#ParsedReport
16-11-2022
DAGON LOCKER Ransomware Being Distributed
https://asec.ahnlab.com/en/42037
Threats:
Dagon_locker
Quantum_locker
Mount_locker
Ransom/mdp.behavior.m1171
Ransom/mdp.behavior.m1946
Geo:
Korean, Korea
IOCs:
Hash: 2
File: 3
Algorithms:
rsa-2048, chacha20
Win API:
GetCommandLineW, GetDriveTypeW, CryptImportKey, CryptEncrypt
Win Services:
agntsvc
Platforms:
x64
16-11-2022
DAGON LOCKER Ransomware Being Distributed
https://asec.ahnlab.com/en/42037
Threats:
Dagon_locker
Quantum_locker
Mount_locker
Ransom/mdp.behavior.m1171
Ransom/mdp.behavior.m1946
Geo:
Korean, Korea
IOCs:
Hash: 2
File: 3
Algorithms:
rsa-2048, chacha20
Win API:
GetCommandLineW, GetDriveTypeW, CryptImportKey, CryptEncrypt
Win Services:
agntsvc
Platforms:
x64
ASEC
DAGON LOCKER Ransomware Being Distributed - ASEC
DAGON LOCKER Ransomware Being Distributed ASEC
#ParsedReport
16-11-2022
ASEC Weekly Malware Statistics (November 7th, 2022 November 13th, 2022)
https://asec.ahnlab.com/en/42068
Threats:
Emotet
Qakbot
Trickbot
Icedid
Agent_tesla
Smokeloader
Amadey
Lockbit
Cloudeye
Formbook
Remcos_rat
Nanocore_rat
Industry:
Financial
Geo:
Korea
IOCs:
Url: 8
Email: 5
File: 11
Domain: 7
Softs:
discord, nsis installer
Languages:
visual_basic
16-11-2022
ASEC Weekly Malware Statistics (November 7th, 2022 November 13th, 2022)
https://asec.ahnlab.com/en/42068
Threats:
Emotet
Qakbot
Trickbot
Icedid
Agent_tesla
Smokeloader
Amadey
Lockbit
Cloudeye
Formbook
Remcos_rat
Nanocore_rat
Industry:
Financial
Geo:
Korea
IOCs:
Url: 8
Email: 5
File: 11
Domain: 7
Softs:
discord, nsis installer
Languages:
visual_basic
ASEC
ASEC Weekly Malware Statistics (November 7th, 2022 – November 13th, 2022) - ASEC
The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from November 7th, 2022 (Monday) to November 13th (Sunday). For the main category, downloader…
#ParsedReport
16-11-2022
https://www.antiy.cn/research/notice&report/research_report/20221115.html
Threats:
Redline_stealer
Ethminer
Process_injection_technique
Powerkatz_stealer
Geo:
Azerbaijan, Kazakhstan, Russia, Belarus, Uzbekistan, Armenia, Tajikistan, Kyrgyzstan, Ukraine
TTPs:
Tactics: 4
Technics: 0
IOCs:
File: 20
Hash: 11
IP: 1
Path: 1
Softs:
node.js
Algorithms:
gzip, zip
Platforms:
intel, x86
16-11-2022
https://www.antiy.cn/research/notice&report/research_report/20221115.html
Threats:
Redline_stealer
Ethminer
Process_injection_technique
Powerkatz_stealer
Geo:
Azerbaijan, Kazakhstan, Russia, Belarus, Uzbekistan, Armenia, Tajikistan, Kyrgyzstan, Ukraine
TTPs:
Tactics: 4
Technics: 0
IOCs:
File: 20
Hash: 11
IP: 1
Path: 1
Softs:
node.js
Algorithms:
gzip, zip
Platforms:
intel, x86
www.antiy.cn
通过视频网站传播的RedLine窃密木马跟进分析
安天CERT在监测通过视频网站传播RedLine窃密木马的攻击活动中发现攻击者增加了自动登录视频网站发布恶意视频的攻击模块,实现了“发布视频->窃取账号->用窃取到的账号进一步传播”的攻击流程自动化体系,增强了恶意代码传播扩散的能力。
#ParsedReport
16-11-2022
A Comprehensive Look at Emotets Fall 2022 Return
