#ParsedReport
21-10-2022
WarHawk: the New Backdoor in the Arsenal of the SideWinder APT Group. Key Features of this Attack
https://www.zscaler.com/blogs/security-research/warhawk-new-backdoor-arsenal-sidewinder-apt-group-0
Actors/Campaigns:
Sidewinder (motivation: cyber_espionage)
Lazarus
Threats:
Warhawk
Cobalt_strike
Process_injection_technique
Finfisher
Beacon
Industry:
Government, Energy
Geo:
Indian, Pakistan, Asia
TTPs:
Tactics: 5
Technics: 9
IOCs:
Domain: 9
File: 16
Url: 7
IP: 2
Hash: 7
Algorithms:
base64
Functions:
GetCurrentHWProfileA, HTTPSendRequestW, wsprintf, URLDownloadToFileA
Win API:
RtlAudioDriver, LoadLibraryA, GetUserNameA, GetProcAddress, GetCurrentHwProfileA, GetComputerNameA, InternetReadFile, RegQueryValueExA, ShellExecuteA, LoadLibrary, have more...
Languages:
php
Zscaler
WarHawk: New APT backdoor from SideWinder | Zscaler
SideWinder APT, an Indian threat group, has been targeting Pakistan in threat campaigns using a new backdoor called "WarHawk." Read the ThreatLabz analysis.
#ParsedReport
21-10-2022
Mirai, RAR1Ransom, and GuardMiner Multiple Malware Campaigns Target VMware Vulnerability
https://www.fortinet.com/blog/threat-research/multiple-malware-campaigns-target-vmware-vulnerability
Threats:
Mirai
Rar1ransom
Guardminer
Xmrig_miner
CVEs:
CVE-2022-22947 [Vulners]
Vulners: Score: 6.8, CVSS: 7.4,
Vulners: Exploitation: True
X-Force: Risk: 10
X-Force: Patch: Official fix
Soft:
- vmware spring cloud gateway (3.1.0, <3.0.7)
- oracle commerce guided search (11.3.2)
- oracle communications cloud native core network slice selection function (1.8.0, 22.1.0)
- oracle communications cloud native core network repository function (1.15.0, 1.15.1, 22.2.0, 22.1.2)
- oracle communications cloud native core network function cloud native environment (1.10.0)
have more...
CVE-2022-26134 [Vulners]
Vulners: Score: 7.5, CVSS: 6.8,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- atlassian confluence data center (7.18.0, <7.17.4, <7.16.4, <7.15.2, <7.14.3, <7.13.7, <7.4.17)
- atlassian confluence server (7.18.0, <7.17.4, <7.16.4, <7.15.2, <7.14.3, <7.13.7, <7.4.17)
CVE-2022-22954 [Vulners]
Vulners: Score: 10.0, CVSS: 3.7,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- vmware identity manager (3.3.3, 3.3.4, 3.3.5, 3.3.6)
- vmware vrealize automation (7.6, le8.6)
- vmware workspace one access (20.10.0.1, 20.10.0.0, 21.08.0.1, 21.08.0.0)
- vmware vrealize suite lifecycle manager (le8.2)
- vmware cloud foundation (le4.3.1)
have more...
CVE-2018-7600 [Vulners]
Vulners: Score: 7.5, CVSS: 7.4,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- drupal (le7.57, <8.3.9, <8.4.6, <8.5.1)
- debian debian linux (9.0, 8.0, 7.0)
have more...
