#ParsedReport
09-11-2022
Cisco Talos Intelligence Blog. Threat Spotlight: Cyber Criminal Adoption of IPFS for Phishing, Malware Campaigns
https://blog.talosintelligence.com/ipfs-abuse
Threats:
Agent_tesla
Upx_tool
Hannabi_grabber
Beacon
Industry:
Financial
Geo:
Turkish
IOCs:
Url: 1
Command: 4
Path: 7
File: 4
Registry: 2
Softs:
discord, curl, windows registry, chrome, mozilla firefox
Algorithms:
zip, base64
Languages:
python
Links:
09-11-2022
Cisco Talos Intelligence Blog. Threat Spotlight: Cyber Criminal Adoption of IPFS for Phishing, Malware Campaigns
https://blog.talosintelligence.com/ipfs-abuse
Threats:
Agent_tesla
Upx_tool
Hannabi_grabber
Beacon
Industry:
Financial
Geo:
Turkish
IOCs:
Url: 1
Command: 4
Path: 7
File: 4
Registry: 2
Softs:
discord, curl, windows registry, chrome, mozilla firefox
Algorithms:
zip, base64
Languages:
python
Links:
https://github.com/Cisco-Talos/IOCs/tree/main/2022/11https://github.com/Cisco-Talos/osquery\_queries/blob/master/win\_malware/malware\_hannabi\_file\_artifact.ymlCisco Talos Blog
Threat Spotlight: Cyber Criminal Adoption of IPFS for Phishing, Malware Campaigns
* The InterPlanetary File System (IPFS) is an emerging Web3 technology that is currently seeing widespread abuse by threat actors.
* Cisco Talos has observed multiple ongoing campaigns that leverage the IPFS network to host their malware payloads and phishing…
* Cisco Talos has observed multiple ongoing campaigns that leverage the IPFS network to host their malware payloads and phishing…
#ParsedReport
10-11-2022
Penetration and Distribution Method of Gwisin Attacker
https://asec.ahnlab.com/en/41565
Threats:
Gwisin
Watering_hole_technique
Nmap_tool
Geo:
Korean
TTPs:
Tactics: 1
Technics: 0
IOCs:
IP: 2
File: 6
Path: 1
Hash: 2
Functions:
service_issue
Languages:
python, php
Platforms:
x86
10-11-2022
Penetration and Distribution Method of Gwisin Attacker
https://asec.ahnlab.com/en/41565
Threats:
Gwisin
Watering_hole_technique
Nmap_tool
Geo:
Korean
TTPs:
Tactics: 1
Technics: 0
IOCs:
IP: 2
File: 6
Path: 1
Hash: 2
Functions:
service_issue
Languages:
python, php
Platforms:
x86
ASEC BLOG
Penetration and Distribution Method of Gwisin Attacker - ASEC BLOG
The attacker of Gwisin ransomware targets and penetrates the publicly available servers of companies. They then use the server as their foothold for distributing the ransomware into the internal infrastructure. It is known that the attacker uses various means…
#ParsedReport
10-11-2022
Distribution of Word File (External + RTF) Modified to Avoid Detection
https://asec.ahnlab.com/en/41472
Threats:
Lokibot_stealer
Agent_tesla
Trojan/win.generic.c5290118
Trojan/win.msil.r510204
Malware/mdp.download.m1881
Geo:
Korea
CVEs:
CVE-2017-11882 [Vulners]
Vulners: Score: 9.3, CVSS: 4.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft office (2013, 2010, 2016, 2007)
IOCs:
File: 1
Coin: 1
Hash: 3
Url: 11
Softs:
microsoft office
10-11-2022
Distribution of Word File (External + RTF) Modified to Avoid Detection
