#ParsedReport
05-10-2022
Alert (AA22-277A)
https://www.cisa.gov/uscert/ncas/alerts/aa22-277a
Threats:
Impacket_tool
Covalent_stealer
Chinachopper
Hyperbro
Netstat_tool
Screenconnect_tool
Industry:
Government, Iot
Geo:
China
CVEs:
CVE-2021-27065 [Vulners]
Vulners: Score: 6.8, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2016, 2016, 2016, 2013, 2016, 2019, 2013, 2016, 2016, 2016, 2016, 2016, 2016, 2016, 2019, 2019, 2019, 2019, 2019, 2019, 2019)
CVE-2021-26858 [Vulners]
Vulners: Score: 6.8, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2016, 2019, 2019)
CVE-2021-26855 [Vulners]
Vulners: Score: 7.5, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 9.1
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2016, 2016, 2013, 2016, 2016, 2013, 2016, 2019, 2013, 2016, 2016, 2016, 2016, 2016, 2016, 2016, 2019, 2019, 2019, 2019, 2019, 2019, 2019, 2019)
CVE-2021-26857 [Vulners]
Vulners: Score: 6.8, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2010, 2013, 2019, 2016, 2019, 2016)
TTPs:
Tactics: 10
Technics: 31
IOCs:
File: 13
Path: 2
Softs:
microsoft exchange server, microsoft onedrive, active directory
Algorithms:
aes, zip
Languages:
python
YARA: Found
05-10-2022
Alert (AA22-277A)
https://www.cisa.gov/uscert/ncas/alerts/aa22-277a
Threats:
Impacket_tool
Covalent_stealer
Chinachopper
Hyperbro
Netstat_tool
Screenconnect_tool
Industry:
Government, Iot
Geo:
China
CVEs:
CVE-2021-27065 [Vulners]
Vulners: Score: 6.8, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2016, 2016, 2016, 2013, 2016, 2019, 2013, 2016, 2016, 2016, 2016, 2016, 2016, 2016, 2019, 2019, 2019, 2019, 2019, 2019, 2019)
CVE-2021-26858 [Vulners]
Vulners: Score: 6.8, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2016, 2019, 2019)
CVE-2021-26855 [Vulners]
Vulners: Score: 7.5, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 9.1
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2016, 2016, 2013, 2016, 2016, 2013, 2016, 2019, 2013, 2016, 2016, 2016, 2016, 2016, 2016, 2016, 2019, 2019, 2019, 2019, 2019, 2019, 2019, 2019)
CVE-2021-26857 [Vulners]
Vulners: Score: 6.8, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2010, 2013, 2019, 2016, 2019, 2016)
TTPs:
Tactics: 10
Technics: 31
IOCs:
File: 13
Path: 2
Softs:
microsoft exchange server, microsoft onedrive, active directory
Algorithms:
aes, zip
Languages:
python
YARA: Found
#ParsedReport
05-10-2022
How Water Labbu Exploits Electron-Based Applications. Initial investigation
https://www.trendmicro.com/en_us/research/22/j/how-water-labbu-exploits-electron-based-applications.html
Actors/Campaigns:
Water_labbu
Threats:
Cobalt_strike
Metasploit_tool
Typosquatting_technique
Filecoder
Trojan.win64.shelload.i
Trojan.win32.shelload.bk
Swrort
Matsnu
Industry:
Financial
Geo:
Chinese
CVEs:
CVE-2021-21220 [Vulners]
Vulners: Score: 6.8, CVSS: 3.1,
Vulners: Exploitation: True
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- google chrome (<89.0.4389.128)
- fedoraproject fedora (32, 33, 34)
IOCs:
Hash: 80
Domain: 3
File: 9
Registry: 1
Softs:
chromium, chrome, internet explorer
Algorithms:
zip, xor, aes, base64
Languages:
javascript, golang, php
Platforms:
x64
Links:
05-10-2022
How Water Labbu Exploits Electron-Based Applications. Initial investigation
https://www.trendmicro.com/en_us/research/22/j/how-water-labbu-exploits-electron-based-applications.html
Actors/Campaigns:
Water_labbu
Threats:
Cobalt_strike
Metasploit_tool
Typosquatting_technique
Filecoder
Trojan.win64.shelload.i
Trojan.win32.shelload.bk
Swrort
Matsnu
Industry:
Financial
Geo:
Chinese
CVEs:
CVE-2021-21220 [Vulners]
Vulners: Score: 6.8, CVSS: 3.1,
Vulners: Exploitation: True
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- google chrome (<89.0.4389.128)
- fedoraproject fedora (32, 33, 34)
IOCs:
Hash: 80
Domain: 3
File: 9
Registry: 1
Softs:
chromium, chrome, internet explorer
Algorithms:
zip, xor, aes, base64
Languages:
javascript, golang, php
Platforms:
x64
Links:
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/browser/chrome\_cve\_2021\_21220\_v8\_insufficient\_validation.rb
https://github.com/electron/asarTrend Micro
How Water Labbu Exploits Electron-Based Applications
In the second part of our Water Labbu blog series, we explore how the threat actor exploits Electron-based applications using Cobalt Strike to deploy backdoors.
