#ParsedReport
11-11-2022
Ransomware Roundup: New Inlock and Xorist Variants
https://www.fortinet.com/blog/threat-research/Ransomware-Roundup-New-Inlock-and-Xorist-Variants
Threats:
Xorist
Cuba
Filecoder
Industry:
Financial, Government
Geo:
Spanish
IOCs:
File: 4
Hash: 6
Fortinet Blog
Ransomware Roundup: New Inlock and Xorist Variants | FortiGuard Labs
The latest FortiGuard Labs Threat Signal Ransomware Roundup covers the Inlock ransomware and a new variant of the Xorist ransomware, along with protection recommendations. Read more.…
#ParsedReport
11-11-2022
#ShortAndMalicious: StrelaStealer aims for mail credentials. Execution via polyglot
https://medium.com/@DCSO_CyTec/shortandmalicious-strelastealer-aims-for-mail-credentials-a4c3e78c8abc
Threats:
Strela_stealer
Dll_sideloading_technique
Geo:
Moscow, Russian, Spanish
TTPs:
Tactics: 1
Technics: 6
IOCs:
File: 6
Path: 2
Hash: 13
IP: 1
Url: 1
Algorithms:
xor
Win API:
CryptUnprotectData
Links:
https://github.com/DCSO/Blog_CyTec/blob/main/2022_11__short_and_malicious_strela_stealer/misp.event.json
Medium
#ShortAndMalicious: StrelaStealer aims for mail credentials
Quick look at a new stealer utilizing polyglot files
#ParsedReport
11-11-2022
A Muddy, Advanced Persistent Teacher
https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/muddy-advanced-persistent-teacher.html
Actors/Campaigns:
Muddywater
Oilrig
Threats:
Zerologon_vuln
Industry:
Government, Financial, Education
Geo:
Iran, Israeli, Irans, Tehran, Iranian
CVEs:
CVE-2020-0688 [Vulners]
Vulners: Score: 9.0, CVSS: 3.3,
Vulners: Exploitation: True
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019, 2019, 2016, 2010)
CVE-2020-1472 [Vulners]
Vulners: Score: 9.3, CVSS: 3.8,
Vulners: Exploitation: True
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- microsoft windows server 2008 (r2)
- microsoft windows server 2012 (-, r2)
- microsoft windows server 2016 (-, 1903, 1909, 2004)
- microsoft windows server 2019 (-)
- fedoraproject fedora (31, 32, 33)
have more...
IOCs:
File: 1
PwC
A Muddy, Advanced Persistent Teacher
On 26th October 2022, the US Department of Treasury issued broad sanctions against Iranian entities including a cyber security company, Ravin Academy, and the two individuals that founded it “for having materially assisted, sponsored, or provided financial…
#ParsedReport
11-11-2022
New updated IceXLoader claims thousands of victims around the world
https://minerva-labs.com/blog/new-updated-icexloader-claims-thousands-of-victims-around-the-world
Threats:
Icexloader
Process_hollowing_technique
Nimbda_loader
Bazarnimrod
Process_injection_technique
Geo:
Chinese
TTPs:
IOCs:
Path: 8
Registry: 2
File: 4
Command: 2
Hash: 4
Url: 1
Softs:
net framework, windows defender
Win API:
AmsiScanBuffer
Languages:
javascript
Rapid7
Rapid7 Cybersecurity - Command Your Attack Surface
Level up SecOps with the only endpoint to cloud, unified cybersecurity platform. Confidently act to prevent breaches with a leading MDR partner. Request demo!
#ParsedReport
11-11-2022
Lookout Discovers Long-running Surveillance Campaigns Targeting Uyghurs
https://resources2.lookout.com/blog/uyghur-surveillance-campaign-badbazaar-moonshine
Actors/Campaigns:
Mirage
Nickel
Pitty_tiger
Emissary_panda
Earth_empusa
Threats:
Moonshine
Bahamut
Bazarbackdoor
Bazaar
Aitm_technique
Cmstar
Enfal
Doubleagent
Goldeneagle
Pluginphantom
Actionspy
Industry:
Telco, Government
Geo:
Asia, Afghanistan, Tibetan, Russia, Chinese, Turkey, Chinas, China
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 12
Hash: 1
Domain: 4
Email: 1
IP: 2
Softs:
android, telegram, wechat
Algorithms:
xor, gzip, aes, base64
Platforms:
apple
Links:
https://github.com/Tencent/wcdb
Lookout
Lookout Discovers Long-running Surveillance Campaigns Targeting Uyghurs | Lookout
Researchers from Lookout Threat Lab have uncovered two new surveillance campaigns, BadBazaar and MOONSHINE, targeting Uyghurs in the People’s Republic of China and abroad.
