#ParsedReport
17-11-2022
MS Office URL. Word document distributed disguised with a legitimate MS Office URL
https://asec.ahnlab.com/ko/42233
Actors/Campaigns:
Kimsuky
Geo:
Korea, China, Korean
IOCs:
File: 5
Url: 12
Hash: 1
ASEC BLOG
Word document being distributed disguised with a legitimate MS Office URL - ASEC BLOG
Recently, an issue was shared in which malware disguised as a Word document was being distributed mainly through specific channels (e.g. KakaoTalk group chat rooms). During additional monitoring, the ASEC analysis team confirmed that the URLs used in similar Word documents are becoming very cunning in how closely they resemble legitimate URLs, and wishes to urge users to be cautious. The file names of the malicious Word documents confirmed internally so far are as follows. The real names of Korean nationals appearing in the file names have been redacted (○○○); given that they are experts in the diplomacy and security field, and that the file names also…
#ParsedReport
17-11-2022
Pilfered Keys: Free App Infected by Malware Steals Keychain Data
https://www.trendmicro.com/en_us/research/22/k/pilfered-keys-free-app-infected-by-malware-steals-keychain-data.html
TTPs:
Tactics: 6
Technics: 10
IOCs:
Hash: 4
Url: 1
Softs:
keychain, macos, chrome
Algorithms:
3des
Platforms:
apple
Links:
https://github.com/jukai9316/JKEncrypt
https://github.com/InjoyDeng/ResignTool
Trend Micro
Pilfered Keys Free App Infected by Malware Steals Keychain Data
Open-source applications are a practical way to save money while keeping up with your productivity. However, this can be abused by threat actors to steal your data. Find out how one app was used to gather information of Apple users.
#ParsedReport
16-11-2022
BOMB: A Dropper-Like Malware Actively Spreading In Disguise of Cracks
https://www.secureblink.com/threat-research/bomb-a-dropper-like-malware-actively-spreading-in-disguise-of-cracks
Threats:
BOMB
Vidar_stealer
Raccoon_stealer
Cryptbot_stealer
Record_breaker_stealer
IOCs:
File: 2
Hash: 5
Algorithms:
zip
Secureblink
BOMB: A Dropper-Like Malware Actively Spreading In Disguise of Cracks | Secure Blink
BOMB, a dropper malware concealed as a crack, actively circulated following its dormancy, deployed over the targeted system…
#ParsedReport
17-11-2022
Cisco Talos Intelligence Blog. Get a Loda This: LodaRAT meets new friends
https://blog.talosintelligence.com/get-a-loda-this
Actors/Campaigns:
Kasablanka (motivation: cyber_espionage)
Threats:
Lodarat
Redline_stealer
Neshta
Venomrat
S500rat
Beacon
Powershell_keylogger_tool
Hvnc_tool
Upx_tool
Industry:
Financial
Geo:
Ethiopia, Peruvian, China
IOCs:
Hash: 5
File: 4
Path: 1
IP: 2
Domain: 2
Softs:
android, windows media player, telegram
Algorithms:
xor
Functions:
EntryPoint
Languages:
delphi, autoit
Platforms:
x86, x64
Cisco Talos Blog
Get a Loda This: LodaRAT meets new friends
* LodaRAT samples were deployed alongside other malware families, including RedLine and Neshta.
* Cisco Talos identified several variants and altered versions of LodaRAT with updated functionality that have been seen in the wild.
* Changes in these LodaRAT variants…
#ParsedReport
17-11-2022
Alert (AA22-320A)
https://us-cert.cisa.gov/ncas/alerts/aa22-320a
Threats:
Log4shell_vuln
Xmrig_miner
Mimikatz_tool
Dumplsass_tool
Credential_stealing_technique
Kerberoasting_technique
Geo:
Iran, Iranian
CVEs:
CVE-2021-44228 [Vulners]
Vulners: Score: 9.3, CVSS: 4.5,
Vulners: Exploitation: True
X-Force: Risk: 10
X-Force: Patch: Official fix
Soft:
- apache log4j (2.0, 2.0, 2.0, 2.0, <2.15.0, <2.3.1, <2.12.2)
- siemens sppa-t3000 ses3000 firmware (*)
- siemens logo! soft comfort (*)
- siemens spectrum power 4 (4.70, 4.70, <4.70, 4.70)
- siemens siveillance control pro (*)
have more...
