#ParsedReport
21-11-2022
Brute Ratel C4 Badger. BRUTE RATEL C4 Badger analyzes actual combat and detection
https://mp.weixin.qq.com/s/Nnag6DSf_wx2YrnTXEwNug
Actors/Campaigns:
Duke
Threats:
Brc4_tool
Cobalt_strike
Beacon
Blackbasta
Sliver_tool
Metasploit_tool
Empire_loader
Industry:
Financial
Geo:
Guangdong
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 4
Softs:
esxi
Algorithms:
base64, ror13, rc4
Functions:
C4
Win API:
NtAllocateVirtualMemoryBadgerShellCode, NtProtectVirtualMemory, NtCreateThreadEx, NtWaitForSingleObject, NtCreateSectionSection, NtMapViewOfSectionsectionRuntimeBroker, RtlExitUserThreadWaitForSingleObject
YARA: Found
21-11-2022
Brute Ratel C4 Badger. BRUTE RATEL C4 Badger analyzes actual combat and detection
https://mp.weixin.qq.com/s/Nnag6DSf_wx2YrnTXEwNug
Actors/Campaigns:
Duke
Threats:
Brc4_tool
Cobalt_strike
Beacon
Blackbasta
Sliver_tool
Metasploit_tool
Empire_loader
Industry:
Financial
Geo:
Guangdong
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 4
Softs:
esxi
Algorithms:
base64, ror13, rc4
Functions:
C4
Win API:
NtAllocateVirtualMemoryBadgerShellCode, NtProtectVirtualMemory, NtCreateThreadEx, NtWaitForSingleObject, NtCreateSectionSection, NtMapViewOfSectionsectionRuntimeBroker, RtlExitUserThreadWaitForSingleObject
YARA: Found
#ParsedReport
21-11-2022
Threat Assessment: Luna Moth Callback Phishing Campaign
https://unit42.paloaltonetworks.com/luna-moth-callback-phishing
Actors/Campaigns:
Luna_moth
Threats:
Luna
Conti
Bazarbackdoor
Toad_technique
Syncro_tool
Atera_tool
Splashtop_tool
Industry:
Retail, Healthcare, Financial
Geo:
America, Emea, Japan, Japanese, Apac
IOCs:
Email: 2
Softs:
winscp
21-11-2022
Threat Assessment: Luna Moth Callback Phishing Campaign
https://unit42.paloaltonetworks.com/luna-moth-callback-phishing
Actors/Campaigns:
Luna_moth
Threats:
Luna
Conti
Bazarbackdoor
Toad_technique
Syncro_tool
Atera_tool
Splashtop_tool
Industry:
Retail, Healthcare, Financial
Geo:
America, Emea, Japan, Japanese, Apac
IOCs:
Email: 2
Softs:
winscp
Unit 42
Threat Assessment: Luna Moth Callback Phishing Campaign
Unit 42 investigates Luna Moth/Silent Ransom Group callback phishing extortion campaign that targeted businesses in multiple sectors.
👍1
#ParsedReport
21-11-2022
AxLocker: A new wave of ransomware attacks targeting Discord Servers
https://www.secureblink.com/threat-research/ax-locker-a-new-wave-of-ransomware-attacks-targeting-discord-servers
Threats:
Axlocker
IOCs:
Hash: 5
Softs:
discord
Algorithms:
aes
Functions:
startencryption
21-11-2022
AxLocker: A new wave of ransomware attacks targeting Discord Servers
https://www.secureblink.com/threat-research/ax-locker-a-new-wave-of-ransomware-attacks-targeting-discord-servers
Threats:
Axlocker
IOCs:
Hash: 5
Softs:
discord
Algorithms:
aes
Functions:
startencryption
Secureblink
AxLocker: A new wave of ransomware attacks targeting Discord Servers | Secure Blink
Discord servers credentials are being exploited involving newly emerged ransomware families out of which AxLocker…
#ParsedReport
21-11-2022
Aurora: a rising stealer flying under the radar. Summary
https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar
Actors/Campaigns:
Darkhalo
Threats:
Aurora
Traffer
Cheshire_botnet
Zelizzard_botnet
Redline_stealer
Raccoon_stealer
Sakura_dropper
Saturn
Bluefox_stealer
Envyscout
TTPs:
Tactics: 1
Technics: 17
IOCs:
File: 7
Path: 1
Url: 17
Domain: 9
Hash: 15
IP: 27
Coin: 2
Softs:
telegram, chromium, exodus wallet, windows defender, electrum, jaxx, zcash, coin98, terra, wombat, have more...
