#ParsedReport
21-10-2022
Venus ransomware targets remote desktop services
https://www.malwarebytes.com/blog/news/2022/10/venus-ransomware-targets-remote-desktop-services
Threats:
Venus_locker
Chaos
Softs:
remote desktop services
21-10-2022
Venus ransomware targets remote desktop services
https://www.malwarebytes.com/blog/news/2022/10/venus-ransomware-targets-remote-desktop-services
Threats:
Venus_locker
Chaos
Softs:
remote desktop services
Malwarebytes
Venus Ransomware targets remote desktop services
We take a look at reports of Venus ransomware targeting remote desktop services/RDP.
#ParsedReport
21-10-2022
Attackers Abusing Various Remote Control Tools
https://asec.ahnlab.com/en/40263
Actors/Campaigns:
Kimsuky
Darkside
Ta505
Threats:
Anydesk_tool
Remcos_rat
Teamviewer_tool
Metasploit_tool
Avemaria_rat
Sbit_rat
Redline_stealer
Nanocore_rat
Gh0st_rat
Asyncrat_rat
Quasar_rat
Nukesped_rat
Appleseed
Cobalt_strike
Meterpreter_tool
Conti
Todesk_tool
Rudesktop_tool
Smokeloader
Ammyyadmin_tool
Flawedammyy
Mimikatz_tool
Clop
Sweetpotato_tool
Tightvnc_tool
Tigervnc_tool
Tinynuke
Hvnc_tool
Hiddenvnc_tool
Tmate_tool
Xmrig_miner
Tsunami_botnet
Hildegard
Radmin_tool
Malware/mdp.download.m1197
Bazarbackdoor
Industry:
Financial
Geo:
Russian, Chinese
IOCs:
File: 3
Hash: 2
Url: 6
Softs:
ms-sql
Functions:
SetWindowsTextW
21-10-2022
Attackers Abusing Various Remote Control Tools
https://asec.ahnlab.com/en/40263
Actors/Campaigns:
Kimsuky
Darkside
Ta505
Threats:
Anydesk_tool
Remcos_rat
Teamviewer_tool
Metasploit_tool
Avemaria_rat
Sbit_rat
Redline_stealer
Nanocore_rat
Gh0st_rat
Asyncrat_rat
Quasar_rat
Nukesped_rat
Appleseed
Cobalt_strike
Meterpreter_tool
Conti
Todesk_tool
Rudesktop_tool
Smokeloader
Ammyyadmin_tool
Flawedammyy
Mimikatz_tool
Clop
Sweetpotato_tool
Tightvnc_tool
Tigervnc_tool
Tinynuke
Hvnc_tool
Hiddenvnc_tool
Tmate_tool
Xmrig_miner
Tsunami_botnet
Hildegard
Radmin_tool
Malware/mdp.download.m1197
Bazarbackdoor
Industry:
Financial
Geo:
Russian, Chinese
IOCs:
File: 3
Hash: 2
Url: 6
Softs:
ms-sql
Functions:
SetWindowsTextW
ASEC
Attackers Abusing Various Remote Control Tools - ASEC
Attackers Abusing Various Remote Control Tools ASEC
#ParsedReport
21-10-2022
GuLoader Malware Disguised as a Word File Being Distributed in Korea
https://asec.ahnlab.com/en/40283
Threats:
Cloudeye
Formbook
Redline_stealer
Agent_tesla
Trojan/win.agent.c5275941
Geo:
Korea, Korean
IOCs:
Url: 1
File: 1
Path: 1
Hash: 2
Algorithms:
xor
Functions:
API
21-10-2022
GuLoader Malware Disguised as a Word File Being Distributed in Korea
https://asec.ahnlab.com/en/40283
Threats:
Cloudeye
Formbook
Redline_stealer
Agent_tesla
Trojan/win.agent.c5275941
Geo:
Korea, Korean
IOCs:
Url: 1
File: 1
Path: 1
Hash: 2
Algorithms:
xor
Functions:
API
ASEC
GuLoader Malware Disguised as a Word File Being Distributed in Korea - ASEC
The ASEC analysis team has discovered that the GuLoader malware is being distributed to Korean corporate users. GuLoader is a downloader that has been steadily distributed since the past, downloading various malware. The phishing mail being distributed is…
#ParsedReport
21-10-2022
Ursnif Malware Moving to Ransomware Operations from Bank Account Theft
https://socradar.io/ursnif-malware-moving-to-ransomware-operations-from-bank-account-theft
Threats:
Gozi
Industry:
Financial, Telco
IOCs:
File: 3
Hash: 28
Domain: 28
IP: 30
Softs:
windows registry
Platforms:
x64
21-10-2022
Ursnif Malware Moving to Ransomware Operations from Bank Account Theft
https://socradar.io/ursnif-malware-moving-to-ransomware-operations-from-bank-account-theft
Threats:
Gozi
Industry:
Financial, Telco
IOCs:
File: 3
Hash: 28
Domain: 28
IP: 30
Softs:
windows registry
Platforms:
x64
SOCRadar® Cyber Intelligence Inc.
