#ParsedReport
26-09-2022
Lazarus Operation In(ter)ception Targets macOS Users Dreaming of Jobs in Crypto
https://www.sentinelone.com/blog/lazarus-operation-interception-targets-macos-users-dreaming-of-jobs-in-crypto
Actors/Campaigns:
Lazarus (motivation: cyber_espionage)
Dream_job
Threats:
Nukesped_rat
Industry:
Aerospace
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 2
Domain: 1
Hash: 3
Softs:
macos, coinbase
Functions:
startDaemon
Platforms:
apple, intel
26-09-2022
Lazarus Operation In(ter)ception Targets macOS Users Dreaming of Jobs in Crypto
https://www.sentinelone.com/blog/lazarus-operation-interception-targets-macos-users-dreaming-of-jobs-in-crypto
Actors/Campaigns:
Lazarus (motivation: cyber_espionage)
Dream_job
Threats:
Nukesped_rat
Industry:
Aerospace
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 2
Domain: 1
Hash: 3
Softs:
macos, coinbase
Functions:
startDaemon
Platforms:
apple, intel
SentinelOne
Lazarus ‘Operation In(ter)ception’ Targets macOS Users Dreaming of Jobs in Crypto
First Coinbase, now Crypto.com. Lazarus campaign targets more crypto exchange platform job seekers with multi-stage malware.
#ParsedReport
26-09-2022
Stopping Vulnerable Driver Attacks. Key takeaways
https://www.elastic.co/security-labs/stopping-vulnerable-driver-attacks
Threats:
Process_hacker_tool
Softs:
process explorer, windows defender application control
Algorithms:
exhibit
YARA: Found
Links:
26-09-2022
Stopping Vulnerable Driver Attacks. Key takeaways
https://www.elastic.co/security-labs/stopping-vulnerable-driver-attacks
Threats:
Process_hacker_tool
Softs:
process explorer, windows defender application control
Algorithms:
exhibit
YARA: Found
Links:
https://github.com/winsiderss/systeminformerhttps://github.com/Yaxser/Backstabhttps://github.com/elastic/detection-ruleshttps://github.com/br-sn/CheekyBlinderhttps://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.mdhttps://github.com/Cr4sh/KernelForgehttps://github.com/MicrosoftDocs/windows-itpro-docs/blob/ce56a2f15015e07bf35cd05ce3299340d16e759a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md?plain=1#L391https://github.com/elastic/protections-artifacts/search?q=VulnDriverhttps://github.com/hfiref0x/KDUwww.elastic.co
Stopping Vulnerable Driver Attacks — Elastic Security Labs
This post includes a primer on kernel mode attacks, along with Elastic’s recommendations for securing users from kernel attacks leveraging vulnerable drivers.
#ParsedReport
26-09-2022
FARGO Ransomware Targets Vulnerable Microsoft SQL Servers
https://socradar.io/fargo-ransomware-targets-vulnerable-microsoft-sql-servers
Actors/Campaigns:
Fakeupdates
Threats:
Mallox
Cobalt_strike
Beacon
Industry:
Financial
IOCs:
File: 2
Path: 1
Hash: 8
Url: 1
Softs:
microsoft sql, ms-sql, telegram
Algorithms:
aes-128, chacha20, curve25519
26-09-2022
FARGO Ransomware Targets Vulnerable Microsoft SQL Servers
https://socradar.io/fargo-ransomware-targets-vulnerable-microsoft-sql-servers
Actors/Campaigns:
Fakeupdates
Threats:
Mallox
Cobalt_strike
Beacon
Industry:
Financial
IOCs:
File: 2
Path: 1
Hash: 8
Url: 1
Softs:
microsoft sql, ms-sql, telegram
Algorithms:
aes-128, chacha20, curve25519
SOCRadar® Cyber Intelligence Inc.
FARGO Ransomware Targets Vulnerable Microsoft SQL Servers - SOCRadar® Cyber Intelligence Inc.
