#ParsedReport
08-11-2022
Pro-Russian hacktivists targeting adversaries with Killnet ransomware
https://blog.cyble.com/2022/11/08/pro-russian-hacktivists-targeting-adversaries-with-killnet-ransomware
Actors/Campaigns:
Killnet (motivation: hacktivism)
Threats:
Chaos
Tsunami_botnet
Beacon
Industry:
Financial
Geo:
Georgia, Singapore, Dubai, Ukraine, India, Russia, Australia, Russian
TTPs:
Tactics: 3
Technics: 3
IOCs:
Coin: 1
Path: 1
File: 1
IP: 1
Hash: 1
Softs:
telegram
08-11-2022
Pro-Russian hacktivists targeting adversaries with Killnet ransomware
https://blog.cyble.com/2022/11/08/pro-russian-hacktivists-targeting-adversaries-with-killnet-ransomware
Actors/Campaigns:
Killnet (motivation: hacktivism)
Threats:
Chaos
Tsunami_botnet
Beacon
Industry:
Financial
Geo:
Georgia, Singapore, Dubai, Ukraine, India, Russia, Australia, Russian
TTPs:
Tactics: 3
Technics: 3
IOCs:
Coin: 1
Path: 1
File: 1
IP: 1
Hash: 1
Softs:
telegram
#ParsedReport
08-11-2022
DeimosC2: What SOC Analysts and Incident Responders Need to Know About This C&C Framework. Introduction
https://www.trendmicro.com/en_us/research/22/k/deimosc2-what-soc-analysts-and-incident-responders-need-to-know.html
Threats:
Deimosc2_tool
Cobalt_strike
Brc4_tool
Sliver_tool
Aresc2_tool
Poshc2_tool
Trevorc2_tool
Metasploit_tool
Phpsploit
Merlin_tool
Screengrab
Minidump_tool
Lsadump_tool
Ntdsdump
Nmap_tool
IOCs:
Domain: 1
File: 2
IP: 43
Softs:
debian, macos, android, ubuntu
Algorithms:
rsa-2048, aes
Links:
08-11-2022
DeimosC2: What SOC Analysts and Incident Responders Need to Know About This C&C Framework. Introduction
https://www.trendmicro.com/en_us/research/22/k/deimosc2-what-soc-analysts-and-incident-responders-need-to-know.html
Threats:
Deimosc2_tool
Cobalt_strike
Brc4_tool
Sliver_tool
Aresc2_tool
Poshc2_tool
Trevorc2_tool
Metasploit_tool
Phpsploit
Merlin_tool
Screengrab
Minidump_tool
Lsadump_tool
Ntdsdump
Nmap_tool
IOCs:
Domain: 1
File: 2
IP: 43
Softs:
debian, macos, android, ubuntu
Algorithms:
rsa-2048, aes
Links:
https://github.com/unixpickle/gobfuscatehttps://github.com/trendmicro/research/blob/main/deimosc2/deimosc2\_iocs.csvhttps://github.com/DeimosC2/DeimosC2/commit/4d4e3160219cfaffd1572eb6aa68470007c76fc1https://github.com/trendmicro/research/tree/main/deimosc2Trend Micro
DeimosC2: What SOC Analysts and Incident Responders Need to Know About This C&C Framework
This report provides defenders and security operations center teams with the technical details they need to know should they encounter the DeimosC2 C&C framework.