Algorithms:
base64, zip
Languages:
golang
YARA: Found
Links:
21-11-2022
Aurora: a rising stealer flying under the radar. Summary
https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar
Actors/Campaigns:
Darkhalo
Threats:
Aurora
Traffer
Cheshire_botnet
Zelizzard_botnet
Redline_stealer
Raccoon_stealer
Sakura_dropper
Saturn
Bluefox_stealer
Envyscout
TTPs:
Tactics: 1
Technics: 17
IOCs:
File: 7
Path: 1
Url: 17
Domain: 9
Hash: 15
IP: 27
Coin: 2
Softs:
telegram, chromium, exodus wallet, windows defender, electrum, jaxx, zcash, coin98, terra, wombat, have more...
Algorithms:
base64, zip
Languages:
golang
YARA: Found
Links:
http://github.com/lxn/winhttps://github.com/SEKOIA-IO/Community/blob/main/IOCs/aurora/aurora\_iocs\_20221121.csvSekoia.io Blog
Aurora: a rising stealer flying under the radar
Since September 2022, Aurora malware is advertised as an infostealer and several traffers teams announced they added it to their malware toolset.
#ParsedReport
21-11-2022
LockBit. LOCKBIT ransomware similar file name in the form of mass distribution
https://asec.ahnlab.com/ko/42523
Threats:
Lockbit
Ransom/mdp.decoy.m1171
Geo:
Korean
IOCs:
File: 4
Hash: 2
Algorithms:
zip
Win API:
Sleep
21-11-2022
LockBit. LOCKBIT ransomware similar file name in the form of mass distribution
https://asec.ahnlab.com/ko/42523
Threats:
Lockbit
Ransom/mdp.decoy.m1171
Geo:
Korean
IOCs:
File: 4
Hash: 2
Algorithms:
zip
Win API:
Sleep
ASEC BLOG
LockBit 랜섬웨어 유사 파일명 형태로 대량 유포 중 - ASEC BLOG
ASEC 분석팀은 지난 3차례에 걸쳐 LockBit 랜섬웨어가 메일을 통해 유포되고 있음을 ASEC 블로그에 게시한 바가 있는데, 꾸준한 모니터링을 통해 LockBit 2.0과 LockBit 3.0 랜섬웨어가 파일명만 변경하여 또 다시 유포 중임을 알리고자 한다. 이번 유포 방식은 이전에 소개하였던 워드 문서나 저작권 사칭 메일이 아닌 입사지원 관련으로 위장한 피싱 메일을 통해 유포 중이다. 피싱 이메일에 첨부된 압축 파일은 [사람이름].zip 형태로…
#ParsedReport
21-11-2022
Caffeine: the Phishing-as-a-Service Platform Targeting Russian & Chinese Entities
https://cloudsek.com/threatintelligence/caffeine-the-phishing-as-a-service-platform-targeting-russian-chinese-entities/?utm_source=rss&utm_medium=rss&utm_campaign=caffeine-the-phishing-as-a-service-platform-targeting-russian-chinese-entities
Threats:
Caffeine_tool
Mrxcoder_actor
Industry:
Financial, Healthcare
Geo:
Italian, Russian, Dubai, America, Chinese
TTPs:
Tactics: 1
Technics: 0
IOCs:
Domain: 1
Softs:
telegram
Languages:
python
21-11-2022
Caffeine: the Phishing-as-a-Service Platform Targeting Russian & Chinese Entities
https://cloudsek.com/threatintelligence/caffeine-the-phishing-as-a-service-platform-targeting-russian-chinese-entities/?utm_source=rss&utm_medium=rss&utm_campaign=caffeine-the-phishing-as-a-service-platform-targeting-russian-chinese-entities
Threats:
Caffeine_tool
Mrxcoder_actor
Industry:
Financial, Healthcare
Geo:
Italian, Russian, Dubai, America, Chinese
TTPs:
Tactics: 1
Technics: 0
IOCs:
Domain: 1
Softs:
telegram
Languages:
python
Cloudsek
Caffeine: the Phishing-as-a-Service Platform Targeting Russian & Chinese Entities | Threat Intelligence | CloudSEK
New phishing-as-a-service platform named “Caffeine”, used to conduct phishing campaigns.