https://www.proofpoint.com/us/blog/threat-insight/comprehensive-look-emotets-fall-2022-return
Actors/Campaigns:
Mummyspider
Threats:
Emotet
Icedid
Bumblebee
Xmrig_miner
Xmr_miner
Cobalt_strike
Qakbot
Geo:
Spanish, Greece, Spain, Italy, Mexico, French, Germany, Portuguese, Japan, Brazil, Japanese, France, German, Italian
IOCs:
File: 2
Hash: 2
Domain: 1
Softs:
microsoft office
Algorithms:
zip, xor
Functions:
CreateTimerQueueEx
16-11-2022
A Comprehensive Look at Emotets Fall 2022 Return
https://www.proofpoint.com/us/blog/threat-insight/comprehensive-look-emotets-fall-2022-return
Actors/Campaigns:
Mummyspider
Threats:
Emotet
Icedid
Bumblebee
Xmrig_miner
Xmr_miner
Cobalt_strike
Qakbot
Geo:
Spanish, Greece, Spain, Italy, Mexico, French, Germany, Portuguese, Japan, Brazil, Japanese, France, German, Italian
IOCs:
File: 2
Hash: 2
Domain: 1
Softs:
microsoft office
Algorithms:
zip, xor
Functions:
CreateTimerQueueEx
Proofpoint
Emotet Malware Is Back - Virus Analysis | Proofpoint US
The Emotet malware has returned. Read more about the return of Emotet malware in 2022, what this means for you, and how to protect against it.
#ParsedReport
16-11-2022
New RapperBot Campaign We Know What You Bruting for this Time
https://www.fortinet.com/blog/threat-research/new-rapperbot-campaign-ddos-attacks
Threats:
Rapperbot
Mirai
Tcpsynflood_technique
Tcpackflood_technique
Tcpstomp_technique
Satori
Bashlite
Hostile
Industry:
Iot
IOCs:
File: 1
Hash: 7
Url: 16
IP: 1
Softs:
curl
Platforms:
arm, mips, intel
16-11-2022
New RapperBot Campaign We Know What You Bruting for this Time
https://www.fortinet.com/blog/threat-research/new-rapperbot-campaign-ddos-attacks
Threats:
Rapperbot
Mirai
Tcpsynflood_technique
Tcpackflood_technique
Tcpstomp_technique
Satori
Bashlite
Hostile
Industry:
Iot
IOCs:
File: 1
Hash: 7
Url: 16
IP: 1
Softs:
curl
Platforms:
arm, mips, intel
Fortinet Blog
New RapperBot Campaign – We Know What You Bruting for this Time
FortiGuard Labs provides an analysis on RapperBot focusing on comparing samples for different campaigns, including one aiming to launch Distributed Denial of Service (DDoS) attacks. Read our blog t…
#ParsedReport
16-11-2022
BATLOADER: The Evasive Downloader Malware. Executive Summary
https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
Threats:
Batloader
Nikki
Conti
Log4shell_vuln
Atera_tool
Z_loader
Zeus
Teamviewer_tool
Nsudo_tool
Syncro_tool
Gozi
Arkei_stealer
Vidar_stealer
Cobalt_strike
Industry:
Financial
CVEs:
CVE-2013-3900 [Vulners]
Vulners: Score: 7.6, CVSS: 4.5,
Vulners: Exploitation: True
X-Force: Risk: 9.3
X-Force: Patch: Official fix
Soft:
- microsoft windows xp (-, -)
- microsoft windows server 2008 (r2, -)
- microsoft windows server 2012 (r2, -)
- microsoft windows 10 (1607, -, 21h2, 20h2, 21h1, 1909, 1809)
- microsoft windows 8.1 (-)
have more...