https://asec.ahnlab.com/en/41472
Threats:
Lokibot_stealer
Agent_tesla
Trojan/win.generic.c5290118
Trojan/win.msil.r510204
Malware/mdp.download.m1881
Geo:
Korea
CVEs:
CVE-2017-11882 [Vulners]
Vulners: Score: 9.3, CVSS: 4.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft office (2013, 2010, 2016, 2007)
IOCs:
File: 1
Coin: 1
Hash: 3
Url: 11
Softs:
microsoft office
ASEC
Distribution of Word File (External + RTF) Modified to Avoid Detection - ASEC
Distribution of Word File (External + RTF) Modified to Avoid Detection ASEC
#ParsedReport
10-11-2022
ASEC Weekly Malware Statistics (October 31st, 2022 November 6th, 2022)
https://asec.ahnlab.com/en/41650
Threats:
Beamwinhttp_loader
Garbage_cleaner
Agent_tesla
Smokeloader
Cloudeye
Formbook
Remcos_rat
Nanocore_rat
Amadey
Lockbit
Geo:
Korea
IOCs:
Domain: 9
Email: 1
File: 15
Url: 10
Softs:
discord, telegram, nsis installer, task scheduler
Languages:
visual_basic, php
10-11-2022
ASEC Weekly Malware Statistics (October 31st, 2022 November 6th, 2022)
https://asec.ahnlab.com/en/41650
Threats:
Beamwinhttp_loader
Garbage_cleaner
Agent_tesla
Smokeloader
Cloudeye
Formbook
Remcos_rat
Nanocore_rat
Amadey
Lockbit
Geo:
Korea
IOCs:
Domain: 9
Email: 1
File: 15
Url: 10
Softs:
discord, telegram, nsis installer, task scheduler
Languages:
visual_basic, php
ASEC
ASEC Weekly Malware Statistics (October 31st, 2022 – November 6th, 2022) - ASEC
ASEC Weekly Malware Statistics (October 31st, 2022 – November 6th, 2022) ASEC
#ParsedReport
10-11-2022
PNG Steganography Hides Backdoor. Conclusion
https://decoded.avast.io/martinchlumecky/png-steganography/?utm_source=rss&utm_medium=rss&utm_campaign=png-steganography
Actors/Campaigns:
Worok (motivation: cyber_espionage)
Threats:
Dll_hijacking_technique
Dropboxcontrol
Proxyshell_vuln
Clrloader
Pngloader
Powheartbeat
Industry:
Government, Energy
Geo:
America, Mexico, Asia, Cambodia, Russia, Vietnam, Africa
IOCs:
File: 14
Path: 5
Command: 1
Hash: 4
Softs:
windows service, microsoft visual c++, internet explorer
Algorithms:
gzip, xor
Functions:
DropBoxControl
Win API:
WmiApSrv, LoadLibraryExW, CorBindToRuntimeEx
Languages:
jscript
10-11-2022
PNG Steganography Hides Backdoor. Conclusion
https://decoded.avast.io/martinchlumecky/png-steganography/?utm_source=rss&utm_medium=rss&utm_campaign=png-steganography
Actors/Campaigns:
Worok (motivation: cyber_espionage)
Threats:
Dll_hijacking_technique
Dropboxcontrol
Proxyshell_vuln
Clrloader
Pngloader
Powheartbeat
Industry:
Government, Energy
Geo:
America, Mexico, Asia, Cambodia, Russia, Vietnam, Africa
IOCs:
File: 14
Path: 5
Command: 1
Hash: 4
Softs:
windows service, microsoft visual c++, internet explorer
Algorithms:
gzip, xor
Functions:
DropBoxControl
Win API:
WmiApSrv, LoadLibraryExW, CorBindToRuntimeEx
Languages:
jscript
Gendigital
PNG Steganography Hides Backdoor
Unveiling Advanced PNG Steganography in Worok Malware Campaign
#ParsedReport
10-11-2022
New Phishing Technique Targeting Over 20 Crypto Wallets
https://www.netskope.com/blog/new-phishing-technique-targeting-over-20-crypto-wallets