#ParsedReport
22-11-2022
Black Friday Scams: 4 Emerging Skimming Attacks to Watch for This Holiday Season
https://www.zscaler.com/blogs/security-research/black-friday-scams-4-emerging-skimming-attacks-watch-holiday-season
Actors/Campaigns:
Lazarus
Industry:
Transport, Financial, E-commerce
Geo:
Canada, Australia
IOCs:
Url: 1
File: 4
Hash: 1
Domain: 23
IP: 2
Algorithms:
base64
Functions:
setInterval, findBtnAddAction, sendCardData, getCardData, Listener, pixtar, _0x54d008
Languages:
php, javascript
22-11-2022
Black Friday Scams: 4 Emerging Skimming Attacks to Watch for This Holiday Season
https://www.zscaler.com/blogs/security-research/black-friday-scams-4-emerging-skimming-attacks-watch-holiday-season
Actors/Campaigns:
Lazarus
Industry:
Transport, Financial, E-commerce
Geo:
Canada, Australia
IOCs:
Url: 1
File: 4
Hash: 1
Domain: 23
IP: 2
Algorithms:
base64
Functions:
setInterval, findBtnAddAction, sendCardData, getCardData, Listener, pixtar, _0x54d008
Languages:
php, javascript
Zscaler
Black Friday Alert : 4 Emerging Skimming Attacks | Zscaler
Increasing credit card skimming activity against Magento and Presta-based e-commerce stores as Black Friday holiday season approaches.
#ParsedReport
22-11-2022
RobinBot DDoS. Robinbot -New DDOS Zombie Network in Quick Expansion
https://mp.weixin.qq.com/s/CQgBh46m3aU1ZDs503M8AQ
Threats:
Robinbot
Mirai
Bashlite
Omni
Industry:
Iot
CVEs:
CVE-2017-18368 [Vulners]
Vulners: Score: 10.0, CVSS: 3.1,
Vulners: Exploitation: True
X-Force: Risk: 7.3
X-Force: Patch: Unavailable
Soft:
- billion 5200w-t firmware (7.3.8.0)
- zyxel p660hn-t1a v2 firmware (7.3.15.0)
- zyxel p660hn-t1a v1 firmware (7.3.15.0)
CVE-2018-10562 [Vulners]
Vulners: Score: 7.5, CVSS: 4.6,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Unavailable
Soft:
- dasannetworks gpon router firmware (-)
CVE-2014-8361 [Vulners]
Vulners: Score: 10.0, CVSS: 8.1,
Vulners: Exploitation: True
X-Force: Risk: 8.3
X-Force: Patch: Official fix
Soft:
- d-link dir-905l firmware (le1.02)
- d-link dir-605l firmware (le1.13, le2.04)
- d-link dir-600l firmware (le1.15, le2.05)
- realtek realtek sdk (-)
- d-link dir-619l firmware (le1.15, le2.03)
have more...
CVE-2018-10561 [Vulners]
Vulners: Score: 7.5, CVSS: 4.1,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Unavailable
Soft:
- dasannetworks gpon router firmware (-)
CVE-2016-20016 [Vulners]
Vulners: Score: Unknown, CVSS: 5.0,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.8
X-Force: Patch: Unavailable
Soft:
- mvpower tv-7104he firmware (1.8.4_115215b9)
- mvpower tv7108he firmware (-)
CVE-2016-6277 [Vulners]
Vulners: Score: 9.3, CVSS: 7.9,
Vulners: Exploitation: True
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- netgear r6400 firmware (le1.0.1.18)
- netgear r8000 firmware (le1.0.3.26)
- netgear d6220 firmware (le1.0.0.22)
- netgear r7000 firmware (le1.0.7.2_1.1.93)
- netgear r7100lg firmware (le1.0.0.28)
have more...