#technique
The goal of the LOLBAS project is to document every binary, script, and library that can be used for Living Off The Land techniques.
https://lolbas-project.github.io/
https://github.com/LOLBAS-Project/LOLBAS/blob/master/README.md
The goal of the LOLBAS project is to document every binary, script, and library that can be used for Living Off The Land techniques.
https://lolbas-project.github.io/
https://github.com/LOLBAS-Project/LOLBAS/blob/master/README.md
GitHub
LOLBAS/README.md at master · LOLBAS-Project/LOLBAS
Living Off The Land Binaries And Scripts - (LOLBins and LOLScripts) - LOLBAS-Project/LOLBAS
#ParsedReport
06-10-2022
Microsoft SQL Servers Infected by the New Malware: Maggie
https://socradar.io/microsoft-sql-servers-infected-by-the-new-malware-maggie
Threats:
Maggie
Geo:
Korean, India, Korea
TTPs:
IOCs:
File: 4
Hash: 6
Url: 5
Path: 1
Softs:
microsoft sql, remote desktop services, mssql
06-10-2022
Microsoft SQL Servers Infected by the New Malware: Maggie
https://socradar.io/microsoft-sql-servers-infected-by-the-new-malware-maggie
Threats:
Maggie
Geo:
Korean, India, Korea
TTPs:
IOCs:
File: 4
Hash: 6
Url: 5
Path: 1
Softs:
microsoft sql, remote desktop services, mssql
SOCRadar® Cyber Intelligence Inc.
Microsoft SQL Servers Infected by the New Malware: Maggie
Maggie has emerged as a brand-new malware. The backdoor has already spread to hundreds of computers and is specifically designed to attack Microsoft SQL
#ParsedReport
06-10-2022
New Spyware RatMilad Targets Middle Eastern Mobile Devices
https://socradar.io/new-spyware-ratmilad-targets-middle-eastern-mobile-devices
Threats:
Ratmilad
Chrysaor
Geo:
Iran, Iranian
IOCs:
Url: 1
Domain: 1
Hash: 8
Softs:
android, telegram
06-10-2022
New Spyware RatMilad Targets Middle Eastern Mobile Devices
https://socradar.io/new-spyware-ratmilad-targets-middle-eastern-mobile-devices
Threats:
Ratmilad
Chrysaor
Geo:
Iran, Iranian
IOCs:
Url: 1
Domain: 1
Hash: 8
Softs:
android, telegram
SOCRadar® Cyber Intelligence Inc.
New Spyware RatMilad Targets Middle Eastern Mobile Devices
RatMilad, a newly discovered Android spyware, has been stealing data from mobile devices in the Middle East.
#ParsedReport
07-10-2022
Eternity Threat Group Distributing Multifunctional LilithBot Malware
https://socradar.io/eternity-threat-group-distributing-multifunctional-lilithbot-malware
Actors/Campaigns:
Eternity
Jester
Threats:
Lilithbot
Eternity_project
Industry:
Financial
Geo:
Russian
IOCs:
Hash: 4
IP: 4
Softs:
telegram
07-10-2022
Eternity Threat Group Distributing Multifunctional LilithBot Malware
https://socradar.io/eternity-threat-group-distributing-multifunctional-lilithbot-malware
Actors/Campaigns:
Eternity
Jester
Threats:
Lilithbot
Eternity_project
Industry:
Financial
Geo:
Russian
IOCs:
Hash: 4
IP: 4
Softs:
telegram
SOCRadar® Cyber Intelligence Inc.
