#ParsedReport
10-11-2022
Rise of Banking Trojan Dropper in Google Play. Technical Details
https://www.zscaler.com/blogs/security-research/rise-banking-trojan-dropper-google-play-0
Threats:
Xenomorph
Hostile
Joker
Coper
Industry:
Financial
IOCs:
File: 3
Hash: 22
Url: 1
Domain: 2
Softs:
telegram
Algorithms:
rc4
Zscaler
Rise of Banking Trojan Dropper in Google Play | Zscaler
The Zscaler ThreatLabz team has recently discovered the Xenomorph banking trojan embedded in a Lifestyle app in the Google Play store. Read more.
#ParsedReport
10-11-2022
Hack the Real Box: APT41's New Subgroup Earth Longzhi
https://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html
Actors/Campaigns:
Axiom (motivation: cyber_criminal)
Earth_baku
Threats:
Cobalt_strike
Symaticloader
Process_injection_technique
Htran
Bigpipeloader
Outloader
Croxloader
Multipipeloader
Printnightmare_vuln
Mimikatz_tool
Lsadump_tool
Dcsync_technique
Industry:
Aerospace, Healthcare, Government, Financial
Geo:
China, Taiwan, Malaysia, Ukraine, Pakistan, Thailand, Indonesia, Asia, Chinese
CVEs:
CVE-2019-16098 [Vulners]
Vulners: Score: 7.2, CVSS: 5.1,
Vulners: Exploitation: Unknown
X-Force: Risk: 7.8
X-Force: Patch: Unavailable
Soft:
- msi afterburner (4.6.2.15658)
IOCs:
File: 12
Hash: 1
Algorithms:
base64, xor
Win API:
UpdateProcThreadAttribute, RtlDecompressBuffer, OpenProcess, PsSetCreateProcessNotifyRoutine, IoCreateDriver
Languages:
python
Platforms:
x64
Links:
https://github.com/itm4n/PrintSpoofer
https://github.com/HiwinCN/HTran
Trend Micro
Hack the Real Box: APT41’s New Subgroup Earth Longzhi
We looked into the campaigns deployed by a new subgroup of advanced persistent threat (APT) group APT41, Earth Longzhi. This entry breaks down the technical details of the campaigns in full as presented at HITCON PEACE 2022 in August.
#ParsedReport
11-11-2022
Emotet Being Distributed Again via Excel Files After 6 Months
https://asec.ahnlab.com/en/41826
Threats:
Emotet
Malware/win.generic.c5291114
Geo:
Korea
IOCs:
Path: 5
File: 2
Hash: 4
Url: 4
Softs:
microsoft office
Platforms:
x86, x64
ASEC BLOG
Emotet Being Distributed Again via Excel Files After 6 Months - ASEC BLOG
Over multiple blog posts, the ASEC analysis team has released information on the distribution of Emotet which had been modified in many different ways. It has recently been identified that the Emotet malware has become active again. Around six months have…
#ParsedReport
11-11-2022
Magniber Ransomware Attempts to Bypass MOTW (Mark of the Web)
https://asec.ahnlab.com/en/41889
Threats:
Magniber
Typosquatting_technique
IOCs:
File: 5
Registry: 2
Hash: 3
Languages:
javascript
ASEC BLOG
Magniber Ransomware Attempts to Bypass MOTW (Mark of the Web) - ASEC BLOG
The ASEC analysis team uploaded a post on October 25th to inform the users of the changes that have been made to the Magniber ransomware. Magniber, which is still actively being distributed, has undergone many changes to evade the detection of anti-malware…