Microsoft SQL database servers are the target of a new ransomware attack campaign called FARGO ransomware. FARGO, also known as TargetCompany, aims to
#ParsedReport
26-09-2022
DcDcrypt Ransomware Decryptor
https://labs.k7computing.com/index.php/dcdcrypt-ransomware-decryptor
Threats:
Dcdcrypt
IOCs:
File: 3
Email: 1
Hash: 1
Softs:
telegram
Algorithms:
aes, cbc, xor, base64
Functions:
GetHashCode
26-09-2022
DcDcrypt Ransomware Decryptor
https://labs.k7computing.com/index.php/dcdcrypt-ransomware-decryptor
Threats:
Dcdcrypt
IOCs:
File: 3
Email: 1
Hash: 1
Softs:
telegram
Algorithms:
aes, cbc, xor, base64
Functions:
GetHashCode
K7 Labs
DcDcrypt Ransomware Decryptor
We at K7 Labs came across DcDcrypt ransomware sample, that had infected a user machine and encrypted all user files. […]
#ParsedReport
26-09-2022
BumbleBee: Round Two
https://thedfirreport.com/2022/09/26/bumblebee-round-two
Threats:
Bumblebee
Cobalt_strike
Meterpreter_tool
Adfind_tool
Nltest_tool
Beacon
Procdump_tool
Anydesk_tool
Icedid
Conti
Bazarbackdoor
Diavol
Process_injection_technique
Dumplsass_tool
Tur
TTPs:
Tactics: 11
Technics: 17
IOCs:
File: 22
Path: 14
IP: 10
Hash: 3
Softs:
active directory, internet explorer, qemu
Algorithms:
7zip , base64, zip
Win API:
CreateRemoteThread, VirtualAllocEx, CreateThread
SIGMA: Found
Links:
26-09-2022
BumbleBee: Round Two
https://thedfirreport.com/2022/09/26/bumblebee-round-two
Threats:
Bumblebee
Cobalt_strike
Meterpreter_tool
Adfind_tool
Nltest_tool
Beacon
Procdump_tool
Anydesk_tool
Icedid
Conti
Bazarbackdoor
Diavol
Process_injection_technique
Dumplsass_tool
Tur
TTPs:
Tactics: 11
Technics: 17
IOCs:
File: 22
Path: 14
IP: 10
Hash: 3
Softs:
active directory, internet explorer, qemu
Algorithms:
7zip , base64, zip
Win API:
CreateRemoteThread, VirtualAllocEx, CreateThread
SIGMA: Found
Links:
https://github.com/EricZimmerman/LECmdThe DFIR Report
BumbleBee: Round Two - The DFIR Report
In this intrusion from May 2022, the threat actors used BumbleBee as the initial access vector. BumbleBee has been identified as an initial access vector utilized by several ransomware affiliates. In this intrusion, we see the threat actor use BumbleBee to…
#ParsedReport
26-09-2022
NullMixer: oodles of Trojans in a single dropper
https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498
Actors/Campaigns:
Pseudomanuscrypt
Threats:
Nullmixer
Smokeloader
Lgoogloader
Socelar
Redline_stealer
Fabookie
Cold_stealer
Beacon
Glupteba
Clipbanker
Formatloader
Csdimonetize
Danabot
Raccoon_stealer
Sgnitloader
Obsidium_tool
Shortloader
Legionloader
Putty_tool
Antivm
C-joker
Privateloader
Garbage_cleaner
Azorult
Vidar_stealer
Predator
Industry:
Financial, Government, E-commerce
Geo:
France, Italy, India, Germany, Turkey, Russia, Egypt, Brazil
TTPs:
Tactics: 1
Technics: 2
IOCs:
File: 19
Path: 1
Url: 31
Hash: 40
IP: 5
Domain: 21
Softs:
windows defender, microsoft edge, opera, nsis installer, chrome, telegram
Algorithms:
base64, zip, xor
Languages:
autoit, delphi
26-09-2022
NullMixer: oodles of Trojans in a single dropper
https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498
Actors/Campaigns:
Pseudomanuscrypt
Threats:
Nullmixer
Smokeloader
Lgoogloader
Socelar
Redline_stealer
Fabookie
Cold_stealer
Beacon
Glupteba
Clipbanker
Formatloader
Csdimonetize
Danabot
Raccoon_stealer
Sgnitloader
Obsidium_tool
Shortloader
Legionloader
Putty_tool
Antivm
C-joker
Privateloader
Garbage_cleaner
Azorult
Vidar_stealer
Predator
Industry:
Financial, Government, E-commerce
Geo:
France, Italy, India, Germany, Turkey, Russia, Egypt, Brazil
TTPs:
Tactics: 1
Technics: 2
IOCs:
File: 19
Path: 1
Url: 31
Hash: 40
IP: 5
Domain: 21
Softs:
windows defender, microsoft edge, opera, nsis installer, chrome, telegram
Algorithms:
base64, zip, xor
Languages:
autoit, delphi
Securelist
NullMixer drops Redline Stealer, SmokeLoader and other malware
NullMixer is a dropper delivering a number of Trojans, such as RedLine Stealer, SmokeLoader, Satacom, and others.
