CTT Report Hub
3.41K subscribers
9.74K photos
6 videos
67 files
13.4K links
Threat Intelligence Report Hub
Download Telegram
#ParsedReport
28-09-2022

LockBit 3.0 Ransomware Distributed via Word Documents

https://asec.ahnlab.com/en/39242

Threats:
Lockbit
Malware/mdp.download.m1197
Ransom/mdp.decoy.m1171

IOCs:
File: 9
Url: 2
Path: 4
Hash: 6

Softs:
curl
#ParsedReport
28-09-2022

ASEC Weekly Malware Statistics (September 12th, 2022 September 18th, 2022)

https://asec.ahnlab.com/en/39332

Threats:
Agent_tesla
Cloudeye
Formbook
Remcos_rat
Nanocore_rat
Lokibot_stealer
Smokeloader
Clipboard_grabbing_technique

Industry:
Financial

Geo:
Korea

IOCs:
Domain: 7
IP: 2
Email: 4
File: 17
Url: 8

Softs:
discord, nsis installer

Languages:
visual_basic, php
#ParsedReport
28-09-2022

Prilex: the pricey prickle credit card complex

https://securelist.com/prilex-atm-pos-malware-evolution/107551

Threats:
Prilex
Spsniffer
Anydesk_tool
Golden_ticket_technique
Code_cave_technique

Industry:
Financial

Geo:
Brazil, German, Brazilian, Russian

Softs:
telegram

Algorithms:
des

Functions:
GetZip, SetStartup, GetStartup, GetModules, GetConfig, GetKey, SetConfig

Win API:
CloseHandle

Languages:
java, visual_basic, php
#ParsedReport
28-09-2022

Threat Actors Impersonate GitHub, Zoom, and Cloudflare to Steal User Information

https://socradar.io/threat-actors-impersonate-github-zoom-and-cloudflare-to-steal-user-information

Actors/Campaigns:
Fin11 (motivation: financially_motivated)

Threats:
Asyncrat_rat
Vidar_stealer
Clop
Raccoon_stealer
Amadey

Geo:
Russia, Russian

IOCs:
File: 5
Path: 1
Url: 13
IP: 17
Domain: 14
Hash: 4

Softs:
zoom, chrome

Algorithms:
base64, zip

Languages:
javascript
#ParsedReport
28-09-2022

Chaos is a Go-based Swiss army knife of malware

https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/?utm_source=rss&utm_medium=rss&utm_campaign=chaos-is-a-go-based-swiss-army-knife-of-malware

Threats:
Chaos
Kaiji
Emotet
Beacon
Xmrig_miner
Ddostf

Industry:
Entertainment, Financial

Geo:
Emea, China, Australia, America, Asia, Chinese, Apac, Pacific

CVEs:
CVE-2017-17215 [Vulners]
Vulners: Score: 6.5, CVSS: 6.1,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Unavailable
Soft:
- huawei hg532 firmware (-)

CVE-2022-30525 [Vulners]
Vulners: Score: 10.0, CVSS: 2.9,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- zyxel usg flex 100w firmware (<5.30)
- zyxel usg flex 200 firmware (<5.30)
- zyxel usg flex 500 firmware (le5.30)
- zyxel usg flex 700 firmware (<5.30)
- zyxel vpn100 firmware (<5.30)
have more...

IOCs:
Registry: 1
File: 5
Coin: 1
Hash: 7
Domain: 17

Algorithms:
exhibit, aes

Platforms:
arm, x86, intel, mips, amd64

Languages:
golang

Links:
https://gist.github.com/paul91/60371b437658093e826e
https://github.com/blacklotuslabs/IOCs/blob/main/Chaos\_IoCs.txt
https://github.com/xmrig/xmrig
#ParsedReport
29-09-2022

SmokeLoader Delivers the New Erbium Stealer

https://cyberint.com/blog/research/smokeloader-delivers-the-new-erbium-stealer

Threats:
Erbium_stealer
Smokeloader
Redline_stealer
Gimmick
Arkei_stealer
Dcrat_rat
Raccoon_stealer
Formbook

