#ParsedReport
28-09-2022
LockBit 3.0 Ransomware Distributed via Word Documents
https://asec.ahnlab.com/en/39242
Threats:
Lockbit
Malware/mdp.download.m1197
Ransom/mdp.decoy.m1171
IOCs:
File: 9
Url: 2
Path: 4
Hash: 6
Softs:
curl
28-09-2022
LockBit 3.0 Ransomware Distributed via Word Documents
https://asec.ahnlab.com/en/39242
Threats:
Lockbit
Malware/mdp.download.m1197
Ransom/mdp.decoy.m1171
IOCs:
File: 9
Url: 2
Path: 4
Hash: 6
Softs:
curl
ASEC
LockBit 3.0 Ransomware Distributed via Word Documents - ASEC
LockBit 3.0 Ransomware Distributed via Word Documents ASEC
#ParsedReport
28-09-2022
ASEC Weekly Malware Statistics (September 12th, 2022 September 18th, 2022)
https://asec.ahnlab.com/en/39332
Threats:
Agent_tesla
Cloudeye
Formbook
Remcos_rat
Nanocore_rat
Lokibot_stealer
Smokeloader
Clipboard_grabbing_technique
Industry:
Financial
Geo:
Korea
IOCs:
Domain: 7
IP: 2
Email: 4
File: 17
Url: 8
Softs:
discord, nsis installer
Languages:
visual_basic, php
28-09-2022
ASEC Weekly Malware Statistics (September 12th, 2022 September 18th, 2022)
https://asec.ahnlab.com/en/39332
Threats:
Agent_tesla
Cloudeye
Formbook
Remcos_rat
Nanocore_rat
Lokibot_stealer
Smokeloader
Clipboard_grabbing_technique
Industry:
Financial
Geo:
Korea
IOCs:
Domain: 7
IP: 2
Email: 4
File: 17
Url: 8
Softs:
discord, nsis installer
Languages:
visual_basic, php
ASEC
ASEC Weekly Malware Statistics (September 12th, 2022 – September 18th, 2022) - ASEC
ASEC Weekly Malware Statistics (September 12th, 2022 – September 18th, 2022) ASEC
#ParsedReport
28-09-2022
ASEC Weekly Malware Statistics (September 19th, 2022 September 25th, 2022)
https://asec.ahnlab.com/en/39370
Threats:
Agent_tesla
Vidar_stealer
Snake_keylogger
Smokeloader
Lockbit
Dharma
Industry:
Financial
Geo:
Korea, Korean
IOCs:
Domain: 10
IP: 4
Email: 8
File: 17
Url: 9
Softs:
discord
28-09-2022
ASEC Weekly Malware Statistics (September 19th, 2022 September 25th, 2022)
https://asec.ahnlab.com/en/39370
Threats:
Agent_tesla
Vidar_stealer
Snake_keylogger
Smokeloader
Lockbit
Dharma
Industry:
Financial
Geo:
Korea, Korean
IOCs:
Domain: 10
IP: 4
Email: 8
File: 17
Url: 9
Softs:
discord
ASEC BLOG
ASEC Weekly Malware Statistics (September 19th, 2022 - September 25th, 2022) - ASEC BLOG
The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from September 19th, 2022 (Monday) to September 25th, 2022 (Sunday). For the main category…
#ParsedReport
28-09-2022
Prilex: the pricey prickle credit card complex
https://securelist.com/prilex-atm-pos-malware-evolution/107551
Threats:
Prilex
Spsniffer
Anydesk_tool
Golden_ticket_technique
Code_cave_technique
Industry:
Financial
Geo:
Brazil, German, Brazilian, Russian
Softs:
telegram
Algorithms:
des
Functions:
GetZip, SetStartup, GetStartup, GetModules, GetConfig, GetKey, SetConfig
Win API:
CloseHandle
Languages:
java, visual_basic, php
28-09-2022
Prilex: the pricey prickle credit card complex
https://securelist.com/prilex-atm-pos-malware-evolution/107551
Threats:
Prilex
Spsniffer
Anydesk_tool
Golden_ticket_technique
Code_cave_technique
Industry:
Financial
Geo:
Brazil, German, Brazilian, Russian
Softs:
telegram
Algorithms:
des
Functions:
