#ParsedReport
29-11-2022
ASEC (20221121 \~ 20221127). ASEC Weekly Malware Statistics (20221121 \~ 20221127)
https://asec.ahnlab.com/ko/43051
Actors/Campaigns:
Ta505
Threats:
Agent_tesla
Azorult
Smokeloader
Smokerloader
Beamwinhttp_loader
Garbage_cleaner
Amadey
Lockbit
Gandcrab
Clop
Redline_stealer
Postealer
Industry:
Transport, Financial
Geo:
Korea
IOCs:
File: 19
Domain: 13
Email: 4
Url: 22
Softs:
discord
29-11-2022
ASEC (20221121 \~ 20221127). ASEC Weekly Malware Statistics (20221121 \~ 20221127)
https://asec.ahnlab.com/ko/43051
Actors/Campaigns:
Ta505
Threats:
Agent_tesla
Azorult
Smokeloader
Smokerloader
Beamwinhttp_loader
Garbage_cleaner
Amadey
Lockbit
Gandcrab
Clop
Redline_stealer
Postealer
Industry:
Transport, Financial
Geo:
Korea
IOCs:
File: 19
Domain: 13
Email: 4
Url: 22
Softs:
discord
ASEC BLOG
ASEC 주간 악성코드 통계 (20221121 ~ 20221127) - ASEC BLOG
ContentsTop 1 – AgentTeslaTop 2 – SmokeLoaderTop 3 – BeamWinHTTPTop 4 – AmadeyTop 5 – RedLine ASEC 분석팀에서는 ASEC 자동 분석 시스템 RAPIT 을 활용하여 알려진 악성코드들에 대한 분류 및 대응을 진행하고 있다. 본 포스팅에서는 2022년 11월 21일 월요일부터 11월 27일 일요일까지 한 주간 수집된 악성코드의 통계를 정리한다. 대분류 상으로는 다운로더가 40.3%로…
#ParsedReport
29-11-2022
Doing time with the YIPPHB dropper. Key takeaways
https://www.elastic.co/security-labs/doing-time-with-the-yipphb-dropper
Threats:
Yipphb_dropper
Seth_locker
Remcos_rat
Njrat_rat
Cyberchef_tool
Limerat_rat
Asyncrat_rat
TTPs:
Tactics: 6
Technics: 0
IOCs:
Hash: 3
Url: 6
Domain: 1
File: 7
Softs:
discord, curl, kibana
Algorithms:
base64, zip
Languages:
visual_basic
Platforms:
x86
Links:
29-11-2022
Doing time with the YIPPHB dropper. Key takeaways
https://www.elastic.co/security-labs/doing-time-with-the-yipphb-dropper
Threats:
Yipphb_dropper
Seth_locker
Remcos_rat
Njrat_rat
Cyberchef_tool
Limerat_rat
Asyncrat_rat
TTPs:
Tactics: 6
Technics: 0
IOCs:
Hash: 3
Url: 6
Domain: 1
File: 7
Softs:
discord, curl, kibana
Algorithms:
base64, zip
Languages:
visual_basic
Platforms:
x86
Links:
https://github.com/VirusTotal/vt-clihttps://github.com/elastic/protections-artifacts/blob/main/behavior/rules/execution\_suspicious\_powershell\_execution.tomlhttps://github.com/elastic/protections-artifacts/blob/main/behavior/rules/defense\_evasion\_process\_execution\_with\_unusual\_file\_extension.tomlhttps://github.com/elastic/protections-artifacts/blob/main/behavior/rules/persistence\_script\_file\_written\_to\_startup\_folder.tomlhttps://github.com/elastic/protections-artifacts/blob/main/behavior/rules/command\_and\_control\_connection\_to\_dynamic\_dns\_provider\_by\_an\_unsigned\_binary.tomlhttps://github.com/elastic/protections-artifacts/blob/main/behavior/rules/execution\_suspicious\_powershell\_execution\_via\_windows\_scripts.tomlhttps://github.com/pmelson/bsidesaugusta\_2022/blob/main/unk.yarahttps://github.com/elastic/protections-artifacts/blob/main/behavior/rules/command\_and\_control\_connection\_to\_webservice\_by\_a\_signed\_binary\_proxy.tomlhttps://github.com/elastic/securitylabs-thrunting-toolshttps://github.com/NYAN-x-CAT/njRAT-0.7d-Stub-CSharp/blob/master/njRAT%20C%23%20Stub/Program.cswww.elastic.co
Doing time with the YIPPHB dropper — Elastic Security Labs
Elastic Security Labs outlines the steps collect and analyze the various stages of the REF4526 intrusion set. This intrusion set uses a creative approach of Unicode icons in Powershell scripts to install a loader, a dropper, and RAT implants.
