#ParsedReport
25-11-2022
APT-C-09. 1. Analysis of attack activities
https://mp.weixin.qq.com/s/LOZTOz4Lo6cOpeD4mMC29g
Actors/Campaigns:
Dropping_elephant
Threats:
Badnews_rat
Dll_sideloading_technique
Industry:
Healthcare, Government
Geo:
Pakistan
CVEs:
CVE-2017-11882 [Vulners]
Vulners: Score: 9.3, CVSS: 4.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft office (2013, 2010, 2016, 2007)
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 6
Hash: 3
Registry: 1
Algorithms:
base64, aes-128-cbc, aes-256-cbc, aes, rc4
Functions:
CreateFilea
Languages:
php
25-11-2022
APT-C-09. 1. Analysis of attack activities
https://mp.weixin.qq.com/s/LOZTOz4Lo6cOpeD4mMC29g
Actors/Campaigns:
Dropping_elephant
Threats:
Badnews_rat
Dll_sideloading_technique
Industry:
Healthcare, Government
Geo:
Pakistan
CVEs:
CVE-2017-11882 [Vulners]
Vulners: Score: 9.3, CVSS: 4.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft office (2013, 2010, 2016, 2007)
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 6
Hash: 3
Registry: 1
Algorithms:
base64, aes-128-cbc, aes-256-cbc, aes, rc4
Functions:
CreateFilea
Languages:
php
Weixin Official Accounts Platform
APT-C-09(摩诃草)组织针对巴基斯坦最新攻击活动
该组织善于抓住热点事件及政府工作会议作为诱饵,并采用鱼叉式网络攻击手段投递攻击载荷,本次捕获的样本以“2022年总理赈灾基金”和“跨部门研讨会 - AML/CFT报名表格”为诱饵,释放“BADNEWS”最新变种木马程序进行窃密行动
#technique
Windows Access Tokens: Getting SYSTEM and demystifying Potato Exploits
https://eversinc33.github.io/posts/windows-access-tokens/
Windows Access Tokens: Getting SYSTEM and demystifying Potato Exploits
https://eversinc33.github.io/posts/windows-access-tokens/
eversinc33.github.io
Windows Access Tokens: Getting SYSTEM and demystifying Potato Exploits
If you are a penetration tester, you probably dealt with and abused windows access tokens before, e.g. to get SYSTEM privileges, using some kind of potato, from an account with the SeImpersonate privilege set, when using meterpreter’s incognito module or…
#ParsedReport
28-11-2022
Emotet Strikes Again Lnk File Leads to Domain Wide Ransomware
https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware
Threats:
Emotet
Cobalt_strike
Anydesk_tool
Quantum_locker
Adfind_tool
Nltest_tool
Beacon
Process_injection_technique
Zerologon_vuln
Mimikatz_tool
Powertool_tool
Process_hacker_tool
Cridex
TTPs:
Tactics: 12
Technics: 24
IOCs:
File: 21
Command: 2
Url: 7
Path: 15
IP: 33
Domain: 10
Email: 1
Hash: 7
Softs:
active directory, virtualbox, winlogon
Algorithms:
base64
Win API:
CreateThread, CreateRemoteThread, RtlCreateUserThread, Sleep
YARA: Found
SIGMA: Found
Links:
28-11-2022
Emotet Strikes Again Lnk File Leads to Domain Wide Ransomware
https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware
Threats:
Emotet
Cobalt_strike
