CTT Report Hub
3.41K subscribers
9.74K photos
6 videos
67 files
13.4K links
Threat Intelligence Report Hub
Download Telegram
#ParsedReport
04-10-2022

Decrypted: MafiaWare666 Ransomware

https://decoded.avast.io/threatresearch/decrypted-mafiaware666-ransomware/?utm_source=rss&utm_medium=rss&utm_campaign=decrypted-mafiaware666-ransomware

Threats:
Hades

Industry:
Financial

IOCs:
Hash: 8

Algorithms:
aes, zip

Languages:
php

Links:
https://github.com/avast/ioc/tree/master/MafiaWare666
#ParsedReport
04-10-2022

Remove All The Callbacks BlackByte Ransomware Disables EDR Via RTCore64.sys Abuse

https://news.sophos.com/en-us/2022/10/04/blackbyte-ransomware-returns

Threats:
Blackbyte
Avoslocker
Uac_bypass_technique
Mimikatz_tool

CVEs:
CVE-2019-16098 [Vulners]
Vulners: Score: 7.2, CVSS: 5.1,
Vulners: Exploitation: Unknown
X-Force: Risk: 7.8
X-Force: Patch: Unavailable
Soft:
- msi afterburner (4.6.2.15658)


IOCs:
File: 7
Hash: 2

Softs:
windows kernel

Algorithms:
xor

Functions:
CreateFile, NetSetInformationThreadW

Win API:
PsSetCreateThreadNotifyRoutine, PsSetCreateProcessNotifyRoutine, PsSetLoadImageNotifyRoutine, NtReadVirtualMemory, GetFileVersionInfoW, EtwThreatIntProvRegHandleOffset, CreateServiceW, EnumDeviceDrivers, GetDeviceDriverBaseNameW, DeviceIoControl, have more...

Links:
https://github.com/wavestone-cdt/EDRSandblast
https://github.com/sophoslabs/IoCs/blob/master/Ransomware-BlackByte.csv
#ParsedReport
04-10-2022

Leveraging Microsoft Office Documents to Deliver Agent Tesla and njRat

https://www.fortinet.com/blog/threat-research/leveraging-microsoft-office-documents-to-deliver-agent-tesla-and-njrat

Threats:
Agent_tesla
Njrat_rat
Process_hollowing_technique
Vba/agent.ain!tr
Snake_keylogger

IOCs:
File: 9
Url: 1
Domain: 2
Hash: 17

Softs:
microsoft office, process explorer

Algorithms:
zip, base64

Functions:
Auto_Open, ko

Win API:
VirtualAllocEx

Languages:
javascript
#ParsedReport
04-10-2022

Threat Advisory: Microsoft warns of actively exploited vulnerabilities in Exchange Server

http://blog.talosintelligence.com/2022/09/threat-advisory-exchange-server-vulns.html

Actors/Campaigns:
Hafnium

Threats:
Proxynotshell_vuln
Proxyshell_vuln
Sharpyshell
Chinachopper

Geo:
China, Chinese

CVEs:
CVE-2022-41082 [Vulners]
Vulners: Score: Unknown, CVSS: 2.8,
Vulners: Exploitation: Unknown
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019, 2019, 2016)

CVE-2022-41040 [Vulners]
Vulners: Score: Unknown, CVSS: 3.2,
Vulners: Exploitation: True
X-Force: Risk: 6.5
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019, 2019, 2016)


IOCs:
Path: 4
IP: 19
Url: 1

Softs:
microsoft exchange

Links:
https://github.com/antonioCoco/SharPyShell
#ParsedReport
04-10-2022

OnionPoison: infected Tor Browser installer distributed through popular YouTube channel

https://securelist.com/onionpoison-infected-tor-browser-installer-youtube/107627

Actors/Campaigns:
Onionpoison

Threats:
Onionduke

Geo:
China, Chinese

IOCs:
File: 7
Registry: 1
Domain: 1
Hash: 3

Softs:
visual studio, chrome, wechat

Algorithms:
xor, aes-128, base64, aes, hmac-sha1, hmac

Win API:
RtlDecompressBuffer
#ParsedReport
05-10-2022

APT Group Lazarus Exploits High Severity Flaw in Dell Driver

https://socradar.io/apt-group-lazarus-exploits-high-severity-flaw-in-dell-driver

Actors/Campaigns:
Lazarus (motivation: cyber_espionage)

Threats:
Byovd_technique
Airdry
Sslsniffer_tool
Fudmodule_rootkit
Timestomp_technique
Dll_sideloading_technique

