#ParsedReport
01-12-2022
Suspected Iran-Nexus TAG-56 Uses UAE Forum Lure for Credential Theft Against US Think Tank
https://www.recordedfuture.com/suspected-iran-nexus-tag-56-uses-uae-forum-lure-for-credential-theft-against-us-think-tank
Actors/Campaigns:
Tag-56
Apt42
Phosphorus
Cleaver
Threats:
Typosquatting_technique
Industry:
Ngo, Government
Geo:
Emirates, Israel, Israeli, Iran, Iranian
TTPs:
Tactics: 1
Technics: 0
IOCs:
Domain: 13
IP: 5
File: 3
Url: 5
Hash: 1
Softs:
telegram
Languages:
javascript
Recordedfuture
Suspected Iran-Nexus TAG-56 Uses UAE Forum Lure for Credential Theft Against US Think Tank
Insikt Group® reports on the tactics, techniques, and procedures (TTPs) used by TAG-56 in their recent targeting of a DC-based think tank.
#ParsedReport
01-12-2022
DuckLogs New Malware Strain Spotted In The Wild
https://blog.cyble.com/2022/12/01/ducklogs-new-malware-strain-spotted-in-the-wild
Threats:
Ducklogs
Process_hollowing_technique
Uac_bypass_technique
Process_injection_technique
Industry:
Financial
Geo:
Australia, India, Singapore, Dubai, Georgia
TTPs:
Tactics: 6
Technics: 14
IOCs:
File: 5
Command: 1
Path: 1
Domain: 5
Url: 16
IP: 1
Hash: 2
Softs:
windows defender
Algorithms:
base64
Functions:
Main, Bunifu_TextBox
Cyble
Cyble - DuckLogs - New Malware Strain Spotted In The Wild
Cyble analyzes DuckLogs - a new Malware-as-a-Service that provides sophisticated malware features to Threat Actors at a relatively low price.
#ParsedReport
01-12-2022
Fake Security App Found Abuses Japanese Payment System
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/fake-security-app-found-abuses-japanese-payment-system
Industry:
Financial
Geo:
Japanese, Japan
IOCs:
Domain: 1
Hash: 6
Languages:
golang
McAfee Blog
Fake Security App Found Abuses Japanese Payment System | McAfee Blog
Authored by SangRyol Ryu and Yukihiro Okutomi McAfee’s Mobile Research team recently analyzed new malware targeting mobile payment users in Japan. The
#ParsedReport
01-12-2022
SpiderLabs Blog. 'Tis the Season for Online Shopping and Phishing Scams
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tis-the-season-for-online-shopping-and-phishing-scams
Threats:
Uac_bypass_technique
Avemaria_rat
Industry:
Retail, Transport, Financial
Geo:
French
IOCs:
File: 3
Url: 10
Domain: 4
Softs:
microsoft word
Functions:
PHP
Trustwave
‘Tis the Season for Online Shopping and Phishing Scams
The 2022 holiday shopping season is here. Retailers’ discounts are kicking off early, and shoppers are eager to spend, especially with big price markdowns to come as the season progresses. And with the COVID-19 pandemic still a concern to shoppers, more people…
#ParsedReport
01-12-2022
Crafty threat actor uses 'aged' domains to evade security platforms
https://www.bleepingcomputer.com/news/security/crafty-threat-actor-uses-aged-domains-to-evade-security-platforms
Geo:
Africa, America, Asia
Softs:
lastpass
Languages:
javascript
BleepingComputer
Crafty threat actor uses 'aged' domains to evade security platforms
A sophisticated threat actor named 'CashRewindo' has been using aged domains in global malvertising campaigns that lead to investment scam sites.
#ParsedReport
01-12-2022
New details on commercial spyware vendor Variston
https://blog.google/threat-analysis-group/new-details-on-commercial-spyware-vendor-variston
Threats:
Heliconia_noise_tool
Industry:
Government
Geo:
Spain
CVEs:
CVE-2021-42298 [Vulners]
Vulners: Score: 9.3, CVSS: 2.8,
Vulners: Exploitation: Unknown
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft malware protection engine (<1.1.18700.3)
CVE-2022-26485 [Vulners]
Vulners: Score: Unknown, CVSS: 1.5,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Softs:
chrome, microsoft defender, windows defender
Algorithms:
rc4
Functions:
hello
Win API:
VirtualAlloc, NdrServerCall2, WinExec
Languages:
javascript
Google
New details on commercial spyware vendor Variston
The Threat Analysis Group shares new information on the commercial spyware vendor Variston.
