#ParsedReport
18-11-2022
HZ RAT goes China. Distribution
https://medium.com/@DCSO_CyTec/hz-rat-goes-china-506854c5f2e2
Threats:
Hzrat
Troldesh
Credential_stealing_technique
Cobalt_strike
Beacon
Geo:
China, Netherlands, Australia, Russia, Spain, Chinese
CVEs:
CVE-2017-11882 [Vulners]
Vulners: Score: 9.3, CVSS: 4.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft office (2013, 2010, 2016, 2007)
TTPs:
Tactics: 1
Technics: 9
IOCs:
Hash: 226
IP: 22
Url: 3
File: 10
Path: 5
Softs:
puttygen, easyconnect, wechat, google chrome, microsoft edge, mozilla firefox
Algorithms:
zip, aes, base64, xor
Functions:
OpenVPN
YARA: Found
Links:
https://github.com/DCSO/Blog_CyTec/tree/main/2022_11_hz_rat_goes_china/hz_rat_cnc_extractor
https://github.com/DCSO/Blog_CyTec/tree/main/2022_11_hz_rat_goes_china/hz_rat_pcap_decryptor
https://github.com/WaterJuice/WjCryptLib/tree/e39760a85015b88820d7a2de832155a7c8ff2c88
https://github.com/DCSO/Blog_CyTec/tree/main/2022_11_hz_rat_goes_china/yara
https://github.com/DCSO/Blog_CyTec/tree/main/2022_11_hz_rat_goes_china/hz_rat_server_scanner
https://gist.github.com/botlabsDev/e8dee63cb4ab957803492a077da64adf
https://github.com/DCSO/Blog_CyTec/tree/main/2022_11_hz_rat_goes_china
Medium
HZ RAT goes China
Walking down the Royal Road as we did in one of our previous posts, another by-catch of our Yara rule caught our attention. Turns out we…
#ParsedReport
18-11-2022
Alert (AA22-321A)
https://us-cert.cisa.gov/ncas/alerts/aa22-321a
Threats:
Hive
Vssadmin_tool
Industry:
Healthcare, Government, Financial
Geo:
Canada, Australia
CVEs:
CVE-2020-12812 [Vulners]
Vulners: Score: 7.5, CVSS: 2.6,
Vulners: Exploitation: True
X-Force: Risk: 5.3
X-Force: Patch: Official fix
Soft:
- fortinet fortios (<6.2.4, 6.4.0, <6.0.10)
CVE-2021-31207 [Vulners]
Vulners: Score: 6.5, CVSS: 1.7,
Vulners: Exploitation: True
X-Force: Risk: 6.6
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
CVE-2021-42321 [Vulners]
Vulners: Score: 6.5, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2016, 2019, 2016, 2019)
CVE-2021-34523 [Vulners]
Vulners: Score: 7.5, CVSS: 3.4,
Vulners: Exploitation: True
X-Force: Risk: 9
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
CVE-2021-34473 [Vulners]
Vulners: Score: 10.0, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 9.1
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
TTPs:
Tactics: 5
Technics: 10
IOCs:
File: 9
Url: 6
Command: 1
Domain: 4
IP: 24
Softs:
microsoft exchange, microsoft exchange server, windows defender, esxi, microsoft windows defender, bcdedit, active directory
Links:
https://github.com/cisagov/cset/
#ParsedReport
18-11-2022
The Real Cost of Cryptomining: Adversarial Analysis of TeamTNT
https://sysdig.com/blog/real-cost-cryptomining-teamtnt
Actors/Campaigns:
Teamtnt (motivation: cyber_criminal, cyber_espionage, financially_motivated, hacktivism)
Chimaera
Threats:
Hildegard
Xmrig_miner
Xmrigcc_tool
Industry:
Financial, Government
Geo:
Canada, America, Ireland, German, Netherlands, Romania, Germany
Softs:
parrotos, redis, docker, alpine, ubuntu
Links:
https://github.com/xmrig/xmrig-proxy
Sysdig
The Real Cost of Cryptomining: Adversarial Analysis of TeamTNT
Sysdig TRT attributed more than $8,100 worth of cryptocurrency to TeamTNT, costing the victims of cryptomining more than $430,000.
