#ParsedReport
17-11-2022
DEV-0569 finds new ways to deliver Royal ransomware, various payloads. Detection details
https://www.microsoft.com/en-us/security/blog/2022/11/17/dev-0569-finds-new-ways-to-deliver-royal-ransomware-various-payloads
Actors/Campaigns:
Dev-0569
Dev-0858
Threats:
Royal_ransomware
Disabling_antivirus_technique
Nsudo_tool
Batloader
Teamviewer_tool
Anydesk_tool
Icedid
Vidar_stealer
Gozi
Z_loader
Cobalt_strike
Beacon
Industry:
Financial
IOCs:
Domain: 2
File: 1
Softs:
microsoft defender, microsoft defender for endpoint, microsoft teams, zoom, telegram, microsoft edge, psexec
Algorithms:
aes
Microsoft News
DEV-0569 finds new ways to deliver Royal ransomware, various payloads
DEV-0569’s recent activity shows their reliance on malvertising and phishing in delivering malicious payloads. The group’s changes and updates in delivery and payload led to distribution of info stealers and Royal ransomware.
#ParsedReport
18-11-2022
Emotet's Vacation is Over: No Rest for the Wicked
https://www.deepinstinct.com/blog/emotet-vacation-is-over-no-rest-for-the-wicked
Threats:
Emotet
Industry:
Financial
IOCs:
Hash: 7
IP: 55
Softs:
microsoft office
Algorithms:
zip, base64, ecdsa, ecdh
Win API:
VirtualAlloc
Deep Instinct
Emotet’s Vacation is Over: No Rest for the Wicked | Deep Instinct
Emotet is a prolific malware botnet that originally functioned as a banking trojan when it emerged in 2014. It was spread via spam campaigns, imitating financial statements, transfers, and payment invoices. Emotet is propagated mostly via Office email attachments…
#ParsedReport
18-11-2022
Earth Preta Spear-Phishing Governments Worldwide. Threat hunting
https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html
Actors/Campaigns:
Earth_preta (motivation: cyber_espionage)
Red_delta
Threats:
Toneins
Toneshell
Pubload
Dll_sideloading_technique
Putty_tool
Beacon
Cobalt_strike
Plugx_rat
Industry:
Education, Government
Geo:
Usa, Chinese, Myanmar, China, Taiwan, Asia, Philippines, Japan, Australia, Pacific
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 58
Path: 2
Command: 4
Registry: 1
Hash: 96
IP: 7
Email: 14
Softs:
microsoft office, microsoft silverlight, microsoft word
Algorithms:
aes, rc4, xor, zip
Win API:
OpenEventA, GrayStringW, EnumDateFormatsA, LineDDA, GetForegroundWindow, EnumThreadWindows
Links:
https://github.com/mxrch/GHunt
https://github.com/Tai7sy/vs-obfuscation
https://github.com/EricZimmerman/LECmd
Trend Micro
Earth Preta Spear-Phishing Governments Worldwide
#ParsedReport
18-11-2022
HZ RAT goes China. Distribution
https://medium.com/@DCSO_CyTec/hz-rat-goes-china-506854c5f2e2
Threats:
Hzrat
Troldesh
Credential_stealing_technique
Cobalt_strike
Beacon
Geo:
China, Netherlands, Australia, Russia, Spain, Chinese
CVEs:
CVE-2017-11882 [Vulners]
Vulners: Score: 9.3, CVSS: 4.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft office (2013, 2010, 2016, 2007)
TTPs:
Tactics: 1
Technics: 9
IOCs:
Hash: 226
IP: 22
Url: 3
File: 10
Path: 5
Softs:
puttygen, easyconnect, wechat, google chrome, microsoft edge, mozilla firefox
Algorithms:
zip, aes, base64, xor
Functions:
OpenVPN
YARA: Found
Links:
https://github.com/DCSO/Blog_CyTec/tree/main/2022_11_hz_rat_goes_china/hz_rat_cnc_extractor
https://github.com/DCSO/Blog_CyTec/tree/main/2022_11_hz_rat_goes_china/hz_rat_pcap_decryptor
https://github.com/WaterJuice/WjCryptLib/tree/e39760a85015b88820d7a2de832155a7c8ff2c88
https://github.com/DCSO/Blog_CyTec/tree/main/2022_11_hz_rat_goes_china/yara
https://github.com/DCSO/Blog_CyTec/tree/main/2022_11_hz_rat_goes_china/hz_rat_server_scanner