CVE-2020-1599 [Vulners]
Vulners: Score: 2.1, CVSS: 1.9,
Vulners: Exploitation: True
X-Force: Risk: 5.5
X-Force: Patch: Official fix
Soft:
- microsoft windows 10 (-, 20h2, 1607, 1803, 1809, 1903, 1909, 2004)
- microsoft windows 7 (-)
- microsoft windows 8.1 (-)
- microsoft windows rt 8.1 (-)
- microsoft windows server 2008 (-, r2)
have more...
TTPs:
Tactics: 1
Technics: 0
IOCs:
Url: 1
IP: 1
Domain: 4
File: 4
Hash: 72
Path: 8
Command: 1
Softs:
windows installer, zoom, discord, windows defender, ide bcded,
Platforms:
x86
16-11-2022
BATLOADER: The Evasive Downloader Malware. Executive Summary
https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
Threats:
Batloader
Nikki
Conti
Log4shell_vuln
Atera_tool
Z_loader
Zeus
Teamviewer_tool
Nsudo_tool
Syncro_tool
Gozi
Arkei_stealer
Vidar_stealer
Cobalt_strike
Industry:
Financial
CVEs:
CVE-2013-3900 [Vulners]
Vulners: Score: 7.6, CVSS: 4.5,
Vulners: Exploitation: True
X-Force: Risk: 9.3
X-Force: Patch: Official fix
Soft:
- microsoft windows xp (-, -)
- microsoft windows server 2008 (r2, -)
- microsoft windows server 2012 (r2, -)
- microsoft windows 10 (1607, -, 21h2, 20h2, 21h1, 1909, 1809)
- microsoft windows 8.1 (-)
have more...
CVE-2020-1599 [Vulners]
Vulners: Score: 2.1, CVSS: 1.9,
Vulners: Exploitation: True
X-Force: Risk: 5.5
X-Force: Patch: Official fix
Soft:
- microsoft windows 10 (-, 20h2, 1607, 1803, 1809, 1903, 1909, 2004)
- microsoft windows 7 (-)
- microsoft windows 8.1 (-)
- microsoft windows rt 8.1 (-)
- microsoft windows server 2008 (-, r2)
have more...
TTPs:
Tactics: 1
Technics: 0
IOCs:
Url: 1
IP: 1
Domain: 4
File: 4
Hash: 72
Path: 8
Command: 1
Softs:
windows installer, zoom, discord, windows defender, ide bcded,
Platforms:
x86
VMware Security Blog
BATLOADER: The Evasive Downloader Malware
We explore the Batloader malware, its history, attributes, how it is delivered, the infection chain, and Carbon Black’s detection capabilities.
#ParsedReport
16-11-2022
Threat Actors Taking Advantage of FTX Bankruptcy
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/threat-actors-taking-advantage-of-ftx-bankruptcy
Industry:
Education
IOCs:
Domain: 2
16-11-2022
Threat Actors Taking Advantage of FTX Bankruptcy
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/threat-actors-taking-advantage-of-ftx-bankruptcy
Industry:
Education
IOCs:
Domain: 2
McAfee Blog
Threat Actors Taking Advantage of FTX Bankruptcy | McAfee Blog
Authored by Oliver Devane It hasn’t taken malicious actors long to take advantage of the recent bankruptcy filing of FTX, McAfee has discovered several
#ParsedReport
16-11-2022
New SocGholish Malware Variant Uses Zip Compression & Evasive Techniques
https://blog.sucuri.net/2022/11/new-socgholish-malware-variant-uses-zip-compression-evasive-techniques.html
Threats:
Socgholish_loader
IOCs:
File: 3
Domain: 3
Softs:
chrome
Algorithms:
base64, zip
Languages:
php, javascript
16-11-2022
New SocGholish Malware Variant Uses Zip Compression & Evasive Techniques
https://blog.sucuri.net/2022/11/new-socgholish-malware-variant-uses-zip-compression-evasive-techniques.html
Threats:
Socgholish_loader
IOCs:
File: 3
Domain: 3
Softs:
chrome
Algorithms:
base64, zip
Languages:
php, javascript
Sucuri Blog
New SocGholish Malware Variant Uses Zip Compression & Evasive Techniques
Analysis of a new technique to inject websites with SocGholish malware found using zip compression, obfuscation, strrev functions, and other evasive techniques to avoid detection.
