#ParsedReport
25-10-2022
Analysis of an Attack Campaign Delivering a Remote-Control Trojan via a Forged Chinese-Language Telegram Website
https://www.antiy.cn/research/notice&report/research_report/20221024.html
Threats:
Gh0st_rat
Process_injection_technique
Geo:
Chinese
TTPs:
Tactics: 4
Technics: 0
IOCs:
File: 16
Domain: 14
Hash: 6
Softs:
telegram, windows defender, windows installer
Win API:
MessageBox
Platforms:
x86, intel
www.antiy.cn
Analysis of an Attack Campaign Delivering a Remote-Control Trojan via a Forged Chinese-Language Telegram Website
Antiy CERT recently detected an attack campaign that delivers a remote-control Trojan through a forged Chinese-language Telegram website; the attack mainly targets users of Windows systems. Verification confirmed that Antiy's Intelligent Endpoint Protection system (IEP) can effectively detect and remove this remote-control Trojan.
#ParsedReport
25-10-2022
LV Ransomware Exploits ProxyShell in Attack on a Jordan-based Company. Overview
https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html
Threats:
Lv_ransomware
Proxyshell_vuln
Revil
Proxylogon_exploit
Mimikatz_tool
Netscan_tool
Systembc
Ransom.win32.lvran.ymcikt
Trojan.bat.lvran.ymcil
Ransom.win32.lvran.ymcik
Trojan.win32.lvran.ymcil
Trojan.win32.frs.vsnw0ci22
Trojan.win32.frs.vsnw04j22
Industry:
Government
Geo:
German, Jordan
CVEs:
CVE-2021-34473 [Vulners]
Vulners: Score: 10.0, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 9.1
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019)
CVE-2021-27065 [Vulners]
Vulners: Score: 6.8, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019)
CVE-2021-31207 [Vulners]
Vulners: Score: 6.5, CVSS: 1.7,
Vulners: Exploitation: True
X-Force: Risk: 6.6
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019)
CVE-2021-26855 [Vulners]
Vulners: Score: 7.5, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 9.1
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019)
CVE-2021-34523 [Vulners]
Vulners: Score: 7.5, CVSS: 3.4,
Vulners: Exploitation: True
X-Force: Risk: 9
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019)
IOCs:
IP: 8
File: 3
Hash: 13
Softs:
microsoft exchange
Algorithms:
rc4
Trend Micro
LV Ransomware Exploits ProxyShell in Attack on a Jordan-based Company
Our blog entry provides a look at an attack involving the LV ransomware on a Jordan-based company from an intrusion analysis standpoint
#ParsedReport
25-10-2022
The Anatomy of Wiper Malware, Part 4: Less Common Helper Techniques
https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-4
Actors/Campaigns:
Agrius
Threats:
Meteor_wiper
Hermeticwiper
Isaacwiper
Killdisk
Doublezero
Apostle
Sierras
Stonedrill_wiper
Petya
Ordinypt
Disttrack
Whispergate
Israbye
Zerocleare_wiper
Dustman_wiper
Geo:
Tokyo, Ukraine
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 4
Path: 5
Command: 22
Registry: 1
Hash: 39
Softs:
bcdedit, active directory
Functions:
OpenSCManager, OpenService, InitiateSystemShutdownEx
Win API:
ControlService, GetDiskFreeSpaceExW, DsRoleGetPrimaryDomainInformation, NetUnjoinDomain, ExitWindowsEx, NtRaiseHardError, Sleep
crowdstrike.com
The Anatomy of Wiper Malware, Part 4: Helper Techniques
This blog covers some of the rarely used “helper” techniques implemented by wipers, which achieve secondary goals or facilitate a smaller portion of the wiping process.