Anydesk_tool
Quantum_locker
Adfind_tool
Nltest_tool
Beacon
Process_injection_technique
Zerologon_vuln
Mimikatz_tool
Powertool_tool
Process_hacker_tool
Cridex
TTPs:
Tactics: 12
Technics: 24
IOCs:
File: 21
Command: 2
Url: 7
Path: 15
IP: 33
Domain: 10
Email: 1
Hash: 7
Softs:
active directory, virtualbox, winlogon
Algorithms:
base64
Win API:
CreateThread, CreateRemoteThread, RtlCreateUserThread, Sleep
YARA: Found
SIGMA: Found
Links:
https://github.com/SigmaHQ/sigma/blob/3a2079b02bcb1a2653ba9b5a5f56fd8b14a59820/rules/windows/builtin/system/win\_system\_possible\_zerologon\_exploitation\_using\_wellknown\_tools.ymlhttps://github.com/SigmaHQ/sigma/blob/1f8e37351e7c5d89ce7808391edaef34bd8db6c0/rules/windows/process\_creation/proc\_creation\_win\_susp\_wmic\_execution.ymlhttps://github.com/amidaware/tacticalrmmhttps://github.com/SigmaHQ/sigma/blob/1f8e37351e7c5d89ce7808391edaef34bd8db6c0/rules/windows/process\_creation/proc\_creation\_win\_nltest\_recon.ymlhttps://github.com/SigmaHQ/sigma/blob/74e2d1bd3cec8fa72ba06cf4eef8e58fb5e0e237/rules/windows/process\_creation/proc\_creation\_win\_susp\_process\_hacker.ymlhttps://github.com/SigmaHQ/sigma/blob/8b749fb1260b92b9170e4e69fa1bd2f34e94d766/rules/windows/builtin/system/win\_system\_anydesk\_service\_installation.ymlhttps://github.com/DISREL/Conti-Leaked-Playbook-TTPs/blob/main/Conti-Leaked-Playbook-TTPs.pdfhttps://github.com/SigmaHQ/sigma/blob/master/rules/windows/process\_creation/proc\_creation\_win\_embed\_exe\_lnk.ymlhttps://github.com/SigmaHQ/sigma/blob/08651822714c977d40d3c126c20ba4033d6836d3/rules/windows/registry/registry\_set/registry\_set\_asep\_reg\_keys\_modification\_currentversion.ymlhttps://github.com/SigmaHQ/sigma/blob/master/rules/windows/process\_creation/proc\_creation\_win\_susp\_rclone\_execution.ymlhttps://github.com/NVISOsecurity/sigma-public/blob/master/rules/windows/process\_creation/win\_susp\_recon\_activity.ymlhttps://github.com/SigmaHQ/sigma/blob/1f8e37351e7c5d89ce7808391edaef34bd8db6c0/rules/windows/process\_creation/proc\_creation\_win\_susp\_powershell\_cmd\_patterns.ymlhttps://github.com/SigmaHQ/sigma/blob/a3eed2b760abddfd62014fcf9ae81f435b216473/rules/windows/process\_access/proc\_access\_win\_lsass\_memdump.ymlThe DFIR Report
Emotet Strikes Again – LNK File Leads to Domain Wide Ransomware
In June of 2022, we observed a threat actor gaining access to an environment via Emotet and operating over a eight day period. During this time period, multiple rounds of enumeration and lateral mo…
#ParsedReport
28-11-2022
How Is My Phone Number Leaked?
https://asec.ahnlab.com/en/42898
IOCs:
File: 2
Hash: 1
Softs:
chrome
Platforms:
x64
28-11-2022
How Is My Phone Number Leaked?
