CTT Report Hub
3.41K subscribers
9.74K photos
6 videos
67 files
13.4K links
Threat Intelligence Report Hub
Download Telegram
#tool

IcedID Decryptor
A script to statically decrypt license.dat files associated with IcedID infections.
The script will also decrypt the .data section from unpacked IcedID samples.

https://github.com/matthewB-huntress/IcedID
#ParsedReport
30-09-2022

Deep dive into the TTD ecosystem. Background

https://www.elastic.co/security-labs/deep-dive-into-the-ttd-ecosystem

Threats:
Windbg_tool
Dll_injection_technique
Process_injection_technique
Lolbas_technique

IOCs:
File: 11
IP: 1
Hash: 2
Registry: 1

Softs:
windows service, local security authority

Algorithms:
base64

Functions:
SbValidateAndParseDebugAuthToken

Win API:
SeDebugPrivilege, NtOpenProcess, NtQuerySystemEnvironmentValueEx, SeSystemEnvironmentPrivilege, IsDebuggerPresent

Platforms:
x86, arm, x64, amd64

Links:
https://gist.github.com/calladoum-elastic/4666dafc789a273c35a4aedf2ed9cd9e
https://gist.github.com/calladoum-elastic/328068f19e60a76b00f20cdb936cd078
#ParsedReport
01-10-2022

Qualys Response to ProxyNotShell Microsoft Exchange Server Zero-Day Threat Using Qualys Platform

https://blog.qualys.com/misc/2022/09/30/qualys-response-to-proxynotshell-microsoft-exchange-server-zero-day-threat-using-qualys-platform

Threats:
Proxynotshell_vuln
Chinachopper

Geo:
China, Vietnamese, Chinese

CVEs:
CVE-2022-41040 [Vulners]
Vulners: Score: Unknown, CVSS: 3.2,
Vulners: Exploitation: True
X-Force: Risk: 6.5
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019, 2019, 2016)

CVE-2022-41082 [Vulners]
Vulners: Score: Unknown, CVSS: 2.8,
Vulners: Exploitation: Unknown
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019, 2019, 2016)


TTPs:

IOCs:
File: 4
Path: 1
Hash: 10

Softs:
microsoft exchange server, microsoft exchange

Languages:
python

Links:
https://github.com/Qualys/Custom-Assessment-and-Remediation-Script-Library/tree/main/Zero%20Day/CVE-2022-41040%2C41082(ProxyNotShell%20Microsoft%20Exchange%20Server)
#ParsedReport
01-10-2022

Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082

https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082

Threats:
Chinachopper
Backdoor:win32/rewritehttp.a
Win32/iisexchgdropwebshell.a!dha
Trojan:win32/iisexchgspawncmd.a
Trojan:win32/webshellterminal.a
Trojan:win32/webshellterminal.b
Proxyshell_vuln

CVEs:
CVE-2022-41040 [Vulners]
Vulners: Score: Unknown, CVSS: Unknown,
Vulners: Exploitation: Unknown
X-Force: Risk: 6.5
X-Force: Patch: Official fix

CVE-2022-21082 [Vulners]
Vulners: Score: Unknown, CVSS: Unknown,
Vulners: Exploitation: Unknown
X-Force: Risk: Unknown
X-Force: Patch: Unknown

CVE-2022-41082 [Vulners]
Vulners: Score: Unknown, CVSS: Unknown,
Vulners: Exploitation: Unknown
X-Force: Risk: 8.8
X-Force: Patch: Official fix


TTPs:
Tactics: 3
Technics: 0

IOCs:
File: 1

Softs:
microsoft defender for endpoint, microsoft defender, microsoft 365 defender, microsoft exchange server, active directory, microsoft exchange, windows hello