https://gist.github.com/botlabsDev/e8dee63cb4ab957803492a077da64adf
https://github.com/DCSO/Blog_CyTec/tree/main/2022_11_hz_rat_goes_china
Medium
HZ RAT goes China
Walking down the Royal Road as we did in one of our previous posts, another by-catch of our Yara rule caught our attention. Turns out we…
#ParsedReport
18-11-2022
Alert (AA22-321A)
https://us-cert.cisa.gov/ncas/alerts/aa22-321a
Threats:
Hive
Vssadmin_tool
Industry:
Healthcare, Government, Financial
Geo:
Canada, Australia
CVEs:
CVE-2020-12812 [Vulners]
Vulners: Score: 7.5, CVSS: 2.6,
Vulners: Exploitation: True
X-Force: Risk: 5.3
X-Force: Patch: Official fix
Soft:
- fortinet fortios (<6.2.4, 6.4.0, <6.0.10)
CVE-2021-31207 [Vulners]
Vulners: Score: 6.5, CVSS: 1.7,
Vulners: Exploitation: True
X-Force: Risk: 6.6
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
CVE-2021-42321 [Vulners]
Vulners: Score: 6.5, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2016, 2019, 2016, 2019)
CVE-2021-34523 [Vulners]
Vulners: Score: 7.5, CVSS: 3.4,
Vulners: Exploitation: True
X-Force: Risk: 9
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
CVE-2021-34473 [Vulners]
Vulners: Score: 10.0, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 9.1
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
TTPs:
Tactics: 5
Technics: 10
IOCs:
File: 9
Url: 6
Command: 1
Domain: 4
IP: 24
Softs:
microsoft exchange, microsoft exchange server, windows defender, esxi, microsoft windows defender, bcdedit, active directory
Links:
https://github.com/cisagov/cset/
#ParsedReport
18-11-2022
The Real Cost of Cryptomining: Adversarial Analysis of TeamTNT
https://sysdig.com/blog/real-cost-cryptomining-teamtnt
Actors/Campaigns:
Teamtnt (motivation: cyber_criminal, cyber_espionage, financially_motivated, hacktivism)
Chimaera
Threats:
Hildegard
Xmrig_miner
Xmrigcc_tool
Industry:
Financial, Government
Geo:
Canada, America, Ireland, German, Netherlands, Romania, Germany
Softs:
parrotos, redis, docker, alpine, ubuntu
Links:
https://github.com/xmrig/xmrig-proxy
Sysdig
The Real Cost of Cryptomining: Adversarial Analysis of TeamTNT
Sysdig TRT attributed more than $8,100 worth of cryptocurrency to TeamTNT, costing the victims of cryptomining more than $430,000.
#ParsedReport
18-11-2022
AXLocker, Octocrypt, and Alice: Leading a new wave of Ransomware Campaigns
https://blog.cyble.com/2022/11/18/axlocker-octocrypt-and-alice-leading-a-new-wave-of-ransomware-campaigns
Threats:
Axlocker
Octocrypt
Alice_ransomware
Octo
Upx_tool
Industry:
Government, Financial
Geo:
Singapore, Australia, Georgia, India, Dubai
TTPs:
Tactics: 8
Technics: 13
IOCs:
Url: 1
File: 4
Hash: 8
Softs:
discord, opera, telegram
Algorithms:
aes-256-ctr, aes
Functions:
startencryption
Languages:
golang
Platforms:
intel
#ParsedReport
18-11-2022
Disneyland Malware Team: It's a Puny World After All
https://krebsonsecurity.com/2022/11/disneyland-malware-team-its-a-puny-world-after-all
Actors/Campaigns:
Disneyland_team
Threats:
Gozi
Industry:
Financial
Geo:
Dubai, Russia, Emirates
IOCs:
Domain: 6
Url: 4
Krebs on Security
Disneyland Malware Team: It’s a Puny World After All
A financial cybercrime group calling itself the Disneyland Team has been making liberal use of visually confusing phishing domains that spoof popular bank brands using Punycode, an Internet standard that allows web browsers to render domain names with non…
#technique
laZzzy is a shellcode loader that demonstrates different execution techniques commonly employed by malware. laZzzy was developed using different open-source header-only libraries.