#ParsedReport
11-11-2022
HackHound IRC Bot Being Distributed via Webhards
https://asec.ahnlab.com/en/41806
Threats:
Njrat_rat
Udprat
Passview_tool
Hawkeye_keylogger
Condis_technique
Torhammer_technique
Trojan/win.korat.c5290614
Deathransom
Infostealer/win.agent.c5290619
Bladabindi
Ircbot
Trojan/win.agent.c5290070
Trojan/win.generic.r452668
Malware/mdp.behavior.m1693
Geo:
Korean
IOCs:
File: 3
Path: 2
Hash: 19
Domain: 6
Url: 1
Softs:
chrome, discord
Languages:
golang
Platforms:
x64
ASEC BLOG
HackHound IRC Bot Being Distributed via Webhards - ASEC BLOG
Webhards are the main platforms that the attackers targeting Korean users exploit to distribute malware. The ASEC analysis team has been monitoring malware types distributed through webhards and uploaded multiple blog posts about them in the past. Generally…
#ParsedReport
11-11-2022
Ransomware Roundup: New Inlock and Xorist Variants
https://www.fortinet.com/blog/threat-research/Ransomware-Roundup-New-Inlock-and-Xorist-Variants
Threats:
Xorist
Cuba
Filecoder
Industry:
Financial, Government
Geo:
Spanish
IOCs:
File: 4
Hash: 6
Fortinet Blog
Ransomware Roundup: New Inlock and Xorist Variants | FortiGuard Labs
The latest FortiGuard Labs Threat Signal Ransomware Roundup covers the Inlock ransomware and a new variant of the Xorist ransomware, along with protection recommendations. Read more.…
#ParsedReport
11-11-2022
#ShortAndMalicious: StrelaStealer aims for mail credentials. Execution via polyglot
https://medium.com/@DCSO_CyTec/shortandmalicious-strelastealer-aims-for-mail-credentials-a4c3e78c8abc
Threats:
Strela_stealer
Dll_sideloading_technique
Geo:
Moscow, Russian, Spanish
TTPs:
Tactics: 1
Technics: 6
IOCs:
File: 6
Path: 2
Hash: 13
IP: 1
Url: 1
Algorithms:
xor
Win API:
CryptUnprotectData
Links:
https://github.com/DCSO/Blog_CyTec/blob/main/2022_11__short_and_malicious_strela_stealer/misp.event.json
Medium
#ShortAndMalicious: StrelaStealer aims for mail credentials
Quick look at a new stealer utilizing polyglot files
#ParsedReport
11-11-2022
A Muddy, Advanced Persistent Teacher
https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/muddy-advanced-persistent-teacher.html
Actors/Campaigns:
Muddywater
Oilrig
Threats:
Zerologon_vuln
Industry:
Government, Financial, Education
Geo:
Iran, Israeli, Irans, Tehran, Iranian
CVEs:
CVE-2020-0688 [Vulners]
Vulners: Score: 9.0, CVSS: 3.3,
Vulners: Exploitation: True
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019, 2019, 2016, 2010)
CVE-2020-1472 [Vulners]
Vulners: Score: 9.3, CVSS: 3.8,
Vulners: Exploitation: True
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- microsoft windows server 2008 (r2)
- microsoft windows server 2012 (-, r2)
- microsoft windows server 2016 (-, 1903, 1909, 2004)
- microsoft windows server 2019 (-)
- fedoraproject fedora (31, 32, 33)
have more...
