#ParsedReport
18-10-2022
Spyder Loader: Malware Seen in Recent Campaign Targeting Organizations in Hong Kong
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/spyder-loader-cuckoobees-hong-kong
Actors/Campaigns:
Cuckoobees
Threats:
Spyder
Cryptopp_tool
Mimikatz_tool
Industry:
Government
IOCs:
File: 7
Path: 1
Hash: 88
Algorithms:
chacha20, aes
Win API:
GetComputerNameW
Security
Spyder Loader: Malware Seen in Recent Campaign Targeting Organizations in Hong Kong
Activity appears to be a continuation of previously documented Operation CuckooBees campaign.
#ParsedReport
19-10-2022
ASEC Weekly Malware Statistics (October 3rd, 2022 – October 9th, 2022)
https://asec.ahnlab.com/en/40056
Threats:
Smokeloader
Agent_tesla
Beamwinhttp_loader
Garbage_cleaner
Snake_keylogger
Remcos_rat
Formbook
Nanocore_rat
Industry:
Financial
Geo:
Korea
IOCs:
File: 11
Domain: 11
Email: 7
Url: 2
Softs:
discord
Languages:
php
ASEC BLOG
ASEC Weekly Malware Statistics (October 3rd, 2022 – October 9th, 2022) - ASEC BLOG
The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from October 3rd, 2022 (Monday) to October 9th, 2022 (Sunday). For the main category, downloader…
#ParsedReport
19-10-2022
Coin miner malware installed on vulnerable Apache Tomcat web servers
https://asec.ahnlab.com/ko/40315
Threats:
Meterpreter_tool
Xmrig_miner
Dropper/win.miner.c5283988
Trojan/vbs.runner.sc184041
Industry:
Healthcare
IOCs:
File: 6
Url: 5
Domain: 1
Coin: 1
Hash: 7
Algorithms:
base64
ASEC BLOG
Coin miner malware installed on vulnerable Apache Tomcat web servers - ASEC BLOG
The ASEC analysis team recently confirmed attacks targeting vulnerable Apache Tomcat web servers. Tomcat servers that have not been updated to the latest version are one of the most common vulnerability attack vectors. In the past, the ASEC blog has also covered attacks against Apache Tomcat servers with a vulnerable JBoss version installed. The attacker used the exploit tool JexBoss to install a web shell and then gained control of the infected system with Meterpreter malware. Generally, attackers use scan results to find vulnerable…
#ParsedReport
19-10-2022
DeadBolt ransomware: nothing but NASty
https://blog.group-ib.com/nas-under-threat
Threats:
Deadbolt
Upx_tool
Industry:
Petroleum, Financial
CVEs:
CVE-2022-27593 [Vulners]
Vulners: Score: Unknown, CVSS: 3.1,
Vulners: Exploitation: True
X-Force: Risk: 10
X-Force: Patch: Official fix
Soft:
- qnap photo station (<5.2.14, <5.4.15, <5.7.18, <6.0.22, <6.1.2)
Algorithms:
aes, aes-128, gzip, cbc, des
Languages:
javascript, lua, php
Platforms:
arm
Links:
https://github.com/rivitna/Malware/tree/main/DeadBolt/deadbolt_demo
Group-IB
DeadBolt ransomware: nothing but NASty
The Group-IB Incident Response Team investigated an incident related to a DeadBolt attack and analyzed a DeadBolt ransomware sample.
#ParsedReport
19-10-2022
Sophos X-Ops finds Attackers Using Covert Channels in Backdoor Against Devices
https://news.sophos.com/en-us/2022/10/19/sophos-x-ops-finds-attackers-using-covert-channels-in-backdoor-against-devices
Threats:
Gh0st_rat
Metasploit_tool
Termite
CVEs:
CVE-2022-1040 [Vulners]
Vulners: Score: 7.5, CVSS: 6.5,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- sophos sfos (le18.5.3)
CVE-2022-3236 [Vulners]
Vulners: Score: Unknown, CVSS: 6.3,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- sophos firewall (le19.0.1)
TTPs:
IOCs:
File: 3
Domain: 2
IP: 25
Hash: 34
Algorithms:
aes, rc4, base64
Languages:
perl, java
Links:
https://github.com/rapid7/metasploit-javapayload/blob/dee9809f78a7e86981a8f39e0622f05458c85940/javapayload/src/main/java/metasploit/Payload.java
https://github.com/sophoslabs/IoCs/blob/master/CVE-2022-3236_IOCs.csv
Sophos News
Sophos X-Ops finds Attackers Using Covert Channels in Backdoor Against Devices
Newly discovered attack combines custom and commodity malware
#ParsedReport
19-10-2022
TeamTNT Returns or Does It?