TTPs:
Tactics: 8
Technics: 16
IOCs:
File: 14
IP: 4
Domain: 4
Command: 2
Path: 1
Registry: 1
Softs:
vmware horizon, windows defender, psexec, active directory, local security authority, mware horizon se, windows task scheduler, windows registry, microsoft security advisory, windows defender credential guard, have more...
Algorithms:
base64
www.cisa.gov
Iranian Government-Sponsored APT Actors Compromise Federal Network, Deploy Crypto Miner, Credential Harvester | CISA
From mid-June through mid-July 2022, CISA conducted an incident response engagement at a Federal Civilian Executive Branch (FCEB) organization where CISA observed suspected advanced persistent threat (APT) activity. In the course of incident response activities…
#ParsedReport
17-11-2022
DEV-0569 finds new ways to deliver Royal ransomware, various payloads. Detection details
https://www.microsoft.com/en-us/security/blog/2022/11/17/dev-0569-finds-new-ways-to-deliver-royal-ransomware-various-payloads
Actors/Campaigns:
Dev-0569
Dev-0858
Threats:
Royal_ransomware
Disabling_antivirus_technique
Nsudo_tool
Batloader
Teamviewer_tool
Anydesk_tool
Icedid
Vidar_stealer
Gozi
Z_loader
Cobalt_strike
Beacon
Industry:
Financial
IOCs:
Domain: 2
File: 1
Softs:
microsoft defender, microsoft defender for endpoint, microsoft teams, zoom, telegram, microsoft edge, psexec
Algorithms:
aes
Microsoft News
DEV-0569 finds new ways to deliver Royal ransomware, various payloads
DEV-0569’s recent activity shows their reliance on malvertising and phishing in delivering malicious payloads. The group’s changes and updates in delivery and payload led to distribution of info stealers and Royal ransomware.
#ParsedReport
18-11-2022
Emotet's Vacation is Over: No Rest for the Wicked
https://www.deepinstinct.com/blog/emotet-vacation-is-over-no-rest-for-the-wicked
Threats:
Emotet
Industry:
Financial
IOCs:
Hash: 7
IP: 55
Softs:
microsoft office
Algorithms:
zip, base64, ecdsa, ecdh
Win API:
VirtualAlloc
Deep Instinct
Emotet’s Vacation is Over: No Rest for the Wicked | Deep Instinct
Emotet is a prolific malware botnet that originally functioned as a banking trojan when it emerged in 2014. It was spread via spam campaigns, imitating financial statements, transfers, and payment invoices. Emotet is propagated mostly via Office email attachments…
#ParsedReport
18-11-2022
Earth Preta Spear-Phishing Governments Worldwide. Threat hunting
https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html
Actors/Campaigns:
Earth_preta (motivation: cyber_espionage)
Red_delta
Threats:
Toneins
Toneshell
Pubload
Dll_sideloading_technique
Putty_tool
Beacon
Cobalt_strike
Plugx_rat
Industry:
Education, Government
Geo:
Usa, Chinese, Myanmar, China, Taiwan, Asia, Philippines, Japan, Australia, Pacific
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 58
Path: 2
Command: 4
Registry: 1
Hash: 96
IP: 7
Email: 14
Softs:
microsoft office, microsoft silverlight, microsoft word
Algorithms:
aes, rc4, xor, zip
Win API:
OpenEventA, GrayStringW, EnumDateFormatsA, LineDDA, GetForegroundWindow, EnumThreadWindows
Links:
https://github.com/mxrch/GHunt
https://github.com/Tai7sy/vs-obfuscation
https://github.com/EricZimmerman/LECmd
Trend Micro
Earth Preta Spear-Phishing Governments Worldwide
#ParsedReport
18-11-2022