#ParsedReport
18-11-2022
AXLocker, Octocrypt, and Alice: Leading a new wave of Ransomware Campaigns
https://blog.cyble.com/2022/11/18/axlocker-octocrypt-and-alice-leading-a-new-wave-of-ransomware-campaigns
Threats:
Axlocker
Octocrypt
Alice_ransomware
Octo
Upx_tool
Industry:
Government, Financial
Geo:
Singapore, Australia, Georgia, India, Dubai
TTPs:
Tactics: 8
Technics: 13
IOCs:
Url: 1
File: 4
Hash: 8
Softs:
discord, opera, telegram
Algorithms:
aes-256-ctr, aes
Functions:
startencryption
Languages:
golang
Platforms:
intel
#ParsedReport
18-11-2022
Disneyland Malware Team: It's a Puny World After All
https://krebsonsecurity.com/2022/11/disneyland-malware-team-its-a-puny-world-after-all
Actors/Campaigns:
Disneyland_team
Threats:
Gozi
Industry:
Financial
Geo:
Dubai, Russia, Emirates
IOCs:
Domain: 6
Url: 4
Krebs on Security
Disneyland Malware Team: It’s a Puny World After All
A financial cybercrime group calling itself the Disneyland Team has been making liberal use of visually confusing phishing domains that spoof popular bank brands using Punycode, an Internet standard that allows web browsers to render domain names with non…
#technique
laZzzy is a shellcode loader that demonstrates different execution techniques commonly employed by malware. laZzzy was developed using different open-source header-only libraries.
https://github.com/capt-meelo/laZzzy
GitHub
GitHub - capt-meelo/laZzzy: laZzzy is a shellcode loader, developed using different open-source libraries, that demonstrates different…
laZzzy is a shellcode loader, developed using different open-source libraries, that demonstrates different execution techniques. - capt-meelo/laZzzy
#technique
Relaying to AD Certificate Services over RPC
https://blog.compass-security.com/2022/11/relaying-to-ad-certificate-services-over-rpc/
#technique
Titan is a User Defined Reflective DLL (URDLL) that uses a combination of techniques to achieve initial execution and maintain shell stability for Cobalt Strike in a modern endpoint-detection-and-response-heavy environment.
https://github.com/SecIdiot/titan
#technique
A simple PoC to invoke an encrypted shellcode by using a hidden call.
https://github.com/enkomio/BrokenFlow
GitHub
GitHub - enkomio/BrokenFlow: A simple PoC to invoke an encrypted shellcode by using an hidden call
A simple PoC to invoke an encrypted shellcode by using an hidden call - enkomio/BrokenFlow
#technique
Bypassing Kerberoast Detections with Modified KDC Options and Encryption Types
https://github.com/trustedsec/orpheus
GitHub
GitHub - trustedsec/orpheus: Bypassing Kerberoast Detections with Modified KDC Options and Encryption Types
Bypassing Kerberoast Detections with Modified KDC Options and Encryption Types - trustedsec/orpheus
#ParsedReport
18-11-2022
Netskope Threat Coverage: Prestige Ransomware
https://www.netskope.com/blog/netskope-threat-coverage-prestige-ransomware
Actors/Campaigns:
Dev-0960
Sandworm
Threats:
Prestige_ransomware
Hermeticwiper
Vssadmin_tool
Blackcat
Lockbit
Industry:
Logistic, Transport
Geo:
Ukraine, Russian, Ukrainian, Poland
IOCs:
Path: 7
Command: 1
File: 2
Softs:
windows registry, mssql windows service, mssql, psexec
Algorithms:
aes, lzma, bzip, zipx
Win Services:
MSSQLSERVER
YARA: Found
SIGMA: Found
Links:
https://github.com/netskopeoss/NetskopeThreatLabsIOCs/tree/main/Prestige
https://github.com/SigmaHQ/sigma
Netskope
Netskope Threat Coverage: Prestige Ransomware
Summary In October 2022, a novel ransomware named Prestige was found targeting logistics and transportation sectors in Ukraine and Poland. According to
#ParsedReport
18-11-2022
Securonix Threat Labs Security Advisory: Qbot/QakBot Malware's New Initial Execution Uses Grifted Regsvr32 Binary to Run DLL Payload
https://www.securonix.com/blog/qbot-qakbot-malwares-new-initial-execution
Actors/Campaigns:
Steep_maverick
Threats:
Qakbot
TTPs:
Tactics: 2
Technics: 3
IOCs:
Path: 3
File: 7
Command: 1
Hash: 6
Softs:
sysinternals
Algorithms:
zip
Win API:
WmiCreateProcess
Securonix
Securonix Threat Labs Security Advisory: Qbot/QakBot Malware’s New Initial Execution Uses Grifted Regsvr32 Binary to Run DLL Payload
Explore the latest analysis of QakBot malware using obfuscated Regsvr32 binaries to evade detection and infect systems.