#ParsedReport
25-10-2022
VBS AgentTesla. AgentTesla distributed through VBS
https://asec.ahnlab.com/ko/40571
Threats:
Agent_tesla
Dropper/vbs.generic
Trojan/vbs.agent
Trojan/vbs.obfuscated
Industry:
Transport
IOCs:
File: 18
Email: 2
Hash: 4
ASEC BLOG
AgentTesla Being Distributed via VBS - ASEC BLOG
The ASEC analysis team recently confirmed that AgentTesla is being distributed through malicious VBS. The script file is characterized by a large amount of code that has been obfuscated several times over. AgentTesla was previously seen being distributed through Windows help files (*.chm) last May, and it appears to keep changing its distribution method. The VBS script is distributed as a compressed file attached to emails. Recently, distribution emails impersonating Korean companies have also been identified. Inside the compressed file, the VBS…
#ParsedReport
25-10-2022
From RM3 to LDR4: URSNIF Leaves Banking Fraud Behind
https://www.mandiant.com/resources/blog/rm3-ldr4-ursnif-banking-fraud
Actors/Campaigns:
Shathak
Threats:
Gozi
Cutwail
Hancitor
Serpent
Beacon
Trickbot
Emotet
Icedid
Carberp
Industry:
Financial, Telco
Geo:
Russia, Italy, Oceania
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 11
Path: 1
Registry: 1
Domain: 28
Hash: 28
IP: 31
Softs:
internet explorer, microsoft word, chrome
Algorithms:
aes-256, cbc, aes, crc-32, xor, prng, base64
Win API:
DllRegisterServer, QueueUserAPC
Platforms:
x86, x64
YARA: Found
Google Cloud Blog
From RM3 to LDR4: URSNIF Leaves Banking Fraud Behind | Mandiant | Google Cloud Blog
#ParsedReport
25-10-2022
Dual Malware Infection Targets Cryptocurrency Users
https://blog.cyble.com/2022/10/25/dual-malware-infection-targets-cryptocurrency-users
Threats:
Tron
Process_injection_technique
Industry:
Energy, Financial
Geo:
Singapore, Dubai, Australia, America, India, Georgia
TTPs:
Tactics: 6
Technics: 15
IOCs:
File: 6
Path: 3
Command: 4
Url: 2
Domain: 1
Coin: 7
Hash: 3
Softs:
windows defender, task scheduler, zcash
Algorithms:
base64
Functions:
GetClipBoardData, OpenClipBoard, EmptyClipBoard, SetClipBoard
Win API:
BitBlt, CopyFileA
Languages:
visual_basic
Cyble
Dual Malware Infection Targets Cryptocurrency Users
Cyble Research & Intelligence Labs analyses how Threat Actors utilize a Coin Miner and Clipper for rapid monetary gain.
Looking across all sources since the beginning of 2022, the unique counts are:
ip: 1.3M
domain: 943K
url: 828K
hash: 1.2K
This is after cleaning, scoring, and dropping everything with score = 0.
#ParsedReport
27-10-2022
FormBook Malware Being Distributed as .NET
https://asec.ahnlab.com/en/40663
Threats:
Formbook
Malware/mdp.injection.m3509
IOCs:
File: 3
Hash: 1
Url: 2
ASEC BLOG
FormBook Malware Being Distributed as .NET - ASEC BLOG
The FormBook malware that was recently detected by a V3 software had been downloaded to the system and executed while the user was using a web browser. FormBook is an info-stealer that aims to steal the user’s web browser login information, keyboard input…
#ParsedReport
27-10-2022
Qakbot Malware Being Distributed in Korea
https://asec.ahnlab.com/en/40682
Threats:
Qakbot
Bumblebee
Icedid
Malware/win.possible_smhpqakbottha.r525663
Industry:
Financial
Geo:
Korea, Korean
IOCs:
File: 2
IP: 4
Hash: 3
ASEC BLOG
Qakbot Malware Being Distributed in Korea - ASEC BLOG
The ASEC analysis team has identified the Qakbot malware that was introduced in the past is being distributed to Korean users. The overall operation process, including the fact that it uses ISO files, is similar to the previous version, but a process to bypass…
#ParsedReport
27-10-2022
CoinMiner Being Installed on Vulnerable Apache Tomcat Web Server
https://asec.ahnlab.com/en/40673
Threats:
Meterpreter_tool
Xmrig_miner
Dropper/win.miner.c5283988
Trojan/vbs.runner.sc184041
Industry:
Healthcare
Geo:
Korean
IOCs:
File: 5
Url: 5
Domain: 1
Coin: 1
Hash: 7
Softs:
task scheduler
Algorithms:
base64
ASEC BLOG