Links:
https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeWorkerProcessMakingRemoteCall.yaml
https://github.com/Azure/Azure-Sentinel/blob/08a8d2b9c5c9083e341be447773a34b56b205dee/Detections/W3CIISLog/ProxyShellPwn2Own.yaml
https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/W3CIISLog/PotentialWebshell.yaml
https://github.com/Azure/Azure-Sentinel/blob/master/Detections/W3CIISLog/MaliciousAlertLinkedWebRequests.yaml
https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ExchangeOABVirtualDirectoryAttributeContainingPotentialWebshell.yaml
https://github.com/Azure/Azure-Sentinel/blob/master/Detections/http\_proxy\_oab\_CL/ExchagngeSuspiciousFileDownloads.yaml
https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/W3CIISLog/WebShellActivity.yaml
https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/exchange-iis-worker-dropping-webshell.yaml
#ParsedReport
03-10-2022

DeftTorero: tactics, techniques and procedures of intrusions revealed

https://securelist.com/defttorero-tactics-techniques-and-procedures/107610

Actors/Campaigns:
Volatile_cedar

Threats:
Lolbin
Caterpillar_shell
Aspxspy_shell
Nmap_tool
Mimikatz
Empire_loader
Mimikittenz_tool
Meterpreter_tool
Powersploit
Regeorg

Industry:
Government, Telco, Education

Geo:
Emirates, Lebanon, Kuwait, Turkey, Jordan, Egypt

TTPs:
Tactics: 1
Technics: 0

IOCs:
File: 24
Path: 1
Url: 1
IP: 1
Hash: 20

Softs:
vssadmin

Algorithms:
base64

Functions:
GetAllData, GetIEHistory, OpenClipFn, SetWinHoK

Languages:
php

YARA: Found

Links:
https://github.com/Neo23x0/signature-base/blob/master/yara/apt\_volatile\_cedar.yar
https://github.com/tennc/webshell
#ParsedReport
03-10-2022

Bumblebee: increasing its capacity and evolving its TTPs. Background & Key Findings

https://research.checkpoint.com/2022/bumblebee-increasing-its-capacity-and-evolving-its-ttps

Threats:
Bumblebee
Cobalt_strike
Vidar_stealer
Sliver_tool
Meterpreter_tool
Beacon
Trickbot

Industry:
Financial

IOCs:
Hash: 21
Coin: 2
IP: 30

Softs:
active directory

Algorithms:
base64, exhibit, rc4

YARA: Found

Links:
https://github.com/LordNoteworthy/al-khaser
#ParsedReport
03-10-2022

ProxyNotShell-Microsoft Exchange Vulnerabilities

https://cyberint.com/blog/research/proxynotshell-microsoft-exchange-vulnerabilities

Threats:
Proxynotshell_vuln
Nmap_tool

Geo:
Chinese

CVEs:
CVE-2022-41040 [Vulners]
Vulners: Score: Unknown, CVSS: 3.2,
Vulners: Exploitation: True
X-Force: Risk: 6.5
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019, 2019, 2016)

CVE-2022-41082 [Vulners]
Vulners: Score: Unknown, CVSS: 2.8,
Vulners: Exploitation: Unknown
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019, 2019, 2016)


IOCs:
Hash: 10
IP: 18
Url: 1

Softs:
microsoft exchange server

Links:
https://github.com/AntSwordProject/antSword
#ParsedReport
03-10-2022

RedLine Stealer Campaign Abusing Discord via PDF Links

https://www.netskope.com/blog/redline-stealer-campaign-abusing-discord-via-pdf-links

Threats:
Redline_stealer
Purecrypter
Njrat_rat
Agent_tesla
Asyncrat_rat
Lockbit
Lampion

Industry:
Financial, Entertainment

Geo:
Belarus, Armenia, Azerbaijan, Ukraine, Russia, Moldova, Kazakhstan, Uzbekistan, Kyrgyzstan, Tajikistan

IOCs:
File: 11

Softs:
discord, chrome, atomicwallet, binancechain, bitappwallet, boltx, bravewallet, coin98wallet, coinbase, equalwallet, have more...

