#ParsedReport
03-10-2022
RedLine Stealer Campaign Abusing Discord via PDF Links
https://www.netskope.com/blog/redline-stealer-campaign-abusing-discord-via-pdf-links
Threats:
Redline_stealer
Purecrypter
Njrat_rat
Agent_tesla
Asyncrat_rat
Lockbit
Lampion
Industry:
Financial, Entertainment
Geo:
Belarus, Armenia, Azerbaijan, Ukraine, Russia, Moldova, Kazakhstan, Uzbekistan, Kyrgyzstan, Tajikistan
IOCs:
File: 11
Softs:
discord, chrome, atomicwallet, binancechain, bitappwallet, boltx, bravewallet, coin98wallet, coinbase, equalwallet, have more...
Algorithms:
zip, aes, xor, base64, gzip
Languages:
visual_basic
YARA: Found
Links:
03-10-2022
RedLine Stealer Campaign Abusing Discord via PDF Links
https://www.netskope.com/blog/redline-stealer-campaign-abusing-discord-via-pdf-links
Threats:
Redline_stealer
Purecrypter
Njrat_rat
Agent_tesla
Asyncrat_rat
Lockbit
Lampion
Industry:
Financial, Entertainment
Geo:
Belarus, Armenia, Azerbaijan, Ukraine, Russia, Moldova, Kazakhstan, Uzbekistan, Kyrgyzstan, Tajikistan
IOCs:
File: 11
Softs:
discord, chrome, atomicwallet, binancechain, bitappwallet, boltx, bravewallet, coin98wallet, coinbase, equalwallet, have more...
Algorithms:
zip, aes, xor, base64, gzip
Languages:
visual_basic
YARA: Found
Links:
https://github.com/netskopeoss/NetskopeThreatLabsIOCs/tree/main/RedLine%20Stealerhttps://github.com/netskopeoss/NetskopeThreatLabsIOCs/tree/main/RedLine%20Stealer/2022-09-30Netskope
RedLine Stealer Campaign Abusing Discord via PDF Links
Summary RedLine is an infostealer malware discovered in 2020. Often sold in underground forums, it is capable of stealing data such as credit card
#ParsedReport
03-10-2022
Amazonthemed campaigns of Lazarus in the Netherlands and Belgium
https://www.welivesecurity.com/2022/09/30/amazon-themed-campaigns-lazarus-netherlands-belgium
Actors/Campaigns:
Lazarus (motivation: cyber_espionage, financially_motivated, cyber_criminal)
Dream_job (motivation: cyber_espionage)
Threats:
Airdry
Fudmodule_rootkit
Cobra
Wannacryptor
Wannacry
Byovd_technique
Threatneedle
Watering_hole_technique
Nukesped_rat
Timestomp_technique
Dll_sideloading_technique
Themida_tool
Vmprotect_tool
Putty_tool
Industry:
Entertainment, Aerospace, Financial, Healthcare
Geo:
Ukraine, Korean, Netherlands, Belgium, Polish, Mexican, Korea, Dprk, Aruba, Berlin
CVEs:
CVE-2021-21551 [Vulners]
Vulners: Score: 4.6, CVSS: 4.3,
Vulners: Exploitation: True
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- dell dbutil 2 3.sys (-)
TTPs:
Tactics: 7
Technics: 19
IOCs:
File: 16
Url: 4
Hash: 16
Path: 18
IP: 4
Softs:
windows kernel
Algorithms:
base64, zip, crc, spritz, aes-128, xor, rc4, hc-128, exhibit
Functions:
SetOfficeCertInit, SetOfficeCert
Links:
03-10-2022
Amazonthemed campaigns of Lazarus in the Netherlands and Belgium
https://www.welivesecurity.com/2022/09/30/amazon-themed-campaigns-lazarus-netherlands-belgium
Actors/Campaigns:
Lazarus (motivation: cyber_espionage, financially_motivated, cyber_criminal)
Dream_job (motivation: cyber_espionage)
Threats:
Airdry
Fudmodule_rootkit
Cobra
Wannacryptor
Wannacry
Byovd_technique
Threatneedle
Watering_hole_technique
Nukesped_rat
Timestomp_technique
Dll_sideloading_technique
Themida_tool
Vmprotect_tool
Putty_tool
Industry:
Entertainment, Aerospace, Financial, Healthcare
Geo:
Ukraine, Korean, Netherlands, Belgium, Polish, Mexican, Korea, Dprk, Aruba, Berlin
CVEs:
CVE-2021-21551 [Vulners]
Vulners: Score: 4.6, CVSS: 4.3,
Vulners: Exploitation: True
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- dell dbutil 2 3.sys (-)
TTPs:
Tactics: 7
Technics: 19
IOCs:
File: 16
Url: 4
Hash: 16
Path: 18
IP: 4
Softs:
windows kernel
Algorithms:
base64, zip, crc, spritz, aes-128, xor, rc4, hc-128, exhibit
Functions:
SetOfficeCertInit, SetOfficeCert
Links:
https://github.com/wolfSSL/wolfsslhttps://github.com/tike/GOnpphttps://github.com/alecmus/lecuihttps://github.com/erinata/FingerTexthttps://github.com/eset/malware-ioc/tree/master/nukesped\_lazarus#amazon-themed-campaigns-of-lazarus-in-the-netherlands-and-belgiumWeLiveSecurity
Amazon‑themed campaigns of Lazarus in the Netherlands and Belgium
ESET researchers have discovered Lazarus attacks against targets in the Netherlands and Belgium that use spearphishing emails connected to fake job offers.
