CTT Report Hub
3.41K subscribers
9.74K photos
6 videos
67 files
13.4K links
Threat Intelligence Report Hub
Download Telegram
#ParsedReport
22-09-2022

Threat Actors Exploit Atlassian ConfluenceRCE Flawto Install Crypto Miners. Threat Actors Exploit Atlassian Confluence RCE Flaw to Install Crypto Miners

https://socradar.io/threat-actors-exploit-atlassian-confluence-rce-flaw-to-install-crypto-miners

Threats:
Hezb

CVEs:
CVE-2022-26134 [Vulners]
Vulners: Score: 7.5, CVSS: 6.8,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- atlassian confluence data center (7.18.0, <7.17.4, <7.16.4, <7.15.2, <7.14.3, <7.13.7, <7.4.17)
- atlassian confluence server (7.18.0, <7.17.4, <7.16.4, <7.15.2, <7.14.3, <7.13.7, <7.4.17)


TTPs:
Tactics: 1
Technics: 12

IOCs:
IP: 4
Url: 8
Hash: 2

Softs:
confluence, curl
#ParsedReport
22-09-2022

7 Years of Scarlet Mimics Mobile Surveillance Campaign Targeting Uyghurs. Introduction

https://research.checkpoint.com/2022/never-truly-left-7-years-of-scarlet-mimics-mobile-surveillance-campaign-targeting-uyghurs

Actors/Campaigns:
Scarlet_mimic (motivation: cyber_espionage)

Threats:
Mobileorder
Jaderat
Dead_drop_technique

Industry:
Healthcare, Transport

Geo:
Norway, China, Asia, Chinas, Yemen, Chinese, Tibetan

TTPs:
Tactics: 1
Technics: 0

IOCs:
File: 3
Hash: 30
Domain: 7
IP: 3
Url: 4

Softs:
android, macos

Algorithms:
aes, base64
#ParsedReport
22-09-2022

Raspberry Robins Roshtyak: A Little Lesson in Trickery

https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/?utm_source=rss&utm_medium=rss&utm_campaign=raspberry-robins-roshtyak-a-little-lesson-in-trickery

Actors/Campaigns:
Evil_corp

Threats:
Raspberry_robin
Roshtyak
Apc_injection_technique
Medusalocker
Browserassistant
Sandbox_evasion_technique
Trap flag_technique
Uac_bypass_technique
Uacme
Lolbin
Beacon
Rapsberry_robin

CVEs:
CVE-2021-1732 [Vulners]
Vulners: Score: 4.6, CVSS: 4.3,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft windows 10 (20h2, 1803, 1809, 1909, 2004)
- microsoft windows server 2016 (20h2, 1909, 2004)
- microsoft windows server 2019 (-)

CVE-2020-1054 [Vulners]
Vulners: Score: 7.2, CVSS: 3.7,
Vulners: Exploitation: True
X-Force: Risk: 7
X-Force: Patch: Official fix
Soft:
- microsoft windows 10 (-, 1607, 1709, 1803, 1809, 1903, 1909)
- microsoft windows 7 (-)
- microsoft windows 8.1 (-)
- microsoft windows rt 8.1 (-)
- microsoft windows server 2008 (-, r2, r2)
have more...

TTPs:
Tactics: 3
Technics: 0

IOCs:
File: 27
Path: 3
Registry: 4
Url: 1
Domain: 202
Hash: 66

Softs:
microsoft office, process explorer, psexec, windows shell, active directory

Algorithms:
base64, prng, zip, rc4, xor

Win API:
MulDiv, TerminateProcess, NtQueueApcThreadEx, VirtualFree, UnmapViewOfFile, RtlExitUserThread, RtlAddVectoredExceptionHandler, SetUnhandledExceptionFilter, ZwSetInformationProcess, GetThreadContext, have more...

Languages:
java

Platforms:
x64, x86

Links:
https://github.com/hfiref0x/UACME
https://github.com/avast/ioc/tree/master/RaspberryRobin
https://github.com/hfiref0x/UACME/blob/c998cb1f1bafd36f566f17208b915dc48dda5edf/Source/Akagi/methods/hybrids.c#L877
https://github.com/sam-b/windows\_kernel\_address\_leaks/blob/master/HMValidateHandle/HMValidateHandle/HMValidateHandle.cpp
https://github.com/odzhan/injection/blob/master/kct/kct.c
#ParsedReport
22-09-2022

Noberus Ransomware: Darkside and BlackMatter Successor Continues to Evolve its Tactics

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-ransomware-ttps

Actors/Campaigns:
Blackcat (motivation: information_theft)
Darkside
Blackmatter
Carbanak

Threats:
Exmatter_tool
Eamfo
Blackcat
Blackbasta
Lockbit
Yanluowang
Conti
Monti
Gmer_tool

