#ParsedReport
28-11-2022
LockBit Ransomware Being Mass-distributed With Similar Filenames
https://asec.ahnlab.com/en/42890
Threats:
Lockbit
Ransom/mdp.decoy.m1171
IOCs:
File: 3
Hash: 2
Algorithms:
zip
28-11-2022
LockBit Ransomware Being Mass-distributed With Similar Filenames
https://asec.ahnlab.com/en/42890
Threats:
Lockbit
Ransom/mdp.decoy.m1171
IOCs:
File: 3
Hash: 2
Algorithms:
zip
ASEC BLOG
LockBit Ransomware Being Mass-distributed With Similar Filenames - ASEC BLOG
The ASEC analysis team had written about LockBit ransomware being distributed through emails over three blog posts. Through consistent monitoring, we hereby let you know that LockBit 2.0 and LockBit 3.0 are being distributed again with only a change to their…
#ParsedReport
28-11-2022
Attacker Uses a Popular TikTok Challenge to Lure Users Into Installing Malicious Package. TikToks Invisible Challenge
https://checkmarx.com/blog/attacker-uses-a-popular-tiktok-challenge-to-lure-users-into-installing-malicious-package
Threats:
Starjacking_technique
IOCs:
File: 1
Url: 9
Softs:
tiktok, discord
Languages:
python
Links:
28-11-2022
Attacker Uses a Popular TikTok Challenge to Lure Users Into Installing Malicious Package. TikToks Invisible Challenge
https://checkmarx.com/blog/attacker-uses-a-popular-tiktok-challenge-to-lure-users-into-installing-malicious-package
Threats:
Starjacking_technique
IOCs:
File: 1
Url: 9
Softs:
tiktok, discord
Languages:
python
Links:
https://web.archive.org/web/20221120230346/https:/github.com/trending/python?since=dailyhttps://github.com/420World69/Nitro-generatorhttps://github.com/420World69/Tiktok-Unfilter-ApiCheckmarx
Attacker Uses a Popular TikTok Challenge to Lure Users Into Installing Malicious Package
After a cat-mouse game, as the attacker’s packages have been caught, reported and removed by PyPi, the attacker decided to move his malicious infection line from the Python package to the requirements.txt as you can see in the blog.
#ParsedReport
23-11-2022
RansomExx Upgrades to Rust
https://securityintelligence.com/posts/ransomexx-upgrades-rust/
Actors/Campaigns:
Defrayx
Wizard_spider
Threats:
Ransomexx
Pyxie
Blackcat
Zeon
IOCs:
Hash: 1
Algorithms:
aes, xor, aes-256
Languages:
rust
23-11-2022
RansomExx Upgrades to Rust
https://securityintelligence.com/posts/ransomexx-upgrades-rust/
Actors/Campaigns:
Defrayx
Wizard_spider
Threats:
Ransomexx
Pyxie
Blackcat
Zeon
IOCs:
Hash: 1
Algorithms:
aes, xor, aes-256
Languages:
rust
Security Intelligence
RansomExx Upgrades to Rust
A variant of the RansomExx ransomware has been rewritten in the Rust programming language, joining a growing trend of ransomware developers switching to the language. Read more on this discovery from IBM Security X-Force researchers.
#ParsedReport
28-11-2022
Advanced Phishing Campaign Targeting Individuals & Businesses in the Middle East (Part 2). Resilience to Takedowns and Suspensions
https://cloudsek.com/threatintelligence/advanced-phishing-campaign-targeting-individuals-businesses-in-the-middle-east-part-2/?utm_source=rss&utm_medium=rss&utm_campaign=advanced-phishing-campaign-targeting-individuals-businesses-in-the-middle-east-part-2
Actors/Campaigns:
Bec
Threats:
Httrack_tool
Industry:
Financial, Chemical
Geo:
Dubai
TTPs:
Tactics: 1
Technics: 0
IOCs:
Domain: 107
Email: 2
28-11-2022
Advanced Phishing Campaign Targeting Individuals & Businesses in the Middle East (Part 2). Resilience to Takedowns and Suspensions
https://cloudsek.com/threatintelligence/advanced-phishing-campaign-targeting-individuals-businesses-in-the-middle-east-part-2/?utm_source=rss&utm_medium=rss&utm_campaign=advanced-phishing-campaign-targeting-individuals-businesses-in-the-middle-east-part-2
Actors/Campaigns:
Bec
Threats:
Httrack_tool
Industry:
Financial, Chemical
Geo:
Dubai
TTPs:
Tactics: 1
Technics: 0
IOCs:
Domain: 107
Email: 2
Cloudsek
Advanced Phishing Campaign Targeting Individuals & Businesses in the Middle East (Part 2) | Threat Intelligence | CloudSEK
CloudSEK’s contextual AI digital risk platform has uncovered a large-scale ongoing BEC scam that is targeting vendors of Middle East-based organizations and individuals.