#ParsedReport
30-11-2022
Domains Used for Magniber Distribution in Korea
https://asec.ahnlab.com/en/43008
Threats:
Magniber
Motw_bypass_technique
Typosquatting_technique
Geo:
Korea
IOCs:
File: 1
IP: 11
30-11-2022
Domains Used for Magniber Distribution in Korea
https://asec.ahnlab.com/en/43008
Threats:
Magniber
Motw_bypass_technique
Typosquatting_technique
Geo:
Korea
IOCs:
File: 1
IP: 11
ASEC
Domains Used for Magniber Distribution in Korea - ASEC
On November 7th, the ASEC analysis team introduced through a blog post the Magniber ransomware which attempted MOTW (Mark of the Web) bypassing. Afterward, using the data left in Zone.Identifier, we conducted an investigation on the sources used for the distribution…
#ParsedReport
30-11-2022
Phishing Website Disguised as a Famous Korean Email Login Website Being Distributed
https://asec.ahnlab.com/en/42999
Geo:
Korea, Korean
IOCs:
Url: 3
Hash: 1
Languages:
javascript
30-11-2022
Phishing Website Disguised as a Famous Korean Email Login Website Being Distributed
https://asec.ahnlab.com/en/42999
Geo:
Korea, Korean
IOCs:
Url: 3
Hash: 1
Languages:
javascript
ASEC BLOG
Phishing Website Disguised as a Famous Korean Email Login Website Being Distributed - ASEC BLOG
The ASEC analysis team has identified the distribution of a malicious website in Korea that aims to steal account credentials from a famous Korean email service website. The phishing website the email is redirected to is disguised as a login page for a Korean…
#ParsedReport
30-11-2022
Fodcha Is Coming Back, Raising A Wave of Ransom DDoS. Background
https://blog.netlab.360.com/fodcha-is-coming-back-with-rddos
Threats:
Fodcha
Mirai
Hostile
Geo:
China
IOCs:
File: 5
IP: 3
Hash: 1
Algorithms:
chacha20, chacha, xxtea
Languages:
python
30-11-2022
Fodcha Is Coming Back, Raising A Wave of Ransom DDoS. Background
https://blog.netlab.360.com/fodcha-is-coming-back-with-rddos
Threats:
Fodcha
Mirai
Hostile
Geo:
China
IOCs:
File: 5
IP: 3
Hash: 1
Algorithms:
chacha20, chacha, xxtea
Languages:
python
360 Netlab Blog - Network Security Research Lab at 360
Fodcha Is Coming Back, Raising A Wave of Ransom DDoS
Background
On April 13, 2022, 360Netlab first disclosed the Fodcha botnet. After our article was published, Fodcha suffered a crackdown from the relevant authorities, and its authors quickly responded by leaving "Netlab pls leave me alone I surrender" in…
On April 13, 2022, 360Netlab first disclosed the Fodcha botnet. After our article was published, Fodcha suffered a crackdown from the relevant authorities, and its authors quickly responded by leaving "Netlab pls leave me alone I surrender" in…