Industry:
Retail, Financial, Healthcare, Education, Government

IOCs:
File: 11
Hash: 11

Softs:
debian

Algorithms:
chacha20, aes

Languages:
rust

Platforms:
arm
#ParsedReport
21-09-2022

EvilProxy: Scaling Phishing Attacks Keeping MFA At Bay

https://www.secureblink.com/cyber-security-news/evil-proxy-scaling-phishing-attacks-keeping-mfa-at-bay

Actors/Campaigns:
Bec

Threats:
Evilproxy
Moloch
Juicestealer

Industry:
E-commerce, Financial

IOCs:
Url: 1
Domain: 7
IP: 3

Softs:
instagram, telegram, docker

Languages:
python, javascript

Platforms:
apple
#ParsedReport
22-09-2022

The Mystery of Metador \| An Unattributed Threat Hiding in Telcos, ISPs, and Universities

https://www.sentinelone.com/labs/the-mystery-of-metador-an-unattributed-threat-hiding-in-telcos-isps-and-universities

Actors/Campaigns:
Metador (motivation: cyber_espionage)
Moshendragon
Muddywater

Threats:
Lolbin
Mafalda
Cryshell
Metamain

Industry:
Education, Telco

Geo:
Iranian, Chinese, Spanish, Africa

IOCs:
File: 4
Path: 2
IP: 1
Domain: 1
#ParsedReport
23-09-2022

FARGO Ransomware (Mallox) Being Distributed to Vulnerable MS-SQL Servers

https://asec.ahnlab.com/en/39152

Threats:
Mallox
Globeimposter
Cobalt_strike
Asyncrat_rat
Ransomware/win.ransom.c5153317
Dropper/win.dotnet.c5237010
Malware/mdp.download.m1197

IOCs:
File: 4
Hash: 4
Url: 1

Softs:
ms-sql, mysql
#ParsedReport
23-09-2022

Void Balaur \| The Sprawling Infrastructure of a Careless Mercenary

https://www.sentinelone.com/labs/the-sprawling-infrastructure-of-a-careless-mercenary

Actors/Campaigns:
Voidbalaur

Industry:
Government, Financial

Geo:
Kazakhstan, Latvia, Moldova, Russian, Sudan, Brazil, Georgia, Ukraine, Russia, Spain, Taiwan, African

IOCs:
Domain: 6
IP: 1

Softs:
telegram, instagram
#ParsedReport
23-09-2022

Mass email campaign with a pinch of targeted spam

https://securelist.com/agent-tesla-malicious-spam-campaign/107478

Threats:
Agent_tesla
Tightvnc_tool

Geo:
Mexico, Turkey, Malaysian, Bulgarian, America, Brazil, Greek, Malaysia, Germany, Italy, Portugal, Asia, Russian, Vietnam, Spain

IOCs:
File: 2
Hash: 7

Softs:
telegram, chrome, opera, amigo, chedot, chromium, comodo dragon, liebao, orbitum, sleipnir, have more...
#ParsedReport
23-09-2022

A New Attack Wave Targeting Critical Magento Vulnerability

https://socradar.io/a-new-attack-wave-targeting-critical-magento-vulnerability

Industry:
E-commerce

Geo:
Bulgaria

CVEs:
CVE-2022-24087 [Vulners]
Vulners: Score: Unknown, CVSS: 1.5,
Vulners: Exploitation: Unknown
X-Force: Risk: Unknown
X-Force: Patch: Unknown

CVE-2022-24086 [Vulners]
Vulners: Score: 10.0, CVSS: 6.3,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- adobe commerce (<2.3.0, le2.3.6, 2.3.7, 2.3.7, le2.4.2, 2.4.3, 2.4.3)
- magento (<2.3.0, le2.3.6, 2.3.7, 2.3.7, le2.4.2, 2.4.3, 2.4.3)


IOCs:
File: 2
Domain: 1
IP: 3

Languages:
php

Platforms:
apple
#ParsedReport
26-09-2022

Lazarus Operation In(ter)ception Targets macOS Users Dreaming of Jobs in Crypto

https://www.sentinelone.com/blog/lazarus-operation-interception-targets-macos-users-dreaming-of-jobs-in-crypto

Actors/Campaigns:
Lazarus (motivation: cyber_espionage)
Dream_job

Threats:
Nukesped_rat

Industry:
Aerospace

TTPs:
Tactics: 1
Technics: 0

IOCs:
File: 2
Domain: 1
Hash: 3

Softs:
macos, coinbase

Functions:
startDaemon

Platforms:
apple, intel
#ParsedReport
26-09-2022

Stopping Vulnerable Driver Attacks. Key takeaways

https://www.elastic.co/security-labs/stopping-vulnerable-driver-attacks

Threats:
Process_hacker_tool

Softs:
process explorer, windows defender application control

Algorithms:
exhibit

YARA: Found

Links:
https://github.com/winsiderss/systeminformer
https://github.com/Yaxser/Backstab
https://github.com/elastic/detection-rules
https://github.com/br-sn/CheekyBlinder
https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
https://github.com/Cr4sh/KernelForge
https://github.com/MicrosoftDocs/windows-itpro-docs/blob/ce56a2f15015e07bf35cd05ce3299340d16e759a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md?plain=1#L391
https://github.com/elastic/protections-artifacts/search?q=VulnDriver
https://github.com/hfiref0x/KDU
#ParsedReport
26-09-2022