IOCs:
Url: 1
Domain: 3
IP: 1
File: 7
Hash: 10
Softs:
vmware workspace one, curl, process explorer
Algorithms:
xor
Links:
https://github.com/chaitin/xray/releases
Fortinet Blog
Mirai, RAR1Ransom, and GuardMiner – Multiple Malware Campaigns Target VMware Vulnerability
In April, VMware patched a vulnerability CVE-2022-22954, which causes server-side template injection. Read our blog to learn more about how malware is attempting to leverage the vulnerability and t…
#ParsedReport
23-10-2022
Alert (AA22-294A)
https://us-cert.cisa.gov/ncas/alerts/aa22-294a
Threats:
Daixin
Passthehash_technique
Babuk
Daxin
Industry:
Financial, Iot, Healthcare
Geo:
Canada, Australia
TTPs:
Tactics: 7
Technics: 10
IOCs:
Hash: 5
Softs:
esxi, rclonean
Links:
https://github.com/cisagov/cset/releases/tag/v10.3.0.0
www.cisa.gov
#StopRansomware: Daixin Team | CISA
Actions to take today to mitigate cyber threats from ransomware: • Install updates for operating systems, software, and firmware as soon as they are released. • Require phishing-resistant MFA for as many services as possible. • Train users to recognize and…
#ParsedReport
24-10-2022
Broken Dreams and Piggy Banks: Pig Butchering Crypto Fraud Growing Online
https://www.proofpoint.com/us/blog/threat-insight/broken-dreams-and-piggy-banks-pig-butchering-crypto-fraud-growing-online
Threats:
Pig_butchering
Industry:
Education, Petroleum, Financial
Geo:
Chinese, Cambodia, China, Asia
IOCs:
Domain: 46
Softs:
telegram, coinbase, discord
Proofpoint
Pig Butchering Crypto Scam (Sha Zhu Pan) on the Rise | Proofpoint US
Proofpoint is tracking threats known as Sha Zhu Pan, or "Pig Butchering" scam. Learn all about the pig butchering crypto scam growing online.
#ParsedReport
24-10-2022
Attacking Very Weak RC4-Like Ciphers the Hard Way. What?
https://research.checkpoint.com/2022/attacking-very-weak-rc4-like-ciphers-the-hard-way
Threats:
Knot
Algorithms:
rc4, xor
Check Point Research
Attacking Very Weak RC4-Like Ciphers the Hard Way - Check Point Research
What? RC4 is a popular encryption algorithm. The way it works is that a “Key Scheduling Algorithm” (KSA) takes your key and generates a 256-byte array, and then a “Pseudo-Random Generation Algorithm” (PRGA) uses that byte array to output an endless stream…
#ParsedReport
24-10-2022
How Kerberos Golden Ticket Attacks Are Signaling a Greater Need for Identity-Based Security
https://www.sentinelone.com/blog/how-kerberos-golden-ticket-attacks-are-signaling-a-greater-need-for-identity-based-security
Threats:
Golden_ticket_technique
Mimikatz_tool
Dcsync_technique
Lsadump_tool
Softs:
active directory, local security authority, azure ad
SentinelOne
How Kerberos Golden Ticket Attacks Are Signaling a Greater Need for Identity-Based Security
Explore the concept of Golden Ticket Attacks, how they are used by attackers, and strategies to detect and prevent them for enhanced cybersecurity.
#ParsedReport
24-10-2022
BYOVD. Lazarus attack group's malware infection case that disables anti-virus programs with BYOVD techniques
https://asec.ahnlab.com/ko/40495
Actors/Campaigns:
Lazarus
Threats:
Byovd_technique
Watering_hole_technique
Lazardoor
Lazarshell
Lazarloader
Trojan/win.agent
Putty_tool
Plink
Industry:
Chemical
Geo:
Korea
CVEs:
CVE-2021-26606 [Vulners]
Vulners: Score: 10.0, CVSS: 3.0,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- dreamsecurity magicline4nx.exe (le1.0.0.17)
IOCs:
Hash: 16
IP: 13
Url: 1
File: 6
ASEC BLOG
Malware infection case of the Lazarus attack group that neutralizes anti-virus programs with the BYOVD technique - ASEC BLOG
In April 2022, AhnLab reported on the ASEC blog (New malware of the Lazarus attack group abusing the INITECH process, https://asec.ahnlab.com/ko/33706) that the Lazarus attack group abuses the INITECH process for malware infection. This post covers how the Lazarus attack group, after successfully compromising a system through a watering-hole technique, exploited a vulnerability in DreamSecurity's MagicLine4NX product to further compromise systems inside the internal network…
