#ParsedReport
04-10-2022
Threat Advisory: Microsoft warns of actively exploited vulnerabilities in Exchange Server
http://blog.talosintelligence.com/2022/09/threat-advisory-exchange-server-vulns.html
Actors/Campaigns:
Hafnium
Threats:
Proxynotshell_vuln
Proxyshell_vuln
Sharpyshell
Chinachopper
Geo:
China, Chinese
CVEs:
CVE-2022-41082 [Vulners]
Vulners: Score: Unknown, CVSS: 2.8,
Vulners: Exploitation: Unknown
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019, 2019, 2016)
CVE-2022-41040 [Vulners]
Vulners: Score: Unknown, CVSS: 3.2,
Vulners: Exploitation: True
X-Force: Risk: 6.5
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019, 2019, 2016)
IOCs:
Path: 4
IP: 19
Url: 1
Softs:
microsoft exchange
Links:
04-10-2022
Threat Advisory: Microsoft warns of actively exploited vulnerabilities in Exchange Server
http://blog.talosintelligence.com/2022/09/threat-advisory-exchange-server-vulns.html
Actors/Campaigns:
Hafnium
Threats:
Proxynotshell_vuln
Proxyshell_vuln
Sharpyshell
Chinachopper
Geo:
China, Chinese
CVEs:
CVE-2022-41082 [Vulners]
Vulners: Score: Unknown, CVSS: 2.8,
Vulners: Exploitation: Unknown
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019, 2019, 2016)
CVE-2022-41040 [Vulners]
Vulners: Score: Unknown, CVSS: 3.2,
Vulners: Exploitation: True
X-Force: Risk: 6.5
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019, 2019, 2016)
IOCs:
Path: 4
IP: 19
Url: 1
Softs:
microsoft exchange
Links:
https://github.com/antonioCoco/SharPyShellTalosintelligence
Threat Advisory: Microsoft warns of actively exploited vulnerabilities in Exchange Server
A blog from the world class Intelligence Group, Talos, Cisco's Intelligence Group
#ParsedReport
04-10-2022
OnionPoison: infected Tor Browser installer distributed through popular YouTube channel
https://securelist.com/onionpoison-infected-tor-browser-installer-youtube/107627
Actors/Campaigns:
Onionpoison
Threats:
Onionduke
Geo:
China, Chinese
IOCs:
File: 7
Registry: 1
Domain: 1
Hash: 3
Softs:
visual studio, chrome, wechat
Algorithms:
xor, aes-128, base64, aes, hmac-sha1, hmac
Win API:
RtlDecompressBuffer
04-10-2022
OnionPoison: infected Tor Browser installer distributed through popular YouTube channel
https://securelist.com/onionpoison-infected-tor-browser-installer-youtube/107627
Actors/Campaigns:
Onionpoison
Threats:
Onionduke
Geo:
China, Chinese
IOCs:
File: 7
Registry: 1
Domain: 1
Hash: 3
Softs:
visual studio, chrome, wechat
Algorithms:
xor, aes-128, base64, aes, hmac-sha1, hmac
Win API:
RtlDecompressBuffer
#technique
Post-Exploitation Persistent Email Forwarder in Outlook Desktop
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/post-exploitation-persistent-email-forwarder-in-outlook-desktop/
Post-Exploitation Persistent Email Forwarder in Outlook Desktop
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/post-exploitation-persistent-email-forwarder-in-outlook-desktop/
Trustwave
Post-Exploitation Persistent Email Forwarder in Outlook Desktop
There is an exploitation method that can automatically forward emails CC’d to external addresses via an Outlook Desktop rule, even when this action is prevented on the corporate Exchange server.