#ParsedReport
27-09-2022
NSIS Type of LockBit 3.0 Ransomware Disguised as Job Application Emails Being Distributed
https://asec.ahnlab.com/en/39259
Threats:
Lockbit
Ransom/mdp.event.m4353
IOCs:
File: 6
Hash: 2
27-09-2022
NSIS Type of LockBit 3.0 Ransomware Disguised as Job Application Emails Being Distributed
https://asec.ahnlab.com/en/39259
Threats:
Lockbit
Ransom/mdp.event.m4353
IOCs:
File: 6
Hash: 2
ASEC
NSIS Type of LockBit 3.0 Ransomware Disguised as Job Application Emails Being Distributed - ASEC
NSIS Type of LockBit 3.0 Ransomware Disguised as Job Application Emails Being Distributed ASEC
#ParsedReport
27-09-2022
Threat Actors Utilize PowerPoint Files to Distribute Graphite Malware
https://socradar.io/threat-actors-utilize-powerpoint-files-to-distribute-graphite-malware
Actors/Campaigns:
Fancy_bear
Threats:
Graphite
Process_injection_technique
Industry:
Government
Geo:
Russia, French
TTPs:
Tactics: 6
Technics: 13
IOCs:
File: 6
Hash: 12
Domain: 2
Url: 2
Softs:
zoom, microsoft onedrive, component object model
Algorithms:
xor, aes-256-cbc
Win API:
NtAllocateVirtualMemory
YARA: Found
27-09-2022
Threat Actors Utilize PowerPoint Files to Distribute Graphite Malware
https://socradar.io/threat-actors-utilize-powerpoint-files-to-distribute-graphite-malware
Actors/Campaigns:
Fancy_bear
Threats:
Graphite
Process_injection_technique
Industry:
Government
Geo:
Russia, French
TTPs:
Tactics: 6
Technics: 13
IOCs:
File: 6
Hash: 12
Domain: 2
Url: 2
Softs:
zoom, microsoft onedrive, component object model
Algorithms:
xor, aes-256-cbc
Win API:
NtAllocateVirtualMemory
YARA: Found
SOCRadar® Cyber Intelligence Inc.
Threat Actors Utilize PowerPoint Files to Distribute Graphite Malware - SOCRadar® Cyber Intelligence Inc.
Threat actors started utilizing PowerPoint presentations as a code execution method and delivering Graphite malware in targeted attacks.
#ParsedReport
27-09-2022
Agent Tesla RAT Delivered by Quantum Builder With NewTTPs. Key Features of this Attack:
https://www.zscaler.com/blogs/security-research/agent-tesla-rat-delivered-quantum-builder-new-ttps
Actors/Campaigns:
Lazarus
Threats:
Agent_tesla
Quantum_locker
Uac_bypass_technique
Lolbin
Rock
Redline_stealer
Icedid
Cloudeye
Remcos_rat
Asyncrat_rat
Industry:
E-commerce, Financial
Geo:
Guangdong, Chinese, China
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 10
Hash: 9
Domain: 3
Url: 3
Path: 2
Email: 1
Softs:
windows defender
Algorithms:
zip, xor, base64, aes, gzip
Functions:
FromBase64String, VarType, CreateObject, DownloadData, WriteAllBytes, Run, ShellExecute, CreateShortcut
Win Services:
WebClient
Links:
27-09-2022
Agent Tesla RAT Delivered by Quantum Builder With NewTTPs. Key Features of this Attack:
https://www.zscaler.com/blogs/security-research/agent-tesla-rat-delivered-quantum-builder-new-ttps
Actors/Campaigns:
Lazarus
Threats:
Agent_tesla
Quantum_locker
Uac_bypass_technique
Lolbin
Rock
Redline_stealer
Icedid
Cloudeye
Remcos_rat
Asyncrat_rat
Industry:
E-commerce, Financial
Geo:
Guangdong, Chinese, China
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 10
Hash: 9
Domain: 3
Url: 3
Path: 2
Email: 1
Softs:
windows defender
Algorithms:
zip, xor, base64, aes, gzip
Functions:
FromBase64String, VarType, CreateObject, DownloadData, WriteAllBytes, Run, ShellExecute, CreateShortcut
Win Services:
WebClient
Links:
https://github.com/tylerapplebaum/CMSTP-UACBypass/blob/master/UACBypassCMSTP.ps1Zscaler
Quantum Builder Delivers Agent Tesla RAT with New TTP
New campaign uses Quantum Builder, sold on the dark web, to deliver Agent Tesla RAT. In this campaign, threat actors use enhanced tactics from previous attacks.
