#ParsedReport
22-09-2022
Threat Actors Exploit Atlassian ConfluenceRCE Flawto Install Crypto Miners. Threat Actors Exploit Atlassian Confluence RCE Flaw to Install Crypto Miners
https://socradar.io/threat-actors-exploit-atlassian-confluence-rce-flaw-to-install-crypto-miners
Threats:
Hezb
CVEs:
CVE-2022-26134 [Vulners]
Vulners: Score: 7.5, CVSS: 6.8,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- atlassian confluence data center (7.18.0, <7.17.4, <7.16.4, <7.15.2, <7.14.3, <7.13.7, <7.4.17)
- atlassian confluence server (7.18.0, <7.17.4, <7.16.4, <7.15.2, <7.14.3, <7.13.7, <7.4.17)
TTPs:
Tactics: 1
Technics: 12
IOCs:
IP: 4
Url: 8
Hash: 2
Softs:
confluence, curl
22-09-2022
Threat Actors Exploit Atlassian ConfluenceRCE Flawto Install Crypto Miners. Threat Actors Exploit Atlassian Confluence RCE Flaw to Install Crypto Miners
https://socradar.io/threat-actors-exploit-atlassian-confluence-rce-flaw-to-install-crypto-miners
Threats:
Hezb
CVEs:
CVE-2022-26134 [Vulners]
Vulners: Score: 7.5, CVSS: 6.8,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- atlassian confluence data center (7.18.0, <7.17.4, <7.16.4, <7.15.2, <7.14.3, <7.13.7, <7.4.17)
- atlassian confluence server (7.18.0, <7.17.4, <7.16.4, <7.15.2, <7.14.3, <7.13.7, <7.4.17)
TTPs:
Tactics: 1
Technics: 12
IOCs:
IP: 4
Url: 8
Hash: 2
Softs:
confluence, curl
SOCRadar® Cyber Intelligence Inc.
Threat Actors Exploit Atlassian Confluence RCE Flaw to Install Crypto Miners - SOCRadar® Cyber Intelligence Inc.
Unpatched Atlassian Confluence Server instances are vulnerable to a critical RCE flaw. The flaw, tracked as CVE-2022-26134 (CVSS score: 9.8),
#ParsedReport
22-09-2022
7 Years of Scarlet Mimics Mobile Surveillance Campaign Targeting Uyghurs. Introduction
https://research.checkpoint.com/2022/never-truly-left-7-years-of-scarlet-mimics-mobile-surveillance-campaign-targeting-uyghurs
Actors/Campaigns:
Scarlet_mimic (motivation: cyber_espionage)
Threats:
Mobileorder
Jaderat
Dead_drop_technique
Industry:
Healthcare, Transport
Geo:
Norway, China, Asia, Chinas, Yemen, Chinese, Tibetan
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 3
Hash: 30
Domain: 7
IP: 3
Url: 4
Softs:
android, macos
Algorithms:
aes, base64
22-09-2022
7 Years of Scarlet Mimics Mobile Surveillance Campaign Targeting Uyghurs. Introduction
https://research.checkpoint.com/2022/never-truly-left-7-years-of-scarlet-mimics-mobile-surveillance-campaign-targeting-uyghurs
Actors/Campaigns:
Scarlet_mimic (motivation: cyber_espionage)
Threats:
Mobileorder
Jaderat
Dead_drop_technique
Industry:
Healthcare, Transport
Geo:
Norway, China, Asia, Chinas, Yemen, Chinese, Tibetan
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 3
Hash: 30
Domain: 7
IP: 3
Url: 4
Softs:
android, macos
Algorithms:
aes, base64
Check Point Research
7 Years of Scarlet Mimic’s Mobile Surveillance Campaign Targeting Uyghurs - Check Point Research
Introduction In 2022, Check Point Research (CPR) observed a new wave of a long-standing campaign targeting the Uyghur community, a Turkic ethnic group originating from Central Asia, one of the largest minority ethnic groups in China. This malicious activity…
#ParsedReport
22-09-2022
Raspberry Robins Roshtyak: A Little Lesson in Trickery
https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/?utm_source=rss&utm_medium=rss&utm_campaign=raspberry-robins-roshtyak-a-little-lesson-in-trickery
Actors/Campaigns:
Evil_corp
Threats:
Raspberry_robin
Roshtyak
Apc_injection_technique
Medusalocker
Browserassistant
Sandbox_evasion_technique
Trap flag_technique
Uac_bypass_technique
Uacme
Lolbin
Beacon
Rapsberry_robin
CVEs:
CVE-2021-1732 [Vulners]
Vulners: Score: 4.6, CVSS: 4.3,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft windows 10 (20h2, 1803, 1809, 1909, 2004)
- microsoft windows server 2016 (20h2, 1909, 2004)
- microsoft windows server 2019 (-)
CVE-2020-1054 [Vulners]
Vulners: Score: 7.2, CVSS: 3.7,
Vulners: Exploitation: True
X-Force: Risk: 7
X-Force: Patch: Official fix
Soft:
- microsoft windows 10 (-, 1607, 1709, 1803, 1809, 1903, 1909)
- microsoft windows 7 (-)
- microsoft windows 8.1 (-)
- microsoft windows rt 8.1 (-)
- microsoft windows server 2008 (-, r2, r2)
have more...
