#ParsedReport
04-11-2022
. Analysis of typical mining family series Outlaw (dead) mining zombie network
https://www.antiy.cn/research/notice&report/research_report/20221103.html
Threats:
Hezb
Kthmimu
Perlbot
Shellshock_vuln
Haiduc_tool
Drupalgeddon_vuln
Xhide_tool
Xmrig_miner
Ethminer
Upx_tool
Industry:
Financial, Iot, Government, Education, Energy
Geo:
Romanian, Romania, Chinese
CVEs:
CVE-2018-7600 [Vulners]
Vulners: Score: 7.5, CVSS: 7.4,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- drupal (le7.57, <8.3.9, <8.4.6, <8.5.1)
- debian debian linux (9.0, 8.0, 7.0)
CVE-2014-7169 [Vulners]
Vulners: Score: 10.0, CVSS: 4.6,
Vulners: Exploitation: True
X-Force: Risk: 10
X-Force: Patch: Official fix
Soft:
- gnu bash (1.14.0, 1.14.1, 2.0, 2.01, 2.05, 3.0, 4.1, 4.2, 1.14.2, 1.14.3, 2.01.1, 2.02, 3.0.16, 3.1, 4.3, 1.14.4, 1.14.5, 2.02.1, 2.03, 2.04, 3.2, 3.2.48, 1.14.6, 1.14.7, 2.05, 2.05, 4.0, 4.0)
CVE-2017-1000117 [Vulners]
Vulners: Score: 6.8, CVSS: 3.5,
Vulners: Exploitation: Unknown
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- git-scm git (2.11.0, 2.9.0, 2.9.0, 2.8.0, 2.11.0, 2.8.0, 2.9.0, 2.9.1, 2.11.0, 2.11.1, 2.13.1, 2.13.2, le2.7.5, 2.10.0, 2.10.0, 2.10.0, 2.13.0, 2.12.0, 2.11.0, 2.8.2, 2.8.3, 2.10.0, 2.10.1, 2.12.1, 2.12.2, 2.14.0, 2.13.0, 2.12.0, 2.12.0, 2.11.0, 2.9.0, 2.8.0, 2.8.4, 2.8.5, 2.10.2, 2.10.3, 2.12.3, 2.13.0, 2.8.0, 2.14.0, 2.14.0, 2.13.0, 2.8.0, 2.8.1, 2.9.2, 2.9.3, 2.9.4, 2.11.2, 2.12.0, 2.13.3, 2.13.4)
TTPs:
Tactics: 2
Technics: 0
IOCs:
File: 18
IP: 60
Coin: 4
Url: 100
Email: 4
Domain: 6
Hash: 48
Algorithms:
base64
Languages:
perl, php
Platforms:
intel
04-11-2022
. Analysis of typical mining family series Outlaw (dead) mining zombie network
https://www.antiy.cn/research/notice&report/research_report/20221103.html
Threats:
Hezb
Kthmimu
Perlbot
Shellshock_vuln
Haiduc_tool
Drupalgeddon_vuln
Xhide_tool
Xmrig_miner
Ethminer
Upx_tool
Industry:
Financial, Iot, Government, Education, Energy
Geo:
Romanian, Romania, Chinese
CVEs:
CVE-2018-7600 [Vulners]
Vulners: Score: 7.5, CVSS: 7.4,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- drupal (le7.57, <8.3.9, <8.4.6, <8.5.1)
- debian debian linux (9.0, 8.0, 7.0)
CVE-2014-7169 [Vulners]
Vulners: Score: 10.0, CVSS: 4.6,
Vulners: Exploitation: True
X-Force: Risk: 10
X-Force: Patch: Official fix
Soft:
- gnu bash (1.14.0, 1.14.1, 2.0, 2.01, 2.05, 3.0, 4.1, 4.2, 1.14.2, 1.14.3, 2.01.1, 2.02, 3.0.16, 3.1, 4.3, 1.14.4, 1.14.5, 2.02.1, 2.03, 2.04, 3.2, 3.2.48, 1.14.6, 1.14.7, 2.05, 2.05, 4.0, 4.0)
CVE-2017-1000117 [Vulners]
Vulners: Score: 6.8, CVSS: 3.5,
Vulners: Exploitation: Unknown
