#technique
Shennina is an automated host exploitation framework. The mission of the project is to fully automate the scanning, vulnerability scanning/analysis, and exploitation using Artificial Intelligence.
https://github.com/mazen160/shennina
Shennina is an automated host exploitation framework. The mission of the project is to fully automate the scanning, vulnerability scanning/analysis, and exploitation using Artificial Intelligence.
https://github.com/mazen160/shennina
GitHub
GitHub - mazen160/shennina: Automating Host Exploitation with AI
Automating Host Exploitation with AI. Contribute to mazen160/shennina development by creating an account on GitHub.
#ParsedReport
09-11-2022
Emotet returns Targeting Users Worldwide. Conclusion
https://blog.cyble.com/2022/11/09/emotet-returns-targeting-users-worldwide
Threats:
Emotet
Icedid
Bumblebee
Trickbot
Qakbot
Industry:
Financial
Geo:
India, Australia, Singapore, Georgia, Dubai
TTPs:
Tactics: 7
Technics: 12
IOCs:
Url: 8
IP: 20
Path: 2
File: 2
Hash: 5
Softs:
microsoft office, task scheduler
Algorithms:
zip
09-11-2022
Emotet returns Targeting Users Worldwide. Conclusion
https://blog.cyble.com/2022/11/09/emotet-returns-targeting-users-worldwide
Threats:
Emotet
Icedid
Bumblebee
Trickbot
Qakbot
Industry:
Financial
Geo:
India, Australia, Singapore, Georgia, Dubai
TTPs:
Tactics: 7
Technics: 12
IOCs:
Url: 8
IP: 20
Path: 2
File: 2
Hash: 5
Softs:
microsoft office, task scheduler
Algorithms:
zip
Cyble
Emotet returns Targeting Users Worldwide
CRIL analyzes the return of Emotet malware that spreads Bumblebee and IcedID malware to steal users' sensitive information.
#ParsedReport
09-11-2022
BlackCat Ransomware: Tactics and Techniques From a Targeted Attack
https://www.netskope.com/blog/blackcat-ransomware-tactics-and-techniques-from-a-targeted-attack
Actors/Campaigns:
Blackcat
Darkside
Blackmatter
Fin12
Dev-0504
Threats:
Blackcat
Ryuk
Conti
Revil
Exmatter_tool
Teamviewer_tool
Wevtutil_tool
Redline_stealer
Lockbit
Industry:
Ics, Government
Geo:
Asia, Africa, Americas
TTPs:
Tactics: 11
Technics: 15
IOCs:
Command: 6
Path: 5
File: 13
Softs:
psexec, esxi, onenote, thebat, wordpad, discord
Algorithms:
aes, chacha20, aes-128, zip
Win API:
Sleep
Win Services:
agntsvc, dbeng50, dbsnmp, encsvc, infopath, isqlplussvc, mydesktopqos, mydesktopservice, ocautoupds, ocomm, have more...
Languages:
rust
Platforms:
x86, intel
Links:
09-11-2022
BlackCat Ransomware: Tactics and Techniques From a Targeted Attack
https://www.netskope.com/blog/blackcat-ransomware-tactics-and-techniques-from-a-targeted-attack
Actors/Campaigns:
Blackcat
Darkside
Blackmatter
Fin12
Dev-0504
Threats:
Blackcat
Ryuk
Conti
Revil
Exmatter_tool
Teamviewer_tool
Wevtutil_tool
Redline_stealer
Lockbit
Industry:
Ics, Government
Geo:
Asia, Africa, Americas
TTPs:
Tactics: 11
Technics: 15
IOCs:
Command: 6
Path: 5
File: 13
Softs:
psexec, esxi, onenote, thebat, wordpad, discord
Algorithms:
aes, chacha20, aes-128, zip
Win API:
Sleep
Win Services:
agntsvc, dbeng50, dbsnmp, encsvc, infopath, isqlplussvc, mydesktopqos, mydesktopservice, ocautoupds, ocomm, have more...