#ParsedReport
01-12-2022
The Mystery of Metador | Unpicking Mafalda's Anti-Analysis Techniques
https://www.sentinelone.com/labs/the-mystery-of-metador-unpicking-mafaldas-anti-analysis-techniques
Actors/Campaigns:
Metador
Threats:
Mafalda
Industry:
Education, Telco
Geo:
Africa
IOCs:
File: 1
Algorithms:
xor
Links:
https://github.com/mandiant/flare-emu
SentinelOne
The Mystery of Metador | Unpicking Mafalda’s Anti-Analysis Techniques
Discover the anti-analysis techniques of the Mafalda implant, a unique, feature-rich backdoor used by the Metador threat actor.
#ParsedReport
01-12-2022
Lucky Mouse: Incident Response to Detection Engineering. Introduction
https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering
Actors/Campaigns:
Emissary_panda
Threats:
Impacket_tool
Procdump_tool
Ntdsutil_tool
Chisel_tool
Conti
IOCs:
Command: 4
File: 8
Path: 2
Softs:
windows defender, sysinternals, chrome
Algorithms:
base64
Win API:
PsLoggedOn
Platforms:
x86
SIGMA: Found
Links:
https://github.com/SEKOIA-IO/Community/blob/main/sigma_rules/host/non_legit_use_eula_parameter.yml
https://github.com/SecureAuthCorp/impacket/blob/master/examples/wmiexec.py
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/windefend/win_defender_exclusions.yml
https://github.com/SEKOIA-IO/Community/blob/main/sigma_rules/host/impacket_wmiexec.yml
https://github.com/SEKOIA-IO/Community/blob/main/sigma_rules/host/wmic_process_call_create.yml
https://github.com/SigmaHQ/sigma-specification/
https://github.com/SEKOIA-IO/Community/blob/main/sigma_rules/host/data_compressed_with_rar_with_password.yml
https://github.com/SEKOIA-IO/Community/blob/main/sigma_rules/host/disable_windows_defender.yml
https://github.com/SEKOIA-IO/Community/blob/main/sigma_rules/host/powershell_exchange_snapin_mailbox.yml
https://github.com/jpillora/chisel
https://github.com/NVISOsecurity/sigma-public/blob/master/rules/windows/process_creation/win_susp_ntdsutil.yml
https://github.com/SEKOIA-IO/Community/blob/main/sigma_rules/host/procdump_args.yml
https://github.com/SigmaHQ/sigma/blob/8b749fb1260b92b9170e4e69fa1bd2f34e94d766/rules/windows/builtin/application/win_esent_ntdsutil_abuse.yml
https://github.com/SEKOIA-IO/Community/blob/main/sigma_rules/host/socks_tunneling_tool.yml
Sekoia.io Blog
Lucky Mouse: Incident Response to Detection Engineering
Discover how the Tactics, Techniques and Procedures (TTPs) used by the APT27 (Lucky Mouse) are detected using Sekoia.io.
#ParsedReport
01-12-2022
Who's swimming in South Korean waters? Meet ScarCruft's Dolphin
https://www.welivesecurity.com/2022/11/30/whos-swimming-south-korean-waters-meet-scarcrufts-dolphin
Actors/Campaigns:
Apt37 (motivation: cyber_espionage)
Threats:
Dolphin
Watering_hole_technique
Bluelight
Credential_stealing_technique
Process_injection_technique
Industry:
Government
Geo:
Korea, Asian, Korean, Ukraine
CVEs:
CVE-2020-1380 [Vulners]
Vulners: Score: 7.6, CVSS: 2.9,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft internet explorer (11)
TTPs:
Tactics: 9
Technics: 30
IOCs:
Path: 7
Registry: 1
Hash: 5
Softs:
internet explorer, chrome
Algorithms:
cbc, base64, zip, xor, aes
Win API:
GetAsyncKeyState
Languages:
javascript, python
Platforms:
x86, x64
Links:
https://github.com/microsoft/windows-classic-samples/tree/main/Samples/PortableDeviceCOM
Welivesecurity
Who’s swimming in South Korean waters? Meet ScarCruft’s Dolphin
ESET researchers uncover Dolphin, a sophisticated backdoor extending the arsenal of the ScarCruft APT group
#ParsedReport
01-12-2022
Trigona ransomware spotted in increasing attacks worldwide
https://www.bleepingcomputer.com/news/security/trigona-ransomware-spotted-in-increasing-attacks-worldwide
Threats:
Trigona
Industry:
Financial
Geo:
Germany
IOCs:
File: 3
Softs:
lastpass
BleepingComputer
Trigona ransomware spotted in increasing attacks worldwide
A previously unnamed ransomware has rebranded under the name 'Trigona,' launching a new Tor negotiation site where they accept Monero as ransom payments.
