CTT Report Hub
Threat Intelligence Report Hub
https://cyberthreat.tech
Cyber Threat Technologies LLC (ООО Технологии киберугроз)
Contact: @nikolaiav
#technique

Titan is a User Defined Reflective DLL (URDLL) that uses a combination of techniques to achieve initial execution and maintain shell stability for Cobalt Strike in a modern endpoint-detection and response heavy environment.

https://github.com/SecIdiot/titan
#ParsedReport
18-11-2022

Netskope Threat Coverage: Prestige Ransomware

https://www.netskope.com/blog/netskope-threat-coverage-prestige-ransomware

Actors/Campaigns:
Dev-0960
Sandworm

Threats:
Prestige_ransomware
Hermeticwiper
Vssadmin_tool
Blackcat
Lockbit

Industry:
Logistic, Transport

Geo:
Ukraine, Russian, Ukrainian, Poland

IOCs:
Path: 7
Command: 1
File: 2

Softs:
windows registry, mssql windows service, mssql, psexec

Algorithms:
aes, lzma, bzip, zipx

Win Services:
MSSQLSERVER

YARA: Found
SIGMA: Found

Links:
https://github.com/netskopeoss/NetskopeThreatLabsIOCs/tree/main/Prestige
https://github.com/SigmaHQ/sigma
#ParsedReport
18-11-2022

Securonix Threat Labs Security Advisory: Qbot/QakBot Malware's New Initial Execution Uses Grifted Regsvr32 Binary to Run DLL Payload

https://www.securonix.com/blog/qbot-qakbot-malwares-new-initial-execution

Actors/Campaigns:
Steep_maverick

Threats:
Qakbot

TTPs:
Tactics: 2
Technics: 3

IOCs:
Path: 3
File: 7
Command: 1
Hash: 6

Softs:
sysinternals

Algorithms:
zip

Win API:
WmiCreateProcess
#ParsedReport
21-11-2022

ViperSoftX: Hiding in System Logs and Spreading VenomSoftX. Campaign overview

https://decoded.avast.io/janrubin/vipersoftx-hiding-in-system-logs-and-spreading-venomsoftx/?utm_source=rss&utm_medium=rss&utm_campaign=vipersoftx-hiding-in-system-logs-and-spreading-venomsoftx

Threats:
Vipersoftx
Venomsoftx
Cyberchef_tool
Kraken

Industry:
Financial

Geo:
Italy, Usa, India

IOCs:
File: 3
Path: 8
Url: 2
Domain: 5
Hash: 16
Coin: 17

Softs:
adobe illustrator, corel video studio, microsoft office, task scheduler, chrome, opera, coinbase

Algorithms:
cbc, base64, aes, exhibit

Languages:
javascript, python

Links:
https://github.com/avast/ioc/blob/master/ViperSoftX/extras/list_of_locations.txt
https://github.com/avast/ioc/blob/master/ViperSoftX/extras/VenomSoftX_address_book.txt
https://github.com/avast/ioc/blob/master/ViperSoftX/
https://github.com/avast/ioc/blob/master/ViperSoftX/extras/extraction_script
https://github.com/avast/ioc/blob/master/ViperSoftX/wallets.csv
https://github.com/avast/ioc/blob/master/ViperSoftX/extras/extraction_script/extract_files.py
https://github.com/avast/ioc/blob/master/ViperSoftX/extras/list_of_keywords.txt
#ParsedReport
21-11-2022

Mustang Panda ClaimLoader. Targeted attack by the China-based group Mustang Panda using the malware "CLAIMLOADER": is Japan affected?

https://www.lac.co.jp/lacwatch/report/20221117_003189.html

Actors/Campaigns:
Red_delta

Threats:
Claimloader
Dll_sideloading_technique
Accevent_tool
Meterpreter_tool
Cobalt_strike
Plugx_rat
Antidebugging_technique