https://github.com/capt-meelo/laZzzy
GitHub
GitHub - capt-meelo/laZzzy: laZzzy is a shellcode loader, developed using different open-source libraries, that demonstrates different…
laZzzy is a shellcode loader, developed using different open-source libraries, that demonstrates different execution techniques. - capt-meelo/laZzzy
#technique
Relaying to AD Certificate Services over RPC
https://blog.compass-security.com/2022/11/relaying-to-ad-certificate-services-over-rpc/
#technique
Titan is a User Defined Reflective DLL (URDLL) that uses a combination of techniques to achieve initial execution and maintain shell stability for Cobalt Strike in a modern endpoint-detection and response heavy environment.
https://github.com/SecIdiot/titan
#technique
A simple PoC to invoke an encrypted shellcode by using a hidden call.
https://github.com/enkomio/BrokenFlow
GitHub
GitHub - enkomio/BrokenFlow: A simple PoC to invoke an encrypted shellcode by using an hidden call
A simple PoC to invoke an encrypted shellcode by using an hidden call - enkomio/BrokenFlow
#technique
Bypassing Kerberoast Detections with Modified KDC Options and Encryption Types
https://github.com/trustedsec/orpheus
GitHub
GitHub - trustedsec/orpheus: Bypassing Kerberoast Detections with Modified KDC Options and Encryption Types
Bypassing Kerberoast Detections with Modified KDC Options and Encryption Types - trustedsec/orpheus
#ParsedReport
18-11-2022
Netskope Threat Coverage: Prestige Ransomware
https://www.netskope.com/blog/netskope-threat-coverage-prestige-ransomware
Actors/Campaigns:
Dev-0960
Sandworm
Threats:
Prestige_ransomware
Hermeticwiper
Vssadmin_tool
Blackcat
Lockbit
Industry:
Logistic, Transport
Geo:
Ukraine, Russian, Ukrainian, Poland
IOCs:
Path: 7
Command: 1
File: 2
Softs:
windows registry, mssql windows service, mssql, psexec
Algorithms:
aes, lzma, bzip, zipx
Win Services:
MSSQLSERVER
YARA: Found
SIGMA: Found
Links:
https://github.com/netskopeoss/NetskopeThreatLabsIOCs/tree/main/Prestige
https://github.com/SigmaHQ/sigma
Netskope
Netskope Threat Coverage: Prestige Ransomware
Summary In October 2022, a novel ransomware named Prestige was found targeting logistics and transportation sectors in Ukraine and Poland. According to
#ParsedReport
18-11-2022
Securonix Threat Labs Security Advisory: Qbot/QakBot Malware's New Initial Execution Uses Grifted Regsvr32 Binary to Run DLL Payload
https://www.securonix.com/blog/qbot-qakbot-malwares-new-initial-execution
Actors/Campaigns:
Steep_maverick
Threats:
Qakbot
TTPs:
Tactics: 2
Technics: 3
IOCs:
Path: 3
File: 7
Command: 1
Hash: 6
Softs:
sysinternals
Algorithms:
zip
Win API:
WmiCreateProcess
Securonix
Securonix Threat Labs Security Advisory: Qbot/QakBot Malware’s New Initial Execution Uses Grifted Regsvr32 Binary to Run DLL Payload
Explore the latest analysis of QakBot malware using obfuscated Regsvr32 binaries to evade detection and infect systems.