Languages:
rust
Platforms:
x86, intel
Links:
https://github.com/mkaring/ConfuserExhttps://github.com/f0wl/blackCatConfNetskope
BlackCat Ransomware: Tactics and Techniques From a Targeted Attack
Summary BlackCat (a.k.a. ALPHV and Noberus) is a Ransomware-as-a-Service (RaaS) group that emerged in November 2021, making headlines for being a
#ParsedReport
09-11-2022
Hired hand: Scammers mimic Saudi manpower provider
https://blog.group-ib.com/hired-hand
Industry:
Financial, Logistic, Government
Geo:
Mena
Softs:
telegram
09-11-2022
Hired hand: Scammers mimic Saudi manpower provider
https://blog.group-ib.com/hired-hand
Industry:
Financial, Logistic, Government
Geo:
Mena
Softs:
telegram
Group-IB
Hired hand: Scammers mimic Saudi manpower provider
Group-IB uncovers one thousand (and one) fake domains part of a scam campaign targeting users in KSA
#ParsedReport
09-11-2022
Amadey Bot: Ransomware Affiliates Spreading LockBit By Phishing Email
https://www.secureblink.com/threat-research/amadey-bot-ransomware-affiliates-spreading-lock-bit-by-phishing-email
Actors/Campaigns:
Ta505
Threats:
Amadey
Lockbit
Gandcrab
Clop
Flawedammyy
Smokeloader
Trojan/lnk.runner
Malware/win.generic.r531852
Delf
Ransom/mdp.decoy.m1171
Ransom/mdp.event.m1875
Ransom/mdp.behavior.m1946
Industry:
E-commerce
Geo:
Korea, Korean
IOCs:
File: 9
Path: 7
Command: 2
Coin: 1
Hash: 8
Url: 7
Softs:
task scheduler
09-11-2022
Amadey Bot: Ransomware Affiliates Spreading LockBit By Phishing Email
https://www.secureblink.com/threat-research/amadey-bot-ransomware-affiliates-spreading-lock-bit-by-phishing-email
Actors/Campaigns:
Ta505
Threats:
Amadey
Lockbit
Gandcrab
Clop
Flawedammyy
Smokeloader
Trojan/lnk.runner
Malware/win.generic.r531852
Delf
Ransom/mdp.decoy.m1171
Ransom/mdp.event.m1875
Ransom/mdp.behavior.m1946
Industry:
E-commerce
Geo:
Korea, Korean
IOCs:
File: 9
Path: 7
Command: 2
Coin: 1
Hash: 8
Url: 7
Softs:
task scheduler
Secureblink
Amadey Bot: Ransomware Affiliates Spreading LockBit By Phishing Email | Secure Blink
LockBit 3.0 Ransomware affiliates acting as a lure with phishing emails to deploy Amadey Bot across infected devices to take control...
#ParsedReport
09-11-2022
Sanctioned deals: the Irano-Russian connection under Ankara's supervision. Analysis of the NPPD leak
https://blog.cluster25.duskrise.com/2022/11/07/irano-russian-connection-nppd-leak
Actors/Campaigns:
Black_reward (motivation: hacktivism)
Irgc (motivation: hacktivism)
Carbanak
Threats:
Dharma
Mimikatz_tool
Phorpiex
Adwind_rat
Formbook
Suppobox
Narilam
Kuluoz
Industry:
Government, Petroleum, Financial, Nuclear_power, Transport, Energy, Logistic
Geo:
Russian, India, Azerbaijan, Russia, Asia, Iran, Turkish, Iranian, Turkey, Ankara, Tehran, Teheran, Ukrainian, Moscow
IOCs:
Hash: 19
Softs:
windows registry, ms sql
Languages:
autoit, php, java
Platforms:
intel
09-11-2022
Sanctioned deals: the Irano-Russian connection under Ankara's supervision. Analysis of the NPPD leak
https://blog.cluster25.duskrise.com/2022/11/07/irano-russian-connection-nppd-leak
Actors/Campaigns:
Black_reward (motivation: hacktivism)
Irgc (motivation: hacktivism)
Carbanak
Threats:
Dharma
Mimikatz_tool
Phorpiex
Adwind_rat
Formbook
Suppobox
Narilam
Kuluoz
Industry:
Government, Petroleum, Financial, Nuclear_power, Transport, Energy, Logistic
Geo:
Russian, India, Azerbaijan, Russia, Asia, Iran, Turkish, Iranian, Turkey, Ankara, Tehran, Teheran, Ukrainian, Moscow
