CTT Report Hub
3.41K subscribers
9.74K photos
6 videos
67 files
13.4K links
Threat Intelligence Report Hub
Download Telegram
#ParsedReport
27-09-2022

Metador is behind the series of intrusions on telcos, ISPs & Unis

https://www.secureblink.com/cyber-security-news/metador-is-behind-the-series-of-intrusions-on-telcos-is-ps-and-unis

Actors/Campaigns:
Metador (motivation: cyber_espionage)

Threats:
Bespoke
Lolbin
Metamain
Mafalda
Cryshell

Industry:
Telco, Government, Education

Geo:
Chinese, Africa, Spanish, Iranian

Softs:
windows security
#ParsedReport
27-09-2022

Watch Out for the New NFT-001

https://blog.morphisec.com/nft-malware-new-evasion-abilities

Actors/Campaigns:
Nft_001 (motivation: cyber_criminal, cyber_espionage)

Threats:
Babadeda
Remcos_rat
Sbit_rat
Dll_sideloading_technique
Asyncrat_rat
Uac_bypass_technique
Eternity_stealer
Arkei_stealer

Industry:
Financial

IOCs:
IP: 13
File: 3
Path: 1
Url: 2
Hash: 16
Domain: 13

Softs:
discord, windows defender

Links:
https://github.com/AzAgarampur/byeintegrity-lite
#ParsedReport
27-09-2022

More Than Meets the Eye: Exposing a Polyglot File That Delivers IcedID

https://unit42.paloaltonetworks.com/polyglot-file-icedid-payload

Actors/Campaigns:
Axiom
Oilrig
Europium

Threats:
Icedid
Terra_stealer
Agent_tesla

TTPs:
Tactics: 1
Technics: 0

IOCs:
File: 6
Hash: 4
Domain: 1

Algorithms:
zip, 7zip , exhibit

Functions:
Mshta

Languages:
javascript
#ParsedReport
28-09-2022

LockBit 3.0 Ransomware Distributed via Word Documents

https://asec.ahnlab.com/en/39242

Threats:
Lockbit
Malware/mdp.download.m1197
Ransom/mdp.decoy.m1171

IOCs:
File: 9
Url: 2
Path: 4
Hash: 6

Softs:
curl
#ParsedReport
28-09-2022

ASEC Weekly Malware Statistics (September 12th, 2022 September 18th, 2022)

https://asec.ahnlab.com/en/39332

Threats:
Agent_tesla
Cloudeye
Formbook
Remcos_rat
Nanocore_rat
Lokibot_stealer
Smokeloader
Clipboard_grabbing_technique

Industry:
Financial

Geo:
Korea

IOCs:
Domain: 7
IP: 2
Email: 4
File: 17
Url: 8

Softs:
discord, nsis installer

Languages:
visual_basic, php
#ParsedReport
28-09-2022

Prilex: the pricey prickle credit card complex

https://securelist.com/prilex-atm-pos-malware-evolution/107551

Threats:
Prilex
Spsniffer
Anydesk_tool
Golden_ticket_technique
Code_cave_technique

Industry:
Financial

Geo:
Brazil, German, Brazilian, Russian

Softs:
telegram

Algorithms:
des

Functions:
GetZip, SetStartup, GetStartup, GetModules, GetConfig, GetKey, SetConfig

Win API:
CloseHandle

Languages:
java, visual_basic, php
#ParsedReport
28-09-2022

Threat Actors Impersonate GitHub, Zoom, and Cloudflare to Steal User Information

https://socradar.io/threat-actors-impersonate-github-zoom-and-cloudflare-to-steal-user-information

Actors/Campaigns:
Fin11 (motivation: financially_motivated)

Threats:
Asyncrat_rat
Vidar_stealer
Clop
Raccoon_stealer
Amadey

Geo:
Russia, Russian

IOCs:
File: 5
Path: 1
Url: 13
IP: 17
Domain: 14
Hash: 4

Softs:
zoom, chrome

Algorithms:
base64, zip

Languages:
javascript
#ParsedReport
28-09-2022

Chaos is a Go-based Swiss army knife of malware

https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/?utm_source=rss&utm_medium=rss&utm_campaign=chaos-is-a-go-based-swiss-army-knife-of-malware

Threats:
Chaos
Kaiji
Emotet
Beacon
Xmrig_miner
Ddostf

Industry:
Entertainment, Financial

Geo:
Emea, China, Australia, America, Asia, Chinese, Apac, Pacific

CVEs:
CVE-2017-17215 [Vulners]
Vulners: Score: 6.5, CVSS: 6.1,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Unavailable
Soft:
- huawei hg532 firmware (-)

CVE-2022-30525 [Vulners]
Vulners: Score: 10.0, CVSS: 2.9,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- zyxel usg flex 100w firmware (<5.30)
- zyxel usg flex 200 firmware (<5.30)
- zyxel usg flex 500 firmware (le5.30)
- zyxel usg flex 700 firmware (<5.30)
- zyxel vpn100 firmware (<5.30)
have more...