#ParsedReport
27-09-2022
ASEC (20220919 \~ 20220925). ASEC Weekly Malware Statistics (20220919 \~ 20220925)
https://asec.ahnlab.com/ko/39257
Threats:
Agent_tesla
Azorult
Vidar_stealer
Postealer
Nemty
Antefrigus
Revil
Snake_keylogger
Smokeloader
Smokerloader
Lockbit
Dharma
Industry:
Transport, Financial
Geo:
Korea
IOCs:
File: 28
Domain: 10
IP: 4
Email: 8
Url: 7
Softs:
discord
27-09-2022
ASEC (20220919 \~ 20220925). ASEC Weekly Malware Statistics (20220919 \~ 20220925)
https://asec.ahnlab.com/ko/39257
Threats:
Agent_tesla
Azorult
Vidar_stealer
Postealer
Nemty
Antefrigus
Revil
Snake_keylogger
Smokeloader
Smokerloader
Lockbit
Dharma
Industry:
Transport, Financial
Geo:
Korea
IOCs:
File: 28
Domain: 10
IP: 4
Email: 8
Url: 7
Softs:
discord
ASEC BLOG
ASEC 주간 악성코드 통계 (20220919 ~ 20220925) - ASEC BLOG
ASEC 분석팀에서는 ASEC 자동 분석 시스템 RAPIT 을 활용하여 알려진 악성코드들에 대한 분류 및 대응을 진행하고 있다. 본 포스팅에서는 2022년 9월 19일 월요일부터 9월 25일 일요일까지 한 주간 수집된 악성코드의 통계를 정리한다. 대분류 상으로는 인포스틸러가 51.3%로 1위를 차지하였으며, 그 다음으로는 백도어 악성코드가 21.1%, 다운로더 17.2%, 랜섬웨어가 10.3%로 집계되었다. Top 1 – Agent Tesla 인포스틸러…
#ParsedReport
27-09-2022
Metador is behind the series of intrusions on telcos, ISPs & Unis
https://www.secureblink.com/cyber-security-news/metador-is-behind-the-series-of-intrusions-on-telcos-is-ps-and-unis
Actors/Campaigns:
Metador (motivation: cyber_espionage)
Threats:
Bespoke
Lolbin
Metamain
Mafalda
Cryshell
Industry:
Telco, Government, Education
Geo:
Chinese, Africa, Spanish, Iranian
Softs:
windows security
27-09-2022
Metador is behind the series of intrusions on telcos, ISPs & Unis
https://www.secureblink.com/cyber-security-news/metador-is-behind-the-series-of-intrusions-on-telcos-is-ps-and-unis
Actors/Campaigns:
Metador (motivation: cyber_espionage)
Threats:
Bespoke
Lolbin
Metamain
Mafalda
Cryshell
Industry:
Telco, Government, Education
Geo:
Chinese, Africa, Spanish, Iranian
Softs:
windows security
Secureblink
Metador is behind the series of intrusions on telcos, ISPs & Unis
researchers just recently discovered its operations while examining a series of intrusions at one organization
#ParsedReport
27-09-2022
Watch Out for the New NFT-001
https://blog.morphisec.com/nft-malware-new-evasion-abilities
Actors/Campaigns:
Nft_001 (motivation: cyber_criminal, cyber_espionage)
Threats:
Babadeda
Remcos_rat
Sbit_rat
Dll_sideloading_technique
Asyncrat_rat
Uac_bypass_technique
Eternity_stealer
Arkei_stealer
Industry:
Financial
IOCs:
IP: 13
File: 3
Path: 1
Url: 2
Hash: 16
Domain: 13
Softs:
discord, windows defender
Links:
27-09-2022
Watch Out for the New NFT-001
https://blog.morphisec.com/nft-malware-new-evasion-abilities
Actors/Campaigns:
Nft_001 (motivation: cyber_criminal, cyber_espionage)
Threats:
Babadeda
Remcos_rat
Sbit_rat
Dll_sideloading_technique
Asyncrat_rat
Uac_bypass_technique
Eternity_stealer
Arkei_stealer
Industry:
Financial
IOCs:
IP: 13
File: 3
Path: 1
Url: 2
Hash: 16
Domain: 13
Softs:
discord, windows defender
Links:
https://github.com/AzAgarampur/byeintegrity-liteMorphisec
NFT Malware Gets New Evasion Abilities
The NFT malware NFT-001 has upgraded to a new staged downloader, making it more evasive and dangerous.