https://asec.ahnlab.com/en/42898
IOCs:
File: 2
Hash: 1
Softs:
chrome
Platforms:
x64
ASEC BLOG
How Is My Phone Number Leaked? - ASEC BLOG
The PERSONAL INFORMATION PROTECTION ACT is a law to protect the freedom and rights of individuals, and it aims to actualize the individual dignity and value of people. According to the act, personal information is defined as pieces of information that can…
#ParsedReport
28-11-2022
LockBit Ransomware Being Mass-distributed With Similar Filenames
https://asec.ahnlab.com/en/42890
Threats:
Lockbit
Ransom/mdp.decoy.m1171
IOCs:
File: 3
Hash: 2
Algorithms:
zip
28-11-2022
LockBit Ransomware Being Mass-distributed With Similar Filenames
https://asec.ahnlab.com/en/42890
Threats:
Lockbit
Ransom/mdp.decoy.m1171
IOCs:
File: 3
Hash: 2
Algorithms:
zip
ASEC BLOG
LockBit Ransomware Being Mass-distributed With Similar Filenames - ASEC BLOG
The ASEC analysis team had written about LockBit ransomware being distributed through emails over three blog posts. Through consistent monitoring, we hereby let you know that LockBit 2.0 and LockBit 3.0 are being distributed again with only a change to their…
#ParsedReport
28-11-2022
Attacker Uses a Popular TikTok Challenge to Lure Users Into Installing Malicious Package. TikToks Invisible Challenge
https://checkmarx.com/blog/attacker-uses-a-popular-tiktok-challenge-to-lure-users-into-installing-malicious-package
Threats:
Starjacking_technique
IOCs:
File: 1
Url: 9
Softs:
tiktok, discord
Languages:
python
Links:
28-11-2022
Attacker Uses a Popular TikTok Challenge to Lure Users Into Installing Malicious Package. TikToks Invisible Challenge
https://checkmarx.com/blog/attacker-uses-a-popular-tiktok-challenge-to-lure-users-into-installing-malicious-package
Threats:
Starjacking_technique
IOCs:
File: 1
Url: 9
Softs:
tiktok, discord
Languages:
python
Links:
https://web.archive.org/web/20221120230346/https:/github.com/trending/python?since=dailyhttps://github.com/420World69/Nitro-generatorhttps://github.com/420World69/Tiktok-Unfilter-ApiCheckmarx
Attacker Uses a Popular TikTok Challenge to Lure Users Into Installing Malicious Package
After a cat-mouse game, as the attacker’s packages have been caught, reported and removed by PyPi, the attacker decided to move his malicious infection line from the Python package to the requirements.txt as you can see in the blog.
#ParsedReport
23-11-2022
RansomExx Upgrades to Rust
https://securityintelligence.com/posts/ransomexx-upgrades-rust/
Actors/Campaigns:
Defrayx
Wizard_spider
Threats:
Ransomexx
Pyxie
Blackcat
Zeon
IOCs:
Hash: 1
Algorithms:
aes, xor, aes-256
Languages:
rust
23-11-2022
RansomExx Upgrades to Rust
https://securityintelligence.com/posts/ransomexx-upgrades-rust/
Actors/Campaigns:
Defrayx
Wizard_spider
Threats:
Ransomexx
Pyxie
Blackcat
Zeon
IOCs:
Hash: 1
Algorithms:
aes, xor, aes-256
Languages:
rust
Security Intelligence
RansomExx Upgrades to Rust
A variant of the RansomExx ransomware has been rewritten in the Rust programming language, joining a growing trend of ransomware developers switching to the language. Read more on this discovery from IBM Security X-Force researchers.
#ParsedReport
28-11-2022
Advanced Phishing Campaign Targeting Individuals & Businesses in the Middle East (Part 2). Resilience to Takedowns and Suspensions
https://cloudsek.com/threatintelligence/advanced-phishing-campaign-targeting-individuals-businesses-in-the-middle-east-part-2/?utm_source=rss&utm_medium=rss&utm_campaign=advanced-phishing-campaign-targeting-individuals-businesses-in-the-middle-east-part-2
Actors/Campaigns:
Bec
Threats:
Httrack_tool
Industry:
Financial, Chemical
Geo:
Dubai
TTPs:
Tactics: 1
Technics: 0
IOCs:
Domain: 107
Email: 2
28-11-2022
Advanced Phishing Campaign Targeting Individuals & Businesses in the Middle East (Part 2). Resilience to Takedowns and Suspensions
https://cloudsek.com/threatintelligence/advanced-phishing-campaign-targeting-individuals-businesses-in-the-middle-east-part-2/?utm_source=rss&utm_medium=rss&utm_campaign=advanced-phishing-campaign-targeting-individuals-businesses-in-the-middle-east-part-2
Actors/Campaigns:
Bec
Threats:
Httrack_tool
Industry:
Financial, Chemical
Geo:
Dubai
TTPs:
Tactics: 1
Technics: 0
IOCs:
Domain: 107
Email: 2
Cloudsek
Advanced Phishing Campaign Targeting Individuals & Businesses in the Middle East (Part 2) | Threat Intelligence | CloudSEK
CloudSEK’s contextual AI digital risk platform has uncovered a large-scale ongoing BEC scam that is targeting vendors of Middle East-based organizations and individuals.