GetZip, SetStartup, GetStartup, GetModules, GetConfig, GetKey, SetConfig
Win API:
CloseHandle
Languages:
java, visual_basic, php
#ParsedReport
28-09-2022
Threat Actors Impersonate GitHub, Zoom, and Cloudflare to Steal User Information
https://socradar.io/threat-actors-impersonate-github-zoom-and-cloudflare-to-steal-user-information
Actors/Campaigns:
Fin11 (motivation: financially_motivated)
Threats:
Asyncrat_rat
Vidar_stealer
Clop
Raccoon_stealer
Amadey
Geo:
Russia, Russian
IOCs:
File: 5
Path: 1
Url: 13
IP: 17
Domain: 14
Hash: 4
Softs:
zoom, chrome
Algorithms:
base64, zip
Languages:
javascript
28-09-2022
Threat Actors Impersonate GitHub, Zoom, and Cloudflare to Steal User Information
https://socradar.io/threat-actors-impersonate-github-zoom-and-cloudflare-to-steal-user-information
Actors/Campaigns:
Fin11 (motivation: financially_motivated)
Threats:
Asyncrat_rat
Vidar_stealer
Clop
Raccoon_stealer
Amadey
Geo:
Russia, Russian
IOCs:
File: 5
Path: 1
Url: 13
IP: 17
Domain: 14
Hash: 4
Softs:
zoom, chrome
Algorithms:
base64, zip
Languages:
javascript
SOCRadar® Cyber Intelligence Inc.
Threat Actors Impersonate GitHub, Zoom, and Cloudflare to Steal User Information
During the last two months, threat actors impersonating well-known names such as CloudFlare, GitHub, and Zoom.
#ParsedReport
28-09-2022
Chaos is a Go-based Swiss army knife of malware
https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/?utm_source=rss&utm_medium=rss&utm_campaign=chaos-is-a-go-based-swiss-army-knife-of-malware
Threats:
Chaos
Kaiji
Emotet
Beacon
Xmrig_miner
Ddostf
Industry:
Entertainment, Financial
Geo:
Emea, China, Australia, America, Asia, Chinese, Apac, Pacific
CVEs:
CVE-2017-17215 [Vulners]
Vulners: Score: 6.5, CVSS: 6.1,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Unavailable
Soft:
- huawei hg532 firmware (-)
CVE-2022-30525 [Vulners]
Vulners: Score: 10.0, CVSS: 2.9,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- zyxel usg flex 100w firmware (<5.30)
- zyxel usg flex 200 firmware (<5.30)
- zyxel usg flex 500 firmware (le5.30)
- zyxel usg flex 700 firmware (<5.30)
- zyxel vpn100 firmware (<5.30)
have more...
IOCs:
Registry: 1
File: 5
Coin: 1
Hash: 7
Domain: 17
Algorithms:
exhibit, aes
Platforms:
arm, x86, intel, mips, amd64
Languages:
golang
Links:
28-09-2022
Chaos is a Go-based Swiss army knife of malware
https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/?utm_source=rss&utm_medium=rss&utm_campaign=chaos-is-a-go-based-swiss-army-knife-of-malware
Threats:
Chaos
Kaiji
Emotet
Beacon
Xmrig_miner
Ddostf
Industry:
Entertainment, Financial
Geo:
Emea, China, Australia, America, Asia, Chinese, Apac, Pacific
CVEs:
CVE-2017-17215 [Vulners]
Vulners: Score: 6.5, CVSS: 6.1,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Unavailable
Soft:
- huawei hg532 firmware (-)
CVE-2022-30525 [Vulners]
Vulners: Score: 10.0, CVSS: 2.9,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- zyxel usg flex 100w firmware (<5.30)
- zyxel usg flex 200 firmware (<5.30)
- zyxel usg flex 500 firmware (le5.30)
- zyxel usg flex 700 firmware (<5.30)
- zyxel vpn100 firmware (<5.30)
have more...
