CTT Report Hub
3.41K subscribers
9.74K photos
6 videos
67 files
13.4K links
Threat Intelligence Report Hub
Download Telegram
#ParsedReport
20-09-2022

Meeting the Ministrer

https://www.fortinet.com/blog/threat-research/konni-rat-phishing-email-deploying-malware

Actors/Campaigns:
Apt37

Threats:
Konni
Vba/agent.aif!tr

Industry:
Government

Geo:
Russian, Japan, Dprk, Russia, China, Korea, Ukraine

IOCs:
File: 2
Domain: 1
IP: 1
Hash: 3

Softs:
microsoft powerpoint, microsoft office

Algorithms:
zip
#ParsedReport
20-09-2022

The Evolution of the Chromeloader Malware

https://blogs.vmware.com/security/2022/09/the-evolution-of-the-chromeloader-malware.html

Threats:
Chromeloader
Credential_stealing_technique
Zipbomb_technique
Enigma_tool

Industry:
Media, Government

IOCs:
Path: 2
File: 37
Registry: 9
Domain: 9
Url: 2

Softs:
macos, chrome, node.js, chromium, utorrent, bittorrent

Algorithms:
base64, zip

Functions:
OpenSubtitles

Languages:
javascript
#ParsedReport
20-09-2022

New Malware Campaign Targets Zoom Users

https://blog.cyble.com/2022/09/19/new-malware-campaign-targets-zoom-users

Threats:
Vidar_stealer
Arkei_stealer
Beacon

Industry:
E-commerce, Financial

Geo:
Dubai, Australia, Georgia, India, Singapore

TTPs:
Tactics: 7
Technics: 13

IOCs:
Domain: 6
Url: 3
File: 2
Path: 2
IP: 3
Hash: 1

Softs:
zoom, telegram
#ParsedReport
21-09-2022

ASEC Weekly Malware Statistics (September 5th, 2022 September 11th, 2022)

https://asec.ahnlab.com/en/38942

Threats:
Cloudeye
Formbook
Agent_tesla
Remcos_rat
Nanocore_rat
Lokibot_stealer
Smokeloader
Clipboard_grabbing_technique

Industry:
Transport

Geo:
Korea

IOCs:
Url: 30
File: 15
Email: 4

Softs:
nsis installer, discord

Languages:
visual_basic
#ParsedReport
21-09-2022

Native function and Assembly Code Invocation

https://research.checkpoint.com/2022/native-function-and-assembly-code-invocation

Threats:
Grief
Dumpulator_tool
Unicorn
Miniduke
Medusalocker
Minidump_tool
Process_hacker_tool

IOCs:
Hash: 1
File: 19

Softs:
process explorer, speakeasy, qemu

Functions:
APPCALL_MANUAL, SetCondBPonRet, cleanup_appcall

Win API:
MiniDumpWriteDump

Languages:
python

Platforms:
x86

Links:
https://github.com/mrexodia/MiniDumpPlugin
https://github.com/unicorn-engine/unicorn
https://github.com/unicorn-engine/unicorn/tree/master/bindings/python
https://github.com/mrexodia/dumpulator
#ParsedReport
21-09-2022

NetSupport RAT Distributed Via SocGholish

https://blog.cyble.com/2022/09/21/netsupport-rat-distributed-via-socgholish

Actors/Campaigns:
Fakeupdates

Threats:
Netsupportmanager_rat
Socgholish_loader
Cobalt_strike
Beacon
Dll_sideloading_technique
Process_injection_technique

Geo:
Dubai, India, Australia, Georgia, Singapore

TTPs:
Tactics: 6
Technics: 12

IOCs:
File: 3
Path: 1
Url: 4
IP: 2
Hash: 6

Softs:
microsoft teams, chrome

Algorithms:
gzip, zip

Languages:
javascript
#ParsedReport
21-09-2022

Domain Shadowing: A Stealthy Use of DNS Compromise for Cybercrime

https://unit42.paloaltonetworks.com/domain-shadowing

Threats:
Credential_harvesting_technique
Dns_hijacking_technique

Geo:
Japan, Australia, Russia, Japanese

IOCs:
Domain: 14
IP: 6
Url: 1
Email: 1

Platforms:
apple
#ParsedReport
21-09-2022

Technical Analysis of Crytox Ransomware. Key points

https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware

Threats:
Upx_tool
Win64.ransom.crytox

Geo:
Netherlands

IOCs:
Hash: 13
Registry: 2
Path: 1
File: 8

Softs:
vssadmin

Algorithms:
aes, aes-cbc

Functions:
ShChangeNotify

Win API:
CryptGenKey, SeBackupPrivilege, SeRestorePrivilege, WNetOpenEnumW, WNetEnumResourceW, GetLogicalDrives, GetTickCount

Platforms:
intel, x86

Links:
https://github.com/uTox/uTox
#ParsedReport
21-09-2022

Threat Actors Continue to Abuse Google Tag Manager for Payment Card e-Skimming

https://www.recordedfuture.com/threat-actors-continue-to-abuse-google-tag-manager-for-payment-card-e-skimming

Actors/Campaigns:
Magecart

Industry:
E-commerce, Financial

IOCs:
Domain: 2

Algorithms:
xor

Languages:
javascript
#ParsedReport
22-09-2022

Threat Actors Exploit Atlassian ConfluenceRCE Flawto Install Crypto Miners. Threat Actors Exploit Atlassian Confluence RCE Flaw to Install Crypto Miners

https://socradar.io/threat-actors-exploit-atlassian-confluence-rce-flaw-to-install-crypto-miners