Industry:
Aerospace

Geo:
Netherlands, Belgium

CVEs:
CVE-2021-21551 [Vulners]
Vulners: Score: 4.6, CVSS: 4.3,
Vulners: Exploitation: True
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- dell dbutil 2 3.sys (-)


TTPs:
Tactics: 7
Technics: 19

IOCs:
File: 3
Hash: 13
Url: 3

Links:
https://github.com/eset/malware-ioc/tree/master/nukesped\_lazarus
#ParsedReport
05-10-2022

Analysis of LilithBot Malware and Eternity Threat Group. Introduction

https://www.zscaler.com/blogs/security-research/analysis-lilithbot-malware-and-eternity-threat-group

Actors/Campaigns:
Eternity
Jester
Shathak

Threats:
Lilithbot
Eternity_project
Lilith_rat

Industry:
Financial

Geo:
Russian

TTPs:
Tactics: 6
Technics: 15

IOCs:
Email: 1
Coin: 2
IP: 4
Hash: 6
File: 4
Path: 1

Softs:
telegram

Algorithms:
zip, aes
#ParsedReport
05-10-2022

Malware Analysis Report (AR22-277C)

https://us-cert.cisa.gov/ncas/analysis-reports/ar22-277c

Actors/Campaigns:
Hafnium

Threats:
Chinachopper
Impacket_tool

Geo:
China

CVEs:
CVE-2021-27065 [Vulners]
Vulners: Score: 6.8, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2016, 2016, 2016, 2013, 2016, 2019, 2013, 2016, 2016, 2016, 2016, 2016, 2016, 2016, 2019, 2019, 2019, 2019, 2019, 2019, 2019)

CVE-2021-26855 [Vulners]
Vulners: Score: 7.5, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 9.1
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2016, 2016, 2013, 2016, 2016, 2013, 2016, 2019, 2013, 2016, 2016, 2016, 2016, 2016, 2016, 2016, 2019, 2019, 2019, 2019, 2019, 2019, 2019, 2019)


TTPs:

IOCs:
Hash: 17

Softs:
microsoft exchange, active directory

Functions:
Page_Load

Languages:
javascript, jscript
#ParsedReport
05-10-2022

Alert (AA22-277A)

https://www.cisa.gov/uscert/ncas/alerts/aa22-277a

Threats:
Impacket_tool
Covalent_stealer
Chinachopper
Hyperbro
Netstat_tool
Screenconnect_tool

Industry:
Government, Iot

Geo:
China

CVEs:
CVE-2021-27065 [Vulners]
Vulners: Score: 6.8, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2016, 2016, 2016, 2013, 2016, 2019, 2013, 2016, 2016, 2016, 2016, 2016, 2016, 2016, 2019, 2019, 2019, 2019, 2019, 2019, 2019)

CVE-2021-26858 [Vulners]
Vulners: Score: 6.8, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2016, 2019, 2019)

CVE-2021-26855 [Vulners]
Vulners: Score: 7.5, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 9.1
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2016, 2016, 2013, 2016, 2016, 2013, 2016, 2019, 2013, 2016, 2016, 2016, 2016, 2016, 2016, 2016, 2019, 2019, 2019, 2019, 2019, 2019, 2019, 2019)

CVE-2021-26857 [Vulners]
Vulners: Score: 6.8, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2010, 2013, 2019, 2016, 2019, 2016)


TTPs:
Tactics: 10
Technics: 31

IOCs:
File: 13
Path: 2

Softs:
microsoft exchange server, microsoft onedrive, active directory

Algorithms:
aes, zip

Languages:
python

YARA: Found
#ParsedReport
05-10-2022

How Water Labbu Exploits Electron-Based Applications. Initial investigation

https://www.trendmicro.com/en_us/research/22/j/how-water-labbu-exploits-electron-based-applications.html

Actors/Campaigns:
Water_labbu

Threats:
Cobalt_strike
Metasploit_tool
Typosquatting_technique
Filecoder
Trojan.win64.shelload.i
Trojan.win32.shelload.bk
Swrort
Matsnu

Industry:
Financial

Geo:
Chinese

CVEs:
CVE-2021-21220 [Vulners]
Vulners: Score: 6.8, CVSS: 3.1,
Vulners: Exploitation: True
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- google chrome (<89.0.4389.128)
- fedoraproject fedora (32, 33, 34)


IOCs:
Hash: 80
Domain: 3
File: 9
Registry: 1

Softs:
chromium, chrome, internet explorer

Algorithms:
zip, xor, aes, base64

Languages:
javascript, golang, php

Platforms:
x64

Links:
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/browser/chrome\_cve\_2021\_21220\_v8\_insufficient\_validation.rb
https://github.com/electron/asar
#technique

Это, конечно, лолкек...