#ParsedReport
15-11-2022
Phishing Campaign Targeting Indonesian BRI Bank Using SMS Stealer
https://blog.cyble.com/2022/11/15/phishing-campaign-targeting-indonesian-bri-bank-using-sms-stealer
Threats:
Sms_stealer
Smseye_stealer
Industry:
Financial
Geo:
Dubai, Georgia, Singapore, Australia, Indonesian, Indonesia, India
TTPs:
Tactics: 6
Technics: 7
IOCs:
Url: 15
Hash: 4
File: 1
Softs:
android, telegram
Languages:
php, kotlin
Links:
https://github.com/AbyssalArmy/SmsEye
Cyble
SMS Stealer Phishing Campaign Hits Indonesia's BRI Bank
Cyble Research & Intelligence Labs analyzes an active phishing campaign targeting Indonesian BRI bank using Android SMS Stealer.
#ParsedReport
15-11-2022
Billbug: State-sponsored Actor Targets Cert Authority, Government Agencies in Multiple Asian Countries
https://symantec-enterprise-blogs.security.com/threat-intelligence/espionage-asia-governments-cert-authority
Actors/Campaigns:
Dragonfish (motivation: information_theft, cyber_espionage)
Threats:
Hannotog
Sagerunex
Adfind_tool
Nbtscan_tool
Stowaway_tool
Cobalt_strike
Industry:
Government
Geo:
Asia, Asian
IOCs:
File: 5
Command: 2
Hash: 23
Softs:
active directory
Algorithms:
xor, aes-256-cbc, zip, rc4
Win API:
WinHttpGetIEProxyConfigForCurrentUser
Security
Billbug: State-sponsored Actor Targets Cert Authority, Government Agencies in Multiple Asian Countries
Campaign has been ongoing for at least the last six months.
#ParsedReport
16-11-2022
DAGON LOCKER Ransomware Being Distributed
https://asec.ahnlab.com/en/42037
Threats:
Dagon_locker
Quantum_locker
Mount_locker
Ransom/mdp.behavior.m1171
Ransom/mdp.behavior.m1946
Geo:
Korean, Korea
IOCs:
Hash: 2
File: 3
Algorithms:
rsa-2048, chacha20
Win API:
GetCommandLineW, GetDriveTypeW, CryptImportKey, CryptEncrypt
Win Services:
agntsvc
Platforms:
x64
ASEC
DAGON LOCKER Ransomware Being Distributed - ASEC
#ParsedReport
16-11-2022
ASEC Weekly Malware Statistics (November 7th, 2022 – November 13th, 2022)
https://asec.ahnlab.com/en/42068
Threats:
Emotet
Qakbot
Trickbot
Icedid
Agent_tesla
Smokeloader
Amadey
Lockbit
Cloudeye
Formbook
Remcos_rat
Nanocore_rat
Industry:
Financial
Geo:
Korea
IOCs:
Url: 8
Email: 5
File: 11
Domain: 7
Softs:
discord, nsis installer
Languages:
visual_basic
ASEC
ASEC Weekly Malware Statistics (November 7th, 2022 – November 13th, 2022) - ASEC
The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from November 7th, 2022 (Monday) to November 13th (Sunday). For the main category, downloader…
#ParsedReport
16-11-2022
https://www.antiy.cn/research/notice&report/research_report/20221115.html
Threats:
Redline_stealer
Ethminer
Process_injection_technique
Powerkatz_stealer
Geo:
Azerbaijan, Kazakhstan, Russia, Belarus, Uzbekistan, Armenia, Tajikistan, Kyrgyzstan, Ukraine
TTPs:
Tactics: 4
Technics: 0
IOCs:
File: 20
Hash: 11
IP: 1
Path: 1
Softs:
node.js
Algorithms:
gzip, zip
Platforms:
intel, x86
www.antiy.cn
Follow-up analysis of the RedLine stealer trojan spread through video websites
While monitoring attack activity that spreads the RedLine stealer trojan through video websites, Antiy CERT found that the attackers have added a module that automatically logs in to video sites and publishes malicious videos. This automates the attack loop "publish video -> steal accounts -> use the stolen accounts to spread further" and increases the malware's ability to propagate.
#ParsedReport
16-11-2022
A Comprehensive Look at Emotet's Fall 2022 Return
https://www.proofpoint.com/us/blog/threat-insight/comprehensive-look-emotets-fall-2022-return
Actors/Campaigns:
Mummyspider
Threats:
Emotet
Icedid
Bumblebee
Xmrig_miner
Xmr_miner
Cobalt_strike
Qakbot
Geo:
Spanish, Greece, Spain, Italy, Mexico, French, Germany, Portuguese, Japan, Brazil, Japanese, France, German, Italian
IOCs:
File: 2
Hash: 2
Domain: 1
Softs:
microsoft office
Algorithms:
zip, xor
Functions:
CreateTimerQueueEx
Proofpoint
Emotet Malware Is Back - Virus Analysis | Proofpoint US
The Emotet malware has returned. Read more about the return of Emotet malware in 2022, what this means for you, and how to protect against it.
#ParsedReport
16-11-2022
New RapperBot Campaign – We Know What You Bruting for this Time
https://www.fortinet.com/blog/threat-research/new-rapperbot-campaign-ddos-attacks
Threats:
Rapperbot
Mirai
Tcpsynflood_technique
Tcpackflood_technique
Tcpstomp_technique
Satori
Bashlite
Hostile
Industry:
Iot
IOCs:
File: 1
Hash: 7
Url: 16
IP: 1
Softs:
curl
Platforms:
arm, mips, intel
Fortinet Blog
New RapperBot Campaign – We Know What You Bruting for this Time
FortiGuard Labs provides an analysis on RapperBot focusing on comparing samples for different campaigns, including one aiming to launch Distributed Denial of Service (DDoS) attacks. Read our blog t…
#ParsedReport
16-11-2022
BATLOADER: The Evasive Downloader Malware. Executive Summary
https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
Threats:
Batloader
Nikki
Conti
Log4shell_vuln
Atera_tool
Z_loader
Zeus
Teamviewer_tool
Nsudo_tool
Syncro_tool
Gozi
Arkei_stealer
Vidar_stealer
Cobalt_strike
Industry:
Financial
CVEs:
CVE-2013-3900 [Vulners]
Vulners: Score: 7.6, CVSS: 4.5,
Vulners: Exploitation: True
X-Force: Risk: 9.3
X-Force: Patch: Official fix
Soft:
- microsoft windows xp (-, -)
- microsoft windows server 2008 (r2, -)
- microsoft windows server 2012 (r2, -)
- microsoft windows 10 (1607, -, 21h2, 20h2, 21h1, 1909, 1809)
- microsoft windows 8.1 (-)
have more...
CVE-2020-1599 [Vulners]
Vulners: Score: 2.1, CVSS: 1.9,
Vulners: Exploitation: True
X-Force: Risk: 5.5
X-Force: Patch: Official fix
Soft:
- microsoft windows 10 (-, 20h2, 1607, 1803, 1809, 1903, 1909, 2004)
- microsoft windows 7 (-)
- microsoft windows 8.1 (-)
- microsoft windows rt 8.1 (-)
- microsoft windows server 2008 (-, r2)
have more...
TTPs:
Tactics: 1
Technics: 0
IOCs:
Url: 1
IP: 1
Domain: 4
File: 4
Hash: 72
Path: 8
Command: 1
Softs:
windows installer, zoom, discord, windows defender, ide bcded,
Platforms:
x86
VMware Security Blog
BATLOADER: The Evasive Downloader Malware
We explore the Batloader malware, its history, attributes, how it is delivered, the infection chain, and Carbon Black’s detection capabilities.
#ParsedReport
16-11-2022
Threat Actors Taking Advantage of FTX Bankruptcy
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/threat-actors-taking-advantage-of-ftx-bankruptcy
Industry:
Education
IOCs:
Domain: 2
McAfee Blog
Threat Actors Taking Advantage of FTX Bankruptcy | McAfee Blog
Authored by Oliver Devane It hasn’t taken malicious actors long to take advantage of the recent bankruptcy filing of FTX, McAfee has discovered several
#ParsedReport
16-11-2022
New SocGholish Malware Variant Uses Zip Compression & Evasive Techniques
https://blog.sucuri.net/2022/11/new-socgholish-malware-variant-uses-zip-compression-evasive-techniques.html
Threats:
Socgholish_loader
IOCs:
File: 3
Domain: 3
Softs:
chrome
Algorithms:
base64, zip
Languages:
php, javascript
Sucuri Blog
New SocGholish Malware Variant Uses Zip Compression & Evasive Techniques
Analysis of a new technique to inject websites with SocGholish malware found using zip compression, obfuscation, strrev functions, and other evasive techniques to avoid detection.
#ParsedReport
16-11-2022
Fangxiao: a Chinese threat actor
https://www.cyjax.com/2022/11/14/fangxiao-a-chinese-threat-actor
Actors/Campaigns:
Fangxiao (motivation: cyber_criminal)
Threats:
Triada
Industry:
Retail, Healthcare, Energy, Financial
Geo:
Chinese, China, Emirates, Chinas
Softs:
android
Cyjax
Fangxiao: a Chinese threat actor
Phishing campaigns continue to increase globally. These operations offer an easy route for cybercriminals to generate revenue, steal credentials and spread malware. Cyjax has recently investigated a sophisticated, large-scale phishing campaign that exploits…
#ParsedReport
16-11-2022
Wiki ransomware being distributed in Korea
https://asec.ahnlab.com/ko/41768
Threats:
Dharma
IOCs:
Path: 1
File: 13
Command: 1
Email: 1
Hash: 2
ASEC BLOG
Wiki Ransomware Being Distributed in Korea - ASEC BLOG
Through the ransomware-suspicious-behaviour blocking history of AhnLab's ASD infrastructure, the ASEC analysis team confirmed that Wiki ransomware, identified as a variant of the Crysis ransomware, is being distributed disguised as a legitimate program. Before performing the actual encryption, Wiki ransomware copies itself to the %AppData% path or the %windir%\system32 path and registers itself in the Run key (HKLM\Software\Microsoft\Windows\CurrentVersion\Run) so that it starts with the system…
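As an added example (not code from the ASEC post and not the ransomware's own logic), the following Python flags Run-key autostart entries whose image lives under a user-writable directory such as %AppData%, the self-copy location described in the entry above, or that reuse a well-known system binary name outside the Windows directory. The registry text it parses is a constructed sample in the shape of `reg query HKLM\...\Run /s` output; every value name and path in it is invented for the example.

```python
"""Hunt for suspicious Run-key autostarts in reg-query style output.

Added example for this feed entry; it is not ASEC's code. The sample
registry text below is constructed and contains no real indicators.
"""
import re
from typing import Dict, List

# Constructed sample in the shape of `reg query ... /s` output (not real data).
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    OneDrive          REG_SZ           "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
    Updater           REG_SZ           C:\Users\alice\AppData\Roaming\updater.exe
    svchost           REG_SZ           C:\Users\bob\AppData\Local\Temp\svchost.exe -k netsvcs
"""

# Directories an unprivileged user can write to; a Run entry launching from
# one of these is the pattern the Wiki/Crysis description calls out.
USER_WRITABLE = re.compile(
    r"(\\AppData\\|%APPDATA%|%LOCALAPPDATA%|\\Temp\\|%TEMP%|\\Users\\Public\\)",
    re.IGNORECASE,
)

# Names that legitimately live only under the Windows directory.
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}

# One value line: <indent><name> <REG_type> <data>
VALUE_RE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_\w+)\s+(?P<data>.+?)\s*$")


def parse_run_values(text: str) -> List[Dict[str, str]]:
    """Return the value name/type/data triples found in reg-query output."""
    return [m.groupdict() for m in (VALUE_RE.match(ln) for ln in text.splitlines()) if m]


def image_path(data: str) -> str:
    """Extract the executable path from a command line, quoted or not."""
    data = data.strip()
    if data.startswith('"'):
        return data[1 : data.find('"', 1)]
    return data.split()[0]


def suspicious_autostarts(text: str) -> List[Dict[str, str]]:
    """Flag Run entries that launch from user-writable paths or impersonate system binaries."""
    hits = []
    for entry in parse_run_values(text):
        path = image_path(entry["data"])
        lowered = path.lower()
        reasons = []
        if USER_WRITABLE.search(path):
            reasons.append("executable in user-writable directory")
        base = lowered.rsplit("\\", 1)[-1]
        in_windows_dir = "\\windows\\" in lowered or "%windir%" in lowered
        if base in SYSTEM_BINARY_NAMES and not in_windows_dir:
            reasons.append("system binary name outside Windows directory")
        if reasons:
            hits.append({"name": entry["name"], "path": path, "reasons": "; ".join(reasons)})
    return hits


if __name__ == "__main__":
    for hit in suspicious_autostarts(SAMPLE_REG_OUTPUT):
        print(f"{hit['name']:<16} {hit['path']}  [{hit['reasons']}]")
```

Run it against real output from `reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /s` (and the HKCU hive, which the same parser handles) to get a quick list of autostarts worth pulling hashes for.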
#ParsedReport
16-11-2022
WatchDog Continues to Target East Asian CSPs
https://www.cadosecurity.com/watchdog-continues-to-target-east-asian-csps
Actors/Campaigns:
Teamtnt
Threats:
Coinstomp
Timestomp_technique
Xmrig_miner
Log4shell_vuln
Geo:
Asian
IOCs:
Domain: 2
Hash: 2
Softs:
unix, macos
Links:
https://github.com/cado-security
Cado Security | Cloud Forensics & Incident Response
WatchDog Continues to Target East Asian CSPs - Cado Security | Cloud Forensics & Incident Response
Researchers at Cado Labs have recently discovered a new malicious shell script, which can be attributed to the threat actor WatchDog.
#ParsedReport
16-11-2022
An Update on LockBit 3.0
https://explore.avertium.com/resource/an-update-on-lockbit-3
Actors/Campaigns:
Lapsus
Threats:
Lockbit
Bloodystealer
Conti
Medusalocker
Hydra
Blackbyte
H0lygh0st
Gh0st_rat
Industry:
Healthcare, Retail, Financial, Chemical
Geo:
Iranian, Russian, Korean, Russia, India, Indonesia, China, France, Japanese, Germany, Albania, Ukraine, Canada, French
IOCs:
Hash: 13
Url: 2
Domain: 1
Softs:
windows powershell, telegram, windows defender, active directory
Win API:
OpenSCManagerA
Languages:
javascript
Avertium
An Update on LockBit 3.0
This report looks at the recent activity of LockBit 3.0, their tactics and techniques, as well as the state of ransomware for 2022.
#ParsedReport
16-11-2022
Cloud Abuse: New Technique Using Adobe Acrobat to Host Phishing
https://www.netskope.com/blog/cloud-abuse-new-technique-using-adobe-acrobat-to-host-phishing
Industry:
Financial
IOCs:
Url: 2
Softs:
microsoft office
Languages:
javascript, php
Netskope
Cloud Abuse: New Technique Using Adobe Acrobat to Host Phishing
Summary Netskope Threat Labs recently discovered a phishing campaign that is abusing Adobe Acrobat to host a Microsoft Office phishing page. While abusing
#ParsedReport
16-11-2022
Venus Ransomware | Zeoticus Spin-off Shows Sophistication Isn't Necessary for Success
https://www.sentinelone.com/blog/venus-ransomware-zeoticus-spin-off-shows-sophistication-isnt-necessary-for-success
Threats:
Venus_locker
Industry:
Healthcare
TTPs:
IOCs:
Path: 2
File: 35
Command: 1
Hash: 69
Softs:
onenote, sqlagent, sqlbrowser, thebat64, wordpad, dbsnmp, encsvc, have more...
Win API:
NetShareEnum
Win Services:
agntsvc, dbeng50, dbsnmp, encsvc, infopath, isqlplussvc, mydesktopqos, mydesktopservice, ocautoupds, ocomm, have more...
SentinelOne
Venus Ransomware | Zeoticus Spin-off Shows Sophistication Isn’t Necessary for Success
Learn about the uptick in activity of this recent ransomware variant that has been encrypting victims worldwide, with the latest IoCS, TTPs and analysis.
#ParsedReport
16-11-2022
ARCrypter Ransomware Expands Its Operations From Latin America to the World
https://blogs.blackberry.com/en/2022/11/arcrypter-ransomware-expands-its-operations-from-latin-america-to-the-world
Threats:
Arcrypter
Process_injection_technique
Industry:
Foodtech, Government
Geo:
American, Canada, Colombian, Chile, Colombia, China, Latam, America
TTPs:
Tactics: 8
Technics: 29
IOCs:
File: 6
Path: 6
Registry: 3
Command: 2
Hash: 10
Softs:
microsoft visual c++, component object model, windows service
Platforms:
x64
SIGMA: Found
BlackBerry
ARCrypter Ransomware Expands Its Operations From Latin America to the World
Between Aug. and Oct. 2022, Chile's government computer systems and Invima, The Colombia National Food and Drug Surveillance Institute, were attacked by a previously unseen ransomware variant. Based on the unique strings identified during our threat hunting…
#ParsedReport
17-11-2022
Word document being distributed disguised with a legitimate-looking MS Office URL
https://asec.ahnlab.com/ko/42233
Actors/Campaigns:
Kimsuky
Geo:
Korea, China, Korean
IOCs:
File: 5
Url: 12
Hash: 1
ASEC BLOG
Word Document Being Distributed Disguised with a Legitimate MS Office URL - ASEC BLOG
An issue was recently shared in which malware disguised as a Word document is being distributed mainly through specific channels (e.g. KakaoTalk group chat rooms). During further monitoring, the ASEC analysis team confirmed that the URLs used in similar Word documents have become very cunning in how closely they resemble legitimate URLs, and urges users to be careful. The file names of the malicious Word documents identified internally so far are as follows. The real names of Korean nationals appearing in the file names have been redacted (○○○); given that they are experts in the diplomacy and security field, and that the file names also…
#ParsedReport
17-11-2022
Pilfered Keys: Free App Infected by Malware Steals Keychain Data
https://www.trendmicro.com/en_us/research/22/k/pilfered-keys-free-app-infected-by-malware-steals-keychain-data.html
TTPs:
Tactics: 6
Technics: 10
IOCs:
Hash: 4
Url: 1
Softs:
keychain, macos, chrome
Algorithms:
3des
Platforms:
apple
Links:
https://github.com/jukai9316/JKEncrypt
https://github.com/InjoyDeng/ResignTool
Trend Micro
Pilfered Keys: Free App Infected by Malware Steals Keychain Data
Open-source applications are a practical way to save money while keeping up with your productivity. However, this can be abused by threat actors to steal your data. Find out how one app was used to gather information of Apple users.
#ParsedReport
16-11-2022
BOMB: A Dropper-Like Malware Actively Spreading In Disguise of Cracks
https://www.secureblink.com/threat-research/bomb-a-dropper-like-malware-actively-spreading-in-disguise-of-cracks
Threats:
BOMB
Vidar_stealer
Raccoon_stealer
Cryptbot_stealer
Record_breaker_stealer
IOCs:
File: 2
Hash: 5
Algorithms:
zip
Secureblink
BOMB: A Dropper-Like Malware Actively Spreading In Disguise of Cracks | Secure Blink
BOMB, a dropper malware concealed as a crack, actively circulated following its dormancy and deployed over the targeted system…