#ParsedReport
24-10-2022
Multiple RCE Vulnerabilities Affecting Veeam Backup & Replication
https://cloudsek.com/threatintelligence/multiple-rce-vulnerabilities-affecting-veeam-backup-replication/?utm_source=rss&utm_medium=rss&utm_campaign=multiple-rce-vulnerabilities-affecting-veeam-backup-replication
Threats:
Empire_loader
Monti
Yanluowang
CVEs:
CVE-2022-26501 [Vulners]
Vulners: Score: 10.0, CVSS: 2.0,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- veeam backup & replication (<10.0.1.4854, 10.0.1.4854, 10.0.1.4854, 10.0.1.4854, 10.0.1.4854, <11.0.1.1261, 11.0.1.1261, 11.0.1.1261, 11.0.1.1261, 11.0.1.1261)
CVE-2022-26500 [Vulners]
Vulners: Score: 6.5, CVSS: 7.4,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- veeam backup & replication (9.5.0.1536, 9.5.4.2615, <10.0.1.4854, 10.0.1.4854, 10.0.1.4854, 10.0.1.4854, 10.0.1.4854, <11.0.1.1261, 11.0.1.1261, 11.0.1.1261, 11.0.1.1261, 11.0.1.1261)
CVE-2022-26504 [Vulners]
Vulners: Score: 9.0, CVSS: 7.4,
Vulners: Exploitation: Unknown
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- veeam backup & replication (9.5.0.1536, 9.5.4.2615, <10.0.1.4854, 10.0.1.4854, 10.0.1.4854, 10.0.1.4854, 10.0.1.4854, <11.0.1.1261, 11.0.1.1261, 11.0.1.1261, 11.0.1.1261, 11.0.1.1261)
TTPs:
Tactics: 3
Technics: 0
IOCs:
File: 3
Hash: 3
IP: 1
Softs:
hyper-v
Languages:
python
Links:
https://github.com/sadshade/veeam-creds
Cloudsek
Multiple RCE Vulnerabilities Affecting Veeam Backup & Replication | Threat Intelligence | CloudSEK
Several critical and high-severity vulnerabilities affecting Veeam Backup & Replication exploited by advertising fully weaponized tools for remote code execution.
#ParsedReport
25-10-2022
Rapidly Evolving Magniber Ransomware
https://asec.ahnlab.com/en/40422
Threats:
Magniber
Typosquatting_technique
IOCs:
File: 5
Registry: 2
Hash: 6
Softs:
chrome
ASEC
Rapidly Evolving Magniber Ransomware - ASEC
The Magniber ransomware has recently been evolving rapidly. From changing its file extension, injection and to UAC bypassing techniques, the Magniber ransomware has been rapidly changing to bypass the detection of anti-malware software. This article summarizes…
#ParsedReport
25-10-2022
Analysis on Attack Techniques and Cases Using RDP
https://asec.ahnlab.com/en/40394
Actors/Campaigns:
Darkside
Kimsuky
Threats:
Lokilocker
Lockbit
Plink
Conti
Appleseed
Reverserdp_technique
Avemaria_rat
Htran
Mimikatz_tool
Passthehash_technique
Trojan/win.agent.c5245646
Trojan/bat.agent.sc183591
Malware/win.generic.c4933135
Bazarbackdoor
Geo:
Korean
TTPs:
Tactics: 1
Technics: 0
IOCs:
Registry: 4
File: 6
IP: 1
Hash: 3
Url: 1
Softs:
remote desktop services, psexec, ms-sql
Functions:
CreateHiddenAccount
Languages:
golang
Platforms:
x64
Links:
https://github.com/wgpsec/CreateHiddenAccount
ASEC
Analysis on Attack Techniques and Cases Using RDP - ASEC
Overview One of the previous ASEC blog posts discussed cases where attackers abused various remote control tools that are originally used for system management purposes to gain control over infected systems.[1] This post will cover cases where RDP (Remote…
#ParsedReport
25-10-2022
ASEC Weekly Malware Statistics (October 10th, 2022 – October 16th, 2022)
https://asec.ahnlab.com/en/40526
Threats:
Smokeloader
Agent_tesla
Cloudeye
Formbook
Remcos_rat
Nanocore_rat
Beamwinhttp_loader
Garbage_cleaner
Clipboard_grabbing_technique
Industry:
Transport
Geo:
Korea
IOCs:
File: 15
Domain: 10
IP: 3
Email: 5
Url: 20
Softs:
discord, nsis installer
Languages:
visual_basic, php
ASEC BLOG
ASEC Weekly Malware Statistics (October 10th, 2022 – October 16th, 2022) - ASEC BLOG
The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from October 10th, 2022 (Monday) to October 16th, 2022 (Sunday). For the main category, downloader…
#ParsedReport
25-10-2022
Amadey Bot Disguised as a Famous Korean Messenger Program Being Distributed
https://asec.ahnlab.com/en/40483
Threats:
Amadey
Kisa
Smokeloader
Geo:
Korean
IOCs:
File: 5
Command: 2
Path: 3