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- git-scm git (2.11.0, 2.9.0, 2.9.0, 2.8.0, 2.11.0, 2.8.0, 2.9.0, 2.9.1, 2.11.0, 2.11.1, 2.13.1, 2.13.2, le2.7.5, 2.10.0, 2.10.0, 2.10.0, 2.13.0, 2.12.0, 2.11.0, 2.8.2, 2.8.3, 2.10.0, 2.10.1, 2.12.1, 2.12.2, 2.14.0, 2.13.0, 2.12.0, 2.12.0, 2.11.0, 2.9.0, 2.8.0, 2.8.4, 2.8.5, 2.10.2, 2.10.3, 2.12.3, 2.13.0, 2.8.0, 2.14.0, 2.14.0, 2.13.0, 2.8.0, 2.8.1, 2.9.2, 2.9.3, 2.9.4, 2.11.2, 2.12.0, 2.13.3, 2.13.4)
TTPs:
Tactics: 2
Technics: 0
IOCs:
File: 18
IP: 60
Coin: 4
Url: 100
Email: 4
Domain: 6
Hash: 48
Algorithms:
base64
Languages:
perl, php
Platforms:
intel
www.antiy.cn
典型挖矿家族系列分析一 丨Outlaw(亡命徒)挖矿僵尸网络
安天CERT将近几年历史跟踪储备的典型流行挖矿木马家族组织梳理形成专题报告,本期介绍Outlaw(亡命徒)挖矿僵尸网络
#ParsedReport
07-11-2022
MOTW(Mark of the Web)
https://asec.ahnlab.com/ko/41257
Threats:
Magniber
Typosquatting_technique
IOCs:
File: 11
Registry: 2
Hash: 3
Languages:
javascript
07-11-2022
MOTW(Mark of the Web)
https://asec.ahnlab.com/ko/41257
Threats:
Magniber
Typosquatting_technique
IOCs:
File: 11
Registry: 2
Hash: 3
Languages:
javascript
ASEC BLOG
MOTW(Mark of the Web) 우회를 시도한 매그니베르 랜섬웨어 - ASEC BLOG
ASEC 분석팀은 지난 10월 13일 매그니베르(Magniber)랜섬웨어의 변화에 대한 글을 공개했다. 현재도 활발하게 유포되는 매그니베르 랜섬웨어는 백신의 탐지를 회피하기 위해 다양한 변화를 해왔다. 이 중 Microsoft 에서 제공하는 파일의 출처를 확인해주는 Mark of the Web(MOTW)을 우회한 것으로 확인된 2022.09.08 ~ 2022.09.29 기간 동안의 스크립트 형태에 대해 소개한다. 날짜 확장자 실행 프로세스 암호화 프로세스…
#ParsedReport
07-11-2022
Ransomware Spotlight: BlackCat
https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackcat
Actors/Campaigns:
Blackcat
Darkside
Blackmatter
Threats:
Blackcat
Blackbasta
Blackbyte
Lockbit
Conti
Ransomexx
Exmatter_tool
Eamfo
Adfind_tool
Adrecon
Process_hacker_tool
Mimikatz_tool
Megasync_tool
Teamviewer_tool
Industry:
Energy, Ics, E-commerce, Financial
Geo:
Pacific, Australia
CVEs:
CVE-2021-27065 [Vulners]
Vulners: Score: 6.8, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2016, 2016, 2016, 2013, 2016, 2019, 2013, 2016, 2016, 2016, 2016, 2016, 2016, 2016, 2019, 2019, 2019, 2019, 2019, 2019, 2019)
CVE-2021-26857 [Vulners]
Vulners: Score: 6.8, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2010, 2013, 2019, 2016, 2019, 2016)
CVE-2021-26855 [Vulners]
Vulners: Score: 7.5, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 9.1
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2016, 2016, 2013, 2016, 2016, 2013, 2016, 2019, 2013, 2016, 2016, 2016, 2016, 2016, 2016, 2016, 2019, 2019, 2019, 2019, 2019, 2019, 2019, 2019)
CVE-2021-26858 [Vulners]
Vulners: Score: 6.8, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2016, 2019, 2019)
TTPs:
Tactics: 8
Technics: 21
IOCs:
File: 14
Softs:
psexec, winscp, esxi, dbsnmp, encsvc, onenote, powerpnt, thebat, wordpad, msexchange, have more...