IOCs:
File: 1
PwC
A Muddy, Advanced Persistent Teacher
On 26th October 2022, the US Department of Treasury issued broad sanctions against Iranian entities including a cyber security company, Ravin Academy, and the two individuals that founded it “for having materially assisted, sponsored, or provided financial…
#ParsedReport
11-11-2022
New updated IceXLoader claims thousands of victims around the world
https://minerva-labs.com/blog/new-updated-icexloader-claims-thousands-of-victims-around-the-world
Threats:
Icexloader
Process_hollowing_technique
Nimbda_loader
Bazarnimrod
Process_injection_technique
Geo:
Chinese
TTPs:
IOCs:
Path: 8
Registry: 2
File: 4
Command: 2
Hash: 4
Url: 1
Softs:
net framework, windows defender
Win API:
AmsiScanBuffer
Languages:
javascript
#ParsedReport
11-11-2022
Lookout Discovers Long-running Surveillance Campaigns Targeting Uyghurs
https://resources2.lookout.com/blog/uyghur-surveillance-campaign-badbazaar-moonshine
Actors/Campaigns:
Mirage
Nickel
Pitty_tiger
Emissary_panda
Earth_empusa
Threats:
Moonshine
Bahamut
Bazarbackdoor
Bazaar
Aitm_technique
Cmstar
Enfal
Doubleagent
Goldeneagle
Pluginphantom
Actionspy
Industry:
Telco, Government
Geo:
Asia, Afghanistan, Tibetan, Russia, Chinese, Turkey, Chinas, China
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 12
Hash: 1
Domain: 4
Email: 1
IP: 2
Softs:
android, telegram, wechat
Algorithms:
xor, gzip, aes, base64
Platforms:
apple
Links:
https://github.com/Tencent/wcdb
Lookout
Lookout Discovers Long-running Surveillance Campaigns Targeting Uyghurs | Lookout
Researchers from Lookout Threat Lab have uncovered two new surveillance campaigns, BadBazaar and MOONSHINE, targeting Uyghurs in the People’s Republic of China and abroad.
#ParsedReport
11-11-2022
"Sea Lotus" APT sample (MacOS) analysis report. According to the characteristics of the sample behavior, C2, and open source intelligence, the organization behind the attack is the "Sea Lotus" APT.
https://mp.weixin.qq.com/s/2tdgA5mhTL-0Xew_xsWwpg
Actors/Campaigns:
Oceanlotus
TTPs:
Tactics: 2
Technics: 0
IOCs:
File: 5
Url: 2
Hash: 8
IP: 1
Softs:
macos
Algorithms:
aes-256
Languages:
perl
Platforms:
apple
Weixin Official Accounts Platform
Jiuwei Team - Dark Team (Intelligence) | "Sea Lotus" APT Sample (MacOS) Analysis Report
This article is the analysis report by the anti-APT group of DBAPPSecurity's Molecular Lab (Jiuwei Team - Dark Team) on a "Sea Lotus" APT sample (MacOS).
#ParsedReport
14-11-2022
BumbleBee Zeros in on Meterpreter
https://thedfirreport.com/2022/11/14/bumblebee-zeros-in-on-meterpreter
Threats:
Bumblebee
Meterpreter_tool
Cobalt_strike
Beacon
Uac_bypass_technique
Zerologon_vuln
Adfind_tool
Nltest_tool
Dumplsass_tool
Passthehash_technique
Process_injection_technique
Powersploit
TTPs:
Tactics: 9
Technics: 24
IOCs:
File: 20
Command: 4
Path: 16
IP: 4
Domain: 3
Hash: 13
Email: 1
Softs:
sysinternals, winlogon
Algorithms:
zip
Functions:
OpenSSL
Win API:
NtAllocateVirtualMemoryRemoteApiCall
Platforms:
x86, x64
YARA: Found
SIGMA: Found
Links:
https://github.com/iagox86/metasploit-framework-webexec/blob/master/documentation/modules/exploit/windows/local/bypassuac_sluihijack.md
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/bypassuac_sluihijack.rb
The DFIR Report
BumbleBee Zeros in on Meterpreter
In this intrusion from May 2022, the threat actors used BumbleBee as the initial access vector from a Contact Forms campaign. We have previously reported on two BumbleBee intrusions (1, 2), and thi…
#ParsedReport
14-11-2022
A Dropper-Type Malware Bomb Being Distributed Again in the Disguise of Cracks
https://asec.ahnlab.com/en/41972
Threats:
Vidar_stealer
Raccoon_stealer
Cryptbot_stealer
Record_breaker_stealer
Beamwinhttp_loader
IOCs:
File: 2
Hash: 5
Algorithms:
zip
ASEC BLOG
A Dropper-Type Malware Bomb Being Distributed Again in the Disguise of Cracks - ASEC BLOG
The dropper malware which camouflaged itself as a crack is being actively distributed again after a period of dormancy. When this malware is executed, the affected system becomes infected with numerous malware programs simultaneously. This is effectively…
#ParsedReport
14-11-2022
Massive ois[.]is Black Hat Redirect Malware Campaign
https://blog.sucuri.net/2022/11/massive-ois-is-black-hat-redirect-malware-campaign.html
Industry:
Financial
IOCs:
Domain: 18
File: 18
Url: 3
Softs:
cpanel
Languages:
php, javascript
Sucuri Blog
Massive ois[.]is Black Hat Redirect Malware Campaign
Learn how attackers are redirecting WordPress website visitors to fake Q&A sites via ois[.]is malware. These malicious redirects appear to be designed to increase the authority of the attacker’s sites for search engines.