#ParsedReport
29-11-2022
RansomBoggs: New ransomware targeting Ukraine
https://www.welivesecurity.com/2022/11/28/ransomboggs-new-ransomware-ukraine
Actors/Campaigns:
Sandworm
Threats:
Ransomboggs
Filecoder
Crashoverride
Killdisk
Arguepatch_loader
Prestige_ransomware
Hermeticwiper
Isaacwiper
Eternal_petya
Havoc
Industry:
Logistic, Energy
Geo:
Ukraines, Ukrainian, Ukraine, Russia, Poland
IOCs:
File: 2
Softs:
net framework
Algorithms:
aes-256, aes, cbc
29-11-2022
RansomBoggs: New ransomware targeting Ukraine
https://www.welivesecurity.com/2022/11/28/ransomboggs-new-ransomware-ukraine
Actors/Campaigns:
Sandworm
Threats:
Ransomboggs
Filecoder
Crashoverride
Killdisk
Arguepatch_loader
Prestige_ransomware
Hermeticwiper
Isaacwiper
Eternal_petya
Havoc
Industry:
Logistic, Energy
Geo:
Ukraines, Ukrainian, Ukraine, Russia, Poland
IOCs:
File: 2
Softs:
net framework
Algorithms:
aes-256, aes, cbc
WeLiveSecurity
RansomBoggs: New ransomware targeting Ukraine
ESET researchers spot a new ransomware campaign that targets multiple Ukrainian organizations and has Sandworm's fingerprints all over it.
#ParsedReport
29-11-2022
How IoT Botnets Evade Detection and Analysis Part 2
https://www.nozominetworks.com/blog/how-iot-botnets-evade-detection-and-analysis-part-2
Threats:
Upx_tool
Kaiten
Tsunami_botnet
Mirai
Industry:
Iot
IOCs:
Hash: 3
Softs:
qemu, crontab
Languages:
python
Platforms:
arm, x86, mips
YARA: Found
Links:
29-11-2022
How IoT Botnets Evade Detection and Analysis Part 2
https://www.nozominetworks.com/blog/how-iot-botnets-evade-detection-and-analysis-part-2
Threats:
Upx_tool
Kaiten
Tsunami_botnet
Mirai
Industry:
Iot
IOCs:
Hash: 3
Softs:
qemu, crontab
Languages:
python
Platforms:
arm, x86, mips
YARA: Found
Links:
https://github.com/nozominetworks/upx-recovery-toolNozomi Networks
How IoT Botnets Evade Detection and Analysis – Part 2
Nozomi Networks Labs analyzes new modification techniques malware authors use to evade detection and analysis tools.