TTPs:
Tactics: 3
Technics: 0
IOCs:
File: 27
Path: 3
Registry: 4
Url: 1
Domain: 202
Hash: 66
Softs:
microsoft office, process explorer, psexec, windows shell, active directory
Algorithms:
base64, prng, zip, rc4, xor
Win API:
MulDiv, TerminateProcess, NtQueueApcThreadEx, VirtualFree, UnmapViewOfFile, RtlExitUserThread, RtlAddVectoredExceptionHandler, SetUnhandledExceptionFilter, ZwSetInformationProcess, GetThreadContext, have more...
Languages:
java
Platforms:
x64, x86
Links:
22-09-2022
Raspberry Robins Roshtyak: A Little Lesson in Trickery
https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/?utm_source=rss&utm_medium=rss&utm_campaign=raspberry-robins-roshtyak-a-little-lesson-in-trickery
Actors/Campaigns:
Evil_corp
Threats:
Raspberry_robin
Roshtyak
Apc_injection_technique
Medusalocker
Browserassistant
Sandbox_evasion_technique
Trap flag_technique
Uac_bypass_technique
Uacme
Lolbin
Beacon
Rapsberry_robin
CVEs:
CVE-2021-1732 [Vulners]
Vulners: Score: 4.6, CVSS: 4.3,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft windows 10 (20h2, 1803, 1809, 1909, 2004)
- microsoft windows server 2016 (20h2, 1909, 2004)
- microsoft windows server 2019 (-)
CVE-2020-1054 [Vulners]
Vulners: Score: 7.2, CVSS: 3.7,
Vulners: Exploitation: True
X-Force: Risk: 7
X-Force: Patch: Official fix
Soft:
- microsoft windows 10 (-, 1607, 1709, 1803, 1809, 1903, 1909)
- microsoft windows 7 (-)
- microsoft windows 8.1 (-)
- microsoft windows rt 8.1 (-)
- microsoft windows server 2008 (-, r2, r2)
have more...
TTPs:
Tactics: 3
Technics: 0
IOCs:
File: 27
Path: 3
Registry: 4
Url: 1
Domain: 202
Hash: 66
Softs:
microsoft office, process explorer, psexec, windows shell, active directory
Algorithms:
base64, prng, zip, rc4, xor
Win API:
MulDiv, TerminateProcess, NtQueueApcThreadEx, VirtualFree, UnmapViewOfFile, RtlExitUserThread, RtlAddVectoredExceptionHandler, SetUnhandledExceptionFilter, ZwSetInformationProcess, GetThreadContext, have more...