Industry:
Financial
IOCs:
Url: 1
Softs:
coinbase
10-11-2022
New Phishing Technique Targeting Over 20 Crypto Wallets
https://www.netskope.com/blog/new-phishing-technique-targeting-over-20-crypto-wallets
Industry:
Financial
IOCs:
Url: 1
Softs:
coinbase
Netskope
New Phishing Technique Targeting Over 20 Crypto Wallets
Overview of the Netlify Scam Netskope Threat Labs spotted a new crypto-phishing attack that aims to steal sensitive data from crypto wallets, including
#ParsedReport
10-11-2022
They See Me Roaming: Following APT29 by Taking a Deeper Look at Windows Credential Roaming
https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming
Actors/Campaigns:
Duke
Threats:
Mimikatz_tool
CVEs:
CVE-2022-30170 [Vulners]
Vulners: Score: Unknown, CVSS: 4.5,
Vulners: Exploitation: Unknown
X-Force: Risk: 7.3
X-Force: Patch: Official fix
Soft:
- microsoft windows server 2008 (r2, -)
- microsoft windows server 2012 (r2, -)
- microsoft windows 10 (1607, 1809, 21h1, -, 21h2, 20h2)
- microsoft windows 8.1 (-)
- microsoft windows server 2016 (-)
have more...
IOCs:
File: 3
Path: 1
Softs:
active directory, component object model
Languages:
python
Links:
10-11-2022
They See Me Roaming: Following APT29 by Taking a Deeper Look at Windows Credential Roaming
https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming
Actors/Campaigns:
Duke
Threats:
Mimikatz_tool
CVEs:
CVE-2022-30170 [Vulners]
Vulners: Score: Unknown, CVSS: 4.5,
Vulners: Exploitation: Unknown
X-Force: Risk: 7.3
X-Force: Patch: Official fix
Soft:
- microsoft windows server 2008 (r2, -)
- microsoft windows server 2012 (r2, -)
- microsoft windows 10 (1607, 1809, 21h1, -, 21h2, 20h2)
- microsoft windows 8.1 (-)
- microsoft windows server 2016 (-)
have more...
IOCs:
File: 3
Path: 1
Softs:
active directory, component object model
Languages:
python
Links:
https://github.com/openwall/john/blob/bleeding-jumbo/run/DPAPImk2john.pyhttps://github.com/mandiant/Vulnerability-Disclosures/blob/master/2022/MNDT-2022-0038/MNDT-2022-0038.mdGoogle Cloud Blog
They See Me Roaming: Following APT29 by Taking a Deeper Look at Windows Credential Roaming | Mandiant | Google Cloud Blog
#ParsedReport
10-11-2022
Rise of Banking Trojan Dropper in Google Play. Technical Details
https://www.zscaler.com/blogs/security-research/rise-banking-trojan-dropper-google-play-0
Threats:
Xenomorph
Hostile
Joker
Coper
Industry:
Financial
IOCs:
File: 3
Hash: 22
Url: 1
Domain: 2
Softs:
telegram
Algorithms:
rc4
10-11-2022
Rise of Banking Trojan Dropper in Google Play. Technical Details
https://www.zscaler.com/blogs/security-research/rise-banking-trojan-dropper-google-play-0
Threats:
Xenomorph
Hostile
Joker
Coper
Industry:
Financial
IOCs:
File: 3
Hash: 22
Url: 1
Domain: 2
Softs:
telegram
Algorithms:
rc4
Zscaler
Rise of Banking Trojan Dropper in Google Play | Zscaler
The Zscaler ThreatLabz team has recently discovered the Xenomorph banking trojan embedded in a Lifestyle app in the Google Play store. Read more.