IOCs:
Registry: 1
File: 5
Coin: 1
Hash: 7
Domain: 17

Algorithms:
exhibit, aes

Platforms:
arm, x86, intel, mips, amd64

Languages:
golang

Links:
https://gist.github.com/paul91/60371b437658093e826e
https://github.com/blacklotuslabs/IOCs/blob/main/Chaos\_IoCs.txt
https://github.com/xmrig/xmrig
#ParsedReport
29-09-2022

SmokeLoader Delivers the New Erbium Stealer

https://cyberint.com/blog/research/smokeloader-delivers-the-new-erbium-stealer

Threats:
Erbium_stealer
Smokeloader
Redline_stealer
Gimmick
Arkei_stealer
Dcrat_rat
Raccoon_stealer
Formbook

Industry:
Financial, Entertainment

Geo:
Russian

IOCs:
File: 3
Hash: 10

Softs:
telegram, discord

Languages:
php
#ParsedReport
29-09-2022

ZINC weaponizing open-source software

https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software

Actors/Campaigns:
Lazarus (motivation: cyber_espionage, information_theft, financially_motivated, politically_motivated)
Ice_fog

Threats:
Zetanile
Putty_tool
Tightvnc_tool
Foggybrass
Phantomstar
Artemis
Airdry
Themida_tool
Vmprotect_tool
Eventhorizon

Industry:
Entertainment, Aerospace

Geo:
India, Korea, Russia

IOCs:
File: 13
IP: 3
Path: 10
Domain: 2
Hash: 9

Softs:
sumatra pdf, microsoft defender, microsoft defender for endpoint, microsoft 365 defender, task scheduler

Algorithms:
zip, aes

Languages:
php

Platforms:
x64

Links:
https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincOctober2022\_IP\_Domain\_Hash\_IOC.yaml
https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincOctober2022\_AVHits\_IOC.yaml
https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincOctober2022\_Filename\_Commandline\_IOC.yaml
#ParsedReport
29-09-2022

New campaign uses government, union-themed lures to deliver Cobalt Strike beacons

http://blog.talosintelligence.com/2022/09/new-campaign-uses-government-union.html

Threats:
Cobalt_strike
Beacon
Process_injection_technique
Redline_stealer
Amadey

Industry:
Government

Geo:
Netherlands

CVEs:
CVE-2017-0199 [Vulners]
Vulners: Score: 9.3, CVSS: 7.8,
Vulners: Exploitation: True
X-Force: Risk: 9.3
X-Force: Patch: Official fix
Soft:
- microsoft windows server 2008 (r2, *)
- microsoft windows server 2012 (-)
- microsoft windows vista (*)
- microsoft office (2010, 2013, 2016, 2007)
- microsoft windows 7 (*)
have more...

TTPs:
Tactics: 1
Technics: 0

IOCs:
Url: 6
File: 3
IP: 3
Hash: 12

Softs:
microsoft word, microsoft office, visual basic for applications, ubuntu

Algorithms:
aes

Languages:
visual_basic

Platforms:
x86, x64
#ParsedReport
29-09-2022

Witchetty: Group Uses Updated Toolset in Attacks on Governments in Middle East

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/witchetty-steganography-espionage

Actors/Campaigns:
Ta410 (motivation: cyber_espionage)
Stone_panda (motivation: cyber_espionage)

Threats:
Proxyshell_vuln
Proxylogon_exploit
Lookback
Minidump_tool
Mimikatz
Winrm_tool
Chinachopper
Plugx_rat
Plink
Secretsdump_tool
Fscan_tool

Industry:
Government

Geo:
China, Africa, African

CVEs:
CVE-2021-26855 [Vulners]
Vulners: Score: 7.5, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 9.1
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2016, 2016, 2013, 2016, 2016, 2013, 2016, 2019, 2013, 2016, 2016, 2016, 2016, 2016, 2016, 2016, 2019, 2019, 2019, 2019, 2019, 2019, 2019, 2019)

CVE-2021-27065 [Vulners]
Vulners: Score: 6.8, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2016, 2016, 2016, 2013, 2016, 2019, 2013, 2016, 2016, 2016, 2016, 2016, 2016, 2016, 2019, 2019, 2019, 2019, 2019, 2019, 2019)

CVE-2021-34523 [Vulners]
Vulners: Score: 7.5, CVSS: 3.4,
Vulners: Exploitation: True
X-Force: Risk: 9
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)

CVE-2021-34473 [Vulners]
Vulners: Score: 10.0, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 9.1
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)

CVE-2021-31207 [Vulners]
Vulners: Score: 6.5, CVSS: 1.7,
Vulners: Exploitation: True
X-Force: Risk: 6.6
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)


IOCs:
File: 15
Path: 4
Registry: 1
IP: 4
Hash: 49
Domain: 1

Softs:
local security authority

Algorithms:
xor, zip

Win API:
MiniDumpWriteDump

Platforms:
x86
#ParsedReport
29-09-2022

Fabricated Bank website distributes Android Spyware

https://blog.cyble.com/2022/09/29/fabricated-bank-website-distributes-android-spyware

Threats:
Spymax

Industry:
Financial

Geo:
Singapore, India, Georgia, Dubai, Australia

TTPs:
Tactics: 4
Technics: 9

IOCs:
File: 1
Domain: 1
Url: 4
Hash: 1

Softs:
android, tronlink