CTT Report Hub
3.41K subscribers
9.74K photos
6 videos
67 files
13.4K links
Threat Intelligence Report Hub
Download Telegram
#ParsedReport
26-09-2022

BumbleBee: Round Two

https://thedfirreport.com/2022/09/26/bumblebee-round-two

Threats:
Bumblebee
Cobalt_strike
Meterpreter_tool
Adfind_tool
Nltest_tool
Beacon
Procdump_tool
Anydesk_tool
Icedid
Conti
Bazarbackdoor
Diavol
Process_injection_technique
Dumplsass_tool
Tur

TTPs:
Tactics: 11
Technics: 17

IOCs:
File: 22
Path: 14
IP: 10
Hash: 3

Softs:
active directory, internet explorer, qemu

Algorithms:
7zip , base64, zip

Win API:
CreateRemoteThread, VirtualAllocEx, CreateThread

SIGMA: Found

Links:
https://github.com/EricZimmerman/LECmd
#ParsedReport
26-09-2022

NullMixer: oodles of Trojans in a single dropper

https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498

Actors/Campaigns:
Pseudomanuscrypt

Threats:
Nullmixer
Smokeloader
Lgoogloader
Socelar
Redline_stealer
Fabookie
Cold_stealer
Beacon
Glupteba
Clipbanker
Formatloader
Csdimonetize
Danabot
Raccoon_stealer
Sgnitloader
Obsidium_tool
Shortloader
Legionloader
Putty_tool
Antivm
C-joker
Privateloader
Garbage_cleaner
Azorult
Vidar_stealer
Predator

Industry:
Financial, Government, E-commerce

Geo:
France, Italy, India, Germany, Turkey, Russia, Egypt, Brazil

TTPs:
Tactics: 1
Technics: 2

IOCs:
File: 19
Path: 1
Url: 31
Hash: 40
IP: 5
Domain: 21

Softs:
windows defender, microsoft edge, opera, nsis installer, chrome, telegram

Algorithms:
base64, zip, xor

Languages:
autoit, delphi
#ParsedReport
27-09-2022

NSIS Type of LockBit 3.0 Ransomware Disguised as Job Application Emails Being Distributed

https://asec.ahnlab.com/en/39259

Threats:
Lockbit
Ransom/mdp.event.m4353

IOCs:
File: 6
Hash: 2
#ParsedReport
27-09-2022

Threat Actors Utilize PowerPoint Files to Distribute Graphite Malware

https://socradar.io/threat-actors-utilize-powerpoint-files-to-distribute-graphite-malware

Actors/Campaigns:
Fancy_bear

Threats:
Graphite
Process_injection_technique

Industry:
Government

Geo:
Russia, French

TTPs:
Tactics: 6
Technics: 13

IOCs:
File: 6
Hash: 12
Domain: 2
Url: 2

Softs:
zoom, microsoft onedrive, component object model

Algorithms:
xor, aes-256-cbc

Win API:
NtAllocateVirtualMemory

YARA: Found
#ParsedReport
27-09-2022

Agent Tesla RAT Delivered by Quantum Builder With NewTTPs. Key Features of this Attack:

https://www.zscaler.com/blogs/security-research/agent-tesla-rat-delivered-quantum-builder-new-ttps

Actors/Campaigns:
Lazarus

Threats:
Agent_tesla
Quantum_locker
Uac_bypass_technique
Lolbin
Rock
Redline_stealer
Icedid
Cloudeye
Remcos_rat
Asyncrat_rat

Industry:
E-commerce, Financial

Geo:
Guangdong, Chinese, China

TTPs:
Tactics: 1
Technics: 0

IOCs:
File: 10
Hash: 9
Domain: 3
Url: 3
Path: 2
Email: 1

Softs:
windows defender

Algorithms:
zip, xor, base64, aes, gzip

Functions:
FromBase64String, VarType, CreateObject, DownloadData, WriteAllBytes, Run, ShellExecute, CreateShortcut