Threats:
Hezb

CVEs:
CVE-2022-26134 [Vulners]
Vulners: Score: 7.5, CVSS: 6.8,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- atlassian confluence data center (7.18.0, <7.17.4, <7.16.4, <7.15.2, <7.14.3, <7.13.7, <7.4.17)
- atlassian confluence server (7.18.0, <7.17.4, <7.16.4, <7.15.2, <7.14.3, <7.13.7, <7.4.17)


TTPs:
Tactics: 1
Technics: 12

IOCs:
IP: 4
Url: 8
Hash: 2

Softs:
confluence, curl
#ParsedReport
22-09-2022

7 Years of Scarlet Mimics Mobile Surveillance Campaign Targeting Uyghurs. Introduction

https://research.checkpoint.com/2022/never-truly-left-7-years-of-scarlet-mimics-mobile-surveillance-campaign-targeting-uyghurs

Actors/Campaigns:
Scarlet_mimic (motivation: cyber_espionage)

Threats:
Mobileorder
Jaderat
Dead_drop_technique

Industry:
Healthcare, Transport

Geo:
Norway, China, Asia, Chinas, Yemen, Chinese, Tibetan

TTPs:
Tactics: 1
Technics: 0

IOCs:
File: 3
Hash: 30
Domain: 7
IP: 3
Url: 4

Softs:
android, macos

Algorithms:
aes, base64
#ParsedReport
22-09-2022

Raspberry Robins Roshtyak: A Little Lesson in Trickery

https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/?utm_source=rss&utm_medium=rss&utm_campaign=raspberry-robins-roshtyak-a-little-lesson-in-trickery

Actors/Campaigns:
Evil_corp

Threats:
Raspberry_robin
Roshtyak
Apc_injection_technique
Medusalocker
Browserassistant
Sandbox_evasion_technique
Trap flag_technique
Uac_bypass_technique
Uacme
Lolbin
Beacon
Rapsberry_robin

CVEs:
CVE-2021-1732 [Vulners]
Vulners: Score: 4.6, CVSS: 4.3,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft windows 10 (20h2, 1803, 1809, 1909, 2004)
- microsoft windows server 2016 (20h2, 1909, 2004)
- microsoft windows server 2019 (-)

CVE-2020-1054 [Vulners]
Vulners: Score: 7.2, CVSS: 3.7,
Vulners: Exploitation: True
X-Force: Risk: 7
X-Force: Patch: Official fix
Soft:
- microsoft windows 10 (-, 1607, 1709, 1803, 1809, 1903, 1909)
- microsoft windows 7 (-)
- microsoft windows 8.1 (-)
- microsoft windows rt 8.1 (-)
- microsoft windows server 2008 (-, r2, r2)
have more...

TTPs:
Tactics: 3
Technics: 0

IOCs:
File: 27
Path: 3
Registry: 4
Url: 1
Domain: 202
Hash: 66

Softs:
microsoft office, process explorer, psexec, windows shell, active directory

Algorithms:
base64, prng, zip, rc4, xor

Win API:
MulDiv, TerminateProcess, NtQueueApcThreadEx, VirtualFree, UnmapViewOfFile, RtlExitUserThread, RtlAddVectoredExceptionHandler, SetUnhandledExceptionFilter, ZwSetInformationProcess, GetThreadContext, have more...

Languages:
java

Platforms:
x64, x86

Links:
https://github.com/hfiref0x/UACME
https://github.com/avast/ioc/tree/master/RaspberryRobin
https://github.com/hfiref0x/UACME/blob/c998cb1f1bafd36f566f17208b915dc48dda5edf/Source/Akagi/methods/hybrids.c#L877
https://github.com/sam-b/windows\_kernel\_address\_leaks/blob/master/HMValidateHandle/HMValidateHandle/HMValidateHandle.cpp
https://github.com/odzhan/injection/blob/master/kct/kct.c
#ParsedReport
22-09-2022

Noberus Ransomware: Darkside and BlackMatter Successor Continues to Evolve its Tactics

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-ransomware-ttps

Actors/Campaigns:
Blackcat (motivation: information_theft)
Darkside
Blackmatter
Carbanak

Threats:
Exmatter_tool
Eamfo
Blackcat
Blackbasta
Lockbit
Yanluowang
Conti
Monti
Gmer_tool

Industry:
Retail, Financial, Healthcare, Education, Government

IOCs:
File: 11
Hash: 11

Softs:
debian

Algorithms:
chacha20, aes

Languages:
rust

Platforms:
arm
#ParsedReport
21-09-2022

EvilProxy: Scaling Phishing Attacks Keeping MFA At Bay

https://www.secureblink.com/cyber-security-news/evil-proxy-scaling-phishing-attacks-keeping-mfa-at-bay

Actors/Campaigns:
Bec

Threats:
Evilproxy
Moloch
Juicestealer

Industry:
E-commerce, Financial

IOCs:
Url: 1
Domain: 7
IP: 3

Softs:
instagram, telegram, docker

Languages:
python, javascript

Platforms:
apple
#ParsedReport
22-09-2022

The Mystery of Metador \| An Unattributed Threat Hiding in Telcos, ISPs, and Universities

https://www.sentinelone.com/labs/the-mystery-of-metador-an-unattributed-threat-hiding-in-telcos-isps-and-universities

Actors/Campaigns:
Metador (motivation: cyber_espionage)
Moshendragon
Muddywater

Threats:
Lolbin
Mafalda
Cryshell
Metamain

Industry:
Education, Telco

Geo:
Iranian, Chinese, Spanish, Africa

IOCs:
File: 4
Path: 2
IP: 1
Domain: 1