Hash: 3
Url: 2
Algorithms:
zip
ASEC BLOG
Amadey Bot Disguised as a Famous Korean Messenger Program Being Distributed - ASEC BLOG
On October 17th, 2022, the Korean Internet & Security Agency (KISA) published a security notice titled “Advising Caution on Cyber Attacks Exploiting the Kakao Service Malfunction Issue’, and according to the notice, malware disguised as a KakaoTalk installation…
#ParsedReport
25-10-2022
Analysis of the attack activity of the remote control Trojan delivered by forging the Chinese version of the Telegram website
https://www.antiy.cn/research/notice&report/research_report/20221024.html
Threats:
Gh0st_rat
Process_injection_technique
Geo:
Chinese
TTPs:
Tactics: 4
Technics: 0
IOCs:
File: 16
Domain: 14
Hash: 6
Softs:
telegram, windows defender, windows installer
Win API:
MessageBox
Platforms:
x86, intel
www.antiy.cn
Analysis of an attack campaign delivering a remote-control Trojan through a forged Chinese-language Telegram website
Recently, Antiy CERT detected an attack campaign that delivers a remote-control Trojan through a forged Chinese-language Telegram website; the attack mainly targets users of Windows systems. It has been verified that the Antiy Intelligent Endpoint Protection system (IEP) can effectively detect and remove this remote-control Trojan.
#ParsedReport
25-10-2022
LV Ransomware Exploits ProxyShell in Attack on a Jordan-based Company. Overview
https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html
Threats:
Lv_ransomware
Proxyshell_vuln
Revil
Proxylogon_exploit
Mimikatz_tool
Netscan_tool
Systembc
Ransom.win32.lvran.ymcikt
Trojan.bat.lvran.ymcil
Ransom.win32.lvran.ymcik
Trojan.win32.lvran.ymcil
Trojan.win32.frs.vsnw0ci22
Trojan.win32.frs.vsnw04j22
Industry:
Government
Geo:
German, Jordan
CVEs:
CVE-2021-34473 [Vulners]
Vulners: Score: 10.0, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 9.1
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
CVE-2021-27065 [Vulners]
Vulners: Score: 6.8, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2016, 2016, 2016, 2013, 2016, 2019, 2013, 2016, 2016, 2016, 2016, 2016, 2016, 2016, 2019, 2019, 2019, 2019, 2019, 2019, 2019)
CVE-2021-31207 [Vulners]
Vulners: Score: 6.5, CVSS: 1.7,
Vulners: Exploitation: True
X-Force: Risk: 6.6
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
CVE-2021-26855 [Vulners]
Vulners: Score: 7.5, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 9.1
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2016, 2016, 2013, 2016, 2016, 2013, 2016, 2019, 2013, 2016, 2016, 2016, 2016, 2016, 2016, 2016, 2019, 2019, 2019, 2019, 2019, 2019, 2019, 2019)
CVE-2021-34523 [Vulners]
Vulners: Score: 7.5, CVSS: 3.4,
Vulners: Exploitation: True
X-Force: Risk: 9
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
IOCs:
IP: 8
File: 3
Hash: 13
Softs:
microsoft exchange
Algorithms:
rc4
Trend Micro
LV Ransomware Exploits ProxyShell in Attack on a Jordan-based Company
Our blog entry provides a look at an attack involving the LV ransomware on a Jordan-based company from an intrusion analysis standpoint
#ParsedReport
25-10-2022
The Anatomy of Wiper Malware, Part 4: Less Common Helper Techniques
https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-4
Actors/Campaigns:
Agrius
Threats:
Meteor_wiper
Hermeticwiper
Isaacwiper
Killdisk
Doublezero
Apostle
Sierras
Stonedrill_wiper
Petya
Ordinypt
Disttrack
Whispergate
Israbye
Zerocleare_wiper
Dustman_wiper
Geo:
Tokyo, Ukraine
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 4
Path: 5
Command: 22
Registry: 1
Hash: 39
Softs:
bcdedit, active directory
Functions:
OpenSCManager, OpenService, InitiateSystemShutdownEx
Win API:
ControlService, GetDiskFreeSpaceExW, DsRoleGetPrimaryDomainInformation, NetUnjoinDomain, ExitWindowsEx, NtRaiseHardError, Sleep
crowdstrike.com
The Anatomy of Wiper Malware, Part 4: Helper Techniques
This blog covers some of the rarely used “helper” techniques implemented by wipers, which achieve secondary goals or facilitate a smaller portion of the wiping process.