#ParsedReport
16-11-2022
Fangxiao: a Chinese threat actor
https://www.cyjax.com/2022/11/14/fangxiao-a-chinese-threat-actor
Actors/Campaigns:
Fangxiao (motivation: cyber_criminal)
Threats:
Triada
Industry:
Retail, Healthcare, Energy, Financial
Geo:
Chinese, China, Emirates, Chinas
Softs:
android
16-11-2022
Fangxiao: a Chinese threat actor
https://www.cyjax.com/2022/11/14/fangxiao-a-chinese-threat-actor
Actors/Campaigns:
Fangxiao (motivation: cyber_criminal)
Threats:
Triada
Industry:
Retail, Healthcare, Energy, Financial
Geo:
Chinese, China, Emirates, Chinas
Softs:
android
Cyjax
Fangxiao: a Chinese threat actor
Phishing campaigns continue to increase globally. These operations offer an easy route for cybercriminals to generate revenue, steal credentials and spread malware. Cyjax has recently investigated a sophisticated, large-scale phishing campaign that exploits…
#ParsedReport
16-11-2022
Wiki. Wiki ransomware domestic distribution
https://asec.ahnlab.com/ko/41768
Threats:
Dharma
IOCs:
Path: 1
File: 13
Command: 1
Email: 1
Hash: 2
16-11-2022
Wiki. Wiki ransomware domestic distribution
https://asec.ahnlab.com/ko/41768
Threats:
Dharma
IOCs:
Path: 1
File: 13
Command: 1
Email: 1
Hash: 2
ASEC BLOG
Wiki 랜섬웨어 국내 유포 중 - ASEC BLOG
ASEC 분석팀은 안랩 ASD 인프라의 랜섬웨어 의심 행위 차단 이력을 통해, Crysis 랜섬웨어의 변종으로 확인되는 Wiki 랜섬웨어가 정상 프로그램으로 위장하여 유포되는 것을 확인하였다. Wiki 랜섬웨어는 실질적인 암호화를 수행하기 전, %AppData% 경로나 %windir%system32 경로에 자가 복제를 수행하고 시작 프로그램에 등록을 위한 레지스트리 등록(HKLMSoftwareMicrosoftWindowsCurrentVersionRun)…
#ParsedReport
16-11-2022
WatchDog Continues to Target East Asian CSPs
https://www.cadosecurity.com/watchdog-continues-to-target-east-asian-csps
Actors/Campaigns:
Teamtnt
Threats:
Coinstomp
Timestomp_technique
Xmrig_miner
Log4shell_vuln
Geo:
Asian
IOCs:
Domain: 2
Hash: 2
Softs:
unix, macos
Links:
16-11-2022
WatchDog Continues to Target East Asian CSPs
https://www.cadosecurity.com/watchdog-continues-to-target-east-asian-csps
Actors/Campaigns:
Teamtnt
Threats:
Coinstomp
Timestomp_technique
Xmrig_miner
Log4shell_vuln
Geo:
Asian
IOCs:
Domain: 2
Hash: 2
Softs:
unix, macos
Links:
https://github.com/cado-securityCado Security | Cloud Forensics & Incident Response
WatchDog Continues to Target East Asian CSPs - Cado Security | Cloud Forensics & Incident Response
Researchers at Cado Labs have recently discovered a new malicious shell script, which can be attributed to the threat actor WatchDog.