#ParsedReport
29-11-2022
.xll (LockBit 2.0). 'Resume.XLL' file is being distributed domestically (LOCKBIT 2.0)
https://asec.ahnlab.com/ko/43029
Threats:
Lockbit
IOCs:
File: 5
Url: 1
Path: 1
Hash: 2
Softs:
microsoft excel
29-11-2022
.xll (LockBit 2.0). 'Resume.XLL' file is being distributed domestically (LOCKBIT 2.0)
https://asec.ahnlab.com/ko/43029
Threats:
Lockbit
IOCs:
File: 5
Url: 1
Path: 1
Hash: 2
Softs:
microsoft excel
ASEC
‘이력서.xll’ 파일 국내 유포 중 (LockBit 2.0)
올해 중순에 ASEC 분석팀에서는 이메일을 통해 XLL 파일(확장자: .xll) 형식의 악성코드가 유포됨을 공유한 바 있다. XLL 파일은 실행파일인 PE(Portable Executable) 파일의 DLL 외형을 가졌으나, Microsoft Excel(엑셀)을 통해 실행된다. 그동안 이 유형의 악성코드 유포가 활발하지 않았으나, 오랜만에 ‘…
#ParsedReport
29-11-2022
Always Another Secret: Lifting the Haze on China-nexus Espionage in Southeast Asia
https://www.mandiant.com/resources/blog/china-nexus-espionage-southeast-asia
Actors/Campaigns:
Unc4191 (motivation: cyber_espionage)
Threats:
Mistcloak
Darkdew
Bluehaze
Ncat_tool
Nmap_tool
Netcat_tool
Dll_sideloading_technique
Geo:
Usa, China, Asia, Chinas, Philippines, Chinese
TTPs:
IOCs:
File: 11
Path: 15
Hash: 8
Registry: 2
Domain: 2
Command: 1
Softs:
windows explorer, chromium
YARA: Found
29-11-2022
Always Another Secret: Lifting the Haze on China-nexus Espionage in Southeast Asia
https://www.mandiant.com/resources/blog/china-nexus-espionage-southeast-asia
Actors/Campaigns:
Unc4191 (motivation: cyber_espionage)
Threats:
Mistcloak
Darkdew
Bluehaze
Ncat_tool
Nmap_tool
Netcat_tool
Dll_sideloading_technique
Geo:
Usa, China, Asia, Chinas, Philippines, Chinese
TTPs:
IOCs:
File: 11
Path: 15
Hash: 8
Registry: 2
Domain: 2
Command: 1
Softs:
windows explorer, chromium
YARA: Found
Google Cloud Blog
Always Another Secret: Lifting the Haze on China-nexus Espionage in Southeast Asia | Mandiant | Google Cloud Blog
#ParsedReport
29-11-2022
ASEC (20221121 \~ 20221127). ASEC Weekly Malware Statistics (20221121 \~ 20221127)
https://asec.ahnlab.com/ko/43051
Actors/Campaigns:
Ta505
Threats:
Agent_tesla
Azorult
Smokeloader
Smokerloader
Beamwinhttp_loader
Garbage_cleaner
Amadey
Lockbit
Gandcrab
Clop
Redline_stealer
Postealer
Industry:
Transport, Financial
Geo:
Korea
IOCs:
File: 19
Domain: 13
Email: 4
Url: 22
Softs:
discord
29-11-2022
ASEC (20221121 \~ 20221127). ASEC Weekly Malware Statistics (20221121 \~ 20221127)
https://asec.ahnlab.com/ko/43051
Actors/Campaigns:
Ta505
Threats:
Agent_tesla
Azorult
Smokeloader
Smokerloader
Beamwinhttp_loader
Garbage_cleaner
Amadey
Lockbit
Gandcrab
Clop
Redline_stealer
Postealer
Industry:
Transport, Financial
Geo:
Korea
IOCs:
File: 19
Domain: 13
Email: 4
Url: 22
Softs:
discord
ASEC BLOG
ASEC 주간 악성코드 통계 (20221121 ~ 20221127) - ASEC BLOG
ContentsTop 1 – AgentTeslaTop 2 – SmokeLoaderTop 3 – BeamWinHTTPTop 4 – AmadeyTop 5 – RedLine ASEC 분석팀에서는 ASEC 자동 분석 시스템 RAPIT 을 활용하여 알려진 악성코드들에 대한 분류 및 대응을 진행하고 있다. 본 포스팅에서는 2022년 11월 21일 월요일부터 11월 27일 일요일까지 한 주간 수집된 악성코드의 통계를 정리한다. 대분류 상으로는 다운로더가 40.3%로…
#ParsedReport
29-11-2022
Doing time with the YIPPHB dropper. Key takeaways