IOCs:
Hash: 19
Softs:
windows registry, ms sql
Languages:
autoit, php, java
Platforms:
intel
#ParsedReport
09-11-2022
. Vajrayana organization uses false social chat software to start fishing attacks on Pakistani military personnel
https://mp.weixin.qq.com/s/103MfZHdQ9lWlM6rSLfqcA
Actors/Campaigns:
Apt37
Threats:
Hyperssl
Ahmyth_rat
Industry:
Government, Healthcare
Geo:
Pakistan, India, Chinese, Pakistani, Asian, Nepal
IOCs:
File: 10
Softs:
android
09-11-2022
. Vajrayana organization uses false social chat software to start fishing attacks on Pakistani military personnel
https://mp.weixin.qq.com/s/103MfZHdQ9lWlM6rSLfqcA
Actors/Campaigns:
Apt37
Threats:
Hyperssl
Ahmyth_rat
Industry:
Government, Healthcare
Geo:
Pakistan, India, Chinese, Pakistani, Asian, Nepal
IOCs:
File: 10
Softs:
android
Weixin Official Accounts Platform
金刚象组织利用虚假的社交聊天软件对巴基斯坦军方人员展开钓鱼攻击
金刚象近期移动端攻击活动披露!
#ParsedReport
09-11-2022
The Case of Cloud9 Chrome Botnet
https://www.zimperium.com/blog/the-case-of-cloud9-chrome-botnet
Actors/Campaigns:
Keksec
Threats:
Cloud9_botnet
Industry:
Energy
CVEs:
CVE-2016-7200 [Vulners]
Vulners: Score: 7.6, CVSS: 6.9,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft edge (*)
CVE-2019-11708 [Vulners]
Vulners: Score: 10.0, CVSS: 4.2,
Vulners: Exploitation: True
X-Force: Risk: 6.3
X-Force: Patch: Official fix
Soft:
- mozilla firefox esr (<60.7.2)
- mozilla firefox (<67.0.4)
- mozilla thunderbird (<60.7.2)
CVE-2016-0189 [Vulners]
Vulners: Score: 7.6, CVSS: 6.7,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft jscript (5.8)
- microsoft vbscript (5.8, 5.7)
CVE-2019-9810 [Vulners]
Vulners: Score: 6.8, CVSS: 3.9,
Vulners: Exploitation: Unknown
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- mozilla firefox (<66.0.1)
- mozilla firefox esr (<60.6.1)
- mozilla thunderbird (<60.6.1)
- redhat enterprise linux (8.0)
- redhat enterprise linux eus (8.1, 8.2, 8.4)
have more...
CVE-2014-6332 [Vulners]
Vulners: Score: 9.3, CVSS: 6.5,
Vulners: Exploitation: True
X-Force: Risk: 9.3
X-Force: Patch: Official fix
Soft:
- microsoft windows server 2008 (r2, r2, -)
- microsoft windows 7 (-)
- microsoft windows vista (-)
- microsoft windows rt (-)
- microsoft windows rt 8.1 (-)
have more...
IOCs:
File: 7
IP: 2
Hash: 6
Softs:
chrome, google chrome, internet explorer
Languages:
javascript
09-11-2022
The Case of Cloud9 Chrome Botnet
https://www.zimperium.com/blog/the-case-of-cloud9-chrome-botnet
Actors/Campaigns:
Keksec
Threats:
Cloud9_botnet
Industry:
Energy
CVEs:
CVE-2016-7200 [Vulners]
Vulners: Score: 7.6, CVSS: 6.9,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft edge (*)
CVE-2019-11708 [Vulners]
Vulners: Score: 10.0, CVSS: 4.2,
Vulners: Exploitation: True
X-Force: Risk: 6.3
X-Force: Patch: Official fix
Soft:
- mozilla firefox esr (<60.7.2)
- mozilla firefox (<67.0.4)
- mozilla thunderbird (<60.7.2)
CVE-2016-0189 [Vulners]
Vulners: Score: 7.6, CVSS: 6.7,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft jscript (5.8)
- microsoft vbscript (5.8, 5.7)
CVE-2019-9810 [Vulners]
Vulners: Score: 6.8, CVSS: 3.9,
Vulners: Exploitation: Unknown
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- mozilla firefox (<66.0.1)
- mozilla firefox esr (<60.6.1)
- mozilla thunderbird (<60.6.1)
- redhat enterprise linux (8.0)
- redhat enterprise linux eus (8.1, 8.2, 8.4)
have more...