Eternity Threat Group Distributing Multifunctional LilithBot Malware
LilithBot, a multipurpose malware sample, was found by ThreatLabz. Further investigation indicated that malware was connected to the...
#ParsedReport
07-10-2022
LofyGang Software Supply Chain Attackers; Organized, Persistent, and Operating for over a Year. Connecting The Dots
https://checkmarx.com/blog/lofygang-software-supply-chain-attackers-organized-persistent-and-operating-for-over-a-year
Actors/Campaigns:
Lofygang (motivation: cyber_criminal)
Nitro
Threats:
Glitch
Typosquatting_technique
Starjacking_technique
Industry:
Entertainment, Financial
Geo:
Portuguese, Brazilian, Brazil
IOCs:
File: 1
Url: 80
Softs:
discord, zoom, nitro generator
Links:
07-10-2022
LofyGang Software Supply Chain Attackers; Organized, Persistent, and Operating for over a Year. Connecting The Dots
https://checkmarx.com/blog/lofygang-software-supply-chain-attackers-organized-persistent-and-operating-for-over-a-year
Actors/Campaigns:
Lofygang (motivation: cyber_criminal)
Nitro
Threats:
Glitch
Typosquatting_technique
Starjacking_technique
Industry:
Entertainment, Financial
Geo:
Portuguese, Brazilian, Brazil
IOCs:
File: 1
Url: 80
Softs:
discord, zoom, nitro generator
Links:
https://github.com/PolarLofyhttps://github.com/relative/synchronyhttps://gist.github.com/jossef/aaa9e45c062d973f18bd87c43b9c4fc7Checkmarx
LofyGang - Software Supply Chain Attackers; Organized, Persistent, and Operating for over a Year
The Checkmarx Labs supply chain security research team finds attack group “LofyGang” linked to several software supply chain incidents reported this year by Sonatype, Jfrog, and Securelist.
#ParsedReport
07-10-2022
Modified FiveM Spoofer Targeting Gamers
https://blog.cyble.com/2022/10/07/modified-fivem-spoofer-targeting-gamers
Threats:
Asyncrat_rat
Beacon
Industry:
Entertainment
Geo:
Singapore, Australia, Dubai, India, Georgia
TTPs:
Tactics: 6
Technics: 6
IOCs:
Url: 4
File: 2
Hash: 4
Softs:
fivem, discord, tiktok
07-10-2022
Modified FiveM Spoofer Targeting Gamers
https://blog.cyble.com/2022/10/07/modified-fivem-spoofer-targeting-gamers
Threats:
Asyncrat_rat
Beacon
Industry:
Entertainment
Geo:
Singapore, Australia, Dubai, India, Georgia
TTPs:
Tactics: 6
Technics: 6
IOCs:
Url: 4
File: 2
Hash: 4
Softs:
fivem, discord, tiktok
Cyble
Modified FiveM Spoofer Targeting Gamers
Cyble Research and Intelligence Labs investigates the Discord channel leveraged by Threat Actor to target gamers using modified FiveM Spoofer.