#ParsedReport
21-11-2022
ViperSoftX: Hiding in System Logs and Spreading VenomSoftX. Campaign overview
https://decoded.avast.io/janrubin/vipersoftx-hiding-in-system-logs-and-spreading-venomsoftx/?utm_source=rss&utm_medium=rss&utm_campaign=vipersoftx-hiding-in-system-logs-and-spreading-venomsoftx
Threats:
Vipersoftx
Venomsoftx
Cyberchef_tool
Kraken
Industry:
Financial
Geo:
Italy, Usa, India
IOCs:
File: 3
Path: 8
Url: 2
Domain: 5
Hash: 16
Coin: 17
Softs:
adobe illustrator, corel video studio, microsoft office, task scheduler, chrome, opera, coinbase
Algorithms:
cbc, base64, aes, exhibit
Languages:
javascript, python
Links:
https://github.com/avast/ioc/blob/master/ViperSoftX/extras/list_of_locations.txt
https://github.com/avast/ioc/blob/master/ViperSoftX/extras/VenomSoftX_address_book.txt
https://github.com/avast/ioc/blob/master/ViperSoftX/
https://github.com/avast/ioc/blob/master/ViperSoftX/extras/extraction_script
https://github.com/avast/ioc/blob/master/ViperSoftX/wallets.csv
https://github.com/avast/ioc/blob/master/ViperSoftX/extras/extraction_script/extract_files.py
https://github.com/avast/ioc/blob/master/ViperSoftX/extras/list_of_keywords.txt
Gendigital
ViperSoftX: Hiding in System Logs and Spreading VenomSoftX
Unveiling the Stealth Tactics of ViperSoftX Malware
#ParsedReport
21-11-2022
Mustang Panda Claimloader. Mustang Panda, a group based in the Chinese-speaking region, uses the malware "Claimloader" in targeted attacks; Japan may be affected as well
https://www.lac.co.jp/lacwatch/report/20221117_003189.html
Actors/Campaigns:
Red_delta
Threats:
Claimloader
Dll_sideloading_technique
Accevent_tool
Meterpreter_tool
Cobalt_strike
Plugx_rat
Antidebugging_technique
Industry:
Government
Geo:
Myanmar, Chinese, Philippine, Philippines, Asian, Japanese, Thailand, Japan
IOCs:
File: 5
Hash: 14
IP: 6
Softs:
task scheduler
Algorithms:
aes
Win API:
MessageBox
LAC Co., Ltd.
Mustang Panda, based in the Chinese-speaking region, conducts targeted attacks with the malware "Claimloader"; Japan may also be affected | LAC WATCH
We have confirmed new activity by an attacker group known as Mustang Panda, based in the Chinese-speaking region, that appears to target Philippine government organizations or related organizations. In this attack, an archive file disguised as a document related to the Japan-US-Philippines trilateral meeting was used.
#ParsedReport
21-11-2022
Brute Ratel C4 Badger. Brute Ratel C4 Badger: hands-on analysis and detection
https://mp.weixin.qq.com/s/Nnag6DSf_wx2YrnTXEwNug
Actors/Campaigns:
Duke
Threats:
Brc4_tool
Cobalt_strike
Beacon
Blackbasta
Sliver_tool
Metasploit_tool
Empire_loader
Industry:
Financial
Geo:
Guangdong
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 4
Softs:
esxi
Algorithms:
base64, ror13, rc4
Functions:
C4
Win API:
NtAllocateVirtualMemory, NtProtectVirtualMemory, NtCreateThreadEx, NtWaitForSingleObject, NtCreateSection, NtMapViewOfSection, RtlExitUserThread, WaitForSingleObject
YARA: Found
#ParsedReport
21-11-2022
Threat Assessment: Luna Moth Callback Phishing Campaign
https://unit42.paloaltonetworks.com/luna-moth-callback-phishing
Actors/Campaigns:
Luna_moth
Threats:
Luna
Conti
Bazarbackdoor
Toad_technique
Syncro_tool
Atera_tool
Splashtop_tool
Industry:
Retail, Healthcare, Financial
Geo:
America, Emea, Japan, Japanese, Apac
IOCs:
Email: 2
Softs:
winscp
Unit 42
Threat Assessment: Luna Moth Callback Phishing Campaign
Unit 42 investigates Luna Moth/Silent Ransom Group callback phishing extortion campaign that targeted businesses in multiple sectors.
