DUCKTAIL returns: Underneath the ruffled feathers
https://labs.withsecure.com/content/dam/labs/docs/WithSecure_Research_DUCKTAIL_Returns.pdf
https://labs.withsecure.com/content/dam/labs/docs/WithSecure_Research_DUCKTAIL_Returns.pdf
#ParsedReport
25-11-2022
Koxic Ransomware Being Distributed in Korea
https://asec.ahnlab.com/en/42343
Threats:
Koxic
Revil
Upx_tool
Deathransom
Trojan/win.generic.c4963639
Ransom/mdp.delete.m2117
Malware/mdp.behavior.m2771
Ransom/mdp.decoy.m4475
Geo:
Korea
IOCs:
File: 15
Registry: 4
Command: 3
Hash: 3
Softs:
mysql
Algorithms:
cbc, aes
Functions:
CreateFileMappingW
Win API:
SeBackupPrivilege, SeRestorePrivilege, SeManageVolumePrivilege, SeTakeOwnershipPrivilege, MoveFileExW, reateFileMappingW, ViewOfFile
Win Services:
SQLWriter, MSSQLServerOLAPService, MSSQLSERVER, MSSQL$SQLEXPRESS, ReportServer
Platforms:
intel
25-11-2022
Koxic Ransomware Being Distributed in Korea
https://asec.ahnlab.com/en/42343
Threats:
Koxic
Revil
Upx_tool
Deathransom
Trojan/win.generic.c4963639
Ransom/mdp.delete.m2117
Malware/mdp.behavior.m2771
Ransom/mdp.decoy.m4475
Geo:
Korea
IOCs:
File: 15
Registry: 4
Command: 3
Hash: 3
Softs:
mysql
Algorithms:
cbc, aes
Functions:
CreateFileMappingW
Win API:
SeBackupPrivilege, SeRestorePrivilege, SeManageVolumePrivilege, SeTakeOwnershipPrivilege, MoveFileExW, reateFileMappingW, ViewOfFile
Win Services:
SQLWriter, MSSQLServerOLAPService, MSSQLSERVER, MSSQL$SQLEXPRESS, ReportServer
Platforms:
intel
ASEC BLOG
Koxic Ransomware Being Distributed in Korea - ASEC BLOG
It has been discovered that Koxic ransomware is being distributed in Korea. It was first identified earlier this year, and recently, the team found that a file with a modified appearance and internal ransom note had been detected and blocked via the ASD infrastructure.…
#ParsedReport
25-11-2022
Wiki Ransomware Being Distributed in Korea
https://asec.ahnlab.com/en/42507
Threats:
Dharma
Geo:
Korea
IOCs:
Path: 1
File: 12
Command: 1
Email: 1
Hash: 2
25-11-2022
Wiki Ransomware Being Distributed in Korea
https://asec.ahnlab.com/en/42507
Threats:
Dharma
Geo:
Korea
IOCs:
Path: 1
File: 12
Command: 1
Email: 1
Hash: 2
ASEC BLOG
Wiki Ransomware Being Distributed in Korea - ASEC BLOG
Through the AhnLab ASD infrastructure’s history of blocking suspicious ransomware behavior, the ASEC analysis team has identified the distribution of Wiki ransomware, which has been determined to be a variant of Crysis ransomware, disguised as a normal program.…
#ParsedReport
25-11-2022
ASEC Weekly Malware Statistics (November 14th, 2022 November 20th, 2022)
https://asec.ahnlab.com/en/42757
Threats:
Beamwinhttp_loader
Garbage_cleaner
Redline_stealer
Agent_tesla
Amadey
Smokeloader
Lockbit
Cloudeye
Formbook
Remcos_rat
Nanocore_rat
Industry:
Financial
Geo:
Korea
IOCs:
Url: 20
Email: 6
File: 14
Softs:
discord, nsis installer
Languages:
visual_basic
25-11-2022