HZ RAT goes China. Distribution
https://medium.com/@DCSO_CyTec/hz-rat-goes-china-506854c5f2e2
Threats:
Hzrat
Troldesh
Credential_stealing_technique
Cobalt_strike
Beacon
Geo:
China, Netherlands, Australia, Russia, Spain, Chinese
CVEs:
CVE-2017-11882 [Vulners]
Vulners: Score: 9.3, CVSS: 4.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft office (2013, 2010, 2016, 2007)
TTPs:
Tactics: 1
Technics: 9
IOCs:
Hash: 226
IP: 22
Url: 3
File: 10
Path: 5
Softs:
puttygen, easyconnect, wechat, google chrome, microsoft edge, mozilla firefox
Algorithms:
zip, aes, base64, xor
Functions:
OpenVPN
YARA: Found
Links:
https://github.com/DCSO/Blog_CyTec/tree/main/2022_11_hz_rat_goes_china/hz_rat_cnc_extractor
https://github.com/DCSO/Blog_CyTec/tree/main/2022_11_hz_rat_goes_china/hz_rat_pcap_decryptor
https://github.com/WaterJuice/WjCryptLib/tree/e39760a85015b88820d7a2de832155a7c8ff2c88
https://github.com/DCSO/Blog_CyTec/tree/main/2022_11_hz_rat_goes_china/yara
https://github.com/DCSO/Blog_CyTec/tree/main/2022_11_hz_rat_goes_china/hz_rat_server_scanner
https://gist.github.com/botlabsDev/e8dee63cb4ab957803492a077da64adf
https://github.com/DCSO/Blog_CyTec/tree/main/2022_11_hz_rat_goes_china
Medium
HZ RAT goes China
Walking down the Royal Road as we did in one of our previous posts, another by-catch of our Yara rule caught our attention. Turns out we…
#ParsedReport
18-11-2022
Alert (AA22-321A)
https://us-cert.cisa.gov/ncas/alerts/aa22-321a
Threats:
Hive
Vssadmin_tool
Industry:
Healthcare, Government, Financial
Geo:
Canada, Australia
CVEs:
CVE-2020-12812 [Vulners]
Vulners: Score: 7.5, CVSS: 2.6,
Vulners: Exploitation: True
X-Force: Risk: 5.3
X-Force: Patch: Official fix
Soft:
- fortinet fortios (<6.2.4, 6.4.0, <6.0.10)
CVE-2021-31207 [Vulners]
Vulners: Score: 6.5, CVSS: 1.7,
Vulners: Exploitation: True
X-Force: Risk: 6.6
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
CVE-2021-42321 [Vulners]
Vulners: Score: 6.5, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2016, 2019, 2016, 2019)
CVE-2021-34523 [Vulners]
Vulners: Score: 7.5, CVSS: 3.4,
Vulners: Exploitation: True
X-Force: Risk: 9
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
CVE-2021-34473 [Vulners]
Vulners: Score: 10.0, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 9.1
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
TTPs:
Tactics: 5
Technics: 10
IOCs:
File: 9
Url: 6
Command: 1
Domain: 4
IP: 24
Softs:
microsoft exchange, microsoft exchange server, windows defender, esxi, microsoft windows defender, bcdedit, active directory
Links:
https://github.com/cisagov/cset/
#ParsedReport
18-11-2022
The Real Cost of Cryptomining: Adversarial Analysis of TeamTNT
https://sysdig.com/blog/real-cost-cryptomining-teamtnt
Actors/Campaigns:
Teamtnt (motivation: cyber_criminal, cyber_espionage, financially_motivated, hacktivism)
Chimaera
Threats:
Hildegard
Xmrig_miner
Xmrigcc_tool
Industry:
Financial, Government
Geo:
Canada, America, Ireland, German, Netherlands, Romania, Germany
Softs:
parrotos, redis, docker, alpine, ubuntu
Links:
https://github.com/xmrig/xmrig-proxy
Sysdig
The Real Cost of Cryptomining: Adversarial Analysis of TeamTNT
Sysdig TRT attributed more than $8,100 worth of cryptocurrency to TeamTNT, costing the victims of cryptomining more than $430,000.