IOCs:
Registry: 1
File: 5
Coin: 1
Hash: 7
Domain: 17
Algorithms:
exhibit, aes
Platforms:
arm, x86, intel, mips, amd64
Languages:
golang
Links:
https://gist.github.com/paul91/60371b437658093e826e
https://github.com/blacklotuslabs/IOCs/blob/main/Chaos\_IoCs.txt
https://github.com/xmrig/xmrigLumen
Blog & News Updates | Lumen Technologies
The Lumen blog and newsroom is your source for business technology news and insights, customer stories, press and media, and trending articles.
#ParsedReport
29-09-2022
SmokeLoader Delivers the New Erbium Stealer
https://cyberint.com/blog/research/smokeloader-delivers-the-new-erbium-stealer
Threats:
Erbium_stealer
Smokeloader
Redline_stealer
Gimmick
Arkei_stealer
Dcrat_rat
Raccoon_stealer
Formbook
Industry:
Financial, Entertainment
Geo:
Russian
IOCs:
File: 3
Hash: 10
Softs:
telegram, discord
Languages:
php
29-09-2022
SmokeLoader Delivers the New Erbium Stealer
https://cyberint.com/blog/research/smokeloader-delivers-the-new-erbium-stealer
Threats:
Erbium_stealer
Smokeloader
Redline_stealer
Gimmick
Arkei_stealer
Dcrat_rat
Raccoon_stealer
Formbook
Industry:
Financial, Entertainment
Geo:
Russian
IOCs:
File: 3
Hash: 10
Softs:
telegram, discord
Languages:
php
Cyberint
SmokeLoader Delivers the New Erbium Stealer
Over the past few months, a new info stealer has emerged developed by an underground Russian-based group that has been operating since July
#ParsedReport
29-09-2022
Erbium stealer on the hunt for data
https://www.malwarebytes.com/blog/news/2022/09/increasingly-popular-erbium-stealer-on-the-hunt-for-data
Threats:
Erbium_stealer
Chaos
Industry:
E-commerce
Softs:
chrome, clover wallet, keychain, zilpay
29-09-2022
Erbium stealer on the hunt for data
https://www.malwarebytes.com/blog/news/2022/09/increasingly-popular-erbium-stealer-on-the-hunt-for-data
Threats:
Erbium_stealer
Chaos
Industry:
E-commerce
Softs:
chrome, clover wallet, keychain, zilpay
Malwarebytes
Erbium stealer on the hunt for data
We take a look at reports of new data theft malware relying on sold old tricks
#ParsedReport
29-09-2022
ZINC weaponizing open-source software
https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software
Actors/Campaigns:
Lazarus (motivation: cyber_espionage, information_theft, financially_motivated, politically_motivated)
Ice_fog
Threats:
Zetanile
Putty_tool
Tightvnc_tool
Foggybrass
Phantomstar
Artemis
Airdry
Themida_tool
Vmprotect_tool
Eventhorizon
Industry:
Entertainment, Aerospace
Geo:
India, Korea, Russia
IOCs:
File: 13
IP: 3
Path: 10
Domain: 2
Hash: 9
Softs:
sumatra pdf, microsoft defender, microsoft defender for endpoint, microsoft 365 defender, task scheduler
Algorithms:
zip, aes
Languages:
php
Platforms:
x64
Links:
29-09-2022
ZINC weaponizing open-source software
https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software
Actors/Campaigns:
Lazarus (motivation: cyber_espionage, information_theft, financially_motivated, politically_motivated)
Ice_fog
Threats:
Zetanile
Putty_tool
Tightvnc_tool
Foggybrass
Phantomstar
Artemis
Airdry
Themida_tool
Vmprotect_tool
Eventhorizon
Industry:
Entertainment, Aerospace
Geo:
India, Korea, Russia
IOCs:
File: 13
IP: 3
Path: 10
Domain: 2
Hash: 9
Softs:
sumatra pdf, microsoft defender, microsoft defender for endpoint, microsoft 365 defender, task scheduler