CVE-2014-6332 [Vulners]
Vulners: Score: 9.3, CVSS: 6.5,
Vulners: Exploitation: True
X-Force: Risk: 9.3
X-Force: Patch: Official fix
Soft:
- microsoft windows server 2008 (r2, r2, -)
- microsoft windows 7 (-)
- microsoft windows vista (-)
- microsoft windows rt (-)
- microsoft windows rt 8.1 (-)
have more...
IOCs:
File: 7
IP: 2
Hash: 6
Softs:
chrome, google chrome, internet explorer
Languages:
javascript
Zimperium
The Case of Cloud9 Chrome Botnet - Zimperium
The Zimperium zLabs team recently discovered a malicious browser extension, originally called Cloud9, which not only steals the information available during the browser session but can also install malware on a user's device and subsequently assume control…
#ParsedReport
09-11-2022
Get a demo. The resurgence of the raccoon: Steps of a Raccoon Stealer v2 Infection (Part 2)
https://darktrace.com/blog/the-resurgence-of-the-raccoon-steps-of-a-raccoon-stealer-v2-infection-part-2
Threats:
Raccoon_stealer
Cryptbot_stealer
Geo:
Russia, Italy, Russian, Netherlands
IOCs:
Domain: 7
File: 11
Softs:
telegram, discord
Algorithms:
rc4
09-11-2022
Get a demo. The resurgence of the raccoon: Steps of a Raccoon Stealer v2 Infection (Part 2)
https://darktrace.com/blog/the-resurgence-of-the-raccoon-steps-of-a-raccoon-stealer-v2-infection-part-2
Threats:
Raccoon_stealer
Cryptbot_stealer
Geo:
Russia, Italy, Russian, Netherlands
IOCs:
Domain: 7
File: 11
Softs:
telegram, discord
Algorithms:
rc4
Darktrace
[Part 2] Typical Steps of a Raccoon Stealer v2 Infection
Since the release of version 2 of Raccoon Stealer, Darktrace’s SOC has observed a surge in activity. See the typical steps used by this new threat!
#ParsedReport
09-11-2022
Get a demo. The last of its kind: Analysis of a Raccoon Stealer v1 infection (Part 1)
https://darktrace.com/blog/the-last-of-its-kind-analysis-of-a-raccoon-stealer-v1-infection-part-1
Threats:
Raccoon_stealer
Dead_drop_technique
Industry:
Financial
IOCs:
Domain: 5
IP: 2
Hash: 4
File: 1
Softs:
telegram, discord
Algorithms:
base64, gzip, rc4, zip
09-11-2022
Get a demo. The last of its kind: Analysis of a Raccoon Stealer v1 infection (Part 1)
https://darktrace.com/blog/the-last-of-its-kind-analysis-of-a-raccoon-stealer-v1-infection-part-1
Threats:
Raccoon_stealer
Dead_drop_technique
Industry:
Financial
IOCs:
Domain: 5
IP: 2
Hash: 4
File: 1
Softs:
telegram, discord
Algorithms:
base64, gzip, rc4, zip
Darktrace
[Part 1] Analysis of a Raccoon Stealer v1 Infection | Darktrace Blog
Darktrace’s SOC team observed a fast-paced compromise involving Raccoon Stealer v1. See which steps the Raccoon Stealer v1 took to extract company data!