#ParsedReport
05-10-2022
Change in Magniber Ransomware (*.js *.wsf) September 28th
https://asec.ahnlab.com/en/39489
Threats:
Magniber
Typosquatting_technique
IOCs:
Hash: 2
Softs:
chrome
05-10-2022
Change in Magniber Ransomware (*.js *.wsf) September 28th
https://asec.ahnlab.com/en/39489
Threats:
Magniber
Typosquatting_technique
IOCs:
Hash: 2
Softs:
chrome
ASEC BLOG
Change in Magniber Ransomware (*.js → *.wsf) – September 28th - ASEC BLOG
The ASEC analysis team has explained through the blog post on September 8th that the Magniber ransomware has changed from having a CPL extension to a JSE extension. The attacker made another change after September 8th, changing the file extension from JSE…
#ParsedReport
05-10-2022
APT Group Lazarus Exploits High Severity Flaw in Dell Driver
https://socradar.io/apt-group-lazarus-exploits-high-severity-flaw-in-dell-driver
Actors/Campaigns:
Lazarus (motivation: cyber_espionage)
Threats:
Byovd_technique
Airdry
Sslsniffer_tool
Fudmodule_rootkit
Timestomp_technique
Dll_sideloading_technique
Industry:
Aerospace
Geo:
Netherlands, Belgium
CVEs:
CVE-2021-21551 [Vulners]
Vulners: Score: 4.6, CVSS: 4.3,
Vulners: Exploitation: True
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- dell dbutil 2 3.sys (-)
TTPs:
Tactics: 7
Technics: 19
IOCs:
File: 3
Hash: 13
Url: 3
Links:
05-10-2022
APT Group Lazarus Exploits High Severity Flaw in Dell Driver
https://socradar.io/apt-group-lazarus-exploits-high-severity-flaw-in-dell-driver
Actors/Campaigns:
Lazarus (motivation: cyber_espionage)
Threats:
Byovd_technique
Airdry
Sslsniffer_tool
Fudmodule_rootkit
Timestomp_technique
Dll_sideloading_technique
Industry:
Aerospace
Geo:
Netherlands, Belgium
CVEs:
CVE-2021-21551 [Vulners]
Vulners: Score: 4.6, CVSS: 4.3,
Vulners: Exploitation: True
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- dell dbutil 2 3.sys (-)
TTPs:
Tactics: 7
Technics: 19
IOCs:
File: 3
Hash: 13
Url: 3
Links:
https://github.com/eset/malware-ioc/tree/master/nukesped\_lazarusSOCRadar® Cyber Intelligence Inc.
APT Group Lazarus Exploits High Severity Flaw in Dell Driver
The state-sponsored Lazarus group has been using a new strategy called Bring Your Own Vulnerable Driver (BYOVD) attack. The group was...
#ParsedReport
05-10-2022
Malware Analysis Report (AR22-277A)
https://us-cert.cisa.gov/ncas/analysis-reports/ar22-277a
Threats:
Covalent_stealer
Impacket_tool
Clientuploader_tool
Tedy
IOCs:
Path: 1
Hash: 47
IP: 1
Softs:
microsoft visual c++
Algorithms:
aes-256-cbc, xor, aes, gzip, base64
Platforms:
intel
05-10-2022
Malware Analysis Report (AR22-277A)
https://us-cert.cisa.gov/ncas/analysis-reports/ar22-277a
Threats:
Covalent_stealer
Impacket_tool
Clientuploader_tool
Tedy
IOCs:
Path: 1
Hash: 47
IP: 1
Softs:
microsoft visual c++
Algorithms:
aes-256-cbc, xor, aes, gzip, base64
Platforms:
intel
www.cisa.gov
MAR-10365227-1.v1 CovalentStealer | CISA
Notification This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product…
#ParsedReport
05-10-2022
Analysis of LilithBot Malware and Eternity Threat Group. Introduction
https://www.zscaler.com/blogs/security-research/analysis-lilithbot-malware-and-eternity-threat-group
Actors/Campaigns:
Eternity
Jester
Shathak
Threats:
Lilithbot
Eternity_project
Lilith_rat
Industry:
Financial
Geo:
Russian
TTPs:
Tactics: 6
Technics: 15
IOCs:
Email: 1
Coin: 2
IP: 4
Hash: 6
File: 4
Path: 1
Softs:
telegram
Algorithms:
zip, aes
05-10-2022
Analysis of LilithBot Malware and Eternity Threat Group. Introduction
https://www.zscaler.com/blogs/security-research/analysis-lilithbot-malware-and-eternity-threat-group
Actors/Campaigns:
Eternity
Jester
Shathak
Threats:
Lilithbot
Eternity_project
Lilith_rat
Industry:
Financial
Geo:
Russian
TTPs:
Tactics: 6
Technics: 15
IOCs:
Email: 1
Coin: 2
IP: 4
Hash: 6
File: 4
Path: 1
Softs:
telegram
Algorithms:
zip, aes
Zscaler
Analysis of LilithBot Malware and Eternity Threat Group | Zscaler
ThreatLabz analysis of LilithBot, a multifunction malware sold as-a-service by the Eternity threat group.