#ParsedReport
27-09-2022
LockBit 3.0. Lockbit 3.0 ransomware distributed through word documents
https://asec.ahnlab.com/ko/39196
Threats:
Lockbit
Malware/mdp.download.m1197
Ransom/mdp.decoy.m1171
IOCs:
File: 11
Path: 2
Hash: 6
Url: 2
Softs:
curl
27-09-2022
LockBit 3.0. Lockbit 3.0 ransomware distributed through word documents
https://asec.ahnlab.com/ko/39196
Threats:
Lockbit
Malware/mdp.download.m1197
Ransom/mdp.decoy.m1171
IOCs:
File: 11
Path: 2
Hash: 6
Url: 2
Softs:
curl
ASEC
워드 문서를 통해 유포되는 LockBit 3.0 랜섬웨어 - ASEC
ASEC 분석팀은 9/23 공유한 <입사지원 위장 메일로 유포 중인 NSIS형태의 LockBit 3.0 랜섬웨어>가 워드 문서 형태로도 유포되는 것을 확인하였다. 정확한 유포 경로는 확인되지 않았으나, 유포 파일명으로 ‘임규민.docx’, ‘전채린.docx’ 등 사람 이름을 사용하는 것으로 보아 전과 유사하게 입사지원서를 위장하여 유포되었을 것으로 추정된다. 확인된 워드 문서 내부 word_relssettings.xml.rels 파일에 External…
#ParsedReport
27-09-2022
Exmatter Tool Provides a New Strategy for Extortion
https://socradar.io/exmatter-tool-provides-a-new-strategy-for-extortion
Actors/Campaigns:
Blackmatter
Threats:
Exmatter_tool
27-09-2022
Exmatter Tool Provides a New Strategy for Extortion
https://socradar.io/exmatter-tool-provides-a-new-strategy-for-extortion
Actors/Campaigns:
Blackmatter
Threats:
Exmatter_tool
SOCRadar® Cyber Intelligence Inc.
Exmatter Tool Provides a New Strategy for Extortion - SOCRadar® Cyber Intelligence Inc.
Data exfiltration malware Exmatter, previously associated with the BlackMatter ransomware gang, now has data corruption capabilities. This could signify a new
#ParsedReport
27-09-2022
More Than Meets the Eye: Exposing a Polyglot File That Delivers IcedID
https://unit42.paloaltonetworks.com/polyglot-file-icedid-payload
Actors/Campaigns:
Axiom
Oilrig
Europium
Threats:
Icedid
Terra_stealer
Agent_tesla
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 6
Hash: 4
Domain: 1
Algorithms:
zip, 7zip , exhibit
Functions:
Mshta
Languages:
javascript
27-09-2022
More Than Meets the Eye: Exposing a Polyglot File That Delivers IcedID
https://unit42.paloaltonetworks.com/polyglot-file-icedid-payload
Actors/Campaigns:
Axiom
Oilrig
Europium
Threats:
Icedid
Terra_stealer
Agent_tesla
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 6
Hash: 4
Domain: 1
Algorithms:
zip, 7zip , exhibit
Functions:
Mshta
Languages:
javascript
Unit 42
More Than Meets the Eye: Exposing a Polyglot File That Delivers IcedID
Polyglot files, such as the malicious CHM file analyzed here, can be abused to hide from anti-malware systems that rely on file format identification.