https://www.elastic.co/security-labs/doing-time-with-the-yipphb-dropper
Threats:
Yipphb_dropper
Seth_locker
Remcos_rat
Njrat_rat
Cyberchef_tool
Limerat_rat
Asyncrat_rat
TTPs:
Tactics: 6
Technics: 0
IOCs:
Hash: 3
Url: 6
Domain: 1
File: 7
Softs:
discord, curl, kibana
Algorithms:
base64, zip
Languages:
visual_basic
Platforms:
x86
Links:
29-11-2022
Doing time with the YIPPHB dropper. Key takeaways
https://www.elastic.co/security-labs/doing-time-with-the-yipphb-dropper
Threats:
Yipphb_dropper
Seth_locker
Remcos_rat
Njrat_rat
Cyberchef_tool
Limerat_rat
Asyncrat_rat
TTPs:
Tactics: 6
Technics: 0
IOCs:
Hash: 3
Url: 6
Domain: 1
File: 7
Softs:
discord, curl, kibana
Algorithms:
base64, zip
Languages:
visual_basic
Platforms:
x86
Links:
https://github.com/VirusTotal/vt-clihttps://github.com/elastic/protections-artifacts/blob/main/behavior/rules/execution\_suspicious\_powershell\_execution.tomlhttps://github.com/elastic/protections-artifacts/blob/main/behavior/rules/defense\_evasion\_process\_execution\_with\_unusual\_file\_extension.tomlhttps://github.com/elastic/protections-artifacts/blob/main/behavior/rules/persistence\_script\_file\_written\_to\_startup\_folder.tomlhttps://github.com/elastic/protections-artifacts/blob/main/behavior/rules/command\_and\_control\_connection\_to\_dynamic\_dns\_provider\_by\_an\_unsigned\_binary.tomlhttps://github.com/elastic/protections-artifacts/blob/main/behavior/rules/execution\_suspicious\_powershell\_execution\_via\_windows\_scripts.tomlhttps://github.com/pmelson/bsidesaugusta\_2022/blob/main/unk.yarahttps://github.com/elastic/protections-artifacts/blob/main/behavior/rules/command\_and\_control\_connection\_to\_webservice\_by\_a\_signed\_binary\_proxy.tomlhttps://github.com/elastic/securitylabs-thrunting-toolshttps://github.com/NYAN-x-CAT/njRAT-0.7d-Stub-CSharp/blob/master/njRAT%20C%23%20Stub/Program.cswww.elastic.co
Doing time with the YIPPHB dropper — Elastic Security Labs
Elastic Security Labs outlines the steps collect and analyze the various stages of the REF4526 intrusion set. This intrusion set uses a creative approach of Unicode icons in Powershell scripts to install a loader, a dropper, and RAT implants.
#ParsedReport
30-11-2022
Domains Used for Magniber Distribution in Korea
https://asec.ahnlab.com/en/43008
Threats:
Magniber
Motw_bypass_technique
Typosquatting_technique
Geo:
Korea
IOCs:
File: 1
IP: 11
30-11-2022
Domains Used for Magniber Distribution in Korea
https://asec.ahnlab.com/en/43008
Threats:
Magniber
Motw_bypass_technique
Typosquatting_technique
Geo:
Korea
IOCs:
File: 1
IP: 11
ASEC
Domains Used for Magniber Distribution in Korea - ASEC
On November 7th, the ASEC analysis team introduced through a blog post the Magniber ransomware which attempted MOTW (Mark of the Web) bypassing. Afterward, using the data left in Zone.Identifier, we conducted an investigation on the sources used for the distribution…
#ParsedReport
30-11-2022