#ParsedReport
21-11-2022
AxLocker: A new wave of ransomware attacks targeting Discord Servers
https://www.secureblink.com/threat-research/ax-locker-a-new-wave-of-ransomware-attacks-targeting-discord-servers
Threats:
Axlocker
IOCs:
Hash: 5
Softs:
discord
Algorithms:
aes
Functions:
startencryption
Secureblink
AxLocker: A new wave of ransomware attacks targeting Discord Servers | Secure Blink
Discord servers credentials are being exploited involving newly emerged ransomware families out of which AxLocker…
#ParsedReport
21-11-2022
Aurora: a rising stealer flying under the radar. Summary
https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar
Actors/Campaigns:
Darkhalo
Threats:
Aurora
Traffer
Cheshire_botnet
Zelizzard_botnet
Redline_stealer
Raccoon_stealer
Sakura_dropper
Saturn
Bluefox_stealer
Envyscout
TTPs:
Tactics: 1
Technics: 17
IOCs:
File: 7
Path: 1
Url: 17
Domain: 9
Hash: 15
IP: 27
Coin: 2
Softs:
telegram, chromium, exodus wallet, windows defender, electrum, jaxx, zcash, coin98, terra, wombat, have more...
Algorithms:
base64, zip
Languages:
golang
YARA: Found
Links:
http://github.com/lxn/win
https://github.com/SEKOIA-IO/Community/blob/main/IOCs/aurora/aurora_iocs_20221121.csv
Sekoia.io Blog
Aurora: a rising stealer flying under the radar
Since September 2022, Aurora malware is advertised as an infostealer and several traffers teams announced they added it to their malware toolset.
#ParsedReport
21-11-2022
LockBit. LockBit ransomware being mass-distributed under similar file names
https://asec.ahnlab.com/ko/42523
Threats:
Lockbit
Ransom/mdp.decoy.m1171
Geo:
Korean
IOCs:
File: 4
Hash: 2
Algorithms:
zip
Win API:
Sleep
ASEC BLOG
LockBit ransomware being mass-distributed under similar file names - ASEC BLOG
The ASEC analysis team has posted three times on the ASEC blog that LockBit ransomware was being distributed via email, and through continued monitoring we want to report that LockBit 2.0 and LockBit 3.0 ransomware are being distributed again with only the file names changed. This time the distribution is not via the Word documents or copyright-infringement-themed emails introduced previously, but via phishing emails disguised as job applications. The compressed file attached to the phishing email takes the form [person's name].zip…
#ParsedReport
21-11-2022
Caffeine: the Phishing-as-a-Service Platform Targeting Russian & Chinese Entities
https://cloudsek.com/threatintelligence/caffeine-the-phishing-as-a-service-platform-targeting-russian-chinese-entities/?utm_source=rss&utm_medium=rss&utm_campaign=caffeine-the-phishing-as-a-service-platform-targeting-russian-chinese-entities
Threats:
Caffeine_tool
Mrxcoder_actor
Industry:
Financial, Healthcare
Geo:
Italian, Russian, Dubai, America, Chinese
TTPs:
Tactics: 1
Technics: 0
IOCs:
Domain: 1
Softs:
telegram
Languages:
python
Cloudsek
Caffeine: the Phishing-as-a-Service Platform Targeting Russian & Chinese Entities | Threat Intelligence | CloudSEK
New phishing-as-a-service platform named “Caffeine”, used to conduct phishing campaigns.
#ParsedReport
22-11-2022
Black Friday Scams: 4 Emerging Skimming Attacks to Watch for This Holiday Season
https://www.zscaler.com/blogs/security-research/black-friday-scams-4-emerging-skimming-attacks-watch-holiday-season
Actors/Campaigns:
Lazarus
Industry:
Transport, Financial, E-commerce
Geo:
Canada, Australia
IOCs:
Url: 1
File: 4
Hash: 1
Domain: 23
IP: 2
Algorithms:
base64
Functions:
setInterval, findBtnAddAction, sendCardData, getCardData, Listener, pixtar, _0x54d008
Languages:
php, javascript
Zscaler
Black Friday Alert : 4 Emerging Skimming Attacks | Zscaler
Increasing credit card skimming activity against Magento and Presta-based e-commerce stores as Black Friday holiday season approaches.