#ParsedReport
03-10-2022
Private Drainer for MetaMask Crypto Wallets
https://cloudsek.com/threatintelligence/private-drainer-for-metamask-crypto-wallets/?utm_source=rss&utm_medium=rss&utm_campaign=private-drainer-for-metamask-crypto-wallets
Actors/Campaigns:
Seaflower
Industry:
Financial
TTPs:
Tactics: 1
Technics: 0
Softs:
telegram
03-10-2022
Private Drainer for MetaMask Crypto Wallets
https://cloudsek.com/threatintelligence/private-drainer-for-metamask-crypto-wallets/?utm_source=rss&utm_medium=rss&utm_campaign=private-drainer-for-metamask-crypto-wallets
Actors/Campaigns:
Seaflower
Industry:
Financial
TTPs:
Tactics: 1
Technics: 0
Softs:
telegram
Cloudsek
Private Drainer for MetaMask Crypto Wallets | Threat Intelligence | CloudSEK
We Discovered a Private drainer for Metamask which is capable of transferring cryptocurrency from the victim’s wallet to the attacker's wallet.
#ParsedReport
03-10-2022
Phishing Campaigns Targeting KFC and McDonalds
https://cloudsek.com/threatintelligence/phishing-campaigns-targeting-kfc-and-mcdonalds/?utm_source=rss&utm_medium=rss&utm_campaign=phishing-campaigns-targeting-kfc-and-mcdonalds
Industry:
Financial
Geo:
Indian, Singapore
TTPs:
Tactics: 1
Technics: 0
IOCs:
Domain: 23
Softs:
android, chrome
03-10-2022
Phishing Campaigns Targeting KFC and McDonalds
https://cloudsek.com/threatintelligence/phishing-campaigns-targeting-kfc-and-mcdonalds/?utm_source=rss&utm_medium=rss&utm_campaign=phishing-campaigns-targeting-kfc-and-mcdonalds
Industry:
Financial
Geo:
Indian, Singapore
TTPs:
Tactics: 1
Technics: 0
IOCs:
Domain: 23
Softs:
android, chrome
Cloudsek
Phishing Campaigns Targeting KFC and McDonald’s | Threat Intelligence | CloudSEK
KFC and McDonald’s were targeted via phishing campaigns. Campaigns aimed at the Saudi Arabia, UAE, and Singapore regions. Payment details has also been compromised.
#ParsedReport
03-10-2022
Phishing Campaign Abusing Reverse Tunnel Service Provider, Portmap.io
https://cloudsek.com/threatintelligence/phishing-campaign-abusing-reverse-tunnel-service-provider-portmap-io/?utm_source=rss&utm_medium=rss&utm_campaign=phishing-campaign-abusing-reverse-tunnel-service-provider-portmap-io
Industry:
Financial
Geo:
Indian
03-10-2022
Phishing Campaign Abusing Reverse Tunnel Service Provider, Portmap.io
https://cloudsek.com/threatintelligence/phishing-campaign-abusing-reverse-tunnel-service-provider-portmap-io/?utm_source=rss&utm_medium=rss&utm_campaign=phishing-campaign-abusing-reverse-tunnel-service-provider-portmap-io
Industry:
Financial
Geo:
Indian
Cloudsek
Phishing Campaign Abusing Reverse Tunnel Service Provider, Portmap.io | Threat Intelligence | CloudSEK
Portmap.io was misused in a phishing campaign targeting Indian banking customers. Phishing URLs are distributed via smishing techniques.