Languages:
java
Platforms:
x64, x86
Links:
https://github.com/hfiref0x/UACME
https://github.com/avast/ioc/tree/master/RaspberryRobin
https://github.com/hfiref0x/UACME/blob/c998cb1f1bafd36f566f17208b915dc48dda5edf/Source/Akagi/methods/hybrids.c#L877
https://github.com/sam-b/windows\_kernel\_address\_leaks/blob/master/HMValidateHandle/HMValidateHandle/HMValidateHandle.cpp
https://github.com/odzhan/injection/blob/master/kct/kct.cGendigital
Raspberry Robin’s Roshtyak: A Little Lesson in Trickery
Innovative Evasion Techniques in Roshtyak
#ParsedReport
22-09-2022
Noberus Ransomware: Darkside and BlackMatter Successor Continues to Evolve its Tactics
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-ransomware-ttps
Actors/Campaigns:
Blackcat (motivation: information_theft)
Darkside
Blackmatter
Carbanak
Threats:
Exmatter_tool
Eamfo
Blackcat
Blackbasta
Lockbit
Yanluowang
Conti
Monti
Gmer_tool
Industry:
Retail, Financial, Healthcare, Education, Government
IOCs:
File: 11
Hash: 11
Softs:
debian
Algorithms:
chacha20, aes
Languages:
rust
Platforms:
arm
22-09-2022
Noberus Ransomware: Darkside and BlackMatter Successor Continues to Evolve its Tactics
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-ransomware-ttps
Actors/Campaigns:
Blackcat (motivation: information_theft)
Darkside
Blackmatter
Carbanak
Threats:
Exmatter_tool
Eamfo
Blackcat
Blackbasta
Lockbit
Yanluowang
Conti
Monti
Gmer_tool
Industry:
Retail, Financial, Healthcare, Education, Government
IOCs:
File: 11
Hash: 11
Softs:
debian
Algorithms:
chacha20, aes
Languages:
rust
Platforms:
arm
Security
Noberus Ransomware: Darkside and BlackMatter Successor Continues to Evolve its Tactics
New version of Exmatter, and Eamfo malware, used by attackers deploying the Rust-based ransomware.
#ParsedReport
22-09-2022
Threat analysis: Malicious npm package mimics Material Tailwind CSS tool
https://blog.reversinglabs.com/blog/threat-analysis-malicious-npm-package-mimicks-material-tailwind-css-tool
Threats:
Sunburst
IOCs:
Path: 2
IP: 2
Hash: 6
Algorithms:
xor, zip, base64
Languages:
javascript
Platforms:
x86
22-09-2022
Threat analysis: Malicious npm package mimics Material Tailwind CSS tool
https://blog.reversinglabs.com/blog/threat-analysis-malicious-npm-package-mimicks-material-tailwind-css-tool
Threats:
Sunburst
IOCs:
Path: 2
IP: 2
Hash: 6
Algorithms:
xor, zip, base64
Languages:
javascript
Platforms:
x86
ReversingLabs
Threat analysis: Malicious npm package mimics Material Tailwind CSS tool
ReversingLabs has discovered a malicious npm package disguised as the software tool Material Tailwind. Here's an in-depth look at our discovery — and threat analysis. (Updated with MachO executable information.)
#ParsedReport
21-09-2022
EvilProxy: Scaling Phishing Attacks Keeping MFA At Bay
https://www.secureblink.com/cyber-security-news/evil-proxy-scaling-phishing-attacks-keeping-mfa-at-bay
Actors/Campaigns:
Bec
Threats:
Evilproxy
Moloch
Juicestealer
Industry:
E-commerce, Financial
IOCs:
Url: 1
Domain: 7
IP: 3
Softs:
instagram, telegram, docker
Languages:
python, javascript
Platforms:
apple
21-09-2022
EvilProxy: Scaling Phishing Attacks Keeping MFA At Bay
https://www.secureblink.com/cyber-security-news/evil-proxy-scaling-phishing-attacks-keeping-mfa-at-bay
Actors/Campaigns:
Bec
Threats:
Evilproxy
Moloch
Juicestealer
Industry:
E-commerce, Financial
IOCs:
Url: 1
Domain: 7
IP: 3
Softs:
instagram, telegram, docker
Languages:
python, javascript
Platforms:
apple
#ParsedReport
22-09-2022
BYOVD. Root Kit Malware Analysis Report using BYOVD of La Jarus Group
https://asec.ahnlab.com/ko/38593
Actors/Campaigns:
Lazarus
Threats:
Byovd_technique
Industry:
Healthcare, Financial
Geo:
Asia, Korea
IOCs:
File: 6
Algorithms:
aes
22-09-2022
BYOVD. Root Kit Malware Analysis Report using BYOVD of La Jarus Group
https://asec.ahnlab.com/ko/38593
Actors/Campaigns:
Lazarus
Threats:
Byovd_technique
Industry:
Healthcare, Financial
Geo:
Asia, Korea
IOCs:
File: 6
Algorithms:
aes
ASEC
라자루스 그룹의 BYOVD를 활용한 루트킷 악성코드 분석 보고서 - ASEC
북한의 해킹 그룹으로 알려진 라자루스 그룹은 지난 2009년부터 국내를 비롯하여 미국, 아시아, 유럽 등의 다양한 국가를 대상으로 공격을 수행하고 있다. 자사 ASD(AhnLab Smart Defense) 인프라에 따르면 2022년 상반기에 라자루스 그룹은 국내의 방산, 금융, 언론, 제약 산업군에 대해 APT(Advanced Persistent Threat) 공격 활동을 전개하였다. 안랩에서는 이러한 APT 공격을 면밀히 추적하였으며 공격 과정에서 보안…
#ParsedReport
22-09-2022
The Mystery of Metador \| An Unattributed Threat Hiding in Telcos, ISPs, and Universities
https://www.sentinelone.com/labs/the-mystery-of-metador-an-unattributed-threat-hiding-in-telcos-isps-and-universities
Actors/Campaigns:
Metador (motivation: cyber_espionage)
Moshendragon
Muddywater
Threats:
Lolbin
Mafalda
Cryshell
Metamain
Industry:
Education, Telco
Geo:
Iranian, Chinese, Spanish, Africa
IOCs:
File: 4
Path: 2
IP: 1
Domain: 1
22-09-2022
The Mystery of Metador \| An Unattributed Threat Hiding in Telcos, ISPs, and Universities
https://www.sentinelone.com/labs/the-mystery-of-metador-an-unattributed-threat-hiding-in-telcos-isps-and-universities
Actors/Campaigns:
Metador (motivation: cyber_espionage)
Moshendragon
Muddywater
Threats:
Lolbin
Mafalda
Cryshell
Metamain
Industry:
Education, Telco
Geo:
Iranian, Chinese, Spanish, Africa
IOCs:
File: 4
Path: 2
IP: 1
Domain: 1
SentinelOne
The Mystery of Metador | An Unattributed Threat Hiding in Telcos, ISPs, and Universities
An elusive adversary is attacking high-value targets with impunity using novel malware frameworks and custom-built backdoors.
#ParsedReport
23-09-2022
FARGO Ransomware (Mallox) Being Distributed to Vulnerable MS-SQL Servers
https://asec.ahnlab.com/en/39152
Threats:
Mallox
Globeimposter
Cobalt_strike
Asyncrat_rat
Ransomware/win.ransom.c5153317
Dropper/win.dotnet.c5237010
Malware/mdp.download.m1197
IOCs:
File: 4
Hash: 4
Url: 1
Softs:
ms-sql, mysql
23-09-2022
FARGO Ransomware (Mallox) Being Distributed to Vulnerable MS-SQL Servers
https://asec.ahnlab.com/en/39152
Threats:
Mallox
Globeimposter
Cobalt_strike
Asyncrat_rat
Ransomware/win.ransom.c5153317
Dropper/win.dotnet.c5237010
Malware/mdp.download.m1197
IOCs:
File: 4
Hash: 4
Url: 1
Softs:
ms-sql, mysql
ASEC
FARGO Ransomware (Mallox) Being Distributed to Unsecured MS-SQL Servers - ASEC
FARGO Ransomware (Mallox) Being Distributed to Unsecured MS-SQL Servers ASEC
#ParsedReport
23-09-2022
Void Balaur \| The Sprawling Infrastructure of a Careless Mercenary
https://www.sentinelone.com/labs/the-sprawling-infrastructure-of-a-careless-mercenary
Actors/Campaigns:
Voidbalaur
Industry:
Government, Financial
Geo:
Kazakhstan, Latvia, Moldova, Russian, Sudan, Brazil, Georgia, Ukraine, Russia, Spain, Taiwan, African
IOCs:
Domain: 6
IP: 1
Softs:
telegram, instagram
23-09-2022
Void Balaur \| The Sprawling Infrastructure of a Careless Mercenary
https://www.sentinelone.com/labs/the-sprawling-infrastructure-of-a-careless-mercenary
Actors/Campaigns:
Voidbalaur
Industry:
Government, Financial
Geo:
Kazakhstan, Latvia, Moldova, Russian, Sudan, Brazil, Georgia, Ukraine, Russia, Spain, Taiwan, African
IOCs:
Domain: 6
IP: 1
Softs:
telegram, instagram
SentinelOne
Void Balaur | The Sprawling Infrastructure of a Careless Mercenary
The Void Balaur cyber mercenary group has thrived throughout 2022, attacking targets on a global scale with new phishing campaigns.
