 66
Softs:
microsoft office, process explorer, psexec, windows shell, active directory
Algorithms:
base64, prng, zip, rc4, xor
Win API:
MulDiv, TerminateProcess, NtQueueApcThreadEx, VirtualFree, UnmapViewOfFile, RtlExitUserThread, RtlAddVectoredExceptionHandler, SetUnhandledExceptionFilter, ZwSetInformationProcess, GetThreadContext, have more...
Languages:
java
Platforms:
x64, x86
Links:
https://github.com/hfiref0x/UACME
https://github.com/avast/ioc/tree/master/RaspberryRobin
https://github.com/hfiref0x/UACME/blob/c998cb1f1bafd36f566f17208b915dc48dda5edf/Source/Akagi/methods/hybrids.c#L877
https://github.com/sam-b/windows\_kernel\_address\_leaks/blob/master/HMValidateHandle/HMValidateHandle/HMValidateHandle.cpp
https://github.com/odzhan/injection/blob/master/kct/kct.cGendigital
Raspberry Robin’s Roshtyak: A Little Lesson in Trickery
Innovative Evasion Techniques in Roshtyak
#ParsedReport
22-09-2022
Noberus Ransomware: Darkside and BlackMatter Successor Continues to Evolve its Tactics
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-ransomware-ttps
Actors/Campaigns:
Blackcat (motivation: information_theft)
Darkside
Blackmatter
Carbanak
Threats:
Exmatter_tool
Eamfo
Blackcat
Blackbasta
Lockbit
Yanluowang
Conti
Monti
Gmer_tool
Industry:
Retail, Financial, Healthcare, Education, Government
IOCs:
File: 11
Hash: 11
Softs:
debian
Algorithms:
chacha20, aes
Languages:
rust
Platforms:
arm
22-09-2022
Noberus Ransomware: Darkside and BlackMatter Successor Continues to Evolve its Tactics
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-ransomware-ttps
Actors/Campaigns:
Blackcat (motivation: information_theft)
Darkside
Blackmatter
Carbanak
Threats:
Exmatter_tool
Eamfo
Blackcat
Blackbasta
Lockbit
Yanluowang
Conti
Monti
Gmer_tool
Industry:
Retail, Financial, Healthcare, Education, Government
IOCs:
File: 11
Hash: 11
Softs:
debian
Algorithms:
chacha20, aes
Languages:
rust
Platforms:
arm
Security
Noberus Ransomware: Darkside and BlackMatter Successor Continues to Evolve its Tactics
New version of Exmatter, and Eamfo malware, used by attackers deploying the Rust-based ransomware.
#ParsedReport
22-09-2022
Threat analysis: Malicious npm package mimics Material Tailwind CSS tool
https://blog.reversinglabs.com/blog/threat-analysis-malicious-npm-package-mimicks-material-tailwind-css-tool
Threats:
Sunburst
IOCs:
Path: 2
IP: 2
Hash: 6
Algorithms:
xor, zip, base64
Languages:
javascript
Platforms:
x86
22-09-2022
Threat analysis: Malicious npm package mimics Material Tailwind CSS tool
https://blog.reversinglabs.com/blog/threat-analysis-malicious-npm-package-mimicks-material-tailwind-css-tool
Threats:
Sunburst
IOCs:
Path: 2
IP: 2
Hash: 6
Algorithms:
xor, zip, base64
Languages:
javascript
Platforms:
x86
ReversingLabs
Threat analysis: Malicious npm package mimics Material Tailwind CSS tool
ReversingLabs has discovered a malicious npm package disguised as the software tool Material Tailwind. Here's an in-depth look at our discovery — and threat analysis. (Updated with MachO executable information.)
#ParsedReport
21-09-2022
EvilProxy: Scaling Phishing Attacks Keeping MFA At Bay
https://www.secureblink.com/cyber-security-news/evil-proxy-scaling-phishing-attacks-keeping-mfa-at-bay
Actors/Campaigns:
Bec
Threats:
Evilproxy
Moloch
Juicestealer
Industry:
E-commerce, Financial
IOCs:
Url: 1
Domain: 7
IP: 3
Softs:
instagram, telegram, docker
Languages:
python, javascript
Platforms:
apple
21-09-2022
EvilProxy: Scaling Phishing Attacks Keeping MFA At Bay
https://www.secureblink.com/cyber-security-news/evil-proxy-scaling-phishing-attacks-keeping-mfa-at-bay
Actors/Campaigns:
Bec
Threats:
Evilproxy
Moloch
Juicestealer
Industry:
E-commerce, Financial
IOCs:
Url: 1
Domain: 7
IP: 3
Softs:
instagram, telegram, docker
Languages:
python, javascript
Platforms:
apple
#ParsedReport
22-09-2022
BYOVD. Root Kit Malware Analysis Report using BYOVD of La Jarus Group
https://asec.ahnlab.com/ko/38593
Actors/Campaigns:
Lazarus
Threats:
Byovd_technique
Industry:
Healthcare, Financial
Geo:
Asia, Korea
IOCs:
File: 6
Algorithms:
aes
22-09-2022
BYOVD. Root Kit Malware Analysis Report using BYOVD of La Jarus Group
https://asec.ahnlab.com/ko/38593
Actors/Campaigns:
Lazarus
Threats:
Byovd_technique
Industry:
Healthcare, Financial
Geo:
Asia, Korea
IOCs:
File: 6
Algorithms:
aes
ASEC
라자루스 그룹의 BYOVD를 활용한 루트킷 악성코드 분석 보고서 - ASEC
북한의 해킹 그룹으로 알려진 라자루스 그룹은 지난 2009년부터 국내를 비롯하여 미국, 아시아, 유럽 등의 다양한 국가를 대상으로 공격을 수행하고 있다. 자사 ASD(AhnLab Smart Defense) 인프라에 따르면 2022년 상반기에 라자루스 그룹은 국내의 방산, 금융, 언론, 제약 산업군에 대해 APT(Advanced Persistent Threat) 공격 활동을 전개하였다. 안랩에서는 이러한 APT 공격을 면밀히 추적하였으며 공격 과정에서 보안…