#ParsedReport
08-11-2022
, Dropper. Malware Bomb, Crack camouflage Dropper malware resumption resumption
https://asec.ahnlab.com/ko/41490
Threats:
Vidar_stealer
Raccoon_stealer
Record_breaker_stealer
Beamwinhttp_loader
IOCs:
File: 6
Hash: 5
Algorithms:
zip
08-11-2022
, Dropper. Malware Bomb, Crack camouflage Dropper malware resumption resumption
https://asec.ahnlab.com/ko/41490
Threats:
Vidar_stealer
Raccoon_stealer
Record_breaker_stealer
Beamwinhttp_loader
IOCs:
File: 6
Hash: 5
Algorithms:
zip
ASEC BLOG
악성코드 폭탄, 크랙 위장 Dropper 악성코드 유포 재개 - ASEC BLOG
한동안 유포가 중단되었던 크랙 위장 드로퍼 악성코드가 다시 활발하게 유포되고 있다. 해당 악성코드를 실행할 경우 동시에 수많은 악성코드에 감염된다. 악성코드 “폭탄”인 셈이다. 상용 프로그램의 크랙으로 위장한 악성코드 유포는 “단일 악성코드” 유형과 “드로퍼형 악성코드” 유형으로 양분되어 활발하게 유포되었다. ASEC 분석팀에서는 이러한 악성코드 유포를 상세히 모니터링 중이며 블로그 포스팅을 통해 여러 번 소개한 바 있다. 악성코드는 검색엔진에서 상위에…
#ParsedReport
08-11-2022
Massive YouTube Campaign Targeting Over 100 Applications to Deliver Info Stealer
https://blog.cyble.com/2022/11/08/massive-youtube-campaign-targeting-over-100-applications-to-deliver-info-stealer
Threats:
Pennywise
Redline_stealer
Vidar_stealer
Record_breaker_stealer
Sapphire
Avemaria_rat
Redrum
Raccoon_stealer
Beacon
Process_injection_technique
Process_hollowing_technique
Industry:
Entertainment, E-commerce, Financial
Geo:
Singapore, Australia, Dubai, Georgia, India
TTPs:
Tactics: 7
Technics: 14
IOCs:
Url: 9
IP: 1
Hash: 4
Softs:
autocad, adobe illustrator, photoshop
Languages:
rust
08-11-2022
Massive YouTube Campaign Targeting Over 100 Applications to Deliver Info Stealer
https://blog.cyble.com/2022/11/08/massive-youtube-campaign-targeting-over-100-applications-to-deliver-info-stealer
Threats:
Pennywise
Redline_stealer
Vidar_stealer
Record_breaker_stealer
Sapphire
Avemaria_rat
Redrum
Raccoon_stealer
Beacon
Process_injection_technique
Process_hollowing_technique
Industry:
Entertainment, E-commerce, Financial
Geo:
Singapore, Australia, Dubai, Georgia, India
TTPs:
Tactics: 7
Technics: 14
IOCs:
Url: 9
IP: 1
Hash: 4
Softs:
autocad, adobe illustrator, photoshop
Languages:
rust
Cyble
Massive YouTube Campaign Targeting Over 100 Applications to Deliver Info Stealer
Cyble Research and Intelligence Labs (CRIL) analyzes how Threat Actors use Phishing websites to deliver Info stealer via YouTube Tutorials.
#technique
Shennina is an automated host exploitation framework. The mission of the project is to fully automate the scanning, vulnerability scanning/analysis, and exploitation using Artificial Intelligence.
https://github.com/mazen160/shennina
Shennina is an automated host exploitation framework. The mission of the project is to fully automate the scanning, vulnerability scanning/analysis, and exploitation using Artificial Intelligence.
https://github.com/mazen160/shennina
GitHub
GitHub - mazen160/shennina: Automating Host Exploitation with AI
Automating Host Exploitation with AI. Contribute to mazen160/shennina development by creating an account on GitHub.
#ParsedReport
09-11-2022
Emotet returns Targeting Users Worldwide. Conclusion
https://blog.cyble.com/2022/11/09/emotet-returns-targeting-users-worldwide
Threats:
Emotet
Icedid
Bumblebee
Trickbot
Qakbot
Industry:
Financial
Geo:
India, Australia, Singapore, Georgia, Dubai
TTPs:
Tactics: 7
Technics: 12
IOCs:
Url: 8
IP: 20
Path: 2
File: 2
Hash: 5
Softs:
microsoft office, task scheduler
Algorithms:
zip
09-11-2022
Emotet returns Targeting Users Worldwide. Conclusion
https://blog.cyble.com/2022/11/09/emotet-returns-targeting-users-worldwide
Threats:
Emotet
Icedid
Bumblebee
Trickbot
Qakbot
Industry:
Financial
Geo:
India, Australia, Singapore, Georgia, Dubai
TTPs:
Tactics: 7
Technics: 12
IOCs:
Url: 8
IP: 20
Path: 2
File: 2
Hash: 5
Softs:
microsoft office, task scheduler
Algorithms:
zip
Cyble
Emotet returns Targeting Users Worldwide
CRIL analyzes the return of Emotet malware that spreads Bumblebee and IcedID malware to steal users' sensitive information.