Industry:
Financial, Entertainment

Geo:
Russian

IOCs:
File: 3
Hash: 10

Softs:
telegram, discord

Languages:
php
#ParsedReport
29-09-2022

ZINC weaponizing open-source software

https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software

Actors/Campaigns:
Lazarus (motivation: cyber_espionage, information_theft, financially_motivated, politically_motivated)
Ice_fog

Threats:
Zetanile
Putty_tool
Tightvnc_tool
Foggybrass
Phantomstar
Artemis
Airdry
Themida_tool
Vmprotect_tool
Eventhorizon

Industry:
Entertainment, Aerospace

Geo:
India, Korea, Russia

IOCs:
File: 13
IP: 3
Path: 10
Domain: 2
Hash: 9

Softs:
sumatra pdf, microsoft defender, microsoft defender for endpoint, microsoft 365 defender, task scheduler

Algorithms:
zip, aes

Languages:
php

Platforms:
x64

Links:
https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincOctober2022\_IP\_Domain\_Hash\_IOC.yaml
https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincOctober2022\_AVHits\_IOC.yaml
https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincOctober2022\_Filename\_Commandline\_IOC.yaml
#ParsedReport
29-09-2022

New campaign uses government, union-themed lures to deliver Cobalt Strike beacons

http://blog.talosintelligence.com/2022/09/new-campaign-uses-government-union.html

Threats:
Cobalt_strike
Beacon
Process_injection_technique
Redline_stealer
Amadey

Industry:
Government

Geo:
Netherlands

CVEs:
CVE-2017-0199 [Vulners]
Vulners: Score: 9.3, CVSS: 7.8,
Vulners: Exploitation: True
X-Force: Risk: 9.3
X-Force: Patch: Official fix
Soft:
- microsoft windows server 2008 (r2, *)
- microsoft windows server 2012 (-)
- microsoft windows vista (*)
- microsoft office (2010, 2013, 2016, 2007)
- microsoft windows 7 (*)
have more...

TTPs:
Tactics: 1
Technics: 0

IOCs:
Url: 6
File: 3
IP: 3
Hash: 12

Softs:
microsoft word, microsoft office, visual basic for applications, ubuntu

Algorithms:
aes

Languages:
visual_basic

Platforms:
x86, x64
#ParsedReport
29-09-2022

Witchetty: Group Uses Updated Toolset in Attacks on Governments in Middle East

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/witchetty-steganography-espionage

Actors/Campaigns:
Ta410 (motivation: cyber_espionage)
Stone_panda (motivation: cyber_espionage)

Threats:
Proxyshell_vuln
Proxylogon_exploit
Lookback
Minidump_tool
Mimikatz
Winrm_tool
Chinachopper
Plugx_rat
Plink
Secretsdump_tool
Fscan_tool

Industry:
Government

Geo:
China, Africa, African

CVEs:
CVE-2021-26855 [Vulners]
Vulners: Score: 7.5, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 9.1
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2016, 2016, 2013, 2016, 2016, 2013, 2016, 2019, 2013, 2016, 2016, 2016, 2016, 2016, 2016, 2016, 2019, 2019, 2019, 2019, 2019, 2019, 2019, 2019)

CVE-2021-27065 [Vulners]
Vulners: Score: 6.8, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2016, 2016, 2016, 2013, 2016, 2019, 2013, 2016, 2016, 2016, 2016, 2016, 2016, 2016, 2019, 2019, 2019, 2019, 2019, 2019, 2019)

CVE-2021-34523 [Vulners]
Vulners: Score: 7.5, CVSS: 3.4,
Vulners: Exploitation: True
X-Force: Risk: 9
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)

CVE-2021-34473 [Vulners]
Vulners: Score: 10.0, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 9.1
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)

CVE-2021-31207 [Vulners]
Vulners: Score: 6.5, CVSS: 1.7,
Vulners: Exploitation: True
X-Force: Risk: 6.6
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)