ASEC Weekly Malware Statistics (November 14th, 2022 November 20th, 2022)
https://asec.ahnlab.com/en/42757
Threats:
Beamwinhttp_loader
Garbage_cleaner
Redline_stealer
Agent_tesla
Amadey
Smokeloader
Lockbit
Cloudeye
Formbook
Remcos_rat
Nanocore_rat
Industry:
Financial
Geo:
Korea
IOCs:
Url: 20
Email: 6
File: 14
Softs:
discord, nsis installer
Languages:
visual_basic
ASEC BLOG
ASEC Weekly Malware Statistics (November 14th, 2022 – November 20th, 2022) - ASEC BLOG
The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from November 14th, 2022 (Monday) to November 20th (Sunday). For the main category, downloader…
#ParsedReport
25-11-2022
Punisher Ransomware Spreading Through Fake COVID Site
https://blog.cyble.com/2022/11/25/punisher-ransomware-spreading-through-fake-covid-site
Threats:
Punisher
Timestomp_technique
Industry:
Financial
Geo:
India, Australia, Singapore, Georgia, Dubai, Chile
TTPs:
Tactics: 7
Technics: 10
IOCs:
Domain: 1
File: 3
Url: 3
Path: 1
Hash: 2
Algorithms:
aes-128, base64
Functions:
MakeConnection, GeneratePassword, RNGCryptoServiceProvider, GetBytes
Win API:
Sleep
Languages:
javascript
25-11-2022
Punisher Ransomware Spreading Through Fake COVID Site
https://blog.cyble.com/2022/11/25/punisher-ransomware-spreading-through-fake-covid-site
Threats:
Punisher
Timestomp_technique
Industry:
Financial
Geo:
India, Australia, Singapore, Georgia, Dubai, Chile
TTPs:
Tactics: 7
Technics: 10
IOCs:
Domain: 1
File: 3
Url: 3
Path: 1
Hash: 2
Algorithms:
aes-128, base64
Functions:
MakeConnection, GeneratePassword, RNGCryptoServiceProvider, GetBytes
Win API:
Sleep
Languages:
javascript
Cyble
Punisher Ransomware Spreading Through Fake COVID Site
Cyble analyzes the spread of Punisher Ransomware amongst Chilean users via the use of fake COVID-19 portals.
#ParsedReport
25-11-2022
Yanluowang Ransomware Leaks Analysis: Organization, Collaboration with HelloKitty, Babuk and Conti
https://www.trellix.com/en-us/about/newsroom/stories/research/yanluowang-ransomware-leaks-analysis.html
Actors/Campaigns:
Evil_corp
Threats:
Yanluowang
Hellokitty
Babuk
Conti
Killanas_actor
Xander2727_actor
Sailormorgan32_actor
Guki_actor
Gykko_actor
Matanbuchus
Wazawaka_actor
Payloadbin
Lockbit
Industry:
Entertainment, Financial
Geo:
Chinese, Ukrainian, Russian, Ukraine
IOCs:
Domain: 1
File: 1
Platforms:
intel
25-11-2022
Yanluowang Ransomware Leaks Analysis: Organization, Collaboration with HelloKitty, Babuk and Conti
https://www.trellix.com/en-us/about/newsroom/stories/research/yanluowang-ransomware-leaks-analysis.html
Actors/Campaigns:
Evil_corp
Threats:
Yanluowang
Hellokitty
Babuk
Conti
Killanas_actor
Xander2727_actor
Sailormorgan32_actor
Guki_actor
Gykko_actor
Matanbuchus
Wazawaka_actor
Payloadbin
Lockbit
Industry:
Entertainment, Financial
Geo:
Chinese, Ukrainian, Russian, Ukraine
IOCs:
Domain: 1
File: 1
Platforms:
intel
Trellix