Ursnif Malware Moving to Ransomware Operations from Bank Account Theft - SOCRadar® Cyber Intelligence Inc.
Ursnif (a.k.a. Gozi), a former banking trojan, has been repurposed as a generic backdoor. Threat actors could use the new variant to distribute
#ParsedReport
21-10-2022
Trends in Web Threats: Old Web Skimmer Still Active Today
https://unit42.paloaltonetworks.com/web-threat-trends-web-skimmer
Industry:
Financial
Geo:
Japan, Emea, America, Africa, Russia, Germany, Australia, Apac
IOCs:
Domain: 3
File: 2
Url: 1
IP: 4
Hash: 2
Languages:
javascript
YARA: Found
21-10-2022
Trends in Web Threats: Old Web Skimmer Still Active Today
https://unit42.paloaltonetworks.com/web-threat-trends-web-skimmer
Industry:
Financial
Geo:
Japan, Emea, America, Africa, Russia, Germany, Australia, Apac
IOCs:
Domain: 3
File: 2
Url: 1
IP: 4
Hash: 2
Languages:
javascript
YARA: Found
Unit 42
Trends in Web Threats: Old Web Skimmer Still Active Today
We examine trends in web threats for the first quarter of 2022, including an old web skimmer that is still active five years later.
#ParsedReport
21-10-2022
ASEC (20221010 \~ 20221016). ASEC Weekly Malware Statistics (20221010 \~ 20221016)
https://asec.ahnlab.com/ko/40440
Threats:
Smokeloader
Smokerloader
Agent_tesla
Azorult
Cloudeye
Postealer
Formbook
Remcos_rat
Nanocore_rat
Beamwinhttp_loader
Garbage_cleaner
Clipboard_grabbing_technique
Industry:
Transport
Geo:
Korea
IOCs:
File: 22
Domain: 10
IP: 3
Email: 5
Url: 20
Softs:
discord, nsis installer
Languages:
php, visual_basic
21-10-2022
ASEC (20221010 \~ 20221016). ASEC Weekly Malware Statistics (20221010 \~ 20221016)
https://asec.ahnlab.com/ko/40440
Threats:
Smokeloader
Smokerloader
Agent_tesla
Azorult
Cloudeye
Postealer
Formbook
Remcos_rat
Nanocore_rat
Beamwinhttp_loader
Garbage_cleaner
Clipboard_grabbing_technique
Industry:
Transport
Geo:
Korea
IOCs:
File: 22
Domain: 10
IP: 3
Email: 5
Url: 20
Softs:
discord, nsis installer
Languages:
php, visual_basic
ASEC BLOG
ASEC 주간 악성코드 통계 (20221010 ~ 20221016) - ASEC BLOG
ASEC 분석팀에서는 ASEC 자동 분석 시스템 RAPIT 을 활용하여 알려진 악성코드들에 대한 분류 및 대응을 진행하고 있다. 본 포스팅에서는 2022년 10월 10일 월요일부터 10월 16일 일요일까지 한 주간 수집된 악성코드의 통계를 정리한다. 대분류 상으로는 다운로더가 44.4%로 1위를 차지하였으며, 그 다음으로는 인포스틸러 악성코드가 41.7%, 백도어 12.5%, 랜섬웨어 0.9%, 코인마이너가 0.5%로 집계되었다. Top1. SmokeLoader…
#ParsedReport
21-10-2022
OnionPoison: YouTube Channels spreading malicious TOR browsers installers
https://www.secureblink.com/threat-research/onion-poison-you-tube-channels-spreading-malicious-tor-browsers-installers
Actors/Campaigns:
Onionpoison
Threats:
Onionduke
Geo:
China, Chinese
IOCs:
Hash: 9
File: 9
Registry: 1
Domain: 1
Softs:
visual studio, google chrome, wechat
Algorithms:
aes, xor, hmac-sha1, base64, aes-128, hmac
Win API:
RtlDecompressBuffer
21-10-2022
OnionPoison: YouTube Channels spreading malicious TOR browsers installers
https://www.secureblink.com/threat-research/onion-poison-you-tube-channels-spreading-malicious-tor-browsers-installers
Actors/Campaigns:
Onionpoison
Threats:
Onionduke
Geo:
China, Chinese
IOCs:
Hash: 9
File: 9
Registry: 1
Domain: 1
Softs:
visual studio, google chrome, wechat
Algorithms:
aes, xor, hmac-sha1, base64, aes-128, hmac
Win API:
RtlDecompressBuffer
Secureblink
OnionPoison: YouTube Channels spreading malicious TOR browsers installers | Secure Blink
OnionPoison involved in wild infection chain of TOR Browser installer spread via YouTube channels