#ParsedReport
03-10-2022
Dissecting BlueSky Ransomware Payload
https://yoroi.company/research/dissecting-bluesky-ransomware-payload
Actors/Campaigns:
Bluesky
Threats:
Conti
Industry:
Ics
TTPs:
Tactics: 1
Technics: 0
IOCs:
Hash: 2
Registry: 1
File: 8
Algorithms:
chacha20, rc4, curve25519
Win API:
NtSetInformationThread, RtlAdjustPrivilege, SeDebugPrivilege, CryptAcquireContextA, CreateFileW, NtQueryInformatonFile, NtQueryInformatonProcess, SetThreadExecutionState
Platforms:
x86
YARA: Found
03-10-2022
Dissecting BlueSky Ransomware Payload
https://yoroi.company/research/dissecting-bluesky-ransomware-payload
Actors/Campaigns:
Bluesky
Threats:
Conti
Industry:
Ics
TTPs:
Tactics: 1
Technics: 0
IOCs:
Hash: 2
Registry: 1
File: 8
Algorithms:
chacha20, rc4, curve25519
Win API:
NtSetInformationThread, RtlAdjustPrivilege, SeDebugPrivilege, CryptAcquireContextA, CreateFileW, NtQueryInformatonFile, NtQueryInformatonProcess, SetThreadExecutionState
Platforms:
x86
YARA: Found
Tinexta Cyber
Il polo italiano della Cyber Security
Innovazione digitale sicura Protezione per un futuro digitale resiliente Tinexta Cyber è il polo italiano della cyber security. Parte del gruppo Tinexta, nasce dalla sintesi di tre eccellenze – Corvallis, Swascan e Yoroi – con l’obiettivo di supportare le…
#ParsedReport
01-10-2022
Qualys Response to ProxyNotShell Microsoft Exchange Server Zero-Day Threat Using Qualys Cloud Platform
https://blog.qualys.com/vulnerabilities-threat-research/2022/09/30/qualys-response-to-proxynotshell-microsoft-exchange-server-zero-day-threat-using-qualys-platform
Threats:
Proxynotshell_vuln
Chinachopper
Geo:
Vietnamese, China, Chinese
CVEs:
CVE-2022-41082 [Vulners]
Vulners: Score: Unknown, CVSS: 2.8,
Vulners: Exploitation: Unknown
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019, 2019, 2016)
CVE-2022-41040 [Vulners]
Vulners: Score: Unknown, CVSS: 3.2,
Vulners: Exploitation: True
X-Force: Risk: 6.5
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019, 2019, 2016)
TTPs:
IOCs:
File: 4
Path: 1
Hash: 10
Softs:
microsoft exchange server, microsoft exchange
Languages:
python
Links:
01-10-2022
Qualys Response to ProxyNotShell Microsoft Exchange Server Zero-Day Threat Using Qualys Cloud Platform
https://blog.qualys.com/vulnerabilities-threat-research/2022/09/30/qualys-response-to-proxynotshell-microsoft-exchange-server-zero-day-threat-using-qualys-platform
Threats:
Proxynotshell_vuln
Chinachopper
Geo:
Vietnamese, China, Chinese
CVEs:
CVE-2022-41082 [Vulners]
Vulners: Score: Unknown, CVSS: 2.8,
Vulners: Exploitation: Unknown
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019, 2019, 2016)
CVE-2022-41040 [Vulners]
Vulners: Score: Unknown, CVSS: 3.2,
Vulners: Exploitation: True
X-Force: Risk: 6.5
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019, 2019, 2016)
TTPs:
IOCs:
File: 4
Path: 1
Hash: 10
Softs:
microsoft exchange server, microsoft exchange
Languages:
python
Links:
https://github.com/Qualys/Custom-Assessment-and-Remediation-Script-Library/tree/main/Zero%20Day/CVE-2022-41040%2C41082(ProxyNotShell%20Microsoft%20Exchange%20Server)Qualys
Qualys Response to ProxyNotShell Microsoft Exchange Server Zero-Day Threat Using Qualys Cloud Platform | Qualys
On September 29, 2022, active attacks against Microsoft Exchange were reported by Vietnamese cybersecurity company GTSC. The researcher at GTSC reported two critical vulnerabilities (now named…
#ParsedReport
04-10-2022
Comm100 Installer Abused in Supply Chain Attack to Distribute Malware
https://socradar.io/comm100-installer-abused-in-supply-chain-attack-to-distribute-malware
Industry:
Healthcare
Geo:
China, Asian, American
IOCs:
Url: 7
File: 3
Hash: 5
Path: 1
Languages:
javascript
04-10-2022
Comm100 Installer Abused in Supply Chain Attack to Distribute Malware
https://socradar.io/comm100-installer-abused-in-supply-chain-attack-to-distribute-malware
Industry:
Healthcare
Geo:
China, Asian, American
IOCs:
Url: 7
File: 3
Hash: 5
Path: 1
Languages:
javascript
SOCRadar® Cyber Intelligence Inc.