https://www.trendmicro.com/en_us/research/22/j/teamtnt-returns-or-does-it.html
Actors/Campaigns:
Teamtnt (motivation: cyber_criminal)
Threats:
Xmrig_miner
Zgrab_scanner_tool
Netstat_tool
Pnscan_tool
Masscan_tool
Cronb
Geo:
China, Germany
TTPs:
Tactics: 6
Technics: 25
IOCs:
IP: 14
File: 4
Coin: 1
Url: 15
Domain: 3
Softs:
docker, curl, crontab, apparmor, alisecguard, redis, systemd
Algorithms:
base64
Languages:
python
Links:
https://github.com/gianlucaborello/libprocesshider
https://github.com/zmap/zgrab
Trend Micro
TeamTNT Returns — Or Does It?
Our honeypots caught malicious cryptocurrency miner samples targeting the cloud and containers, and its routines are reminiscent of the routines employed by cybercriminal group TeamTNT, which was said to have quit in November 2021. Our investigation shows…
#ParsedReport
19-10-2022
.NET FormBook. FormBook malware with a .NET appearance being distributed
https://asec.ahnlab.com/ko/40167
Threats:
Formbook
Malware/mdp.injection.m3509
IOCs:
File: 3
Hash: 1
Url: 2
ASEC BLOG
FormBook malware with a .NET appearance being distributed - ASEC BLOG
AhnLab's V3 product has a variety of detection features to protect users from malware threats. Among them, the 'App Isolate Scan' feature provides detection and isolation of suspicious processes; besides ransomware, it can detect malware such as infostealers and downloaders by isolating them in a virtual environment. It can protect users by preemptively isolating malware that has not yet been collected in AhnLab's ASD infrastructure or whose static and dynamic behavior patterns have not been confirmed…
Knocked together the first version of a parser for the cmd and powershell commands contained in the reports. Almost lost it and switched to hard drugs in the form of a Lex-Yacc syntax analyzer.
#ParsedReport
19-10-2022
New Malicious Clicker found in apps installed by 20M+ users. How it works
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/new-malicious-clicker-found-in-apps-installed-by-20m-users
Threats:
Adware-admob
IOCs:
Domain: 6
Hash: 16
Softs:
android, (torch), instagram
McAfee Blog
New Malicious Clicker found in apps installed by 20M+ users | McAfee Blog
Authored by SangRyol Ryu. Cybercriminals are always after illegal advertising revenue. As we have previously reported, we have seen many mobile malwares
#ParsedReport
20-10-2022
Black Basta and the Unnoticed Delivery. Introduction
https://research.checkpoint.com/2022/black-basta-and-the-unnoticed-delivery
Threats:
Blackbasta
Conti
Cobalt_strike
Qakbot
Trap_flag_technique
Antidebugging_technique
Windbg_tool
Industry:
Financial
Geo:
India, Denmark, Switzerland, Italy, Canada, Germany, France, Austria
IOCs:
Hash: 7
File: 3
Algorithms:
aes, chacha20
Functions:
FindWindow, CreateFile
Win API:
NtGlobalFlag, DebugBreak, QueryPerformanceCounter, GetTickCount, VirtualAlloc, GetWriteWatch, CloseHandle, NtQueryInformationProcess, ReadFile, WriteFile, have more...
Check Point Research
Black Basta and the Unnoticed Delivery - Check Point Research
Introduction As reported by Check Point at the end of H1 2022, 1 out of 40 organizations worldwide were impacted by ransomware attacks, which constitutes a worrying 59% increase over the past year. The ransomware business continues to grow in gargantuan proportions…
#ParsedReport
20-10-2022
Domestic Kitten campaign spying on Iranian citizens with new FurBall malware
https://www.welivesecurity.com/2022/10/20/domestic-kitten-campaign-spying-iranian-citizens-furball-malware
Actors/Campaigns:
Domestic_kitten
Threats:
Furball
Kidlogger
Geo:
Ukraine, Iranian, Iran
TTPs:
Tactics: 6
Technics: 9
IOCs:
File: 1
Hash: 1
Softs:
android
Languages:
php
YARA: Found
WeLiveSecurity
Domestic Kitten campaign spying on Iranian citizens with new FurBall malware
APT-C-50’s Domestic Kitten campaign continues, targeting Iranian citizens with a new version of the FurBall malware posing as an Android translation app.
