CTT Report Hub
3.41K subscribers
9.74K photos
6 videos
67 files
13.4K links
Threat Intelligence Report Hub
Download Telegram
#ParsedReport
30-09-2022

Brazilian Banking Trojan Resurfaces

https://labs.k7computing.com/index.php/brazilian-banking-trojan-resurfaces

Threats:
Klbanker
Janeleiro
Amavaldo
Html_smuggling_technique
Dll_sideloading_technique

Industry:
Financial

Geo:
America, Brazilian, Brasil

TTPs:
Tactics: 1
Technics: 0

IOCs:
File: 8
Url: 3
IP: 1
Hash: 2

Softs:
chrome

Algorithms:
base64, aes, rc4, zip

Languages:
javascript, jscript
#ParsedReport
30-09-2022

Excel Macro Qakbot, ISO. Distributed to QAKBOT, ISO files distributed in Excel Macro

https://asec.ahnlab.com/ko/39329

Threats:
Qakbot
Asyncrat_rat
Icedid
Bumblebee
Malware/win.generic.c5240833

Industry:
Financial

IOCs:
File: 4
Path: 1
IP: 17
Hash: 5

Softs:
windows defender
#ParsedReport
30-09-2022

A glimpse into the shadowy realm of a Chinese APT: detailed analysis of a ShadowPad intrusion. Summary

https://research.nccgroup.com/2022/09/30/a-glimpse-into-the-shadowy-realm-of-a-chinese-apt-detailed-analysis-of-a-shadowpad-intrusion

Threats:
Shadowpad
Timestomp_technique
Credential_harvesting_technique
Powerview
Sessiongopher_tool
Process_injection_technique
Process_hollowing_technique
Powersploit
Winrm_tool
Poison_ivy
Adfind_tool
Nbtscan_tool
Mimikatz

Geo:
Chinese, China

CVEs:
CVE-2022-29464 [Vulners]
Vulners: Score: 10.0, CVSS: 5.2,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- wso2 identity server analytics (5.5.0, 5.4.1, 5.6.0, 5.4.0)
- wso2 api manager (le4.0.0)
- wso2 identity server (le5.11.0)
- wso2 enterprise integrator (le6.6.0)
- wso2 identity server as key manager (le5.10.0)
have more...

TTPs:
Tactics: 12
Technics: 40

IOCs:
Hash: 13
IP: 1
File: 9
Path: 34

Softs:
windows service, local security authority, active directory, component object model

Algorithms:
aes-cbc, aes, 7zip , xor

Languages:
python
#ParsedReport
30-09-2022

Ransomware Roundup: Bisamware and Chile Locker

https://www.fortinet.com/blog/threat-research/ransomware-roundup-bisamware-and-chile-locker

Threats:
Bisamware
Follina_vuln
W32/agent.bnq!tr.ransom
W64/agent.bnq!tr.ransom

Industry:
Government, Financial

Geo:
Uruguay, Netherland, Italy, Malaysia, Chile, Spain, Romania, Canada, China, Poland, Russia, Mexico

CVEs:
CVE-2022-30190 [Vulners]
Vulners: Score: 9.3, CVSS: 3.4,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft windows server 2012 (r2, -)
- microsoft windows 10 (1607, -, 1809, 20h2, 21h1, 21h2)
- microsoft windows 8.1 (-)
- microsoft windows server 2016 (-)
- microsoft windows server 2008 (-, r2)
have more...

IOCs:
File: 1
Hash: 11

Softs:
microsoft word
#tool

IcedID Decryptor
A script to statically decrypt license.dat files associated with IcedID infections.
The script will also decrypt the .data section from unpacked IcedID samples.

https://github.com/matthewB-huntress/IcedID
#ParsedReport
30-09-2022

Deep dive into the TTD ecosystem. Background

https://www.elastic.co/security-labs/deep-dive-into-the-ttd-ecosystem

Threats:
Windbg_tool
Dll_injection_technique
Process_injection_technique
Lolbas_technique

IOCs:
File: 11
IP: 1
Hash: 2
Registry: 1

Softs:
windows service, local security authority

Algorithms:
base64

Functions:
SbValidateAndParseDebugAuthToken

Win API:
SeDebugPrivilege, NtOpenProcess, NtQuerySystemEnvironmentValueEx, SeSystemEnvironmentPrivilege, IsDebuggerPresent

Platforms:
x86, arm, x64, amd64

Links:
https://gist.github.com/calladoum-elastic/4666dafc789a273c35a4aedf2ed9cd9e
https://gist.github.com/calladoum-elastic/328068f19e60a76b00f20cdb936cd078
#ParsedReport
01-10-2022

Qualys Response to ProxyNotShell Microsoft Exchange Server Zero-Day Threat Using Qualys Platform

https://blog.qualys.com/misc/2022/09/30/qualys-response-to-proxynotshell-microsoft-exchange-server-zero-day-threat-using-qualys-platform