#ParsedReport
05-10-2022
ASEC (20220926 \~ 20221002). ASEC Weekly Malware Statistics (20220926 \~ 20221002)
https://asec.ahnlab.com/ko/39548
Threats:
Beamwinhttp_loader
Garbage_cleaner
Smokeloader
Smokerloader
Lockbit
Dharma
Vidar_stealer
Antefrigus
Revil
Postealer
Nemty
Agent_tesla
Azorult
Industry:
Transport
Geo:
Korea
IOCs:
Domain: 17
File: 15
Url: 21
IP: 3
Email: 5
Softs:
discord
05-10-2022
ASEC (20220926 \~ 20221002). ASEC Weekly Malware Statistics (20220926 \~ 20221002)
https://asec.ahnlab.com/ko/39548
Threats:
Beamwinhttp_loader
Garbage_cleaner
Smokeloader
Smokerloader
Lockbit
Dharma
Vidar_stealer
Antefrigus
Revil
Postealer
Nemty
Agent_tesla
Azorult
Industry:
Transport
Geo:
Korea
IOCs:
Domain: 17
File: 15
Url: 21
IP: 3
Email: 5
Softs:
discord
ASEC BLOG
ASEC 주간 악성코드 통계 (20220926 ~ 20221002) - ASEC BLOG
ASEC 분석팀에서는 ASEC 자동 분석 시스템 RAPIT 을 활용하여 알려진 악성코드들에 대한 분류 및 대응을 진행하고 있다. 본 포스팅에서는 2022년 9월 26일 월요일부터 10월 02일 일요일까지 한 주간 수집된 악성코드의 통계를 정리한다. 대분류 상으로는 다운로더가 38.2%로 1위를 차지하였으며, 그 다음으로는 인포스틸러 악성코드가 35.1%, 랜섬웨어 14.7%, 백도어가 11.6%, 코인마이너가 0.4%로 집계되었다. Top 1 – BeamWinHTTP…
#ParsedReport
05-10-2022
Malware Analysis Report (AR22-277C)
https://us-cert.cisa.gov/ncas/analysis-reports/ar22-277c
Actors/Campaigns:
Hafnium
Threats:
Chinachopper
Impacket_tool
Geo:
China
CVEs:
CVE-2021-27065 [Vulners]
Vulners: Score: 6.8, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2016, 2016, 2016, 2013, 2016, 2019, 2013, 2016, 2016, 2016, 2016, 2016, 2016, 2016, 2019, 2019, 2019, 2019, 2019, 2019, 2019)
CVE-2021-26855 [Vulners]
Vulners: Score: 7.5, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 9.1
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2016, 2016, 2013, 2016, 2016, 2013, 2016, 2019, 2013, 2016, 2016, 2016, 2016, 2016, 2016, 2016, 2019, 2019, 2019, 2019, 2019, 2019, 2019, 2019)
TTPs:
IOCs:
Hash: 17
Softs:
microsoft exchange, active directory
Functions:
Page_Load
Languages:
javascript, jscript
05-10-2022
Malware Analysis Report (AR22-277C)
https://us-cert.cisa.gov/ncas/analysis-reports/ar22-277c
Actors/Campaigns:
Hafnium
Threats:
Chinachopper
Impacket_tool
Geo:
China
CVEs:
CVE-2021-27065 [Vulners]
Vulners: Score: 6.8, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2016, 2016, 2016, 2013, 2016, 2019, 2013, 2016, 2016, 2016, 2016, 2016, 2016, 2016, 2019, 2019, 2019, 2019, 2019, 2019, 2019)
CVE-2021-26855 [Vulners]
Vulners: Score: 7.5, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 9.1
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2016, 2016, 2013, 2016, 2016, 2013, 2016, 2019, 2013, 2016, 2016, 2016, 2016, 2016, 2016, 2016, 2019, 2019, 2019, 2019, 2019, 2019, 2019, 2019)
TTPs:
IOCs:
Hash: 17
Softs:
microsoft exchange, active directory
Functions:
Page_Load
Languages:
javascript, jscript
www.cisa.gov
MAR-10365227-3.v1 China Chopper Webshells | CISA
Notification This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product…
#ParsedReport
05-10-2022
Alert (AA22-277A)
https://www.cisa.gov/uscert/ncas/alerts/aa22-277a
Threats:
Impacket_tool
Covalent_stealer
Chinachopper
Hyperbro
Netstat_tool
Screenconnect_tool
Industry:
Government, Iot
Geo:
China
CVEs:
CVE-2021-27065 [Vulners]
Vulners: Score: 6.8, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2016, 2016, 2016, 2013, 2016, 2019, 2013, 2016, 2016, 2016, 2016, 2016, 2016, 2016, 2019, 2019, 2019, 2019, 2019, 2019, 2019)
CVE-2021-26858 [Vulners]
Vulners: Score: 6.8, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2016, 2019, 2019)
CVE-2021-26855 [Vulners]
Vulners: Score: 7.5, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 9.1