#ParsedReport
30-11-2022
. Phishing mail disguised as a famous domestic airline
https://asec.ahnlab.com/ko/43117
Industry:
Aerospace, Financial
Geo:
Korean, Korea
IOCs:
Url: 1
30-11-2022
. Phishing mail disguised as a famous domestic airline
https://asec.ahnlab.com/ko/43117
Industry:
Aerospace, Financial
Geo:
Korean, Korea
IOCs:
Url: 1
ASEC BLOG
국내 유명 항공사로 위장한 피싱 메일 - ASEC BLOG
ASEC 분석팀은 최근 국내 유명 항공사를 사칭하여 이용자의 정보를 수집하는 피싱 메일을 확인하였다. 해당 피싱 메일은 항공권 결제에 대한 내용을 공지하며 자세한 항공권 가격과 사전 정보를 파악한 것으로 추정되는 내용과 함께 위장한 피싱 사이트 접속을 유도한다. 메일 제목 및 본문은 아래와 같다. 본문에 첨부된 HTML파일을 확인하면, 아래와 같이 국내 유명 항공사로 위장한 피싱 사이트로 연결된다. 해당 사이트는 국내 유명 항공사 경영 지원 부서의 출처로…
#ParsedReport
30-11-2022
Redline Stealer being Distributed via Fake Express VPN Sites
https://blog.cyble.com/2022/11/30/redline-stealer-being-distributed-via-fake-express-vpn-sites
Threats:
Redline_stealer
Process_injection_technique
Vidar_stealer
Record_breaker_stealer
Beacon
Geo:
Georgia, Australia, India, Singapore, Dubai
TTPs:
Tactics: 7
Technics: 16
IOCs:
Domain: 6
Url: 2
File: 4
Hash: 1
Softs:
discord
Algorithms:
zip
Languages:
javascript
30-11-2022
Redline Stealer being Distributed via Fake Express VPN Sites
https://blog.cyble.com/2022/11/30/redline-stealer-being-distributed-via-fake-express-vpn-sites
Threats:
Redline_stealer
Process_injection_technique
Vidar_stealer
Record_breaker_stealer
Beacon
Geo:
Georgia, Australia, India, Singapore, Dubai
TTPs:
Tactics: 7
Technics: 16
IOCs:
Domain: 6
Url: 2
File: 4
Hash: 1
Softs:
discord
Algorithms:
zip
Languages:
javascript
#ParsedReport
30-11-2022
LockBit 3.0 Black attacks and leaks reveal wormable capabilities and tooling
https://news.sophos.com/en-us/2022/11/30/lockbit-3-0-black-attacks-and-leaks-reveal-wormable-capabilities-and-tooling
Actors/Campaigns:
Blackmatter
Threats:
Lockbit
Cyberchef_tool
Backstab_tool
Cobalt_strike
Revil
Bloodystealer
Avremover_tool
Gmer_tool
Netscan_tool
Mimikatz_tool
Neshta
Geo:
Georgia
IOCs:
Coin: 1
File: 4
Hash: 26
Softs:
psexec, process explorer, windows defender
Algorithms:
xor
Win API:
NtSetInformationThread, NetShareEnum
Links:
30-11-2022
LockBit 3.0 Black attacks and leaks reveal wormable capabilities and tooling
https://news.sophos.com/en-us/2022/11/30/lockbit-3-0-black-attacks-and-leaks-reveal-wormable-capabilities-and-tooling
Actors/Campaigns:
Blackmatter
Threats:
Lockbit
Cyberchef_tool
Backstab_tool
Cobalt_strike
Revil
Bloodystealer
Avremover_tool
Gmer_tool
Netscan_tool
Mimikatz_tool
Neshta
Geo:
Georgia
IOCs:
Coin: 1
File: 4
Hash: 26
Softs:
psexec, process explorer, windows defender
Algorithms:
xor
Win API:
NtSetInformationThread, NetShareEnum
Links:
https://github.com/sophoslabs/IoCs/blob/master/Ransomware-Lockbit3-IOCs.csvhttps://github.com/Yaxser/Backstabhttps://github.com/hegusung/netscanSophos News
LockBit 3.0 ‘Black’ attacks and leaks reveal wormable capabilities and tooling
Reverse-engineering reveals close similarities to BlackMatter ransomware, with some improvements
#ParsedReport
30-11-2022
(RIGHT-TO-LEFT OVERRIDE). Right-to-Left override distributed under the camouflage file name
https://asec.ahnlab.com/ko/43150
Threats:
Laplas_clipper
Redline_stealer
Tron
Trojan/win.rtlo.x2172
Dropper/win.agent.c5317732
Trojan/win.injection.c5313120
Trojan/win.generic.c535472
Trojan/win.generic.c5310136
Raccoon_stealer
Industry:
Financial
IOCs:
File: 3
Hash: 6
IP: 1
Softs:
zcash
Languages:
php
30-11-2022
(RIGHT-TO-LEFT OVERRIDE). Right-to-Left override distributed under the camouflage file name
https://asec.ahnlab.com/ko/43150
Threats:
Laplas_clipper
Redline_stealer
Tron
Trojan/win.rtlo.x2172
Dropper/win.agent.c5317732
Trojan/win.injection.c5313120
Trojan/win.generic.c535472
Trojan/win.generic.c5310136
Raccoon_stealer
Industry:
Financial
IOCs:
File: 3
Hash: 6
IP: 1
Softs:
zcash
Languages:
php
ASEC BLOG
위장 파일명으로 유포되는 악성코드(RIGHT-TO-LEFT OVERRIDE) - ASEC BLOG
ASEC 분석팀에서는 지난 8월 RIGHT-TO-LEFT OVERRIDE(이하 RTLO) 를 이용한 파일명을 사용하여 유포되고 있는 악성코드에 대한 블로그를 게시했다. RTLO는 설명된 내용처럼 오른쪽에서 왼쪽으로 오버라이드 하는 유니코드이다. 이를 이용하여 파일명과 확장자를 섞어 사용자의 실행을 유도하는 방식의 악성코드 유포는 현재도 계속되고 있다. GitHub에 솔루션파일(*.sln) 위장하여 유포되는 RAT 툴 이전 블로그 포스팅 내용을 토대로 GitHub에서…
#ParsedReport
01-12-2022
ZetaNile: Open source software trojans from North Korea. Indicators
https://blog.reversinglabs.com/blog/zetanile-open-source-software-trojans-from-north-korea
Actors/Campaigns:
Lazarus
Threats:
Zetanile
Putty_tool
Tightvnc_tool
Dll_hijacking_technique
Industry:
Energy
Geo:
Korean, Korea, Japanese
TTPs:
Tactics: 1
Technics: 0
IOCs:
IP: 1
Url: 2
Command: 3
Path: 2
File: 4
Hash: 8
Softs:
sumatra pdf
Algorithms:
aes, base64
Languages:
php
Platforms:
x64
01-12-2022
ZetaNile: Open source software trojans from North Korea. Indicators
https://blog.reversinglabs.com/blog/zetanile-open-source-software-trojans-from-north-korea
Actors/Campaigns:
Lazarus
Threats:
Zetanile
Putty_tool
Tightvnc_tool
Dll_hijacking_technique
Industry:
Energy
Geo:
Korean, Korea, Japanese
TTPs:
Tactics: 1
Technics: 0
IOCs:
IP: 1
Url: 2
Command: 3
Path: 2
File: 4
Hash: 8
Softs:
sumatra pdf
Algorithms:
aes, base64
Languages:
php
Platforms:
x64
ReversingLabs
ZetaNile: Open source software trojans from North Korea
ReversingLabs Malware Researcher Joseph Edwards takes a deep dive into ZetaNile, a set of open-source software trojans being used by Lazarus/ZINC.