CVE-2017-17215 [Vulners]
Vulners: Score: 6.5, CVSS: 6.1,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Unavailable
Soft:
- huawei hg532 firmware (-)
CVE-2016-10372 [Vulners]
Vulners: Score: 10.0, CVSS: 7.6,
Vulners: Exploitation: Unknown
X-Force: Risk: 7.3
X-Force: Patch: Unavailable
Soft:
- eir d1000 modem firmware (-)
CVE-2015-2051 [Vulners]
Vulners: Score: 10.0, CVSS: 8.6,
Vulners: Exploitation: True
X-Force: Risk: 10
X-Force: Patch: Official fix
Soft:
- d-link dir-645 firmware (le1.04b12)
IOCs:
File: 7
Hash: 10
IP: 6
Languages:
c_language, java
Platforms:
x86
22-11-2022
RobinBot DDoS. Robinbot -New DDOS Zombie Network in Quick Expansion
https://mp.weixin.qq.com/s/CQgBh46m3aU1ZDs503M8AQ
Threats:
Robinbot
Mirai
Bashlite
Omni
Industry:
Iot
CVEs:
CVE-2017-18368 [Vulners]
Vulners: Score: 10.0, CVSS: 3.1,
Vulners: Exploitation: True
X-Force: Risk: 7.3
X-Force: Patch: Unavailable
Soft:
- billion 5200w-t firmware (7.3.8.0)
- zyxel p660hn-t1a v2 firmware (7.3.15.0)
- zyxel p660hn-t1a v1 firmware (7.3.15.0)
CVE-2018-10562 [Vulners]
Vulners: Score: 7.5, CVSS: 4.6,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Unavailable
Soft:
- dasannetworks gpon router firmware (-)
CVE-2014-8361 [Vulners]
Vulners: Score: 10.0, CVSS: 8.1,
Vulners: Exploitation: True
X-Force: Risk: 8.3
X-Force: Patch: Official fix
Soft:
- d-link dir-905l firmware (le1.02)
- d-link dir-605l firmware (le1.13, le2.04)
- d-link dir-600l firmware (le1.15, le2.05)
- realtek realtek sdk (-)
- d-link dir-619l firmware (le1.15, le2.03)
have more...
CVE-2018-10561 [Vulners]
Vulners: Score: 7.5, CVSS: 4.1,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Unavailable
Soft:
- dasannetworks gpon router firmware (-)
CVE-2016-20016 [Vulners]
Vulners: Score: Unknown, CVSS: 5.0,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.8
X-Force: Patch: Unavailable
Soft:
- mvpower tv-7104he firmware (1.8.4_115215b9)
- mvpower tv7108he firmware (-)
CVE-2016-6277 [Vulners]
Vulners: Score: 9.3, CVSS: 7.9,
Vulners: Exploitation: True
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- netgear r6400 firmware (le1.0.1.18)
- netgear r8000 firmware (le1.0.3.26)
- netgear d6220 firmware (le1.0.0.22)
- netgear r7000 firmware (le1.0.7.2_1.1.93)
- netgear r7100lg firmware (le1.0.0.28)
have more...