#ParsedReport
09-11-2022
BlackCat Ransomware: Tactics and Techniques From a Targeted Attack
https://www.netskope.com/blog/blackcat-ransomware-tactics-and-techniques-from-a-targeted-attack
Actors/Campaigns:
Blackcat
Darkside
Blackmatter
Fin12
Dev-0504
Threats:
Blackcat
Ryuk
Conti
Revil
Exmatter_tool
Teamviewer_tool
Wevtutil_tool
Redline_stealer
Lockbit
Industry:
Ics, Government
Geo:
Asia, Africa, Americas
TTPs:
Tactics: 11
Technics: 15
IOCs:
Command: 6
Path: 5
File: 13
Softs:
psexec, esxi, onenote, thebat, wordpad, discord
Algorithms:
aes, chacha20, aes-128, zip
Win API:
Sleep
Win Services:
agntsvc, dbeng50, dbsnmp, encsvc, infopath, isqlplussvc, mydesktopqos, mydesktopservice, ocautoupds, ocomm, have more...
Languages:
rust
Platforms:
x86, intel
Links:
09-11-2022
BlackCat Ransomware: Tactics and Techniques From a Targeted Attack
https://www.netskope.com/blog/blackcat-ransomware-tactics-and-techniques-from-a-targeted-attack
Actors/Campaigns:
Blackcat
Darkside
Blackmatter
Fin12
Dev-0504
Threats:
Blackcat
Ryuk
Conti
Revil
Exmatter_tool
Teamviewer_tool
Wevtutil_tool
Redline_stealer
Lockbit
Industry:
Ics, Government
Geo:
Asia, Africa, Americas
TTPs:
Tactics: 11
Technics: 15
IOCs:
Command: 6
Path: 5
File: 13
Softs:
psexec, esxi, onenote, thebat, wordpad, discord
Algorithms:
aes, chacha20, aes-128, zip
Win API:
Sleep
Win Services:
agntsvc, dbeng50, dbsnmp, encsvc, infopath, isqlplussvc, mydesktopqos, mydesktopservice, ocautoupds, ocomm, have more...
Languages:
rust
Platforms:
x86, intel
Links:
https://github.com/mkaring/ConfuserExhttps://github.com/f0wl/blackCatConfNetskope
BlackCat Ransomware: Tactics and Techniques From a Targeted Attack
Summary BlackCat (a.k.a. ALPHV and Noberus) is a Ransomware-as-a-Service (RaaS) group that emerged in November 2021, making headlines for being a
#ParsedReport
09-11-2022
Hired hand: Scammers mimic Saudi manpower provider
https://blog.group-ib.com/hired-hand
Industry:
Financial, Logistic, Government
Geo:
Mena
Softs:
telegram
09-11-2022
Hired hand: Scammers mimic Saudi manpower provider
https://blog.group-ib.com/hired-hand
Industry:
Financial, Logistic, Government
Geo:
Mena
Softs:
telegram
Group-IB
Hired hand: Scammers mimic Saudi manpower provider
Group-IB uncovers one thousand (and one) fake domains part of a scam campaign targeting users in KSA
#ParsedReport
09-11-2022
Amadey Bot: Ransomware Affiliates Spreading LockBit By Phishing Email
https://www.secureblink.com/threat-research/amadey-bot-ransomware-affiliates-spreading-lock-bit-by-phishing-email
Actors/Campaigns:
Ta505
Threats:
Amadey
Lockbit
Gandcrab
Clop
Flawedammyy
Smokeloader
Trojan/lnk.runner
Malware/win.generic.r531852
Delf
Ransom/mdp.decoy.m1171
Ransom/mdp.event.m1875
Ransom/mdp.behavior.m1946
Industry:
E-commerce
Geo:
Korea, Korean
IOCs:
File: 9
Path: 7
Command: 2
Coin: 1
Hash: 8
Url: 7
Softs:
task scheduler
09-11-2022
Amadey Bot: Ransomware Affiliates Spreading LockBit By Phishing Email
https://www.secureblink.com/threat-research/amadey-bot-ransomware-affiliates-spreading-lock-bit-by-phishing-email
Actors/Campaigns:
Ta505
Threats:
Amadey
Lockbit
Gandcrab
Clop
Flawedammyy
Smokeloader
Trojan/lnk.runner
Malware/win.generic.r531852
Delf
Ransom/mdp.decoy.m1171
Ransom/mdp.event.m1875
Ransom/mdp.behavior.m1946
Industry:
E-commerce
Geo:
Korea, Korean
IOCs:
File: 9
Path: 7
Command: 2
Coin: 1
Hash: 8
Url: 7
Softs:
task scheduler
Secureblink
Amadey Bot: Ransomware Affiliates Spreading LockBit By Phishing Email | Secure Blink
LockBit 3.0 Ransomware affiliates acting as a lure with phishing emails to deploy Amadey Bot across infected devices to take control...