Comm100 Installer Abused in Supply Chain Attack to Distribute Malware
The Comm100 Live Chat application was subject to a supply chain attack in the very last days of September. A trojanized installer was used...
#ParsedReport
04-10-2022
Decrypted: MafiaWare666 Ransomware
https://decoded.avast.io/threatresearch/decrypted-mafiaware666-ransomware/?utm_source=rss&utm_medium=rss&utm_campaign=decrypted-mafiaware666-ransomware
Threats:
Hades
Industry:
Financial
IOCs:
Hash: 8
Algorithms:
aes, zip
Languages:
php
Links:
04-10-2022
Decrypted: MafiaWare666 Ransomware
https://decoded.avast.io/threatresearch/decrypted-mafiaware666-ransomware/?utm_source=rss&utm_medium=rss&utm_campaign=decrypted-mafiaware666-ransomware
Threats:
Hades
Industry:
Financial
IOCs:
Hash: 8
Algorithms:
aes, zip
Languages:
php
Links:
https://github.com/avast/ioc/tree/master/MafiaWare666Gendigital
Decrypted: MafiaWare666 ransomware
Avast releases MafiaWare666 ransomware decryptor
#ParsedReport
04-10-2022
Remove All The Callbacks BlackByte Ransomware Disables EDR Via RTCore64.sys Abuse
https://news.sophos.com/en-us/2022/10/04/blackbyte-ransomware-returns
Threats:
Blackbyte
Avoslocker
Uac_bypass_technique
Mimikatz_tool
CVEs:
CVE-2019-16098 [Vulners]
Vulners: Score: 7.2, CVSS: 5.1,
Vulners: Exploitation: Unknown
X-Force: Risk: 7.8
X-Force: Patch: Unavailable
Soft:
- msi afterburner (4.6.2.15658)
IOCs:
File: 7
Hash: 2
Softs:
windows kernel
Algorithms:
xor
Functions:
CreateFile, NetSetInformationThreadW
Win API:
PsSetCreateThreadNotifyRoutine, PsSetCreateProcessNotifyRoutine, PsSetLoadImageNotifyRoutine, NtReadVirtualMemory, GetFileVersionInfoW, EtwThreatIntProvRegHandleOffset, CreateServiceW, EnumDeviceDrivers, GetDeviceDriverBaseNameW, DeviceIoControl, have more...
Links:
04-10-2022
Remove All The Callbacks BlackByte Ransomware Disables EDR Via RTCore64.sys Abuse
https://news.sophos.com/en-us/2022/10/04/blackbyte-ransomware-returns
Threats:
Blackbyte
Avoslocker
Uac_bypass_technique
Mimikatz_tool
CVEs:
CVE-2019-16098 [Vulners]
Vulners: Score: 7.2, CVSS: 5.1,
Vulners: Exploitation: Unknown
X-Force: Risk: 7.8
X-Force: Patch: Unavailable
Soft:
- msi afterburner (4.6.2.15658)
IOCs:
File: 7
Hash: 2
Softs:
windows kernel
Algorithms:
xor
Functions:
CreateFile, NetSetInformationThreadW
Win API:
PsSetCreateThreadNotifyRoutine, PsSetCreateProcessNotifyRoutine, PsSetLoadImageNotifyRoutine, NtReadVirtualMemory, GetFileVersionInfoW, EtwThreatIntProvRegHandleOffset, CreateServiceW, EnumDeviceDrivers, GetDeviceDriverBaseNameW, DeviceIoControl, have more...