Algorithms:
zip, aes
Languages:
php
Platforms:
x64
Links:
https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincOctober2022\_IP\_Domain\_Hash\_IOC.yaml
https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincOctober2022\_AVHits\_IOC.yaml
https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincOctober2022\_Filename\_Commandline\_IOC.yamlMicrosoft News
ZINC weaponizing open-source software
In recent months, Microsoft detected weaponization of legitimate open-source software by an actor the Microsoft Threat Intelligence Center (MSTIC) tracks as ZINC, targeting employees at media, defense and aerospace, and IT service provider organizations in…
#ParsedReport
29-09-2022
New campaign uses government, union-themed lures to deliver Cobalt Strike beacons
http://blog.talosintelligence.com/2022/09/new-campaign-uses-government-union.html
Threats:
Cobalt_strike
Beacon
Process_injection_technique
Redline_stealer
Amadey
Industry:
Government
Geo:
Netherlands
CVEs:
CVE-2017-0199 [Vulners]
Vulners: Score: 9.3, CVSS: 7.8,
Vulners: Exploitation: True
X-Force: Risk: 9.3
X-Force: Patch: Official fix
Soft:
- microsoft windows server 2008 (r2, *)
- microsoft windows server 2012 (-)
- microsoft windows vista (*)
- microsoft office (2010, 2013, 2016, 2007)
- microsoft windows 7 (*)
have more...
TTPs:
Tactics: 1
Technics: 0
IOCs:
Url: 6
File: 3
IP: 3
Hash: 12
Softs:
microsoft word, microsoft office, visual basic for applications, ubuntu
Algorithms:
aes
Languages:
visual_basic
Platforms:
x86, x64
29-09-2022
New campaign uses government, union-themed lures to deliver Cobalt Strike beacons
http://blog.talosintelligence.com/2022/09/new-campaign-uses-government-union.html
Threats:
Cobalt_strike
Beacon
Process_injection_technique
Redline_stealer
Amadey
Industry:
Government
Geo:
Netherlands
CVEs:
CVE-2017-0199 [Vulners]
Vulners: Score: 9.3, CVSS: 7.8,
Vulners: Exploitation: True
X-Force: Risk: 9.3
X-Force: Patch: Official fix
Soft:
- microsoft windows server 2008 (r2, *)
- microsoft windows server 2012 (-)
- microsoft windows vista (*)
- microsoft office (2010, 2013, 2016, 2007)
- microsoft windows 7 (*)
have more...
TTPs:
Tactics: 1
Technics: 0
IOCs:
Url: 6
File: 3
IP: 3
Hash: 12
Softs:
microsoft word, microsoft office, visual basic for applications, ubuntu
Algorithms:
aes
Languages:
visual_basic
Platforms:
x86, x64
Talosintelligence
New campaign uses government, union-themed lures to deliver Cobalt Strike beacons
A blog from the world class Intelligence Group, Talos, Cisco's Intelligence Group
#ParsedReport
29-09-2022
Witchetty: Group Uses Updated Toolset in Attacks on Governments in Middle East
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/witchetty-steganography-espionage
Actors/Campaigns:
Ta410 (motivation: cyber_espionage)
Stone_panda (motivation: cyber_espionage)
Threats:
Proxyshell_vuln
Proxylogon_exploit
Lookback
Minidump_tool
Mimikatz
Winrm_tool
Chinachopper
Plugx_rat
Plink
Secretsdump_tool
Fscan_tool
Industry:
Government
Geo:
China, Africa, African
CVEs:
CVE-2021-26855 [Vulners]
Vulners: Score: 7.5, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 9.1
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2016, 2016, 2013, 2016, 2016, 2013, 2016, 2019, 2013, 2016, 2016, 2016, 2016, 2016, 2016, 2016, 2019, 2019, 2019, 2019, 2019, 2019, 2019, 2019)