#ParsedReport
11-11-2022
APT MacOS. According to the characteristics of the sample behavior, C2, and open source intelligence, the organization behind the attack is "Sea Lotus" APT.
https://mp.weixin.qq.com/s/2tdgA5mhTL-0Xew_xsWwpg
Actors/Campaigns:
Oceanlotus
TTPs:
Tactics: 2
Technics: 0
IOCs:
File: 5
Url: 2
Hash: 8
IP: 1
Softs:
macos
Algorithms:
aes-256
Languages:
perl
Platforms:
apple
Weixin Official Accounts Platform
Nine-Dimensional Team - Dark Team (Intelligence) | “Sea Lotus” APT Sample (MacOS) Analysis Report
This article is the analysis report by the anti-APT group of DBAPPSecurity's Molecular Lab (Nine-Dimensional Team - Dark Team) on a “Sea Lotus” APT sample (MacOS).
#ParsedReport
14-11-2022
BumbleBee Zeros in on Meterpreter
https://thedfirreport.com/2022/11/14/bumblebee-zeros-in-on-meterpreter
Threats:
Bumblebee
Meterpreter_tool
Cobalt_strike
Beacon
Uac_bypass_technique
Zerologon_vuln
Adfind_tool
Nltest_tool
Dumplsass_tool
Passthehash_technique
Process_injection_technique
Powersploit
TTPs:
Tactics: 9
Technics: 24
IOCs:
File: 20
Command: 4
Path: 16
IP: 4
Domain: 3
Hash: 13
Email: 1
Softs:
sysinternals, winlogon
Algorithms:
zip
Functions:
OpenSSL
Win API:
NtAllocateVirtualMemoryRemoteApiCall
Platforms:
x86, x64
YARA: Found
SIGMA: Found
Links:
https://github.com/iagox86/metasploit-framework-webexec/blob/master/documentation/modules/exploit/windows/local/bypassuac_sluihijack.md
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/bypassuac_sluihijack.rb
The DFIR Report
BumbleBee Zeros in on Meterpreter
In this intrusion from May 2022, the threat actors used BumbleBee as the initial access vector from a Contact Forms campaign. We have previously reported on two BumbleBee intrusions (1, 2), and thi…
#ParsedReport
14-11-2022
A Dropper-Type Malware Bomb Being Distributed Again in the Disguise of Cracks
https://asec.ahnlab.com/en/41972
Threats:
Vidar_stealer
Raccoon_stealer
Cryptbot_stealer
Record_breaker_stealer
Beamwinhttp_loader
IOCs:
File: 2
Hash: 5
Algorithms:
zip
ASEC BLOG
A Dropper-Type Malware Bomb Being Distributed Again in the Disguise of Cracks - ASEC BLOG
The dropper malware which camouflaged itself as a crack is being actively distributed again after a period of dormancy. When this malware is executed, the affected system becomes infected with numerous malware programs simultaneously. This is effectively…
#ParsedReport
14-11-2022
Massive ois[.]is Black Hat Redirect Malware Campaign
https://blog.sucuri.net/2022/11/massive-ois-is-black-hat-redirect-malware-campaign.html
Industry:
Financial
IOCs:
Domain: 18
File: 18
Url: 3
Softs:
cpanel
Languages:
php, javascript
Sucuri Blog
Massive ois[.]is Black Hat Redirect Malware Campaign
Learn how attackers are redirecting WordPress website visitors to fake Q&A sites via ois[.]is malware. These malicious redirects appear to be designed to increase the authority of the attacker’s sites for search engines.