Algorithms:
zip, aes, xor, base64, gzip

Languages:
visual_basic

YARA: Found

Links:
https://github.com/netskopeoss/NetskopeThreatLabsIOCs/tree/main/RedLine%20Stealer
https://github.com/netskopeoss/NetskopeThreatLabsIOCs/tree/main/RedLine%20Stealer/2022-09-30
#ParsedReport
03-10-2022

Amazonthemed campaigns of Lazarus in the Netherlands and Belgium

https://www.welivesecurity.com/2022/09/30/amazon-themed-campaigns-lazarus-netherlands-belgium

Actors/Campaigns:
Lazarus (motivation: cyber_espionage, financially_motivated, cyber_criminal)
Dream_job (motivation: cyber_espionage)

Threats:
Airdry
Fudmodule_rootkit
Cobra
Wannacryptor
Wannacry
Byovd_technique
Threatneedle
Watering_hole_technique
Nukesped_rat
Timestomp_technique
Dll_sideloading_technique
Themida_tool
Vmprotect_tool
Putty_tool

Industry:
Entertainment, Aerospace, Financial, Healthcare

Geo:
Ukraine, Korean, Netherlands, Belgium, Polish, Mexican, Korea, Dprk, Aruba, Berlin

CVEs:
CVE-2021-21551 [Vulners]
Vulners: Score: 4.6, CVSS: 4.3,
Vulners: Exploitation: True
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- dell dbutil 2 3.sys (-)


TTPs:
Tactics: 7
Technics: 19

IOCs:
File: 16
Url: 4
Hash: 16
Path: 18
IP: 4

Softs:
windows kernel

Algorithms:
base64, zip, crc, spritz, aes-128, xor, rc4, hc-128, exhibit

Functions:
SetOfficeCertInit, SetOfficeCert

Links:
https://github.com/wolfSSL/wolfssl
https://github.com/tike/GOnpp
https://github.com/alecmus/lecui
https://github.com/erinata/FingerText
https://github.com/eset/malware-ioc/tree/master/nukesped\_lazarus#amazon-themed-campaigns-of-lazarus-in-the-netherlands-and-belgium
#ParsedReport
03-10-2022

Dissecting BlueSky Ransomware Payload

https://yoroi.company/research/dissecting-bluesky-ransomware-payload

Actors/Campaigns:
Bluesky

Threats:
Conti

Industry:
Ics

TTPs:
Tactics: 1
Technics: 0

IOCs:
Hash: 2
Registry: 1
File: 8

Algorithms:
chacha20, rc4, curve25519

Win API:
NtSetInformationThread, RtlAdjustPrivilege, SeDebugPrivilege, CryptAcquireContextA, CreateFileW, NtQueryInformatonFile, NtQueryInformatonProcess, SetThreadExecutionState

Platforms:
x86

YARA: Found
#ParsedReport
01-10-2022

Qualys Response to ProxyNotShell Microsoft Exchange Server Zero-Day Threat Using Qualys Cloud Platform

https://blog.qualys.com/vulnerabilities-threat-research/2022/09/30/qualys-response-to-proxynotshell-microsoft-exchange-server-zero-day-threat-using-qualys-platform

Threats:
Proxynotshell_vuln
Chinachopper

Geo:
Vietnamese, China, Chinese

CVEs:
CVE-2022-41082 [Vulners]
Vulners: Score: Unknown, CVSS: 2.8,
Vulners: Exploitation: Unknown
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019, 2019, 2016)

CVE-2022-41040 [Vulners]
Vulners: Score: Unknown, CVSS: 3.2,
Vulners: Exploitation: True
X-Force: Risk: 6.5
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019, 2019, 2016)


TTPs:

IOCs:
File: 4
Path: 1
Hash: 10

Softs:
microsoft exchange server, microsoft exchange

Languages:
python

Links:
https://github.com/Qualys/Custom-Assessment-and-Remediation-Script-Library/tree/main/Zero%20Day/CVE-2022-41040%2C41082(ProxyNotShell%20Microsoft%20Exchange%20Server)
#ParsedReport
04-10-2022