#ParsedReport
09-11-2022
Sanctioned deals: the Irano-Russian connection under Ankara's supervision. Analysis of the NPPD leak
https://blog.cluster25.duskrise.com/2022/11/07/irano-russian-connection-nppd-leak
Actors/Campaigns:
Black_reward (motivation: hacktivism)
Irgc (motivation: hacktivism)
Carbanak
Threats:
Dharma
Mimikatz_tool
Phorpiex
Adwind_rat
Formbook
Suppobox
Narilam
Kuluoz
Industry:
Government, Petroleum, Financial, Nuclear_power, Transport, Energy, Logistic
Geo:
Russian, India, Azerbaijan, Russia, Asia, Iran, Turkish, Iranian, Turkey, Ankara, Tehran, Teheran, Ukrainian, Moscow
IOCs:
Hash: 19
Softs:
windows registry, ms sql
Languages:
autoit, php, java
Platforms:
intel
09-11-2022
Sanctioned deals: the Irano-Russian connection under Ankara's supervision. Analysis of the NPPD leak
https://blog.cluster25.duskrise.com/2022/11/07/irano-russian-connection-nppd-leak
Actors/Campaigns:
Black_reward (motivation: hacktivism)
Irgc (motivation: hacktivism)
Carbanak
Threats:
Dharma
Mimikatz_tool
Phorpiex
Adwind_rat
Formbook
Suppobox
Narilam
Kuluoz
Industry:
Government, Petroleum, Financial, Nuclear_power, Transport, Energy, Logistic
Geo:
Russian, India, Azerbaijan, Russia, Asia, Iran, Turkish, Iranian, Turkey, Ankara, Tehran, Teheran, Ukrainian, Moscow
IOCs:
Hash: 19
Softs:
windows registry, ms sql
Languages:
autoit, php, java
Platforms:
intel
#ParsedReport
09-11-2022
. Vajrayana organization uses false social chat software to start fishing attacks on Pakistani military personnel
https://mp.weixin.qq.com/s/103MfZHdQ9lWlM6rSLfqcA
Actors/Campaigns:
Apt37
Threats:
Hyperssl
Ahmyth_rat
Industry:
Government, Healthcare
Geo:
Pakistan, India, Chinese, Pakistani, Asian, Nepal
IOCs:
File: 10
Softs:
android
09-11-2022
. Vajrayana organization uses false social chat software to start fishing attacks on Pakistani military personnel
https://mp.weixin.qq.com/s/103MfZHdQ9lWlM6rSLfqcA
Actors/Campaigns:
Apt37
Threats:
Hyperssl
Ahmyth_rat
Industry:
Government, Healthcare
Geo:
Pakistan, India, Chinese, Pakistani, Asian, Nepal
IOCs:
File: 10
Softs:
android
Weixin Official Accounts Platform
金刚象组织利用虚假的社交聊天软件对巴基斯坦军方人员展开钓鱼攻击
金刚象近期移动端攻击活动披露!