#ParsedReport
23-09-2022
Mass email campaign with a pinch of targeted spam
https://securelist.com/agent-tesla-malicious-spam-campaign/107478
Threats:
Agent_tesla
Tightvnc_tool
Geo:
Mexico, Turkey, Malaysian, Bulgarian, America, Brazil, Greek, Malaysia, Germany, Italy, Portugal, Asia, Russian, Vietnam, Spain
IOCs:
File: 2
Hash: 7
Softs:
telegram, chrome, opera, amigo, chedot, chromium, comodo dragon, liebao, orbitum, sleipnir, have more...
23-09-2022
Mass email campaign with a pinch of targeted spam
https://securelist.com/agent-tesla-malicious-spam-campaign/107478
Threats:
Agent_tesla
Tightvnc_tool
Geo:
Mexico, Turkey, Malaysian, Bulgarian, America, Brazil, Greek, Malaysia, Germany, Italy, Portugal, Asia, Russian, Vietnam, Spain
IOCs:
File: 2
Hash: 7
Softs:
telegram, chrome, opera, amigo, chedot, chromium, comodo dragon, liebao, orbitum, sleipnir, have more...
Securelist
Spam email campaign targeting businesses delivers the Agent Tesla stealer
Mass spam mailing posing as customer email delivers the Agent Tesla stealer disguised as a document to corporate users.
#ParsedReport
23-09-2022
A New Attack Wave Targeting Critical Magento Vulnerability
https://socradar.io/a-new-attack-wave-targeting-critical-magento-vulnerability
Industry:
E-commerce
Geo:
Bulgaria
CVEs:
CVE-2022-24087 [Vulners]
Vulners: Score: Unknown, CVSS: 1.5,
Vulners: Exploitation: Unknown
X-Force: Risk: Unknown
X-Force: Patch: Unknown
CVE-2022-24086 [Vulners]
Vulners: Score: 10.0, CVSS: 6.3,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- adobe commerce (<2.3.0, le2.3.6, 2.3.7, 2.3.7, le2.4.2, 2.4.3, 2.4.3)
- magento (<2.3.0, le2.3.6, 2.3.7, 2.3.7, le2.4.2, 2.4.3, 2.4.3)
IOCs:
File: 2
Domain: 1
IP: 3
Languages:
php
Platforms:
apple
23-09-2022
A New Attack Wave Targeting Critical Magento Vulnerability
https://socradar.io/a-new-attack-wave-targeting-critical-magento-vulnerability
Industry:
E-commerce
Geo:
Bulgaria
CVEs:
CVE-2022-24087 [Vulners]
Vulners: Score: Unknown, CVSS: 1.5,
Vulners: Exploitation: Unknown
X-Force: Risk: Unknown
X-Force: Patch: Unknown
CVE-2022-24086 [Vulners]
Vulners: Score: 10.0, CVSS: 6.3,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- adobe commerce (<2.3.0, le2.3.6, 2.3.7, 2.3.7, le2.4.2, 2.4.3, 2.4.3)
- magento (<2.3.0, le2.3.6, 2.3.7, 2.3.7, le2.4.2, 2.4.3, 2.4.3)
IOCs:
File: 2
Domain: 1
IP: 3
Languages:
php
Platforms:
apple
SOCRadar® Cyber Intelligence Inc.
A New Attack Wave Targeting Critical Magento Vulnerability - SOCRadar® Cyber Intelligence Inc.
E-commerce platform Magento has become a frequent target for hackers. More attempts have been made to exploit CVE-2022-24086 since its
#ParsedReport
26-09-2022
Lazarus Operation In(ter)ception Targets macOS Users Dreaming of Jobs in Crypto
https://www.sentinelone.com/blog/lazarus-operation-interception-targets-macos-users-dreaming-of-jobs-in-crypto
Actors/Campaigns:
Lazarus (motivation: cyber_espionage)
Dream_job
Threats:
Nukesped_rat
Industry:
Aerospace
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 2
Domain: 1
Hash: 3
Softs:
macos, coinbase
Functions:
startDaemon
Platforms:
apple, intel
26-09-2022
Lazarus Operation In(ter)ception Targets macOS Users Dreaming of Jobs in Crypto
https://www.sentinelone.com/blog/lazarus-operation-interception-targets-macos-users-dreaming-of-jobs-in-crypto
Actors/Campaigns:
Lazarus (motivation: cyber_espionage)
Dream_job
Threats:
Nukesped_rat
Industry:
Aerospace
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 2
Domain: 1
Hash: 3
Softs:
macos, coinbase
Functions:
startDaemon
Platforms:
apple, intel
SentinelOne
Lazarus ‘Operation In(ter)ception’ Targets macOS Users Dreaming of Jobs in Crypto
First Coinbase, now Crypto.com. Lazarus campaign targets more crypto exchange platform job seekers with multi-stage malware.