IOCs:
File: 15
Path: 4
Registry: 1
IP: 4
Hash: 49
Domain: 1

Softs:
local security authority

Algorithms:
xor, zip

Win API:
MiniDumpWriteDump

Platforms:
x86
#ParsedReport
29-09-2022

Fabricated Bank website distributes Android Spyware

https://blog.cyble.com/2022/09/29/fabricated-bank-website-distributes-android-spyware

Threats:
Spymax

Industry:
Financial

Geo:
Singapore, India, Georgia, Dubai, Australia

TTPs:
Tactics: 4
Technics: 9

IOCs:
File: 1
Domain: 1
Url: 4
Hash: 1

Softs:
android, tronlink
#ParsedReport
30-09-2022

Brazilian Banking Trojan Resurfaces

https://labs.k7computing.com/index.php/brazilian-banking-trojan-resurfaces

Threats:
Klbanker
Janeleiro
Amavaldo
Html_smuggling_technique
Dll_sideloading_technique

Industry:
Financial

Geo:
America, Brazilian, Brasil

TTPs:
Tactics: 1
Technics: 0

IOCs:
File: 8
Url: 3
IP: 1
Hash: 2

Softs:
chrome

Algorithms:
base64, aes, rc4, zip

Languages:
javascript, jscript
#ParsedReport
30-09-2022

Excel Macro Qakbot, ISO. Distributed to QAKBOT, ISO files distributed in Excel Macro

https://asec.ahnlab.com/ko/39329

Threats:
Qakbot
Asyncrat_rat
Icedid
Bumblebee
Malware/win.generic.c5240833

Industry:
Financial

IOCs:
File: 4
Path: 1
IP: 17
Hash: 5

Softs:
windows defender
#ParsedReport
30-09-2022

A glimpse into the shadowy realm of a Chinese APT: detailed analysis of a ShadowPad intrusion. Summary

https://research.nccgroup.com/2022/09/30/a-glimpse-into-the-shadowy-realm-of-a-chinese-apt-detailed-analysis-of-a-shadowpad-intrusion

Threats:
Shadowpad
Timestomp_technique
Credential_harvesting_technique
Powerview
Sessiongopher_tool
Process_injection_technique
Process_hollowing_technique
Powersploit
Winrm_tool
Poison_ivy
Adfind_tool
Nbtscan_tool
Mimikatz

Geo:
Chinese, China

CVEs:
CVE-2022-29464 [Vulners]
Vulners: Score: 10.0, CVSS: 5.2,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- wso2 identity server analytics (5.5.0, 5.4.1, 5.6.0, 5.4.0)
- wso2 api manager (le4.0.0)
- wso2 identity server (le5.11.0)
- wso2 enterprise integrator (le6.6.0)
- wso2 identity server as key manager (le5.10.0)
have more...

TTPs:
Tactics: 12
Technics: 40

IOCs:
Hash: 13
IP: 1
File: 9
Path: 34

Softs:
windows service, local security authority, active directory, component object model

Algorithms:
aes-cbc, aes, 7zip , xor

Languages:
python
#ParsedReport
30-09-2022

Ransomware Roundup: Bisamware and Chile Locker

https://www.fortinet.com/blog/threat-research/ransomware-roundup-bisamware-and-chile-locker

Threats:
Bisamware
Follina_vuln
W32/agent.bnq!tr.ransom
W64/agent.bnq!tr.ransom

Industry:
Government, Financial

Geo:
Uruguay, Netherland, Italy, Malaysia, Chile, Spain, Romania, Canada, China, Poland, Russia, Mexico

CVEs:
CVE-2022-30190 [Vulners]
Vulners: Score: 9.3, CVSS: 3.4,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft windows server 2012 (r2, -)
- microsoft windows 10 (1607, -, 1809, 20h2, 21h1, 21h2)
- microsoft windows 8.1 (-)
- microsoft windows server 2016 (-)
- microsoft windows server 2008 (-, r2)
have more...

IOCs:
File: 1
Hash: 11

Softs:
microsoft word