#ParsedReport
09-11-2022
The Case of Cloud9 Chrome Botnet
https://www.zimperium.com/blog/the-case-of-cloud9-chrome-botnet
Actors/Campaigns:
Keksec
Threats:
Cloud9_botnet
Industry:
Energy
CVEs:
CVE-2016-7200 [Vulners]
Vulners: Score: 7.6, CVSS: 6.9,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft edge (*)
CVE-2019-11708 [Vulners]
Vulners: Score: 10.0, CVSS: 4.2,
Vulners: Exploitation: True
X-Force: Risk: 6.3
X-Force: Patch: Official fix
Soft:
- mozilla firefox esr (<60.7.2)
- mozilla firefox (<67.0.4)
- mozilla thunderbird (<60.7.2)
CVE-2016-0189 [Vulners]
Vulners: Score: 7.6, CVSS: 6.7,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft jscript (5.8)
- microsoft vbscript (5.8, 5.7)
CVE-2019-9810 [Vulners]
Vulners: Score: 6.8, CVSS: 3.9,
Vulners: Exploitation: Unknown
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- mozilla firefox (<66.0.1)
- mozilla firefox esr (<60.6.1)
- mozilla thunderbird (<60.6.1)
- redhat enterprise linux (8.0)
- redhat enterprise linux eus (8.1, 8.2, 8.4)
have more...
CVE-2014-6332 [Vulners]
Vulners: Score: 9.3, CVSS: 6.5,
Vulners: Exploitation: True
X-Force: Risk: 9.3
X-Force: Patch: Official fix
Soft:
- microsoft windows server 2008 (r2, r2, -)
- microsoft windows 7 (-)
- microsoft windows vista (-)
- microsoft windows rt (-)
- microsoft windows rt 8.1 (-)
have more...
IOCs:
File: 7
IP: 2
Hash: 6
Softs:
chrome, google chrome, internet explorer
Languages:
javascript
09-11-2022
The Case of Cloud9 Chrome Botnet
https://www.zimperium.com/blog/the-case-of-cloud9-chrome-botnet
Actors/Campaigns:
Keksec
Threats:
Cloud9_botnet
Industry:
Energy
CVEs:
CVE-2016-7200 [Vulners]
Vulners: Score: 7.6, CVSS: 6.9,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft edge (*)
CVE-2019-11708 [Vulners]
Vulners: Score: 10.0, CVSS: 4.2,
Vulners: Exploitation: True
X-Force: Risk: 6.3
X-Force: Patch: Official fix
Soft:
- mozilla firefox esr (<60.7.2)
- mozilla firefox (<67.0.4)
- mozilla thunderbird (<60.7.2)
CVE-2016-0189 [Vulners]
Vulners: Score: 7.6, CVSS: 6.7,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft jscript (5.8)
- microsoft vbscript (5.8, 5.7)
CVE-2019-9810 [Vulners]
Vulners: Score: 6.8, CVSS: 3.9,
Vulners: Exploitation: Unknown
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- mozilla firefox (<66.0.1)
- mozilla firefox esr (<60.6.1)
- mozilla thunderbird (<60.6.1)
- redhat enterprise linux (8.0)
- redhat enterprise linux eus (8.1, 8.2, 8.4)
have more...
CVE-2014-6332 [Vulners]
Vulners: Score: 9.3, CVSS: 6.5,
Vulners: Exploitation: True
X-Force: Risk: 9.3
X-Force: Patch: Official fix
Soft:
- microsoft windows server 2008 (r2, r2, -)
- microsoft windows 7 (-)
- microsoft windows vista (-)
- microsoft windows rt (-)
- microsoft windows rt 8.1 (-)
have more...