#ParsedReport
07-10-2022
DLL Side-Loading (mi.dll). Lazarus Group DLL Side-Loading Technique (mi.dll)
https://asec.ahnlab.com/ko/39648
Actors/Campaigns:
Lazarus
Shell_crew
Threats:
Dll_sideloading_technique
Winrm_tool
Lazardoor
Lazarloader
TTPs:
IOCs:
File: 12
Path: 6
Hash: 4
Algorithms:
aes-128
07-10-2022
DLL Side-Loading (mi.dll). Lazarus Group DLL Side-Loading Technique (mi.dll)
https://asec.ahnlab.com/ko/39648
Actors/Campaigns:
Lazarus
Shell_crew
Threats:
Dll_sideloading_technique
Winrm_tool
Lazardoor
Lazarloader
TTPs:
IOCs:
File: 12
Path: 6
Hash: 4
Algorithms:
aes-128
ASEC
라자루스 그룹 DLL Side-Loading 기법 이용 (mi.dll) - ASEC
ASEC 분석팀은 라자루스 공격 그룹을 추적하던 중 공격자가 초기 침투 단계에서 다음 공격 단계 달성을 위해 정상 응용 프로그램을 이용한 DLL Side-Loading 공격 기법(T1574.002)을 사용하는 정황을 포착했다. Hijack Execution Flow: DLL Side-Loading, Sub-technique T1574.002 – Enterprise | MITRE ATT&CK® APT19 launched an HTTP malware variant…
#ParsedReport
07-10-2022
SpiderLabs Blog. HTML File Attachments: Still A Threat
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/html-file-attachments-still-a-threat
Actors/Campaigns:
Wizard_spider (motivation: cyber_criminal)
Threats:
Html_smuggling_technique
Mekotio
Ousaban
Trickbot
Qakbot
Industry:
Financial
Algorithms:
zip
Languages:
javascript
Links:
07-10-2022
SpiderLabs Blog. HTML File Attachments: Still A Threat
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/html-file-attachments-still-a-threat
Actors/Campaigns:
Wizard_spider (motivation: cyber_criminal)
Threats:
Html_smuggling_technique
Mekotio
Ousaban
Trickbot
Qakbot
Industry:
Financial
Algorithms:
zip
Languages:
javascript
Links:
https://github.com/javascript-obfuscator/javascript-obfuscator#ParsedReport
07-10-2022
Letting off steam
https://blog.group-ib.com/steam
Threats:
Blackcat
Industry:
Entertainment, Education, Financial
Geo:
Singapore, Russian
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 5
Softs:
telegram, discord
Languages:
rust, php
07-10-2022
Letting off steam
https://blog.group-ib.com/steam
Threats:
Blackcat
Industry:
Entertainment, Education, Financial
Geo:
Singapore, Russian
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 5
Softs:
telegram, discord
Languages:
rust, php
Group-IB
Letting off steam
Hackers use the browser-in-the-browser technique to steal Steam accounts
#ParsedReport
07-10-2022
We Smell A RatMilad Android Spyware
https://blog.zimperium.com/we-smell-a-ratmilad-mobile-spyware
Threats:
Ratmilad
Industry:
Financial, Government
IOCs:
Url: 2
File: 14
Domain: 1
Hash: 8
Softs:
android, telegram, burp suite, media features
Algorithms:
zip
07-10-2022
We Smell A RatMilad Android Spyware
https://blog.zimperium.com/we-smell-a-ratmilad-mobile-spyware
Threats:
Ratmilad
Industry:
Financial, Government
IOCs:
Url: 2
File: 14
Domain: 1
Hash: 8
Softs:
android, telegram, burp suite, media features
Algorithms:
zip
#ParsedReport
07-10-2022
Excel Document Delivers Multiple Malware by Exploiting CVE-2017-11882 Part II
https://www.fortinet.com/blog/threat-research/excel-document-delivers-multiple-malware-exploiting-cve-2017-11882-part-two
Threats:
Redline_stealer
Formbook
Imminentmonitor_rat
CVEs:
CVE-2017-11882 [Vulners]
Vulners: Score: 9.3, CVSS: 4.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft office (2013, 2010, 2016, 2007)
IOCs:
Url: 2
IP: 1
File: 20
Domain: 2
Hash: 2
Softs:
task scheduler, chrome, opera, waterfox, k-meleon, icedragon, cyberfox, blackhaw, 7star, chromeplus, have more...
Algorithms:
gzip
Functions:
CreateProcessAsUser, CreateFlag, APIs, Wow64GetThreadContext, Wow64SetThreadContext, CreateBind, CreateChannel, GetArguments, GetUpdates, CheckConnect, have more...
Win API:
GetThreadContext, ReadProcessMemory, VirtualAllocEx, WriteProcessMemory, SetThreadContext, ResumeThread
07-10-2022
Excel Document Delivers Multiple Malware by Exploiting CVE-2017-11882 Part II
https://www.fortinet.com/blog/threat-research/excel-document-delivers-multiple-malware-exploiting-cve-2017-11882-part-two
Threats:
Redline_stealer
Formbook
Imminentmonitor_rat
CVEs:
CVE-2017-11882 [Vulners]
Vulners: Score: 9.3, CVSS: 4.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft office (2013, 2010, 2016, 2007)
IOCs:
Url: 2
IP: 1
File: 20
Domain: 2
Hash: 2
Softs:
task scheduler, chrome, opera, waterfox, k-meleon, icedragon, cyberfox, blackhaw, 7star, chromeplus, have more...