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2016, 2016, 2013, 2016, 2016, 2013, 2016, 2019, 2013, 2016, 2016, 2016, 2016, 2016, 2016, 2016, 2019, 2019, 2019, 2019, 2019, 2019, 2019, 2019)
CVE-2021-26857 [Vulners]
Vulners: Score: 6.8, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2010, 2013, 2019, 2016, 2019, 2016)
TTPs:
Tactics: 10
Technics: 31
IOCs:
File: 13
Path: 2
Softs:
microsoft exchange server, microsoft onedrive, active directory
Algorithms:
aes, zip
Languages:
python
YARA: Found
05-10-2022
Alert (AA22-277A)
https://www.cisa.gov/uscert/ncas/alerts/aa22-277a
Threats:
Impacket_tool
Covalent_stealer
Chinachopper
Hyperbro
Netstat_tool
Screenconnect_tool
Industry:
Government, Iot
Geo:
China
CVEs:
CVE-2021-27065 [Vulners]
Vulners: Score: 6.8, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2016, 2016, 2016, 2013, 2016, 2019, 2013, 2016, 2016, 2016, 2016, 2016, 2016, 2016, 2019, 2019, 2019, 2019, 2019, 2019, 2019)
CVE-2021-26858 [Vulners]
Vulners: Score: 6.8, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2016, 2019, 2019)
CVE-2021-26855 [Vulners]
Vulners: Score: 7.5, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 9.1
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2016, 2016, 2013, 2016, 2016, 2013, 2016, 2019, 2013, 2016, 2016, 2016, 2016, 2016, 2016, 2016, 2019, 2019, 2019, 2019, 2019, 2019, 2019, 2019)
CVE-2021-26857 [Vulners]
Vulners: Score: 6.8, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2010, 2013, 2019, 2016, 2019, 2016)
TTPs:
Tactics: 10
Technics: 31
IOCs:
File: 13
Path: 2
Softs:
microsoft exchange server, microsoft onedrive, active directory
Algorithms:
aes, zip
Languages:
python
YARA: Found
#ParsedReport
05-10-2022
How Water Labbu Exploits Electron-Based Applications. Initial investigation
https://www.trendmicro.com/en_us/research/22/j/how-water-labbu-exploits-electron-based-applications.html
Actors/Campaigns:
Water_labbu
Threats:
Cobalt_strike
Metasploit_tool
Typosquatting_technique
Filecoder
Trojan.win64.shelload.i
Trojan.win32.shelload.bk
Swrort
Matsnu
Industry:
Financial
Geo:
Chinese
CVEs:
CVE-2021-21220 [Vulners]
Vulners: Score: 6.8, CVSS: 3.1,
Vulners: Exploitation: True
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- google chrome (<89.0.4389.128)
- fedoraproject fedora (32, 33, 34)
IOCs:
Hash: 80
Domain: 3
File: 9
Registry: 1
Softs:
chromium, chrome, internet explorer
Algorithms:
zip, xor, aes, base64
Languages:
javascript, golang, php
Platforms:
x64
Links:
05-10-2022
How Water Labbu Exploits Electron-Based Applications. Initial investigation
https://www.trendmicro.com/en_us/research/22/j/how-water-labbu-exploits-electron-based-applications.html
Actors/Campaigns:
Water_labbu
Threats:
Cobalt_strike
Metasploit_tool
Typosquatting_technique
Filecoder
Trojan.win64.shelload.i
Trojan.win32.shelload.bk
Swrort
Matsnu
Industry:
Financial
Geo:
Chinese
CVEs:
CVE-2021-21220 [Vulners]
Vulners: Score: 6.8, CVSS: 3.1,
Vulners: Exploitation: True
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- google chrome (<89.0.4389.128)
- fedoraproject fedora (32, 33, 34)
IOCs:
Hash: 80
Domain: 3
File: 9
Registry: 1
Softs:
chromium, chrome, internet explorer
Algorithms:
zip, xor, aes, base64
Languages:
javascript, golang, php
Platforms:
x64
Links:
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/browser/chrome\_cve\_2021\_21220\_v8\_insufficient\_validation.rb
https://github.com/electron/asarTrend Micro
How Water Labbu Exploits Electron-Based Applications
In the second part of our Water Labbu blog series, we explore how the threat actor exploits Electron-based applications using Cobalt Strike to deploy backdoors.