#ParsedReport
14-11-2022
Koxic ransomware being distributed in Korea
https://asec.ahnlab.com/ko/41837
Threats:
Koxic
Revil
Upx_tool
Ransomware/win.koxiccrypt.r533926
Deathransom
Trojan/win.generic.c4963639
Ransom/mdp.delete.m2117
Malware/mdp.behavior.m2771
Ransom/mdp.decoy.m4475
Geo:
Korea
IOCs:
File: 31
Registry: 4
Command: 3
Hash: 3
Softs:
mysql
Algorithms:
aes, cbc
Functions:
CreateFileMappingW
Win API:
SeBackupPrivilege, SeRestorePrivilege, SeManageVolumePrivilege, SeTakeOwnershipPrivilege, MoveFileExW, CreateFileMappingW, ViewOfFile
Win Services:
SQLWriter, MSSQLServerOLAPService, MSSQLSERVER, MSSQL$SQLEXPRESS, ReportServer
Platforms:
intel
ASEC BLOG
Koxic Ransomware Being Distributed in Korea - ASEC BLOG
Signs of Koxic ransomware being distributed in Korea have been confirmed. Although it was first collected early this year, a file with a modified appearance and internal ransom note was recently detected and blocked through the ASD infrastructure. Upon infection, the ".KOXIC_[random string]" extension is appended to the names of encrypted files, and a TXT ransom note is created in each directory. The ransom note file name is as follows. As for the ransom note of the recently collected sample, BlueCrab (Sodinokibi…), which was once actively distributed in Korea…
#ParsedReport
14-11-2022
Kitten.gif: Meet the Sabbath Ransomware Affiliate Program, Again
https://www.mandiant.com/resources/blog/sabbath-ransomware-affiliate
Actors/Campaigns:
Unc2190 (motivation: information_theft)
Threats:
Cobalt_strike
Beacon
Rollcoast
Themida_tool
Redrum
Process_injection_technique
Industry:
Government, Financial, Education, Healthcare
Geo:
Armenia, Germany, Slovakia, Russian, Belarus, Kyrgyzstan, Ukraine, Kenya, Africa, Ukrainian, India, Malta, Indonesian, Malaysia, Albania, Azerbaijan, Croatia, Canada, Belarusian, Latvia, Norway, Pakistan, Macedonia, Uzbekistan, Iran, Thailand, Kazakhstan, Estonia, Tajikistan, Turkey, Vietnam, Indonesia, Georgia, Azerbaijani, Turkish, Turkmenistan, Lithuania, Russia, Slovenia, Sweden, Vietnamese
TTPs:
Tactics: 7
Technics: 17
IOCs:
File: 1
Url: 2
IP: 6
Hash: 20
Algorithms:
aes
Languages:
java
Platforms:
x64
YARA: Found
Mandiant
Kitten.gif: Meet the Sabbath Ransomware Affiliate Program, Again | Mandiant
#ParsedReport
14-11-2022
Analysis of the XDSpy APT group's recent attack activity targeting the Russian Ministry of Defense
https://mp.weixin.qq.com/s/cW2Evf6Nqb3fhQ7ntnKHsA
Threats:
Xdspy
Industry:
Government
Geo:
Belarusian, Russian
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 1
Path: 2
Hash: 14
Url: 7
Softs:
internet explorer
Algorithms:
rc4, base64
Functions:
InternetExplorer
Win API:
WaitForSingleObject
Platforms:
x86
Weixin Official Accounts Platform
Analysis of the XDSpy APT group's recent attack activity targeting the Russian Ministry of Defense
The attack technique has been updated compared with earlier activity, mainly to evade sandbox detection and antivirus engine scanning!