#ParsedReport
16-11-2022
An Update on LockBit 3.0
https://explore.avertium.com/resource/an-update-on-lockbit-3
Actors/Campaigns:
Lapsus
Threats:
Lockbit
Bloodystealer
Conti
Medusalocker
Hydra
Blackbyte
H0lygh0st
Gh0st_rat
Industry:
Healthcare, Retail, Financial, Chemical
Geo:
Iranian, Russian, Korean, Russia, India, Indonesia, China, France, Japanese, Germany, Albania, Ukraine, Canada, French
IOCs:
Hash: 13
Url: 2
Domain: 1
Softs:
windows powershell, telegram, windows defender, active directory
Win API:
OpenSCManagerA
Languages:
javascript
16-11-2022
An Update on LockBit 3.0
https://explore.avertium.com/resource/an-update-on-lockbit-3
Actors/Campaigns:
Lapsus
Threats:
Lockbit
Bloodystealer
Conti
Medusalocker
Hydra
Blackbyte
H0lygh0st
Gh0st_rat
Industry:
Healthcare, Retail, Financial, Chemical
Geo:
Iranian, Russian, Korean, Russia, India, Indonesia, China, France, Japanese, Germany, Albania, Ukraine, Canada, French
IOCs:
Hash: 13
Url: 2
Domain: 1
Softs:
windows powershell, telegram, windows defender, active directory
Win API:
OpenSCManagerA
Languages:
javascript
Avertium
An Update on LockBit 3.0
This report looks at the recent activity of LockBit 3.0, their tactics and techniques, as well as the state of ransomware for 2022.
#ParsedReport
16-11-2022
Cloud Abuse: New Technique Using Adobe Acrobat to Host Phishing
https://www.netskope.com/blog/cloud-abuse-new-technique-using-adobe-acrobat-to-host-phishing
Industry:
Financial
IOCs:
Url: 2
Softs:
microsoft office
Languages:
javascript, php
16-11-2022
Cloud Abuse: New Technique Using Adobe Acrobat to Host Phishing
https://www.netskope.com/blog/cloud-abuse-new-technique-using-adobe-acrobat-to-host-phishing
Industry:
Financial
IOCs:
Url: 2
Softs:
microsoft office
Languages:
javascript, php
Netskope
Cloud Abuse: New Technique Using Adobe Acrobat to Host Phishing
Summary Netskope Threat Labs recently discovered a phishing campaign that is abusing Adobe Acrobat to host a Microsoft Office phishing page. While abusing
#ParsedReport
16-11-2022
Venus Ransomware \| Zeoticus Spin-off Shows Sophistication Isnt Necessary for Success
https://www.sentinelone.com/blog/venus-ransomware-zeoticus-spin-off-shows-sophistication-isnt-necessary-for-success
Threats:
Venus_locker
Industry:
Healthcare
TTPs:
IOCs:
Path: 2
File: 35
Command: 1
Hash: 69
Softs:
onenote, sqlagent, sqlbrowser, thebat64, wordpad, "sqlagent, "sqlbrowser, "dbsnmp, "encsvc, "onenote, have more...
Win API:
NetShareEnum
Win Services:
agntsvc, dbeng50, dbsnmp, encsvc, infopath, isqlplussvc, mydesktopqos, mydesktopservice, ocautoupds, ocomm, have more...
16-11-2022
Venus Ransomware \| Zeoticus Spin-off Shows Sophistication Isnt Necessary for Success
https://www.sentinelone.com/blog/venus-ransomware-zeoticus-spin-off-shows-sophistication-isnt-necessary-for-success
Threats:
Venus_locker
Industry:
Healthcare
TTPs:
IOCs:
Path: 2
File: 35
Command: 1
Hash: 69
Softs:
onenote, sqlagent, sqlbrowser, thebat64, wordpad, "sqlagent, "sqlbrowser, "dbsnmp, "encsvc, "onenote, have more...
Win API:
NetShareEnum
Win Services:
agntsvc, dbeng50, dbsnmp, encsvc, infopath, isqlplussvc, mydesktopqos, mydesktopservice, ocautoupds, ocomm, have more...
SentinelOne
Venus Ransomware | Zeoticus Spin-off Shows Sophistication Isn’t Necessary for Success
Learn about the uptick in activity of this recent ransomware variant that has been encrypting victims worldwide, with the latest IoCS, TTPs and analysis.