#ParsedReport
18-11-2022
AXLocker, Octocrypt, and Alice: Leading a new wave of Ransomware Campaigns
https://blog.cyble.com/2022/11/18/axlocker-octocrypt-and-alice-leading-a-new-wave-of-ransomware-campaigns
Threats:
Axlocker
Octocrypt
Alice_ransomware
Octo
Upx_tool
Industry:
Government, Financial
Geo:
Singapore, Australia, Georgia, India, Dubai
TTPs:
Tactics: 8
Technics: 13
IOCs:
Url: 1
File: 4
Hash: 8
Softs:
discord, opera, telegram
Algorithms:
aes-256-ctr, aes
Functions:
startencryption
Languages:
golang
Platforms:
intel
#ParsedReport
18-11-2022
Disneyland Malware Team: It's a Puny World After All
https://krebsonsecurity.com/2022/11/disneyland-malware-team-its-a-puny-world-after-all
Actors/Campaigns:
Disneyland_team
Threats:
Gozi
Industry:
Financial
Geo:
Dubai, Russia, Emirates
IOCs:
Domain: 6
Url: 4
Krebs on Security
Disneyland Malware Team: It’s a Puny World After All
A financial cybercrime group calling itself the Disneyland Team has been making liberal use of visually confusing phishing domains that spoof popular bank brands using Punycode, an Internet standard that allows web browsers to render domain names with non…
#technique
laZzzy is a shellcode loader that demonstrates different execution techniques commonly employed by malware. laZzzy was developed using different open-source header-only libraries.
https://github.com/capt-meelo/laZzzy
GitHub
GitHub - capt-meelo/laZzzy: laZzzy is a shellcode loader, developed using different open-source libraries, that demonstrates different…
laZzzy is a shellcode loader, developed using different open-source libraries, that demonstrates different execution techniques. - capt-meelo/laZzzy
#technique
Relaying to AD Certificate Services over RPC
https://blog.compass-security.com/2022/11/relaying-to-ad-certificate-services-over-rpc/
#technique
Titan is a User Defined Reflective DLL (URDLL) that uses a combination of techniques to achieve initial execution and maintain shell stability for Cobalt Strike in a modern endpoint-detection and response heavy environment.
https://github.com/SecIdiot/titan
#technique
A simple PoC to invoke an encrypted shellcode by using a hidden call.
https://github.com/enkomio/BrokenFlow
GitHub
GitHub - enkomio/BrokenFlow: A simple PoC to invoke an encrypted shellcode by using a hidden call
A simple PoC to invoke an encrypted shellcode by using a hidden call - enkomio/BrokenFlow
#technique
Bypassing Kerberoast Detections with Modified KDC Options and Encryption Types
https://github.com/trustedsec/orpheus
GitHub
GitHub - trustedsec/orpheus: Bypassing Kerberoast Detections with Modified KDC Options and Encryption Types
Bypassing Kerberoast Detections with Modified KDC Options and Encryption Types - trustedsec/orpheus
#ParsedReport
18-11-2022
Netskope Threat Coverage: Prestige Ransomware
https://www.netskope.com/blog/netskope-threat-coverage-prestige-ransomware
Actors/Campaigns:
Dev-0960
Sandworm
Threats:
Prestige_ransomware
Hermeticwiper
Vssadmin_tool
Blackcat
Lockbit
Industry:
Logistic, Transport
Geo:
Ukraine, Russian, Ukrainian, Poland
IOCs:
Path: 7
Command: 1
File: 2
Softs:
windows registry, mssql windows service, mssql, psexec
Algorithms:
aes, lzma, bzip, zipx
Win Services:
MSSQLSERVER
YARA: Found
SIGMA: Found
Links:
https://github.com/netskopeoss/NetskopeThreatLabsIOCs/tree/main/Prestige
https://github.com/SigmaHQ/sigma
Netskope
Netskope Threat Coverage: Prestige Ransomware
Summary In October 2022, a novel ransomware named Prestige was found targeting logistics and transportation sectors in Ukraine and Poland. According to
#ParsedReport
18-11-2022
Securonix Threat Labs Security Advisory: Qbot/QakBot Malware's New Initial Execution Uses Grifted Regsvr32 Binary to Run DLL Payload
https://www.securonix.com/blog/qbot-qakbot-malwares-new-initial-execution
Actors/Campaigns:
Steep_maverick
Threats:
Qakbot
TTPs:
Tactics: 2
Technics: 3
IOCs:
Path: 3
File: 7
Command: 1
Hash: 6
Softs:
sysinternals
Algorithms:
zip
Win API:
WmiCreateProcess
Securonix
Securonix Threat Labs Security Advisory: Qbot/QakBot Malware’s New Initial Execution Uses Grifted Regsvr32 Binary to Run DLL Payload
Explore the latest analysis of QakBot malware using obfuscated Regsvr32 binaries to evade detection and infect systems.