Phishing Website Disguised as a Famous Korean Email Login Website Being Distributed
https://asec.ahnlab.com/en/42999
Geo:
Korea, Korean
IOCs:
Url: 3
Hash: 1
Languages:
javascript
30-11-2022
Phishing Website Disguised as a Famous Korean Email Login Website Being Distributed
https://asec.ahnlab.com/en/42999
Geo:
Korea, Korean
IOCs:
Url: 3
Hash: 1
Languages:
javascript
ASEC BLOG
Phishing Website Disguised as a Famous Korean Email Login Website Being Distributed - ASEC BLOG
The ASEC analysis team has identified the distribution of a malicious website in Korea that aims to steal account credentials from a famous Korean email service website. The phishing website the email is redirected to is disguised as a login page for a Korean…
#ParsedReport
30-11-2022
Fodcha Is Coming Back, Raising A Wave of Ransom DDoS. Background
https://blog.netlab.360.com/fodcha-is-coming-back-with-rddos
Threats:
Fodcha
Mirai
Hostile
Geo:
China
IOCs:
File: 5
IP: 3
Hash: 1
Algorithms:
chacha20, chacha, xxtea
Languages:
python
30-11-2022
Fodcha Is Coming Back, Raising A Wave of Ransom DDoS. Background
https://blog.netlab.360.com/fodcha-is-coming-back-with-rddos
Threats:
Fodcha
Mirai
Hostile
Geo:
China
IOCs:
File: 5
IP: 3
Hash: 1
Algorithms:
chacha20, chacha, xxtea
Languages:
python
360 Netlab Blog - Network Security Research Lab at 360
Fodcha Is Coming Back, Raising A Wave of Ransom DDoS
Background
On April 13, 2022, 360Netlab first disclosed the Fodcha botnet. After our article was published, Fodcha suffered a crackdown from the relevant authorities, and its authors quickly responded by leaving "Netlab pls leave me alone I surrender" in…
On April 13, 2022, 360Netlab first disclosed the Fodcha botnet. After our article was published, Fodcha suffered a crackdown from the relevant authorities, and its authors quickly responded by leaving "Netlab pls leave me alone I surrender" in…
#ParsedReport
30-11-2022
. Phishing mail disguised as a famous domestic airline
https://asec.ahnlab.com/ko/43117
Industry:
Aerospace, Financial
Geo:
Korean, Korea
IOCs:
Url: 1
30-11-2022
. Phishing mail disguised as a famous domestic airline
https://asec.ahnlab.com/ko/43117
Industry:
Aerospace, Financial
Geo:
Korean, Korea
IOCs:
Url: 1
ASEC BLOG
국내 유명 항공사로 위장한 피싱 메일 - ASEC BLOG
ASEC 분석팀은 최근 국내 유명 항공사를 사칭하여 이용자의 정보를 수집하는 피싱 메일을 확인하였다. 해당 피싱 메일은 항공권 결제에 대한 내용을 공지하며 자세한 항공권 가격과 사전 정보를 파악한 것으로 추정되는 내용과 함께 위장한 피싱 사이트 접속을 유도한다. 메일 제목 및 본문은 아래와 같다. 본문에 첨부된 HTML파일을 확인하면, 아래와 같이 국내 유명 항공사로 위장한 피싱 사이트로 연결된다. 해당 사이트는 국내 유명 항공사 경영 지원 부서의 출처로…
#ParsedReport
30-11-2022
Redline Stealer being Distributed via Fake Express VPN Sites
https://blog.cyble.com/2022/11/30/redline-stealer-being-distributed-via-fake-express-vpn-sites
Threats:
Redline_stealer
Process_injection_technique
Vidar_stealer
Record_breaker_stealer
Beacon
Geo:
Georgia, Australia, India, Singapore, Dubai
TTPs:
Tactics: 7
Technics: 16
IOCs:
Domain: 6
Url: 2
File: 4
Hash: 1
Softs:
discord
Algorithms:
zip
Languages:
javascript
30-11-2022
Redline Stealer being Distributed via Fake Express VPN Sites
