#ParsedReport
22-11-2022
Nighthawk: An Up-and-Coming Pentest Tool Likely to Gain Threat Actor Notice
https://www.proofpoint.com/us/blog/threat-insight/nighthawk-and-coming-pentest-tool-likely-gain-threat-actor-notice
Threats:
Nighthawk_tool
Brc4_tool
Cobalt_strike
Sliver_tool
Reflectiveloader
IOCs:
File: 3
Coin: 1
Algorithms:
gzip, aes
Functions:
CreateQueueTimer
Win API:
LoadLibraryW, RtlQueueWorkItem, LoadLibrary, LsaQueryInformationPolicy, GetUserNameA, GetComputerNameA, NtSetContextThread, LoadLibraryExW, WriteProcessMemory, NtProtectVirtualMemory, have more...
Languages:
python
Links:
https://github.com/BishopFox/sliver/tree/6c02971b54831884d30407b632a379947dd289ad
https://github.com/ionescu007/HookingNirvana/blob/master/Esoteric%20Hooks.pdf
Proofpoint
What Is a Threat Actor? - Definition, Types & More | Proofpoint US
A threat actor is a term used to describe individuals whose purpose is to engage in cyber-related offenses. Learn the definition, types, motivations, and more.
#ParsedReport
22-11-2022
Distributed phishing site disguised as a famous webmail login site in Korea
https://asec.ahnlab.com/ko/41304
Geo:
Korea
IOCs:
File: 1
Url: 2
Hash: 1
Languages:
javascript, php
ASEC BLOG
Distribution of a Phishing Site Disguised as a Well-Known Korean Webmail Login Site - ASEC BLOG
The ASEC analysis team has confirmed that a malicious site aimed at stealing account credentials for a well-known Korean webmail service is being distributed in Korea. The phishing site impersonates the login page of a specific Korean webmail service, and more than 50 accesses to the site from within Korea have been confirmed. Users therefore need to take particular care when logging in to that webmail site. The phishing site impersonates a Korean webmail login page as shown below, and after the ID and password for the mail account are entered and the login…
#ParsedReport
22-11-2022
ASEC Weekly Malware Statistics (20221114 ~ 20221120)
https://asec.ahnlab.com/ko/42589
Actors/Campaigns:
Ta505
Threats:
Beamwinhttp_loader
Garbage_cleaner
Redline_stealer
Postealer
Agent_tesla
Azorult
Amadey
Lockbit
Smokeloader
Gandcrab
Clop
Cloudeye
Formbook
Remcos_rat
Nanocore_rat
Industry:
Financial, Transport
Geo:
Korea
IOCs:
Url: 20
File: 24
Email: 6
Softs:
discord, nsis installer
Algorithms:
zip
Languages:
visual_basic
ASEC BLOG
ASEC Weekly Malware Statistics (20221114 ~ 20221120) - ASEC BLOG
The ASEC analysis team uses the ASEC automatic analysis system RAPIT to classify and respond to known malware. This post summarizes the statistics of malware collected during the week from Monday, November 14, 2022 to Sunday, November 20, 2022. By major category, downloaders ranked first at 53.2%, followed by backdoors at 24.1%, infostealers at 21.1%, ransomware at 1.0%, coin miners at 0.4%, and banking malware at 0.2%. Top 1 –…
#ParsedReport
23-11-2022
Surge of Fake FIFA World Cup Streaming Sites Targets Virtual Fans
https://www.zscaler.com/blogs/security-research/surge-fake-fifa-world-cup-streaming-sites-targets-virtual-fans
Threats:
Solarmarker
Industry:
Aerospace, E-commerce, Financial
Geo:
Africa, Tokyo, Qatar
IOCs:
Domain: 29
Hash: 10
Softs:
windows installer
Languages:
php, javascript
Zscaler
Fake FIFA World Cup Streaming Sites target Virtual Fans
Attackers are using fake FIFA World Cup 2022 streaming sites and lottery scams to infect users with malware.
#ParsedReport
23-11-2022
Bahamut cybermercenary group targets Android users with fake VPN apps
https://www.welivesecurity.com/2022/11/23/bahamut-cybermercenary-group-targets-android-users-fake-vpn-apps
Actors/Campaigns:
Aridviper
Threats:
Bahamut
Geo:
Ukraine, Singapore, Asia
TTPs:
Tactics: 7
Technics: 9
IOCs:
Domain: 2
File: 8
Hash: 10
IP: 1
Softs:
android, telegram, securevpn, softvpn, securechat, wechat
YARA: Found
WeLiveSecurity
Bahamut cybermercenary group targets Android users with fake VPN apps
ESET researchers uncover an active campaign where the Bahamut APT targets Android users via trojanized versions of two legitimate VPN apps.
