#ParsedReport
03-11-2022
New Laplas Clipper Distributed via SmokeLoader
https://blog.cyble.com/2022/11/02/new-laplas-clipper-distributed-by-smokeloader
Threats:
Laplas_clipper
Smokeloader
Raccoon_stealer
Recordbreaker_stealer
Systembc
Tron
Vmprotect_tool
Process_injection_technique
Dll_sideloading_technique
Industry:
Financial
Geo:
Georgia, Dubai, Australia, Singapore, Netherlands, India, Italy
TTPs:
Tactics: 6
Technics: 17
IOCs:
Url: 6
Hash: 183
File: 3
Command: 2
Softs:
zcash, task scheduler, telegram
Functions:
GetRegEx, SetOnline, GetAddress, SendRequest
Cyble
Cyble - New Laplas Clipper Distributed Via SmokeLoader
Cyble Research & Intelligence Labs analyses how Laplas Clipper is distributed via SmokeLoader, targeting cryptocurrency users.
#ParsedReport
03-11-2022
Family Tree: Related DLL-Sideloading Cases Bear Strange Fruit
https://news.sophos.com/en-us/2022/11/03/family-tree-related-dll-sideloading-cases-bear-strange-fruit
Actors/Campaigns:
Red_delta
Luminousmoth
Threats:
Dll_sideloading_technique
Revil
Cobalt_strike
Metasploit_tool
Netcat_tool
Uac_bypass_technique
Plugx_rat
Shadowpad
Process_hollowing_technique
Trochilus_rat
Tofsee
Netsky
Gh0st_rat
Solarmarker
Trickbot
Industry:
Government
Geo:
Chinese, China, Asia
TTPs:
IOCs:
IP: 10
File: 57
Path: 65
Command: 2
Hash: 30
Registry: 9
Softs:
windows search, curl, chromium
Functions:
sendSAS, API
Win API:
GetTickCount
Links:
https://gist.github.com/dezhub/c0fee68d1e06657a45ec39365362fca7
https://github.com/sophoslabs/IoCs
https://gist.github.com/api0cradle/d4aaef39db0d845627d819b2b6b30512
https://github.com/m0n0ph1/malware-1/blob/master/Trochilus/bin/Bin/vtcp.dll
Sophos News
Family Tree: DLL-Sideloading Cases May Be Related
A threat actor’s repeated use of DLL-hijack execution flow makes for interesting attack results, including omnivorous file ingestion; we break down five cases and find commonalities
#ParsedReport
03-11-2022
Inside the V1 Raccoon Stealers Den
https://www.team-cymru.com/post/inside-the-v1-raccoon-stealer-s-den
Threats:
Raccoon_stealer
Industry:
E-commerce, Financial, Telco
Geo:
Singapore, Brazil, Ukraine, Ukrainian, Italian, Canada, Russian
IOCs:
Domain: 1
Softs:
telegram
Team-Cymru
Exploring the V1 Raccoon Stealer: Team Cymru's Insight
Stay ahead of the latest cybersecurity threats with Team Cymru's expert analysis. Dive deep into the V1 Raccoon Stealer's den and learn how it operates and the possible connections to Kharkiv and the CC2BTC Marketplace.
#ParsedReport
03-11-2022
Distribution of Word Files Cleverly Manipulated to Evade Detection (External+RTF)
https://asec.ahnlab.com/ko/41172
Threats:
Postealer
Lokibot_stealer
Trojan/win.generic.c5290118
Trojan/win.msil.r510204
Malware/mdp.download.m1881
Geo:
Korea
CVEs:
CVE-2017-11882 [Vulners]
Vulners: Score: 9.3, CVSS: 4.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft office (2013, 2010, 2016, 2007)
IOCs:
File: 4
Coin: 1
Hash: 3
Url: 11
ASEC BLOG
Distribution of Word Files Cleverly Manipulated to Evade Detection (External+RTF) - ASEC BLOG
Malicious Word files that abuse the External link feature of MS Office Word documents to fetch additional RTF malware have been observed continuously for quite some time. Recently, however, a number of files presumed to be crafted to evade antivirus detection have been found circulating in Korea, which we want to bring to attention. The use of a Word attachment in an email disguised as work-related is largely unchanged, but what can be found inside the OOXML (Office Open XML) format…
#ParsedReport
03-11-2022
Prynt Stealer Source Code Shared over Cybercrime Forum
https://cloudsek.com/threatintelligence/prynt-stealer-source-code-shared-over-cybercrime-forum/?utm_source=rss&utm_medium=rss&utm_campaign=prynt-stealer-source-code-shared-over-cybercrime-forum
Threats:
Prynt_stealer
Industry:
Entertainment, Financial
TTPs:
Tactics: 1
Technics: 0
Softs:
microsoft excel, telegram, chrome, opera, amigo, coccoc, kometa, torch, 7star, chedot, have more...
Languages:
php, java
CloudSEK
Prynt Stealer Source Code Shared over Cybercrime Forum - CloudSEK
Prynt Stealer operating on stealth mode to steal sensitive data & credentials from the victims’ systems, browsers, & crypto wallets.
#rstcloud
+ 4 online sandboxes added to the IOC sources
- Hashes of the uploaded file itself plus the hashes of the malware it drops.
- If the malware's config has been parsed, we take the C2 and other network resources from it.
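One way to implement the IOC selection described in the post above, as an added example that is not part of the channel's own tooling: collect the submitted-file hash and the dropped-file hashes, then pull network indicators from the parsed config. The report layout, its field names and the lab network ranges are assumptions; the sample report is constructed for the example.

```python
"""Normalise IOCs from one sandbox run: submitted-file hash, dropped-file
hashes, and C2/network indicators from the parsed malware config."""
import ipaddress
import re
from urllib.parse import urlsplit

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
# Loose hostname check: dotted labels of letters, digits and hyphens.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$")

# Assumed lab/sandbox-internal ranges; adjust to your own sandbox network.
SANDBOX_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sandbox result. The field names are a hypothetical schema,
# not any real vendor's output format.
SAMPLE_REPORT = {
    "submitted": {"sha256": "a" * 64, "name": "invoice.exe"},
    "dropped": [
        {"sha256": "B" * 64, "name": "loader.dll"},        # mixed case, normalise
        {"sha256": "a" * 64, "name": "copy_of_self.exe"},  # same as submitted
        {"sha256": "not-a-hash", "name": "garbage.bin"},   # must be rejected
    ],
    "config": {
        "family": "smokeloader",
        "c2": [
            "http://example-c2.test/gate.php",
            "203.0.113.7:8080",
            "example-c2.test",
            "10.0.0.5",                          # sandbox-internal, drop it
            "http://example-c2.test/gate.php",   # duplicate
        ],
    },
}


def _valid_sha256(value):
    """Return the lower-cased hash if it is a well-formed SHA-256, else None."""
    h = (value or "").strip().lower()
    return h if SHA256_RE.match(h) else None


def _split_host(entry):
    """Return (kind, host) for a raw C2 string: 'url' with its hostname, or
    'host' for bare 'ip[:port]' / 'domain[:port]' entries."""
    entry = entry.strip()
    if "://" in entry:
        return "url", (urlsplit(entry).hostname or "")
    host = entry.rsplit(":", 1)[0] if entry.count(":") == 1 else entry
    return "host", host


def _is_sandbox_internal(ip):
    """Traffic to the lab network itself is not an indicator."""
    return (any(ip in net for net in SANDBOX_NETS)
            or ip.is_loopback or ip.is_link_local or ip.is_multicast)


def extract_iocs(report):
    hashes, ips, domains, urls = set(), set(), set(), set()

    # 1. The submitted sample plus everything it dropped.
    files = [report.get("submitted", {})] + list(report.get("dropped", []))
    for f in files:
        h = _valid_sha256(f.get("sha256"))
        if h:
            hashes.add(h)

    # 2. Network IOCs from the parsed config, if the parser produced one.
    for raw in (report.get("config") or {}).get("c2", []):
        kind, host = _split_host(raw)
        host = host.lower()
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            ip = None
        if ip is not None:
            if _is_sandbox_internal(ip):
                continue
            ips.add(str(ip))
        elif DOMAIN_RE.match(host):
            domains.add(host)
        else:
            continue  # neither an IP nor a hostname: do not publish it
        if kind == "url":
            urls.add(raw.strip())

    return {"hashes": sorted(hashes), "ips": sorted(ips),
            "domains": sorted(domains), "urls": sorted(urls)}


if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_REPORT).items():
        print(kind, values)
```

Hashes are validated and lower-cased before deduplication so the same dropped file is not published twice; a URL contributes its host as a separate pivot, and anything pointing at the sandbox's own network is discarded rather than published as a C2.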
#ParsedReport
04-11-2022
Analysis of Typical Mining Families, Part 1: The Outlaw Mining Botnet
https://www.antiy.cn/research/notice&report/research_report/20221103.html
Threats:
Hezb
Kthmimu
Perlbot
Shellshock_vuln
Haiduc_tool
Drupalgeddon_vuln
Xhide_tool
Xmrig_miner
Ethminer
Upx_tool
Industry:
Financial, Iot, Government, Education, Energy
Geo:
Romanian, Romania, Chinese
CVEs:
CVE-2018-7600 [Vulners]
Vulners: Score: 7.5, CVSS: 7.4,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- drupal (le7.57, <8.3.9, <8.4.6, <8.5.1)
- debian debian linux (9.0, 8.0, 7.0)
CVE-2014-7169 [Vulners]
Vulners: Score: 10.0, CVSS: 4.6,
Vulners: Exploitation: True
X-Force: Risk: 10
X-Force: Patch: Official fix
Soft:
- gnu bash (1.14.0, 1.14.1, 2.0, 2.01, 2.05, 3.0, 4.1, 4.2, 1.14.2, 1.14.3, 2.01.1, 2.02, 3.0.16, 3.1, 4.3, 1.14.4, 1.14.5, 2.02.1, 2.03, 2.04, 3.2, 3.2.48, 1.14.6, 1.14.7, 2.05, 2.05, 4.0, 4.0)
CVE-2017-1000117 [Vulners]
Vulners: Score: 6.8, CVSS: 3.5,
Vulners: Exploitation: Unknown
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- git-scm git (2.11.0, 2.9.0, 2.9.0, 2.8.0, 2.11.0, 2.8.0, 2.9.0, 2.9.1, 2.11.0, 2.11.1, 2.13.1, 2.13.2, le2.7.5, 2.10.0, 2.10.0, 2.10.0, 2.13.0, 2.12.0, 2.11.0, 2.8.2, 2.8.3, 2.10.0, 2.10.1, 2.12.1, 2.12.2, 2.14.0, 2.13.0, 2.12.0, 2.12.0, 2.11.0, 2.9.0, 2.8.0, 2.8.4, 2.8.5, 2.10.2, 2.10.3, 2.12.3, 2.13.0, 2.8.0, 2.14.0, 2.14.0, 2.13.0, 2.8.0, 2.8.1, 2.9.2, 2.9.3, 2.9.4, 2.11.2, 2.12.0, 2.13.3, 2.13.4)
TTPs:
Tactics: 2
Technics: 0
IOCs:
File: 18
IP: 60
Coin: 4
Url: 100
Email: 4
Domain: 6
Hash: 48
Algorithms:
base64
Languages:
perl, php
Platforms:
intel
www.antiy.cn
Analysis of Typical Mining Families, Part 1: The Outlaw Mining Botnet
Antiy CERT has compiled special reports on the typical, prevalent mining trojan families it has tracked over recent years; this installment covers the Outlaw mining botnet.
#ParsedReport
07-11-2022
Magniber Ransomware Attempting to Bypass MOTW (Mark of the Web)
https://asec.ahnlab.com/ko/41257
Threats:
Magniber
Typosquatting_technique
IOCs:
File: 11
Registry: 2
Hash: 3
Languages:
javascript
ASEC BLOG
Magniber Ransomware Attempting to Bypass MOTW (Mark of the Web) - ASEC BLOG
On October 13 the ASEC analysis team published a post on the changes in Magniber ransomware. Magniber, which is still actively distributed, has gone through various changes to evade antivirus detection. This post introduces the script form used between 2022.09.08 and 2022.09.29, which was found to bypass Mark of the Web (MOTW), the Microsoft mechanism that records a file's origin. Date, extension, execution process, encryption process…
#ParsedReport
07-11-2022
Ransomware Spotlight: BlackCat
https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackcat
Actors/Campaigns:
Blackcat
Darkside
Blackmatter
Threats:
Blackcat
Blackbasta
Blackbyte
Lockbit
Conti
Ransomexx
Exmatter_tool
Eamfo
Adfind_tool
Adrecon
Process_hacker_tool
Mimikatz_tool
Megasync_tool
Teamviewer_tool
Industry:
Energy, Ics, E-commerce, Financial
Geo:
Pacific, Australia
CVEs:
CVE-2021-27065 [Vulners]
Vulners: Score: 6.8, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2016, 2016, 2016, 2013, 2016, 2019, 2013, 2016, 2016, 2016, 2016, 2016, 2016, 2016, 2019, 2019, 2019, 2019, 2019, 2019, 2019)
CVE-2021-26857 [Vulners]
Vulners: Score: 6.8, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2010, 2013, 2019, 2016, 2019, 2016)
CVE-2021-26855 [Vulners]
Vulners: Score: 7.5, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 9.1
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2016, 2016, 2013, 2016, 2016, 2013, 2016, 2019, 2013, 2016, 2016, 2016, 2016, 2016, 2016, 2016, 2019, 2019, 2019, 2019, 2019, 2019, 2019, 2019)
CVE-2021-26858 [Vulners]
Vulners: Score: 6.8, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2016, 2019, 2019)
TTPs:
Tactics: 8
Technics: 21
IOCs:
File: 14
Softs:
psexec, winscp, esxi, dbsnmp, encsvc, onenote, powerpnt, thebat, wordpad, msexchange, have more...
Algorithms:
7zip
Win API:
NetShareEnum
Win Services:
VeeamNFSSvc, VeeamTransportSvc, VeeamDeploymentSvc, WSBExchange, PDVFSService, BackupExecVSSProvider, BackupExecAgentAccelerator, BackupExecAgentBrowser, BackupExecDiveciMediaService, BackupExecJobEngine, have more...
Languages:
rust
Platforms:
intel
Links:
https://github.com/ParrotSec/mimikatz
Trend Micro
Ransomware Spotlight: BlackCat
Known for its unconventional methods and use of advanced extortion techniques, BlackCat has quickly risen to prominence in the cybercrime community. As this ransomware group forges its way to gain more clout, we examine its operations and discuss how organizations…
#ParsedReport
07-11-2022
BlueFox Stealer: a newcomer designed for traffers teams
https://blog.sekoia.io/bluefox-information-stealer-traffer-maas
Threats:
Bluefox_stealer
Traffer
Raccoon_stealer
Erbium_stealer
Redline_stealer
Vidar_stealer
Aurora
Lumma_stealer
Mars_stealer
Smokeloader
Privateloader
Mixloader
Industry:
E-commerce, Financial
Geo:
Russian
TTPs:
Tactics: 7
Technics: 17
IOCs:
Command: 1
File: 1
Hash: 11
Softs:
telegram, google chrome, microsoft edge, windows registry, chromium, chrome, opera, tronlink, binancechain, have more...
Platforms:
x86
YARA: Found
Links:
https://github.com/SEKOIA-IO/Community/tree/main/IOCs/bluefox
Sekoia.io Blog
BlueFox Stealer: a newcomer designed for traffers teams
In September 2022 during routine Dark Web monitoring we identified BlueFox Stealer v2, a newly-advertized information stealer sold as MaaS.
#ParsedReport
07-11-2022
HackHound IRC Bot
https://asec.ahnlab.com/ko/41335
Threats:
Njrat_rat
Udprat
Passview_tool
Hawkeye_keylogger
Trojan/win.korat.c5290614
Deathransom
Infostealer/win.agent.c5290619
Bladabindi
Ircbot
Trojan/win.agent.c5290070
Trojan/win.generic.r452668
Malware/mdp.behavior.m1693
Industry:
Education
IOCs:
File: 9
Path: 2
Hash: 19
Domain: 6
Url: 1
Softs:
chrome, discord
Languages:
golang
Platforms:
x64
ASEC BLOG
HackHound IRC Bot Being Distributed via Webhard - ASEC BLOG
Contents: njRAT, UDP Rat, WebBrowserPassView, InfoStealer, HackHound IRC Bot. Webhard (web hard drive) services are a representative malware distribution platform used by attackers targeting Korean users. The ASEC analysis team monitors malware distributed via webhard and has shared information through many previous blog posts. Attackers typically distribute malware bundled with illegal programs such as adult games or cracked versions of commercial games. In this way…
#ParsedReport
07-11-2022
Inside the Yanluowang Leak: Organization, Members, and Tactics
https://darktrace.com/blog/inside-the-yanluowang-leak-organization-members-and-tactics
Actors/Campaigns:
Evil_corp
Wizard_spider
Threats:
Yanluowang
Fivehands
Credential_harvesting_technique
Saint_tool
Payloadbin
Conti
Revil
Checkmate
Babuk
Rook
Pandora
Industry:
Financial
Geo:
Ukrainian, Chinese, Ukraine, Russian
IOCs:
File: 1
Darktrace
Behind Yanluowang: Unveiling Cyber Threat Tactics
Discover the latest insights into the Yanluowang leak organization, uncovering its members and tactics.
#ParsedReport
07-11-2022
Massive Phishing Campaigns Target India Banks Clients
https://www.trendmicro.com/en_us/research/22/k/massive-phishing-campaigns-target-india-banks-clients.html
Threats:
Drinik
Fakereward
Axbanker
Icrat
Icspy
Industry:
Financial
Geo:
Indian, India
IOCs:
Hash: 54
IP: 3
Url: 1
File: 2
Softs:
android
Trend Micro
Massive Phishing Campaigns Target India Banks’ Clients
#ParsedReport
07-11-2022
SocGholish Diversifies and Expands Its Malware Staging Infrastructure to Counter Defenders
https://www.sentinelone.com/labs/socgholish-diversifies-and-expands-its-malware-staging-infrastructure-to-counter-defenders
Actors/Campaigns:
Evil_corp
Threats:
Socgholish_loader
Cobalt_strike
Netsupportmanager_rat
Wastedlocker
Geo:
Netherlands, France
IOCs:
Url: 2
Domain: 1
Algorithms:
base64
Languages:
javascript
SentinelOne
SocGholish Diversifies and Expands Its Malware Staging Infrastructure to Counter Defenders
SocGholish operators continue to infect websites at a massive scale, and the threat actor is ramping up its infrastructure to match.
#ParsedReport
07-11-2022
Emotet Malware Being Distributed Again via Excel Files After 6 Months
https://asec.ahnlab.com/ko/41365
Threats:
Emotet
Malware/win.generic.c5291114
Industry:
Petroleum
IOCs:
File: 6
Path: 5
Hash: 4
Url: 4
Softs:
microsoft office
Platforms:
x64, x86
ASEC BLOG
Emotet Malware Being Distributed Again via Excel Files After 6 Months - ASEC BLOG
The ASEC analysis team has published information on several occasions about Emotet malware distributed in various modified forms. Recently, signs that Emotet distribution has become active again have been confirmed. About six months have passed since the last period of active distribution, and this post looks at what has changed compared with the Excel files distributed at that time. Distribution through attachments of indiscriminate emails, and multiple formulas scattered and hidden as white text in Excel sheets…
#ParsedReport
08-11-2022
LockBit 3.0 Being Distributed via Amadey Bot
https://asec.ahnlab.com/en/41450
Actors/Campaigns:
Ta505
Threats:
Amadey
Lockbit
Gandcrab
Flawedammyy
Clop
Smokeloader
Trojan/lnk.runner
Malware/win.generic.r531852
Delf
Ransom/mdp.decoy.m1171
Ransom/mdp.event.m1875
Ransom/mdp.behavior.m1946
Geo:
Korea, Korean
IOCs:
File: 8
Path: 7
Command: 2
Coin: 1
Hash: 8
Url: 7
Softs:
task scheduler
ASEC
LockBit 3.0 Being Distributed via Amadey Bot - ASEC
The ASEC analysis team has confirmed that attackers are using Amadey Bot to install LockBit. Amadey Bot, a malware that was first discovered in 2018, is capable of stealing information and installing additional malware by receiving commands from the attacker.…
#ParsedReport
08-11-2022
Blue Team Debriefing STEEP#MAVERICK Edition
https://www.securonix.com/blog/blue-team-debriefing-steepmaverick-edition
Actors/Campaigns:
Steep_maverick
Algorithms:
zip
Links:
https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md
Securonix
Blue Team Debriefing – STEEP#MAVERICK Edition
#ParsedReport
08-11-2022
CHAOS Ransomware YASHMA Wreaking Havoc
https://labs.k7computing.com/index.php/chaos-ransomware-yashma-wreaking-havoc
Threats:
Chaos
Yashma
Havoc
Industry:
Financial
Geo:
Azerbaijani, Turkish, India
IOCs:
Registry: 1
File: 2
Hash: 1
Softs:
telegram
Functions:
forbiddencountry, registryvalue, Value, sleep, stopbackupservices
K7 Labs
CHAOS Ransomware YASHMA Wreaking Havoc
Of late, we noticed in the wild several variants of ransomware built using the Chaos Ransomware Builder. This blog is […]