#ParsedReport
28-09-2022
LockBit 3.0 Ransomware Distributed via Word Documents
https://asec.ahnlab.com/en/39242
Threats:
Lockbit
Malware/mdp.download.m1197
Ransom/mdp.decoy.m1171
IOCs:
File: 9
Url: 2
Path: 4
Hash: 6
Softs:
curl
28-09-2022
LockBit 3.0 Ransomware Distributed via Word Documents
https://asec.ahnlab.com/en/39242
Threats:
Lockbit
Malware/mdp.download.m1197
Ransom/mdp.decoy.m1171
IOCs:
File: 9
Url: 2
Path: 4
Hash: 6
Softs:
curl
ASEC
LockBit 3.0 Ransomware Distributed via Word Documents - ASEC
LockBit 3.0 Ransomware Distributed via Word Documents ASEC
#ParsedReport
28-09-2022
ASEC Weekly Malware Statistics (September 12th, 2022 September 18th, 2022)
https://asec.ahnlab.com/en/39332
Threats:
Agent_tesla
Cloudeye
Formbook
Remcos_rat
Nanocore_rat
Lokibot_stealer
Smokeloader
Clipboard_grabbing_technique
Industry:
Financial
Geo:
Korea
IOCs:
Domain: 7
IP: 2
Email: 4
File: 17
Url: 8
Softs:
discord, nsis installer
Languages:
visual_basic, php
28-09-2022
ASEC Weekly Malware Statistics (September 12th, 2022 September 18th, 2022)
https://asec.ahnlab.com/en/39332
Threats:
Agent_tesla
Cloudeye
Formbook
Remcos_rat
Nanocore_rat
Lokibot_stealer
Smokeloader
Clipboard_grabbing_technique
Industry:
Financial
Geo:
Korea
IOCs:
Domain: 7
IP: 2
Email: 4
File: 17
Url: 8
Softs:
discord, nsis installer
Languages:
visual_basic, php
ASEC
ASEC Weekly Malware Statistics (September 12th, 2022 – September 18th, 2022) - ASEC
ASEC Weekly Malware Statistics (September 12th, 2022 – September 18th, 2022) ASEC
#ParsedReport
28-09-2022
ASEC Weekly Malware Statistics (September 19th, 2022 September 25th, 2022)
https://asec.ahnlab.com/en/39370
Threats:
Agent_tesla
Vidar_stealer
Snake_keylogger
Smokeloader
Lockbit
Dharma
Industry:
Financial
Geo:
Korea, Korean
IOCs:
Domain: 10
IP: 4
Email: 8
File: 17
Url: 9
Softs:
discord
28-09-2022
ASEC Weekly Malware Statistics (September 19th, 2022 September 25th, 2022)
https://asec.ahnlab.com/en/39370
Threats:
Agent_tesla
Vidar_stealer
Snake_keylogger
Smokeloader
Lockbit
Dharma
Industry:
Financial
Geo:
Korea, Korean
IOCs:
Domain: 10
IP: 4
Email: 8
File: 17
Url: 9
Softs:
discord
ASEC BLOG
ASEC Weekly Malware Statistics (September 19th, 2022 - September 25th, 2022) - ASEC BLOG
The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from September 19th, 2022 (Monday) to September 25th, 2022 (Sunday). For the main category…
#ParsedReport
28-09-2022
Prilex: the pricey prickle credit card complex
https://securelist.com/prilex-atm-pos-malware-evolution/107551
Threats:
Prilex
Spsniffer
Anydesk_tool
Golden_ticket_technique
Code_cave_technique
Industry:
Financial
Geo:
Brazil, German, Brazilian, Russian
Softs:
telegram
Algorithms:
des
Functions:
GetZip, SetStartup, GetStartup, GetModules, GetConfig, GetKey, SetConfig
Win API:
CloseHandle
Languages:
java, visual_basic, php
28-09-2022
Prilex: the pricey prickle credit card complex
https://securelist.com/prilex-atm-pos-malware-evolution/107551
Threats:
Prilex
Spsniffer
Anydesk_tool
Golden_ticket_technique
Code_cave_technique
Industry:
Financial
Geo:
Brazil, German, Brazilian, Russian
Softs:
telegram
Algorithms:
des
Functions:
GetZip, SetStartup, GetStartup, GetModules, GetConfig, GetKey, SetConfig
Win API:
CloseHandle
Languages:
java, visual_basic, php
#ParsedReport
28-09-2022
Threat Actors Impersonate GitHub, Zoom, and Cloudflare to Steal User Information