#ParsedReport
10-11-2022
Hack the Real Box: APT41s New Subgroup Earth Longzhi
https://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html
Actors/Campaigns:
Axiom (motivation: cyber_criminal)
Earth_baku
Threats:
Cobalt_strike
Symaticloader
Process_injection_technique
Htran
Bigpipeloader
Outloader
Croxloader
Multipipeloader
Printnightmare_vuln
Mimikatz_tool
Lsadump_tool
Dcsync_technique
Industry:
Aerospace, Healthcare, Government, Financial
Geo:
China, Taiwan, Malaysia, Ukraine, Pakistan, Thailand, Indonesia, Asia, Chinese
CVEs:
CVE-2019-16098 [Vulners]
Vulners: Score: 7.2, CVSS: 5.1,
Vulners: Exploitation: Unknown
X-Force: Risk: 7.8
X-Force: Patch: Unavailable
Soft:
- msi afterburner (4.6.2.15658)
IOCs:
File: 12
Hash: 1
Algorithms:
base64, xor
Win API:
UpdateProcThreadAttribute, RtlDecompressBuffer, OpenProcess, PsSetCreateProcessNotifyRoutine, IoCreateDriver
Languages:
python
Platforms:
x64
Links:
10-11-2022
Hack the Real Box: APT41s New Subgroup Earth Longzhi
https://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html
Actors/Campaigns:
Axiom (motivation: cyber_criminal)
Earth_baku
Threats:
Cobalt_strike
Symaticloader
Process_injection_technique
Htran
Bigpipeloader
Outloader
Croxloader
Multipipeloader
Printnightmare_vuln
Mimikatz_tool
Lsadump_tool
Dcsync_technique
Industry:
Aerospace, Healthcare, Government, Financial
Geo:
China, Taiwan, Malaysia, Ukraine, Pakistan, Thailand, Indonesia, Asia, Chinese
CVEs:
CVE-2019-16098 [Vulners]
Vulners: Score: 7.2, CVSS: 5.1,
Vulners: Exploitation: Unknown
X-Force: Risk: 7.8
X-Force: Patch: Unavailable
Soft:
- msi afterburner (4.6.2.15658)
IOCs:
File: 12
Hash: 1
Algorithms:
base64, xor
Win API:
UpdateProcThreadAttribute, RtlDecompressBuffer, OpenProcess, PsSetCreateProcessNotifyRoutine, IoCreateDriver
Languages:
python
Platforms:
x64
Links:
https://github.com/itm4n/PrintSpoofer
https://github.com/HiwinCN/HTranTrend Micro
Hack the Real Box: APT41’s New Subgroup Earth Longzhi
We looked into the campaigns deployed by a new subgroup of advanced persistent threat (APT) group APT41, Earth Longzhi. This entry breaks down the technical details of the campaigns in full as presented at HITCON PEACE 2022 in August.
#ParsedReport
11-11-2022
Emotet Being Distributed Again via Excel Files After 6 Months
https://asec.ahnlab.com/en/41826
Threats:
Emotet
Malware/win.generic.c5291114
Geo:
Korea
IOCs:
Path: 5
File: 2
Hash: 4
Url: 4
Softs:
microsoft office
Platforms:
x86, x64
11-11-2022
Emotet Being Distributed Again via Excel Files After 6 Months
https://asec.ahnlab.com/en/41826
Threats:
Emotet
Malware/win.generic.c5291114
Geo:
Korea
IOCs:
Path: 5
File: 2
Hash: 4
Url: 4
Softs:
microsoft office
Platforms:
x86, x64
ASEC BLOG
Emotet Being Distributed Again via Excel Files After 6 Months - ASEC BLOG
Over multiple blog posts, the ASEC analysis team has released information on the distribution of Emotet which had been modified in many different ways. It has recently been identified that the Emotet malware has become active again. Around six months have…
#ParsedReport
11-11-2022
Magniber Ransomware Attempts to Bypass MOTW (Mark of the Web)
https://asec.ahnlab.com/en/41889
Threats:
Magniber
Typosquatting_technique
IOCs:
File: 5
Registry: 2
Hash: 3
Languages:
javascript
11-11-2022
Magniber Ransomware Attempts to Bypass MOTW (Mark of the Web)