#ParsedReport
01-12-2022
Back in Black... Basta. Key Points
https://www.zscaler.com/blogs/security-research/back-black-basta
Threats:
Blackbasta
Conti
Advobfuscator_tool
Industry:
Financial
IOCs:
Hash: 5
File: 4
Command: 1
Algorithms:
ecc, hmac, chacha20, xchacha20, xor
Links:
01-12-2022
Back in Black... Basta. Key Points
https://www.zscaler.com/blogs/security-research/back-black-basta
Threats:
Blackbasta
Conti
Advobfuscator_tool
Industry:
Financial
IOCs:
Hash: 5
File: 4
Command: 1
Algorithms:
ecc, hmac, chacha20, xchacha20, xor
Links:
https://github.com/threatlabz/ransomware\_notes/blob/main/blackbasta/blackbasta3.txthttps://github.com/threatlabz/iocs/tree/main/blackbastaZscaler
Back in Black... Basta | Zscaler
New BlackBasta ransomware code is likely designed to improve antivirus and EDR evasion
#ParsedReport
01-12-2022
APT-C-55 Kimsuky.
https://mp.weixin.qq.com/s/OaECtSaeClPzFHslN_WamA
Actors/Campaigns:
Kimsuky
Threats:
Babyshark
Fake-trusteer
Industry:
Education, Government
Geo:
Korean
IOCs:
Hash: 27
Url: 18
File: 24
Domain: 1
Command: 1
Path: 2
Softs:
curl, chrome
Languages:
php, visual_basic
01-12-2022
APT-C-55 Kimsuky.
https://mp.weixin.qq.com/s/OaECtSaeClPzFHslN_WamA
Actors/Campaigns:
Kimsuky
Threats:
Babyshark
Fake-trusteer
Industry:
Education, Government
Geo:
Korean
IOCs:
Hash: 27
Url: 18
File: 24
Domain: 1
Command: 1
Path: 2
Softs:
curl, chrome
Languages:
php, visual_basic
Weixin Official Accounts Platform
APT-C-55(Kimsuky)组织以IBM公司安全产品为诱饵的攻击活动分析
360高级威胁研究院捕获了一起APT-C-55(Kimsuky)组织利用IBM公司安全产品为诱饵投递BabyShark攻击组件的攻击活动
#ParsedReport
01-12-2022
Lazarus. Job search trap: Lazarus organization analyzes the recruitment information of Japanese Risui Bank and other recruitment information as a bait analysis analysis
https://mp.weixin.qq.com/s/nnLqUBPX8xZ3hCr5u-iSjQ
Actors/Campaigns:
Lazarus
Threats:
Adfind_tool
Industry:
Energy, Financial, Government
Geo:
Japanese, Bangladesh, Asia, Korea
TTPs:
Tactics: 1
Technics: 1
IOCs:
File: 27
Hash: 14
Softs:
sophos anti-virus, windows defender, curl, android
Algorithms:
rc4
Win API:
LoadlibraryW
Win Services:
klnagent
01-12-2022
Lazarus. Job search trap: Lazarus organization analyzes the recruitment information of Japanese Risui Bank and other recruitment information as a bait analysis analysis
https://mp.weixin.qq.com/s/nnLqUBPX8xZ3hCr5u-iSjQ
Actors/Campaigns:
Lazarus
Threats:
Adfind_tool
Industry:
Energy, Financial, Government
Geo:
Japanese, Bangladesh, Asia, Korea
TTPs:
Tactics: 1
Technics: 1
IOCs:
File: 27
Hash: 14
Softs:
sophos anti-virus, windows defender, curl, android
Algorithms:
rc4
Win API:
LoadlibraryW