Links:
https://github.com/wavestone-cdt/EDRSandblasthttps://github.com/sophoslabs/IoCs/blob/master/Ransomware-BlackByte.csvSophos News
Remove All The Callbacks – BlackByte Ransomware Disables EDR Via RTCore64.sys Abuse
A fresh exploration of the malware uncovers a new tactic for bypassing security products by abusing a known driver vulnerability
#ParsedReport
04-10-2022
Leveraging Microsoft Office Documents to Deliver Agent Tesla and njRat
https://www.fortinet.com/blog/threat-research/leveraging-microsoft-office-documents-to-deliver-agent-tesla-and-njrat
Threats:
Agent_tesla
Njrat_rat
Process_hollowing_technique
Vba/agent.ain!tr
Snake_keylogger
IOCs:
File: 9
Url: 1
Domain: 2
Hash: 17
Softs:
microsoft office, process explorer
Algorithms:
zip, base64
Functions:
Auto_Open, ko
Win API:
VirtualAllocEx
Languages:
javascript
04-10-2022
Leveraging Microsoft Office Documents to Deliver Agent Tesla and njRat
https://www.fortinet.com/blog/threat-research/leveraging-microsoft-office-documents-to-deliver-agent-tesla-and-njrat
Threats:
Agent_tesla
Njrat_rat
Process_hollowing_technique
Vba/agent.ain!tr
Snake_keylogger
IOCs:
File: 9
Url: 1
Domain: 2
Hash: 17
Softs:
microsoft office, process explorer
Algorithms:
zip, base64
Functions:
Auto_Open, ko
Win API:
VirtualAllocEx
Languages:
javascript
Fortinet Blog
Leveraging Microsoft Office Documents to Deliver Agent Tesla and njRat | FortiGuard Labs
FortiGuard Labs discovered malicious Microsoft Office documents attempting to leverage legitimate websites to execute a shell script and drop malware variants of Agent Tesla and njRat. Read more fo…
#ParsedReport
04-10-2022
Threat Advisory: Microsoft warns of actively exploited vulnerabilities in Exchange Server
http://blog.talosintelligence.com/2022/09/threat-advisory-exchange-server-vulns.html
Actors/Campaigns:
Hafnium
Threats:
Proxynotshell_vuln
Proxyshell_vuln
Sharpyshell
Chinachopper
Geo:
China, Chinese
CVEs:
CVE-2022-41082 [Vulners]
Vulners: Score: Unknown, CVSS: 2.8,
Vulners: Exploitation: Unknown
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019, 2019, 2016)
CVE-2022-41040 [Vulners]
Vulners: Score: Unknown, CVSS: 3.2,
Vulners: Exploitation: True
X-Force: Risk: 6.5
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019, 2019, 2016)
IOCs:
Path: 4
IP: 19
Url: 1
Softs:
microsoft exchange
Links:
04-10-2022
Threat Advisory: Microsoft warns of actively exploited vulnerabilities in Exchange Server
http://blog.talosintelligence.com/2022/09/threat-advisory-exchange-server-vulns.html
Actors/Campaigns:
Hafnium
Threats:
Proxynotshell_vuln
Proxyshell_vuln
Sharpyshell
Chinachopper
Geo:
China, Chinese
CVEs:
CVE-2022-41082 [Vulners]
Vulners: Score: Unknown, CVSS: 2.8,
Vulners: Exploitation: Unknown
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019, 2019, 2016)
CVE-2022-41040 [Vulners]
Vulners: Score: Unknown, CVSS: 3.2,
Vulners: Exploitation: True
X-Force: Risk: 6.5
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019, 2019, 2016)
IOCs:
Path: 4
IP: 19
Url: 1
Softs:
microsoft exchange
Links:
https://github.com/antonioCoco/SharPyShellTalosintelligence
Threat Advisory: Microsoft warns of actively exploited vulnerabilities in Exchange Server
A blog from the world class Intelligence Group, Talos, Cisco's Intelligence Group
#ParsedReport
04-10-2022
OnionPoison: infected Tor Browser installer distributed through popular YouTube channel
https://securelist.com/onionpoison-infected-tor-browser-installer-youtube/107627
Actors/Campaigns:
Onionpoison
Threats:
Onionduke
Geo:
China, Chinese
IOCs:
File: 7
Registry: 1
Domain: 1
Hash: 3
Softs:
visual studio, chrome, wechat
Algorithms:
xor, aes-128, base64, aes, hmac-sha1, hmac
Win API:
RtlDecompressBuffer
04-10-2022
OnionPoison: infected Tor Browser installer distributed through popular YouTube channel
https://securelist.com/onionpoison-infected-tor-browser-installer-youtube/107627
Actors/Campaigns:
Onionpoison
Threats:
Onionduke
Geo:
China, Chinese
IOCs:
File: 7
Registry: 1
Domain: 1
Hash: 3
Softs:
visual studio, chrome, wechat
Algorithms:
xor, aes-128, base64, aes, hmac-sha1, hmac
Win API:
RtlDecompressBuffer
#technique
Post-Exploitation Persistent Email Forwarder in Outlook Desktop
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/post-exploitation-persistent-email-forwarder-in-outlook-desktop/
Post-Exploitation Persistent Email Forwarder in Outlook Desktop
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/post-exploitation-persistent-email-forwarder-in-outlook-desktop/
Trustwave
Post-Exploitation Persistent Email Forwarder in Outlook Desktop
There is an exploitation method that can automatically forward emails CC’d to external addresses via an Outlook Desktop rule, even when this action is prevented on the corporate Exchange server.