CVE-2017-17215 [Vulners]
Vulners: Score: 6.5, CVSS: 6.1,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Unavailable
Soft:
- huawei hg532 firmware (-)
CVE-2016-10372 [Vulners]
Vulners: Score: 10.0, CVSS: 7.6,
Vulners: Exploitation: Unknown
X-Force: Risk: 7.3
X-Force: Patch: Unavailable
Soft:
- eir d1000 modem firmware (-)
CVE-2015-2051 [Vulners]
Vulners: Score: 10.0, CVSS: 8.6,
Vulners: Exploitation: True
X-Force: Risk: 10
X-Force: Patch: Official fix
Soft:
- d-link dir-645 firmware (le1.04b12)
IOCs:
File: 7
Hash: 10
IP: 6
Languages:
c_language, java
Platforms:
x86
Weixin Official Accounts Platform
RobinBot——快速扩张中的新型 DDoS 僵尸网络
2022年11月,奇安信威胁情报中心监测到一起未知家族恶意样本传播事件。经分析,恶意样本借鉴Mirai和Gafgyt家族的恶意代码,支持多种DDoS攻击方式,集成了多个漏洞Exp。根据特殊文件夹名称,我们把这个家族命名为RobinBot。
#ParsedReport
22-11-2022
Cybercrime Group Expands Cryptocurrency Phishing Campaign. Introduction
https://pixmsecurity.com/blog/phish/cybercrime-group-expands-cryptocurrency-phishing-operation
Threats:
Teamviewer_tool
IOCs:
File: 26
Email: 2
Softs:
coinbase
22-11-2022
Cybercrime Group Expands Cryptocurrency Phishing Campaign. Introduction
https://pixmsecurity.com/blog/phish/cybercrime-group-expands-cryptocurrency-phishing-operation
Threats:
Teamviewer_tool
IOCs:
File: 26
Email: 2
Softs:
coinbase
Pixm Anti-Phishing
Cybercrime Group Expands Cryptocurrency Phishing Campaign
PIXM is continuing to track a criminal group operating four separate campaigns targeting the users of cryptocurrency exchanges and wallets, which have evolved over the last 30 days as news surrounding the collapse of a major cryptocurrency exchange continues.…
#ParsedReport
22-11-2022
Part 1: SocGholish, a very real threat from a very fake update
https://www.proofpoint.com/us/blog/threat-insight/part-1-socgholish-very-real-threat-very-fake-update
Actors/Campaigns:
Ta569 (motivation: financially_motivated)
Evil_corp
Silverfish
Threats:
Socgholish_loader
Wastedlocker
Lockbit
Geo:
Spain, Poland, Iran, Italy, Germany, France
IOCs:
File: 1
Functions:
WMI
Languages:
javascript
22-11-2022
Part 1: SocGholish, a very real threat from a very fake update
https://www.proofpoint.com/us/blog/threat-insight/part-1-socgholish-very-real-threat-very-fake-update
Actors/Campaigns:
Ta569 (motivation: financially_motivated)
Evil_corp
Silverfish
Threats:
Socgholish_loader
Wastedlocker
Lockbit
Geo:
Spain, Poland, Iran, Italy, Germany, France
IOCs:
File: 1
Functions:
WMI
Languages:
javascript
Proofpoint
SocGholish Malware: A Real Threat from a Fake Update | Proofpoint US
SocGholish malware is a very real threat from a very fake update. Proofpoint breaks down the threat, what it is, how it's delivered, and more.
#ParsedReport
22-11-2022
Nighthawk: An Up-and-Coming Pentest Tool Likely to Gain Threat Actor Notice
https://www.proofpoint.com/us/blog/threat-insight/nighthawk-and-coming-pentest-tool-likely-gain-threat-actor-notice
Threats:
Nighthawk_tool
Brc4_tool
Cobalt_strike
Sliver_tool
Reflectiveloader
IOCs:
File: 3
Coin: 1
Algorithms:
gzip, aes
Functions:
CreateQueueTimer
Win API:
LoadLibraryW, RtlQueueWorkItem, LoadLibrary, LsaQueryInformationPolicy, GetUserNameA, GetComputerNameA, NtSetContextThread, LoadLibraryExW, WriteProcessMemory, NtProtectVirtualMemory, have more...
Languages:
python
Links:
22-11-2022
Nighthawk: An Up-and-Coming Pentest Tool Likely to Gain Threat Actor Notice
https://www.proofpoint.com/us/blog/threat-insight/nighthawk-and-coming-pentest-tool-likely-gain-threat-actor-notice
Threats:
Nighthawk_tool
Brc4_tool
Cobalt_strike
Sliver_tool
Reflectiveloader
IOCs:
File: 3
Coin: 1
Algorithms:
gzip, aes
Functions:
CreateQueueTimer
Win API:
LoadLibraryW, RtlQueueWorkItem, LoadLibrary, LsaQueryInformationPolicy, GetUserNameA, GetComputerNameA, NtSetContextThread, LoadLibraryExW, WriteProcessMemory, NtProtectVirtualMemory, have more...