#technique
Threat Analysis: MSI - Masquerading as a Software Installer
https://www.cybereason.com/blog/threat-analysis-msi-masquerading-as-software-installer
Cybereason
Threat Analysis: MSI - Masquerading as a Software Installer
Learn how attackers embed malicious binaries in legitimate Microsoft Windows Installation (.msi). Find out how to detect this sophisticated technique.
#technique
Bypassing MFA with the Pass-the-Cookie Attack
https://blog.netwrix.com/2022/11/29/bypassing-mfa-with-pass-the-cookie-attack/
Netwrix
Bypassing MFA with the Pass-the-Cookie Attack
Explore the Pass-the-Cookie attack, including how adversaries can bypass MFA authentication with it, and learn how to defend against it.
#ParsedReport
01-12-2022
Buyer Beware: Fake Cryptocurrency Applications Serving as Front for AppleJeus Malware
https://www.volexity.com/blog/2022/12/01/buyer-beware-fake-cryptocurrency-applications-serving-as-front-for-applejeus-malware
Actors/Campaigns:
Lazarus
Threats:
AppleJeus
Dll_sideloading_technique
Api_obfuscation_technique
Dll_hijacking_technique
Industry:
Financial
Geo:
Korean, Korea, Dprk
IOCs:
Domain: 7
File: 9
Path: 3
Hash: 18
Url: 1
Softs:
microsoft office, qtbitcointrader, microsoft excel, volexity volcano
Algorithms:
base64, xor
Functions:
OpenDrive, EXE
Languages:
php
YARA: Found
Links:
https://github.com/volexity/threat-intel/blob/main/2022/2022-12-01%20Buyer%20Beware%20-%20Fake%20Cryptocurrency%20Applications%20Serving%20as%20Front%20for%20AppleJeus%20Malware/yara.yar
https://github.com/volexity/threat-intel/blob/main/2022/2022-12-01%20Buyer%20Beware%20-%20Fake%20Cryptocurrency%20Applications%20Serving%20as%20Front%20for%20AppleJeus%20Malware/indicators.csv
https://github.com/JulyIGHOR/QtBitcoinTrader
https://github.com/volexity/threat-intel
Volexity
₿uyer ₿eware: Fake Cryptocurrency Applications Serving as Front for AppleJeus Malware
Over the last few months, Volexity has observed new activity tied to a North Korean threat actor it tracks that is widely referred to as the Lazarus Group. This activity […]
#ParsedReport
01-12-2022
W4SP continues to nest in PyPI: Same supply chain attack, different distribution method
https://blog.reversinglabs.com/blog/w4sp-continues-to-nest-in-pypi-same-supply-chain-attack-different-distribution-method
Threats:
W4sp
Climax_loader
Typosquatting_technique
IOCs:
Url: 1
File: 3
IP: 2
Hash: 33
Softs:
discord, telegram
Algorithms:
base64, zip, lzma
Languages:
rust, python
YARA: Found
Links:
https://github.com/cloudflare/cloudflared/releases
https://github.com/liftoff/pyminifier
ReversingLabs
W4SP continues to nest in PyPI: Same supply chain attack, different distribution method
Here are ReversingLabs' discoveries and indicators of compromise (IOCs) for W4SP, as well as links to our YARA rule that can be used to detect the malicious Python packages in your environment.