IOCs:
File: 7
IP: 2
Hash: 6
Softs:
chrome, google chrome, internet explorer
Languages:
javascript
Zimperium
The Case of Cloud9 Chrome Botnet - Zimperium
The Zimperium zLabs team recently discovered a malicious browser extension, originally called Cloud9, which not only steals the information available during the browser session but can also install malware on a user's device and subsequently assume control…
#ParsedReport
09-11-2022
Get a demo. The resurgence of the raccoon: Steps of a Raccoon Stealer v2 Infection (Part 2)
https://darktrace.com/blog/the-resurgence-of-the-raccoon-steps-of-a-raccoon-stealer-v2-infection-part-2
Threats:
Raccoon_stealer
Cryptbot_stealer
Geo:
Russia, Italy, Russian, Netherlands
IOCs:
Domain: 7
File: 11
Softs:
telegram, discord
Algorithms:
rc4
09-11-2022
Get a demo. The resurgence of the raccoon: Steps of a Raccoon Stealer v2 Infection (Part 2)
https://darktrace.com/blog/the-resurgence-of-the-raccoon-steps-of-a-raccoon-stealer-v2-infection-part-2
Threats:
Raccoon_stealer
Cryptbot_stealer
Geo:
Russia, Italy, Russian, Netherlands
IOCs:
Domain: 7
File: 11
Softs:
telegram, discord
Algorithms:
rc4
Darktrace
[Part 2] Typical Steps of a Raccoon Stealer v2 Infection
Since the release of version 2 of Raccoon Stealer, Darktrace’s SOC has observed a surge in activity. See the typical steps used by this new threat!
#ParsedReport
09-11-2022
Get a demo. The last of its kind: Analysis of a Raccoon Stealer v1 infection (Part 1)
https://darktrace.com/blog/the-last-of-its-kind-analysis-of-a-raccoon-stealer-v1-infection-part-1
Threats:
Raccoon_stealer
Dead_drop_technique
Industry:
Financial
IOCs:
Domain: 5
IP: 2
Hash: 4
File: 1
Softs:
telegram, discord
Algorithms:
base64, gzip, rc4, zip
09-11-2022
Get a demo. The last of its kind: Analysis of a Raccoon Stealer v1 infection (Part 1)
https://darktrace.com/blog/the-last-of-its-kind-analysis-of-a-raccoon-stealer-v1-infection-part-1
Threats:
Raccoon_stealer
Dead_drop_technique
Industry:
Financial
IOCs:
Domain: 5
IP: 2
Hash: 4
File: 1
Softs:
telegram, discord
Algorithms:
base64, gzip, rc4, zip
Darktrace
[Part 1] Analysis of a Raccoon Stealer v1 Infection | Darktrace Blog
Darktrace’s SOC team observed a fast-paced compromise involving Raccoon Stealer v1. See which steps the Raccoon Stealer v1 took to extract company data!
#ParsedReport
09-11-2022
DAGON LOCKER. Dagon Ransomware DAGON LOCKER
https://asec.ahnlab.com/ko/41577
Threats:
Dagon_locker
Quantum_locker
Mount_locker
Ransom/mdp.behavior.m1171
Ransom/mdp.behavior.m1946
IOCs:
File: 9
Hash: 2
Softs:
windows service
Algorithms:
rsa-2048, chacha20
Functions:
GetDriveTypew
Platforms:
x64
09-11-2022
DAGON LOCKER. Dagon Ransomware DAGON LOCKER
https://asec.ahnlab.com/ko/41577
Threats:
Dagon_locker
Quantum_locker
Mount_locker
Ransom/mdp.behavior.m1171
Ransom/mdp.behavior.m1946
IOCs:
File: 9
Hash: 2
Softs:
windows service
Algorithms:
rsa-2048, chacha20
Functions:
GetDriveTypew
Platforms:
x64
ASEC BLOG
다곤 랜섬웨어 DAGON LOCKER 유포 중 - ASEC BLOG
DAGON LOCKER 다곤 랜섬웨어(이하 DAGON 랜섬웨어) 국내 유포가 확인되었다. 안랩 ASD 인프라의 랜섬웨어 의심 행위 차단 이력으로 최초 발견되었으며, 지난 10월에는 국내 모 기관이 안랩에 악성 의심 파일로 접수하기도 하였다. DAGON 랜섬웨어의 주 유포 경로는 피싱 또는 이메일 첨부파일이지만 서비스형 랜섬웨어(Ransomware-as-a-Service)이기 때문에, 공격자에 따라 유포 경로와 공격 대상은 다양할 수 있다. DAGON 랜섬웨어는…