#ParsedReport
21-11-2022
ViperSoftX: Hiding in System Logs and Spreading VenomSoftX. Campaign overview
https://decoded.avast.io/janrubin/vipersoftx-hiding-in-system-logs-and-spreading-venomsoftx/?utm_source=rss&utm_medium=rss&utm_campaign=vipersoftx-hiding-in-system-logs-and-spreading-venomsoftx
Threats:
Vipersoftx
Venomsoftx
Cyberchef_tool
Kraken
Industry:
Financial
Geo:
Italy, Usa, India
IOCs:
File: 3
Path: 8
Url: 2
Domain: 5
Hash: 16
Coin: 17
Softs:
adobe illustrator, corel video studio, microsoft office, task scheduler, chrome, opera, coinbase
Algorithms:
cbc, base64, aes, exhibit
Languages:
javascript, python
Links:
https://github.com/avast/ioc/blob/master/ViperSoftX/extras/list_of_locations.txt
https://github.com/avast/ioc/blob/master/ViperSoftX/extras/VenomSoftX_address_book.txt
https://github.com/avast/ioc/blob/master/ViperSoftX/
https://github.com/avast/ioc/blob/master/ViperSoftX/extras/extraction_script
https://github.com/avast/ioc/blob/master/ViperSoftX/wallets.csv
https://github.com/avast/ioc/blob/master/ViperSoftX/extras/extraction_script/extract_files.py
https://github.com/avast/ioc/blob/master/ViperSoftX/extras/list_of_keywords.txt
Gendigital
ViperSoftX: Hiding in System Logs and Spreading VenomSoftX
Unveiling the Stealth Tactics of ViperSoftX Malware
#ParsedReport
21-11-2022
Mustang Panda Claimloader. China-based Mustang Panda conducts targeted attacks with the "Claimloader" malware; Japan may also be affected
https://www.lac.co.jp/lacwatch/report/20221117_003189.html
Actors/Campaigns:
Red_delta
Threats:
Claimloader
Dll_sideloading_technique
Accevent_tool
Meterpreter_tool
Cobalt_strike
Plugx_rat
Antidebugging_technique
Industry:
Government
Geo:
Myanmar, Chinese, Philippine, Philippines, Asian, Japanese, Thailand, Japan
IOCs:
File: 5
Hash: 14
IP: 6
Softs:
task scheduler
Algorithms:
aes
Win API:
MessageBox
LAC Co., Ltd.
China-based Mustang Panda conducts targeted attacks with the "Claimloader" malware; Japan may also be affected | LAC WATCH
We have confirmed new activity by the attacker group known as Mustang Panda, based in the Chinese-speaking region, which is believed to be targeting Philippine government organizations or related organizations. In this attack, archive files disguised as documents related to the Japan-US-Philippines trilateral meeting were used.
#ParsedReport
21-11-2022
Brute Ratel C4 Badger. BRUTE RATEL C4 Badger analyzes actual combat and detection
https://mp.weixin.qq.com/s/Nnag6DSf_wx2YrnTXEwNug
Actors/Campaigns:
Duke
Threats:
Brc4_tool
Cobalt_strike
Beacon
Blackbasta
Sliver_tool
Metasploit_tool
Empire_loader
Industry:
Financial
Geo:
Guangdong
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 4
Softs:
esxi
Algorithms:
base64, ror13, rc4
Functions:
C4
Win API:
NtAllocateVirtualMemory, NtProtectVirtualMemory, NtCreateThreadEx, NtWaitForSingleObject, NtCreateSection, NtMapViewOfSection, RtlExitUserThread, WaitForSingleObject
YARA: Found
#ParsedReport
21-11-2022
Threat Assessment: Luna Moth Callback Phishing Campaign
https://unit42.paloaltonetworks.com/luna-moth-callback-phishing
Actors/Campaigns:
Luna_moth
Threats:
Luna
Conti
Bazarbackdoor
Toad_technique
Syncro_tool
Atera_tool
Splashtop_tool
Industry:
Retail, Healthcare, Financial
Geo:
America, Emea, Japan, Japanese, Apac
IOCs:
Email: 2
Softs:
winscp
Unit 42
Threat Assessment: Luna Moth Callback Phishing Campaign
Unit 42 investigates Luna Moth/Silent Ransom Group callback phishing extortion campaign that targeted businesses in multiple sectors.
#ParsedReport
21-11-2022
AxLocker: A new wave of ransomware attacks targeting Discord Servers
https://www.secureblink.com/threat-research/ax-locker-a-new-wave-of-ransomware-attacks-targeting-discord-servers
Threats:
Axlocker
IOCs:
Hash: 5
Softs:
discord
Algorithms:
aes
Functions:
startencryption
Secureblink
AxLocker: A new wave of ransomware attacks targeting Discord Servers | Secure Blink
Discord servers credentials are being exploited involving newly emerged ransomware families out of which AxLocker…