#ParsedReport
09-11-2022
DAGON LOCKER. Dagon Ransomware DAGON LOCKER
https://asec.ahnlab.com/ko/41577
Threats:
Dagon_locker
Quantum_locker
Mount_locker
Ransom/mdp.behavior.m1171
Ransom/mdp.behavior.m1946
IOCs:
File: 9
Hash: 2
Softs:
windows service
Algorithms:
rsa-2048, chacha20
Functions:
GetDriveTypew
Platforms:
x64
09-11-2022
DAGON LOCKER. Dagon Ransomware DAGON LOCKER
https://asec.ahnlab.com/ko/41577
Threats:
Dagon_locker
Quantum_locker
Mount_locker
Ransom/mdp.behavior.m1171
Ransom/mdp.behavior.m1946
IOCs:
File: 9
Hash: 2
Softs:
windows service
Algorithms:
rsa-2048, chacha20
Functions:
GetDriveTypew
Platforms:
x64
ASEC BLOG
다곤 랜섬웨어 DAGON LOCKER 유포 중 - ASEC BLOG
DAGON LOCKER 다곤 랜섬웨어(이하 DAGON 랜섬웨어) 국내 유포가 확인되었다. 안랩 ASD 인프라의 랜섬웨어 의심 행위 차단 이력으로 최초 발견되었으며, 지난 10월에는 국내 모 기관이 안랩에 악성 의심 파일로 접수하기도 하였다. DAGON 랜섬웨어의 주 유포 경로는 피싱 또는 이메일 첨부파일이지만 서비스형 랜섬웨어(Ransomware-as-a-Service)이기 때문에, 공격자에 따라 유포 경로와 공격 대상은 다양할 수 있다. DAGON 랜섬웨어는…
#ParsedReport
09-11-2022
Cisco Talos Intelligence Blog. Threat Spotlight: Cyber Criminal Adoption of IPFS for Phishing, Malware Campaigns
https://blog.talosintelligence.com/ipfs-abuse
Threats:
Agent_tesla
Upx_tool
Hannabi_grabber
Beacon
Industry:
Financial
Geo:
Turkish
IOCs:
Url: 1
Command: 4
Path: 7
File: 4
Registry: 2
Softs:
discord, curl, windows registry, chrome, mozilla firefox
Algorithms:
zip, base64
Languages:
python
Links:
09-11-2022
Cisco Talos Intelligence Blog. Threat Spotlight: Cyber Criminal Adoption of IPFS for Phishing, Malware Campaigns
https://blog.talosintelligence.com/ipfs-abuse
Threats:
Agent_tesla
Upx_tool
Hannabi_grabber
Beacon
Industry:
Financial
Geo:
Turkish
IOCs:
Url: 1
Command: 4
Path: 7
File: 4
Registry: 2
Softs:
discord, curl, windows registry, chrome, mozilla firefox
Algorithms:
zip, base64
Languages:
python
Links:
https://github.com/Cisco-Talos/IOCs/tree/main/2022/11https://github.com/Cisco-Talos/osquery\_queries/blob/master/win\_malware/malware\_hannabi\_file\_artifact.ymlCisco Talos Blog
Threat Spotlight: Cyber Criminal Adoption of IPFS for Phishing, Malware Campaigns
* The InterPlanetary File System (IPFS) is an emerging Web3 technology that is currently seeing widespread abuse by threat actors.