#ParsedReport
14-11-2022
Sysdig TRT uncovers massive cryptomining operation leveraging GitHub Actions
https://sysdig.com/blog/massive-cryptomining-operation-github-actions
Actors/Campaigns:
Purpleurchin
Oceanlotus (motivation: cyber_espionage)
Teamtnt
Threats:
Xmrig_miner
Onyx
Industry:
Financial
TTPs:
Tactics: 2
Technics: 0
IOCs:
Coin: 2
File: 4
IP: 6
Hash: 1
Softs:
docker, ubuntu, curl, mysql
Functions:
OpenVPN
Languages:
python, php
Links:
https://github.com/newtondev/no-dev-fee-stratum-proxy
https://github.com/jordansissel/xdotool
https://github.com/pricing
Sysdig
Sysdig TRT uncovers massive cryptomining operation leveraging GitHub Actions | Sysdig
Sysdig TRT uncovered an extensive and sophisticated active cryptomining operation using GitHub, Heroku, Buddy.works, and others. We are going to refer to this as PURPLEURCHIN.
#ParsedReport
14-11-2022
Typhon Reborn With New Capabilities
https://unit42.paloaltonetworks.com/typhon-reborn-stealer
Threats:
Typhon_reborn
Typhon_stealer
IOCs:
File: 4
Hash: 2
Softs:
telegram, google chrome, microsoft edge, chrome, coin98
Functions:
MeltSelf
Unit 42
Typhon Reborn With New Capabilities
Typhon Stealer, a crypto miner/stealer for hire that was discovered in August 2022, now has an updated version called Typhon Reborn.
#ParsedReport
15-11-2022
DTrack activity targeting Europe and Latin America
https://securelist.com/dtrack-targeting-europe-latin-america/107798
Actors/Campaigns:
Lazarus (motivation: financially_motivated)
Threats:
Dtrack_rat
Process_hollowing_technique
Industry:
Telco, Education, Chemical, Financial
Geo:
Switzerland, Italy, Brazil, Turkey, Mexico, America, India, Germany
IOCs:
File: 1
Domain: 4
Hash: 2
Algorithms:
rc4
Securelist
Dtrack expands its operations to Europe and Latin America
In recent campaigns DTrack targets organizations in Europe and Latin America, and uses more delivery stages.
#ParsedReport
15-11-2022
ASEC Weekly Malware Statistics (20221107 ~ 20221113)
https://asec.ahnlab.com/ko/41981
Actors/Campaigns:
Ta505
Threats:
Emotet
Qakbot
Trickbot
Agent_tesla
Azorult
Smokeloader
Smokerloader
Amadey
Lockbit
Gandcrab
Clop
Cloudeye
Postealer
Formbook
Remcos_rat
Nanocore_rat
Industry:
Financial, Transport
Geo:
Korea
IOCs:
File: 23
Url: 8
Email: 5
Domain: 7
Softs:
discord, nsis installer
Algorithms:
zip
Languages:
visual_basic
ASEC BLOG
ASEC Weekly Malware Statistics (20221107 ~ 20221113) - ASEC BLOG
Contents: Top 1 – Emotet, Top 2 – AgentTesla, Top 3 – SmokeLoader, Top 4 – Amadey, Top 5 – GuLoader. The ASEC analysis team uses the ASEC automatic analysis system RAPIT to classify and respond to known malware. This post summarizes the statistics of malware collected during the week from Monday, November 7, 2022 to Sunday, November 13, 2022. By major category, downloaders ranked first at 37.8%…