Yanluowang Ransomware Leaks Analysis: Organization, Collaboration with HelloKitty, Babuk and Conti
The recently leaked Yanluowang messages span from mid-January to September 2022 and include around 2.7K messages. However, from this relatively small dataset we have gained a valuable intel on Yanluowang threat actor, their innerworkings, victims and possible…
#ParsedReport
25-11-2022
APT-C-09. 1. Analysis of attack activities
https://mp.weixin.qq.com/s/LOZTOz4Lo6cOpeD4mMC29g
Actors/Campaigns:
Dropping_elephant
Threats:
Badnews_rat
Dll_sideloading_technique
Industry:
Healthcare, Government
Geo:
Pakistan
CVEs:
CVE-2017-11882 [Vulners]
Vulners: Score: 9.3, CVSS: 4.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft office (2013, 2010, 2016, 2007)
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 6
Hash: 3
Registry: 1
Algorithms:
base64, aes-128-cbc, aes-256-cbc, aes, rc4
Functions:
CreateFilea
Languages:
php
25-11-2022
APT-C-09. 1. Analysis of attack activities
https://mp.weixin.qq.com/s/LOZTOz4Lo6cOpeD4mMC29g
Actors/Campaigns:
Dropping_elephant
Threats:
Badnews_rat
Dll_sideloading_technique
Industry:
Healthcare, Government
Geo:
Pakistan
CVEs:
CVE-2017-11882 [Vulners]
Vulners: Score: 9.3, CVSS: 4.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft office (2013, 2010, 2016, 2007)
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 6
Hash: 3
Registry: 1
Algorithms:
base64, aes-128-cbc, aes-256-cbc, aes, rc4
Functions:
CreateFilea
Languages:
php
Weixin Official Accounts Platform
APT-C-09(摩诃草)组织针对巴基斯坦最新攻击活动
该组织善于抓住热点事件及政府工作会议作为诱饵,并采用鱼叉式网络攻击手段投递攻击载荷,本次捕获的样本以“2022年总理赈灾基金”和“跨部门研讨会 - AML/CFT报名表格”为诱饵,释放“BADNEWS”最新变种木马程序进行窃密行动
#technique
Windows Access Tokens: Getting SYSTEM and demystifying Potato Exploits
https://eversinc33.github.io/posts/windows-access-tokens/
Windows Access Tokens: Getting SYSTEM and demystifying Potato Exploits
https://eversinc33.github.io/posts/windows-access-tokens/
eversinc33.github.io
Windows Access Tokens: Getting SYSTEM and demystifying Potato Exploits
If you are a penetration tester, you probably dealt with and abused windows access tokens before, e.g. to get SYSTEM privileges, using some kind of potato, from an account with the SeImpersonate privilege set, when using meterpreter’s incognito module or…
#ParsedReport
28-11-2022
Emotet Strikes Again Lnk File Leads to Domain Wide Ransomware
https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware
Threats:
Emotet
Cobalt_strike
Anydesk_tool
Quantum_locker
Adfind_tool
Nltest_tool
Beacon
Process_injection_technique
Zerologon_vuln
Mimikatz_tool
Powertool_tool
Process_hacker_tool
Cridex
TTPs:
Tactics: 12
Technics: 24
IOCs:
File: 21
Command: 2
Url: 7
Path: 15
IP: 33
Domain: 10
Email: 1
Hash: 7
Softs:
active directory, virtualbox, winlogon
Algorithms:
base64
Win API:
CreateThread, CreateRemoteThread, RtlCreateUserThread, Sleep
YARA: Found
SIGMA: Found
