#ParsedReport
14-11-2022
XDSpy APT. Analysis of the XDSpy APT group's recent attack activity targeting the Russian Ministry of Defense
https://mp.weixin.qq.com/s/cW2Evf6Nqb3fhQ7ntnKHsA
Threats:
Xdspy
Industry:
Government
Geo:
Belarusian, Russian
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 1
Path: 2
Hash: 14
Url: 7
Softs:
internet explorer
Algorithms:
rc4, base64
Functions:
InternetExplorer
Win API:
WaitForSingleObject
Platforms:
x86
Weixin Official Accounts Platform
Analysis of the XDSpy APT group's recent attack activity targeting the Russian Ministry of Defense
The attack techniques in this campaign are updated compared with earlier ones, mainly to evade sandbox detection and antivirus engine detection.
#ParsedReport
14-11-2022
Sysdig TRT uncovers massive cryptomining operation leveraging GitHub Actions
https://sysdig.com/blog/massive-cryptomining-operation-github-actions
Actors/Campaigns:
Purpleurchin
Oceanlotus (motivation: cyber_espionage)
Teamtnt
Threats:
Xmrig_miner
Onyx
Industry:
Financial
TTPs:
Tactics: 2
Technics: 0
IOCs:
Coin: 2
File: 4
IP: 6
Hash: 1
Softs:
docker, ubuntu, curl, mysql
Functions:
OpenVPN
Languages:
python, php
Links:
https://github.com/newtondev/no-dev-fee-stratum-proxy
https://github.com/jordansissel/xdotool
https://github.com/pricing
Sysdig
Sysdig TRT uncovers massive cryptomining operation leveraging GitHub Actions | Sysdig
Sysdig TRT uncovered an extensive and sophisticated active cryptomining operation using GitHub, Heroku, Buddy.works, and others. We are going to refer to this as PURPLEURCHIN.
#ParsedReport
14-11-2022
Typhon Reborn With New Capabilities
https://unit42.paloaltonetworks.com/typhon-reborn-stealer
Threats:
Typhon_reborn
Typhon_stealer
IOCs:
File: 4
Hash: 2
Softs:
telegram, google chrome, microsoft edge, chrome, coin98
Functions:
MeltSelf
Unit 42
Typhon Reborn With New Capabilities
Typhon Stealer, a crypto miner/stealer for hire that was discovered in August 2022, now has an updated version called Typhon Reborn.
#ParsedReport
15-11-2022
DTrack activity targeting Europe and Latin America
https://securelist.com/dtrack-targeting-europe-latin-america/107798
Actors/Campaigns:
Lazarus (motivation: financially_motivated)
Threats:
Dtrack_rat
Process_hollowing_technique
Industry:
Telco, Education, Chemical, Financial
Geo:
Switzerland, Italy, Brazil, Turkey, Mexico, America, India, Germany
IOCs:
File: 1
Domain: 4
Hash: 2
Algorithms:
rc4
Securelist
Dtrack expands its operations to Europe and Latin America
In recent campaigns DTrack targets organizations in Europe and Latin America, and uses more delivery stages.
#ParsedReport
15-11-2022
ASEC Weekly Malware Statistics (20221107 ~ 20221113)
https://asec.ahnlab.com/ko/41981
Actors/Campaigns:
Ta505
Threats:
Emotet
Qakbot
Trickbot
Agent_tesla
Azorult
Smokeloader
Smokerloader
Amadey
Lockbit
Gandcrab
Clop
Cloudeye
Postealer
Formbook
Remcos_rat
Nanocore_rat
Industry:
Financial, Transport
Geo:
Korea
IOCs:
File: 23
Url: 8
Email: 5
Domain: 7
Softs:
discord, nsis installer
Algorithms:
zip
Languages:
visual_basic
ASEC BLOG
ASEC Weekly Malware Statistics (20221107 ~ 20221113) - ASEC BLOG
Contents: Top 1 – Emotet, Top 2 – AgentTesla, Top 3 – SmokeLoader, Top 4 – Amadey, Top 5 – GuLoader. The ASEC analysis team uses the ASEC automatic analysis system RAPIT to classify and respond to known malware. This post summarizes statistics on malware collected during the week from Monday, November 7, 2022 to Sunday, November 13, 2022. By major category, downloaders ranked first at 37.8%…
#ParsedReport
15-11-2022
Exploring Modifications in New Mirai Botnet Clones
https://www.nozominetworks.com/blog/exploring-modifications-in-new-mirai-botnet-clones
Threats:
Mirai
Bashlite
Darknexus_botnet
Industry:
Iot
CVEs:
CVE-2017-17215 [Vulners]
Vulners: Score: 6.5, CVSS: 6.1,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Unavailable
Soft:
- huawei hg532 firmware (-)
Algorithms:
xor
Links:
Links:
https://github.com/jgamblin/Mirai-Source-Code/blob/master/mirai/bot/table.c#L16
Nozominetworks
Exploring Modifications in New Mirai Botnet Clones
Nozomi Networks researchers discover modified Mirai botnets and share how network defenders can detect new variants.
#ParsedReport
15-11-2022
Phishing Campaign Targeting Indonesian BRI Bank Using SMS Stealer
https://blog.cyble.com/2022/11/15/phishing-campaign-targeting-indonesian-bri-bank-using-sms-stealer
Threats:
Sms_stealer
Smseye_stealer
Industry:
Financial
Geo:
Dubai, Georgia, Singapore, Australia, Indonesian, Indonesia, India
TTPs:
Tactics: 6
Technics: 7
IOCs:
Url: 15
Hash: 4
File: 1
Softs:
android, telegram
Languages:
php, kotlin
Links:
Links:
https://github.com/AbyssalArmy/SmsEye
Cyble
SMS Stealer Phishing Campaign Hits Indonesia's BRI Bank
Cyble Research & Intelligence Labs analyzes an active phishing campaign targeting Indonesian BRI bank using Android SMS Stealer.
#ParsedReport
15-11-2022
Billbug: State-sponsored Actor Targets Cert Authority, Government Agencies in Multiple Asian Countries
https://symantec-enterprise-blogs.security.com/threat-intelligence/espionage-asia-governments-cert-authority
Actors/Campaigns:
Dragonfish (motivation: information_theft, cyber_espionage)
Threats:
Hannotog
Sagerunex
Adfind_tool
Nbtscan_tool
Stowaway_tool
Cobalt_strike
Industry:
Government
Geo:
Asia, Asian
IOCs:
File: 5
Command: 2
Hash: 23
Softs:
active directory
Algorithms:
xor, aes-256-cbc, zip, rc4
Win API:
WinHttpGetIEProxyConfigForCurrentUser
Security
Billbug: State-sponsored Actor Targets Cert Authority, Government Agencies in Multiple Asian Countries
Campaign has been ongoing for at least the last six months.
#ParsedReport
16-11-2022
DAGON LOCKER Ransomware Being Distributed
https://asec.ahnlab.com/en/42037
Threats:
Dagon_locker
Quantum_locker
Mount_locker
Ransom/mdp.behavior.m1171
Ransom/mdp.behavior.m1946
Geo:
Korean, Korea
IOCs:
Hash: 2
File: 3
Algorithms:
rsa-2048, chacha20
Win API:
GetCommandLineW, GetDriveTypeW, CryptImportKey, CryptEncrypt
Win Services:
agntsvc
Platforms:
x64
ASEC
DAGON LOCKER Ransomware Being Distributed - ASEC
#ParsedReport
16-11-2022
ASEC Weekly Malware Statistics (November 7th, 2022 – November 13th, 2022)
https://asec.ahnlab.com/en/42068
Threats:
Emotet
Qakbot
Trickbot
Icedid
Agent_tesla
Smokeloader
Amadey
Lockbit
Cloudeye
Formbook
Remcos_rat
Nanocore_rat
Industry:
Financial
Geo:
Korea
IOCs:
Url: 8
Email: 5
File: 11
Domain: 7
Softs:
discord, nsis installer
Languages:
visual_basic
ASEC
ASEC Weekly Malware Statistics (November 7th, 2022 – November 13th, 2022) - ASEC
The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from November 7th, 2022 (Monday) to November 13th (Sunday). For the main category, downloader…
#ParsedReport
16-11-2022
Follow-up analysis of the RedLine stealer trojan spread via video websites
https://www.antiy.cn/research/notice&report/research_report/20221115.html
Threats:
Redline_stealer
Ethminer
Process_injection_technique
Powerkatz_stealer
Geo:
Azerbaijan, Kazakhstan, Russia, Belarus, Uzbekistan, Armenia, Tajikistan, Kyrgyzstan, Ukraine
TTPs:
Tactics: 4
Technics: 0
IOCs:
File: 20
Hash: 11
IP: 1
Path: 1
Softs:
node.js
Algorithms:
gzip, zip
Platforms:
intel, x86
www.antiy.cn
Follow-up analysis of the RedLine stealer trojan spread via video websites
While monitoring attack activity that spreads the RedLine stealer trojan through video websites, Antiy CERT found that the attackers had added a module that automatically logs into video websites and publishes malicious videos, automating the attack flow "publish video -> steal accounts -> use the stolen accounts to spread further" and strengthening the malicious code's ability to propagate.
#ParsedReport
16-11-2022
A Comprehensive Look at Emotet's Fall 2022 Return
https://www.proofpoint.com/us/blog/threat-insight/comprehensive-look-emotets-fall-2022-return
Actors/Campaigns:
Mummyspider
Threats:
Emotet
Icedid
Bumblebee
Xmrig_miner
Xmr_miner
Cobalt_strike
Qakbot
Geo:
Spanish, Greece, Spain, Italy, Mexico, French, Germany, Portuguese, Japan, Brazil, Japanese, France, German, Italian
IOCs:
File: 2
Hash: 2
Domain: 1
Softs:
microsoft office
Algorithms:
zip, xor
Functions:
CreateTimerQueueEx
Proofpoint
Emotet Malware Is Back - Virus Analysis | Proofpoint US
The Emotet malware has returned. Read more about the return of Emotet malware in 2022, what this means for you, and how to protect against it.
#ParsedReport
16-11-2022
New RapperBot Campaign – We Know What You Bruting for this Time
https://www.fortinet.com/blog/threat-research/new-rapperbot-campaign-ddos-attacks
Threats:
Rapperbot
Mirai
Tcpsynflood_technique
Tcpackflood_technique
Tcpstomp_technique
Satori
Bashlite
Hostile
Industry:
Iot
IOCs:
File: 1
Hash: 7
Url: 16
IP: 1
Softs:
curl
Platforms:
arm, mips, intel
Fortinet Blog
New RapperBot Campaign – We Know What You Bruting for this Time
FortiGuard Labs provides an analysis on RapperBot focusing on comparing samples for different campaigns, including one aiming to launch Distributed Denial of Service (DDoS) attacks. Read our blog t…
#ParsedReport
16-11-2022
BATLOADER: The Evasive Downloader Malware. Executive Summary
https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
Threats:
Batloader
Nikki
Conti
Log4shell_vuln
Atera_tool
Z_loader
Zeus
Teamviewer_tool
Nsudo_tool
Syncro_tool
Gozi
Arkei_stealer
Vidar_stealer
Cobalt_strike
Industry:
Financial
CVEs:
CVE-2013-3900 [Vulners]
Vulners: Score: 7.6, CVSS: 4.5,
Vulners: Exploitation: True
X-Force: Risk: 9.3
X-Force: Patch: Official fix
Soft:
- microsoft windows xp (-, -)
- microsoft windows server 2008 (r2, -)
- microsoft windows server 2012 (r2, -)
- microsoft windows 10 (1607, -, 21h2, 20h2, 21h1, 1909, 1809)
- microsoft windows 8.1 (-)
have more...
CVE-2020-1599 [Vulners]
Vulners: Score: 2.1, CVSS: 1.9,
Vulners: Exploitation: True
X-Force: Risk: 5.5
X-Force: Patch: Official fix
Soft:
- microsoft windows 10 (-, 20h2, 1607, 1803, 1809, 1903, 1909, 2004)
- microsoft windows 7 (-)
- microsoft windows 8.1 (-)
- microsoft windows rt 8.1 (-)
- microsoft windows server 2008 (-, r2)
have more...
TTPs:
Tactics: 1
Technics: 0
IOCs:
Url: 1
IP: 1
Domain: 4
File: 4
Hash: 72
Path: 8
Command: 1
Softs:
windows installer, zoom, discord, windows defender, ide bcded
Platforms:
x86
VMware Security Blog
BATLOADER: The Evasive Downloader Malware
We explore the Batloader malware, its history, attributes, how it is delivered, the infection chain, and Carbon Black’s detection capabilities.
#ParsedReport
16-11-2022
Threat Actors Taking Advantage of FTX Bankruptcy
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/threat-actors-taking-advantage-of-ftx-bankruptcy
Industry:
Education
IOCs:
Domain: 2
McAfee Blog
Threat Actors Taking Advantage of FTX Bankruptcy | McAfee Blog
Authored by Oliver Devane It hasn’t taken malicious actors long to take advantage of the recent bankruptcy filing of FTX, McAfee has discovered several
#ParsedReport
16-11-2022
New SocGholish Malware Variant Uses Zip Compression & Evasive Techniques
https://blog.sucuri.net/2022/11/new-socgholish-malware-variant-uses-zip-compression-evasive-techniques.html
Threats:
Socgholish_loader
IOCs:
File: 3
Domain: 3
Softs:
chrome
Algorithms:
base64, zip
Languages:
php, javascript
Sucuri Blog
New SocGholish Malware Variant Uses Zip Compression & Evasive Techniques
Analysis of a new technique to inject websites with SocGholish malware found using zip compression, obfuscation, strrev functions, and other evasive techniques to avoid detection.
#ParsedReport
16-11-2022
Fangxiao: a Chinese threat actor
https://www.cyjax.com/2022/11/14/fangxiao-a-chinese-threat-actor
Actors/Campaigns:
Fangxiao (motivation: cyber_criminal)
Threats:
Triada
Industry:
Retail, Healthcare, Energy, Financial
Geo:
Chinese, China, Emirates, Chinas
Softs:
android
Cyjax
Fangxiao: a Chinese threat actor
Phishing campaigns continue to increase globally. These operations offer an easy route for cybercriminals to generate revenue, steal credentials and spread malware. Cyjax has recently investigated a sophisticated, large-scale phishing campaign that exploits…
#ParsedReport
16-11-2022
Wiki ransomware being distributed in Korea
https://asec.ahnlab.com/ko/41768
Threats:
Dharma
IOCs:
Path: 1
File: 13
Command: 1
Email: 1
Hash: 2
ASEC BLOG
Wiki ransomware being distributed in Korea - ASEC BLOG
Through the ransomware-suspicious-behavior blocking history of AhnLab's ASD infrastructure, the ASEC analysis team confirmed that Wiki ransomware, identified as a variant of Crysis ransomware, is being distributed disguised as a legitimate program. Before performing the actual encryption, Wiki ransomware copies itself to the %AppData% path or the %windir%\system32 path and registers itself for startup in the registry (HKLM\Software\Microsoft\Windows\CurrentVersion\Run)…
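The persistence step in the ASEC summary above (self-copy into %AppData% and registration under the HKLM Run key) is a pattern defenders can hunt for directly: a Run value whose executable lives in a user-writable profile directory is rarely legitimate. The Python below is an added example written for this page, not code from ASEC or from the malware. It assumes Run-key values have already been exported as (name, command) pairs; the environment table, the sample entries and the function names are all constructed for the example and are not IOCs from the report.

```python
r"""Flag Run-key entries whose target executable sits in a user-writable location.

Added example, not part of the ASEC report. The report states that Wiki
ransomware copies itself to %AppData% or %windir%\system32 and registers the
copy under HKLM\Software\Microsoft\Windows\CurrentVersion\Run. Given Run-key
values as (name, command) pairs, this flags entries whose program path resolves
under APPDATA / LOCALAPPDATA / TEMP. Everything below is constructed sample data.
"""
import ntpath
import re

# Constructed environment table; on a live host you would read os.environ.
ENV = {
    "APPDATA": r"C:\Users\alice\AppData\Roaming",
    "LOCALAPPDATA": r"C:\Users\alice\AppData\Local",
    "TEMP": r"C:\Users\alice\AppData\Local\Temp",
    "WINDIR": r"C:\Windows",
    "PROGRAMFILES": r"C:\Program Files",
}

# Roots a standard user can write to; an autorun pointing here is worth a look.
_SUSPICIOUS_ROOTS = ("APPDATA", "LOCALAPPDATA", "TEMP")


def expand_env(path: str) -> str:
    """Expand %VAR% references (case-insensitive) using the ENV table above."""
    def repl(match):
        return ENV.get(match.group(1).upper(), match.group(0))
    return re.sub(r"%([^%]+)%", repl, path)


def executable_from_command(command: str) -> str:
    r"""Extract the program path from a Run-key command line.

    Handles a quoted path followed by arguments ("C:\dir with spaces\x.exe" /a)
    and an unquoted path followed by arguments (C:\dir\x.exe /a). Unquoted
    paths containing spaces are ambiguous on Windows too, so they are cut at
    the first whitespace, exactly as CreateProcess would try first.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def is_user_writable(path: str) -> bool:
    """True if the (expanded, normalised) path lies under a user-writable root."""
    expanded = ntpath.normcase(ntpath.normpath(expand_env(path)))
    for var in _SUSPICIOUS_ROOTS:
        root = ntpath.normcase(ntpath.normpath(ENV[var]))
        if expanded == root or expanded.startswith(root + "\\"):
            return True
    return False


def flag_run_entries(entries):
    """Return (name, exe_path) for each entry whose executable is user-writable."""
    hits = []
    for name, command in entries:
        exe = executable_from_command(command)
        if exe and is_user_writable(exe):
            hits.append((name, exe))
    return hits


# Constructed sample of HKLM\...\Run values (not real indicators).
SAMPLE_RUN_ENTRIES = [
    ("SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    ("OneDrive", r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    ("updater", r'"%APPDATA%\svchost.exe"'),
    ("wiki", r"C:\Users\alice\AppData\Roaming\wiki.exe -silent"),
]

if __name__ == "__main__":
    for name, exe in flag_run_entries(SAMPLE_RUN_ENTRIES):
        print(f"suspicious Run entry {name!r} -> {exe}")
```

The check deliberately does not flag the %windir%\system32 copy the report also mentions: a Run value pointing into System32 is the normal case, so that half of the technique needs a different signal (a recently created, unsigned binary in System32, or a Run value name that does not match a known product) rather than a path rule.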
#ParsedReport
16-11-2022
WatchDog Continues to Target East Asian CSPs
https://www.cadosecurity.com/watchdog-continues-to-target-east-asian-csps
Actors/Campaigns:
Teamtnt
Threats:
Coinstomp
Timestomp_technique
Xmrig_miner
Log4shell_vuln
Geo:
Asian
IOCs:
Domain: 2
Hash: 2
Softs:
unix, macos
Links:
Links:
https://github.com/cado-security
Cado Security | Cloud Forensics & Incident Response
WatchDog Continues to Target East Asian CSPs - Cado Security | Cloud Forensics & Incident Response
Researchers at Cado Labs have recently discovered a new malicious shell script, which can be attributed to the threat actor WatchDog.
#ParsedReport
16-11-2022
An Update on LockBit 3.0
https://explore.avertium.com/resource/an-update-on-lockbit-3
Actors/Campaigns:
Lapsus
Threats:
Lockbit
Bloodystealer
Conti
Medusalocker
Hydra
Blackbyte
H0lygh0st
Gh0st_rat
Industry:
Healthcare, Retail, Financial, Chemical
Geo:
Iranian, Russian, Korean, Russia, India, Indonesia, China, France, Japanese, Germany, Albania, Ukraine, Canada, French
IOCs:
Hash: 13
Url: 2
Domain: 1
Softs:
windows powershell, telegram, windows defender, active directory
Win API:
OpenSCManagerA
Languages:
javascript
Avertium
An Update on LockBit 3.0
This report looks at the recent activity of LockBit 3.0, their tactics and techniques, as well as the state of ransomware for 2022.