#ParsedReport
26-09-2022
Stopping Vulnerable Driver Attacks. Key takeaways
https://www.elastic.co/security-labs/stopping-vulnerable-driver-attacks
Threats:
Process_hacker_tool
Softs:
process explorer, windows defender application control
Algorithms:
exhibit
YARA: Found
Links:
26-09-2022
Stopping Vulnerable Driver Attacks. Key takeaways
https://www.elastic.co/security-labs/stopping-vulnerable-driver-attacks
Threats:
Process_hacker_tool
Softs:
process explorer, windows defender application control
Algorithms:
exhibit
YARA: Found
Links:
https://github.com/winsiderss/systeminformerhttps://github.com/Yaxser/Backstabhttps://github.com/elastic/detection-ruleshttps://github.com/br-sn/CheekyBlinderhttps://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.mdhttps://github.com/Cr4sh/KernelForgehttps://github.com/MicrosoftDocs/windows-itpro-docs/blob/ce56a2f15015e07bf35cd05ce3299340d16e759a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md?plain=1#L391https://github.com/elastic/protections-artifacts/search?q=VulnDriverhttps://github.com/hfiref0x/KDUwww.elastic.co
Stopping Vulnerable Driver Attacks — Elastic Security Labs
This post includes a primer on kernel mode attacks, along with Elastic’s recommendations for securing users from kernel attacks leveraging vulnerable drivers.
#ParsedReport
26-09-2022
FARGO Ransomware Targets Vulnerable Microsoft SQL Servers
https://socradar.io/fargo-ransomware-targets-vulnerable-microsoft-sql-servers
Actors/Campaigns:
Fakeupdates
Threats:
Mallox
Cobalt_strike
Beacon
Industry:
Financial
IOCs:
File: 2
Path: 1
Hash: 8
Url: 1
Softs:
microsoft sql, ms-sql, telegram
Algorithms:
aes-128, chacha20, curve25519
26-09-2022
FARGO Ransomware Targets Vulnerable Microsoft SQL Servers
https://socradar.io/fargo-ransomware-targets-vulnerable-microsoft-sql-servers
Actors/Campaigns:
Fakeupdates
Threats:
Mallox
Cobalt_strike
Beacon
Industry:
Financial
IOCs:
File: 2
Path: 1
Hash: 8
Url: 1
Softs:
microsoft sql, ms-sql, telegram
Algorithms:
aes-128, chacha20, curve25519
SOCRadar® Cyber Intelligence Inc.
FARGO Ransomware Targets Vulnerable Microsoft SQL Servers - SOCRadar® Cyber Intelligence Inc.