#ParsedReport
29-11-2022
RansomBoggs: New ransomware targeting Ukraine
https://www.welivesecurity.com/2022/11/28/ransomboggs-new-ransomware-ukraine
Actors/Campaigns:
Sandworm
Threats:
Ransomboggs
Filecoder
Crashoverride
Killdisk
Arguepatch_loader
Prestige_ransomware
Hermeticwiper
Isaacwiper
Eternal_petya
Havoc
Industry:
Logistic, Energy
Geo:
Ukraines, Ukrainian, Ukraine, Russia, Poland
IOCs:
File: 2
Softs:
net framework
Algorithms:
aes-256, aes, cbc
29-11-2022
RansomBoggs: New ransomware targeting Ukraine
https://www.welivesecurity.com/2022/11/28/ransomboggs-new-ransomware-ukraine
Actors/Campaigns:
Sandworm
Threats:
Ransomboggs
Filecoder
Crashoverride
Killdisk
Arguepatch_loader
Prestige_ransomware
Hermeticwiper
Isaacwiper
Eternal_petya
Havoc
Industry:
Logistic, Energy
Geo:
Ukraines, Ukrainian, Ukraine, Russia, Poland
IOCs:
File: 2
Softs:
net framework
Algorithms:
aes-256, aes, cbc
WeLiveSecurity
RansomBoggs: New ransomware targeting Ukraine
ESET researchers spot a new ransomware campaign that targets multiple Ukrainian organizations and has Sandworm's fingerprints all over it.
#ParsedReport
29-11-2022
How IoT Botnets Evade Detection and Analysis Part 2
https://www.nozominetworks.com/blog/how-iot-botnets-evade-detection-and-analysis-part-2
Threats:
Upx_tool
Kaiten
Tsunami_botnet
Mirai
Industry:
Iot
IOCs:
Hash: 3
Softs:
qemu, crontab
Languages:
python
Platforms:
arm, x86, mips
YARA: Found
Links:
29-11-2022
How IoT Botnets Evade Detection and Analysis Part 2
https://www.nozominetworks.com/blog/how-iot-botnets-evade-detection-and-analysis-part-2
Threats:
Upx_tool
Kaiten
Tsunami_botnet
Mirai
Industry:
Iot
IOCs:
Hash: 3
Softs:
qemu, crontab
Languages:
python
Platforms:
arm, x86, mips
YARA: Found
Links:
https://github.com/nozominetworks/upx-recovery-toolNozomi Networks
How IoT Botnets Evade Detection and Analysis – Part 2
Nozomi Networks Labs analyzes new modification techniques malware authors use to evade detection and analysis tools.