Algorithms:
gzip
Functions:
CreateProcessAsUser, CreateFlag, APIs, Wow64GetThreadContext, Wow64SetThreadContext, CreateBind, CreateChannel, GetArguments, GetUpdates, CheckConnect, have more...
Win API:
GetThreadContext, ReadProcessMemory, VirtualAllocEx, WriteProcessMemory, SetThreadContext, ResumeThread
Fortinet Blog
Excel Document Delivers Multiple Malware by Exploiting CVE-2017-11882 – Part II
FortiGuard Labs discovered an Excel document, which exploits CVE-2017-11882 to execute malicious code to deliver and execute malware. Part two of this series reveals more about the Redline payload …
#ParsedReport
07-10-2022
Evolution of BazarCall Social Engineering Tactics
https://www.trellix.com/en-us/about/newsroom/stories/research/evolution-of-bazarcall-social-engineering-tactics.html
Threats:
Bazarbackdoor
Conti
Trickbot
Gozi
Icedid
Screenconnect_tool
Revil
Industry:
Financial
Geo:
Asian, India, China, Canada
TTPs:
IOCs:
File: 2
Hash: 3
Domain: 1
Url: 86
Softs:
windows registry
07-10-2022
Evolution of BazarCall Social Engineering Tactics
https://www.trellix.com/en-us/about/newsroom/stories/research/evolution-of-bazarcall-social-engineering-tactics.html
Threats:
Bazarbackdoor
Conti
Trickbot
Gozi
Icedid
Screenconnect_tool
Revil
Industry:
Financial
Geo:
Asian, India, China, Canada
TTPs:
IOCs:
File: 2
Hash: 3
Domain: 1
Url: 86
Softs:
windows registry
Trellix
Evolution of BazarCall Social Engineering Tactics
With the growth in cyberattacks, people are increasingly aware of the common tactics used by adversaries. As awareness has improved, BazarCall has ceaselessly adapted and evolved its social engineering tactics accordingly.
#ParsedReport
07-10-2022
Conti Ransomware: The History Behind One of the Worlds Most Aggressive RaaS Groups
https://flashpoint.io/blog/history-of-conti-ransomware
Actors/Campaigns:
Wizard_spider
Threats:
Conti
Maze
Egregor
Ryuk
Cobalt_strike
Trickbot
Beacon
Adfind_tool
Diavol
Industry:
Government, Healthcare, E-commerce, Financial
Geo:
Japanese, Ukraine, Japan, Russian, Russia
Softs:
active directory
07-10-2022
Conti Ransomware: The History Behind One of the Worlds Most Aggressive RaaS Groups
https://flashpoint.io/blog/history-of-conti-ransomware
Actors/Campaigns:
Wizard_spider
Threats:
Conti
Maze
Egregor
Ryuk
Cobalt_strike
Trickbot
Beacon
Adfind_tool
Diavol
Industry:
Government, Healthcare, E-commerce, Financial
Geo:
Japanese, Ukraine, Japan, Russian, Russia
Softs:
active directory
Flashpoint
Conti Ransomware: Inside One of the World’s Most Aggressive Ransomware Groups
Conti ransomware has become one of the most infamous in the ransomware space. Recent developments have called into question the future of the group, prompting a look back on how they came to be.