* Cisco Talos has observed multiple ongoing campaigns that leverage the IPFS network to host their malware payloads and phishing…
* Cisco Talos has observed multiple ongoing campaigns that leverage the IPFS network to host their malware payloads and phishing…
#ParsedReport
10-11-2022
Penetration and Distribution Method of Gwisin Attacker
https://asec.ahnlab.com/en/41565
Threats:
Gwisin
Watering_hole_technique
Nmap_tool
Geo:
Korean
TTPs:
Tactics: 1
Technics: 0
IOCs:
IP: 2
File: 6
Path: 1
Hash: 2
Functions:
service_issue
Languages:
python, php
Platforms:
x86
10-11-2022
Penetration and Distribution Method of Gwisin Attacker
https://asec.ahnlab.com/en/41565
Threats:
Gwisin
Watering_hole_technique
Nmap_tool
Geo:
Korean
TTPs:
Tactics: 1
Technics: 0
IOCs:
IP: 2
File: 6
Path: 1
Hash: 2
Functions:
service_issue
Languages:
python, php
Platforms:
x86
ASEC BLOG
Penetration and Distribution Method of Gwisin Attacker - ASEC BLOG
The attacker of Gwisin ransomware targets and penetrates the publicly available servers of companies. They then use the server as their foothold for distributing the ransomware into the internal infrastructure. It is known that the attacker uses various means…
#ParsedReport
10-11-2022
Distribution of Word File (External + RTF) Modified to Avoid Detection
https://asec.ahnlab.com/en/41472
Threats:
Lokibot_stealer
Agent_tesla
Trojan/win.generic.c5290118
Trojan/win.msil.r510204
Malware/mdp.download.m1881
Geo:
Korea
CVEs:
CVE-2017-11882 [Vulners]
Vulners: Score: 9.3, CVSS: 4.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft office (2013, 2010, 2016, 2007)
IOCs:
File: 1
Coin: 1
Hash: 3
Url: 11
Softs:
microsoft office
10-11-2022
Distribution of Word File (External + RTF) Modified to Avoid Detection
https://asec.ahnlab.com/en/41472
Threats:
Lokibot_stealer
Agent_tesla
Trojan/win.generic.c5290118
Trojan/win.msil.r510204
Malware/mdp.download.m1881
Geo:
Korea
CVEs:
CVE-2017-11882 [Vulners]
Vulners: Score: 9.3, CVSS: 4.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft office (2013, 2010, 2016, 2007)
IOCs:
File: 1
Coin: 1
Hash: 3
Url: 11
Softs:
microsoft office
ASEC
Distribution of Word File (External + RTF) Modified to Avoid Detection - ASEC
Distribution of Word File (External + RTF) Modified to Avoid Detection ASEC
#ParsedReport
10-11-2022
ASEC Weekly Malware Statistics (October 31st, 2022 November 6th, 2022)
https://asec.ahnlab.com/en/41650
Threats:
Beamwinhttp_loader
Garbage_cleaner
Agent_tesla
Smokeloader
Cloudeye
Formbook
Remcos_rat
Nanocore_rat
Amadey
Lockbit
Geo:
Korea
IOCs:
Domain: 9
Email: 1
File: 15
Url: 10
Softs:
discord, telegram, nsis installer, task scheduler
Languages:
visual_basic, php
10-11-2022
ASEC Weekly Malware Statistics (October 31st, 2022 November 6th, 2022)
https://asec.ahnlab.com/en/41650
Threats:
Beamwinhttp_loader
Garbage_cleaner
Agent_tesla
Smokeloader
Cloudeye
Formbook
Remcos_rat
Nanocore_rat
Amadey
Lockbit
Geo:
Korea
IOCs:
Domain: 9
Email: 1
File: 15
Url: 10
Softs:
discord, telegram, nsis installer, task scheduler
Languages:
visual_basic, php
ASEC
ASEC Weekly Malware Statistics (October 31st, 2022 – November 6th, 2022) - ASEC
ASEC Weekly Malware Statistics (October 31st, 2022 – November 6th, 2022) ASEC
#ParsedReport
10-11-2022
PNG Steganography Hides Backdoor. Conclusion
https://decoded.avast.io/martinchlumecky/png-steganography/?utm_source=rss&utm_medium=rss&utm_campaign=png-steganography
Actors/Campaigns:
Worok (motivation: cyber_espionage)
Threats:
Dll_hijacking_technique
Dropboxcontrol
Proxyshell_vuln
Clrloader
Pngloader
Powheartbeat
Industry:
Government, Energy
Geo:
America, Mexico, Asia, Cambodia, Russia, Vietnam, Africa
IOCs:
File: 14
Path: 5
Command: 1
Hash: 4
Softs:
windows service, microsoft visual c++, internet explorer
Algorithms:
gzip, xor
Functions:
DropBoxControl
Win API:
WmiApSrv, LoadLibraryExW, CorBindToRuntimeEx
Languages:
jscript
10-11-2022