#ParsedReport
21-10-2022
Exbyte: BlackByte Ransomware Attackers Deploy New Exfiltration Tool
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware
Actors/Campaigns:
Blackmatter
Blackcat
Threats:
Exbyte_stealer
Blackbyte
Megadumper_tool
Ollydbg_tool
Windbg_tool
Exmatter_tool
Lockbit
Ryuk
Stealbit
Proxyshell_vuln
Proxylogon_exploit
Adfind_tool
Anydesk_tool
Netscan_tool
Powerview
Edrsandblast_tool
Vssadmin_tool
Conti
Revil
CVEs:
CVE-2021-34523 [Vulners]
Vulners: Score: 7.5, CVSS: 3.4,
Vulners: Exploitation: True
X-Force: Risk: 9
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
CVE-2021-34473 [Vulners]
Vulners: Score: 10.0, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 9.1
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
CVE-2021-27065 [Vulners]
Vulners: Score: 6.8, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2016, 2016, 2016, 2013, 2016, 2019, 2013, 2016, 2016, 2016, 2016, 2016, 2016, 2016, 2019, 2019, 2019, 2019, 2019, 2019, 2019)
CVE-2021-26855 [Vulners]
Vulners: Score: 7.5, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 9.1
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2016, 2016, 2013, 2016, 2016, 2013, 2016, 2019, 2013, 2016, 2016, 2016, 2016, 2016, 2016, 2016, 2019, 2019, 2019, 2019, 2019, 2019, 2019, 2019)
CVE-2021-31207 [Vulners]
Vulners: Score: 6.5, CVSS: 1.7,
Vulners: Exploitation: True
X-Force: Risk: 6.6
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
IOCs:
File: 16
Command: 15
Path: 1
IP: 1
Hash: 15
Url: 7
Softs:
microsoft exchange
Win API:
IsDebuggerPresent, CheckRemoteDebuggerPresent
YARA: Found
Links:
21-10-2022
Exbyte: BlackByte Ransomware Attackers Deploy New Exfiltration Tool
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware
Actors/Campaigns:
Blackmatter
Blackcat
Threats:
Exbyte_stealer
Blackbyte
Megadumper_tool
Ollydbg_tool
Windbg_tool
Exmatter_tool
Lockbit
Ryuk
Stealbit
Proxyshell_vuln
Proxylogon_exploit
Adfind_tool
Anydesk_tool
Netscan_tool
Powerview
Edrsandblast_tool
Vssadmin_tool
Conti
Revil
CVEs:
CVE-2021-34523 [Vulners]
Vulners: Score: 7.5, CVSS: 3.4,
Vulners: Exploitation: True
X-Force: Risk: 9
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
CVE-2021-34473 [Vulners]
Vulners: Score: 10.0, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 9.1
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
CVE-2021-27065 [Vulners]
Vulners: Score: 6.8, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2016, 2016, 2016, 2013, 2016, 2019, 2013, 2016, 2016, 2016, 2016, 2016, 2016, 2016, 2019, 2019, 2019, 2019, 2019, 2019, 2019)
CVE-2021-26855 [Vulners]
Vulners: Score: 7.5, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 9.1
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2016, 2016, 2013, 2016, 2016, 2013, 2016, 2019, 2013, 2016, 2016, 2016, 2016, 2016, 2016, 2016, 2019, 2019, 2019, 2019, 2019, 2019, 2019, 2019)
CVE-2021-31207 [Vulners]
Vulners: Score: 6.5, CVSS: 1.7,
Vulners: Exploitation: True
X-Force: Risk: 6.6
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
IOCs:
File: 16
Command: 15
Path: 1
IP: 1
Hash: 15
Url: 7
Softs:
microsoft exchange
Win API:
IsDebuggerPresent, CheckRemoteDebuggerPresent
YARA: Found
Links:
https://github.com/wavestone-cdt/EDRSandblastSecurity
Exbyte: BlackByte Ransomware Attackers Deploy New Exfiltration Tool
Exbyte is the latest tool developed by ransomware attackers to expedite data theft from victims.