https://asec.ahnlab.com/en/41889
Threats:
Magniber
Typosquatting_technique
IOCs:
File: 5
Registry: 2
Hash: 3
Languages:
javascript
ASEC BLOG
Magniber Ransomware Attempts to Bypass MOTW (Mark of the Web) - ASEC BLOG
The ASEC analysis team uploaded a post on October 25th to inform the users of the changes that have been made to the Magniber ransomware. Magniber, which is still actively being distributed, has undergone many changes to evade the detection of anti-malware…
#ParsedReport
11-11-2022
HackHound IRC Bot Being Distributed via Webhards
https://asec.ahnlab.com/en/41806
Threats:
Njrat_rat
Udprat
Passview_tool
Hawkeye_keylogger
Condis_technique
Torhammer_technique
Trojan/win.korat.c5290614
Deathransom
Infostealer/win.agent.c5290619
Bladabindi
Ircbot
Trojan/win.agent.c5290070
Trojan/win.generic.r452668
Malware/mdp.behavior.m1693
Geo:
Korean
IOCs:
File: 3
Path: 2
Hash: 19
Domain: 6
Url: 1
Softs:
chrome, discord
Languages:
golang
Platforms:
x64
11-11-2022
HackHound IRC Bot Being Distributed via Webhards
https://asec.ahnlab.com/en/41806
Threats:
Njrat_rat
Udprat
Passview_tool
Hawkeye_keylogger
Condis_technique
Torhammer_technique
Trojan/win.korat.c5290614
Deathransom
Infostealer/win.agent.c5290619
Bladabindi
Ircbot
Trojan/win.agent.c5290070
Trojan/win.generic.r452668
Malware/mdp.behavior.m1693
Geo:
Korean
IOCs:
File: 3
Path: 2
Hash: 19
Domain: 6
Url: 1
Softs:
chrome, discord
Languages:
golang
Platforms:
x64
ASEC BLOG
HackHound IRC Bot Being Distributed via Webhards - ASEC BLOG
Webhards are the main platforms that the attackers targeting Korean users exploit to distribute malware. The ASEC analysis team has been monitoring malware types distributed through webhards and uploaded multiple blog posts about them in the past. Generally…
#ParsedReport
11-11-2022
Ransomware Roundup: New Inlock and Xorist Variants
https://www.fortinet.com/blog/threat-research/Ransomware-Roundup-New-Inlock-and-Xorist-Variants
Threats:
Xorist
Cuba
Filecoder
Industry:
Financial, Government
Geo:
Spanish
IOCs:
File: 4
Hash: 6
11-11-2022
Ransomware Roundup: New Inlock and Xorist Variants
https://www.fortinet.com/blog/threat-research/Ransomware-Roundup-New-Inlock-and-Xorist-Variants
Threats:
Xorist
Cuba
Filecoder
Industry:
Financial, Government
Geo:
Spanish
IOCs:
File: 4
Hash: 6
Fortinet Blog
Ransomware Roundup: New Inlock and Xorist Variants | FortiGuard Labs
The latest FortiGuard Labs Threat Signal Ransomware Roundup covers the Inlock ransomware and a new variant of the Xorist ransomware, along with protection recommendations. Read more.…
#ParsedReport
11-11-2022
#ShortAndMalicious: StrelaStealer aims for mail credentials. Execution via polyglot
https://medium.com/@DCSO_CyTec/shortandmalicious-strelastealer-aims-for-mail-credentials-a4c3e78c8abc
Threats:
Strela_stealer
Dll_sideloading_technique
Geo:
Moscow, Russian, Spanish
TTPs:
Tactics: 1
Technics: 6
IOCs:
File: 6
Path: 2
Hash: 13
IP: 1
Url: 1
Algorithms:
xor
Win API:
CryptUnprotectData
Links:
11-11-2022
#ShortAndMalicious: StrelaStealer aims for mail credentials. Execution via polyglot
https://medium.com/@DCSO_CyTec/shortandmalicious-strelastealer-aims-for-mail-credentials-a4c3e78c8abc
Threats:
Strela_stealer
Dll_sideloading_technique
Geo:
Moscow, Russian, Spanish
TTPs:
Tactics: 1
Technics: 6
IOCs:
File: 6
Path: 2
Hash: 13
IP: 1
Url: 1
Algorithms:
xor
Win API:
CryptUnprotectData
Links:
https://github.com/DCSO/Blog\_CyTec/blob/main/2022\_11\_\_short\_and\_malicious\_strela\_stealer/misp.event.jsonMedium
#ShortAndMalicious: StrelaStealer aims for mail credentials
Quick look at a new stealer utilizing polyglot files
#ParsedReport
11-11-2022
A Muddy, Advanced Persistent Teacher
https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/muddy-advanced-persistent-teacher.html
Actors/Campaigns:
Muddywater
Oilrig
Threats:
Zerologon_vuln
Industry:
Government, Financial, Education
Geo:
Iran, Israeli, Irans, Tehran, Iranian
CVEs:
CVE-2020-0688 [Vulners]
Vulners: Score: 9.0, CVSS: 3.3,
Vulners: Exploitation: True
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019, 2019, 2016, 2010)
CVE-2020-1472 [Vulners]
Vulners: Score: 9.3, CVSS: 3.8,
Vulners: Exploitation: True
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- microsoft windows server 2008 (r2)
- microsoft windows server 2012 (-, r2)
- microsoft windows server 2016 (-, 1903, 1909, 2004)
- microsoft windows server 2019 (-)
- fedoraproject fedora (31, 32, 33)
have more...
IOCs:
File: 1
11-11-2022
A Muddy, Advanced Persistent Teacher
https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/muddy-advanced-persistent-teacher.html
Actors/Campaigns:
Muddywater
Oilrig
Threats:
Zerologon_vuln
Industry:
Government, Financial, Education
Geo:
Iran, Israeli, Irans, Tehran, Iranian
CVEs:
CVE-2020-0688 [Vulners]
Vulners: Score: 9.0, CVSS: 3.3,
Vulners: Exploitation: True
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019, 2019, 2016, 2010)
CVE-2020-1472 [Vulners]
Vulners: Score: 9.3, CVSS: 3.8,
Vulners: Exploitation: True
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- microsoft windows server 2008 (r2)
- microsoft windows server 2012 (-, r2)
- microsoft windows server 2016 (-, 1903, 1909, 2004)
- microsoft windows server 2019 (-)
- fedoraproject fedora (31, 32, 33)
have more...
IOCs:
File: 1
PwC
A Muddy, Advanced Persistent Teacher
On 26th October 2022, the US Department of Treasury issued broad sanctions against Iranian entities including a cyber security company, Ravin Academy, and the two individuals that founded it “for having materially assisted, sponsored, or provided financial…
#ParsedReport
11-11-2022
New updated IceXLoader claims thousands of victims around the world
https://minerva-labs.com/blog/new-updated-icexloader-claims-thousands-of-victims-around-the-world
Threats:
Icexloader
Process_hollowing_technique
Nimbda_loader
Bazarnimrod
Process_injection_technique
Geo:
Chinese
TTPs:
IOCs:
Path: 8
Registry: 2
File: 4
Command: 2
Hash: 4
Url: 1
Softs:
net framework, windows defender
Win API:
AmsiScanBuffer
Languages:
javascript
11-11-2022
New updated IceXLoader claims thousands of victims around the world
https://minerva-labs.com/blog/new-updated-icexloader-claims-thousands-of-victims-around-the-world
Threats:
Icexloader
Process_hollowing_technique
Nimbda_loader
Bazarnimrod
Process_injection_technique
Geo:
Chinese
TTPs:
IOCs:
Path: 8
Registry: 2
File: 4
Command: 2
Hash: 4
Url: 1
Softs:
net framework, windows defender
Win API:
AmsiScanBuffer
Languages:
javascript
Rapid7
Rapid7 Cybersecurity - Command Your Attack Surface
Level up SecOps with the only endpoint to cloud, unified cybersecurity platform. Confidently act to prevent breaches with a leading MDR partner. Request demo!