Microsoft SQL database servers are the target of a new ransomware attack campaign called FARGO ransomware. FARGO, also known as TargetCompany, aims to
#ParsedReport
26-09-2022
DcDcrypt Ransomware Decryptor
https://labs.k7computing.com/index.php/dcdcrypt-ransomware-decryptor
Threats:
Dcdcrypt
IOCs:
File: 3
Email: 1
Hash: 1
Softs:
telegram
Algorithms:
aes, cbc, xor, base64
Functions:
GetHashCode
26-09-2022
DcDcrypt Ransomware Decryptor
https://labs.k7computing.com/index.php/dcdcrypt-ransomware-decryptor
Threats:
Dcdcrypt
IOCs:
File: 3
Email: 1
Hash: 1
Softs:
telegram
Algorithms:
aes, cbc, xor, base64
Functions:
GetHashCode
K7 Labs
DcDcrypt Ransomware Decryptor
We at K7 Labs came across DcDcrypt ransomware sample, that had infected a user machine and encrypted all user files. […]
#ParsedReport
26-09-2022
BumbleBee: Round Two
https://thedfirreport.com/2022/09/26/bumblebee-round-two
Threats:
Bumblebee
Cobalt_strike
Meterpreter_tool
Adfind_tool
Nltest_tool
Beacon
Procdump_tool
Anydesk_tool
Icedid
Conti
Bazarbackdoor
Diavol
Process_injection_technique
Dumplsass_tool
Tur
TTPs:
Tactics: 11
Technics: 17
IOCs:
File: 22
Path: 14
IP: 10
Hash: 3
Softs:
active directory, internet explorer, qemu
Algorithms:
7zip , base64, zip
Win API:
CreateRemoteThread, VirtualAllocEx, CreateThread
SIGMA: Found
Links:
26-09-2022
BumbleBee: Round Two
https://thedfirreport.com/2022/09/26/bumblebee-round-two
Threats:
Bumblebee
Cobalt_strike
Meterpreter_tool
Adfind_tool
Nltest_tool
Beacon
Procdump_tool
Anydesk_tool
Icedid
Conti
Bazarbackdoor
Diavol
Process_injection_technique
Dumplsass_tool
Tur
TTPs:
Tactics: 11
Technics: 17
IOCs:
File: 22
Path: 14
IP: 10
Hash: 3
Softs:
active directory, internet explorer, qemu
Algorithms:
7zip , base64, zip
Win API:
CreateRemoteThread, VirtualAllocEx, CreateThread
SIGMA: Found
Links:
https://github.com/EricZimmerman/LECmdThe DFIR Report
BumbleBee: Round Two - The DFIR Report
In this intrusion from May 2022, the threat actors used BumbleBee as the initial access vector. BumbleBee has been identified as an initial access vector utilized by several ransomware affiliates. In this intrusion, we see the threat actor use BumbleBee to…
#ParsedReport
26-09-2022
NullMixer: oodles of Trojans in a single dropper
https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498
Actors/Campaigns:
Pseudomanuscrypt
Threats:
Nullmixer
Smokeloader
Lgoogloader
Socelar
Redline_stealer
Fabookie
Cold_stealer
Beacon
Glupteba
Clipbanker
Formatloader
Csdimonetize
Danabot
Raccoon_stealer
Sgnitloader
Obsidium_tool
Shortloader
Legionloader
Putty_tool
Antivm
C-joker
Privateloader
Garbage_cleaner
Azorult
Vidar_stealer
Predator
Industry:
Financial, Government, E-commerce
Geo:
France, Italy, India, Germany, Turkey, Russia, Egypt, Brazil
TTPs:
Tactics: 1
Technics: 2
IOCs:
File: 19
Path: 1
Url: 31
Hash: 40
IP: 5
Domain: 21
Softs:
windows defender, microsoft edge, opera, nsis installer, chrome, telegram
Algorithms:
base64, zip, xor
Languages:
autoit, delphi
26-09-2022
NullMixer: oodles of Trojans in a single dropper
https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498
Actors/Campaigns:
Pseudomanuscrypt
Threats:
Nullmixer
Smokeloader
Lgoogloader
Socelar
Redline_stealer
Fabookie
Cold_stealer
Beacon
Glupteba
Clipbanker
Formatloader
Csdimonetize
Danabot
Raccoon_stealer
Sgnitloader
Obsidium_tool
Shortloader
Legionloader
Putty_tool
Antivm
C-joker
Privateloader
Garbage_cleaner
Azorult
Vidar_stealer
Predator
Industry:
Financial, Government, E-commerce
Geo:
France, Italy, India, Germany, Turkey, Russia, Egypt, Brazil
TTPs:
Tactics: 1
Technics: 2
IOCs:
File: 19
Path: 1
Url: 31
Hash: 40
IP: 5
Domain: 21
Softs:
windows defender, microsoft edge, opera, nsis installer, chrome, telegram
Algorithms:
base64, zip, xor
Languages:
autoit, delphi
Securelist
NullMixer drops Redline Stealer, SmokeLoader and other malware
NullMixer is a dropper delivering a number of Trojans, such as RedLine Stealer, SmokeLoader, Satacom, and others.