#ParsedReport
25-10-2022
AgentTesla Being Distributed Through VBS
https://asec.ahnlab.com/ko/40571
Threats:
Agent_tesla
Dropper/vbs.generic
Trojan/vbs.agent
Trojan/vbs.obfuscated
Industry:
Transport
IOCs:
File: 18
Email: 2
Hash: 4
ASEC BLOG
AgentTesla Being Distributed via VBS - ASEC BLOG
The ASEC analysis team recently confirmed that AgentTesla is being distributed through malicious VBS. The script file is characterized by a large amount of code that has been obfuscated multiple times. AgentTesla was previously confirmed to have been distributed through Windows Help files (*.chm) last May, and it appears to be continually changing its distribution method. The VBS script is distributed as a compressed file attached to emails. Recently, distribution emails impersonating domestic (Korean) companies have also been identified. Inside the compressed file, the VBS…
#ParsedReport
25-10-2022
From RM3 to LDR4: URSNIF Leaves Banking Fraud Behind
https://www.mandiant.com/resources/blog/rm3-ldr4-ursnif-banking-fraud
Actors/Campaigns:
Shathak
Threats:
Gozi
Cutwail
Hancitor
Serpent
Beacon
Trickbot
Emotet
Icedid
Carberp
Industry:
Financial, Telco
Geo:
Russia, Italy, Oceania
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 11
Path: 1
Registry: 1
Domain: 28
Hash: 28
IP: 31
Softs:
internet explorer, microsoft word, chrome
Algorithms:
aes-256, cbc, aes, crc-32, xor, prng, base64
Win API:
DllRegisterServer, QueueUserAPC
Platforms:
x86, x64
YARA: Found
Google Cloud Blog
From RM3 to LDR4: URSNIF Leaves Banking Fraud Behind | Mandiant | Google Cloud Blog
#ParsedReport
25-10-2022
Dual Malware Infection Targets Cryptocurrency Users
https://blog.cyble.com/2022/10/25/dual-malware-infection-targets-cryptocurrency-users
Threats:
Tron
Process_injection_technique
Industry:
Energy, Financial
Geo:
Singapore, Dubai, Australia, America, India, Georgia
TTPs:
Tactics: 6
Technics: 15
IOCs:
File: 6
Path: 3
Command: 4
Url: 2
Domain: 1
Coin: 7
Hash: 3
Softs:
windows defender, task scheduler, zcash
Algorithms:
base64
Functions:
GetClipBoardData, OpenClipBoard, EmptyClipBoard, SetClipBoard
Win API:
BitBlt, CopyFileA
Languages:
visual_basic
Cyble
Dual Malware Infection Targets Cryptocurrency Users
Cyble Research & Intelligence Labs analyses how Threat Actors utilize a Coin Miner and Clipper for rapid monetary gain.
Looking across all sources since the start of 2022, the unique counts are:
ip: 1.3M
domain: 943K
url: 828K
hash: 1.2K
This is after cleaning, score calculation, and dropping the entries with score = 0.
#ParsedReport
27-10-2022
FormBook Malware Being Distributed as .NET
https://asec.ahnlab.com/en/40663
Threats:
Formbook
Malware/mdp.injection.m3509
IOCs:
File: 3
Hash: 1
Url: 2
ASEC BLOG
FormBook Malware Being Distributed as .NET - ASEC BLOG
The FormBook malware that was recently detected by a V3 software had been downloaded to the system and executed while the user was using a web browser. FormBook is an info-stealer that aims to steal the user’s web browser login information, keyboard input…