#ParsedReport
23-11-2022
THREAT ALERT: Aggressive Qakbot Campaign and the Black Basta Ransomware Group Targeting U.S. Companies
https://www.cybereason.com/blog/threat-alert-aggressive-qakbot-campaign-and-the-black-basta-ransomware-group-targeting-u.s.-companies
Threats:
Blackbasta
Qakbot
Cobalt_strike
Netstat_tool
Bumblebee
Rubeus_tool
Credential_harvesting_technique
Industry:
Government, Financial
Geo:
Australia, Canada
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 30
Path: 6
Command: 7
Domain: 4
Url: 1
IP: 32
Hash: 3
Softs:
active directory domain services, active directory, windows explorer
Functions:
SetVolume
Languages:
javascript
Platforms:
x86
Cybereason
THREAT ALERT: Aggressive Qakbot Campaign and the Black Basta Ransomware Group Targeting U.S. Companies
Learn to detect and prevent an aggressive new Qakbot attack campaign operated by the Black Basta ransomware group that's targeting U.S. companies.
#ParsedReport
23-11-2022
RansomExx Upgrades to Rust
https://securityintelligence.com/posts/ransomexx-upgrades-rust
Actors/Campaigns:
Defrayx
Wizard_spider
Threats:
Ransomexx
Pyxie
Blackcat
Zeon
IOCs:
Hash: 1
Algorithms:
aes, aes-256, xor
Languages:
rust
Security Intelligence
RansomExx Upgrades to Rust
A variant of the RansomExx ransomware has been rewritten in the Rust programming language, joining a growing trend of ransomware developers switching to the language. Read more on this discovery from IBM Security X-Force researchers.
#ParsedReport
24-11-2022
New Wave of SocGholish cid=27x Injections
https://blog.sucuri.net/2022/11/new-wave-of-socgholish-cid27x-injections.html
Threats:
Socgholish_loader
IOCs:
Url: 1
Domain: 4
IP: 4
Languages:
php
Sucuri Blog
New Wave of SocGholish cid=27x Injections
Recent changes in SocGholish malware include omitted siteurl comments and obfuscation generated by the popular javascript-obfuscator library.
#ParsedReport
24-11-2022
Ransomware Roundup: Cryptonite Ransomware
https://www.fortinet.com/blog/threat-research/Ransomware-Roundup-Cryptonite-Ransomware
Threats:
Cryptonite
Chaos
Filecoder
Industry:
Financial
IOCs:
Hash: 3
Domain: 3
Softs:
exegen, sql lite, pyinstaller
Algorithms:
aes
Languages:
python
Fortinet Blog
Ransomware Roundup - Cryptonite
The latest FortiGuard Labs Threat Signal Ransomware Roundup covers the Cryptonite ransomware, along with protection recommendations. Read more.…
#ParsedReport
24-11-2022
WannaRen Returns as Life Ransomware, Targets India
https://www.trendmicro.com/en_us/research/22/k/wannaren-returns-as-life-ransomware--targets-india.html
Actors/Campaigns:
Equation
Threats:
Wannaren
Ryuk
Maze
Dll_sideloading_technique
Lockbit
Wannacry
Eternalblue_vuln
Shadow_brokers_tool
Asyncrat_rat
Geo:
Taiwan, Chinese, China, India
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 13
Hash: 7
Path: 1
Softs:
microsoft word
Trend Micro
WannaRen Returns as Life Ransomware, Targets India
This blog entry looks at the characteristics of a new WannaRen ransomware variant, which we named Life ransomware after its encryption extension.
#ParsedReport
24-11-2022
Reversing Golang Developed Ransomware: SNAKE
https://www.0ffset.net/reverse-engineering/analysing-snake-ransomware
Actors/Campaigns:
Dream_job
Threats:
Snake_ransomware
Gobfuscate_tool
IOCs:
Hash: 1
File: 19
IP: 1
Path: 1
Email: 1
Command: 1
Softs:
windows firewall, bootnxt
Algorithms:
xor, aes, rsa-2048
Functions:
LazyDLL, OpenService, DeleteInstance, WriteAt
Win API:
CoInitializeEx, CoInitializeSecurity, CoCreateInstance, OpenProcess, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, OpenSCManagerA, OpenServiceW, have more...