Algorithms:
7zip
Win API:
NetShareEnum
Win Services:
VeeamNFSSvc, VeeamTransportSvc, VeeamDeploymentSvc, WSBExchange, PDVFSService, BackupExecVSSProvider, BackupExecAgentAccelerator, BackupExecAgentBrowser, BackupExecDiveciMediaService, BackupExecJobEngine, have more...
Languages:
rust
Platforms:
intel
Links:
07-11-2022
Ransomware Spotlight: BlackCat
https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackcat
Actors/Campaigns:
Blackcat
Darkside
Blackmatter
Threats:
Blackcat
Blackbasta
Blackbyte
Lockbit
Conti
Ransomexx
Exmatter_tool
Eamfo
Adfind_tool
Adrecon
Process_hacker_tool
Mimikatz_tool
Megasync_tool
Teamviewer_tool
Industry:
Energy, Ics, E-commerce, Financial
Geo:
Pacific, Australia
CVEs:
CVE-2021-27065 [Vulners]
Vulners: Score: 6.8, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2016, 2016, 2016, 2013, 2016, 2019, 2013, 2016, 2016, 2016, 2016, 2016, 2016, 2016, 2019, 2019, 2019, 2019, 2019, 2019, 2019)
CVE-2021-26857 [Vulners]
Vulners: Score: 6.8, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2010, 2013, 2019, 2016, 2019, 2016)
CVE-2021-26855 [Vulners]
Vulners: Score: 7.5, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 9.1
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2016, 2016, 2013, 2016, 2016, 2013, 2016, 2019, 2013, 2016, 2016, 2016, 2016, 2016, 2016, 2016, 2019, 2019, 2019, 2019, 2019, 2019, 2019, 2019)
CVE-2021-26858 [Vulners]
Vulners: Score: 6.8, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2016, 2019, 2019)
TTPs:
Tactics: 8
Technics: 21
IOCs:
File: 14
Softs:
psexec, winscp, esxi, dbsnmp, encsvc, onenote, powerpnt, thebat, wordpad, msexchange, have more...
Algorithms:
7zip
Win API:
NetShareEnum
Win Services:
VeeamNFSSvc, VeeamTransportSvc, VeeamDeploymentSvc, WSBExchange, PDVFSService, BackupExecVSSProvider, BackupExecAgentAccelerator, BackupExecAgentBrowser, BackupExecDiveciMediaService, BackupExecJobEngine, have more...
Languages:
rust
Platforms:
intel
Links:
https://github.com/ParrotSec/mimikatzTrendmicro
Ransomware Spotlight: BlackCat
Known for its unconventional methods and use of advanced extortion techniques, BlackCat has quickly risen to prominence in the cybercrime community. As this ransomware group forges its way to gain more clout, we examine its operations and discuss how organizations…
#ParsedReport
07-11-2022
BlueFox Stealer: a newcomer designed for traffers teams
https://blog.sekoia.io/bluefox-information-stealer-traffer-maas
Threats:
Bluefox_stealer
Traffer
Raccoon_stealer
Erbium_stealer
Redline_stealer
Vidar_stealer
Aurora
Lumma_stealer
Mars_stealer
Smokeloader
Privateloader
Mixloader
Industry:
E-commerce, Financial
Geo:
Russian
TTPs:
Tactics: 7
Technics: 17
IOCs:
Command: 1
File: 1
Hash: 11
Softs:
telegram, omium, edg, google chrome, microsoft edge, windows registry, (chromium, chrome, opera, tronlink, binancechain, have more...
Platforms:
x86
YARA: Found
Links:
07-11-2022
BlueFox Stealer: a newcomer designed for traffers teams
https://blog.sekoia.io/bluefox-information-stealer-traffer-maas
Threats:
Bluefox_stealer
Traffer
Raccoon_stealer
Erbium_stealer
Redline_stealer
Vidar_stealer
Aurora
Lumma_stealer
Mars_stealer
Smokeloader
Privateloader
Mixloader
Industry:
E-commerce, Financial
Geo:
Russian
TTPs:
Tactics: 7
Technics: 17
IOCs:
Command: 1
File: 1
Hash: 11
Softs:
telegram, omium, edg, google chrome, microsoft edge, windows registry, (chromium, chrome, opera, tronlink, binancechain, have more...