PNG Steganography Hides Backdoor. Conclusion
https://decoded.avast.io/martinchlumecky/png-steganography/?utm_source=rss&utm_medium=rss&utm_campaign=png-steganography
Actors/Campaigns:
Worok (motivation: cyber_espionage)
Threats:
Dll_hijacking_technique
Dropboxcontrol
Proxyshell_vuln
Clrloader
Pngloader
Powheartbeat
Industry:
Government, Energy
Geo:
America, Mexico, Asia, Cambodia, Russia, Vietnam, Africa
IOCs:
File: 14
Path: 5
Command: 1
Hash: 4
Softs:
windows service, microsoft visual c++, internet explorer
Algorithms:
gzip, xor
Functions:
DropBoxControl
Win API:
WmiApSrv, LoadLibraryExW, CorBindToRuntimeEx
Languages:
jscript
Gendigital
PNG Steganography Hides Backdoor
Unveiling Advanced PNG Steganography in Worok Malware Campaign
#ParsedReport
10-11-2022
New Phishing Technique Targeting Over 20 Crypto Wallets
https://www.netskope.com/blog/new-phishing-technique-targeting-over-20-crypto-wallets
Industry:
Financial
IOCs:
Url: 1
Softs:
coinbase
10-11-2022
New Phishing Technique Targeting Over 20 Crypto Wallets
https://www.netskope.com/blog/new-phishing-technique-targeting-over-20-crypto-wallets
Industry:
Financial
IOCs:
Url: 1
Softs:
coinbase
Netskope
New Phishing Technique Targeting Over 20 Crypto Wallets
Overview of the Netlify Scam Netskope Threat Labs spotted a new crypto-phishing attack that aims to steal sensitive data from crypto wallets, including
#ParsedReport
10-11-2022
They See Me Roaming: Following APT29 by Taking a Deeper Look at Windows Credential Roaming
https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming
Actors/Campaigns:
Duke
Threats:
Mimikatz_tool
CVEs:
CVE-2022-30170 [Vulners]
Vulners: Score: Unknown, CVSS: 4.5,
Vulners: Exploitation: Unknown
X-Force: Risk: 7.3
X-Force: Patch: Official fix
Soft:
- microsoft windows server 2008 (r2, -)
- microsoft windows server 2012 (r2, -)
- microsoft windows 10 (1607, 1809, 21h1, -, 21h2, 20h2)
- microsoft windows 8.1 (-)
- microsoft windows server 2016 (-)
have more...
IOCs:
File: 3
Path: 1
Softs:
active directory, component object model
Languages:
python
Links:
10-11-2022
They See Me Roaming: Following APT29 by Taking a Deeper Look at Windows Credential Roaming
https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming
Actors/Campaigns:
Duke
Threats:
Mimikatz_tool
CVEs:
CVE-2022-30170 [Vulners]
Vulners: Score: Unknown, CVSS: 4.5,
Vulners: Exploitation: Unknown
X-Force: Risk: 7.3
X-Force: Patch: Official fix
Soft:
- microsoft windows server 2008 (r2, -)
- microsoft windows server 2012 (r2, -)
- microsoft windows 10 (1607, 1809, 21h1, -, 21h2, 20h2)
- microsoft windows 8.1 (-)
- microsoft windows server 2016 (-)
have more...
IOCs:
File: 3
Path: 1
Softs:
active directory, component object model
Languages:
python
Links:
https://github.com/openwall/john/blob/bleeding-jumbo/run/DPAPImk2john.pyhttps://github.com/mandiant/Vulnerability-Disclosures/blob/master/2022/MNDT-2022-0038/MNDT-2022-0038.mdGoogle Cloud Blog
They See Me Roaming: Following APT29 by Taking a Deeper Look at Windows Credential Roaming | Mandiant | Google Cloud Blog
#ParsedReport
10-11-2022
Rise of Banking Trojan Dropper in Google Play. Technical Details
https://www.zscaler.com/blogs/security-research/rise-banking-trojan-dropper-google-play-0
Threats:
Xenomorph
Hostile
Joker
Coper
Industry:
Financial
IOCs:
File: 3
Hash: 22
Url: 1
Domain: 2
Softs:
telegram
Algorithms:
rc4
10-11-2022
Rise of Banking Trojan Dropper in Google Play. Technical Details
https://www.zscaler.com/blogs/security-research/rise-banking-trojan-dropper-google-play-0
Threats:
Xenomorph
Hostile
Joker
Coper
Industry:
Financial
IOCs:
File: 3
Hash: 22
Url: 1
Domain: 2
Softs:
telegram
Algorithms:
rc4
Zscaler
Rise of Banking Trojan Dropper in Google Play | Zscaler
The Zscaler ThreatLabz team has recently discovered the Xenomorph banking trojan embedded in a Lifestyle app in the Google Play store. Read more.