Languages:
python
Links:
https://github.com/BishopFox/sliver/tree/6c02971b54831884d30407b632a379947dd289adhttps://github.com/ionescu007/HookingNirvana/blob/master/Esoteric%20Hooks.pdfProofpoint
What Is a Threat Actor? - Definition, Types & More | Proofpoint US
A threat actor is a term used to describe individuals whose purpose is to engage in cyber-related offenses. Learn the definition, types, motivations, and more.
#ParsedReport
22-11-2022
. Distributed phishing site disguised as a famous webmail login site in Korea
https://asec.ahnlab.com/ko/41304
Geo:
Korea
IOCs:
File: 1
Url: 2
Hash: 1
Languages:
javascript, php
22-11-2022
. Distributed phishing site disguised as a famous webmail login site in Korea
https://asec.ahnlab.com/ko/41304
Geo:
Korea
IOCs:
File: 1
Url: 2
Hash: 1
Languages:
javascript, php
ASEC BLOG
국내 유명 웹메일 로그인 사이트로 위장한 피싱 사이트 유포 - ASEC BLOG
ASEC 분석팀은 국내 유명 웹메일 사이트의 계정 정보 탈취를 목적으로 하는 악성 사이트가 국내에 유포 중임을 확인하였다. 해당 피싱 사이트는 국내 특정 웹메일의 로그인 사이트를 위장한 것으로 국내에서 50건 이상 해당 사이트에 접근한 이력이 확인되었다. 따라서 사용자는 해당 웹메일 사이트에 로그인 시 각별한 주의가 필요하다. 피싱 사이트는 아래와 같이 국내 웹메일 로그인 페이지로 위장하고 있으며 해당 메일 계정에 대한 ID와 비밀번호를 입력 후 로그인…
#ParsedReport
22-11-2022
ASEC (20221114 \~ 20221120). ASEC Weekly Malware Statistics (20221114 \~ 20221120)
https://asec.ahnlab.com/ko/42589
Actors/Campaigns:
Ta505
Threats:
Beamwinhttp_loader
Garbage_cleaner
Redline_stealer
Postealer
Agent_tesla
Azorult
Amadey
Lockbit
Smokeloader
Gandcrab
Clop
Cloudeye
Formbook
Remcos_rat
Nanocore_rat
Industry:
Financial, Transport
Geo:
Korea
IOCs:
Url: 20
File: 24
Email: 6
Softs:
discord, nsis installer
Algorithms:
zip
Languages:
visual_basic
22-11-2022
ASEC (20221114 \~ 20221120). ASEC Weekly Malware Statistics (20221114 \~ 20221120)
https://asec.ahnlab.com/ko/42589
Actors/Campaigns:
Ta505
Threats:
Beamwinhttp_loader
Garbage_cleaner
Redline_stealer
Postealer
Agent_tesla
Azorult
Amadey
Lockbit
Smokeloader
Gandcrab
Clop
Cloudeye
Formbook
Remcos_rat
Nanocore_rat
Industry:
Financial, Transport
Geo:
Korea
IOCs:
Url: 20
File: 24
Email: 6
Softs:
discord, nsis installer
Algorithms:
zip
Languages:
visual_basic
ASEC BLOG
ASEC 주간 악성코드 통계 (20221114 ~ 20221120) - ASEC BLOG
ASEC 분석팀에서는 ASEC 자동 분석 시스템 RAPIT 을 활용하여 알려진 악성코드들에 대한 분류 및 대응을 진행하고 있다. 본 포스팅에서는 2022년 11월 14일 월요일부터 11월 20일 일요일까지 한 주간 수집된 악성코드의 통계를 정리한다. 대분류 상으로는 다운로더가 53.2%로 1위를 차지하였으며, 그 다음으로는 백도어가 24.1%, 인포스틸러 21.1%, 랜섬웨어 1.0%, 코인마이너가 0.4%, 뱅킹 0.2%로 집계되었다. Top 1 –…
#ParsedReport
23-11-2022
Surge of Fake FIFA World Cup Streaming Sites Targets Virtual Fans
https://www.zscaler.com/blogs/security-research/surge-fake-fifa-world-cup-streaming-sites-targets-virtual-fans
Threats:
Solarmarker
Industry:
Aerospace, E-commerce, Financial
Geo:
Africa, Tokyo, Qatar
IOCs:
Domain: 29
Hash: 10
Softs:
windows installer
Languages:
php, javascript
23-11-2022
Surge of Fake FIFA World Cup Streaming Sites Targets Virtual Fans
https://www.zscaler.com/blogs/security-research/surge-fake-fifa-world-cup-streaming-sites-targets-virtual-fans
Threats:
Solarmarker
Industry:
Aerospace, E-commerce, Financial
Geo:
Africa, Tokyo, Qatar
IOCs:
Domain: 29
Hash: 10
Softs:
windows installer
Languages:
php, javascript
Zscaler
Fake FIFA World Cup Streaming Sites target Virtual Fans
Attackers are using fake FIFA World Cup 2022 streaming sites and lottery scams to infect users with malware.