#ParsedReport
14-11-2022
Koxic. KOXIC ransomware domestic distribution
https://asec.ahnlab.com/ko/41837
Threats:
Koxic
Revil
Upx_tool
Ransomware/win.koxiccrypt.r533926
Deathransom
Trojan/win.generic.c4963639
Ransom/mdp.delete.m2117
Malware/mdp.behavior.m2771
Ransom/mdp.decoy.m4475
Geo:
Korea
IOCs:
File: 31
Registry: 4
Command: 3
Hash: 3
Softs:
mysql
Algorithms:
aes, cbc
Functions:
CreateFileMappingW
Win API:
SeBackupPrivilege, SeRestorePrivilege, SeManageVolumePrivilege, SeTakeOwnershipPrivilege, MoveFileExW, CreateFileMappingW, ViewOfFile
Win Services:
SQLWriter, MSSQLServerOLAPService, MSSQLSERVER, MSSQL$SQLEXPRESS, ReportServer
Platforms:
intel
ASEC BLOG
Koxic Ransomware Being Distributed in Korea - ASEC BLOG
Signs of the Koxic ransomware being distributed in Korea have been confirmed. It was first collected early this year, but a file with a modified appearance and internal ransom note was recently detected and blocked through the ASD infrastructure. Upon infection, the extension “.KOXIC_[random string]” is appended to the names of encrypted files, and a TXT ransom note is created in each directory. The ransom note's file name is as follows. As for the ransom note of the recently collected sample, BlueCrab (Sodinokibi…), which was once actively distributed in Korea
#ParsedReport
14-11-2022
Kitten.gif: Meet the Sabbath Ransomware Affiliate Program, Again
https://www.mandiant.com/resources/blog/sabbath-ransomware-affiliate
Actors/Campaigns:
Unc2190 (motivation: information_theft)
Threats:
Cobalt_strike
Beacon
Rollcoast
Themida_tool
Redrum
Process_injection_technique
Industry:
Government, Financial, Education, Healthcare
Geo:
Armenia, Germany, Slovakia, Russian, Belarus, Kyrgyzstan, Ukraine, Kenya, Africa, Ukrainian, India, Malta, Indonesian, Malaysia, Albania, Azerbaijan, Croatia, Canada, Belarusian, Latvia, Norway, Pakistan, Macedonia, Uzbekistan, Iran, Thailand, Kazakhstan, Estonia, Tajikistan, Turkey, Vietnam, Indonesia, Georgia, Azerbaijani, Turkish, Turkmenistan, Lithuania, Russia, Slovenia, Sweden, Vietnamese
TTPs:
Tactics: 7
Technics: 17
IOCs:
File: 1
Url: 2
IP: 6
Hash: 20
Algorithms:
aes
Languages:
java
Platforms:
x64
YARA: Found
Mandiant
Kitten.gif: Meet the Sabbath Ransomware Affiliate Program, Again | Mandiant
#ParsedReport
14-11-2022
XDSpy APT. Analysis of the XDSpy APT group's recent attack activity targeting the Russian Ministry of Defense
https://mp.weixin.qq.com/s/cW2Evf6Nqb3fhQ7ntnKHsA
Threats:
Xdspy
Industry:
Government
Geo:
Belarusian, Russian
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 1
Path: 2
Hash: 14
Url: 7
Softs:
internet explorer
Algorithms:
rc4, base64
Functions:
InternetExplorer
Win API:
WaitForSingleObject
Platforms:
x86
Weixin Official Accounts Platform
Analysis of the XDSpy APT group's recent attack activity targeting the Russian Ministry of Defense
The attack technique has been updated compared with earlier activity, mainly to evade sandbox detection and engine scanning.
#ParsedReport
14-11-2022
Sysdig TRT uncovers massive cryptomining operation leveraging GitHub Actions
https://sysdig.com/blog/massive-cryptomining-operation-github-actions
Actors/Campaigns:
Purpleurchin
Oceanlotus (motivation: cyber_espionage)
Teamtnt
Threats:
Xmrig_miner
Onyx
Industry:
Financial
TTPs:
Tactics: 2
Technics: 0
IOCs:
Coin: 2
File: 4
IP: 6
Hash: 1
Softs:
docker, ubuntu, curl, mysql
Functions:
OpenVPN
Languages:
python, php
Links:
https://github.com/newtondev/no-dev-fee-stratum-proxy
https://github.com/jordansissel/xdotool
https://github.com/pricing
Sysdig
Sysdig TRT uncovers massive cryptomining operation leveraging GitHub Actions | Sysdig
Sysdig TRT uncovered an extensive and sophisticated active cryptomining operation using GitHub, Heroku, Buddy.works, and others. We are going to refer to this as PURPLEURCHIN.
#ParsedReport
14-11-2022
Typhon Reborn With New Capabilities
https://unit42.paloaltonetworks.com/typhon-reborn-stealer
Threats:
Typhon_reborn
Typhon_stealer
IOCs:
File: 4
Hash: 2
Softs:
telegram, google chrome, microsoft edge, chrome, coin98
Functions:
MeltSelf
Unit 42
Typhon Reborn With New Capabilities
Typhon Stealer, a crypto miner/stealer for hire that was discovered in August 2022, now has an updated version called Typhon Reborn.
#ParsedReport
15-11-2022
DTrack activity targeting Europe and Latin America
https://securelist.com/dtrack-targeting-europe-latin-america/107798
Actors/Campaigns:
Lazarus (motivation: financially_motivated)
Threats:
Dtrack_rat
Process_hollowing_technique
Industry:
Telco, Education, Chemical, Financial
Geo:
Switzerland, Italy, Brazil, Turkey, Mexico, America, India, Germany
IOCs:
File: 1
Domain: 4
Hash: 2
Algorithms:
rc4
Securelist
Dtrack expands its operations to Europe and Latin America
In recent campaigns DTrack targets organizations in Europe and Latin America, and uses more delivery stages.