Win Services:
klnagent
Weixin Official Accounts Platform
求职陷阱:Lazarus组织以日本瑞穗銀行等招聘信息为诱饵的攻击活动分析
近日,奇安信威胁情报中心红雨滴团队在日常的威胁狩猎中便发现Lazarus组织最新的杀软0查杀攻击样本,样本为VHD(虚拟磁盘映像)文件,以日本瑞穗银行(Mizuho Bank)的招聘信息为诱饵进行攻击。
#ParsedReport
01-12-2022
Suspected Iran-Nexus TAG-56 Uses UAE Forum Lure for Credential Theft Against US Think Tank
https://www.recordedfuture.com/suspected-iran-nexus-tag-56-uses-uae-forum-lure-for-credential-theft-against-us-think-tank
Actors/Campaigns:
Tag-56
Apt42
Phosphorus
Cleaver
Threats:
Typosquatting_technique
Industry:
Ngo, Government
Geo:
Emirates, Israel, Israeli, Iran, Iranian
TTPs:
Tactics: 1
Technics: 0
IOCs:
Domain: 13
IP: 5
File: 3
Url: 5
Hash: 1
Softs:
telegram
Languages:
javascript
01-12-2022
Suspected Iran-Nexus TAG-56 Uses UAE Forum Lure for Credential Theft Against US Think Tank
https://www.recordedfuture.com/suspected-iran-nexus-tag-56-uses-uae-forum-lure-for-credential-theft-against-us-think-tank
Actors/Campaigns:
Tag-56
Apt42
Phosphorus
Cleaver
Threats:
Typosquatting_technique
Industry:
Ngo, Government
Geo:
Emirates, Israel, Israeli, Iran, Iranian
TTPs:
Tactics: 1
Technics: 0
IOCs:
Domain: 13
IP: 5
File: 3
Url: 5
Hash: 1
Softs:
telegram
Languages:
javascript
Recordedfuture
Suspected Iran-Nexus TAG-56 Uses UAE Forum Lure for Credential Theft Against US Think Tank
Insikt Group® reports on the tactics, techniques, and procedures (TTPs) used by TAG-56 in their recent targeting of a DC-based think tank.
#ParsedReport
01-12-2022
DuckLogs New Malware Strain Spotted In The Wild
https://blog.cyble.com/2022/12/01/ducklogs-new-malware-strain-spotted-in-the-wild
Threats:
Ducklogs
Process_hollowing_technique
Uac_bypass_technique
Process_injection_technique
Industry:
Financial
Geo:
Australia, India, Singapore, Dubai, Georgia
TTPs:
Tactics: 6
Technics: 14
IOCs:
File: 5
Command: 1
Path: 1
Domain: 5
Url: 16
IP: 1
Hash: 2
Softs:
windows defender
Algorithms:
base64
Functions:
Main, Bunifu_TextBox
01-12-2022
DuckLogs New Malware Strain Spotted In The Wild
https://blog.cyble.com/2022/12/01/ducklogs-new-malware-strain-spotted-in-the-wild
Threats:
Ducklogs
Process_hollowing_technique
Uac_bypass_technique
Process_injection_technique
Industry:
Financial
Geo:
Australia, India, Singapore, Dubai, Georgia
TTPs:
Tactics: 6
Technics: 14
IOCs:
File: 5
Command: 1
Path: 1
Domain: 5
Url: 16
IP: 1
Hash: 2
Softs:
windows defender
Algorithms:
base64
Functions:
Main, Bunifu_TextBox
Cyble
Cyble - DuckLogs - New Malware Strain Spotted In The Wild
Cyble analyzes DuckLogs - a new Malware-as-a-Service that provides sophisticated malware features to Threat Actors at a relatively low price.