Win Services:
WebClient

Links:
https://github.com/tylerapplebaum/CMSTP-UACBypass/blob/master/UACBypassCMSTP.ps1
#ParsedReport
27-09-2022

Metador is behind the series of intrusions on telcos, ISPs & Unis

https://www.secureblink.com/cyber-security-news/metador-is-behind-the-series-of-intrusions-on-telcos-is-ps-and-unis

Actors/Campaigns:
Metador (motivation: cyber_espionage)

Threats:
Bespoke
Lolbin
Metamain
Mafalda
Cryshell

Industry:
Telco, Government, Education

Geo:
Chinese, Africa, Spanish, Iranian

Softs:
windows security
#ParsedReport
27-09-2022

Watch Out for the New NFT-001

https://blog.morphisec.com/nft-malware-new-evasion-abilities

Actors/Campaigns:
Nft_001 (motivation: cyber_criminal, cyber_espionage)

Threats:
Babadeda
Remcos_rat
Sbit_rat
Dll_sideloading_technique
Asyncrat_rat
Uac_bypass_technique
Eternity_stealer
Arkei_stealer

Industry:
Financial

IOCs:
IP: 13
File: 3
Path: 1
Url: 2
Hash: 16
Domain: 13

Softs:
discord, windows defender

Links:
https://github.com/AzAgarampur/byeintegrity-lite
#ParsedReport
27-09-2022

More Than Meets the Eye: Exposing a Polyglot File That Delivers IcedID

https://unit42.paloaltonetworks.com/polyglot-file-icedid-payload

Actors/Campaigns:
Axiom
Oilrig
Europium

Threats:
Icedid
Terra_stealer
Agent_tesla

TTPs:
Tactics: 1
Technics: 0

IOCs:
File: 6
Hash: 4
Domain: 1

Algorithms:
zip, 7zip , exhibit

Functions:
Mshta

Languages:
javascript
#ParsedReport
28-09-2022

LockBit 3.0 Ransomware Distributed via Word Documents

https://asec.ahnlab.com/en/39242

Threats:
Lockbit
Malware/mdp.download.m1197
Ransom/mdp.decoy.m1171

IOCs:
File: 9
Url: 2
Path: 4
Hash: 6

Softs:
curl
#ParsedReport
28-09-2022

ASEC Weekly Malware Statistics (September 12th, 2022 September 18th, 2022)

https://asec.ahnlab.com/en/39332

Threats:
Agent_tesla
Cloudeye
Formbook
Remcos_rat
Nanocore_rat
Lokibot_stealer
Smokeloader
Clipboard_grabbing_technique

Industry:
Financial

Geo:
Korea

IOCs:
Domain: 7
IP: 2
Email: 4
File: 17
Url: 8

Softs:
discord, nsis installer

Languages:
visual_basic, php
#ParsedReport
28-09-2022

Prilex: the pricey prickle credit card complex

https://securelist.com/prilex-atm-pos-malware-evolution/107551

Threats:
Prilex
Spsniffer
Anydesk_tool
Golden_ticket_technique
Code_cave_technique

Industry:
Financial

Geo:
Brazil, German, Brazilian, Russian

Softs:
telegram

Algorithms:
des

Functions:
GetZip, SetStartup, GetStartup, GetModules, GetConfig, GetKey, SetConfig

Win API:
CloseHandle

Languages:
java, visual_basic, php
#ParsedReport
28-09-2022

Threat Actors Impersonate GitHub, Zoom, and Cloudflare to Steal User Information

https://socradar.io/threat-actors-impersonate-github-zoom-and-cloudflare-to-steal-user-information

Actors/Campaigns:
Fin11 (motivation: financially_motivated)

Threats:
Asyncrat_rat
Vidar_stealer
Clop
Raccoon_stealer
Amadey

Geo:
Russia, Russian

IOCs:
File: 5
Path: 1
Url: 13
IP: 17
Domain: 14
Hash: 4

Softs:
zoom, chrome

Algorithms:
base64, zip

Languages:
javascript
#ParsedReport
28-09-2022

Chaos is a Go-based Swiss army knife of malware

https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/?utm_source=rss&utm_medium=rss&utm_campaign=chaos-is-a-go-based-swiss-army-knife-of-malware