#technique
The goal of the LOLBAS project is to document every binary, script, and library that can be used for Living Off The Land techniques.
https://lolbas-project.github.io/
https://github.com/LOLBAS-Project/LOLBAS/blob/master/README.md
The goal of the LOLBAS project is to document every binary, script, and library that can be used for Living Off The Land techniques.
https://lolbas-project.github.io/
https://github.com/LOLBAS-Project/LOLBAS/blob/master/README.md
GitHub
LOLBAS/README.md at master · LOLBAS-Project/LOLBAS
Living Off The Land Binaries And Scripts - (LOLBins and LOLScripts) - LOLBAS-Project/LOLBAS
#ParsedReport
06-10-2022
Microsoft SQL Servers Infected by the New Malware: Maggie
https://socradar.io/microsoft-sql-servers-infected-by-the-new-malware-maggie
Threats:
Maggie
Geo:
Korean, India, Korea
TTPs:
IOCs:
File: 4
Hash: 6
Url: 5
Path: 1
Softs:
microsoft sql, remote desktop services, mssql
06-10-2022
Microsoft SQL Servers Infected by the New Malware: Maggie
https://socradar.io/microsoft-sql-servers-infected-by-the-new-malware-maggie
Threats:
Maggie
Geo:
Korean, India, Korea
TTPs:
IOCs:
File: 4
Hash: 6
Url: 5
Path: 1
Softs:
microsoft sql, remote desktop services, mssql
SOCRadar® Cyber Intelligence Inc.
Microsoft SQL Servers Infected by the New Malware: Maggie
Maggie has emerged as a brand-new malware. The backdoor has already spread to hundreds of computers and is specifically designed to attack Microsoft SQL
#ParsedReport
06-10-2022
New Spyware RatMilad Targets Middle Eastern Mobile Devices
https://socradar.io/new-spyware-ratmilad-targets-middle-eastern-mobile-devices
Threats:
Ratmilad
Chrysaor
Geo:
Iran, Iranian
IOCs:
Url: 1
Domain: 1
Hash: 8
Softs:
android, telegram
06-10-2022
New Spyware RatMilad Targets Middle Eastern Mobile Devices
https://socradar.io/new-spyware-ratmilad-targets-middle-eastern-mobile-devices
Threats:
Ratmilad
Chrysaor
Geo:
Iran, Iranian
IOCs:
Url: 1
Domain: 1
Hash: 8
Softs:
android, telegram
SOCRadar® Cyber Intelligence Inc.
New Spyware RatMilad Targets Middle Eastern Mobile Devices
RatMilad, a newly discovered Android spyware, has been stealing data from mobile devices in the Middle East.
#ParsedReport
07-10-2022
Eternity Threat Group Distributing Multifunctional LilithBot Malware
https://socradar.io/eternity-threat-group-distributing-multifunctional-lilithbot-malware
Actors/Campaigns:
Eternity
Jester
Threats:
Lilithbot
Eternity_project
Industry:
Financial
Geo:
Russian
IOCs:
Hash: 4
IP: 4
Softs:
telegram
07-10-2022
Eternity Threat Group Distributing Multifunctional LilithBot Malware
https://socradar.io/eternity-threat-group-distributing-multifunctional-lilithbot-malware
Actors/Campaigns:
Eternity
Jester
Threats:
Lilithbot
Eternity_project
Industry:
Financial
Geo:
Russian
IOCs:
Hash: 4
IP: 4
Softs:
telegram
SOCRadar® Cyber Intelligence Inc.
Eternity Threat Group Distributing Multifunctional LilithBot Malware
LilithBot, a multipurpose malware sample, was found by ThreatLabz. Further investigation indicated that malware was connected to the...