Links:
28-11-2022
Emotet Strikes Again Lnk File Leads to Domain Wide Ransomware
https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware
Threats:
Emotet
Cobalt_strike
Anydesk_tool
Quantum_locker
Adfind_tool
Nltest_tool
Beacon
Process_injection_technique
Zerologon_vuln
Mimikatz_tool
Powertool_tool
Process_hacker_tool
Cridex
TTPs:
Tactics: 12
Technics: 24
IOCs:
File: 21
Command: 2
Url: 7
Path: 15
IP: 33
Domain: 10
Email: 1
Hash: 7
Softs:
active directory, virtualbox, winlogon
Algorithms:
base64
Win API:
CreateThread, CreateRemoteThread, RtlCreateUserThread, Sleep
YARA: Found
SIGMA: Found
Links:
https://github.com/SigmaHQ/sigma/blob/3a2079b02bcb1a2653ba9b5a5f56fd8b14a59820/rules/windows/builtin/system/win\_system\_possible\_zerologon\_exploitation\_using\_wellknown\_tools.ymlhttps://github.com/SigmaHQ/sigma/blob/1f8e37351e7c5d89ce7808391edaef34bd8db6c0/rules/windows/process\_creation/proc\_creation\_win\_susp\_wmic\_execution.ymlhttps://github.com/amidaware/tacticalrmmhttps://github.com/SigmaHQ/sigma/blob/1f8e37351e7c5d89ce7808391edaef34bd8db6c0/rules/windows/process\_creation/proc\_creation\_win\_nltest\_recon.ymlhttps://github.com/SigmaHQ/sigma/blob/74e2d1bd3cec8fa72ba06cf4eef8e58fb5e0e237/rules/windows/process\_creation/proc\_creation\_win\_susp\_process\_hacker.ymlhttps://github.com/SigmaHQ/sigma/blob/8b749fb1260b92b9170e4e69fa1bd2f34e94d766/rules/windows/builtin/system/win\_system\_anydesk\_service\_installation.ymlhttps://github.com/DISREL/Conti-Leaked-Playbook-TTPs/blob/main/Conti-Leaked-Playbook-TTPs.pdfhttps://github.com/SigmaHQ/sigma/blob/master/rules/windows/process\_creation/proc\_creation\_win\_embed\_exe\_lnk.ymlhttps://github.com/SigmaHQ/sigma/blob/08651822714c977d40d3c126c20ba4033d6836d3/rules/windows/registry/registry\_set/registry\_set\_asep\_reg\_keys\_modification\_currentversion.ymlhttps://github.com/SigmaHQ/sigma/blob/master/rules/windows/process\_creation/proc\_creation\_win\_susp\_rclone\_execution.ymlhttps://github.com/NVISOsecurity/sigma-public/blob/master/rules/windows/process\_creation/win\_susp\_recon\_activity.ymlhttps://github.com/SigmaHQ/sigma/blob/1f8e37351e7c5d89ce7808391edaef34bd8db6c0/rules/windows/process\_creation/proc\_creation\_win\_susp\_powershell\_cmd\_patterns.ymlhttps://github.com/SigmaHQ/sigma/blob/a3eed2b760abddfd62014fcf9ae81f435b216473/rules/windows/process\_access/proc\_access\_win\_lsass\_memdump.ymlThe DFIR Report
Emotet Strikes Again – LNK File Leads to Domain Wide Ransomware
In June of 2022, we observed a threat actor gaining access to an environment via Emotet and operating over a eight day period. During this time period, multiple rounds of enumeration and lateral mo…
#ParsedReport
28-11-2022
How Is My Phone Number Leaked?
https://asec.ahnlab.com/en/42898
IOCs:
File: 2
Hash: 1
Softs:
chrome
Platforms:
x64
28-11-2022
How Is My Phone Number Leaked?