Platforms:
x86
YARA: Found
Links:
https://github.com/SEKOIA-IO/Community/tree/main/IOCs/bluefoxSekoia.io Blog
BlueFox Stealer: a newcomer designed for traffers teams
In September 2022 during routine Dark Web monitoring we identified BlueFox Stealer v2, a newly-advertized information stealer sold as MaaS.
#ParsedReport
07-11-2022
HackHound IRC Bot
https://asec.ahnlab.com/ko/41335
Threats:
Njrat_rat
Udprat
Passview_tool
Hawkeye_keylogger
Trojan/win.korat.c5290614
Deathransom
Infostealer/win.agent.c5290619
Bladabindi
Ircbot
Trojan/win.agent.c5290070
Trojan/win.generic.r452668
Malware/mdp.behavior.m1693
Industry:
Education
IOCs:
File: 9
Path: 2
Hash: 19
Domain: 6
Url: 1
Softs:
chrome, discord
Languages:
golang
Platforms:
x64
07-11-2022
HackHound IRC Bot
https://asec.ahnlab.com/ko/41335
Threats:
Njrat_rat
Udprat
Passview_tool
Hawkeye_keylogger
Trojan/win.korat.c5290614
Deathransom
Infostealer/win.agent.c5290619
Bladabindi
Ircbot
Trojan/win.agent.c5290070
Trojan/win.generic.r452668
Malware/mdp.behavior.m1693
Industry:
Education
IOCs:
File: 9
Path: 2
Hash: 19
Domain: 6
Url: 1
Softs:
chrome, discord
Languages:
golang
Platforms:
x64
ASEC BLOG
웹하드를 통해 유포 중인 HackHound IRC Bot - ASEC BLOG
ContentsnjRATUDP RatWebBrowserPassViewInfoStealerHackHound IRC Bot 웹하드는 국내 사용자를 대상으로 하는 공격자들이 사용하는 대표적인 악성코드 유포 플랫폼이다. ASEC 분석팀에서는 웹하드를 통해 유포되는 악성코드들을 모니터링하고 있으며 과거 다수의 블로그를 통해 정보를 공유한 바 있다. 일반적으로 공격자들은 성인 게임이나 사용 게임의 크랙 버전과 같은 불법 프로그램과 함께 악성코드를 유포한다. 이렇게…
#ParsedReport
07-11-2022
Get a demo. Inside the Yanluowang Leak: Organization, Members, and Tactics
https://darktrace.com/blog/inside-the-yanluowang-leak-organization-members-and-tactics
Actors/Campaigns:
Evil_corp
Wizard_spider
Threats:
Yanluowang
Fivehands
Credential_harvesting_technique
Saint_tool
Payloadbin
Conti
Revil
Checkmate
Babuk
Rook
Pandora
Industry:
Financial
Geo:
Ukrainian, Chinese, Ukraine, Russian
IOCs:
File: 1
07-11-2022
Get a demo. Inside the Yanluowang Leak: Organization, Members, and Tactics
https://darktrace.com/blog/inside-the-yanluowang-leak-organization-members-and-tactics
Actors/Campaigns:
Evil_corp
Wizard_spider
Threats:
Yanluowang
Fivehands
Credential_harvesting_technique
Saint_tool
Payloadbin
Conti
Revil
Checkmate
Babuk
Rook
Pandora
Industry:
Financial
Geo:
Ukrainian, Chinese, Ukraine, Russian
IOCs:
File: 1
Darktrace
Behind Yanluowang: Unveiling Cyber Threat Tactics
Discover the latest insights into the Yanluowang leak organization, uncovering its members and tactics.