#ParsedReport
23-11-2022
Bahamut cybermercenary group targets Android users with fake VPN apps
https://www.welivesecurity.com/2022/11/23/bahamut-cybermercenary-group-targets-android-users-fake-vpn-apps
Actors/Campaigns:
Aridviper
Threats:
Bahamut
Geo:
Ukraine, Singapore, Asia
TTPs:
Tactics: 7
Technics: 9
IOCs:
Domain: 2
File: 8
Hash: 10
IP: 1
Softs:
android, telegram, securevpn, softvpn, securechat, wechat
YARA: Found
23-11-2022
Bahamut cybermercenary group targets Android users with fake VPN apps
https://www.welivesecurity.com/2022/11/23/bahamut-cybermercenary-group-targets-android-users-fake-vpn-apps
Actors/Campaigns:
Aridviper
Threats:
Bahamut
Geo:
Ukraine, Singapore, Asia
TTPs:
Tactics: 7
Technics: 9
IOCs:
Domain: 2
File: 8
Hash: 10
IP: 1
Softs:
android, telegram, securevpn, softvpn, securechat, wechat
YARA: Found
WeLiveSecurity
Bahamut cybermercenary group targets Android users with fake VPN apps
ESET researchers uncover an active campaign where the Bahamut APT targets Android users via trojanized versions of two legitimate VPN apps.
#ParsedReport
23-11-2022
THREAT ALERT:Aggressive Qakbot Campaign and the Black Basta Ransomware Group Targeting U.S. Companies. THREAT ALERT: Aggressive Qakbot Campaign and the Black Basta Ransomware Group Targeting U.S. Companies
https://www.cybereason.com/blog/threat-alert-aggressive-qakbot-campaign-and-the-black-basta-ransomware-group-targeting-u.s.-companies
Threats:
Blackbasta
Qakbot
Cobalt_strike
Netstat_tool
Bumblebee
Rubeus_tool
Credential_harvesting_technique
Industry:
Government, Financial
Geo:
Australia, Canada
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 30
Path: 6
Command: 7
Domain: 4
Url: 1
IP: 32
Hash: 3
Softs:
active directory domain services, active directory, windows explorer
Functions:
SetVolume
Languages:
javascript
Platforms:
x86
23-11-2022
THREAT ALERT:Aggressive Qakbot Campaign and the Black Basta Ransomware Group Targeting U.S. Companies. THREAT ALERT: Aggressive Qakbot Campaign and the Black Basta Ransomware Group Targeting U.S. Companies
https://www.cybereason.com/blog/threat-alert-aggressive-qakbot-campaign-and-the-black-basta-ransomware-group-targeting-u.s.-companies
Threats:
Blackbasta
Qakbot
Cobalt_strike
Netstat_tool
Bumblebee
Rubeus_tool
Credential_harvesting_technique
Industry:
Government, Financial
Geo:
Australia, Canada
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 30
Path: 6
Command: 7
Domain: 4
Url: 1
IP: 32
Hash: 3
Softs:
active directory domain services, active directory, windows explorer
Functions:
SetVolume
Languages:
javascript
Platforms:
x86
Cybereason
THREAT ALERT: Aggressive Qakbot Campaign and the Black Basta Ransomware Group Targeting U.S. Companies
Learn to detect and prevent an aggressive new Qakbot cttack campaign operated by the Black Basta ransomware group that's targeting U.S. companies.