Threats:
Proxynotshell_vuln
Chinachopper

Geo:
China, Vietnamese, Chinese

CVEs:
CVE-2022-41040 [Vulners]
Vulners: Score: Unknown, CVSS: 3.2,
Vulners: Exploitation: True
X-Force: Risk: 6.5
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019, 2019, 2016)

CVE-2022-41082 [Vulners]
Vulners: Score: Unknown, CVSS: 2.8,
Vulners: Exploitation: Unknown
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019, 2019, 2016)


TTPs:

IOCs:
File: 4
Path: 1
Hash: 10

Softs:
microsoft exchange server, microsoft exchange

Languages:
python

Links:
https://github.com/Qualys/Custom-Assessment-and-Remediation-Script-Library/tree/main/Zero%20Day/CVE-2022-41040%2C41082(ProxyNotShell%20Microsoft%20Exchange%20Server)
#ParsedReport
01-10-2022

Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082

https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082

Threats:
Chinachopper
Backdoor:win32/rewritehttp.a
Win32/iisexchgdropwebshell.a!dha
Trojan:win32/iisexchgspawncmd.a
Trojan:win32/webshellterminal.a
Trojan:win32/webshellterminal.b
Proxyshell_vuln

CVEs:
CVE-2022-41040 [Vulners]
Vulners: Score: Unknown, CVSS: Unknown,
Vulners: Exploitation: Unknown
X-Force: Risk: 6.5
X-Force: Patch: Official fix

CVE-2022-21082 [Vulners]
Vulners: Score: Unknown, CVSS: Unknown,
Vulners: Exploitation: Unknown
X-Force: Risk: Unknown
X-Force: Patch: Unknown

CVE-2022-41082 [Vulners]
Vulners: Score: Unknown, CVSS: Unknown,
Vulners: Exploitation: Unknown
X-Force: Risk: 8.8
X-Force: Patch: Official fix


TTPs:
Tactics: 3
Technics: 0

IOCs:
File: 1

Softs:
microsoft defender for endpoint, microsoft defender, microsoft 365 defender, microsoft exchange server, active directory, microsoft exchange, windows hello

Links:
https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeWorkerProcessMakingRemoteCall.yaml
https://github.com/Azure/Azure-Sentinel/blob/08a8d2b9c5c9083e341be447773a34b56b205dee/Detections/W3CIISLog/ProxyShellPwn2Own.yaml
https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/W3CIISLog/PotentialWebshell.yaml
https://github.com/Azure/Azure-Sentinel/blob/master/Detections/W3CIISLog/MaliciousAlertLinkedWebRequests.yaml
https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ExchangeOABVirtualDirectoryAttributeContainingPotentialWebshell.yaml
https://github.com/Azure/Azure-Sentinel/blob/master/Detections/http\_proxy\_oab\_CL/ExchagngeSuspiciousFileDownloads.yaml
https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/W3CIISLog/WebShellActivity.yaml
https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/exchange-iis-worker-dropping-webshell.yaml
#ParsedReport
03-10-2022

DeftTorero: tactics, techniques and procedures of intrusions revealed

https://securelist.com/defttorero-tactics-techniques-and-procedures/107610

Actors/Campaigns:
Volatile_cedar

Threats:
Lolbin
Caterpillar_shell
Aspxspy_shell
Nmap_tool
Mimikatz
Empire_loader
Mimikittenz_tool
Meterpreter_tool
Powersploit
Regeorg

Industry:
Government, Telco, Education

Geo:
Emirates, Lebanon, Kuwait, Turkey, Jordan, Egypt

TTPs:
Tactics: 1
Technics: 0

IOCs:
File: 24
Path: 1
Url: 1
IP: 1
Hash: 20

Softs:
vssadmin

Algorithms:
base64

Functions:
GetAllData, GetIEHistory, OpenClipFn, SetWinHoK

Languages:
php

YARA: Found

Links:
https://github.com/Neo23x0/signature-base/blob/master/yara/apt\_volatile\_cedar.yar
https://github.com/tennc/webshell
#ParsedReport
03-10-2022

Bumblebee: increasing its capacity and evolving its TTPs. Background & Key Findings

https://research.checkpoint.com/2022/bumblebee-increasing-its-capacity-and-evolving-its-ttps

Threats:
Bumblebee
Cobalt_strike
Vidar_stealer
Sliver_tool
Meterpreter_tool
Beacon
Trickbot

Industry:
Financial

IOCs:
Hash: 21
Coin: 2
IP: 30

Softs:
active directory

Algorithms:
base64, exhibit, rc4

YARA: Found

Links:
https://github.com/LordNoteworthy/al-khaser
#ParsedReport
03-10-2022

ProxyNotShell-Microsoft Exchange Vulnerabilities

https://cyberint.com/blog/research/proxynotshell-microsoft-exchange-vulnerabilities

Threats:
Proxynotshell_vuln
Nmap_tool

Geo:
Chinese

CVEs:
CVE-2022-41040 [Vulners]
Vulners: Score: Unknown, CVSS: 3.2,
Vulners: Exploitation: True
X-Force: Risk: 6.5
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019, 2019, 2016)