#ParsedReport
07-11-2022
Massive Phishing Campaigns Target India Banks Clients
https://www.trendmicro.com/en_us/research/22/k/massive-phishing-campaigns-target-india-banks-clients.html
Threats:
Drinik
Fakereward
Axbanker
Icrat
Icspy
Industry:
Financial
Geo:
Indian, India
IOCs:
Hash: 54
IP: 3
Url: 1
File: 2
Softs:
android
Functions:
and
07-11-2022
Massive Phishing Campaigns Target India Banks Clients
https://www.trendmicro.com/en_us/research/22/k/massive-phishing-campaigns-target-india-banks-clients.html
Threats:
Drinik
Fakereward
Axbanker
Icrat
Icspy
Industry:
Financial
Geo:
Indian, India
IOCs:
Hash: 54
IP: 3
Url: 1
File: 2
Softs:
android
Functions:
and
Trend Micro
Massive Phishing Campaigns Target India Banks’ Clients
#ParsedReport
07-11-2022
SocGholish Diversifies and Expands Its Malware Staging Infrastructure to Counter Defenders
https://www.sentinelone.com/labs/socgholish-diversifies-and-expands-its-malware-staging-infrastructure-to-counter-defenders
Actors/Campaigns:
Evil_corp
Threats:
Socgholish_loader
Cobalt_strike
Netsupportmanager_rat
Wastedlocker
Geo:
Netherlands, France
IOCs:
Url: 2
Domain: 1
Algorithms:
base64
Languages:
javascript
07-11-2022
SocGholish Diversifies and Expands Its Malware Staging Infrastructure to Counter Defenders
https://www.sentinelone.com/labs/socgholish-diversifies-and-expands-its-malware-staging-infrastructure-to-counter-defenders
Actors/Campaigns:
Evil_corp
Threats:
Socgholish_loader
Cobalt_strike
Netsupportmanager_rat
Wastedlocker
Geo:
Netherlands, France
IOCs:
Url: 2
Domain: 1
Algorithms:
base64
Languages:
javascript
SentinelOne
SocGholish Diversifies and Expands Its Malware Staging Infrastructure to Counter Defenders
SocGholish operators continue to infect websites at a massive scale, and the threat actor is ramping up its infrastructure to match.
#ParsedReport
07-11-2022
6 Excel Emotet. EMOTET malware that is being distributed again through the Excel file in 6 months
https://asec.ahnlab.com/ko/41365
Threats:
Emotet
Malware/win.generic.c5291114
Industry:
Petroleum
IOCs:
File: 6
Path: 5
Hash: 4
Url: 4
Softs:
microsoft office
Platforms:
x64, x86
07-11-2022
6 Excel Emotet. EMOTET malware that is being distributed again through the Excel file in 6 months
https://asec.ahnlab.com/ko/41365
Threats:
Emotet
Malware/win.generic.c5291114
Industry:
Petroleum
IOCs:
File: 6
Path: 5
Hash: 4
Url: 4
Softs:
microsoft office
Platforms:
x64, x86
ASEC BLOG
6개월만에 Excel 파일을 통해 다시 유포 중인 Emotet 악성코드 - ASEC BLOG
ASEC 분석팀은 다양한 방식을 통해 변형되어 유포된 Emotet 악성코드에 대해 여러 차례 블로그를 통해 정보를 공개한 바 있다. 최근 Emotet 악성코드의 유포가 다시 활발해진 정황이 확인되었다. 마지막으로 활발한 유포 양상을 보이던 것부터 약 6개월이 지난 시점이며, 당시 유포되었던 Excel 파일과 어떤 부분이 달라졌는지 살펴보려고 한다. 무작위적인 이메일의 첨부파일을 통해 유포되는 것과, Excel 시트에 하얀색 텍스트로 여러 수식을 분산은닉한…
#ParsedReport
08-11-2022
LockBit 3.0 Being Distributed via Amadey Bot
https://asec.ahnlab.com/en/41450
Actors/Campaigns:
Ta505
Threats:
Amadey
Lockbit
Gandcrab
Flawedammyy
Clop
Smokeloader
Trojan/lnk.runner
Malware/win.generic.r531852
Delf
Ransom/mdp.decoy.m1171
Ransom/mdp.event.m1875