#ParsedReport
20-10-2022
Infostealer Distributed Using Bundled Installer
https://blog.cyble.com/2022/10/20/infostealer-distributed-using-bundled-installer
Threats:
Beacon
Industry:
Financial
Geo:
Singapore, Georgia, Dubai, Australia, India
TTPs:
Tactics: 5
Technics: 10
IOCs:
File: 5
IP: 2
Coin: 2
Registry: 1
Url: 1
Hash: 15
Softs:
telegram, photoshop, topaz clean, bitappwallet, binancechain, bravewallet, equalwallet, iwallet, mathwallet, niftywallet, have more...
Algorithms:
zip
Cyble
Infostealer Distributed Using Bundled Installer
Cyble Research and Intelligence Labs identifies a new Temp stealer and analyses how it spreads via free and cracked software.
#ParsedReport
20-10-2022
Qakbot. Qakbot malware being distributed in Korea
https://asec.ahnlab.com/ko/40364
Threats:
Qakbot
Bumblebee
Icedid
Malware/win.possible_smhpqakbottha.r525663
Industry:
Financial
IOCs:
File: 4
IP: 4
Hash: 3
ASEC BLOG
Qakbot malware being distributed in Korea - ASEC BLOG
The ASEC analysis team has confirmed that the Qakbot malware introduced last September is being distributed to Korean users. The overall operation process, including the use of ISO files, is similar to before, but a step to bypass behavior detection has been added. First, the email distributed to Korean users is shown below. The email takes the form of a reply to a hijacked legitimate email with a malicious file attached, which is identical to the distribution process of Bumblebee and IcedID introduced previously on the blog.…
#ParsedReport
20-10-2022
Phishing Campaign Targeting the Saudi Government Service Portal, Absher
https://cloudsek.com/threatintelligence/phishing-campaign-targeting-the-saudi-government-service-portal-absher/?utm_source=rss&utm_medium=rss&utm_campaign=phishing-campaign-targeting-the-saudi-government-service-portal-absher
Industry:
Government
Cloudsek
Phishing Campaign Targeting the Saudi Government Service Portal, Absher | Threat Intelligence | CloudSEK
Multiple phishing domains impersonating Absher, the Saudi government service portal. Domains provide fake services to the citizens and steal their credentials.
#ParsedReport
20-10-2022
An In-Depth Look at Russian Threat Actor, Killnet
https://www.avertium.com/resources/threat-reports/an-in-depth-look-at-russian-threat-actor-killnet
Actors/Campaigns:
Killnet (motivation: hacktivism, financially_motivated)
Nb65 (motivation: hacktivism)
Bluehornet (motivation: hacktivism)
Sandworm
Fancy_bear
Xaknet
Vice_society
Threats:
Hermeticwiper
Whispergate
Revil
Credential_harvesting_technique
Industry:
Energy, Aerospace, Financial, Government
Geo:
France, Russian, Latvia, German, Germany, Estonia, Russia, Lithuanias, Kaliningrad, Polish, Poland, Romania, Ukrainian, Ukraine, Lithuania
IOCs:
IP: 60
Softs:
telegram
Avertium
An In-Depth Look at Russian Threat Actor, Killnet
Russian hacktivists like Killnet are making threats against and attacking not only Ukraine, but the U.S. as well.