Threats:
Chaos
Kaiji
Emotet
Beacon
Xmrig_miner
Ddostf

Industry:
Entertainment, Financial

Geo:
Emea, China, Australia, America, Asia, Chinese, Apac, Pacific

CVEs:
CVE-2017-17215 [Vulners]
Vulners: Score: 6.5, CVSS: 6.1,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Unavailable
Soft:
- huawei hg532 firmware (-)

CVE-2022-30525 [Vulners]
Vulners: Score: 10.0, CVSS: 2.9,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- zyxel usg flex 100w firmware (<5.30)
- zyxel usg flex 200 firmware (<5.30)
- zyxel usg flex 500 firmware (le5.30)
- zyxel usg flex 700 firmware (<5.30)
- zyxel vpn100 firmware (<5.30)
have more...

IOCs:
Registry: 1
File: 5
Coin: 1
Hash: 7
Domain: 17

Algorithms:
exhibit, aes

Platforms:
arm, x86, intel, mips, amd64

Languages:
golang

Links:
https://gist.github.com/paul91/60371b437658093e826e
https://github.com/blacklotuslabs/IOCs/blob/main/Chaos\_IoCs.txt
https://github.com/xmrig/xmrig
#ParsedReport
29-09-2022

SmokeLoader Delivers the New Erbium Stealer

https://cyberint.com/blog/research/smokeloader-delivers-the-new-erbium-stealer

Threats:
Erbium_stealer
Smokeloader
Redline_stealer
Gimmick
Arkei_stealer
Dcrat_rat
Raccoon_stealer
Formbook

Industry:
Financial, Entertainment

Geo:
Russian

IOCs:
File: 3
Hash: 10

Softs:
telegram, discord

Languages:
php
#ParsedReport
29-09-2022

ZINC weaponizing open-source software

https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software

Actors/Campaigns:
Lazarus (motivation: cyber_espionage, information_theft, financially_motivated, politically_motivated)
Ice_fog

Threats:
Zetanile
Putty_tool
Tightvnc_tool
Foggybrass
Phantomstar
Artemis
Airdry
Themida_tool
Vmprotect_tool
Eventhorizon

Industry:
Entertainment, Aerospace

Geo:
India, Korea, Russia

IOCs:
File: 13
IP: 3
Path: 10
Domain: 2
Hash: 9

Softs:
sumatra pdf, microsoft defender, microsoft defender for endpoint, microsoft 365 defender, task scheduler

Algorithms:
zip, aes

Languages:
php

Platforms:
x64

Links:
https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincOctober2022\_IP\_Domain\_Hash\_IOC.yaml
https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincOctober2022\_AVHits\_IOC.yaml
https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincOctober2022\_Filename\_Commandline\_IOC.yaml
#ParsedReport
29-09-2022

New campaign uses government, union-themed lures to deliver Cobalt Strike beacons

http://blog.talosintelligence.com/2022/09/new-campaign-uses-government-union.html

Threats:
Cobalt_strike
Beacon
Process_injection_technique
Redline_stealer
Amadey

Industry:
Government

Geo:
Netherlands

CVEs:
CVE-2017-0199 [Vulners]
Vulners: Score: 9.3, CVSS: 7.8,
Vulners: Exploitation: True
X-Force: Risk: 9.3
X-Force: Patch: Official fix
Soft:
- microsoft windows server 2008 (r2, *)
- microsoft windows server 2012 (-)
- microsoft windows vista (*)
- microsoft office (2010, 2013, 2016, 2007)
- microsoft windows 7 (*)
have more...

TTPs:
Tactics: 1
Technics: 0

IOCs:
Url: 6
File: 3
IP: 3
Hash: 12

Softs:
microsoft word, microsoft office, visual basic for applications, ubuntu

Algorithms:
aes

Languages:
visual_basic

Platforms:
x86, x64