#ParsedReport
05-10-2022
Change in Magniber Ransomware (*.js *.wsf) September 28th
https://asec.ahnlab.com/en/39489
Threats:
Magniber
Typosquatting_technique
IOCs:
Hash: 2
Softs:
chrome
05-10-2022
Change in Magniber Ransomware (*.js *.wsf) September 28th
https://asec.ahnlab.com/en/39489
Threats:
Magniber
Typosquatting_technique
IOCs:
Hash: 2
Softs:
chrome
ASEC BLOG
Change in Magniber Ransomware (*.js → *.wsf) – September 28th - ASEC BLOG
The ASEC analysis team has explained through the blog post on September 8th that the Magniber ransomware has changed from having a CPL extension to a JSE extension. The attacker made another change after September 8th, changing the file extension from JSE…
#ParsedReport
05-10-2022
APT Group Lazarus Exploits High Severity Flaw in Dell Driver
https://socradar.io/apt-group-lazarus-exploits-high-severity-flaw-in-dell-driver
Actors/Campaigns:
Lazarus (motivation: cyber_espionage)
Threats:
Byovd_technique
Airdry
Sslsniffer_tool
Fudmodule_rootkit
Timestomp_technique
Dll_sideloading_technique
Industry:
Aerospace
Geo:
Netherlands, Belgium
CVEs:
CVE-2021-21551 [Vulners]
Vulners: Score: 4.6, CVSS: 4.3,
Vulners: Exploitation: True
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- dell dbutil 2 3.sys (-)
TTPs:
Tactics: 7
Technics: 19
IOCs:
File: 3
Hash: 13
Url: 3
Links:
05-10-2022
APT Group Lazarus Exploits High Severity Flaw in Dell Driver
https://socradar.io/apt-group-lazarus-exploits-high-severity-flaw-in-dell-driver
Actors/Campaigns:
Lazarus (motivation: cyber_espionage)
Threats:
Byovd_technique
Airdry
Sslsniffer_tool
Fudmodule_rootkit
Timestomp_technique
Dll_sideloading_technique
Industry:
Aerospace
Geo:
Netherlands, Belgium
CVEs:
CVE-2021-21551 [Vulners]
Vulners: Score: 4.6, CVSS: 4.3,
Vulners: Exploitation: True
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- dell dbutil 2 3.sys (-)
TTPs:
Tactics: 7
Technics: 19
IOCs:
File: 3
Hash: 13
Url: 3
Links:
https://github.com/eset/malware-ioc/tree/master/nukesped\_lazarusSOCRadar® Cyber Intelligence Inc.
APT Group Lazarus Exploits High Severity Flaw in Dell Driver
The state-sponsored Lazarus group has been using a new strategy called Bring Your Own Vulnerable Driver (BYOVD) attack. The group was...