https://asec.ahnlab.com/en/42898
IOCs:
File: 2
Hash: 1
Softs:
chrome
Platforms:
x64
ASEC BLOG
How Is My Phone Number Leaked? - ASEC BLOG
The PERSONAL INFORMATION PROTECTION ACT is a law to protect the freedom and rights of individuals, and it aims to actualize the individual dignity and value of people. According to the act, personal information is defined as pieces of information that can…
#ParsedReport
28-11-2022
LockBit Ransomware Being Mass-distributed With Similar Filenames
https://asec.ahnlab.com/en/42890
Threats:
Lockbit
Ransom/mdp.decoy.m1171
IOCs:
File: 3
Hash: 2
Algorithms:
zip
28-11-2022
LockBit Ransomware Being Mass-distributed With Similar Filenames
https://asec.ahnlab.com/en/42890
Threats:
Lockbit
Ransom/mdp.decoy.m1171
IOCs:
File: 3
Hash: 2
Algorithms:
zip
ASEC BLOG
LockBit Ransomware Being Mass-distributed With Similar Filenames - ASEC BLOG
The ASEC analysis team had written about LockBit ransomware being distributed through emails over three blog posts. Through consistent monitoring, we hereby let you know that LockBit 2.0 and LockBit 3.0 are being distributed again with only a change to their…
#ParsedReport
28-11-2022
Attacker Uses a Popular TikTok Challenge to Lure Users Into Installing Malicious Package. TikToks Invisible Challenge
https://checkmarx.com/blog/attacker-uses-a-popular-tiktok-challenge-to-lure-users-into-installing-malicious-package
Threats:
Starjacking_technique
IOCs:
File: 1
Url: 9
Softs:
tiktok, discord
Languages:
python
Links:
28-11-2022
Attacker Uses a Popular TikTok Challenge to Lure Users Into Installing Malicious Package. TikToks Invisible Challenge
https://checkmarx.com/blog/attacker-uses-a-popular-tiktok-challenge-to-lure-users-into-installing-malicious-package
Threats:
Starjacking_technique
IOCs:
File: 1
Url: 9
Softs:
tiktok, discord
Languages:
python
Links:
https://web.archive.org/web/20221120230346/https:/github.com/trending/python?since=dailyhttps://github.com/420World69/Nitro-generatorhttps://github.com/420World69/Tiktok-Unfilter-ApiCheckmarx
Attacker Uses a Popular TikTok Challenge to Lure Users Into Installing Malicious Package
After a cat-mouse game, as the attacker’s packages have been caught, reported and removed by PyPi, the attacker decided to move his malicious infection line from the Python package to the requirements.txt as you can see in the blog.
#ParsedReport
23-11-2022
RansomExx Upgrades to Rust
https://securityintelligence.com/posts/ransomexx-upgrades-rust/
Actors/Campaigns:
Defrayx
Wizard_spider
Threats:
Ransomexx
Pyxie
Blackcat
Zeon
IOCs:
Hash: 1
Algorithms:
aes, xor, aes-256
Languages:
rust
23-11-2022
RansomExx Upgrades to Rust
https://securityintelligence.com/posts/ransomexx-upgrades-rust/
Actors/Campaigns:
Defrayx
Wizard_spider
Threats:
Ransomexx
Pyxie
Blackcat
Zeon
IOCs:
Hash: 1
Algorithms:
aes, xor, aes-256
Languages:
rust
Security Intelligence
RansomExx Upgrades to Rust
A variant of the RansomExx ransomware has been rewritten in the Rust programming language, joining a growing trend of ransomware developers switching to the language. Read more on this discovery from IBM Security X-Force researchers.
#ParsedReport
28-11-2022
Advanced Phishing Campaign Targeting Individuals & Businesses in the Middle East (Part 2). Resilience to Takedowns and Suspensions
https://cloudsek.com/threatintelligence/advanced-phishing-campaign-targeting-individuals-businesses-in-the-middle-east-part-2/?utm_source=rss&utm_medium=rss&utm_campaign=advanced-phishing-campaign-targeting-individuals-businesses-in-the-middle-east-part-2
Actors/Campaigns:
Bec
Threats:
Httrack_tool
Industry:
Financial, Chemical
Geo:
Dubai
TTPs:
Tactics: 1
Technics: 0
IOCs:
Domain: 107
Email: 2
28-11-2022
Advanced Phishing Campaign Targeting Individuals & Businesses in the Middle East (Part 2). Resilience to Takedowns and Suspensions
https://cloudsek.com/threatintelligence/advanced-phishing-campaign-targeting-individuals-businesses-in-the-middle-east-part-2/?utm_source=rss&utm_medium=rss&utm_campaign=advanced-phishing-campaign-targeting-individuals-businesses-in-the-middle-east-part-2
Actors/Campaigns:
Bec
Threats:
Httrack_tool
Industry:
Financial, Chemical
Geo:
Dubai
TTPs:
Tactics: 1
Technics: 0
IOCs:
Domain: 107
Email: 2
Cloudsek
Advanced Phishing Campaign Targeting Individuals & Businesses in the Middle East (Part 2) | Threat Intelligence | CloudSEK
CloudSEK’s contextual AI digital risk platform has uncovered a large-scale ongoing BEC scam that is targeting vendors of Middle East-based organizations and individuals.