👍1
#ParsedReport
23-11-2022
RansomExx Upgrades to Rust
https://securityintelligence.com/posts/ransomexx-upgrades-rust
Actors/Campaigns:
Defrayx
Wizard_spider
Threats:
Ransomexx
Pyxie
Blackcat
Zeon
IOCs:
Hash: 1
Algorithms:
aes, aes-256, xor
Languages:
rust
23-11-2022
RansomExx Upgrades to Rust
https://securityintelligence.com/posts/ransomexx-upgrades-rust
Actors/Campaigns:
Defrayx
Wizard_spider
Threats:
Ransomexx
Pyxie
Blackcat
Zeon
IOCs:
Hash: 1
Algorithms:
aes, aes-256, xor
Languages:
rust
Security Intelligence
RansomExx Upgrades to Rust
A variant of the RansomExx ransomware has been rewritten in the Rust programming language, joining a growing trend of ransomware developers switching to the language. Read more on this discovery from IBM Security X-Force researchers.
#ParsedReport
24-11-2022
New Wave of SocGholish cid=27x Injections
https://blog.sucuri.net/2022/11/new-wave-of-socgholish-cid27x-injections.html
Threats:
Socgholish_loader
IOCs:
Url: 1
Domain: 4
IP: 4
Languages:
php
24-11-2022
New Wave of SocGholish cid=27x Injections
https://blog.sucuri.net/2022/11/new-wave-of-socgholish-cid27x-injections.html
Threats:
Socgholish_loader
IOCs:
Url: 1
Domain: 4
IP: 4
Languages:
php
Sucuri Blog
New Wave of SocGholish cid=27x Injections
Recent changes in SocGholish malware include ommitted siteurl comments and obfuscation generated by the popular javascript-obfuscator library.
#ParsedReport
24-11-2022
Ransomware Roundup: Cryptonite Ransomware
https://www.fortinet.com/blog/threat-research/Ransomware-Roundup-Cryptonite-Ransomware
Threats:
Cryptonite
Chaos
Filecoder
Industry:
Financial
IOCs:
Hash: 3
Domain: 3
Softs:
exegen, sql lite, pyinstaller
Algorithms:
aes
Languages:
python
24-11-2022
Ransomware Roundup: Cryptonite Ransomware
https://www.fortinet.com/blog/threat-research/Ransomware-Roundup-Cryptonite-Ransomware
Threats:
Cryptonite
Chaos
Filecoder
Industry:
Financial
IOCs:
Hash: 3
Domain: 3
Softs:
exegen, sql lite, pyinstaller
Algorithms:
aes
Languages:
python
Fortinet Blog
Ransomware Roundup - Cryptonite
The latest FortiGuard Labs Threat Signal Ransomware Roundup covers the Cryptonite ransomware, along with protection recommendations. Read more.…
#ParsedReport
24-11-2022
WannaRen Returns as Life Ransomware, Targets India. Analysis
https://www.trendmicro.com/en_us/research/22/k/wannaren-returns-as-life-ransomware--targets-india.html
Actors/Campaigns:
Equation
Threats:
Wannaren
Ryuk
Maze
Dll_sideloading_technique
Lockbit
Wannacry
Eternalblue_vuln
Shadow_brokers_tool
Asyncrat_rat
Geo:
Taiwan, Chinese, China, India
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 13
Hash: 7
Path: 1
Softs:
microsoft word
24-11-2022
WannaRen Returns as Life Ransomware, Targets India. Analysis
https://www.trendmicro.com/en_us/research/22/k/wannaren-returns-as-life-ransomware--targets-india.html
Actors/Campaigns:
Equation
Threats:
Wannaren
Ryuk
Maze
Dll_sideloading_technique
Lockbit
Wannacry
Eternalblue_vuln
Shadow_brokers_tool
Asyncrat_rat
Geo:
Taiwan, Chinese, China, India
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 13
Hash: 7
Path: 1
Softs:
microsoft word
Trend Micro
WannaRen Returns as Life Ransomware, Targets India
This blog entry looks at the characteristics of a new WannaRen ransomware variant, which we named Life ransomware after its encryption extension.