#ParsedReport
29-11-2022
.xll (LockBit 2.0). 'Resume.XLL' file is being distributed domestically (LOCKBIT 2.0)
https://asec.ahnlab.com/ko/43029
Threats:
Lockbit
IOCs:
File: 5
Url: 1
Path: 1
Hash: 2
Softs:
microsoft excel
29-11-2022
.xll (LockBit 2.0). 'Resume.XLL' file is being distributed domestically (LOCKBIT 2.0)
https://asec.ahnlab.com/ko/43029
Threats:
Lockbit
IOCs:
File: 5
Url: 1
Path: 1
Hash: 2
Softs:
microsoft excel
ASEC
‘이력서.xll’ 파일 국내 유포 중 (LockBit 2.0)
올해 중순에 ASEC 분석팀에서는 이메일을 통해 XLL 파일(확장자: .xll) 형식의 악성코드가 유포됨을 공유한 바 있다. XLL 파일은 실행파일인 PE(Portable Executable) 파일의 DLL 외형을 가졌으나, Microsoft Excel(엑셀)을 통해 실행된다. 그동안 이 유형의 악성코드 유포가 활발하지 않았으나, 오랜만에 ‘…
#ParsedReport
29-11-2022
Always Another Secret: Lifting the Haze on China-nexus Espionage in Southeast Asia
https://www.mandiant.com/resources/blog/china-nexus-espionage-southeast-asia
Actors/Campaigns:
Unc4191 (motivation: cyber_espionage)
Threats:
Mistcloak
Darkdew
Bluehaze
Ncat_tool
Nmap_tool
Netcat_tool
Dll_sideloading_technique
Geo:
Usa, China, Asia, Chinas, Philippines, Chinese
TTPs:
IOCs:
File: 11
Path: 15
Hash: 8
Registry: 2
Domain: 2
Command: 1
Softs:
windows explorer, chromium
YARA: Found
29-11-2022
Always Another Secret: Lifting the Haze on China-nexus Espionage in Southeast Asia
https://www.mandiant.com/resources/blog/china-nexus-espionage-southeast-asia
Actors/Campaigns:
Unc4191 (motivation: cyber_espionage)
Threats:
Mistcloak
Darkdew
Bluehaze
Ncat_tool
Nmap_tool
Netcat_tool
Dll_sideloading_technique
Geo:
Usa, China, Asia, Chinas, Philippines, Chinese
TTPs:
IOCs:
File: 11
Path: 15
Hash: 8
Registry: 2
Domain: 2
Command: 1
Softs:
windows explorer, chromium
YARA: Found
Google Cloud Blog
Always Another Secret: Lifting the Haze on China-nexus Espionage in Southeast Asia | Mandiant | Google Cloud Blog
#ParsedReport
29-11-2022
ASEC (20221121 \~ 20221127). ASEC Weekly Malware Statistics (20221121 \~ 20221127)
https://asec.ahnlab.com/ko/43051
Actors/Campaigns:
Ta505
Threats:
Agent_tesla
Azorult
Smokeloader
Smokerloader
Beamwinhttp_loader
Garbage_cleaner
Amadey
Lockbit
Gandcrab
Clop
Redline_stealer
Postealer
Industry:
Transport, Financial
Geo:
Korea
IOCs:
File: 19
Domain: 13
Email: 4
Url: 22
Softs:
discord
29-11-2022
ASEC (20221121 \~ 20221127). ASEC Weekly Malware Statistics (20221121 \~ 20221127)
https://asec.ahnlab.com/ko/43051
Actors/Campaigns:
Ta505
Threats:
Agent_tesla
Azorult
Smokeloader
Smokerloader
Beamwinhttp_loader
Garbage_cleaner
Amadey
Lockbit
Gandcrab
Clop
Redline_stealer
Postealer
Industry:
Transport, Financial
Geo:
Korea
IOCs:
File: 19
Domain: 13
Email: 4
Url: 22
Softs:
discord
ASEC BLOG
ASEC 주간 악성코드 통계 (20221121 ~ 20221127) - ASEC BLOG
ContentsTop 1 – AgentTeslaTop 2 – SmokeLoaderTop 3 – BeamWinHTTPTop 4 – AmadeyTop 5 – RedLine ASEC 분석팀에서는 ASEC 자동 분석 시스템 RAPIT 을 활용하여 알려진 악성코드들에 대한 분류 및 대응을 진행하고 있다. 본 포스팅에서는 2022년 11월 21일 월요일부터 11월 27일 일요일까지 한 주간 수집된 악성코드의 통계를 정리한다. 대분류 상으로는 다운로더가 40.3%로…
#ParsedReport
29-11-2022
Doing time with the YIPPHB dropper. Key takeaways
https://www.elastic.co/security-labs/doing-time-with-the-yipphb-dropper
Threats:
Yipphb_dropper
Seth_locker
Remcos_rat
Njrat_rat
Cyberchef_tool
Limerat_rat
Asyncrat_rat
TTPs:
Tactics: 6
Technics: 0
IOCs:
Hash: 3
Url: 6
Domain: 1
File: 7
Softs:
discord, curl, kibana
Algorithms:
base64, zip
Languages:
visual_basic
Platforms:
x86
Links:
29-11-2022
Doing time with the YIPPHB dropper. Key takeaways
https://www.elastic.co/security-labs/doing-time-with-the-yipphb-dropper
Threats:
Yipphb_dropper
Seth_locker
Remcos_rat
Njrat_rat
Cyberchef_tool
Limerat_rat
Asyncrat_rat
TTPs:
Tactics: 6
Technics: 0
IOCs:
Hash: 3
Url: 6
Domain: 1
File: 7
Softs:
discord, curl, kibana
Algorithms:
base64, zip
Languages:
visual_basic
Platforms:
x86
Links:
https://github.com/VirusTotal/vt-clihttps://github.com/elastic/protections-artifacts/blob/main/behavior/rules/execution\_suspicious\_powershell\_execution.tomlhttps://github.com/elastic/protections-artifacts/blob/main/behavior/rules/defense\_evasion\_process\_execution\_with\_unusual\_file\_extension.tomlhttps://github.com/elastic/protections-artifacts/blob/main/behavior/rules/persistence\_script\_file\_written\_to\_startup\_folder.tomlhttps://github.com/elastic/protections-artifacts/blob/main/behavior/rules/command\_and\_control\_connection\_to\_dynamic\_dns\_provider\_by\_an\_unsigned\_binary.tomlhttps://github.com/elastic/protections-artifacts/blob/main/behavior/rules/execution\_suspicious\_powershell\_execution\_via\_windows\_scripts.tomlhttps://github.com/pmelson/bsidesaugusta\_2022/blob/main/unk.yarahttps://github.com/elastic/protections-artifacts/blob/main/behavior/rules/command\_and\_control\_connection\_to\_webservice\_by\_a\_signed\_binary\_proxy.tomlhttps://github.com/elastic/securitylabs-thrunting-toolshttps://github.com/NYAN-x-CAT/njRAT-0.7d-Stub-CSharp/blob/master/njRAT%20C%23%20Stub/Program.cswww.elastic.co
Doing time with the YIPPHB dropper — Elastic Security Labs
Elastic Security Labs outlines the steps collect and analyze the various stages of the REF4526 intrusion set. This intrusion set uses a creative approach of Unicode icons in Powershell scripts to install a loader, a dropper, and RAT implants.
#ParsedReport
30-11-2022
Domains Used for Magniber Distribution in Korea
https://asec.ahnlab.com/en/43008
Threats:
Magniber
Motw_bypass_technique
Typosquatting_technique
Geo:
Korea
IOCs:
File: 1
IP: 11
30-11-2022
Domains Used for Magniber Distribution in Korea
https://asec.ahnlab.com/en/43008
Threats:
Magniber
Motw_bypass_technique
Typosquatting_technique
Geo:
Korea
IOCs:
File: 1
IP: 11
ASEC
Domains Used for Magniber Distribution in Korea - ASEC
On November 7th, the ASEC analysis team introduced through a blog post the Magniber ransomware which attempted MOTW (Mark of the Web) bypassing. Afterward, using the data left in Zone.Identifier, we conducted an investigation on the sources used for the distribution…
#ParsedReport
30-11-2022
Phishing Website Disguised as a Famous Korean Email Login Website Being Distributed
https://asec.ahnlab.com/en/42999
Geo:
Korea, Korean
IOCs:
Url: 3
Hash: 1
Languages:
javascript
30-11-2022
Phishing Website Disguised as a Famous Korean Email Login Website Being Distributed
https://asec.ahnlab.com/en/42999
Geo:
Korea, Korean
IOCs:
Url: 3
Hash: 1
Languages:
javascript
ASEC BLOG
Phishing Website Disguised as a Famous Korean Email Login Website Being Distributed - ASEC BLOG
The ASEC analysis team has identified the distribution of a malicious website in Korea that aims to steal account credentials from a famous Korean email service website. The phishing website the email is redirected to is disguised as a login page for a Korean…