CoinMiner Being Installed on Vulnerable Apache Tomcat Web Server - ASEC BLOG
The ASEC analysis team has recently identified attacks targeting vulnerable Apache Tomcat web server. The Tomcat server that has not been updated to the latest version is one of the major attack vectors that exploit vulnerabilities. In the past, the ASEC…
#ParsedReport
27-10-2022
ASEC Weekly Malware Statistics (October 17th, 2022 – October 23rd, 2022)
https://asec.ahnlab.com/en/40787
Threats:
Agent_tesla
Beamwinhttp_loader
Garbage_cleaner
Smokeloader
Lockbit
Dharma
Snake_keylogger
Formbook
Clipboard_grabbing_technique
Industry:
Financial
Geo:
Korea
IOCs:
Domain: 13
IP: 4
Email: 9
File: 15
Url: 9
Softs:
discord
Languages:
php
ASEC BLOG
ASEC Weekly Malware Statistics (October 17th, 2022 – October 23rd, 2022) - ASEC BLOG
The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from October 17th, 2022 (Monday) to October 23rd (Sunday). For the main category, info-stealer…
#ParsedReport
27-10-2022
The Return of the DDoS Monster: Fodcha Botnet Bares Its Fangs Again
https://blog.netlab.360.com/ddosmonster_the_return_of__fodcha_cn
Threats:
Fodcha
Mirai
Industry:
Healthcare, Telco
Geo:
China
IOCs:
File: 7
IP: 3
Hash: 1
Algorithms:
chacha, xxtea, chacha20
Languages:
python
360 Netlab Blog - Network Security Research Lab at 360
The Return of the DDoS Monster: Fodcha Botnet Bares Its Fangs Again
Background
On April 13, 2022, 360Netlab first disclosed the Fodcha botnet to the community. After our article was published, Fodcha was hit by the relevant authorities, and its author quickly responded by leaving the string "Netlab pls leave me alone I surrender" in the samples as a surrender to us. We assumed Fodcha would fade from the scene, but the surrender turned out to be a feint: after the fake surrender, the Fodcha author did not stop updating and soon released a new version.
In the new version, the Fodcha author redesigned the communication protocol and began using the xxtea and chacha20 algorithms…
#ParsedReport
27-10-2022
SpiderLabs Blog. Insta-Phish-A-Gram
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/insta-phish-a-gram
IOCs:
Url: 6
Domain: 1
Softs:
instagram
Trustwave
Insta-Phish-A-Gram | Trustwave
Following Trustwave SpiderLabs’ blog on social media-themed phishing on Facebook, comes another flavor of ‘infringement’ phishing. In this case, the targets, still under the umbrella of Meta, are Instagram users.
#ParsedReport
27-10-2022
Guacamaya Group
https://cyberint.com/blog/research/guacamaya-group
Actors/Campaigns:
Guacamaya (motivation: hacktivism)
Industry:
Government
Geo:
Brazil, Latam, Ecuador, America, Mexico, Colombia, Chile, Russia
Cyberint
Guacamaya Group
Q3 of 2022 has provided us with many interesting insights into the ransomware industry with a slight increase in incidents
#ParsedReport
27-10-2022
Fake Hungarian Government Email Drops Warzone RAT
https://www.fortinet.com/blog/threat-research/fake-hungarian-government-email-drops-warzone-rat
Threats:
Avemaria_rat
Matryoshka_rat
De4dot_tool
Uac_bypass_technique
Kryptik_trojan
W32/agent.tjs!tr
W32/antiav.niz!tr
Industry:
Government
Geo:
Hungarian, Hungary
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 1
Path: 1
IP: 1
Hash: 4
Softs:
windows defender
Algorithms:
zip, base64
Functions:
InitializeComponent, PerformLayout, ResourceTemplateDefine, GetMethod
Fortinet Blog
Fake Hungarian Government Email Drops Warzone RAT
FortiGuard Labs recently discovered an email pretending to come from the Hungarian government with a malicious attachment, which is a zipped executable that, upon execution, extracts the Warzone RA…
#ParsedReport
27-10-2022
ASEC Weekly Malware Statistics (20221017 ~ 20221023)
https://asec.ahnlab.com/ko/40556
Threats:
Agent_tesla
Azorult
Beamwinhttp_loader
Garbage_cleaner
Smokeloader
Smokerloader
Lockbit
Dharma
Snake_keylogger
Formbook
Clipboard_grabbing_technique
Industry:
Transport, Financial
Geo:
Korea
IOCs:
File: 20
Domain: 13
IP: 4
Email: 9