#ParsedReport
21-10-2022
WarHawk: the New Backdoor in the Arsenal of the SideWinder APTGroup. Key Features of this Attack
https://www.zscaler.com/blogs/security-research/warhawk-new-backdoor-arsenal-sidewinder-apt-group-0
Actors/Campaigns:
Sidewinder (motivation: cyber_espionage)
Lazarus
Threats:
Warhawk
Cobalt_strike
Process_injection_technique
Finfisher
Beacon
Industry:
Government, Energy
Geo:
Indian, Pakistan, Asia
TTPs:
Tactics: 5
Technics: 9
IOCs:
Domain: 9
File: 16
Url: 7
IP: 2
Hash: 7
Algorithms:
base64
Functions:
GetCurrentHWProfileA, HTTPSendRequestW, wsprintf, URLDownloadToFileA
Win API:
RtlAudioDriver, LoadLibraryA, GetUserNameA, GetProcAddress, GetCurrentHwProfileA, GetComputerNameA, InternetReadFile, RegQueryValueExA, ShellExecuteA, LoadLibrary, have more...
Languages:
php
21-10-2022
WarHawk: the New Backdoor in the Arsenal of the SideWinder APTGroup. Key Features of this Attack
https://www.zscaler.com/blogs/security-research/warhawk-new-backdoor-arsenal-sidewinder-apt-group-0
Actors/Campaigns:
Sidewinder (motivation: cyber_espionage)
Lazarus
Threats:
Warhawk
Cobalt_strike
Process_injection_technique
Finfisher
Beacon
Industry:
Government, Energy
Geo:
Indian, Pakistan, Asia
TTPs:
Tactics: 5
Technics: 9
IOCs:
Domain: 9
File: 16
Url: 7
IP: 2
Hash: 7
Algorithms:
base64
Functions:
GetCurrentHWProfileA, HTTPSendRequestW, wsprintf, URLDownloadToFileA
Win API:
RtlAudioDriver, LoadLibraryA, GetUserNameA, GetProcAddress, GetCurrentHwProfileA, GetComputerNameA, InternetReadFile, RegQueryValueExA, ShellExecuteA, LoadLibrary, have more...
Languages:
php
Zscaler
WarHawk: New APT backdoor from SideWinder | Zscaler
SideWinder APT, an Indian threat group, has been targeting Pakistan in threat campaigns using a new backdoor called "WarHawk." Read the ThreatLabz analysis.
#ParsedReport
21-10-2022
Mirai, RAR1Ransom, and GuardMiner Multiple Malware Campaigns Target VMware Vulnerability
https://www.fortinet.com/blog/threat-research/multiple-malware-campaigns-target-vmware-vulnerability
Threats:
Mirai
Rar1ransom
Guardminer
Xmrig_miner
CVEs:
CVE-2022-22947 [Vulners]
Vulners: Score: 6.8, CVSS: 7.4,
Vulners: Exploitation: True
X-Force: Risk: 10
X-Force: Patch: Official fix
Soft:
- vmware spring cloud gateway (3.1.0, <3.0.7)
- oracle commerce guided search (11.3.2)
- oracle communications cloud native core network slice selection function (1.8.0, 22.1.0)
- oracle communications cloud native core network repository function (1.15.0, 1.15.1, 22.2.0, 22.1.2)
- oracle communications cloud native core network function cloud native environment (1.10.0)
have more...
CVE-2022-26134 [Vulners]
Vulners: Score: 7.5, CVSS: 6.8,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- atlassian confluence data center (7.18.0, <7.17.4, <7.16.4, <7.15.2, <7.14.3, <7.13.7, <7.4.17)
- atlassian confluence server (7.18.0, <7.17.4, <7.16.4, <7.15.2, <7.14.3, <7.13.7, <7.4.17)
CVE-2022-22954 [Vulners]
Vulners: Score: 10.0, CVSS: 3.7,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- vmware identity manager (3.3.3, 3.3.4, 3.3.5, 3.3.6)
- vmware vrealize automation (7.6, le8.6)
- vmware workspace one access (20.10.0.1, 20.10.0.0, 21.08.0.1, 21.08.0.0)
- vmware vrealize suite lifecycle manager (le8.2)
- vmware cloud foundation (le4.3.1)
have more...
CVE-2018-7600 [Vulners]
Vulners: Score: 7.5, CVSS: 7.4,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- drupal (le7.57, <8.3.9, <8.4.6, <8.5.1)
- debian debian linux (9.0, 8.0, 7.0)
have more...
IOCs:
Url: 1
Domain: 3
IP: 1
File: 7
Hash: 10
Softs:
vmware workspace one, curl, process explorer
Algorithms:
xor
Links:
21-10-2022
Mirai, RAR1Ransom, and GuardMiner Multiple Malware Campaigns Target VMware Vulnerability
https://www.fortinet.com/blog/threat-research/multiple-malware-campaigns-target-vmware-vulnerability
Threats:
Mirai
Rar1ransom
Guardminer
Xmrig_miner
CVEs:
CVE-2022-22947 [Vulners]
Vulners: Score: 6.8, CVSS: 7.4,
Vulners: Exploitation: True
X-Force: Risk: 10
X-Force: Patch: Official fix
Soft:
- vmware spring cloud gateway (3.1.0, <3.0.7)
- oracle commerce guided search (11.3.2)
- oracle communications cloud native core network slice selection function (1.8.0, 22.1.0)
- oracle communications cloud native core network repository function (1.15.0, 1.15.1, 22.2.0, 22.1.2)
- oracle communications cloud native core network function cloud native environment (1.10.0)
have more...