#ParsedReport
30-11-2022
Fodcha Is Coming Back, Raising A Wave of Ransom DDoS. Background
https://blog.netlab.360.com/fodcha-is-coming-back-with-rddos
Threats:
Fodcha
Mirai
Hostile
Geo:
China
IOCs:
File: 5
IP: 3
Hash: 1
Algorithms:
chacha20, chacha, xxtea
Languages:
python
30-11-2022
Fodcha Is Coming Back, Raising A Wave of Ransom DDoS. Background
https://blog.netlab.360.com/fodcha-is-coming-back-with-rddos
Threats:
Fodcha
Mirai
Hostile
Geo:
China
IOCs:
File: 5
IP: 3
Hash: 1
Algorithms:
chacha20, chacha, xxtea
Languages:
python
360 Netlab Blog - Network Security Research Lab at 360
Fodcha Is Coming Back, Raising A Wave of Ransom DDoS
Background
On April 13, 2022, 360Netlab first disclosed the Fodcha botnet. After our article was published, Fodcha suffered a crackdown from the relevant authorities, and its authors quickly responded by leaving "Netlab pls leave me alone I surrender" in…
On April 13, 2022, 360Netlab first disclosed the Fodcha botnet. After our article was published, Fodcha suffered a crackdown from the relevant authorities, and its authors quickly responded by leaving "Netlab pls leave me alone I surrender" in…
#ParsedReport
30-11-2022
. Phishing mail disguised as a famous domestic airline
https://asec.ahnlab.com/ko/43117
Industry:
Aerospace, Financial
Geo:
Korean, Korea
IOCs:
Url: 1
30-11-2022
. Phishing mail disguised as a famous domestic airline
https://asec.ahnlab.com/ko/43117
Industry:
Aerospace, Financial
Geo:
Korean, Korea
IOCs:
Url: 1
ASEC BLOG
국내 유명 항공사로 위장한 피싱 메일 - ASEC BLOG
ASEC 분석팀은 최근 국내 유명 항공사를 사칭하여 이용자의 정보를 수집하는 피싱 메일을 확인하였다. 해당 피싱 메일은 항공권 결제에 대한 내용을 공지하며 자세한 항공권 가격과 사전 정보를 파악한 것으로 추정되는 내용과 함께 위장한 피싱 사이트 접속을 유도한다. 메일 제목 및 본문은 아래와 같다. 본문에 첨부된 HTML파일을 확인하면, 아래와 같이 국내 유명 항공사로 위장한 피싱 사이트로 연결된다. 해당 사이트는 국내 유명 항공사 경영 지원 부서의 출처로…
#ParsedReport
30-11-2022
Redline Stealer being Distributed via Fake Express VPN Sites
https://blog.cyble.com/2022/11/30/redline-stealer-being-distributed-via-fake-express-vpn-sites
Threats:
Redline_stealer
Process_injection_technique
Vidar_stealer
Record_breaker_stealer
Beacon
Geo:
Georgia, Australia, India, Singapore, Dubai
TTPs:
Tactics: 7
Technics: 16
IOCs:
Domain: 6
Url: 2
File: 4
Hash: 1
Softs:
discord
Algorithms:
zip
Languages:
javascript
30-11-2022
Redline Stealer being Distributed via Fake Express VPN Sites
https://blog.cyble.com/2022/11/30/redline-stealer-being-distributed-via-fake-express-vpn-sites
Threats:
Redline_stealer
Process_injection_technique
Vidar_stealer
Record_breaker_stealer
Beacon
Geo:
Georgia, Australia, India, Singapore, Dubai
TTPs:
Tactics: 7
Technics: 16
IOCs:
Domain: 6
Url: 2
File: 4
Hash: 1
Softs:
discord
Algorithms:
zip
Languages:
javascript
#ParsedReport
30-11-2022
LockBit 3.0 Black attacks and leaks reveal wormable capabilities and tooling
https://news.sophos.com/en-us/2022/11/30/lockbit-3-0-black-attacks-and-leaks-reveal-wormable-capabilities-and-tooling
Actors/Campaigns:
Blackmatter
Threats:
Lockbit
Cyberchef_tool
Backstab_tool
Cobalt_strike
Revil
Bloodystealer
Avremover_tool
Gmer_tool
Netscan_tool
Mimikatz_tool
Neshta
Geo:
Georgia
IOCs:
Coin: 1
File: 4
Hash: 26
Softs:
psexec, process explorer, windows defender