#ParsedReport
05-10-2022
Malware Analysis Report (AR22-277A)
https://us-cert.cisa.gov/ncas/analysis-reports/ar22-277a
Threats:
Covalent_stealer
Impacket_tool
Clientuploader_tool
Tedy
IOCs:
Path: 1
Hash: 47
IP: 1
Softs:
microsoft visual c++
Algorithms:
aes-256-cbc, xor, aes, gzip, base64
Platforms:
intel
05-10-2022
Malware Analysis Report (AR22-277A)
https://us-cert.cisa.gov/ncas/analysis-reports/ar22-277a
Threats:
Covalent_stealer
Impacket_tool
Clientuploader_tool
Tedy
IOCs:
Path: 1
Hash: 47
IP: 1
Softs:
microsoft visual c++
Algorithms:
aes-256-cbc, xor, aes, gzip, base64
Platforms:
intel
www.cisa.gov
MAR-10365227-1.v1 CovalentStealer | CISA
Notification This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product…
#ParsedReport
05-10-2022
Analysis of LilithBot Malware and Eternity Threat Group. Introduction
https://www.zscaler.com/blogs/security-research/analysis-lilithbot-malware-and-eternity-threat-group
Actors/Campaigns:
Eternity
Jester
Shathak
Threats:
Lilithbot
Eternity_project
Lilith_rat
Industry:
Financial
Geo:
Russian
TTPs:
Tactics: 6
Technics: 15
IOCs:
Email: 1
Coin: 2
IP: 4
Hash: 6
File: 4
Path: 1
Softs:
telegram
Algorithms:
zip, aes
05-10-2022
Analysis of LilithBot Malware and Eternity Threat Group. Introduction
https://www.zscaler.com/blogs/security-research/analysis-lilithbot-malware-and-eternity-threat-group
Actors/Campaigns:
Eternity
Jester
Shathak
Threats:
Lilithbot
Eternity_project
Lilith_rat
Industry:
Financial
Geo:
Russian
TTPs:
Tactics: 6
Technics: 15
IOCs:
Email: 1
Coin: 2
IP: 4
Hash: 6
File: 4
Path: 1
Softs:
telegram
Algorithms:
zip, aes
Zscaler
Analysis of LilithBot Malware and Eternity Threat Group | Zscaler
ThreatLabz analysis of LilithBot, a multifunction malware sold as-a-service by the Eternity threat group.
#ParsedReport
05-10-2022
ASEC (20220926 \~ 20221002). ASEC Weekly Malware Statistics (20220926 \~ 20221002)
https://asec.ahnlab.com/ko/39548
Threats:
Beamwinhttp_loader
Garbage_cleaner
Smokeloader
Smokerloader
Lockbit
Dharma
Vidar_stealer
Antefrigus
Revil
Postealer
Nemty
Agent_tesla
Azorult
Industry:
Transport
Geo:
Korea
IOCs:
Domain: 17
File: 15
Url: 21
IP: 3
Email: 5
Softs:
discord
05-10-2022
ASEC (20220926 \~ 20221002). ASEC Weekly Malware Statistics (20220926 \~ 20221002)
https://asec.ahnlab.com/ko/39548
Threats:
Beamwinhttp_loader
Garbage_cleaner
Smokeloader
Smokerloader
Lockbit
Dharma
Vidar_stealer
Antefrigus
Revil
Postealer
Nemty
Agent_tesla
Azorult
Industry:
Transport
Geo:
Korea
IOCs:
Domain: 17
File: 15
Url: 21
IP: 3
Email: 5
Softs:
discord
ASEC BLOG
ASEC 주간 악성코드 통계 (20220926 ~ 20221002) - ASEC BLOG
ASEC 분석팀에서는 ASEC 자동 분석 시스템 RAPIT 을 활용하여 알려진 악성코드들에 대한 분류 및 대응을 진행하고 있다. 본 포스팅에서는 2022년 9월 26일 월요일부터 10월 02일 일요일까지 한 주간 수집된 악성코드의 통계를 정리한다. 대분류 상으로는 다운로더가 38.2%로 1위를 차지하였으며, 그 다음으로는 인포스틸러 악성코드가 35.1%, 랜섬웨어 14.7%, 백도어가 11.6%, 코인마이너가 0.4%로 집계되었다. Top 1 – BeamWinHTTP…
#ParsedReport
05-10-2022
Malware Analysis Report (AR22-277C)
https://us-cert.cisa.gov/ncas/analysis-reports/ar22-277c
Actors/Campaigns:
Hafnium
Threats:
Chinachopper
Impacket_tool
Geo:
China
CVEs:
CVE-2021-27065 [Vulners]
Vulners: Score: 6.8, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2016, 2016, 2016, 2013, 2016, 2019, 2013, 2016, 2016, 2016, 2016, 2016, 2016, 2016, 2019, 2019, 2019, 2019, 2019, 2019, 2019)
CVE-2021-26855 [Vulners]
Vulners: Score: 7.5, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 9.1
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2016, 2016, 2013, 2016, 2016, 2013, 2016, 2019, 2013, 2016, 2016, 2016, 2016, 2016, 2016, 2016, 2019, 2019, 2019, 2019, 2019, 2019, 2019, 2019)