#ParsedReport
16-11-2022
ARCrypter Ransomware Expands Its Operations From Latin America to the World
https://blogs.blackberry.com/en/2022/11/arcrypter-ransomware-expands-its-operations-from-latin-america-to-the-world
Threats:
Arcrypter
Process_injection_technique
Industry:
Foodtech, Government
Geo:
American, Canada, Colombian, Chile, Colombia, China, Latam, America
TTPs:
Tactics: 8
Technics: 29
IOCs:
File: 6
Path: 6
Registry: 3
Command: 2
Hash: 10
Softs:
microsoft visual c++, component object model, windows service
Platforms:
x64
SIGMA: Found
16-11-2022
ARCrypter Ransomware Expands Its Operations From Latin America to the World
https://blogs.blackberry.com/en/2022/11/arcrypter-ransomware-expands-its-operations-from-latin-america-to-the-world
Threats:
Arcrypter
Process_injection_technique
Industry:
Foodtech, Government
Geo:
American, Canada, Colombian, Chile, Colombia, China, Latam, America
TTPs:
Tactics: 8
Technics: 29
IOCs:
File: 6
Path: 6
Registry: 3
Command: 2
Hash: 10
Softs:
microsoft visual c++, component object model, windows service
Platforms:
x64
SIGMA: Found
BlackBerry
ARCrypter Ransomware Expands Its Operations From Latin America to the World
Between Aug. and Oct. 2022, Chile's government computer systems and Invima, The Colombia National Food and Drug Surveillance Institute, were attacked by a previously unseen ransomware variant. Based on the unique strings identified during our threat hunting…
#ParsedReport
17-11-2022
MS Office URL. MS Office Normal URL disguised and distributed word document
https://asec.ahnlab.com/ko/42233
Actors/Campaigns:
Kimsuky
Geo:
Korea, China, Korean
IOCs:
File: 5
Url: 12
Hash: 1
17-11-2022
MS Office URL. MS Office Normal URL disguised and distributed word document
https://asec.ahnlab.com/ko/42233
Actors/Campaigns:
Kimsuky
Geo:
Korea, China, Korean
IOCs:
File: 5
Url: 12
Hash: 1
ASEC BLOG
MS Office 정상 URL 위장하여 유포중인 워드문서 - ASEC BLOG
최근 워드 문서로 위장한 악성코드가 특정 경로(ex. 카카오톡 단체대화방)를 중심으로 유포되는 이슈가 공유된 바 있다. ASEC 분석팀은 추가 모니터링 과정에서, 유사 워드문서에 사용된 URL이 정상 URL과 유사성 측면에서 매우 교묘해지는 정황을 확인하여 사용자들에게 주의를 당부하고자 한다. 내부적으로 현재까지 확인된 악성 워드문서의 파일명은 다음과 같다.파일명에서 확인되는 내국인의 실명은 삭제처리( ○○○)하였는데, 외교안보 분야의 전문가인 점과 파일명도…
#ParsedReport
17-11-2022
Pilfered Keys: Free App Infected by Malware Steals Keychain Data
https://www.trendmicro.com/en_us/research/22/k/pilfered-keys-free-app-infected-by-malware-steals-keychain-data.html
TTPs:
Tactics: 6
Technics: 10
IOCs:
Hash: 4
Url: 1
Softs:
keychain, macos, chrome
Algorithms:
3des
Platforms:
apple
Links:
17-11-2022
Pilfered Keys: Free App Infected by Malware Steals Keychain Data
https://www.trendmicro.com/en_us/research/22/k/pilfered-keys-free-app-infected-by-malware-steals-keychain-data.html
TTPs:
Tactics: 6
Technics: 10
IOCs:
Hash: 4
Url: 1
Softs:
keychain, macos, chrome
Algorithms:
3des
Platforms:
apple
Links:
https://github.com/jukai9316/JKEncrypthttps://github.com/InjoyDeng/ResignToolTrend Micro
Pilfered Keys Free App Infected by Malware Steals Keychain Data
Open-source applications are a practical way to save money while keeping up with your productivity. However, this can be abused by threat actors to steal your data. Find out how one app was used to gather information of Apple users.