#ParsedReport
29-11-2022
RansomBoggs: New ransomware targeting Ukraine
https://www.welivesecurity.com/2022/11/28/ransomboggs-new-ransomware-ukraine
Actors/Campaigns:
Sandworm
Threats:
Ransomboggs
Filecoder
Crashoverride
Killdisk
Arguepatch_loader
Prestige_ransomware
Hermeticwiper
Isaacwiper
Eternal_petya
Havoc
Industry:
Logistic, Energy
Geo:
Ukraines, Ukrainian, Ukraine, Russia, Poland
IOCs:
File: 2
Softs:
net framework
Algorithms:
aes-256, aes, cbc
29-11-2022
RansomBoggs: New ransomware targeting Ukraine
https://www.welivesecurity.com/2022/11/28/ransomboggs-new-ransomware-ukraine
Actors/Campaigns:
Sandworm
Threats:
Ransomboggs
Filecoder
Crashoverride
Killdisk
Arguepatch_loader
Prestige_ransomware
Hermeticwiper
Isaacwiper
Eternal_petya
Havoc
Industry:
Logistic, Energy
Geo:
Ukraines, Ukrainian, Ukraine, Russia, Poland
IOCs:
File: 2
Softs:
net framework
Algorithms:
aes-256, aes, cbc
WeLiveSecurity
RansomBoggs: New ransomware targeting Ukraine
ESET researchers spot a new ransomware campaign that targets multiple Ukrainian organizations and has Sandworm's fingerprints all over it.
#ParsedReport
29-11-2022
How IoT Botnets Evade Detection and Analysis Part 2
https://www.nozominetworks.com/blog/how-iot-botnets-evade-detection-and-analysis-part-2
Threats:
Upx_tool
Kaiten
Tsunami_botnet
Mirai
Industry:
Iot
IOCs:
Hash: 3
Softs:
qemu, crontab
Languages:
python
Platforms:
arm, x86, mips
YARA: Found
Links:
29-11-2022
How IoT Botnets Evade Detection and Analysis Part 2
https://www.nozominetworks.com/blog/how-iot-botnets-evade-detection-and-analysis-part-2
Threats:
Upx_tool
Kaiten
Tsunami_botnet
Mirai
Industry:
Iot
IOCs:
Hash: 3
Softs:
qemu, crontab
Languages:
python
Platforms:
arm, x86, mips
YARA: Found
Links:
https://github.com/nozominetworks/upx-recovery-toolNozomi Networks
How IoT Botnets Evade Detection and Analysis – Part 2
Nozomi Networks Labs analyzes new modification techniques malware authors use to evade detection and analysis tools.