#ParsedReport
07-10-2022
LofyGang Software Supply Chain Attackers; Organized, Persistent, and Operating for over a Year. Connecting The Dots
https://checkmarx.com/blog/lofygang-software-supply-chain-attackers-organized-persistent-and-operating-for-over-a-year
Actors/Campaigns:
Lofygang (motivation: cyber_criminal)
Nitro
Threats:
Glitch
Typosquatting_technique
Starjacking_technique
Industry:
Entertainment, Financial
Geo:
Portuguese, Brazilian, Brazil
IOCs:
File: 1
Url: 80
Softs:
discord, zoom, nitro generator
Links:
07-10-2022
LofyGang Software Supply Chain Attackers; Organized, Persistent, and Operating for over a Year. Connecting The Dots
https://checkmarx.com/blog/lofygang-software-supply-chain-attackers-organized-persistent-and-operating-for-over-a-year
Actors/Campaigns:
Lofygang (motivation: cyber_criminal)
Nitro
Threats:
Glitch
Typosquatting_technique
Starjacking_technique
Industry:
Entertainment, Financial
Geo:
Portuguese, Brazilian, Brazil
IOCs:
File: 1
Url: 80
Softs:
discord, zoom, nitro generator
Links:
https://github.com/PolarLofyhttps://github.com/relative/synchronyhttps://gist.github.com/jossef/aaa9e45c062d973f18bd87c43b9c4fc7Checkmarx
LofyGang - Software Supply Chain Attackers; Organized, Persistent, and Operating for over a Year
The Checkmarx Labs supply chain security research team finds attack group “LofyGang” linked to several software supply chain incidents reported this year by Sonatype, Jfrog, and Securelist.
#ParsedReport
07-10-2022
Modified FiveM Spoofer Targeting Gamers
https://blog.cyble.com/2022/10/07/modified-fivem-spoofer-targeting-gamers
Threats:
Asyncrat_rat
Beacon
Industry:
Entertainment
Geo:
Singapore, Australia, Dubai, India, Georgia
TTPs:
Tactics: 6
Technics: 6
IOCs:
Url: 4
File: 2
Hash: 4
Softs:
fivem, discord, tiktok
07-10-2022
Modified FiveM Spoofer Targeting Gamers
https://blog.cyble.com/2022/10/07/modified-fivem-spoofer-targeting-gamers
Threats:
Asyncrat_rat
Beacon
Industry:
Entertainment
Geo:
Singapore, Australia, Dubai, India, Georgia
TTPs:
Tactics: 6
Technics: 6
IOCs:
Url: 4
File: 2
Hash: 4
Softs:
fivem, discord, tiktok
Cyble
Modified FiveM Spoofer Targeting Gamers
Cyble Research and Intelligence Labs investigates the Discord channel leveraged by Threat Actor to target gamers using modified FiveM Spoofer.
#ParsedReport
07-10-2022
DLL Side-Loading (mi.dll). Lazarus Group DLL Side-Loading Technique (mi.dll)
https://asec.ahnlab.com/ko/39648
Actors/Campaigns:
Lazarus
Shell_crew
Threats:
Dll_sideloading_technique
Winrm_tool
Lazardoor
Lazarloader
TTPs:
IOCs:
File: 12
Path: 6
Hash: 4
Algorithms:
aes-128
07-10-2022
DLL Side-Loading (mi.dll). Lazarus Group DLL Side-Loading Technique (mi.dll)
https://asec.ahnlab.com/ko/39648
Actors/Campaigns:
Lazarus
Shell_crew
Threats:
Dll_sideloading_technique
Winrm_tool
Lazardoor
Lazarloader
TTPs:
IOCs:
File: 12
Path: 6
Hash: 4
Algorithms:
aes-128
ASEC
라자루스 그룹 DLL Side-Loading 기법 이용 (mi.dll) - ASEC
ASEC 분석팀은 라자루스 공격 그룹을 추적하던 중 공격자가 초기 침투 단계에서 다음 공격 단계 달성을 위해 정상 응용 프로그램을 이용한 DLL Side-Loading 공격 기법(T1574.002)을 사용하는 정황을 포착했다. Hijack Execution Flow: DLL Side-Loading, Sub-technique T1574.002 – Enterprise | MITRE ATT&CK® APT19 launched an HTTP malware variant…