#ParsedReport
01-12-2022
Fake Security App Found Abuses Japanese Payment System
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/fake-security-app-found-abuses-japanese-payment-system
Industry:
Financial
Geo:
Japanese, Japan
IOCs:
Domain: 1
Hash: 6
Languages:
golang
01-12-2022
Fake Security App Found Abuses Japanese Payment System
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/fake-security-app-found-abuses-japanese-payment-system
Industry:
Financial
Geo:
Japanese, Japan
IOCs:
Domain: 1
Hash: 6
Languages:
golang
McAfee Blog
Fake Security App Found Abuses Japanese Payment System | McAfee Blog
Authored by SangRyol Ryu and Yukihiro Okutomi McAfee’s Mobile Research team recently analyzed new malware targeting mobile payment users in Japan. The
#ParsedReport
01-12-2022
SpiderLabs Blog. Tis the Season for Online Shopping and Phishing Scams
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tis-the-season-for-online-shopping-and-phishing-scams
Threats:
Uac_bypass_technique
Avemaria_rat
Industry:
Retail, Transport, Financial
Geo:
French
IOCs:
File: 3
Url: 10
Domain: 4
Softs:
microsoft word
Functions:
PHP
01-12-2022
SpiderLabs Blog. Tis the Season for Online Shopping and Phishing Scams
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tis-the-season-for-online-shopping-and-phishing-scams
Threats:
Uac_bypass_technique
Avemaria_rat
Industry:
Retail, Transport, Financial
Geo:
French
IOCs:
File: 3
Url: 10
Domain: 4
Softs:
microsoft word
Functions:
PHP
Trustwave
‘Tis the Season for Online Shopping and Phishing Scams
The 2022 holiday shopping season is here. Retailers’ discounts are kicking off early, and shoppers are eager to spend, especially with big price markdowns to come as the season progresses. And with the COVID-19 pandemic still a concern to shoppers, more people…
#ParsedReport
01-12-2022
Crafty threat actor uses 'aged' domains to evade security platforms
https://www.bleepingcomputer.com/news/security/crafty-threat-actor-uses-aged-domains-to-evade-security-platforms
Geo:
Africa, America, Asia
Softs:
lastpass
Languages:
javascript
01-12-2022
Crafty threat actor uses 'aged' domains to evade security platforms
https://www.bleepingcomputer.com/news/security/crafty-threat-actor-uses-aged-domains-to-evade-security-platforms
Geo:
Africa, America, Asia
Softs:
lastpass
Languages:
javascript
BleepingComputer
Crafty threat actor uses 'aged' domains to evade security platforms
A sophisticated threat actor named 'CashRewindo' has been using aged domains in global malvertising campaigns that lead to investment scam sites.
#ParsedReport
01-12-2022
New details on commercial spyware vendor Variston
https://blog.google/threat-analysis-group/new-details-on-commercial-spyware-vendor-variston
Threats:
Heliconia_noise_tool
Industry:
Government
Geo:
Spain
CVEs:
CVE-2021-42298 [Vulners]
Vulners: Score: 9.3, CVSS: 2.8,
Vulners: Exploitation: Unknown
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft malware protection engine (<1.1.18700.3)
CVE-2022-26485 [Vulners]
Vulners: Score: Unknown, CVSS: 1.5,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Softs:
chrome, microsoft defender, windows defender
Algorithms:
rc4
Functions:
hello
Win API:
VirtualAlloc, NdrServerCall2, WinExec
Languages:
javascript
01-12-2022
New details on commercial spyware vendor Variston
https://blog.google/threat-analysis-group/new-details-on-commercial-spyware-vendor-variston
Threats:
Heliconia_noise_tool
Industry:
Government
Geo:
Spain
CVEs:
CVE-2021-42298 [Vulners]
Vulners: Score: 9.3, CVSS: 2.8,
Vulners: Exploitation: Unknown
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft malware protection engine (<1.1.18700.3)
CVE-2022-26485 [Vulners]
Vulners: Score: Unknown, CVSS: 1.5,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Softs:
chrome, microsoft defender, windows defender
Algorithms:
rc4
Functions:
hello
Win API:
VirtualAlloc, NdrServerCall2, WinExec
Languages:
javascript
Google
New details on commercial spyware vendor Variston
The Threat Analysis Group shares new information on the commercial spyware vendor Variston.