https://blog.cyble.com/2022/11/30/redline-stealer-being-distributed-via-fake-express-vpn-sites
Threats:
Redline_stealer
Process_injection_technique
Vidar_stealer
Record_breaker_stealer
Beacon
Geo:
Georgia, Australia, India, Singapore, Dubai
TTPs:
Tactics: 7
Technics: 16
IOCs:
Domain: 6
Url: 2
File: 4
Hash: 1
Softs:
discord
Algorithms:
zip
Languages:
javascript
#ParsedReport
30-11-2022
LockBit 3.0 Black attacks and leaks reveal wormable capabilities and tooling
https://news.sophos.com/en-us/2022/11/30/lockbit-3-0-black-attacks-and-leaks-reveal-wormable-capabilities-and-tooling
Actors/Campaigns:
Blackmatter
Threats:
Lockbit
Cyberchef_tool
Backstab_tool
Cobalt_strike
Revil
Bloodystealer
Avremover_tool
Gmer_tool
Netscan_tool
Mimikatz_tool
Neshta
Geo:
Georgia
IOCs:
Coin: 1
File: 4
Hash: 26
Softs:
psexec, process explorer, windows defender
Algorithms:
xor
Win API:
NtSetInformationThread, NetShareEnum
Links:
30-11-2022
LockBit 3.0 Black attacks and leaks reveal wormable capabilities and tooling
https://news.sophos.com/en-us/2022/11/30/lockbit-3-0-black-attacks-and-leaks-reveal-wormable-capabilities-and-tooling
Actors/Campaigns:
Blackmatter
Threats:
Lockbit
Cyberchef_tool
Backstab_tool
Cobalt_strike
Revil
Bloodystealer
Avremover_tool
Gmer_tool
Netscan_tool
Mimikatz_tool
Neshta
Geo:
Georgia
IOCs:
Coin: 1
File: 4
Hash: 26
Softs:
psexec, process explorer, windows defender
Algorithms:
xor
Win API:
NtSetInformationThread, NetShareEnum
Links:
https://github.com/sophoslabs/IoCs/blob/master/Ransomware-Lockbit3-IOCs.csvhttps://github.com/Yaxser/Backstabhttps://github.com/hegusung/netscanSophos News
LockBit 3.0 ‘Black’ attacks and leaks reveal wormable capabilities and tooling
Reverse-engineering reveals close similarities to BlackMatter ransomware, with some improvements
#ParsedReport
30-11-2022
(RIGHT-TO-LEFT OVERRIDE). Right-to-Left override distributed under the camouflage file name
https://asec.ahnlab.com/ko/43150
Threats:
Laplas_clipper
Redline_stealer
Tron
Trojan/win.rtlo.x2172
Dropper/win.agent.c5317732
Trojan/win.injection.c5313120
Trojan/win.generic.c535472
Trojan/win.generic.c5310136
Raccoon_stealer
Industry:
Financial
IOCs:
File: 3
Hash: 6
IP: 1
Softs:
zcash
Languages:
php
30-11-2022
(RIGHT-TO-LEFT OVERRIDE). Right-to-Left override distributed under the camouflage file name
https://asec.ahnlab.com/ko/43150
Threats:
Laplas_clipper
Redline_stealer
Tron
Trojan/win.rtlo.x2172
Dropper/win.agent.c5317732
Trojan/win.injection.c5313120
Trojan/win.generic.c535472
Trojan/win.generic.c5310136
Raccoon_stealer
Industry:
Financial
IOCs:
File: 3
Hash: 6
IP: 1
Softs:
zcash
Languages:
php
ASEC BLOG
위장 파일명으로 유포되는 악성코드(RIGHT-TO-LEFT OVERRIDE) - ASEC BLOG
ASEC 분석팀에서는 지난 8월 RIGHT-TO-LEFT OVERRIDE(이하 RTLO) 를 이용한 파일명을 사용하여 유포되고 있는 악성코드에 대한 블로그를 게시했다. RTLO는 설명된 내용처럼 오른쪽에서 왼쪽으로 오버라이드 하는 유니코드이다. 이를 이용하여 파일명과 확장자를 섞어 사용자의 실행을 유도하는 방식의 악성코드 유포는 현재도 계속되고 있다. GitHub에 솔루션파일(*.sln) 위장하여 유포되는 RAT 툴 이전 블로그 포스팅 내용을 토대로 GitHub에서…