Industry:
Government

Geo:
Myanmar, Chinese, Philippine, Philippines, Asian, Japanese, Thailand, Japan

IOCs:
File: 5
Hash: 14
IP: 6

Softs:
task scheduler

Algorithms:
aes

Win API:
MessageBox
#ParsedReport
21-11-2022

Brute Ratel C4 Badger. Practical analysis and detection of the BRUTE RATEL C4 Badger

https://mp.weixin.qq.com/s/Nnag6DSf_wx2YrnTXEwNug

Actors/Campaigns:
Duke

Threats:
Brc4_tool
Cobalt_strike
Beacon
Blackbasta
Sliver_tool
Metasploit_tool
Empire_loader

Industry:
Financial

Geo:
Guangdong

TTPs:
Tactics: 1
Technics: 0

IOCs:
File: 4

Softs:
esxi

Algorithms:
base64, ror13, rc4

Functions:
C4

Win API:
NtAllocateVirtualMemory, NtProtectVirtualMemory, NtCreateThreadEx, NtWaitForSingleObject, NtCreateSection, NtMapViewOfSection, RtlExitUserThread, WaitForSingleObject

YARA: Found
#ParsedReport
21-11-2022

Threat Assessment: Luna Moth Callback Phishing Campaign

https://unit42.paloaltonetworks.com/luna-moth-callback-phishing

Actors/Campaigns:
Luna_moth

Threats:
Luna
Conti
Bazarbackdoor
Toad_technique
Syncro_tool
Atera_tool
Splashtop_tool

Industry:
Retail, Healthcare, Financial

Geo:
America, Emea, Japan, Japanese, Apac

IOCs:
Email: 2

Softs:
winscp
#ParsedReport
21-11-2022

Aurora: a rising stealer flying under the radar. Summary

https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar

Actors/Campaigns:
Darkhalo

Threats:
Aurora
Traffer
Cheshire_botnet
Zelizzard_botnet
Redline_stealer
Raccoon_stealer
Sakura_dropper
Saturn
Bluefox_stealer
Envyscout

TTPs:
Tactics: 1
Technics: 17

IOCs:
File: 7
Path: 1
Url: 17
Domain: 9
Hash: 15
IP: 27
Coin: 2

Softs:
telegram, chromium, exodus wallet, windows defender, electrum, jaxx, zcash, coin98, terra, wombat, have more...

Algorithms:
base64, zip

Languages:
golang

YARA: Found

Links:
http://github.com/lxn/win
https://github.com/SEKOIA-IO/Community/blob/main/IOCs/aurora/aurora_iocs_20221121.csv
#ParsedReport
22-11-2022

Black Friday Scams: 4 Emerging Skimming Attacks to Watch for This Holiday Season

https://www.zscaler.com/blogs/security-research/black-friday-scams-4-emerging-skimming-attacks-watch-holiday-season

Actors/Campaigns:
Lazarus

Industry:
Transport, Financial, E-commerce

Geo:
Canada, Australia

IOCs:
Url: 1
File: 4
Hash: 1
Domain: 23
IP: 2

Algorithms:
base64

Functions:
setInterval, findBtnAddAction, sendCardData, getCardData, Listener, pixtar, _0x54d008

Languages:
php, javascript
#ParsedReport
22-11-2022

RobinBot DDoS. RobinBot: a new DDoS botnet in rapid expansion

https://mp.weixin.qq.com/s/CQgBh46m3aU1ZDs503M8AQ

Threats:
Robinbot
Mirai
Bashlite
Omni

Industry:
Iot

CVEs:
CVE-2017-18368 [Vulners]
Vulners: Score: 10.0, CVSS: 3.1,
Vulners: Exploitation: True
X-Force: Risk: 7.3
X-Force: Patch: Unavailable
Soft:
- billion 5200w-t firmware (7.3.8.0)
- zyxel p660hn-t1a v2 firmware (7.3.15.0)
- zyxel p660hn-t1a v1 firmware (7.3.15.0)