#ParsedReport
29-11-2022
.xll (LockBit 2.0). 'Resume.XLL' file is being distributed domestically (LOCKBIT 2.0)
https://asec.ahnlab.com/ko/43029
Threats:
Lockbit
IOCs:
File: 5
Url: 1
Path: 1
Hash: 2
Softs:
microsoft excel
29-11-2022
.xll (LockBit 2.0). 'Resume.XLL' file is being distributed domestically (LOCKBIT 2.0)
https://asec.ahnlab.com/ko/43029
Threats:
Lockbit
IOCs:
File: 5
Url: 1
Path: 1
Hash: 2
Softs:
microsoft excel
ASEC
‘이력서.xll’ 파일 국내 유포 중 (LockBit 2.0)
올해 중순에 ASEC 분석팀에서는 이메일을 통해 XLL 파일(확장자: .xll) 형식의 악성코드가 유포됨을 공유한 바 있다. XLL 파일은 실행파일인 PE(Portable Executable) 파일의 DLL 외형을 가졌으나, Microsoft Excel(엑셀)을 통해 실행된다. 그동안 이 유형의 악성코드 유포가 활발하지 않았으나, 오랜만에 ‘…
#ParsedReport
29-11-2022
Always Another Secret: Lifting the Haze on China-nexus Espionage in Southeast Asia
https://www.mandiant.com/resources/blog/china-nexus-espionage-southeast-asia
Actors/Campaigns:
Unc4191 (motivation: cyber_espionage)
Threats:
Mistcloak
Darkdew
Bluehaze
Ncat_tool
Nmap_tool
Netcat_tool
Dll_sideloading_technique
Geo:
Usa, China, Asia, Chinas, Philippines, Chinese
TTPs:
IOCs:
File: 11
Path: 15
Hash: 8
Registry: 2
Domain: 2
Command: 1
Softs:
windows explorer, chromium
YARA: Found
29-11-2022
Always Another Secret: Lifting the Haze on China-nexus Espionage in Southeast Asia
https://www.mandiant.com/resources/blog/china-nexus-espionage-southeast-asia
Actors/Campaigns:
Unc4191 (motivation: cyber_espionage)
Threats:
Mistcloak
Darkdew
Bluehaze
Ncat_tool
Nmap_tool
Netcat_tool
Dll_sideloading_technique
Geo:
Usa, China, Asia, Chinas, Philippines, Chinese
TTPs:
IOCs:
File: 11
Path: 15
Hash: 8
Registry: 2
Domain: 2
Command: 1
Softs:
windows explorer, chromium
YARA: Found
Google Cloud Blog
Always Another Secret: Lifting the Haze on China-nexus Espionage in Southeast Asia | Mandiant | Google Cloud Blog
#ParsedReport
29-11-2022
ASEC (20221121 \~ 20221127). ASEC Weekly Malware Statistics (20221121 \~ 20221127)
https://asec.ahnlab.com/ko/43051
Actors/Campaigns:
Ta505
Threats:
Agent_tesla
Azorult
Smokeloader
Smokerloader
Beamwinhttp_loader
Garbage_cleaner
Amadey
Lockbit
Gandcrab
Clop
Redline_stealer
Postealer
Industry:
Transport, Financial
Geo:
Korea
IOCs:
File: 19
Domain: 13
Email: 4
Url: 22
Softs:
discord
29-11-2022
ASEC (20221121 \~ 20221127). ASEC Weekly Malware Statistics (20221121 \~ 20221127)
https://asec.ahnlab.com/ko/43051
Actors/Campaigns:
Ta505
Threats:
Agent_tesla
Azorult
Smokeloader
Smokerloader
Beamwinhttp_loader
Garbage_cleaner
Amadey
Lockbit
Gandcrab
Clop
Redline_stealer
Postealer
Industry:
Transport, Financial
Geo:
Korea
IOCs:
File: 19
Domain: 13
Email: 4
Url: 22
Softs:
discord
ASEC BLOG
ASEC 주간 악성코드 통계 (20221121 ~ 20221127) - ASEC BLOG
ContentsTop 1 – AgentTeslaTop 2 – SmokeLoaderTop 3 – BeamWinHTTPTop 4 – AmadeyTop 5 – RedLine ASEC 분석팀에서는 ASEC 자동 분석 시스템 RAPIT 을 활용하여 알려진 악성코드들에 대한 분류 및 대응을 진행하고 있다. 본 포스팅에서는 2022년 11월 21일 월요일부터 11월 27일 일요일까지 한 주간 수집된 악성코드의 통계를 정리한다. 대분류 상으로는 다운로더가 40.3%로…
#ParsedReport
29-11-2022