CVE-2022-26134 [Vulners]
Vulners: Score: 7.5, CVSS: 6.8,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- atlassian confluence data center (7.18.0, <7.17.4, <7.16.4, <7.15.2, <7.14.3, <7.13.7, <7.4.17)
- atlassian confluence server (7.18.0, <7.17.4, <7.16.4, <7.15.2, <7.14.3, <7.13.7, <7.4.17)
CVE-2022-22954 [Vulners]
Vulners: Score: 10.0, CVSS: 3.7,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- vmware identity manager (3.3.3, 3.3.4, 3.3.5, 3.3.6)
- vmware vrealize automation (7.6, le8.6)
- vmware workspace one access (20.10.0.1, 20.10.0.0, 21.08.0.1, 21.08.0.0)
- vmware vrealize suite lifecycle manager (le8.2)
- vmware cloud foundation (le4.3.1)
have more...
CVE-2018-7600 [Vulners]
Vulners: Score: 7.5, CVSS: 7.4,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- drupal (le7.57, <8.3.9, <8.4.6, <8.5.1)
- debian debian linux (9.0, 8.0, 7.0)
have more...
IOCs:
Url: 1
Domain: 3
IP: 1
File: 7
Hash: 10
Softs:
vmware workspace one, curl, process explorer
Algorithms:
xor
Links:
https://github.com/chaitin/xray/releasesFortinet Blog
Mirai, RAR1Ransom, and GuardMiner – Multiple Malware Campaigns Target VMware Vulnerability
In April, VMware patched a vulnerability CVE-2022-22954, which causes server-side template injection. Read our blog to learn more about how malware is attempting to leverage the vulnerability and t…
#ParsedReport
23-10-2022
Alert (AA22-294A)
https://us-cert.cisa.gov/ncas/alerts/aa22-294a
Threats:
Daixin
Passthehash_technique
Babuk
Daxin
Industry:
Financial, Iot, Healthcare
Geo:
Canada, Australia
TTPs:
Tactics: 7
Technics: 10
IOCs:
Hash: 5
Softs:
esxi, rclonean
Links:
23-10-2022
Alert (AA22-294A)
https://us-cert.cisa.gov/ncas/alerts/aa22-294a
Threats:
Daixin
Passthehash_technique
Babuk
Daxin
Industry:
Financial, Iot, Healthcare
Geo:
Canada, Australia
TTPs:
Tactics: 7
Technics: 10
IOCs:
Hash: 5
Softs:
esxi, rclonean
Links:
https://github.com/cisagov/cset/releases/tag/v10.3.0.0www.cisa.gov
#StopRansomware: Daixin Team | CISA
Actions to take today to mitigate cyber threats from ransomware: • Install updates for operating systems, software, and firmware as soon as they are released. • Require phishing-resistant MFA for as many services as possible. • Train users to recognize and…
#ParsedReport
24-10-2022
Broken Dreams and Piggy Banks: Pig Butchering Crypto Fraud Growing Online
https://www.proofpoint.com/us/blog/threat-insight/broken-dreams-and-piggy-banks-pig-butchering-crypto-fraud-growing-online
Threats:
Pig_butchering
Industry:
Education, Petroleum, Financial
Geo:
Chinese, Cambodia, China, Asia
IOCs:
Domain: 46
Softs:
telegram, coinbase, discord
24-10-2022
Broken Dreams and Piggy Banks: Pig Butchering Crypto Fraud Growing Online
https://www.proofpoint.com/us/blog/threat-insight/broken-dreams-and-piggy-banks-pig-butchering-crypto-fraud-growing-online
Threats:
Pig_butchering
Industry:
Education, Petroleum, Financial
Geo:
Chinese, Cambodia, China, Asia
IOCs:
Domain: 46
Softs:
telegram, coinbase, discord
Proofpoint
Pig Butchering Crypto Scam (Sha Zhu Pan) on the Rise | Proofpoint US
Proofpoint is tracking threats known as Sha Zhu Pan, or "Pig Butchering" scam. Learn all about the pig butchering crypto scam growing online.