#ParsedReport
09-11-2022
Cisco Talos Intelligence Blog. Threat Spotlight: Cyber Criminal Adoption of IPFS for Phishing, Malware Campaigns
https://blog.talosintelligence.com/ipfs-abuse
Threats:
Agent_tesla
Upx_tool
Hannabi_grabber
Beacon
Industry:
Financial
Geo:
Turkish
IOCs:
Url: 1
Command: 4
Path: 7
File: 4
Registry: 2
Softs:
discord, curl, windows registry, chrome, mozilla firefox
Algorithms:
zip, base64
Languages:
python
Links:
09-11-2022
Cisco Talos Intelligence Blog. Threat Spotlight: Cyber Criminal Adoption of IPFS for Phishing, Malware Campaigns
https://blog.talosintelligence.com/ipfs-abuse
Threats:
Agent_tesla
Upx_tool
Hannabi_grabber
Beacon
Industry:
Financial
Geo:
Turkish
IOCs:
Url: 1
Command: 4
Path: 7
File: 4
Registry: 2
Softs:
discord, curl, windows registry, chrome, mozilla firefox
Algorithms:
zip, base64
Languages:
python
Links:
https://github.com/Cisco-Talos/IOCs/tree/main/2022/11https://github.com/Cisco-Talos/osquery\_queries/blob/master/win\_malware/malware\_hannabi\_file\_artifact.ymlCisco Talos Blog
Threat Spotlight: Cyber Criminal Adoption of IPFS for Phishing, Malware Campaigns
* The InterPlanetary File System (IPFS) is an emerging Web3 technology that is currently seeing widespread abuse by threat actors.
* Cisco Talos has observed multiple ongoing campaigns that leverage the IPFS network to host their malware payloads and phishing…
* Cisco Talos has observed multiple ongoing campaigns that leverage the IPFS network to host their malware payloads and phishing…
#ParsedReport
10-11-2022
Penetration and Distribution Method of Gwisin Attacker
https://asec.ahnlab.com/en/41565
Threats:
Gwisin
Watering_hole_technique
Nmap_tool
Geo:
Korean
TTPs:
Tactics: 1
Technics: 0
IOCs:
IP: 2
File: 6
Path: 1
Hash: 2
Functions:
service_issue
Languages:
python, php
Platforms:
x86
10-11-2022
Penetration and Distribution Method of Gwisin Attacker
https://asec.ahnlab.com/en/41565
Threats:
Gwisin
Watering_hole_technique
Nmap_tool
Geo:
Korean
TTPs:
Tactics: 1
Technics: 0
IOCs:
IP: 2
File: 6
Path: 1
Hash: 2
Functions:
service_issue
Languages:
python, php
Platforms:
x86
ASEC BLOG
Penetration and Distribution Method of Gwisin Attacker - ASEC BLOG
The attacker of Gwisin ransomware targets and penetrates the publicly available servers of companies. They then use the server as their foothold for distributing the ransomware into the internal infrastructure. It is known that the attacker uses various means…
#ParsedReport
10-11-2022
Distribution of Word File (External + RTF) Modified to Avoid Detection
https://asec.ahnlab.com/en/41472
Threats:
Lokibot_stealer
Agent_tesla
Trojan/win.generic.c5290118
Trojan/win.msil.r510204
Malware/mdp.download.m1881
Geo:
Korea
CVEs:
CVE-2017-11882 [Vulners]
Vulners: Score: 9.3, CVSS: 4.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft office (2013, 2010, 2016, 2007)
IOCs:
File: 1
Coin: 1
Hash: 3
Url: 11
Softs:
microsoft office
10-11-2022
Distribution of Word File (External + RTF) Modified to Avoid Detection
https://asec.ahnlab.com/en/41472
Threats:
Lokibot_stealer
Agent_tesla
Trojan/win.generic.c5290118
Trojan/win.msil.r510204
Malware/mdp.download.m1881
Geo:
Korea
CVEs:
CVE-2017-11882 [Vulners]
Vulners: Score: 9.3, CVSS: 4.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft office (2013, 2010, 2016, 2007)