Doing time with the YIPPHB dropper. Key takeaways
https://www.elastic.co/security-labs/doing-time-with-the-yipphb-dropper
Threats:
Yipphb_dropper
Seth_locker
Remcos_rat
Njrat_rat
Cyberchef_tool
Limerat_rat
Asyncrat_rat
TTPs:
Tactics: 6
Technics: 0
IOCs:
Hash: 3
Url: 6
Domain: 1
File: 7
Softs:
discord, curl, kibana
Algorithms:
base64, zip
Languages:
visual_basic
Platforms:
x86
Links:
29-11-2022
Doing time with the YIPPHB dropper. Key takeaways
https://www.elastic.co/security-labs/doing-time-with-the-yipphb-dropper
Threats:
Yipphb_dropper
Seth_locker
Remcos_rat
Njrat_rat
Cyberchef_tool
Limerat_rat
Asyncrat_rat
TTPs:
Tactics: 6
Technics: 0
IOCs:
Hash: 3
Url: 6
Domain: 1
File: 7
Softs:
discord, curl, kibana
Algorithms:
base64, zip
Languages:
visual_basic
Platforms:
x86
Links:
https://github.com/VirusTotal/vt-clihttps://github.com/elastic/protections-artifacts/blob/main/behavior/rules/execution\_suspicious\_powershell\_execution.tomlhttps://github.com/elastic/protections-artifacts/blob/main/behavior/rules/defense\_evasion\_process\_execution\_with\_unusual\_file\_extension.tomlhttps://github.com/elastic/protections-artifacts/blob/main/behavior/rules/persistence\_script\_file\_written\_to\_startup\_folder.tomlhttps://github.com/elastic/protections-artifacts/blob/main/behavior/rules/command\_and\_control\_connection\_to\_dynamic\_dns\_provider\_by\_an\_unsigned\_binary.tomlhttps://github.com/elastic/protections-artifacts/blob/main/behavior/rules/execution\_suspicious\_powershell\_execution\_via\_windows\_scripts.tomlhttps://github.com/pmelson/bsidesaugusta\_2022/blob/main/unk.yarahttps://github.com/elastic/protections-artifacts/blob/main/behavior/rules/command\_and\_control\_connection\_to\_webservice\_by\_a\_signed\_binary\_proxy.tomlhttps://github.com/elastic/securitylabs-thrunting-toolshttps://github.com/NYAN-x-CAT/njRAT-0.7d-Stub-CSharp/blob/master/njRAT%20C%23%20Stub/Program.cswww.elastic.co
Doing time with the YIPPHB dropper — Elastic Security Labs
Elastic Security Labs outlines the steps collect and analyze the various stages of the REF4526 intrusion set. This intrusion set uses a creative approach of Unicode icons in Powershell scripts to install a loader, a dropper, and RAT implants.
#ParsedReport
30-11-2022
Domains Used for Magniber Distribution in Korea
https://asec.ahnlab.com/en/43008
Threats:
Magniber
Motw_bypass_technique
Typosquatting_technique
Geo:
Korea
IOCs:
File: 1
IP: 11
30-11-2022
Domains Used for Magniber Distribution in Korea
https://asec.ahnlab.com/en/43008
Threats:
Magniber
Motw_bypass_technique
Typosquatting_technique
Geo:
Korea
IOCs:
File: 1
IP: 11
ASEC
Domains Used for Magniber Distribution in Korea - ASEC
On November 7th, the ASEC analysis team introduced through a blog post the Magniber ransomware which attempted MOTW (Mark of the Web) bypassing. Afterward, using the data left in Zone.Identifier, we conducted an investigation on the sources used for the distribution…