TTPs:
IOCs:
Hash: 17
Softs:
microsoft exchange, active directory
Functions:
Page_Load
Languages:
javascript, jscript
05-10-2022
Malware Analysis Report (AR22-277C)
https://us-cert.cisa.gov/ncas/analysis-reports/ar22-277c
Actors/Campaigns:
Hafnium
Threats:
Chinachopper
Impacket_tool
Geo:
China
CVEs:
CVE-2021-27065 [Vulners]
Vulners: Score: 6.8, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2016, 2016, 2016, 2013, 2016, 2019, 2013, 2016, 2016, 2016, 2016, 2016, 2016, 2016, 2019, 2019, 2019, 2019, 2019, 2019, 2019)
CVE-2021-26855 [Vulners]
Vulners: Score: 7.5, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 9.1
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2016, 2016, 2013, 2016, 2016, 2013, 2016, 2019, 2013, 2016, 2016, 2016, 2016, 2016, 2016, 2016, 2019, 2019, 2019, 2019, 2019, 2019, 2019, 2019)
TTPs:
IOCs:
Hash: 17
Softs:
microsoft exchange, active directory
Functions:
Page_Load
Languages:
javascript, jscript
www.cisa.gov
MAR-10365227-3.v1 China Chopper Webshells | CISA
Notification This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product…
#ParsedReport
05-10-2022
Alert (AA22-277A)
https://www.cisa.gov/uscert/ncas/alerts/aa22-277a
Threats:
Impacket_tool
Covalent_stealer
Chinachopper
Hyperbro
Netstat_tool
Screenconnect_tool
Industry:
Government, Iot
Geo:
China
CVEs:
CVE-2021-27065 [Vulners]
Vulners: Score: 6.8, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2016, 2016, 2016, 2013, 2016, 2019, 2013, 2016, 2016, 2016, 2016, 2016, 2016, 2016, 2019, 2019, 2019, 2019, 2019, 2019, 2019)
CVE-2021-26858 [Vulners]
Vulners: Score: 6.8, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2016, 2019, 2019)
CVE-2021-26855 [Vulners]
Vulners: Score: 7.5, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 9.1
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2016, 2016, 2013, 2016, 2016, 2013, 2016, 2019, 2013, 2016, 2016, 2016, 2016, 2016, 2016, 2016, 2019, 2019, 2019, 2019, 2019, 2019, 2019, 2019)
CVE-2021-26857 [Vulners]
Vulners: Score: 6.8, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2010, 2013, 2019, 2016, 2019, 2016)
TTPs:
Tactics: 10
Technics: 31
IOCs:
File: 13
Path: 2
Softs:
microsoft exchange server, microsoft onedrive, active directory
Algorithms:
aes, zip
Languages:
python
YARA: Found
05-10-2022
Alert (AA22-277A)
https://www.cisa.gov/uscert/ncas/alerts/aa22-277a
Threats:
Impacket_tool
Covalent_stealer
Chinachopper
Hyperbro
Netstat_tool
Screenconnect_tool
Industry:
Government, Iot
Geo:
China
CVEs:
CVE-2021-27065 [Vulners]
Vulners: Score: 6.8, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2016, 2016, 2016, 2013, 2016, 2019, 2013, 2016, 2016, 2016, 2016, 2016, 2016, 2016, 2019, 2019, 2019, 2019, 2019, 2019, 2019)
CVE-2021-26858 [Vulners]
Vulners: Score: 6.8, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2016, 2019, 2019)
CVE-2021-26855 [Vulners]
Vulners: Score: 7.5, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 9.1
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2016, 2016, 2013, 2016, 2016, 2013, 2016, 2019, 2013, 2016, 2016, 2016, 2016, 2016, 2016, 2016, 2019, 2019, 2019, 2019, 2019, 2019, 2019, 2019)
CVE-2021-26857 [Vulners]
Vulners: Score: 6.8, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2010, 2013, 2019, 2016, 2019, 2016)
TTPs:
Tactics: 10
Technics: 31
IOCs:
File: 13
Path: 2
Softs:
microsoft exchange server, microsoft onedrive, active directory
Algorithms:
aes, zip
Languages:
python
YARA: Found