Ransom/mdp.behavior.m1946
Geo:
Korea, Korean
IOCs:
File: 8
Path: 7
Command: 2
Coin: 1
Hash: 8
Url: 7
Softs:
task scheduler
08-11-2022
LockBit 3.0 Being Distributed via Amadey Bot
https://asec.ahnlab.com/en/41450
Actors/Campaigns:
Ta505
Threats:
Amadey
Lockbit
Gandcrab
Flawedammyy
Clop
Smokeloader
Trojan/lnk.runner
Malware/win.generic.r531852
Delf
Ransom/mdp.decoy.m1171
Ransom/mdp.event.m1875
Ransom/mdp.behavior.m1946
Geo:
Korea, Korean
IOCs:
File: 8
Path: 7
Command: 2
Coin: 1
Hash: 8
Url: 7
Softs:
task scheduler
ASEC
LockBit 3.0 Being Distributed via Amadey Bot - ASEC
The ASEC analysis team has confirmed that attackers are using Amadey Bot to install LockBit. Amadey Bot, a malware that was first discovered in 2018, is capable of stealing information and installing additional malware by receiving commands from the attacker.…
#ParsedReport
08-11-2022
Blue Team Debriefing STEEP#MAVERICK Edition
https://www.securonix.com/blog/blue-team-debriefing-steepmaverick-edition
Actors/Campaigns:
Steep_maverick
Algorithms:
zip
Links:
08-11-2022
Blue Team Debriefing STEEP#MAVERICK Edition
https://www.securonix.com/blog/blue-team-debriefing-steepmaverick-edition
Actors/Campaigns:
Steep_maverick
Algorithms:
zip
Links:
https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.mdSecuronix
Blue Team Debriefing – STEEP#MAVERICK Edition
#ParsedReport
08-11-2022
CHAOS Ransomware YASHMA Wreaking Havoc
https://labs.k7computing.com/index.php/chaos-ransomware-yashma-wreaking-havoc
Threats:
Chaos
Yashma
Havoc
Industry:
Financial
Geo:
Azerbaijani, Turkish, India
IOCs:
Registry: 1
File: 2
Hash: 1
Softs:
telegram
Functions:
forbiddencountry, registryvalue, Value, sleep, stopbackupservices
08-11-2022
CHAOS Ransomware YASHMA Wreaking Havoc
https://labs.k7computing.com/index.php/chaos-ransomware-yashma-wreaking-havoc
Threats:
Chaos
Yashma
Havoc
Industry:
Financial
Geo:
Azerbaijani, Turkish, India
IOCs:
Registry: 1
File: 2
Hash: 1
Softs:
telegram
Functions:
forbiddencountry, registryvalue, Value, sleep, stopbackupservices
K7 Labs
CHAOS Ransomware YASHMA Wreaking Havoc
Of late, we noticed in the wild several variants of ransomware built using the Chaos Ransomware Builder. This blog is […]
#ParsedReport
08-11-2022
ASEC (20221031 \~ 20221106). ASEC Weekly Malware Statistics (20221031 \~ 20221106)
https://asec.ahnlab.com/ko/41426
Actors/Campaigns:
Ta505
Threats:
Beamwinhttp_loader
Garbage_cleaner
Agent_tesla
Azorult
Smokeloader
Smokerloader
Cloudeye
Postealer
Formbook
Remcos_rat
Nanocore_rat
Amadey
Lockbit
Gandcrab
Clop
Industry:
Transport
Geo:
Korea
IOCs:
File: 23
Domain: 9
Email: 1
Url: 10
Softs:
discord, telegram, nsis installer
Algorithms:
zip
Languages:
php, visual_basic
08-11-2022
ASEC (20221031 \~ 20221106). ASEC Weekly Malware Statistics (20221031 \~ 20221106)
https://asec.ahnlab.com/ko/41426
Actors/Campaigns:
Ta505
Threats:
Beamwinhttp_loader
Garbage_cleaner
Agent_tesla
Azorult
Smokeloader
Smokerloader
Cloudeye
Postealer
Formbook
Remcos_rat
Nanocore_rat
Amadey
Lockbit