Url: 9
Softs:
discord
Languages:
php
ASEC BLOG
ASEC Weekly Malware Statistics (20221017 ~ 20221023) - ASEC BLOG
The ASEC analysis team uses the ASEC automatic analysis system RAPIT to classify and respond to known malware. This post summarizes statistics on malware collected during the week from Monday, October 17, 2022 to Sunday, October 23, 2022. By major category, info-stealers ranked first at 52.7%, followed by downloader malware at 37.0%, backdoors at 8.8%, ransomware at 1.0%, and banking malware at 0.5%. Top 1 – Agent…
#ParsedReport
27-10-2022
Raspberry Robin worm part of larger ecosystem facilitating pre-ransomware activity
https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity
Actors/Campaigns:
Evil_corp
Fin11 (motivation: cyber_criminal)
Ta505
Dev-0856
Dev-0651 (motivation: cyber_criminal)
Threats:
Raspberry_robin
Fauppod
Socgholish_loader
Lockbit
Icedid
Bumblebee
Truebot
Cobalt_strike
Clop
Lolbin
Uac_bypass_technique
Roshtyak
Dridex
Credential_stealing_technique
Trojan:js/socgolsh.a
Beacon
Industry:
Financial
IOCs:
File: 15
Domain: 3
Hash: 5
Url: 4
IP: 1
Softs:
.net, microsoft defender, microsoft defender for endpoint, windows explorer, windows installer, discord, windows local security authority
Algorithms:
zip
Win API:
GetModuleHandleA, LoadLibraryW
Languages:
javascript
Microsoft News
Raspberry Robin worm part of larger ecosystem facilitating pre-ransomware activity
Microsoft has discovered recent activity indicating that the Raspberry Robin worm is part of a complex and interconnected malware ecosystem, with links to other malware families and alternate infection methods beyond its original USB drive spread.
#ParsedReport
27-10-2022
Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers
https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers
Threats:
Drinik
Sms_stealer
Hydra
Bratarat
Anubis
Credential_harvesting_technique
Industry:
Financial
Geo:
Dubai, Indian, Australia, India, Singapore, Georgia
TTPs:
Tactics: 8
Technics: 10
IOCs:
Url: 7
IP: 1
File: 2
Hash: 1
Softs:
android
Functions:
onPageFinished
#ParsedReport
27-10-2022
Where is the Origin?: QAKBOT Uses Valid Code Signing. Key findings
https://www.trendmicro.com/en_us/research/22/j/where-is-the-origin-qakbot-uses-valid-code-signing-.html
Threats:
Qakbot
Emotet
Blackbasta
Follina_vuln
Mimikatz_tool
Stuxnet
Flame
Cobalt_strike
Industry:
Education
Geo:
Czech
CVEs:
CVE-2022-30190 [Vulners]
Vulners: Score: 9.3, CVSS: 3.4,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft windows server 2012 (r2, -)
- microsoft windows 10 (1607, -, 1809, 20h2, 21h1, 21h2)
- microsoft windows 8.1 (-)
- microsoft windows server 2016 (-)
- microsoft windows server 2008 (-, r2)
have more...
IOCs:
Hash: 7
Softs:
windows certificate
Win API:
PFXExportCertStore
Trend Micro
Where is the Origin QAKBOT Uses Valid Code Signing
Code signing certificates help assure a file's validity and legitimacy. However, threat actors can turn that against us. In this blog, discover how QAKBOT uses such a tactic and learn ways to prevent it.
#ParsedReport
27-10-2022
Elbie Ransomware Being Distributed in Korea
https://asec.ahnlab.com/ko/40743
Threats:
Elbie
Ransomware/win.encryptexe.c5285322
Ransomware/win.generic.r363595
Ransom/mdp.command.m2255
Ransom/mdp.decoy.m1171
Phobos
IOCs:
File: 6
Registry: 1
Command: 3
Hash: 2
Softs:
internet explorer, bcdedit
ASEC BLOG
Elbie Ransomware Being Distributed in Korea - ASEC BLOG
Through recent internal monitoring, the ASEC analysis team confirmed that Elbie ransomware disguised as ieinstal.exe, the Internet Explorer Add-on installer, is being distributed. The initial executable decodes its encoded internal data into the executable shown in [Figure 2], which performs the actual ransomware behavior. It then injects the decoded executable into a recursively launched copy of its own process and checks whether the user's PC is a VM environment. The injected ransomware, once running, … %AppData%…