#ParsedReport
01-12-2022
The Mystery of Metador \| Unpicking Mafaldas Anti-Analysis Techniques
https://www.sentinelone.com/labs/the-mystery-of-metador-unpicking-mafaldas-anti-analysis-techniques
Actors/Campaigns:
Metador
Threats:
Mafalda
Industry:
Education, Telco
Geo:
Africa
IOCs:
File: 1
Algorithms:
xor
Links:
01-12-2022
The Mystery of Metador \| Unpicking Mafaldas Anti-Analysis Techniques
https://www.sentinelone.com/labs/the-mystery-of-metador-unpicking-mafaldas-anti-analysis-techniques
Actors/Campaigns:
Metador
Threats:
Mafalda
Industry:
Education, Telco
Geo:
Africa
IOCs:
File: 1
Algorithms:
xor
Links:
https://github.com/mandiant/flare-emuSentinelOne
The Mystery of Metador | Unpicking Mafalda’s Anti-Analysis Techniques
Discover the anti-analysis techniques of the Mafalda implant, a unique, feature-rich backdoor used by the Metador threat actor.
#ParsedReport
01-12-2022
Lucky Mouse: Incident Response to Detection Engineering. Introduction
https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering
Actors/Campaigns:
Emissary_panda
Threats:
Impacket_tool
Procdump_tool
Ntdsutil_tool
Chisel_tool
Conti
IOCs:
Command: 4
File: 8
Path: 2
Softs:
windows defender, sysinternals, chrome
Algorithms:
base64
Win API:
PsLoggedOn
Platforms:
x86
SIGMA: Found
Links:
01-12-2022
Lucky Mouse: Incident Response to Detection Engineering. Introduction
https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering
Actors/Campaigns:
Emissary_panda
Threats:
Impacket_tool
Procdump_tool
Ntdsutil_tool
Chisel_tool
Conti
IOCs:
Command: 4
File: 8
Path: 2
Softs:
windows defender, sysinternals, chrome
Algorithms:
base64
Win API:
PsLoggedOn
Platforms:
x86
SIGMA: Found
Links:
https://github.com/SEKOIA-IO/Community/blob/main/sigma\_rules/host/non\_legit\_use\_eula\_parameter.ymlhttps://github.com/SecureAuthCorp/impacket/blob/master/examples/wmiexec.pyhttps://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/windefend/win\_defender\_exclusions.ymlhttps://github.com/SEKOIA-IO/Community/blob/main/sigma\_rules/host/impacket\_wmiexec.ymlhttps://github.com/SEKOIA-IO/Community/blob/main/sigma\_rules/host/wmic\_process\_call\_create.ymlhttps://github.com/SigmaHQ/sigma-specification/https://github.com/SEKOIA-IO/Community/blob/main/sigma\_rules/host/data\_compressed\_with\_rar\_with\_password.ymlhttps://github.com/SEKOIA-IO/Community/blob/main/sigma\_rules/host/disable\_windows\_defender.ymlhttps://github.com/SEKOIA-IO/Community/blob/main/sigma\_rules/host/powershell\_exchange\_snapin\_mailbox.ymlhttps://github.com/jpillora/chiselhttps://github.com/NVISOsecurity/sigma-public/blob/master/rules/windows/process\_creation/win\_susp\_ntdsutil.ymlhttps://github.com/SEKOIA-IO/Community/blob/main/sigma\_rules/host/procdump\_args.ymlhttps://github.com/SigmaHQ/sigma/blob/8b749fb1260b92b9170e4e69fa1bd2f34e94d766/rules/windows/builtin/application/win\_esent\_ntdsutil\_abuse.ymlhttps://github.com/SEKOIA-IO/Community/blob/main/sigma\_rules/host/socks\_tunneling\_tool.ymlSekoia.io Blog
Lucky Mouse: Incident Response to Detection Engineering
Discover how the Tactics, Techniques and Procedures (TTPs) used by the APT27 (Lucky Mouse) are detected using Sekoia.io.