Gandcrab
Clop
Industry:
Transport
Geo:
Korea
IOCs:
File: 23
Domain: 9
Email: 1
Url: 10
Softs:
discord, telegram, nsis installer
Algorithms:
zip
Languages:
php, visual_basic
ASEC BLOG
ASEC 주간 악성코드 통계 (20221031 ~ 20221106) - ASEC BLOG
ASEC 분석팀에서는 ASEC 자동 분석 시스템 RAPIT 을 활용하여 알려진 악성코드들에 대한 분류 및 대응을 진행하고 있다. 본 포스팅에서는 2022년 10월 31일 월요일부터 11월 6일 일요일까지 한 주간 수집된 악성코드의 통계를 정리한다. 대분류 상으로는 다운로더가 64.8%로 1위를 차지하였으며, 그 다음으로는 인포스틸러 악성코드가 25.9%, 백도어 6.6%, 랜섬웨어 2.2%, 코인마이너 0.4%로 집계되었다. Top 1 – BeamWinHTTP…
#ParsedReport
08-11-2022
Pro-Russian hacktivists targeting adversaries with Killnet ransomware
https://blog.cyble.com/2022/11/08/pro-russian-hacktivists-targeting-adversaries-with-killnet-ransomware
Actors/Campaigns:
Killnet (motivation: hacktivism)
Threats:
Chaos
Tsunami_botnet
Beacon
Industry:
Financial
Geo:
Georgia, Singapore, Dubai, Ukraine, India, Russia, Australia, Russian
TTPs:
Tactics: 3
Technics: 3
IOCs:
Coin: 1
Path: 1
File: 1
IP: 1
Hash: 1
Softs:
telegram
08-11-2022
Pro-Russian hacktivists targeting adversaries with Killnet ransomware
https://blog.cyble.com/2022/11/08/pro-russian-hacktivists-targeting-adversaries-with-killnet-ransomware
Actors/Campaigns:
Killnet (motivation: hacktivism)
Threats:
Chaos
Tsunami_botnet
Beacon
Industry:
Financial
Geo:
Georgia, Singapore, Dubai, Ukraine, India, Russia, Australia, Russian
TTPs:
Tactics: 3
Technics: 3
IOCs:
Coin: 1
Path: 1
File: 1
IP: 1
Hash: 1
Softs:
telegram
#ParsedReport
08-11-2022
DeimosC2: What SOC Analysts and Incident Responders Need to Know About This C&C Framework. Introduction
https://www.trendmicro.com/en_us/research/22/k/deimosc2-what-soc-analysts-and-incident-responders-need-to-know.html
Threats:
Deimosc2_tool
Cobalt_strike
Brc4_tool
Sliver_tool
Aresc2_tool
Poshc2_tool
Trevorc2_tool
Metasploit_tool
Phpsploit
Merlin_tool
Screengrab
Minidump_tool
Lsadump_tool
Ntdsdump
Nmap_tool
IOCs:
Domain: 1
File: 2
IP: 43
Softs:
debian, macos, android, ubuntu
Algorithms:
rsa-2048, aes
Links:
08-11-2022
DeimosC2: What SOC Analysts and Incident Responders Need to Know About This C&C Framework. Introduction
https://www.trendmicro.com/en_us/research/22/k/deimosc2-what-soc-analysts-and-incident-responders-need-to-know.html
Threats:
Deimosc2_tool
Cobalt_strike
Brc4_tool
Sliver_tool
Aresc2_tool
Poshc2_tool
Trevorc2_tool
Metasploit_tool
Phpsploit
Merlin_tool
Screengrab
Minidump_tool
Lsadump_tool
Ntdsdump
Nmap_tool
IOCs:
Domain: 1
File: 2
IP: 43
Softs:
debian, macos, android, ubuntu
Algorithms:
rsa-2048, aes
Links:
https://github.com/unixpickle/gobfuscatehttps://github.com/trendmicro/research/blob/main/deimosc2/deimosc2\_iocs.csvhttps://github.com/DeimosC2/DeimosC2/commit/4d4e3160219cfaffd1572eb6aa68470007c76fc1https://github.com/trendmicro/research/tree/main/deimosc2Trend Micro
DeimosC2: What SOC Analysts and Incident Responders Need to Know About This C&C Framework
This report provides defenders and security operations center teams with the technical details they need to know should they encounter the DeimosC2 C&C framework.