#ParsedReport
24-10-2022
Attacking Very Weak RC4-Like Ciphers the Hard Way. What?
https://research.checkpoint.com/2022/attacking-very-weak-rc4-like-ciphers-the-hard-way
Threats:
Knot
Algorithms:
rc4, xor
24-10-2022
Attacking Very Weak RC4-Like Ciphers the Hard Way. What?
https://research.checkpoint.com/2022/attacking-very-weak-rc4-like-ciphers-the-hard-way
Threats:
Knot
Algorithms:
rc4, xor
Check Point Research
Attacking Very Weak RC4-Like Ciphers the Hard Way - Check Point Research
What? RC4 is a popular encryption algorithm. The way it works is that a “Key Scheduling Algorithm” (KSA) takes your key and generates a 256-byte array, and then a “Pseudo-Random Generation Algorithm” (PRGA) uses that byte array to output an endless stream…
#ParsedReport
24-10-2022
How Kerberos Golden Ticket Attacks Are Signaling a Greater Need for Identity-Based Security
https://www.sentinelone.com/blog/how-kerberos-golden-ticket-attacks-are-signaling-a-greater-need-for-identity-based-security
Threats:
Golden_ticket_technique
Mimikatz_tool
Dcsync_technique
Lsadump_tool
Softs:
active directory, local security authority, azure ad
24-10-2022
How Kerberos Golden Ticket Attacks Are Signaling a Greater Need for Identity-Based Security
https://www.sentinelone.com/blog/how-kerberos-golden-ticket-attacks-are-signaling-a-greater-need-for-identity-based-security
Threats:
Golden_ticket_technique
Mimikatz_tool
Dcsync_technique
Lsadump_tool
Softs:
active directory, local security authority, azure ad
SentinelOne
How Kerberos Golden Ticket Attacks Are Signaling a Greater Need for Identity-Based Security
Explore the concept of Golden Ticket Attacks, how they are used by attackers, and strategies to detect and prevent them for enhanced cybersecurity.
#ParsedReport
24-10-2022
BYOVD. Rajarus attack group's malware infection case that disables vaccine programs with BYOVD techniques
https://asec.ahnlab.com/ko/40495
Actors/Campaigns:
Lazarus
Threats:
Byovd_technique
Watering_hole_technique
Lazardoor
Lazarshell
Lazarloader
Trojan/win.agent
Putty_tool
Plink
Industry:
Chemical
Geo:
Korea
CVEs:
CVE-2021-26606 [Vulners]
Vulners: Score: 10.0, CVSS: 3.0,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- dreamsecurity magicline4nx.exe (le1.0.0.17)
IOCs:
Hash: 16
IP: 13
Url: 1
File: 6
24-10-2022
BYOVD. Rajarus attack group's malware infection case that disables vaccine programs with BYOVD techniques
https://asec.ahnlab.com/ko/40495
Actors/Campaigns:
Lazarus
Threats:
Byovd_technique
Watering_hole_technique
Lazardoor
Lazarshell
Lazarloader
Trojan/win.agent
Putty_tool
Plink
Industry:
Chemical
Geo:
Korea
CVEs:
CVE-2021-26606 [Vulners]
Vulners: Score: 10.0, CVSS: 3.0,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- dreamsecurity magicline4nx.exe (le1.0.0.17)
IOCs:
Hash: 16
IP: 13
Url: 1
File: 6
ASEC BLOG
BYOVD 기법으로 백신 프로그램을 무력화하는 라자루스 공격 그룹의 악성코드 감염 사례 - ASEC BLOG
2022년 4월 안랩은 ASEC 블로그 (INITECH 프로세스를 악용하는 라자루스 공격 그룹의 신종 악성코드, https://asec.ahnlab.com/ko/33706)에서 라자루스 공격 그룹이 악성코드 감염을 위해 INITECH 프로세스를 악용한다는 내용을 소개했다. 본 글에서는 라자루스 공격 그룹이 워터링 홀 기법을 통해 시스템 해킹에 성공 후 내부 네트워크 내의 시스템들을 추가로 해킹하기 위해 드림시큐리티사의 MagicLine4NX 제품의 취약점을…
#ParsedReport
24-10-2022
Multiple RCE Vulnerabilities Affecting Veeam Backup & Replication
https://cloudsek.com/threatintelligence/multiple-rce-vulnerabilities-affecting-veeam-backup-replication/?utm_source=rss&utm_medium=rss&utm_campaign=multiple-rce-vulnerabilities-affecting-veeam-backup-replication
Threats:
Empire_loader
Monti
Yanluowang
CVEs:
CVE-2022-26501 [Vulners]
Vulners: Score: 10.0, CVSS: 2.0,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- veeam backup \& replication (<10.0.1.4854, 10.0.1.4854, 10.0.1.4854, 10.0.1.4854, 10.0.1.4854, <11.0.1.1261, 11.0.1.1261, 11.0.1.1261, 11.0.1.1261, 11.0.1.1261)