CVE-2021-27065 [Vulners]
Vulners: Score: 6.8, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2016, 2016, 2016, 2013, 2016, 2019, 2013, 2016, 2016, 2016, 2016, 2016, 2016, 2016, 2019, 2019, 2019, 2019, 2019, 2019, 2019)
CVE-2021-34523 [Vulners]
Vulners: Score: 7.5, CVSS: 3.4,
Vulners: Exploitation: True
X-Force: Risk: 9
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
CVE-2021-34473 [Vulners]
Vulners: Score: 10.0, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 9.1
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
CVE-2021-31207 [Vulners]
Vulners: Score: 6.5, CVSS: 1.7,
Vulners: Exploitation: True
X-Force: Risk: 6.6
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
IOCs:
File: 15
Path: 4
Registry: 1
IP: 4
Hash: 49
Domain: 1
Softs:
local security authority
Algorithms:
xor, zip
Win API:
MiniDumpWriteDump
Platforms:
x86
29-09-2022
Witchetty: Group Uses Updated Toolset in Attacks on Governments in Middle East
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/witchetty-steganography-espionage
Actors/Campaigns:
Ta410 (motivation: cyber_espionage)
Stone_panda (motivation: cyber_espionage)
Threats:
Proxyshell_vuln
Proxylogon_exploit
Lookback
Minidump_tool
Mimikatz
Winrm_tool
Chinachopper
Plugx_rat
Plink
Secretsdump_tool
Fscan_tool
Industry:
Government
Geo:
China, Africa, African
CVEs:
CVE-2021-26855 [Vulners]
Vulners: Score: 7.5, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 9.1
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2016, 2016, 2013, 2016, 2016, 2013, 2016, 2019, 2013, 2016, 2016, 2016, 2016, 2016, 2016, 2016, 2019, 2019, 2019, 2019, 2019, 2019, 2019, 2019)
CVE-2021-27065 [Vulners]
Vulners: Score: 6.8, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2016, 2016, 2016, 2013, 2016, 2019, 2013, 2016, 2016, 2016, 2016, 2016, 2016, 2016, 2019, 2019, 2019, 2019, 2019, 2019, 2019)
CVE-2021-34523 [Vulners]
Vulners: Score: 7.5, CVSS: 3.4,
Vulners: Exploitation: True
X-Force: Risk: 9
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
CVE-2021-34473 [Vulners]
Vulners: Score: 10.0, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 9.1
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
CVE-2021-31207 [Vulners]
Vulners: Score: 6.5, CVSS: 1.7,
Vulners: Exploitation: True
X-Force: Risk: 6.6
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
IOCs:
File: 15
Path: 4
Registry: 1
IP: 4
Hash: 49
Domain: 1
Softs:
local security authority
Algorithms:
xor, zip
Win API:
MiniDumpWriteDump
Platforms:
x86
Security
Witchetty: Group Uses Updated Toolset in Attacks on Governments in Middle East
Espionage group begins using new backdoor that leverages rarely seen steganography technique.
#ParsedReport
29-09-2022
APT28 attack uses old PowerPoint trick to download malware
https://www.malwarebytes.com/blog/news/2022/09/powerpoint-mouseover-triggers-powershell-script-for-malware-delivery
Actors/Campaigns:
Fancy_bear
Threats:
Mouseover_technique
Graphite
Industry:
Government
Geo:
Russian
IOCs:
File: 5
Path: 1
Softs:
microsoft onedrive
29-09-2022
APT28 attack uses old PowerPoint trick to download malware
https://www.malwarebytes.com/blog/news/2022/09/powerpoint-mouseover-triggers-powershell-script-for-malware-delivery
Actors/Campaigns:
Fancy_bear