FARGO Ransomware Targets Vulnerable Microsoft SQL Servers

https://socradar.io/fargo-ransomware-targets-vulnerable-microsoft-sql-servers

Actors/Campaigns:
Fakeupdates

Threats:
Mallox
Cobalt_strike
Beacon

Industry:
Financial

IOCs:
File: 2
Path: 1
Hash: 8
Url: 1

Softs:
microsoft sql, ms-sql, telegram

Algorithms:
aes-128, chacha20, curve25519
#ParsedReport
26-09-2022

BumbleBee: Round Two

https://thedfirreport.com/2022/09/26/bumblebee-round-two

Threats:
Bumblebee
Cobalt_strike
Meterpreter_tool
Adfind_tool
Nltest_tool
Beacon
Procdump_tool
Anydesk_tool
Icedid
Conti
Bazarbackdoor
Diavol
Process_injection_technique
Dumplsass_tool
Tur

TTPs:
Tactics: 11
Technics: 17

IOCs:
File: 22
Path: 14
IP: 10
Hash: 3

Softs:
active directory, internet explorer, qemu

Algorithms:
7zip , base64, zip

Win API:
CreateRemoteThread, VirtualAllocEx, CreateThread

SIGMA: Found

Links:
https://github.com/EricZimmerman/LECmd
#ParsedReport
26-09-2022

NullMixer: oodles of Trojans in a single dropper

https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498

Actors/Campaigns:
Pseudomanuscrypt

Threats:
Nullmixer
Smokeloader
Lgoogloader
Socelar
Redline_stealer
Fabookie
Cold_stealer
Beacon
Glupteba
Clipbanker
Formatloader
Csdimonetize
Danabot
Raccoon_stealer
Sgnitloader
Obsidium_tool
Shortloader
Legionloader
Putty_tool
Antivm
C-joker
Privateloader
Garbage_cleaner
Azorult
Vidar_stealer
Predator

Industry:
Financial, Government, E-commerce

Geo:
France, Italy, India, Germany, Turkey, Russia, Egypt, Brazil

TTPs:
Tactics: 1
Technics: 2

IOCs:
File: 19
Path: 1
Url: 31
Hash: 40
IP: 5
Domain: 21

Softs:
windows defender, microsoft edge, opera, nsis installer, chrome, telegram

Algorithms:
base64, zip, xor

Languages:
autoit, delphi
#ParsedReport
27-09-2022

NSIS Type of LockBit 3.0 Ransomware Disguised as Job Application Emails Being Distributed

https://asec.ahnlab.com/en/39259

Threats:
Lockbit
Ransom/mdp.event.m4353

IOCs:
File: 6
Hash: 2
#ParsedReport
27-09-2022

Threat Actors Utilize PowerPoint Files to Distribute Graphite Malware

https://socradar.io/threat-actors-utilize-powerpoint-files-to-distribute-graphite-malware

Actors/Campaigns:
Fancy_bear

Threats:
Graphite
Process_injection_technique

Industry:
Government

Geo:
Russia, French

TTPs:
Tactics: 6
Technics: 13

IOCs:
File: 6
Hash: 12
Domain: 2
Url: 2

Softs:
zoom, microsoft onedrive, component object model

Algorithms:
xor, aes-256-cbc

Win API:
NtAllocateVirtualMemory

YARA: Found
#ParsedReport
27-09-2022

Agent Tesla RAT Delivered by Quantum Builder With NewTTPs. Key Features of this Attack:

https://www.zscaler.com/blogs/security-research/agent-tesla-rat-delivered-quantum-builder-new-ttps

Actors/Campaigns:
Lazarus

Threats:
Agent_tesla
Quantum_locker
Uac_bypass_technique
Lolbin
Rock
Redline_stealer
Icedid
Cloudeye
Remcos_rat
Asyncrat_rat

Industry:
E-commerce, Financial

Geo:
Guangdong, Chinese, China

TTPs:
Tactics: 1
Technics: 0

IOCs:
File: 10
Hash: 9
Domain: 3
Url: 3
Path: 2
Email: 1

Softs:
windows defender

Algorithms:
zip, xor, base64, aes, gzip

Functions:
FromBase64String, VarType, CreateObject, DownloadData, WriteAllBytes, Run, ShellExecute, CreateShortcut

Win Services:
WebClient

Links:
https://github.com/tylerapplebaum/CMSTP-UACBypass/blob/master/UACBypassCMSTP.ps1