#ParsedReport
27-09-2022
NSIS Type of LockBit 3.0 Ransomware Disguised as Job Application Emails Being Distributed
https://asec.ahnlab.com/en/39259
Threats:
Lockbit
Ransom/mdp.event.m4353
IOCs:
File: 6
Hash: 2
27-09-2022
NSIS Type of LockBit 3.0 Ransomware Disguised as Job Application Emails Being Distributed
https://asec.ahnlab.com/en/39259
Threats:
Lockbit
Ransom/mdp.event.m4353
IOCs:
File: 6
Hash: 2
ASEC
NSIS Type of LockBit 3.0 Ransomware Disguised as Job Application Emails Being Distributed - ASEC
NSIS Type of LockBit 3.0 Ransomware Disguised as Job Application Emails Being Distributed ASEC
#ParsedReport
27-09-2022
Threat Actors Utilize PowerPoint Files to Distribute Graphite Malware
https://socradar.io/threat-actors-utilize-powerpoint-files-to-distribute-graphite-malware
Actors/Campaigns:
Fancy_bear
Threats:
Graphite
Process_injection_technique
Industry:
Government
Geo:
Russia, French
TTPs:
Tactics: 6
Technics: 13
IOCs:
File: 6
Hash: 12
Domain: 2
Url: 2
Softs:
zoom, microsoft onedrive, component object model
Algorithms:
xor, aes-256-cbc
Win API:
NtAllocateVirtualMemory
YARA: Found
27-09-2022
Threat Actors Utilize PowerPoint Files to Distribute Graphite Malware
https://socradar.io/threat-actors-utilize-powerpoint-files-to-distribute-graphite-malware
Actors/Campaigns:
Fancy_bear
Threats:
Graphite
Process_injection_technique
Industry:
Government
Geo:
Russia, French
TTPs:
Tactics: 6
Technics: 13
IOCs:
File: 6
Hash: 12
Domain: 2
Url: 2
Softs:
zoom, microsoft onedrive, component object model
Algorithms:
xor, aes-256-cbc
Win API:
NtAllocateVirtualMemory
YARA: Found
SOCRadar® Cyber Intelligence Inc.
Threat Actors Utilize PowerPoint Files to Distribute Graphite Malware - SOCRadar® Cyber Intelligence Inc.
Threat actors started utilizing PowerPoint presentations as a code execution method and delivering Graphite malware in targeted attacks.
#ParsedReport
27-09-2022
Agent Tesla RAT Delivered by Quantum Builder With NewTTPs. Key Features of this Attack:
https://www.zscaler.com/blogs/security-research/agent-tesla-rat-delivered-quantum-builder-new-ttps
Actors/Campaigns:
Lazarus
Threats:
Agent_tesla
Quantum_locker
Uac_bypass_technique
Lolbin
Rock
Redline_stealer
Icedid
Cloudeye
Remcos_rat
Asyncrat_rat
Industry:
E-commerce, Financial
Geo:
Guangdong, Chinese, China
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 10
Hash: 9
Domain: 3
Url: 3
Path: 2
Email: 1
Softs:
windows defender
Algorithms:
zip, xor, base64, aes, gzip
Functions:
FromBase64String, VarType, CreateObject, DownloadData, WriteAllBytes, Run, ShellExecute, CreateShortcut
Win Services:
WebClient
Links:
27-09-2022
Agent Tesla RAT Delivered by Quantum Builder With NewTTPs. Key Features of this Attack:
https://www.zscaler.com/blogs/security-research/agent-tesla-rat-delivered-quantum-builder-new-ttps
Actors/Campaigns:
Lazarus
Threats:
Agent_tesla
Quantum_locker
Uac_bypass_technique
Lolbin
Rock
Redline_stealer
Icedid
Cloudeye
Remcos_rat
Asyncrat_rat
Industry:
E-commerce, Financial
Geo:
Guangdong, Chinese, China
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 10
Hash: 9
Domain: 3
Url: 3
Path: 2
Email: 1
Softs:
windows defender
Algorithms:
zip, xor, base64, aes, gzip
Functions:
FromBase64String, VarType, CreateObject, DownloadData, WriteAllBytes, Run, ShellExecute, CreateShortcut
Win Services:
WebClient
Links:
https://github.com/tylerapplebaum/CMSTP-UACBypass/blob/master/UACBypassCMSTP.ps1Zscaler
Quantum Builder Delivers Agent Tesla RAT with New TTP
New campaign uses Quantum Builder, sold on the dark web, to deliver Agent Tesla RAT. In this campaign, threat actors use enhanced tactics from previous attacks.