CVE-2018-10562 [Vulners]
Vulners: Score: 7.5, CVSS: 4.6,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Unavailable
Soft:
- dasannetworks gpon router firmware (-)

CVE-2014-8361 [Vulners]
Vulners: Score: 10.0, CVSS: 8.1,
Vulners: Exploitation: True
X-Force: Risk: 8.3
X-Force: Patch: Official fix
Soft:
- d-link dir-905l firmware (le1.02)
- d-link dir-605l firmware (le1.13, le2.04)
- d-link dir-600l firmware (le1.15, le2.05)
- realtek realtek sdk (-)
- d-link dir-619l firmware (le1.15, le2.03)
have more...
CVE-2018-10561 [Vulners]
Vulners: Score: 7.5, CVSS: 4.1,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Unavailable
Soft:
- dasannetworks gpon router firmware (-)

CVE-2016-20016 [Vulners]
Vulners: Score: Unknown, CVSS: 5.0,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.8
X-Force: Patch: Unavailable
Soft:
- mvpower tv-7104he firmware (1.8.4_115215b9)
- mvpower tv7108he firmware (-)

CVE-2016-6277 [Vulners]
Vulners: Score: 9.3, CVSS: 7.9,
Vulners: Exploitation: True
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- netgear r6400 firmware (le1.0.1.18)
- netgear r8000 firmware (le1.0.3.26)
- netgear d6220 firmware (le1.0.0.22)
- netgear r7000 firmware (le1.0.7.2_1.1.93)
- netgear r7100lg firmware (le1.0.0.28)
have more...
CVE-2017-17215 [Vulners]
Vulners: Score: 6.5, CVSS: 6.1,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Unavailable
Soft:
- huawei hg532 firmware (-)

CVE-2016-10372 [Vulners]
Vulners: Score: 10.0, CVSS: 7.6,
Vulners: Exploitation: Unknown
X-Force: Risk: 7.3
X-Force: Patch: Unavailable
Soft:
- eir d1000 modem firmware (-)

CVE-2015-2051 [Vulners]
Vulners: Score: 10.0, CVSS: 8.6,
Vulners: Exploitation: True
X-Force: Risk: 10
X-Force: Patch: Official fix
Soft:
- d-link dir-645 firmware (le1.04b12)
IOCs:
File: 7
Hash: 10
IP: 6

Languages:
c_language, java

Platforms:
x86
#ParsedReport
22-11-2022

Part 1: SocGholish, a very real threat from a very fake update

https://www.proofpoint.com/us/blog/threat-insight/part-1-socgholish-very-real-threat-very-fake-update

Actors/Campaigns:
Ta569 (motivation: financially_motivated)
Evil_corp
Silverfish

Threats:
Socgholish_loader
Wastedlocker
Lockbit

Geo:
Spain, Poland, Iran, Italy, Germany, France

IOCs:
File: 1

Functions:
WMI

Languages:
javascript
#ParsedReport
22-11-2022

Nighthawk: An Up-and-Coming Pentest Tool Likely to Gain Threat Actor Notice

https://www.proofpoint.com/us/blog/threat-insight/nighthawk-and-coming-pentest-tool-likely-gain-threat-actor-notice

Threats:
Nighthawk_tool
Brc4_tool
Cobalt_strike
Sliver_tool
Reflectiveloader

IOCs:
File: 3
Coin: 1

Algorithms:
gzip, aes

Functions:
CreateQueueTimer

Win API:
LoadLibraryW, RtlQueueWorkItem, LoadLibrary, LsaQueryInformationPolicy, GetUserNameA, GetComputerNameA, NtSetContextThread, LoadLibraryExW, WriteProcessMemory, NtProtectVirtualMemory, have more...

Languages:
python

Links:
https://github.com/BishopFox/sliver/tree/6c02971b54831884d30407b632a379947dd289ad
https://github.com/ionescu007/HookingNirvana/blob/master/Esoteric%20Hooks.pdf