CVE-2022-26500 [Vulners]
Vulners: Score: 6.5, CVSS: 7.4,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- veeam backup \& replication (9.5.0.1536, 9.5.4.2615, <10.0.1.4854, 10.0.1.4854, 10.0.1.4854, 10.0.1.4854, 10.0.1.4854, <11.0.1.1261, 11.0.1.1261, 11.0.1.1261, 11.0.1.1261, 11.0.1.1261)
CVE-2022-26504 [Vulners]
Vulners: Score: 9.0, CVSS: 7.4,
Vulners: Exploitation: Unknown
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- veeam backup \& replication (9.5.0.1536, 9.5.4.2615, <10.0.1.4854, 10.0.1.4854, 10.0.1.4854, 10.0.1.4854, 10.0.1.4854, <11.0.1.1261, 11.0.1.1261, 11.0.1.1261, 11.0.1.1261, 11.0.1.1261)
TTPs:
Tactics: 3
Technics: 0
IOCs:
File: 3
Hash: 3
IP: 1
Softs:
hyper-v
Languages:
python
Links:
24-10-2022
Multiple RCE Vulnerabilities Affecting Veeam Backup & Replication
https://cloudsek.com/threatintelligence/multiple-rce-vulnerabilities-affecting-veeam-backup-replication/?utm_source=rss&utm_medium=rss&utm_campaign=multiple-rce-vulnerabilities-affecting-veeam-backup-replication
Threats:
Empire_loader
Monti
Yanluowang
CVEs:
CVE-2022-26501 [Vulners]
Vulners: Score: 10.0, CVSS: 2.0,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- veeam backup \& replication (<10.0.1.4854, 10.0.1.4854, 10.0.1.4854, 10.0.1.4854, 10.0.1.4854, <11.0.1.1261, 11.0.1.1261, 11.0.1.1261, 11.0.1.1261, 11.0.1.1261)
CVE-2022-26500 [Vulners]
Vulners: Score: 6.5, CVSS: 7.4,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- veeam backup \& replication (9.5.0.1536, 9.5.4.2615, <10.0.1.4854, 10.0.1.4854, 10.0.1.4854, 10.0.1.4854, 10.0.1.4854, <11.0.1.1261, 11.0.1.1261, 11.0.1.1261, 11.0.1.1261, 11.0.1.1261)
CVE-2022-26504 [Vulners]
Vulners: Score: 9.0, CVSS: 7.4,
Vulners: Exploitation: Unknown
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- veeam backup \& replication (9.5.0.1536, 9.5.4.2615, <10.0.1.4854, 10.0.1.4854, 10.0.1.4854, 10.0.1.4854, 10.0.1.4854, <11.0.1.1261, 11.0.1.1261, 11.0.1.1261, 11.0.1.1261, 11.0.1.1261)
TTPs:
Tactics: 3
Technics: 0
IOCs:
File: 3
Hash: 3
IP: 1
Softs:
hyper-v
Languages:
python
Links:
https://github.com/sadshade/veeam-credsCloudsek
Multiple RCE Vulnerabilities Affecting Veeam Backup & Replication | Threat Intelligence | CloudSEK
Several critical and high-severity vulnerabilities affecting Veeam Backup & Replication exploited by advertising fully weaponized tools for remote code execution.
#ParsedReport
25-10-2022
Rapidly Evolving Magniber Ransomware
https://asec.ahnlab.com/en/40422
Threats:
Magniber
Typosquatting_technique
IOCs:
File: 5
Registry: 2
Hash: 6
Softs:
chrome
25-10-2022
Rapidly Evolving Magniber Ransomware
https://asec.ahnlab.com/en/40422
Threats:
Magniber
Typosquatting_technique
IOCs:
File: 5
Registry: 2
Hash: 6
Softs:
chrome
ASEC
Rapidly Evolving Magniber Ransomware - ASEC
The Magniber ransomware has recently been evolving rapidly. From changing its file extension, injection and to UAC bypassing techniques, the Magniber ransomware has been rapidly changing to bypass the detection of anti-malware software. This article summarizes…
#ParsedReport
25-10-2022
Analysis on Attack Techniques and Cases Using RDP
https://asec.ahnlab.com/en/40394
Actors/Campaigns:
Darkside
Kimsuky
Threats:
Lokilocker
Lockbit
Plink
Conti
Appleseed
Reverserdp_technique
Avemaria_rat
Htran
Mimikatz_tool
Passthehash_technique
Trojan/win.agent.c5245646
Trojan/bat.agent.sc183591
Malware/win.generic.c4933135
Bazarbackdoor
Geo:
Korean
TTPs:
Tactics: 1
Technics: 0
IOCs:
Registry: 4
File: 6
IP: 1
Hash: 3
Url: 1
Softs:
remote desktop services, psexec, ms-sql
Functions:
CreateHiddenAccount
Languages:
golang
Platforms:
x64
Links:
25-10-2022
Analysis on Attack Techniques and Cases Using RDP
https://asec.ahnlab.com/en/40394