#ParsedReport
15-11-2022
ASEC (20221107 ~ 20221113). ASEC Weekly Malware Statistics (20221107 ~ 20221113)
https://asec.ahnlab.com/ko/41981
Actors/Campaigns:
Ta505
Threats:
Emotet
Qakbot
Trickbot
Agent_tesla
Azorult
Smokeloader
Smokerloader
Amadey
Lockbit
Gandcrab
Clop
Cloudeye
Postealer
Formbook
Remcos_rat
Nanocore_rat
Industry:
Financial, Transport
Geo:
Korea
IOCs:
File: 23
Url: 8
Email: 5
Domain: 7
Softs:
discord, nsis installer
Algorithms:
zip
Languages:
visual_basic
ASEC BLOG
ASEC Weekly Malware Statistics (20221107 ~ 20221113) - ASEC BLOG
Contents: Top 1 – Emotet, Top 2 – AgentTesla, Top 3 – SmokeLoader, Top 4 – Amadey, Top 5 – GuLoader. The ASEC analysis team uses the ASEC automatic analysis system RAPIT to classify and respond to known malware. This post summarizes statistics on malware collected over one week, from Monday, November 7, 2022 to Sunday, November 13, 2022. By top-level category, downloaders ranked first at 37.8%…
#ParsedReport
15-11-2022
Exploring Modifications in New Mirai Botnet Clones
https://www.nozominetworks.com/blog/exploring-modifications-in-new-mirai-botnet-clones
Threats:
Mirai
Bashlite
Darknexus_botnet
Industry:
Iot
CVEs:
CVE-2017-17215 [Vulners]
Vulners: Score: 6.5, CVSS: 6.1,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Unavailable
Soft:
- huawei hg532 firmware (-)
Algorithms:
xor
Links:
https://github.com/jgamblin/Mirai-Source-Code/blob/master/mirai/bot/table.c#L16
Nozominetworks
Exploring Modifications in New Mirai Botnet Clones
Nozomi Networks researchers discover modified Mirai botnets and share how network defenders can detect new variants.
#ParsedReport
15-11-2022
Phishing Campaign Targeting Indonesian BRI Bank Using SMS Stealer
https://blog.cyble.com/2022/11/15/phishing-campaign-targeting-indonesian-bri-bank-using-sms-stealer
Threats:
Sms_stealer
Smseye_stealer
Industry:
Financial
Geo:
Dubai, Georgia, Singapore, Australia, Indonesian, Indonesia, India
TTPs:
Tactics: 6
Technics: 7
IOCs:
Url: 15
Hash: 4
File: 1
Softs:
android, telegram
Languages:
php, kotlin
Links:
https://github.com/AbyssalArmy/SmsEye
Cyble
SMS Stealer Phishing Campaign Hits Indonesia's BRI Bank
Cyble Research & Intelligence Labs analyzes an active phishing campaign targeting Indonesian BRI bank using Android SMS Stealer.
#ParsedReport
15-11-2022
Billbug: State-sponsored Actor Targets Cert Authority, Government Agencies in Multiple Asian Countries
https://symantec-enterprise-blogs.security.com/threat-intelligence/espionage-asia-governments-cert-authority
Actors/Campaigns:
Dragonfish (motivation: information_theft, cyber_espionage)
Threats:
Hannotog
Sagerunex
Adfind_tool
Nbtscan_tool
Stowaway_tool
Cobalt_strike
Industry:
Government
Geo:
Asia, Asian
IOCs:
File: 5
Command: 2
Hash: 23
Softs:
active directory
Algorithms:
xor, aes-256-cbc, zip, rc4
Win API:
WinHttpGetIEProxyConfigForCurrentUser
Security
Billbug: State-sponsored Actor Targets Cert Authority, Government Agencies in Multiple Asian Countries
Campaign has been ongoing for at least the last six months.
#ParsedReport
16-11-2022
DAGON LOCKER Ransomware Being Distributed
https://asec.ahnlab.com/en/42037
Threats:
Dagon_locker
Quantum_locker
Mount_locker
Ransom/mdp.behavior.m1171
Ransom/mdp.behavior.m1946
Geo:
Korean, Korea
IOCs:
Hash: 2
File: 3
Algorithms:
rsa-2048, chacha20
Win API:
GetCommandLineW, GetDriveTypeW, CryptImportKey, CryptEncrypt
Win Services:
agntsvc
Platforms:
x64
ASEC
DAGON LOCKER Ransomware Being Distributed - ASEC