Algorithms:
xor
Win API:
NtSetInformationThread, NetShareEnum
Links:
30-11-2022
LockBit 3.0 Black attacks and leaks reveal wormable capabilities and tooling
https://news.sophos.com/en-us/2022/11/30/lockbit-3-0-black-attacks-and-leaks-reveal-wormable-capabilities-and-tooling
Actors/Campaigns:
Blackmatter
Threats:
Lockbit
Cyberchef_tool
Backstab_tool
Cobalt_strike
Revil
Bloodystealer
Avremover_tool
Gmer_tool
Netscan_tool
Mimikatz_tool
Neshta
Geo:
Georgia
IOCs:
Coin: 1
File: 4
Hash: 26
Softs:
psexec, process explorer, windows defender
Algorithms:
xor
Win API:
NtSetInformationThread, NetShareEnum
Links:
https://github.com/sophoslabs/IoCs/blob/master/Ransomware-Lockbit3-IOCs.csvhttps://github.com/Yaxser/Backstabhttps://github.com/hegusung/netscanSophos News
LockBit 3.0 ‘Black’ attacks and leaks reveal wormable capabilities and tooling
Reverse-engineering reveals close similarities to BlackMatter ransomware, with some improvements
#ParsedReport
30-11-2022
(RIGHT-TO-LEFT OVERRIDE). Right-to-Left override distributed under the camouflage file name
https://asec.ahnlab.com/ko/43150
Threats:
Laplas_clipper
Redline_stealer
Tron
Trojan/win.rtlo.x2172
Dropper/win.agent.c5317732
Trojan/win.injection.c5313120
Trojan/win.generic.c535472
Trojan/win.generic.c5310136
Raccoon_stealer
Industry:
Financial
IOCs:
File: 3
Hash: 6
IP: 1
Softs:
zcash
Languages:
php
30-11-2022
(RIGHT-TO-LEFT OVERRIDE). Right-to-Left override distributed under the camouflage file name
https://asec.ahnlab.com/ko/43150
Threats:
Laplas_clipper
Redline_stealer
Tron
Trojan/win.rtlo.x2172
Dropper/win.agent.c5317732
Trojan/win.injection.c5313120
Trojan/win.generic.c535472
Trojan/win.generic.c5310136
Raccoon_stealer
Industry:
Financial
IOCs:
File: 3
Hash: 6
IP: 1
Softs:
zcash
Languages:
php
ASEC BLOG
위장 파일명으로 유포되는 악성코드(RIGHT-TO-LEFT OVERRIDE) - ASEC BLOG
ASEC 분석팀에서는 지난 8월 RIGHT-TO-LEFT OVERRIDE(이하 RTLO) 를 이용한 파일명을 사용하여 유포되고 있는 악성코드에 대한 블로그를 게시했다. RTLO는 설명된 내용처럼 오른쪽에서 왼쪽으로 오버라이드 하는 유니코드이다. 이를 이용하여 파일명과 확장자를 섞어 사용자의 실행을 유도하는 방식의 악성코드 유포는 현재도 계속되고 있다. GitHub에 솔루션파일(*.sln) 위장하여 유포되는 RAT 툴 이전 블로그 포스팅 내용을 토대로 GitHub에서…
#ParsedReport
01-12-2022
ZetaNile: Open source software trojans from North Korea. Indicators
https://blog.reversinglabs.com/blog/zetanile-open-source-software-trojans-from-north-korea
Actors/Campaigns:
Lazarus
Threats:
Zetanile
Putty_tool
Tightvnc_tool
Dll_hijacking_technique
Industry:
Energy
Geo:
Korean, Korea, Japanese
TTPs:
Tactics: 1
Technics: 0
IOCs:
IP: 1
Url: 2
Command: 3
Path: 2
File: 4
Hash: 8
Softs:
sumatra pdf
Algorithms:
aes, base64
Languages:
php
Platforms:
x64
01-12-2022
ZetaNile: Open source software trojans from North Korea. Indicators
https://blog.reversinglabs.com/blog/zetanile-open-source-software-trojans-from-north-korea
Actors/Campaigns:
Lazarus
Threats:
Zetanile
Putty_tool
Tightvnc_tool
Dll_hijacking_technique
Industry:
Energy
Geo:
Korean, Korea, Japanese
TTPs:
Tactics: 1
Technics: 0
IOCs:
IP: 1
Url: 2
Command: 3
Path: 2
File: 4
Hash: 8
Softs:
sumatra pdf
Algorithms:
aes, base64
Languages:
php
Platforms:
x64
ReversingLabs
ZetaNile: Open source software trojans from North Korea
ReversingLabs Malware Researcher Joseph Edwards takes a deep dive into ZetaNile, a set of open-source software trojans being used by Lazarus/ZINC.