Languages:
python, golang
Links:
https://github.com/unixpickle/gobfuscate
0ffset Training Solutions | Practical and Affordable Cyber Security Training
Reversing Golang Developed Ransomware: SNAKE | 0ffset Training Solutions
Introduction: Snake Ransomware (or EKANS Ransomware) is a Golang ransomware which in the past has affected several companies such as Enel and Honda. The MD5 hash of the analyzed sample is ED3C05BDE9F0EA0F1321355B03AC42D0. This sample in particular is obfuscated…
DUCKTAIL returns: Underneath the ruffled feathers
https://labs.withsecure.com/content/dam/labs/docs/WithSecure_Research_DUCKTAIL_Returns.pdf
#ParsedReport
25-11-2022
Koxic Ransomware Being Distributed in Korea
https://asec.ahnlab.com/en/42343
Threats:
Koxic
Revil
Upx_tool
Deathransom
Trojan/win.generic.c4963639
Ransom/mdp.delete.m2117
Malware/mdp.behavior.m2771
Ransom/mdp.decoy.m4475
Geo:
Korea
IOCs:
File: 15
Registry: 4
Command: 3
Hash: 3
Softs:
mysql
Algorithms:
cbc, aes
Functions:
CreateFileMappingW
Win API:
SeBackupPrivilege, SeRestorePrivilege, SeManageVolumePrivilege, SeTakeOwnershipPrivilege, MoveFileExW, CreateFileMappingW, ViewOfFile
Win Services:
SQLWriter, MSSQLServerOLAPService, MSSQLSERVER, MSSQL$SQLEXPRESS, ReportServer
Platforms:
intel
ASEC BLOG
Koxic Ransomware Being Distributed in Korea - ASEC BLOG
It has been discovered that Koxic ransomware is being distributed in Korea. It was first identified earlier this year, and recently, the team found that a file with a modified appearance and internal ransom note had been detected and blocked via the ASD infrastructure.…
#ParsedReport
25-11-2022
Wiki Ransomware Being Distributed in Korea
https://asec.ahnlab.com/en/42507
Threats:
Dharma
Geo:
Korea
IOCs:
Path: 1
File: 12
Command: 1
Email: 1
Hash: 2
ASEC BLOG
Wiki Ransomware Being Distributed in Korea - ASEC BLOG
Through the AhnLab ASD infrastructure’s history of blocking suspicious ransomware behavior, the ASEC analysis team has identified the distribution of Wiki ransomware, which has been determined to be a variant of Crysis ransomware, disguised as a normal program.…
#ParsedReport
25-11-2022
ASEC Weekly Malware Statistics (November 14th, 2022 – November 20th, 2022)
https://asec.ahnlab.com/en/42757
Threats:
Beamwinhttp_loader
Garbage_cleaner
Redline_stealer
Agent_tesla
Amadey
Smokeloader
Lockbit
Cloudeye
Formbook
Remcos_rat
Nanocore_rat
Industry:
Financial
Geo:
Korea
IOCs:
Url: 20
Email: 6
File: 14
Softs:
discord, nsis installer
Languages:
visual_basic
ASEC BLOG
ASEC Weekly Malware Statistics (November 14th, 2022 – November 20th, 2022) - ASEC BLOG
The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from November 14th, 2022 (Monday) to November 20th (Sunday). For the main category, downloader…
#ParsedReport
25-11-2022
Punisher Ransomware Spreading Through Fake COVID Site
https://blog.cyble.com/2022/11/25/punisher-ransomware-spreading-through-fake-covid-site
Threats:
Punisher
Timestomp_technique
Industry:
Financial
Geo:
India, Australia, Singapore, Georgia, Dubai, Chile
TTPs:
Tactics: 7
Technics: 10
IOCs:
Domain: 1
File: 3
Url: 3
Path: 1
Hash: 2
Algorithms:
aes-128, base64
Functions:
MakeConnection, GeneratePassword, RNGCryptoServiceProvider, GetBytes
Win API:
Sleep
Languages:
javascript
Cyble
Punisher Ransomware Spreading Through Fake COVID Site
Cyble analyzes the spread of Punisher Ransomware amongst Chilean users via the use of fake COVID-19 portals.