#ParsedReport
11-11-2022
Lookout Discovers Long-running Surveillance Campaigns Targeting Uyghurs
https://resources2.lookout.com/blog/uyghur-surveillance-campaign-badbazaar-moonshine
Actors/Campaigns:
Mirage
Nickel
Pitty_tiger
Emissary_panda
Earth_empusa
Threats:
Moonshine
Bahamut
Bazarbackdoor
Bazaar
Aitm_technique
Cmstar
Enfal
Doubleagent
Goldeneagle
Pluginphantom
Actionspy
Industry:
Telco, Government
Geo:
Asia, Afghanistan, Tibetan, Russia, Chinese, Turkey, Chinas, China
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 12
Hash: 1
Domain: 4
Email: 1
IP: 2
Softs:
android, telegram, wechat
Algorithms:
xor, gzip, aes, base64
Platforms:
apple
Links:
11-11-2022
Lookout Discovers Long-running Surveillance Campaigns Targeting Uyghurs
https://resources2.lookout.com/blog/uyghur-surveillance-campaign-badbazaar-moonshine
Actors/Campaigns:
Mirage
Nickel
Pitty_tiger
Emissary_panda
Earth_empusa
Threats:
Moonshine
Bahamut
Bazarbackdoor
Bazaar
Aitm_technique
Cmstar
Enfal
Doubleagent
Goldeneagle
Pluginphantom
Actionspy
Industry:
Telco, Government
Geo:
Asia, Afghanistan, Tibetan, Russia, Chinese, Turkey, Chinas, China
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 12
Hash: 1
Domain: 4
Email: 1
IP: 2
Softs:
android, telegram, wechat
Algorithms:
xor, gzip, aes, base64
Platforms:
apple
Links:
https://github.com/Tencent/wcdbLookout
Lookout Discovers Long-running Surveillance Campaigns Targeting Uyghurs | Lookout
Researchers from Lookout Threat Lab have uncovered two new surveillance campaigns, BadBazaar and MOONSHINE, targeting Uyghurs in the People’s Republic of China and abroad.
#ParsedReport
11-11-2022
-\| APT MacOS. According to the characteristics of the sample behavior, C2, and open source intelligence, the organization behind the attack is "Sea Lotus" APT.
https://mp.weixin.qq.com/s/2tdgA5mhTL-0Xew_xsWwpg
Actors/Campaigns:
Oceanlotus
TTPs:
Tactics: 2
Technics: 0
IOCs:
File: 5
Url: 2
Hash: 8
IP: 1
Softs:
macos
Algorithms:
aes-256
Languages:
perl
Platforms:
apple
11-11-2022
-\| APT MacOS. According to the characteristics of the sample behavior, C2, and open source intelligence, the organization behind the attack is "Sea Lotus" APT.