#ParsedReport
08-11-2022
, Dropper. Malware Bomb, Crack camouflage Dropper malware resumption resumption
https://asec.ahnlab.com/ko/41490
Threats:
Vidar_stealer
Raccoon_stealer
Record_breaker_stealer
Beamwinhttp_loader
IOCs:
File: 6
Hash: 5
Algorithms:
zip
08-11-2022
, Dropper. Malware Bomb, Crack camouflage Dropper malware resumption resumption
https://asec.ahnlab.com/ko/41490
Threats:
Vidar_stealer
Raccoon_stealer
Record_breaker_stealer
Beamwinhttp_loader
IOCs:
File: 6
Hash: 5
Algorithms:
zip
ASEC BLOG
악성코드 폭탄, 크랙 위장 Dropper 악성코드 유포 재개 - ASEC BLOG
한동안 유포가 중단되었던 크랙 위장 드로퍼 악성코드가 다시 활발하게 유포되고 있다. 해당 악성코드를 실행할 경우 동시에 수많은 악성코드에 감염된다. 악성코드 “폭탄”인 셈이다. 상용 프로그램의 크랙으로 위장한 악성코드 유포는 “단일 악성코드” 유형과 “드로퍼형 악성코드” 유형으로 양분되어 활발하게 유포되었다. ASEC 분석팀에서는 이러한 악성코드 유포를 상세히 모니터링 중이며 블로그 포스팅을 통해 여러 번 소개한 바 있다. 악성코드는 검색엔진에서 상위에…
#ParsedReport
08-11-2022
Massive YouTube Campaign Targeting Over 100 Applications to Deliver Info Stealer
https://blog.cyble.com/2022/11/08/massive-youtube-campaign-targeting-over-100-applications-to-deliver-info-stealer
Threats:
Pennywise
Redline_stealer
Vidar_stealer
Record_breaker_stealer
Sapphire
Avemaria_rat
Redrum
Raccoon_stealer
Beacon
Process_injection_technique
Process_hollowing_technique
Industry:
Entertainment, E-commerce, Financial
Geo:
Singapore, Australia, Dubai, Georgia, India
TTPs:
Tactics: 7
Technics: 14
IOCs:
Url: 9
IP: 1
Hash: 4
Softs:
autocad, adobe illustrator, photoshop
Languages:
rust
08-11-2022
Massive YouTube Campaign Targeting Over 100 Applications to Deliver Info Stealer
https://blog.cyble.com/2022/11/08/massive-youtube-campaign-targeting-over-100-applications-to-deliver-info-stealer
Threats:
Pennywise
Redline_stealer
Vidar_stealer
Record_breaker_stealer
Sapphire
Avemaria_rat
Redrum
Raccoon_stealer
Beacon
Process_injection_technique
Process_hollowing_technique
Industry:
Entertainment, E-commerce, Financial
Geo:
Singapore, Australia, Dubai, Georgia, India
TTPs:
Tactics: 7
Technics: 14
IOCs:
Url: 9
IP: 1
Hash: 4
Softs:
autocad, adobe illustrator, photoshop
Languages:
rust
Cyble
Massive YouTube Campaign Targeting Over 100 Applications to Deliver Info Stealer
Cyble Research and Intelligence Labs (CRIL) analyzes how Threat Actors use Phishing websites to deliver Info stealer via YouTube Tutorials.
#technique
Shennina is an automated host exploitation framework. The mission of the project is to fully automate the scanning, vulnerability scanning/analysis, and exploitation using Artificial Intelligence.
https://github.com/mazen160/shennina
Shennina is an automated host exploitation framework. The mission of the project is to fully automate the scanning, vulnerability scanning/analysis, and exploitation using Artificial Intelligence.
https://github.com/mazen160/shennina
GitHub
GitHub - mazen160/shennina: Automating Host Exploitation with AI
Automating Host Exploitation with AI. Contribute to mazen160/shennina development by creating an account on GitHub.
#ParsedReport
09-11-2022
Emotet returns Targeting Users Worldwide. Conclusion
https://blog.cyble.com/2022/11/09/emotet-returns-targeting-users-worldwide
Threats:
Emotet
Icedid
Bumblebee
Trickbot
Qakbot
Industry:
Financial
Geo:
India, Australia, Singapore, Georgia, Dubai
TTPs:
Tactics: 7
Technics: 12
IOCs:
Url: 8
IP: 20
Path: 2
File: 2
Hash: 5
Softs:
microsoft office, task scheduler
Algorithms:
zip
09-11-2022
Emotet returns Targeting Users Worldwide. Conclusion
https://blog.cyble.com/2022/11/09/emotet-returns-targeting-users-worldwide
Threats:
Emotet
Icedid
Bumblebee
Trickbot
Qakbot
Industry:
Financial
Geo:
India, Australia, Singapore, Georgia, Dubai
TTPs:
Tactics: 7
Technics: 12
IOCs:
Url: 8
IP: 20
Path: 2
File: 2
Hash: 5
Softs:
microsoft office, task scheduler
Algorithms:
zip
Cyble
Emotet returns Targeting Users Worldwide
CRIL analyzes the return of Emotet malware that spreads Bumblebee and IcedID malware to steal users' sensitive information.