Actors/Campaigns:
Darkside
Kimsuky
Threats:
Lokilocker
Lockbit
Plink
Conti
Appleseed
Reverserdp_technique
Avemaria_rat
Htran
Mimikatz_tool
Passthehash_technique
Trojan/win.agent.c5245646
Trojan/bat.agent.sc183591
Malware/win.generic.c4933135
Bazarbackdoor
Geo:
Korean
TTPs:
Tactics: 1
Technics: 0
IOCs:
Registry: 4
File: 6
IP: 1
Hash: 3
Url: 1
Softs:
remote desktop services, psexec, ms-sql
Functions:
CreateHiddenAccount
Languages:
golang
Platforms:
x64
Links:
https://github.com/wgpsec/CreateHiddenAccountASEC
Analysis on Attack Techniques and Cases Using RDP - ASEC
Overview One of the previous ASEC blog posts discussed cases where attackers abused various remote control tools that are originally used for system management purposes to gain control over infected systems.[1] This post will cover cases where RDP (Remote…
#ParsedReport
25-10-2022
ASEC Weekly Malware Statistics (October 10th, 2022 October 16th, 2022)
https://asec.ahnlab.com/en/40526
Threats:
Smokeloader
Agent_tesla
Cloudeye
Formbook
Remcos_rat
Nanocore_rat
Beamwinhttp_loader
Garbage_cleaner
Clipboard_grabbing_technique
Industry:
Transport
Geo:
Korea
IOCs:
File: 15
Domain: 10
IP: 3
Email: 5
Url: 20
Softs:
discord, nsis installer
Languages:
visual_basic, php
25-10-2022
ASEC Weekly Malware Statistics (October 10th, 2022 October 16th, 2022)
https://asec.ahnlab.com/en/40526
Threats:
Smokeloader
Agent_tesla
Cloudeye
Formbook
Remcos_rat
Nanocore_rat
Beamwinhttp_loader
Garbage_cleaner
Clipboard_grabbing_technique
Industry:
Transport
Geo:
Korea
IOCs:
File: 15
Domain: 10
IP: 3
Email: 5
Url: 20
Softs:
discord, nsis installer
Languages:
visual_basic, php
ASEC BLOG
ASEC Weekly Malware Statistics (October 10th, 2022 – October 16th, 2022) - ASEC BLOG
The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from October 10th, 2022 (Monday) to October 16th, 2022 (Sunday). For the main category, downloader…
#ParsedReport
25-10-2022
Amadey Bot Disguised as a Famous Korean Messenger Program Being Distributed
https://asec.ahnlab.com/en/40483
Threats:
Amadey
Kisa
Smokeloader
Geo:
Korean
IOCs:
File: 5
Command: 2
Path: 3
Hash: 3
Url: 2
Algorithms:
zip
25-10-2022
Amadey Bot Disguised as a Famous Korean Messenger Program Being Distributed
https://asec.ahnlab.com/en/40483
Threats:
Amadey
Kisa
Smokeloader
Geo:
Korean
IOCs:
File: 5
Command: 2
Path: 3
Hash: 3
Url: 2
Algorithms:
zip
ASEC BLOG
Amadey Bot Disguised as a Famous Korean Messenger Program Being Distributed - ASEC BLOG
On October 17th, 2022, the Korean Internet & Security Agency (KISA) published a security notice titled “Advising Caution on Cyber Attacks Exploiting the Kakao Service Malfunction Issue’, and according to the notice, malware disguised as a KakaoTalk installation…
#ParsedReport
25-10-2022
. Analysis of the attack activity of the remote control Trojan by forging the Chinese version of the Telegram website
https://www.antiy.cn/research/notice&report/research_report/20221024.html
Threats:
Gh0st_rat
Process_injection_technique
Geo:
Chinese
TTPs:
Tactics: 4
Technics: 0
IOCs:
File: 16
Domain: 14
Hash: 6
Softs:
telegram, windows defender, windows installer
Win API:
MessageBox
Platforms:
x86, intel
25-10-2022
. Analysis of the attack activity of the remote control Trojan by forging the Chinese version of the Telegram website
https://www.antiy.cn/research/notice&report/research_report/20221024.html
Threats:
Gh0st_rat
Process_injection_technique
Geo:
Chinese
TTPs:
Tactics: 4
Technics: 0
IOCs:
File: 16
Domain: 14
Hash: 6
Softs:
telegram, windows defender, windows installer
Win API:
MessageBox
Platforms:
x86, intel
www.antiy.cn
通过伪造中文版Telegram网站投放远控木马的攻击活动分析
近日,安天CERT监测到一起通过伪造中文版Telegram网站投放远控木马的攻击活动,本次攻击主要针对使用Windows系统的用户。经验证,安天智甲终端防御系统(简称IEP)可实现对该远控木马的有效查杀。