Threats:
Mouseover_technique
Graphite
Industry:
Government
Geo:
Russian
IOCs:
File: 5
Path: 1
Softs:
microsoft onedrive
Malwarebytes
APT28 attack uses old PowerPoint trick to download malware
The Russian APT known as Fancy Bear was caught using an old mouseover technique that doesn't need macros
#ParsedReport
29-09-2022
(Magniber) (*.js -> *.wsf) 09/28. Magniber Ransomware Change ( *.js-> *.wsf) -09/28
https://asec.ahnlab.com/ko/39376
Threats:
Magniber
Typosquatting_technique
IOCs:
File: 4
Hash: 2
Softs:
chrome
29-09-2022
(Magniber) (*.js -> *.wsf) 09/28. Magniber Ransomware Change ( *.js-> *.wsf) -09/28
https://asec.ahnlab.com/ko/39376
Threats:
Magniber
Typosquatting_technique
IOCs:
File: 4
Hash: 2
Softs:
chrome
ASEC BLOG
매그니베르(Magniber) 랜섬웨어 변경 (*.js -> *.wsf) - 09/28 - ASEC BLOG
ASEC 분석팀은 지난 9월 8일 매그니베르 랜섬웨어가 CPL 확장자 에서 JSE 확장자로 변경됨을 블로그를 통해 소개한 바 있다. 공격자는 9월 8일 이후에도 지난 9월 16일에는 JSE 확장자에서 JS 확장자로 변경하였다. 그리고 금일 공격자는 JS 확장자에서 WSF 확장자로 유포 방식을 변경하였다. 공격자는 V3와 같은 백신 제품의 다양한 탐지 방식을 회피하기 위해 지속적으로 변형을 유포하고 있는 것으로 보인다. 금일 변경된 WSF 유포 방식은 [그림…
#ParsedReport
29-09-2022
Fabricated Bank website distributes Android Spyware
https://blog.cyble.com/2022/09/29/fabricated-bank-website-distributes-android-spyware
Threats:
Spymax
Industry:
Financial
Geo:
Singapore, India, Georgia, Dubai, Australia
TTPs:
Tactics: 4
Technics: 9
IOCs:
File: 1
Domain: 1
Url: 4
Hash: 1
Softs:
android, tronlink
29-09-2022
Fabricated Bank website distributes Android Spyware
https://blog.cyble.com/2022/09/29/fabricated-bank-website-distributes-android-spyware
Threats:
Spymax
Industry:
Financial
Geo:
Singapore, India, Georgia, Dubai, Australia
TTPs:
Tactics: 4
Technics: 9
IOCs:
File: 1
Domain: 1
Url: 4
Hash: 1
Softs:
android, tronlink
Cyble
Fabricated Bank website distributes Android Spyware
Cyble Research and Intelligence Labs analyzes Spymax Android spyware being distributed via a Fabricated bank Site.
Apollo OTP Bot Exploiting Google Voice for MFA Bypass
https://cloudsek.com/threatintelligence/apollo-otp-bot-exploiting-google-voice-for-mfa-bypass/?utm_source=rss&utm_medium=rss&utm_campaign=apollo-otp-bot-exploiting-google-voice-for-mfa-bypass
https://cloudsek.com/threatintelligence/apollo-otp-bot-exploiting-google-voice-for-mfa-bypass/?utm_source=rss&utm_medium=rss&utm_campaign=apollo-otp-bot-exploiting-google-voice-for-mfa-bypass
Cloudsek
Apollo OTP Bot Exploiting Google Voice for MFA Bypass | Threat Intelligence | CloudSEK
Category: Malware Intelligence Type/Family: Botnet Industry: Finance & Banking Region: Global Source*: C3 Executive Summary THREAT IMPACT MITIGATION Apollo OTP bot advertised on the cybercrime forum. Discord-based bot capable of making spoofed calls using…
#technique
fastjson1.2.80 payload collection
https://mp-weixin-qq-com.translate.goog/s/SwkJVTW3SddgA6uy_e59qg?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp
fastjson1.2.80 payload collection
https://mp-weixin-qq-com.translate.goog/s/SwkJVTW3SddgA6uy_e59qg?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp
#ParsedReport
30-09-2022
Brazilian Banking Trojan Resurfaces
https://labs.k7computing.com/index.php/brazilian-banking-trojan-resurfaces
Threats:
Klbanker
Janeleiro
Amavaldo
Html_smuggling_technique
Dll_sideloading_technique
Industry:
Financial
Geo:
America, Brazilian, Brasil
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 8
Url: 3
IP: 1
Hash: 2
Softs:
chrome
Algorithms:
base64, aes, rc4, zip
Languages:
javascript, jscript
30-09-2022
Brazilian Banking Trojan Resurfaces
https://labs.k7computing.com/index.php/brazilian-banking-trojan-resurfaces
Threats:
Klbanker
Janeleiro
Amavaldo
Html_smuggling_technique
Dll_sideloading_technique
Industry:
Financial
Geo:
America, Brazilian, Brasil
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 8
Url: 3
IP: 1
Hash: 2
Softs:
chrome
Algorithms:
base64, aes, rc4, zip
Languages:
javascript, jscript
K7 Labs
Brazilian Banking Trojan Resurfaces
Recently we came across a tweet shared by StopMalvertisin, which was part of an ongoing cyberattack on the banking customers […]
#ParsedReport
30-09-2022
Threat Actors Exploit Unpatched Microsoft Exchange Zero-Days
https://socradar.io/threat-actors-exploit-unpatched-microsoft-exchange-zero-days
Actors/Campaigns:
Hafnium
Threats:
Chinachopper
Proxyshell_vuln
Geo:
Chinese, China
TTPs:
Tactics: 1
Technics: 14
IOCs:
File: 6
Hash: 10
IP: 18
Url: 1
Softs:
microsoft exchange
30-09-2022
Threat Actors Exploit Unpatched Microsoft Exchange Zero-Days
https://socradar.io/threat-actors-exploit-unpatched-microsoft-exchange-zero-days
Actors/Campaigns:
Hafnium
Threats:
Chinachopper
Proxyshell_vuln
Geo:
Chinese, China
TTPs:
Tactics: 1
Technics: 14
IOCs:
File: 6
Hash: 10
IP: 18
Url: 1
Softs:
microsoft exchange
SOCRadar® Cyber Intelligence Inc.
Threat Actors Exploit Unpatched Microsoft Exchange Zero-Days (ProxyNotShell) - SOCRadar® Cyber Intelligence Inc.
Security experts caution about actively exploited zero-day vulnerabilities in Microsoft Exchange servers. The flaws could allow remote code execution in fully
#ParsedReport
30-09-2022
Excel Macro Qakbot, ISO. Distributed to QAKBOT, ISO files distributed in Excel Macro
https://asec.ahnlab.com/ko/39329
Threats:
Qakbot
Asyncrat_rat
Icedid
Bumblebee
Malware/win.generic.c5240833
Industry:
Financial
IOCs:
File: 4
Path: 1
IP: 17
Hash: 5
Softs:
windows defender
30-09-2022
Excel Macro Qakbot, ISO. Distributed to QAKBOT, ISO files distributed in Excel Macro
https://asec.ahnlab.com/ko/39329
Threats:
Qakbot
Asyncrat_rat
Icedid
Bumblebee
Malware/win.generic.c5240833
Industry:
Financial
IOCs:
File: 4
Path: 1
IP: 17
Hash: 5
Softs:
windows defender
ASEC
Excel Macro 로 유포되던 Qakbot, ISO 파일로 유포 중 - ASEC
Excel Macro 로 유포되던 Qakbot, ISO 파일로 유포 중 ASEC
#ParsedReport
30-09-2022
A glimpse into the shadowy realm of a Chinese APT: detailed analysis of a ShadowPad intrusion. Summary
https://research.nccgroup.com/2022/09/30/a-glimpse-into-the-shadowy-realm-of-a-chinese-apt-detailed-analysis-of-a-shadowpad-intrusion
Threats:
Shadowpad
Timestomp_technique
Credential_harvesting_technique
Powerview
Sessiongopher_tool
Process_injection_technique
Process_hollowing_technique
Powersploit
Winrm_tool
Poison_ivy
Adfind_tool
Nbtscan_tool
Mimikatz
Geo:
Chinese, China
CVEs:
CVE-2022-29464 [Vulners]
Vulners: Score: 10.0, CVSS: 5.2,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- wso2 identity server analytics (5.5.0, 5.4.1, 5.6.0, 5.4.0)
- wso2 api manager (le4.0.0)
- wso2 identity server (le5.11.0)
- wso2 enterprise integrator (le6.6.0)
- wso2 identity server as key manager (le5.10.0)
have more...