#ParsedReport
20-10-2022
New Prestige ransomware impacts organizations in Ukraine and Poland
https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland
Actors/Campaigns:
Dev-0960
Threats:
Prestige_ransomware
Minidump_tool
Hermeticwiper
Arguepatch_loader
Killdisk
Impacket_tool
Winpeas_tool
Cryptopp_tool
Industry:
Transport, Logistic
Geo:
Ukraine, Russian, Poland
IOCs:
File: 7
Path: 3
Hash: 3
Softs:
microsoft 365 defender, active directory, windows scheduled task, mssql windows service, psexec, microsoft defender, microsoft defender for endpoint
Win API:
Wow64DisableWow64FsRedirection, Wow64RevertWow64FsRedirection
Win Services:
MSSQLSERVER
Links:
https://github.com/Azure/Azure-Sentinel/tree/master/Detections/MultipleDataSources/PrestigeRansomwareIOCsOct22.yaml
Microsoft Security Blog
New “Prestige” ransomware impacts organizations in Ukraine and Poland | Microsoft Security Blog
The Microsoft Threat Intelligence Center (MSTIC) has identified evidence of a novel ransomware campaign attributed to IRIDIUM targeting organizations in the logistics and transportation industry in Ukraine and Poland utilizing a previously unidentified ransomware…
#ParsedReport
21-10-2022
Venus ransomware targets remote desktop services
https://www.malwarebytes.com/blog/news/2022/10/venus-ransomware-targets-remote-desktop-services
Threats:
Venus_locker
Chaos
Softs:
remote desktop services
Malwarebytes
Venus Ransomware targets remote desktop services
We take a look at reports of Venus ransomware targeting remote desktop services/RDP.
#ParsedReport
21-10-2022
Attackers Abusing Various Remote Control Tools
https://asec.ahnlab.com/en/40263
Actors/Campaigns:
Kimsuky
Darkside
Ta505
Threats:
Anydesk_tool
Remcos_rat
Teamviewer_tool
Metasploit_tool
Avemaria_rat
Sbit_rat
Redline_stealer
Nanocore_rat
Gh0st_rat
Asyncrat_rat
Quasar_rat
Nukesped_rat
Appleseed
Cobalt_strike
Meterpreter_tool
Conti
Todesk_tool
Rudesktop_tool
Smokeloader
Ammyyadmin_tool
Flawedammyy
Mimikatz_tool
Clop
Sweetpotato_tool
Tightvnc_tool
Tigervnc_tool
Tinynuke
Hvnc_tool
Hiddenvnc_tool
Tmate_tool
Xmrig_miner
Tsunami_botnet
Hildegard
Radmin_tool
Malware/mdp.download.m1197
Bazarbackdoor
Industry:
Financial
Geo:
Russian, Chinese
IOCs:
File: 3
Hash: 2
Url: 6
Softs:
ms-sql
Functions:
SetWindowsTextW
ASEC
Attackers Abusing Various Remote Control Tools - ASEC
#ParsedReport
21-10-2022
GuLoader Malware Disguised as a Word File Being Distributed in Korea
https://asec.ahnlab.com/en/40283
Threats:
Cloudeye
Formbook
Redline_stealer
Agent_tesla
Trojan/win.agent.c5275941
Geo:
Korea, Korean
IOCs:
Url: 1
File: 1
Path: 1
Hash: 2
Algorithms:
xor
Functions:
API
ASEC
GuLoader Malware Disguised as a Word File Being Distributed in Korea - ASEC
The ASEC analysis team has discovered that the GuLoader malware is being distributed to Korean corporate users. GuLoader is a downloader that has been steadily distributed for a long time, downloading various malware. The phishing mail being distributed is…
#ParsedReport
21-10-2022
Ursnif Malware Moving to Ransomware Operations from Bank Account Theft
https://socradar.io/ursnif-malware-moving-to-ransomware-operations-from-bank-account-theft
Threats:
Gozi
Industry:
Financial, Telco
IOCs:
File: 3
Hash: 28
Domain: 28
IP: 30
Softs:
windows registry
Platforms:
x64
SOCRadar® Cyber Intelligence Inc.
Ursnif Malware Moving to Ransomware Operations from Bank Account Theft - SOCRadar® Cyber Intelligence Inc.
Ursnif (a.k.a. Gozi), a former banking trojan, has been repurposed as a generic backdoor. Threat actors could use the new variant to distribute
#ParsedReport
21-10-2022
Trends in Web Threats: Old Web Skimmer Still Active Today
https://unit42.paloaltonetworks.com/web-threat-trends-web-skimmer
Industry:
Financial
Geo:
Japan, Emea, America, Africa, Russia, Germany, Australia, Apac
IOCs:
Domain: 3
File: 2
Url: 1
IP: 4
Hash: 2
Languages:
javascript
YARA: Found
Unit 42
Trends in Web Threats: Old Web Skimmer Still Active Today
We examine trends in web threats for the first quarter of 2022, including an old web skimmer that is still active five years later.