https://mp.weixin.qq.com/s/2tdgA5mhTL-0Xew_xsWwpg
Actors/Campaigns:
Oceanlotus
TTPs:
Tactics: 2
Technics: 0
IOCs:
File: 5
Url: 2
Hash: 8
IP: 1
Softs:
macos
Algorithms:
aes-256
Languages:
perl
Platforms:
apple
Weixin Official Accounts Platform
九维团队-暗队(情报)| “海莲花”APT 样本(MacOS)分析报告
本文为安恒信息分子实验室反APT小组(九维团队-暗队)对“海莲花”APT样本(MacOS)的分析报告。
#ParsedReport
14-11-2022
BumbleBee Zeros in on Meterpreter
https://thedfirreport.com/2022/11/14/bumblebee-zeros-in-on-meterpreter
Threats:
Bumblebee
Meterpreter_tool
Cobalt_strike
Beacon
Uac_bypass_technique
Zerologon_vuln
Adfind_tool
Nltest_tool
Dumplsass_tool
Passthehash_technique
Process_injection_technique
Powersploit
TTPs:
Tactics: 9
Technics: 24
IOCs:
File: 20
Command: 4
Path: 16
IP: 4
Domain: 3
Hash: 13
Email: 1
Softs:
sysinternals, winlogon
Algorithms:
zip
Functions:
OpenSSL
Win API:
NtAllocateVirtualMemoryRemoteApiCall
Platforms:
x86, x64
YARA: Found
SIGMA: Found
Links:
14-11-2022
BumbleBee Zeros in on Meterpreter
https://thedfirreport.com/2022/11/14/bumblebee-zeros-in-on-meterpreter
Threats:
Bumblebee
Meterpreter_tool
Cobalt_strike
Beacon
Uac_bypass_technique
Zerologon_vuln
Adfind_tool
Nltest_tool
Dumplsass_tool
Passthehash_technique
Process_injection_technique
Powersploit
TTPs:
Tactics: 9
Technics: 24
IOCs:
File: 20
Command: 4
Path: 16
IP: 4
Domain: 3
Hash: 13
Email: 1
Softs:
sysinternals, winlogon
Algorithms:
zip
Functions:
OpenSSL
Win API:
NtAllocateVirtualMemoryRemoteApiCall
Platforms:
x86, x64
YARA: Found
SIGMA: Found
Links:
https://github.com/iagox86/metasploit-framework-webexec/blob/master/documentation/modules/exploit/windows/local/bypassuac\_sluihijack.mdhttps://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/bypassuac\_sluihijack.rbThe DFIR Report
BumbleBee Zeros in on Meterpreter
In this intrusion from May 2022, the threat actors used BumbleBee as the initial access vector from a Contact Forms campaign. We have previously reported on two BumbleBee intrusions (1, 2), and thi…
#ParsedReport
14-11-2022
A Dropper-Type Malware Bomb Being Distributed Again in the Disguise of Cracks
https://asec.ahnlab.com/en/41972
Threats:
Vidar_stealer
Raccoon_stealer
Cryptbot_stealer
Record_breaker_stealer
Beamwinhttp_loader
IOCs:
File: 2
Hash: 5
Algorithms:
zip
14-11-2022
A Dropper-Type Malware Bomb Being Distributed Again in the Disguise of Cracks
https://asec.ahnlab.com/en/41972
Threats:
Vidar_stealer
Raccoon_stealer
Cryptbot_stealer
Record_breaker_stealer
Beamwinhttp_loader
IOCs:
File: 2
Hash: 5
Algorithms:
zip
ASEC BLOG
A Dropper-Type Malware Bomb Being Distributed Again in the Disguise of Cracks - ASEC BLOG
The dropper malware which camouflaged itself as a crack is being actively distributed again after a period of dormancy. When this malware is executed, the affected system becomes infected with numerous malware programs simultaneously. This is effectively…
#ParsedReport
14-11-2022
Massive ois[.\]is Black Hat Redirect Malware Campaign
https://blog.sucuri.net/2022/11/massive-ois-is-black-hat-redirect-malware-campaign.html
Industry:
Financial
IOCs:
Domain: 18
File: 18
Url: 3
Softs:
cpanel
Languages:
php, javascript
14-11-2022
Massive ois[.\]is Black Hat Redirect Malware Campaign
https://blog.sucuri.net/2022/11/massive-ois-is-black-hat-redirect-malware-campaign.html
Industry:
Financial
IOCs:
Domain: 18
File: 18
Url: 3
Softs:
cpanel
Languages:
php, javascript
Sucuri Blog
Massive ois[.]is Black Hat Redirect Malware Campaign
Learn how attackers are redirecting WordPress website visitors to fake Q&A sites via ois[.]is malware. These malicious redirects appear to be designed to increase the authority of the attacker’s sites for search engines.