TTPs:
Tactics: 12
Technics: 40
IOCs:
Hash: 13
IP: 1
File: 9
Path: 34
Softs:
windows service, local security authority, active directory, component object model
Algorithms:
aes-cbc, aes, 7zip , xor
Languages:
python
30-09-2022
A glimpse into the shadowy realm of a Chinese APT: detailed analysis of a ShadowPad intrusion. Summary
https://research.nccgroup.com/2022/09/30/a-glimpse-into-the-shadowy-realm-of-a-chinese-apt-detailed-analysis-of-a-shadowpad-intrusion
Threats:
Shadowpad
Timestomp_technique
Credential_harvesting_technique
Powerview
Sessiongopher_tool
Process_injection_technique
Process_hollowing_technique
Powersploit
Winrm_tool
Poison_ivy
Adfind_tool
Nbtscan_tool
Mimikatz
Geo:
Chinese, China
CVEs:
CVE-2022-29464 [Vulners]
Vulners: Score: 10.0, CVSS: 5.2,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- wso2 identity server analytics (5.5.0, 5.4.1, 5.6.0, 5.4.0)
- wso2 api manager (le4.0.0)
- wso2 identity server (le5.11.0)
- wso2 enterprise integrator (le6.6.0)
- wso2 identity server as key manager (le5.10.0)
have more...
TTPs:
Tactics: 12
Technics: 40
IOCs:
Hash: 13
IP: 1
File: 9
Path: 34
Softs:
windows service, local security authority, active directory, component object model
Algorithms:
aes-cbc, aes, 7zip , xor
Languages:
python
Nccgroup
Cyber Security Research
Cutting-edge cyber security research from NCC Group. Find public reports, technical advisories, analyses, & other novel insights from our global experts.
#ParsedReport
30-09-2022
Ransomware Roundup: Bisamware and Chile Locker
https://www.fortinet.com/blog/threat-research/ransomware-roundup-bisamware-and-chile-locker
Threats:
Bisamware
Follina_vuln
W32/agent.bnq!tr.ransom
W64/agent.bnq!tr.ransom
Industry:
Government, Financial
Geo:
Uruguay, Netherland, Italy, Malaysia, Chile, Spain, Romania, Canada, China, Poland, Russia, Mexico
CVEs:
CVE-2022-30190 [Vulners]
Vulners: Score: 9.3, CVSS: 3.4,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft windows server 2012 (r2, -)
- microsoft windows 10 (1607, -, 1809, 20h2, 21h1, 21h2)
- microsoft windows 8.1 (-)
- microsoft windows server 2016 (-)
- microsoft windows server 2008 (-, r2)
have more...
IOCs:
File: 1
Hash: 11
Softs:
microsoft word
30-09-2022
Ransomware Roundup: Bisamware and Chile Locker
https://www.fortinet.com/blog/threat-research/ransomware-roundup-bisamware-and-chile-locker
Threats:
Bisamware
Follina_vuln
W32/agent.bnq!tr.ransom
W64/agent.bnq!tr.ransom
Industry:
Government, Financial
Geo:
Uruguay, Netherland, Italy, Malaysia, Chile, Spain, Romania, Canada, China, Poland, Russia, Mexico
CVEs:
CVE-2022-30190 [Vulners]
Vulners: Score: 9.3, CVSS: 3.4,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft windows server 2012 (r2, -)
- microsoft windows 10 (1607, -, 1809, 20h2, 21h1, 21h2)
- microsoft windows 8.1 (-)
- microsoft windows server 2016 (-)
- microsoft windows server 2008 (-, r2)
have more...
IOCs:
File: 1
Hash: 11
Softs:
microsoft word
Fortinet Blog
Ransomware Roundup - Bisamware and Chile Locker
The latest FortiGuard Labs Threat Signal Ransomware Roundup covers Bisamware and Chile Locker ransomware, along with protection recommendations. Read more. …