#ParsedReport
01-12-2022
Back in Black... Basta. Key Points
https://www.zscaler.com/blogs/security-research/back-black-basta
Threats:
Blackbasta
Conti
Advobfuscator_tool
Industry:
Financial
IOCs:
Hash: 5
File: 4
Command: 1
Algorithms:
ecc, hmac, chacha20, xchacha20, xor
Links:
01-12-2022
Back in Black... Basta. Key Points
https://www.zscaler.com/blogs/security-research/back-black-basta
Threats:
Blackbasta
Conti
Advobfuscator_tool
Industry:
Financial
IOCs:
Hash: 5
File: 4
Command: 1
Algorithms:
ecc, hmac, chacha20, xchacha20, xor
Links:
https://github.com/threatlabz/ransomware\_notes/blob/main/blackbasta/blackbasta3.txthttps://github.com/threatlabz/iocs/tree/main/blackbastaZscaler
Back in Black... Basta | Zscaler
New BlackBasta ransomware code is likely designed to improve antivirus and EDR evasion
#ParsedReport
01-12-2022
APT-C-55 Kimsuky.
https://mp.weixin.qq.com/s/OaECtSaeClPzFHslN_WamA
Actors/Campaigns:
Kimsuky
Threats:
Babyshark
Fake-trusteer
Industry:
Education, Government
Geo:
Korean
IOCs:
Hash: 27
Url: 18
File: 24
Domain: 1
Command: 1
Path: 2
Softs:
curl, chrome
Languages:
php, visual_basic
01-12-2022
APT-C-55 Kimsuky.
https://mp.weixin.qq.com/s/OaECtSaeClPzFHslN_WamA
Actors/Campaigns:
Kimsuky
Threats:
Babyshark
Fake-trusteer
Industry:
Education, Government
Geo:
Korean
IOCs:
Hash: 27
Url: 18
File: 24
Domain: 1
Command: 1
Path: 2
Softs:
curl, chrome
Languages:
php, visual_basic
Weixin Official Accounts Platform
APT-C-55(Kimsuky)组织以IBM公司安全产品为诱饵的攻击活动分析
360高级威胁研究院捕获了一起APT-C-55(Kimsuky)组织利用IBM公司安全产品为诱饵投递BabyShark攻击组件的攻击活动
#ParsedReport
01-12-2022
Lazarus. Job search trap: Lazarus organization analyzes the recruitment information of Japanese Risui Bank and other recruitment information as a bait analysis analysis
https://mp.weixin.qq.com/s/nnLqUBPX8xZ3hCr5u-iSjQ
Actors/Campaigns:
Lazarus
Threats:
Adfind_tool
Industry:
Energy, Financial, Government
Geo:
Japanese, Bangladesh, Asia, Korea
TTPs:
Tactics: 1
Technics: 1
IOCs:
File: 27
Hash: 14
Softs:
sophos anti-virus, windows defender, curl, android
Algorithms:
rc4
Win API:
LoadlibraryW
Win Services:
klnagent
01-12-2022
Lazarus. Job search trap: Lazarus organization analyzes the recruitment information of Japanese Risui Bank and other recruitment information as a bait analysis analysis
https://mp.weixin.qq.com/s/nnLqUBPX8xZ3hCr5u-iSjQ
Actors/Campaigns:
Lazarus
Threats:
Adfind_tool
Industry:
Energy, Financial, Government
Geo:
Japanese, Bangladesh, Asia, Korea
TTPs:
Tactics: 1
Technics: 1
IOCs:
File: 27
Hash: 14
Softs:
sophos anti-virus, windows defender, curl, android
Algorithms:
rc4
Win API:
LoadlibraryW
Win Services:
klnagent
Weixin Official Accounts Platform
求职陷阱:Lazarus组织以日本瑞穗銀行等招聘信息为诱饵的攻击活动分析
近日,奇安信威胁情报中心红雨滴团队在日常的威胁狩猎中便发现Lazarus组织最新的杀软0查杀攻击样本,样本为VHD(虚拟磁盘映像)文件,以日本瑞穗银行(Mizuho Bank)的招聘信息为诱饵进行攻击。