#ParsedReport
07-10-2022
Fake Ransomware Infection Under widespread
https://blog.cyble.com/2022/10/06/fake-ransomware-infection-under-widespread
Industry:
Financial
Geo:
Australia, Singapore, Georgia, Dubai, India
TTPs:
Tactics: 5
Technics: 9
IOCs:
File: 7
Path: 1
Url: 1
Hash: 15
Algorithms:
gzip, zip
Languages:
php
07-10-2022
Fake Ransomware Infection Under widespread
https://blog.cyble.com/2022/10/06/fake-ransomware-infection-under-widespread
Industry:
Financial
Geo:
Australia, Singapore, Georgia, Dubai, India
TTPs:
Tactics: 5
Technics: 9
IOCs:
File: 7
Path: 1
Url: 1
Hash: 15
Algorithms:
gzip, zip
Languages:
php
#ParsedReport
10-10-2022
Dark Web Profile: Play Ransomware
https://socradar.io/dark-web-profile-play-ransomware
Threats:
Playcrypt
Nokoyawa
Adfind_tool
Lolbin
Industry:
Government
Geo:
Brazil, American
CVEs:
CVE-2018-13379 [Vulners]
Vulners: Score: 5.0, CVSS: 3.2,
Vulners: Exploitation: True
X-Force: Risk: 7.5
X-Force: Patch: Official fix
Soft:
- fortinet fortios (le6.0.4, le5.6.7)
CVE-2020-12812 [Vulners]
Vulners: Score: 7.5, CVSS: 2.6,
Vulners: Exploitation: True
X-Force: Risk: 5.3
X-Force: Patch: Official fix
Soft:
- fortinet fortios (<6.2.4, 6.4.0, <6.0.10)
IOCs:
Hash: 20
Url: 4
IP: 2
Softs:
active directory, psexec
10-10-2022
Dark Web Profile: Play Ransomware
https://socradar.io/dark-web-profile-play-ransomware
Threats:
Playcrypt
Nokoyawa
Adfind_tool
Lolbin
Industry:
Government
Geo:
Brazil, American
CVEs:
CVE-2018-13379 [Vulners]
Vulners: Score: 5.0, CVSS: 3.2,
Vulners: Exploitation: True
X-Force: Risk: 7.5
X-Force: Patch: Official fix
Soft:
- fortinet fortios (le6.0.4, le5.6.7)
CVE-2020-12812 [Vulners]
Vulners: Score: 7.5, CVSS: 2.6,
Vulners: Exploitation: True
X-Force: Risk: 5.3
X-Force: Patch: Official fix
Soft:
- fortinet fortios (<6.2.4, 6.4.0, <6.0.10)
IOCs:
Hash: 20
Url: 4
IP: 2
Softs:
active directory, psexec
SOCRadar® Cyber Intelligence Inc.
Dark Web Profile: Play Ransomware - SOCRadar® Cyber Intelligence Inc.
Ransomware is one of the common cyber-attacks developing a cybercrime industry. Today, we’ll introduce you to a new player: Play Ransomware.
#ParsedReport
10-10-2022
Mustang Panda Abuses Legitimate Apps to Target Myanmar Based Victims
https://blogs.blackberry.com/en/2022/10/mustang-panda-abuses-legitimate-apps-to-target-myanmar-based-victims
Actors/Campaigns:
Red_delta (motivation: cyber_espionage)
Threats:
Plugx_rat
Cobalt_strike
Poison_ivy
Beacon
Dll_sideloading_technique
Industry:
Ngo, Government
Geo:
Chinese, Asian, Myanmar, Asia, China
IOCs:
Domain: 4
File: 1
Hash: 4
IP: 2
Algorithms:
xor
Win API:
RtlDecompressBuffer
YARA: Found
10-10-2022
Mustang Panda Abuses Legitimate Apps to Target Myanmar Based Victims
https://blogs.blackberry.com/en/2022/10/mustang-panda-abuses-legitimate-apps-to-target-myanmar-based-victims
Actors/Campaigns:
Red_delta (motivation: cyber_espionage)
Threats:
Plugx_rat
Cobalt_strike
Poison_ivy
Beacon
Dll_sideloading_technique
Industry:
Ngo, Government
Geo:
Chinese, Asian, Myanmar, Asia, China
IOCs:
Domain: 4
File: 1
Hash: 4
IP: 2
Algorithms:
xor
Win API:
RtlDecompressBuffer
YARA: Found
BlackBerry
Mustang Panda Abuses Legitimate Apps to Target Myanmar Based Victims
The BlackBerry Research & Intelligence Team recently uncovered a campaign by an advanced persistent threat (APT) group called Mustang Panda that is leveraging the PlugX malware family to target the Southeast Asian state of Myanmar.