CVE-2022-41082 [Vulners]
Vulners: Score: Unknown, CVSS: 2.8,
Vulners: Exploitation: Unknown
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019, 2019, 2016)


IOCs:
Hash: 10
IP: 18
Url: 1

Softs:
microsoft exchange server

Links:
https://github.com/AntSwordProject/antSword
#ParsedReport
03-10-2022

RedLine Stealer Campaign Abusing Discord via PDF Links

https://www.netskope.com/blog/redline-stealer-campaign-abusing-discord-via-pdf-links

Threats:
Redline_stealer
Purecrypter
Njrat_rat
Agent_tesla
Asyncrat_rat
Lockbit
Lampion

Industry:
Financial, Entertainment

Geo:
Belarus, Armenia, Azerbaijan, Ukraine, Russia, Moldova, Kazakhstan, Uzbekistan, Kyrgyzstan, Tajikistan

IOCs:
File: 11

Softs:
discord, chrome, atomicwallet, binancechain, bitappwallet, boltx, bravewallet, coin98wallet, coinbase, equalwallet, have more...

Algorithms:
zip, aes, xor, base64, gzip

Languages:
visual_basic

YARA: Found

Links:
https://github.com/netskopeoss/NetskopeThreatLabsIOCs/tree/main/RedLine%20Stealer
https://github.com/netskopeoss/NetskopeThreatLabsIOCs/tree/main/RedLine%20Stealer/2022-09-30
#ParsedReport
03-10-2022

Amazonthemed campaigns of Lazarus in the Netherlands and Belgium

https://www.welivesecurity.com/2022/09/30/amazon-themed-campaigns-lazarus-netherlands-belgium

Actors/Campaigns:
Lazarus (motivation: cyber_espionage, financially_motivated, cyber_criminal)
Dream_job (motivation: cyber_espionage)

Threats:
Airdry
Fudmodule_rootkit
Cobra
Wannacryptor
Wannacry
Byovd_technique
Threatneedle
Watering_hole_technique
Nukesped_rat
Timestomp_technique
Dll_sideloading_technique
Themida_tool
Vmprotect_tool
Putty_tool

Industry:
Entertainment, Aerospace, Financial, Healthcare

Geo:
Ukraine, Korean, Netherlands, Belgium, Polish, Mexican, Korea, Dprk, Aruba, Berlin

CVEs:
CVE-2021-21551 [Vulners]
Vulners: Score: 4.6, CVSS: 4.3,
Vulners: Exploitation: True
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- dell dbutil 2 3.sys (-)


TTPs:
Tactics: 7
Technics: 19

IOCs:
File: 16
Url: 4
Hash: 16
Path: 18
IP: 4

Softs:
windows kernel

Algorithms:
base64, zip, crc, spritz, aes-128, xor, rc4, hc-128, exhibit

Functions:
SetOfficeCertInit, SetOfficeCert

Links:
https://github.com/wolfSSL/wolfssl
https://github.com/tike/GOnpp
https://github.com/alecmus/lecui
https://github.com/erinata/FingerText
https://github.com/eset/malware-ioc/tree/master/nukesped\_lazarus#amazon-themed-campaigns-of-lazarus-in-the-netherlands-and-belgium
#ParsedReport
03-10-2022

Dissecting BlueSky Ransomware Payload

https://yoroi.company/research/dissecting-bluesky-ransomware-payload

Actors/Campaigns:
Bluesky

Threats:
Conti

Industry:
Ics

TTPs:
Tactics: 1
Technics: 0

IOCs:
Hash: 2
Registry: 1
File: 8

Algorithms:
chacha20, rc4, curve25519

Win API:
NtSetInformationThread, RtlAdjustPrivilege, SeDebugPrivilege, CryptAcquireContextA, CreateFileW, NtQueryInformatonFile, NtQueryInformatonProcess, SetThreadExecutionState

Platforms:
x86

YARA: Found
#ParsedReport
01-10-2022

Qualys Response to ProxyNotShell Microsoft Exchange Server Zero-Day Threat Using Qualys Cloud Platform

https://blog.qualys.com/vulnerabilities-threat-research/2022/09/30/qualys-response-to-proxynotshell-microsoft-exchange-server-zero-day-threat-using-qualys-platform

Threats:
Proxynotshell_vuln
Chinachopper

Geo:
Vietnamese, China, Chinese

CVEs:
CVE-2022-41082 [Vulners]
Vulners: Score: Unknown, CVSS: 2.8,
Vulners: Exploitation: Unknown
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019, 2019, 2016)

CVE-2022-41040 [Vulners]
Vulners: Score: Unknown, CVSS: 3.2,
Vulners: Exploitation: True
X-Force: Risk: 6.5
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019, 2019, 2016)


TTPs:

IOCs:
File: 4
Path: 1
Hash: 10

Softs:
microsoft exchange server, microsoft exchange

Languages:
python

Links:
https://github.com/Qualys/Custom-Assessment-and-Remediation-Script-Library/tree/main/Zero%20Day/CVE-2022-41040%2C41082(ProxyNotShell%20Microsoft%20Exchange%20Server)