#ParsedReport
25-11-2022
Yanluowang Ransomware Leaks Analysis: Organization, Collaboration with HelloKitty, Babuk and Conti
https://www.trellix.com/en-us/about/newsroom/stories/research/yanluowang-ransomware-leaks-analysis.html
Actors/Campaigns:
Evil_corp
Threats:
Yanluowang
Hellokitty
Babuk
Conti
Killanas_actor
Xander2727_actor
Sailormorgan32_actor
Guki_actor
Gykko_actor
Matanbuchus
Wazawaka_actor
Payloadbin
Lockbit
Industry:
Entertainment, Financial
Geo:
Chinese, Ukrainian, Russian, Ukraine
IOCs:
Domain: 1
File: 1
Platforms:
intel
Trellix
Yanluowang Ransomware Leaks Analysis: Organization, Collaboration with HelloKitty, Babuk and Conti
The recently leaked Yanluowang messages span from mid-January to September 2022 and include around 2.7K messages. However, from this relatively small dataset we have gained valuable intel on the Yanluowang threat actor, their inner workings, victims and possible…
#ParsedReport
25-11-2022
APT-C-09 (摩诃草, Patchwork) Group's Latest Attack Activity Targeting Pakistan
https://mp.weixin.qq.com/s/LOZTOz4Lo6cOpeD4mMC29g
Actors/Campaigns:
Dropping_elephant
Threats:
Badnews_rat
Dll_sideloading_technique
Industry:
Healthcare, Government
Geo:
Pakistan
CVEs:
CVE-2017-11882 [Vulners]
Vulners: Score: 9.3, CVSS: 4.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft office (2013, 2010, 2016, 2007)
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 6
Hash: 3
Registry: 1
Algorithms:
base64, aes-128-cbc, aes-256-cbc, aes, rc4
Functions:
CreateFilea
Languages:
php
Weixin Official Accounts Platform
APT-C-09 (摩诃草, Patchwork) Group's Latest Attack Activity Targeting Pakistan
The group is adept at seizing on hot-topic events and government working meetings as lures and delivers its attack payloads through spear-phishing. The samples captured this time use the "2022 Prime Minister's Disaster Relief Fund" and an "Inter-departmental Workshop - AML/CFT Registration Form" as lures, and drop the latest variant of the "BADNEWS" trojan to carry out information theft.
#technique
Windows Access Tokens: Getting SYSTEM and demystifying Potato Exploits
https://eversinc33.github.io/posts/windows-access-tokens/
eversinc33.github.io
Windows Access Tokens: Getting SYSTEM and demystifying Potato Exploits
If you are a penetration tester, you have probably dealt with and abused Windows access tokens before, e.g. to get SYSTEM privileges using some kind of potato from an account with the SeImpersonate privilege set, when using meterpreter's incognito module or…
#ParsedReport
28-11-2022
Emotet Strikes Again Lnk File Leads to Domain Wide Ransomware
https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware
Threats:
Emotet
Cobalt_strike
Anydesk_tool
Quantum_locker
Adfind_tool
Nltest_tool
Beacon
Process_injection_technique
Zerologon_vuln
Mimikatz_tool
Powertool_tool
Process_hacker_tool
Cridex
TTPs:
Tactics: 12
Technics: 24
IOCs:
File: 21
Command: 2
Url: 7
Path: 15
IP: 33
Domain: 10
Email: 1
Hash: 7
Softs:
active directory, virtualbox, winlogon
Algorithms:
base64
Win API:
CreateThread, CreateRemoteThread, RtlCreateUserThread, Sleep
YARA: Found
SIGMA: Found
Links:
https://github.com/SigmaHQ/sigma/blob/3a2079b02bcb1a2653ba9b5a5f56fd8b14a59820/rules/windows/builtin/system/win_system_possible_zerologon_exploitation_using_wellknown_tools.yml
https://github.com/SigmaHQ/sigma/blob/1f8e37351e7c5d89ce7808391edaef34bd8db6c0/rules/windows/process_creation/proc_creation_win_susp_wmic_execution.yml
https://github.com/amidaware/tacticalrmm
https://github.com/SigmaHQ/sigma/blob/1f8e37351e7c5d89ce7808391edaef34bd8db6c0/rules/windows/process_creation/proc_creation_win_nltest_recon.yml
https://github.com/SigmaHQ/sigma/blob/74e2d1bd3cec8fa72ba06cf4eef8e58fb5e0e237/rules/windows/process_creation/proc_creation_win_susp_process_hacker.yml
https://github.com/SigmaHQ/sigma/blob/8b749fb1260b92b9170e4e69fa1bd2f34e94d766/rules/windows/builtin/system/win_system_anydesk_service_installation.yml
https://github.com/DISREL/Conti-Leaked-Playbook-TTPs/blob/main/Conti-Leaked-Playbook-TTPs.pdf
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_embed_exe_lnk.yml
https://github.com/SigmaHQ/sigma/blob/08651822714c977d40d3c126c20ba4033d6836d3/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_rclone_execution.yml
https://github.com/NVISOsecurity/sigma-public/blob/master/rules/windows/process_creation/win_susp_recon_activity.yml
https://github.com/SigmaHQ/sigma/blob/1f8e37351e7c5d89ce7808391edaef34bd8db6c0/rules/windows/process_creation/proc_creation_win_susp_powershell_cmd_patterns.yml
https://github.com/SigmaHQ/sigma/blob/a3eed2b760abddfd62014fcf9ae81f435b216473/rules/windows/process_access/proc_access_win_lsass_memdump.yml
The DFIR Report
Emotet Strikes Again – LNK File Leads to Domain Wide Ransomware
In June of 2022, we observed a threat actor gaining access to an environment via Emotet and operating over an eight-day period. During this time period, multiple rounds of enumeration and lateral mo…