#ParsedReport
16-11-2022
BOMB: A Dropper-Like Malware Actively Spreading In Disguise of Cracks
https://www.secureblink.com/threat-research/bomb-a-dropper-like-malware-actively-spreading-in-disguise-of-cracks
Threats:
BOMB
Vidar_stealer
Raccoon_stealer
Cryptbot_stealer
Record_breaker_stealer
IOCs:
File: 2
Hash: 5
Algorithms:
zip
16-11-2022
BOMB: A Dropper-Like Malware Actively Spreading In Disguise of Cracks
https://www.secureblink.com/threat-research/bomb-a-dropper-like-malware-actively-spreading-in-disguise-of-cracks
Threats:
BOMB
Vidar_stealer
Raccoon_stealer
Cryptbot_stealer
Record_breaker_stealer
IOCs:
File: 2
Hash: 5
Algorithms:
zip
Secureblink
BOMB: A Dropper-Like Malware Actively Spreading In Disguise of Cracks | Secure Blink
BOMB, a dropper malware concealed as crack actively circulated following it's dormancy deployed over the targeted system…
#ParsedReport
17-11-2022
Cisco Talos Intelligence Blog. Get a Loda This: LodaRAT meets new friends
https://blog.talosintelligence.com/get-a-loda-this
Actors/Campaigns:
Kasablanka (motivation: cyber_espionage)
Threats:
Lodarat
Redline_stealer
Neshta
Venomrat
S500rat
Beacon
Powershell_keylogger_tool
Hvnc_tool
Upx_tool
Industry:
Financial
Geo:
Ethiopia, Peruvian, China
IOCs:
Hash: 5
File: 4
Path: 1
IP: 2
Domain: 2
Softs:
android, windows media player, telegram
Algorithms:
xor
Functions:
EntryPoint
Languages:
delphi, autoit
Platforms:
x86, x64
17-11-2022
Cisco Talos Intelligence Blog. Get a Loda This: LodaRAT meets new friends
https://blog.talosintelligence.com/get-a-loda-this
Actors/Campaigns:
Kasablanka (motivation: cyber_espionage)
Threats:
Lodarat
Redline_stealer
Neshta
Venomrat
S500rat
Beacon
Powershell_keylogger_tool
Hvnc_tool
Upx_tool
Industry:
Financial
Geo:
Ethiopia, Peruvian, China
IOCs:
Hash: 5
File: 4
Path: 1
IP: 2
Domain: 2
Softs:
android, windows media player, telegram
Algorithms:
xor
Functions:
EntryPoint
Languages:
delphi, autoit
Platforms:
x86, x64
Cisco Talos Blog
Get a Loda This: LodaRAT meets new friends
* LodaRAT samples were deployed alongside other malware families, including RedLine and Neshta.
* Cisco Talos identified several variants and altered versions of LodaRAT with updated functionality have been seen in the wild.
* Changes in these LodaRAT variants…
* Cisco Talos identified several variants and altered versions of LodaRAT with updated functionality have been seen in the wild.
* Changes in these LodaRAT variants…
#ParsedReport
17-11-2022
Alert (AA22-320A)
https://us-cert.cisa.gov/ncas/alerts/aa22-320a
Threats:
Log4shell_vuln
Xmrig_miner
Mimikatz_tool
Dumplsass_tool
Credential_stealing_technique
Kerberoasting_technique
Geo:
Iran, Iranian
CVEs:
CVE-2021-44228 [Vulners]
Vulners: Score: 9.3, CVSS: 4.5,
Vulners: Exploitation: True
X-Force: Risk: 10
X-Force: Patch: Official fix
Soft:
- apache log4j (2.0, 2.0, 2.0, 2.0, <2.15.0, <2.3.1, <2.12.2)
- siemens sppa-t3000 ses3000 firmware (*)
- siemens logo\! soft comfort (*)
- siemens spectrum power 4 (4.70, 4.70, <4.70, 4.70)
- siemens siveillance control pro (*)
have more...