#ParsedReport
10-11-2022
Hack the Real Box: APT41s New Subgroup Earth Longzhi
https://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html
Actors/Campaigns:
Axiom (motivation: cyber_criminal)
Earth_baku
Threats:
Cobalt_strike
Symaticloader
Process_injection_technique
Htran
Bigpipeloader
Outloader
Croxloader
Multipipeloader
Printnightmare_vuln
Mimikatz_tool
Lsadump_tool
Dcsync_technique
Industry:
Aerospace, Healthcare, Government, Financial
Geo:
China, Taiwan, Malaysia, Ukraine, Pakistan, Thailand, Indonesia, Asia, Chinese
CVEs:
CVE-2019-16098 [Vulners]
Vulners: Score: 7.2, CVSS: 5.1,
Vulners: Exploitation: Unknown
X-Force: Risk: 7.8
X-Force: Patch: Unavailable
Soft:
- msi afterburner (4.6.2.15658)
IOCs:
File: 12
Hash: 1
Algorithms:
base64, xor
Win API:
UpdateProcThreadAttribute, RtlDecompressBuffer, OpenProcess, PsSetCreateProcessNotifyRoutine, IoCreateDriver
Languages:
python
Platforms:
x64
Links:
10-11-2022
Hack the Real Box: APT41s New Subgroup Earth Longzhi
https://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html
Actors/Campaigns:
Axiom (motivation: cyber_criminal)
Earth_baku
Threats:
Cobalt_strike
Symaticloader
Process_injection_technique
Htran
Bigpipeloader
Outloader
Croxloader
Multipipeloader
Printnightmare_vuln
Mimikatz_tool
Lsadump_tool
Dcsync_technique
Industry:
Aerospace, Healthcare, Government, Financial
Geo:
China, Taiwan, Malaysia, Ukraine, Pakistan, Thailand, Indonesia, Asia, Chinese
CVEs:
CVE-2019-16098 [Vulners]
Vulners: Score: 7.2, CVSS: 5.1,
Vulners: Exploitation: Unknown
X-Force: Risk: 7.8
X-Force: Patch: Unavailable
Soft:
- msi afterburner (4.6.2.15658)
IOCs:
File: 12
Hash: 1
Algorithms:
base64, xor
Win API:
UpdateProcThreadAttribute, RtlDecompressBuffer, OpenProcess, PsSetCreateProcessNotifyRoutine, IoCreateDriver
Languages:
python
Platforms:
x64
Links:
https://github.com/itm4n/PrintSpoofer
https://github.com/HiwinCN/HTranTrend Micro
Hack the Real Box: APT41’s New Subgroup Earth Longzhi
We looked into the campaigns deployed by a new subgroup of advanced persistent threat (APT) group APT41, Earth Longzhi. This entry breaks down the technical details of the campaigns in full as presented at HITCON PEACE 2022 in August.
#ParsedReport
11-11-2022
Emotet Being Distributed Again via Excel Files After 6 Months
https://asec.ahnlab.com/en/41826
Threats:
Emotet
Malware/win.generic.c5291114
Geo:
Korea
IOCs:
Path: 5
File: 2
Hash: 4
Url: 4
Softs:
microsoft office
Platforms:
x86, x64
11-11-2022
Emotet Being Distributed Again via Excel Files After 6 Months
https://asec.ahnlab.com/en/41826
Threats:
Emotet
Malware/win.generic.c5291114
Geo:
Korea
IOCs:
Path: 5
File: 2
Hash: 4
Url: 4
Softs:
microsoft office
Platforms:
x86, x64
ASEC BLOG
Emotet Being Distributed Again via Excel Files After 6 Months - ASEC BLOG
Over multiple blog posts, the ASEC analysis team has released information on the distribution of Emotet which had been modified in many different ways. It has recently been identified that the Emotet malware has become active again. Around six months have…