https://socradar.io/threat-actors-impersonate-github-zoom-and-cloudflare-to-steal-user-information
Actors/Campaigns:
Fin11 (motivation: financially_motivated)
Threats:
Asyncrat_rat
Vidar_stealer
Clop
Raccoon_stealer
Amadey
Geo:
Russia, Russian
IOCs:
File: 5
Path: 1
Url: 13
IP: 17
Domain: 14
Hash: 4
Softs:
zoom, chrome
Algorithms:
base64, zip
Languages:
javascript
28-09-2022
Threat Actors Impersonate GitHub, Zoom, and Cloudflare to Steal User Information
https://socradar.io/threat-actors-impersonate-github-zoom-and-cloudflare-to-steal-user-information
Actors/Campaigns:
Fin11 (motivation: financially_motivated)
Threats:
Asyncrat_rat
Vidar_stealer
Clop
Raccoon_stealer
Amadey
Geo:
Russia, Russian
IOCs:
File: 5
Path: 1
Url: 13
IP: 17
Domain: 14
Hash: 4
Softs:
zoom, chrome
Algorithms:
base64, zip
Languages:
javascript
SOCRadar® Cyber Intelligence Inc.
Threat Actors Impersonate GitHub, Zoom, and Cloudflare to Steal User Information
During the last two months, threat actors impersonating well-known names such as CloudFlare, GitHub, and Zoom.
#ParsedReport
28-09-2022
Chaos is a Go-based Swiss army knife of malware
https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/?utm_source=rss&utm_medium=rss&utm_campaign=chaos-is-a-go-based-swiss-army-knife-of-malware
Threats:
Chaos
Kaiji
Emotet
Beacon
Xmrig_miner
Ddostf
Industry:
Entertainment, Financial
Geo:
Emea, China, Australia, America, Asia, Chinese, Apac, Pacific
CVEs:
CVE-2017-17215 [Vulners]
Vulners: Score: 6.5, CVSS: 6.1,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Unavailable
Soft:
- huawei hg532 firmware (-)
CVE-2022-30525 [Vulners]
Vulners: Score: 10.0, CVSS: 2.9,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- zyxel usg flex 100w firmware (<5.30)
- zyxel usg flex 200 firmware (<5.30)
- zyxel usg flex 500 firmware (le5.30)
- zyxel usg flex 700 firmware (<5.30)
- zyxel vpn100 firmware (<5.30)
have more...
IOCs:
Registry: 1
File: 5
Coin: 1
Hash: 7
Domain: 17
Algorithms:
exhibit, aes
Platforms:
arm, x86, intel, mips, amd64
Languages:
golang
Links:
28-09-2022
Chaos is a Go-based Swiss army knife of malware
https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/?utm_source=rss&utm_medium=rss&utm_campaign=chaos-is-a-go-based-swiss-army-knife-of-malware
Threats:
Chaos
Kaiji
Emotet
Beacon
Xmrig_miner
Ddostf
Industry:
Entertainment, Financial
Geo:
Emea, China, Australia, America, Asia, Chinese, Apac, Pacific
CVEs:
CVE-2017-17215 [Vulners]
Vulners: Score: 6.5, CVSS: 6.1,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Unavailable
Soft:
- huawei hg532 firmware (-)
CVE-2022-30525 [Vulners]
Vulners: Score: 10.0, CVSS: 2.9,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- zyxel usg flex 100w firmware (<5.30)
- zyxel usg flex 200 firmware (<5.30)
- zyxel usg flex 500 firmware (le5.30)
- zyxel usg flex 700 firmware (<5.30)
- zyxel vpn100 firmware (<5.30)
have more...
IOCs:
Registry: 1
File: 5
Coin: 1
Hash: 7
Domain: 17
Algorithms:
exhibit, aes
Platforms:
arm, x86, intel, mips, amd64
Languages:
golang
Links:
https://gist.github.com/paul91/60371b437658093e826e
https://github.com/blacklotuslabs/IOCs/blob/main/Chaos\_IoCs.txt
https://github.com/xmrig/xmrigLumen
Blog & News Updates | Lumen Technologies
The Lumen blog and newsroom is your source for business technology news and insights, customer stories, press and media, and trending articles.