#ParsedReport
30-11-2022
LockBit 3.0 Black attacks and leaks reveal wormable capabilities and tooling
https://news.sophos.com/en-us/2022/11/30/lockbit-3-0-black-attacks-and-leaks-reveal-wormable-capabilities-and-tooling
Actors/Campaigns:
Blackmatter
Threats:
Lockbit
Cyberchef_tool
Backstab_tool
Cobalt_strike
Revil
Bloodystealer
Avremover_tool
Gmer_tool
Netscan_tool
Mimikatz_tool
Neshta
Geo:
Georgia
IOCs:
Coin: 1
File: 4
Hash: 26
Softs:
psexec, process explorer, windows defender
Algorithms:
xor
Win API:
NtSetInformationThread, NetShareEnum
Links:
https://github.com/sophoslabs/IoCs/blob/master/Ransomware-Lockbit3-IOCs.csv
https://github.com/Yaxser/Backstab
https://github.com/hegusung/netscan
Sophos News
LockBit 3.0 ‘Black’ attacks and leaks reveal wormable capabilities and tooling
Reverse-engineering reveals close similarities to BlackMatter ransomware, with some improvements
#ParsedReport
30-11-2022
Malware distributed under disguised file names (RIGHT-TO-LEFT OVERRIDE)
https://asec.ahnlab.com/ko/43150
Threats:
Laplas_clipper
Redline_stealer
Tron
Trojan/win.rtlo.x2172
Dropper/win.agent.c5317732
Trojan/win.injection.c5313120
Trojan/win.generic.c535472
Trojan/win.generic.c5310136
Raccoon_stealer
Industry:
Financial
IOCs:
File: 3
Hash: 6
IP: 1
Softs:
zcash
Languages:
php
ASEC BLOG
Malware distributed under disguised file names (RIGHT-TO-LEFT OVERRIDE) - ASEC BLOG
Last August the ASEC analysis team published a blog post about malware being distributed under file names that use RIGHT-TO-LEFT OVERRIDE (hereafter RTLO). As described there, RTLO is a Unicode control character that overrides text direction from right to left. Malware distribution that uses it to mix the file name and extension and induce the user to execute the file continues today. RAT tools distributed on GitHub disguised as solution files (*.sln): based on the previous blog post, on GitHub…
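The RTLO trick described above works because U+202E changes how the name is rendered, not the bytes the operating system uses to choose the extension. The following is an added example, not code from the ASEC post: it renders a name the way a file manager would (approximately; only a single RLO is modelled) and flags names whose displayed extension differs from the real one. The sample file names are constructed for illustration.

```python
import unicodedata

# Unicode bidirectional control classes (RLO = U+202E RIGHT-TO-LEFT OVERRIDE,
# plus the related embedding/isolate controls) that change how a name is
# rendered without changing the bytes the OS uses to pick the extension.
BIDI_CONTROL_CLASSES = {"LRE", "RLE", "PDF", "LRO", "RLO", "LRI", "RLI", "FSI", "PDI"}


def bidi_controls(name):
    """Return (index, code point, bidi class) for every bidi control in the name."""
    return [
        (i, f"U+{ord(ch):04X}", unicodedata.bidirectional(ch))
        for i, ch in enumerate(name)
        if unicodedata.bidirectional(ch) in BIDI_CONTROL_CLASSES
    ]


def strip_bidi_controls(name):
    return "".join(
        ch for ch in name if unicodedata.bidirectional(ch) not in BIDI_CONTROL_CLASSES
    )


def rendered_name(name):
    """Approximate what a file manager shows for a name with one RLO:
    everything after U+202E is displayed reversed. Real bidi layout is
    more involved, but this is enough to reproduce the spoofed extension."""
    head, sep, tail = name.partition("\u202e")
    if not sep:
        return strip_bidi_controls(name)
    return strip_bidi_controls(head) + strip_bidi_controls(tail)[::-1]


def extension_of(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def analyze(name):
    """Flag a name whose displayed extension differs from the one the OS uses."""
    controls = bidi_controls(name)
    shown = rendered_name(name)
    real = strip_bidi_controls(name)
    return {
        "bidi_controls": controls,
        "displayed_as": shown,
        "displayed_extension": extension_of(shown),
        "real_extension": extension_of(real),
        "suspicious": bool(controls) and extension_of(shown) != extension_of(real),
    }


if __name__ == "__main__":
    # Constructed sample names (not from the ASEC post): the first is shown as
    # "invoice_exe.docx" in a file manager but Windows executes it as an .exe.
    for sample in ["invoice_\u202excod.exe", "report.docx"]:
        print(analyze(sample))
```

Blocking or quarantining any file name that contains a bidi control character is the simplest defence; the `suspicious` flag is narrower and only fires when the rendered extension actually disagrees with the real one.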
#ParsedReport
01-12-2022
ZetaNile: Open source software trojans from North Korea. Indicators
https://blog.reversinglabs.com/blog/zetanile-open-source-software-trojans-from-north-korea
Actors/Campaigns:
Lazarus
Threats:
Zetanile
Putty_tool
Tightvnc_tool
Dll_hijacking_technique
Industry:
Energy
Geo:
Korean, Korea, Japanese
TTPs:
Tactics: 1
Technics: 0
IOCs:
IP: 1
Url: 2
Command: 3
Path: 2
File: 4
Hash: 8
Softs:
sumatra pdf
Algorithms:
aes, base64
Languages:
php
Platforms:
x64
ReversingLabs
ZetaNile: Open source software trojans from North Korea
ReversingLabs Malware Researcher Joseph Edwards takes a deep dive into ZetaNile, a set of open-source software trojans being used by Lazarus/ZINC.
#ParsedReport
01-12-2022
Back in Black... Basta. Key Points
https://www.zscaler.com/blogs/security-research/back-black-basta
Threats:
Blackbasta
Conti
Advobfuscator_tool
Industry:
Financial
IOCs:
Hash: 5
File: 4
Command: 1
Algorithms:
ecc, hmac, chacha20, xchacha20, xor
Links:
https://github.com/threatlabz/ransomware_notes/blob/main/blackbasta/blackbasta3.txt
https://github.com/threatlabz/iocs/tree/main/blackbasta
Zscaler
Back in Black... Basta | Zscaler
New BlackBasta ransomware code is likely designed to improve antivirus and EDR evasion
#ParsedReport
01-12-2022
APT-C-55 Kimsuky.
https://mp.weixin.qq.com/s/OaECtSaeClPzFHslN_WamA
Actors/Campaigns:
Kimsuky
Threats:
Babyshark
Fake-trusteer
Industry:
Education, Government
Geo:
Korean
IOCs:
Hash: 27
Url: 18
File: 24
Domain: 1
Command: 1
Path: 2
Softs:
curl, chrome
Languages:
php, visual_basic
Weixin Official Accounts Platform
Analysis of an APT-C-55 (Kimsuky) attack campaign using IBM security products as a lure
The 360 Advanced Threat Research Institute captured an attack campaign in which APT-C-55 (Kimsuky) used IBM security products as a lure to deliver the BabyShark attack component.
#ParsedReport
01-12-2022
Job search trap: analysis of Lazarus group attack activity using recruitment information from Japan's Mizuho Bank and others as bait
https://mp.weixin.qq.com/s/nnLqUBPX8xZ3hCr5u-iSjQ
Actors/Campaigns:
Lazarus
Threats:
Adfind_tool
Industry:
Energy, Financial, Government
Geo:
Japanese, Bangladesh, Asia, Korea
TTPs:
Tactics: 1
Technics: 1
IOCs:
File: 27
Hash: 14
Softs:
sophos anti-virus, windows defender, curl, android
Algorithms:
rc4
Win API:
LoadlibraryW
Win Services:
klnagent
Weixin Official Accounts Platform
Job search trap: analysis of Lazarus group attack activity using recruitment information from Japan's Mizuho Bank and others as bait
Recently, during routine threat hunting, the Qi An Xin Threat Intelligence Center RedDrip team discovered the Lazarus group's latest attack sample, which had zero antivirus detections. The sample is a VHD (virtual hard disk image) file that uses recruitment information from Japan's Mizuho Bank as bait.
#ParsedReport
01-12-2022
Suspected Iran-Nexus TAG-56 Uses UAE Forum Lure for Credential Theft Against US Think Tank
https://www.recordedfuture.com/suspected-iran-nexus-tag-56-uses-uae-forum-lure-for-credential-theft-against-us-think-tank
Actors/Campaigns:
Tag-56
Apt42
Phosphorus
Cleaver
Threats:
Typosquatting_technique
Industry:
Ngo, Government
Geo:
Emirates, Israel, Israeli, Iran, Iranian
TTPs:
Tactics: 1
Technics: 0
IOCs:
Domain: 13
IP: 5
File: 3
Url: 5
Hash: 1
Softs:
telegram
Languages:
javascript
Recordedfuture
Suspected Iran-Nexus TAG-56 Uses UAE Forum Lure for Credential Theft Against US Think Tank
Insikt Group® reports on the tactics, techniques, and procedures (TTPs) used by TAG-56 in their recent targeting of a DC-based think tank.
#ParsedReport
01-12-2022
DuckLogs New Malware Strain Spotted In The Wild
https://blog.cyble.com/2022/12/01/ducklogs-new-malware-strain-spotted-in-the-wild
Threats:
Ducklogs
Process_hollowing_technique
Uac_bypass_technique
Process_injection_technique
Industry:
Financial
Geo:
Australia, India, Singapore, Dubai, Georgia
TTPs:
Tactics: 6
Technics: 14
IOCs:
File: 5
Command: 1
Path: 1
Domain: 5
Url: 16
IP: 1
Hash: 2
Softs:
windows defender
Algorithms:
base64
Functions:
Main, Bunifu_TextBox
Cyble
Cyble - DuckLogs - New Malware Strain Spotted In The Wild
Cyble analyzes DuckLogs - a new Malware-as-a-Service that provides sophisticated malware features to Threat Actors at a relatively low price.
#ParsedReport
01-12-2022
Fake Security App Found Abuses Japanese Payment System
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/fake-security-app-found-abuses-japanese-payment-system
Industry:
Financial
Geo:
Japanese, Japan
IOCs:
Domain: 1
Hash: 6
Languages:
golang
McAfee Blog
Fake Security App Found Abuses Japanese Payment System | McAfee Blog
Authored by SangRyol Ryu and Yukihiro Okutomi McAfee’s Mobile Research team recently analyzed new malware targeting mobile payment users in Japan. The
#ParsedReport
01-12-2022
SpiderLabs Blog. Tis the Season for Online Shopping and Phishing Scams
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tis-the-season-for-online-shopping-and-phishing-scams
Threats:
Uac_bypass_technique
Avemaria_rat
Industry:
Retail, Transport, Financial
Geo:
French
IOCs:
File: 3
Url: 10
Domain: 4
Softs:
microsoft word
Functions:
PHP
Trustwave
‘Tis the Season for Online Shopping and Phishing Scams
The 2022 holiday shopping season is here. Retailers’ discounts are kicking off early, and shoppers are eager to spend, especially with big price markdowns to come as the season progresses. And with the COVID-19 pandemic still a concern to shoppers, more people…
#ParsedReport
01-12-2022
Crafty threat actor uses 'aged' domains to evade security platforms
https://www.bleepingcomputer.com/news/security/crafty-threat-actor-uses-aged-domains-to-evade-security-platforms
Geo:
Africa, America, Asia
Softs:
lastpass
Languages:
javascript
BleepingComputer
Crafty threat actor uses 'aged' domains to evade security platforms
A sophisticated threat actor named 'CashRewindo' has been using aged domains in global malvertising campaigns that lead to investment scam sites.
#ParsedReport
01-12-2022
New details on commercial spyware vendor Variston
https://blog.google/threat-analysis-group/new-details-on-commercial-spyware-vendor-variston
Threats:
Heliconia_noise_tool
Industry:
Government
Geo:
Spain
CVEs:
CVE-2021-42298 [Vulners]
Vulners: Score: 9.3, CVSS: 2.8,
Vulners: Exploitation: Unknown
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft malware protection engine (<1.1.18700.3)
CVE-2022-26485 [Vulners]
Vulners: Score: Unknown, CVSS: 1.5,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Softs:
chrome, microsoft defender, windows defender
Algorithms:
rc4
Functions:
hello
Win API:
VirtualAlloc, NdrServerCall2, WinExec
Languages:
javascript
Google
New details on commercial spyware vendor Variston
The Threat Analysis Group shares new information on the commercial spyware vendor Variston.
#ParsedReport
01-12-2022
The Mystery of Metador | Unpicking Mafalda's Anti-Analysis Techniques
https://www.sentinelone.com/labs/the-mystery-of-metador-unpicking-mafaldas-anti-analysis-techniques
Actors/Campaigns:
Metador
Threats:
Mafalda
Industry:
Education, Telco
Geo:
Africa
IOCs:
File: 1
Algorithms:
xor
Links:
https://github.com/mandiant/flare-emu
SentinelOne
The Mystery of Metador | Unpicking Mafalda’s Anti-Analysis Techniques
Discover the anti-analysis techniques of the Mafalda implant, a unique, feature-rich backdoor used by the Metador threat actor.
#ParsedReport
01-12-2022
Lucky Mouse: Incident Response to Detection Engineering. Introduction
https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering
Actors/Campaigns:
Emissary_panda
Threats:
Impacket_tool
Procdump_tool
Ntdsutil_tool
Chisel_tool
Conti
IOCs:
Command: 4
File: 8
Path: 2
Softs:
windows defender, sysinternals, chrome
Algorithms:
base64
Win API:
PsLoggedOn
Platforms:
x86
SIGMA: Found
Links:
https://github.com/SEKOIA-IO/Community/blob/main/sigma_rules/host/non_legit_use_eula_parameter.yml
https://github.com/SecureAuthCorp/impacket/blob/master/examples/wmiexec.py
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/windefend/win_defender_exclusions.yml
https://github.com/SEKOIA-IO/Community/blob/main/sigma_rules/host/impacket_wmiexec.yml
https://github.com/SEKOIA-IO/Community/blob/main/sigma_rules/host/wmic_process_call_create.yml
https://github.com/SigmaHQ/sigma-specification/
https://github.com/SEKOIA-IO/Community/blob/main/sigma_rules/host/data_compressed_with_rar_with_password.yml
https://github.com/SEKOIA-IO/Community/blob/main/sigma_rules/host/disable_windows_defender.yml
https://github.com/SEKOIA-IO/Community/blob/main/sigma_rules/host/powershell_exchange_snapin_mailbox.yml
https://github.com/jpillora/chisel
https://github.com/NVISOsecurity/sigma-public/blob/master/rules/windows/process_creation/win_susp_ntdsutil.yml
https://github.com/SEKOIA-IO/Community/blob/main/sigma_rules/host/procdump_args.yml
https://github.com/SigmaHQ/sigma/blob/8b749fb1260b92b9170e4e69fa1bd2f34e94d766/rules/windows/builtin/application/win_esent_ntdsutil_abuse.yml
https://github.com/SEKOIA-IO/Community/blob/main/sigma_rules/host/socks_tunneling_tool.yml
Sekoia.io Blog
Lucky Mouse: Incident Response to Detection Engineering
Discover how the Tactics, Techniques and Procedures (TTPs) used by the APT27 (Lucky Mouse) are detected using Sekoia.io.
#ParsedReport
01-12-2022
Who's swimming in South Korean waters? Meet ScarCruft's Dolphin
https://www.welivesecurity.com/2022/11/30/whos-swimming-south-korean-waters-meet-scarcrufts-dolphin
Actors/Campaigns:
Apt37 (motivation: cyber_espionage)
Threats:
Dolphin
Watering_hole_technique
Bluelight
Credential_stealing_technique
Process_injection_technique
Industry:
Government
Geo:
Korea, Asian, Korean, Ukraine
CVEs:
CVE-2020-1380 [Vulners]
Vulners: Score: 7.6, CVSS: 2.9,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft internet explorer (11)
TTPs:
Tactics: 9
Technics: 30
IOCs:
Path: 7
Registry: 1
Hash: 5
Softs:
internet explorer, chrome
Algorithms:
cbc, base64, zip, xor, aes
Win API:
GetAsyncKeyState
Languages:
javascript, python
Platforms:
x86, x64
Links:
https://github.com/microsoft/windows-classic-samples/tree/main/Samples/PortableDeviceCOM
Welivesecurity
Who’s swimming in South Korean waters? Meet ScarCruft’s Dolphin
ESET researchers uncover Dolphin, a sophisticated backdoor extending the arsenal of the ScarCruft APT group
#ParsedReport
01-12-2022
Trigona ransomware spotted in increasing attacks worldwide
https://www.bleepingcomputer.com/news/security/trigona-ransomware-spotted-in-increasing-attacks-worldwide
Threats:
Trigona
Industry:
Financial
Geo:
Germany
IOCs:
File: 3
Softs:
lastpass
BleepingComputer
Trigona ransomware spotted in increasing attacks worldwide
A previously unnamed ransomware has rebranded under the name 'Trigona,' launching a new Tor negotiation site where they accept Monero as ransom payments.
#technique
Threat Analysis: MSI - Masquerading as a Software Installer
https://www.cybereason.com/blog/threat-analysis-msi-masquerading-as-software-installer
Cybereason
Threat Analysis: MSI - Masquerading as a Software Installer
Learn how attackers embed malicious binaries in legitimate Microsoft Windows Installation (.msi). Find out how to detect this sophisticated technique.
#technique
Bypassing MFA with the Pass-the-Cookie Attack
https://blog.netwrix.com/2022/11/29/bypassing-mfa-with-pass-the-cookie-attack/
Netwrix
Bypassing MFA with the Pass-the-Cookie Attack
Explore the Pass-the-Cookie attack, including how adversaries can bypass MFA authentication with it, and learn how to defend against it.
#ParsedReport
01-12-2022
Buyer Beware: Fake Cryptocurrency Applications Serving as Front for AppleJeus Malware
https://www.volexity.com/blog/2022/12/01/buyer-beware-fake-cryptocurrency-applications-serving-as-front-for-applejeus-malware
Actors/Campaigns:
Lazarus
Threats:
AppleJeus
Dll_sideloading_technique
Api_obfuscation_technique
Dll_hijacking_technique
Industry:
Financial
Geo:
Korean, Korea, Dprk
IOCs:
Domain: 7
File: 9
Path: 3
Hash: 18
Url: 1
Softs:
microsoft office, qtbitcointrader, microsoft excel, volexity volcano
Algorithms:
base64, xor
Functions:
OpenDrive, EXE
Languages:
php
YARA: Found
Links:
https://github.com/volexity/threat-intel/blob/main/2022/2022-12-01%20Buyer%20Beware%20-%20Fake%20Cryptocurrency%20Applications%20Serving%20as%20Front%20for%20AppleJeus%20Malware/yara.yar
https://github.com/volexity/threat-intel/blob/main/2022/2022-12-01%20Buyer%20Beware%20-%20Fake%20Cryptocurrency%20Applications%20Serving%20as%20Front%20for%20AppleJeus%20Malware/indicators.csv
https://github.com/JulyIGHOR/QtBitcoinTrader
https://github.com/volexity/threat-intel
Volexity
₿uyer ₿eware: Fake Cryptocurrency Applications Serving as Front for AppleJeus Malware
Over the last few months, Volexity has observed new activity tied to a North Korean threat actor it tracks that is widely referred to as the Lazarus Group. This activity […]
#ParsedReport
01-12-2022
W4SP continues to nest in PyPI: Same supply chain attack, different distribution method
https://blog.reversinglabs.com/blog/w4sp-continues-to-nest-in-pypi-same-supply-chain-attack-different-distribution-method
Threats:
W4sp
Climax_loader
Typosquatting_technique
IOCs:
Url: 1
File: 3
IP: 2
Hash: 33
Softs:
discord, telegram
Algorithms:
base64, zip, lzma
Languages:
rust, python
YARA: Found
Links:
https://github.com/cloudflare/cloudflared/releases
https://github.com/liftoff/pyminifier
ReversingLabs
W4SP continues to nest in PyPI: Same supply chain attack, different distribution method
Here's ReversingLabs' discoveries and indicators of compromise (IOCs) for W4SP, as well as links to our YARA rule that can be used to detect the malicious Python packages in your environment.