Decrypted: MafiaWare666 Ransomware

https://decoded.avast.io/threatresearch/decrypted-mafiaware666-ransomware/?utm_source=rss&utm_medium=rss&utm_campaign=decrypted-mafiaware666-ransomware

Threats:
Hades

Industry:
Financial

IOCs:
Hash: 8

Algorithms:
aes, zip

Languages:
php

Links:
https://github.com/avast/ioc/tree/master/MafiaWare666
#ParsedReport
04-10-2022

Remove All The Callbacks BlackByte Ransomware Disables EDR Via RTCore64.sys Abuse

https://news.sophos.com/en-us/2022/10/04/blackbyte-ransomware-returns

Threats:
Blackbyte
Avoslocker
Uac_bypass_technique
Mimikatz_tool

CVEs:
CVE-2019-16098 [Vulners]
Vulners: Score: 7.2, CVSS: 5.1,
Vulners: Exploitation: Unknown
X-Force: Risk: 7.8
X-Force: Patch: Unavailable
Soft:
- msi afterburner (4.6.2.15658)


IOCs:
File: 7
Hash: 2

Softs:
windows kernel

Algorithms:
xor

Functions:
CreateFile, NetSetInformationThreadW

Win API:
PsSetCreateThreadNotifyRoutine, PsSetCreateProcessNotifyRoutine, PsSetLoadImageNotifyRoutine, NtReadVirtualMemory, GetFileVersionInfoW, EtwThreatIntProvRegHandleOffset, CreateServiceW, EnumDeviceDrivers, GetDeviceDriverBaseNameW, DeviceIoControl, have more...

Links:
https://github.com/wavestone-cdt/EDRSandblast
https://github.com/sophoslabs/IoCs/blob/master/Ransomware-BlackByte.csv
#ParsedReport
04-10-2022

Leveraging Microsoft Office Documents to Deliver Agent Tesla and njRat

https://www.fortinet.com/blog/threat-research/leveraging-microsoft-office-documents-to-deliver-agent-tesla-and-njrat

Threats:
Agent_tesla
Njrat_rat
Process_hollowing_technique
Vba/agent.ain!tr
Snake_keylogger

IOCs:
File: 9
Url: 1
Domain: 2
Hash: 17

Softs:
microsoft office, process explorer

Algorithms:
zip, base64

Functions:
Auto_Open, ko

Win API:
VirtualAllocEx

Languages:
javascript
#ParsedReport
04-10-2022

Threat Advisory: Microsoft warns of actively exploited vulnerabilities in Exchange Server

http://blog.talosintelligence.com/2022/09/threat-advisory-exchange-server-vulns.html

Actors/Campaigns:
Hafnium

Threats:
Proxynotshell_vuln
Proxyshell_vuln
Sharpyshell
Chinachopper

Geo:
China, Chinese

CVEs:
CVE-2022-41082 [Vulners]
Vulners: Score: Unknown, CVSS: 2.8,
Vulners: Exploitation: Unknown
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019, 2019, 2016)

CVE-2022-41040 [Vulners]
Vulners: Score: Unknown, CVSS: 3.2,
Vulners: Exploitation: True
X-Force: Risk: 6.5
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019, 2019, 2016)


IOCs:
Path: 4
IP: 19
Url: 1

Softs:
microsoft exchange

Links:
https://github.com/antonioCoco/SharPyShell
#ParsedReport
04-10-2022

OnionPoison: infected Tor Browser installer distributed through popular YouTube channel

https://securelist.com/onionpoison-infected-tor-browser-installer-youtube/107627

Actors/Campaigns:
Onionpoison

Threats:
Onionduke

Geo:
China, Chinese

IOCs:
File: 7
Registry: 1
Domain: 1
Hash: 3

Softs:
visual studio, chrome, wechat

Algorithms:
xor, aes-128, base64, aes, hmac-sha1, hmac

Win API:
RtlDecompressBuffer