IOCs:
File: 1
Coin: 1
Hash: 3
Url: 11
Softs:
microsoft office
ASEC
Distribution of Word File (External + RTF) Modified to Avoid Detection - ASEC
Distribution of Word File (External + RTF) Modified to Avoid Detection ASEC
#ParsedReport
10-11-2022
ASEC Weekly Malware Statistics (October 31st, 2022 November 6th, 2022)
https://asec.ahnlab.com/en/41650
Threats:
Beamwinhttp_loader
Garbage_cleaner
Agent_tesla
Smokeloader
Cloudeye
Formbook
Remcos_rat
Nanocore_rat
Amadey
Lockbit
Geo:
Korea
IOCs:
Domain: 9
Email: 1
File: 15
Url: 10
Softs:
discord, telegram, nsis installer, task scheduler
Languages:
visual_basic, php
10-11-2022
ASEC Weekly Malware Statistics (October 31st, 2022 November 6th, 2022)
https://asec.ahnlab.com/en/41650
Threats:
Beamwinhttp_loader
Garbage_cleaner
Agent_tesla
Smokeloader
Cloudeye
Formbook
Remcos_rat
Nanocore_rat
Amadey
Lockbit
Geo:
Korea
IOCs:
Domain: 9
Email: 1
File: 15
Url: 10
Softs:
discord, telegram, nsis installer, task scheduler
Languages:
visual_basic, php
ASEC
ASEC Weekly Malware Statistics (October 31st, 2022 – November 6th, 2022) - ASEC
ASEC Weekly Malware Statistics (October 31st, 2022 – November 6th, 2022) ASEC
#ParsedReport
10-11-2022
PNG Steganography Hides Backdoor. Conclusion
https://decoded.avast.io/martinchlumecky/png-steganography/?utm_source=rss&utm_medium=rss&utm_campaign=png-steganography
Actors/Campaigns:
Worok (motivation: cyber_espionage)
Threats:
Dll_hijacking_technique
Dropboxcontrol
Proxyshell_vuln
Clrloader
Pngloader
Powheartbeat
Industry:
Government, Energy
Geo:
America, Mexico, Asia, Cambodia, Russia, Vietnam, Africa
IOCs:
File: 14
Path: 5
Command: 1
Hash: 4
Softs:
windows service, microsoft visual c++, internet explorer
Algorithms:
gzip, xor
Functions:
DropBoxControl
Win API:
WmiApSrv, LoadLibraryExW, CorBindToRuntimeEx
Languages:
jscript
10-11-2022
PNG Steganography Hides Backdoor. Conclusion
https://decoded.avast.io/martinchlumecky/png-steganography/?utm_source=rss&utm_medium=rss&utm_campaign=png-steganography
Actors/Campaigns:
Worok (motivation: cyber_espionage)
Threats:
Dll_hijacking_technique
Dropboxcontrol
Proxyshell_vuln
Clrloader
Pngloader
Powheartbeat
Industry:
Government, Energy
Geo:
America, Mexico, Asia, Cambodia, Russia, Vietnam, Africa
IOCs:
File: 14
Path: 5
Command: 1
Hash: 4
Softs:
windows service, microsoft visual c++, internet explorer
Algorithms:
gzip, xor
Functions:
DropBoxControl
Win API:
WmiApSrv, LoadLibraryExW, CorBindToRuntimeEx
Languages:
jscript
Gendigital
PNG Steganography Hides Backdoor
Unveiling Advanced PNG Steganography in Worok Malware Campaign
#ParsedReport
10-11-2022
New Phishing Technique Targeting Over 20 Crypto Wallets
https://www.netskope.com/blog/new-phishing-technique-targeting-over-20-crypto-wallets
Industry:
Financial
IOCs:
Url: 1
Softs:
coinbase
10-11-2022
New Phishing Technique Targeting Over 20 Crypto Wallets
https://www.netskope.com/blog/new-phishing-technique-targeting-over-20-crypto-wallets
Industry:
Financial
IOCs:
Url: 1
Softs:
coinbase
Netskope
New Phishing Technique Targeting Over 20 Crypto Wallets
Overview of the Netlify Scam Netskope Threat Labs spotted a new crypto-phishing attack that aims to steal sensitive data from crypto wallets, including