TTPs:
Tactics: 8
Technics: 16
IOCs:
File: 14
IP: 4
Domain: 4
Command: 2
Path: 1
Registry: 1
Softs:
vmware horizon, windows defender, psexec, active directory, local security authority, mware horizon se, windows task scheduler, windows registry, microsoft security advisory, windows defender credential guard, have more...
Algorithms:
base64
17-11-2022
Alert (AA22-320A)
https://us-cert.cisa.gov/ncas/alerts/aa22-320a
Threats:
Log4shell_vuln
Xmrig_miner
Mimikatz_tool
Dumplsass_tool
Credential_stealing_technique
Kerberoasting_technique
Geo:
Iran, Iranian
CVEs:
CVE-2021-44228 [Vulners]
Vulners: Score: 9.3, CVSS: 4.5,
Vulners: Exploitation: True
X-Force: Risk: 10
X-Force: Patch: Official fix
Soft:
- apache log4j (2.0, 2.0, 2.0, 2.0, <2.15.0, <2.3.1, <2.12.2)
- siemens sppa-t3000 ses3000 firmware (*)
- siemens logo\! soft comfort (*)
- siemens spectrum power 4 (4.70, 4.70, <4.70, 4.70)
- siemens siveillance control pro (*)
have more...
TTPs:
Tactics: 8
Technics: 16
IOCs:
File: 14
IP: 4
Domain: 4
Command: 2
Path: 1
Registry: 1
Softs:
vmware horizon, windows defender, psexec, active directory, local security authority, mware horizon se, windows task scheduler, windows registry, microsoft security advisory, windows defender credential guard, have more...
Algorithms:
base64
www.cisa.gov
Iranian Government-Sponsored APT Actors Compromise Federal Network, Deploy Crypto Miner, Credential Harvester | CISA
From mid-June through mid-July 2022, CISA conducted an incident response engagement at a Federal Civilian Executive Branch (FCEB) organization where CISA observed suspected advanced persistent threat (APT) activity. In the course of incident response activities…
#ParsedReport
17-11-2022
DEV-0569 finds new ways to deliver Royal ransomware, various payloads. Detection details
https://www.microsoft.com/en-us/security/blog/2022/11/17/dev-0569-finds-new-ways-to-deliver-royal-ransomware-various-payloads
Actors/Campaigns:
Dev-0569
Dev-0858
Threats:
Royal_ransomware
Disabling_antivirus_technique
Nsudo_tool
Batloader
Teamviewer_tool
Anydesk_tool
Icedid
Vidar_stealer
Gozi
Z_loader
Cobalt_strike
Beacon
Industry:
Financial
IOCs:
Domain: 2
File: 1
Softs:
microsoft defender, microsoft defender for endpoint, microsoft teams, zoom, telegram, microsoft edge, psexec
Algorithms:
aes
17-11-2022
DEV-0569 finds new ways to deliver Royal ransomware, various payloads. Detection details
https://www.microsoft.com/en-us/security/blog/2022/11/17/dev-0569-finds-new-ways-to-deliver-royal-ransomware-various-payloads
Actors/Campaigns:
Dev-0569
Dev-0858
Threats:
Royal_ransomware
Disabling_antivirus_technique
Nsudo_tool
Batloader
Teamviewer_tool
Anydesk_tool
Icedid
Vidar_stealer
Gozi
Z_loader
Cobalt_strike
Beacon
Industry:
Financial
IOCs:
Domain: 2
File: 1
Softs:
microsoft defender, microsoft defender for endpoint, microsoft teams, zoom, telegram, microsoft edge, psexec
Algorithms:
aes
Microsoft News
DEV-0569 finds new ways to deliver Royal ransomware, various payloads
DEV-0569’s recent activity shows their reliance on malvertising and phishing in delivering malicious payloads. The group’s changes and updates in delivery and payload led to distribution of info stealers and Royal ransomware.