#ParsedReport
02-12-2022
ASEC Weekly Phishing Email Threat Trend (November 13th, 2022 - November 19th, 2022)
https://asec.ahnlab.com/en/43013
Threats:
Agent_tesla
Formbook
Smokeloader
Cloudeye
Industry:
Financial, Transport
Geo:
Korean
TTPs:
Tactics: 1
Technics: 1
IOCs:
File: 36
Url: 8
Algorithms:
zip
ASEC BLOG
ASEC Weekly Phishing Email Threat Trends (November 13th, 2022 - November 19th, 2022) - ASEC BLOG
The ASEC analysis team monitors phishing email threats with the ASEC automatic analysis system (RAPIT) and Honeypot. This post will cover the cases of distribution of phishing emails during the week from November 13th, 2022 to November 19th, 2022 and provide…
#ParsedReport
02-12-2022
ASEC Weekly Malware Statistics (November 21st, 2022 – November 27th, 2022)
https://asec.ahnlab.com/en/43255
Threats:
Agent_tesla
Smokeloader
Beamwinhttp_loader
Garbage_cleaner
Amadey
Lockbit
Redline_stealer
Industry:
Financial
Geo:
Korea
IOCs:
Domain: 13
Email: 4
File: 13
Url: 22
Softs:
discord
ASEC BLOG
ASEC Weekly Malware Statistics (November 21st, 2022 – November 27th, 2022) - ASEC BLOG
The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from November 21st, 2022 (Monday) to November 27th (Sunday). For the main category, downloader…
#ParsedReport
02-12-2022
FBI, CISA Issue Warning on Cuba Ransomware
https://www.cybereason.com/blog/fbi-cisa-warning-on-cuba-ransomware
Threats:
Cuba
Romcom_rat
Hancitor
Kerbercache_tool
Zerologon_vuln
Qakbot
Industry:
Government, Financial
CVEs:
CVE-2020-1472 [Vulners]
Vulners: Score: 9.3, CVSS: 3.8,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft windows server 2008 (r2)
- microsoft windows server 2012 (-, r2)
- microsoft windows server 2016 (-, 1903, 1909, 2004)
- microsoft windows server 2019 (-)
- fedoraproject fedora (31, 32, 33)
have more...
CVE-2022-24521 [Vulners]
Vulners: Score: 4.6, CVSS: 4.2,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft windows 10 (-, 20h2, 21h1, 21h2, 1607, 1809, 1909)
- microsoft windows 11 (-, -)
- microsoft windows 7 (-)
- microsoft windows 8.1 (-)
- microsoft windows rt 8.1 (-)
have more...
Softs:
active directory, local security authority
Languages:
jscript
Cybereason
FBI, CISA Issue Warning on Cuba Ransomware
The FBI and CISA issued a joint advisory on Cuba ransomware actors. The advisory is the latest in the government’s #StopRansomware campaign.
#ParsedReport
05-12-2022
Aqua Nautilus Discovers Redigo - New Redis Backdoor Malware
https://blog.aquasec.com/redigo-redis-backdoor-malware
Threats:
Nautilus
Redigo
CVEs:
CVE-2022-0543 [Vulners]
Vulners: Score: 10.0, CVSS: 4.8,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- redis (-)
- debian debian linux (9.0, 10.0, 11.0)
TTPs:
Tactics: 6
Technics: 0
IOCs:
File: 1
IP: 1
Hash: 2
Softs:
redis, scripting engine, debian
Languages:
lua, golang
Links:
https://github.com/aquasecurity/trivy
https://github.com/aquasecurity/chain-bench
https://github.com/aquasecurity/chain-bench/blob/main/docs/CIS-Software-Supply-Chain-Security-Guide-v1.0.pdf
https://github.com/aquasecurity/tracee
Aqua
Aqua Nautilus Discovers Redigo — New Redis Backdoor Malware
Aqua Nautilus discovers Redigo, a new, previously undetected Go-based malware that targets Redis servers to gain control of the compromised machine.
#ParsedReport
05-12-2022
Blowing Cobalt Strike Out of the Water With Memory Analysis
https://unit42.paloaltonetworks.com/cobalt-strike-memory-analysis
Threats:
Cobalt_strike
Lithiumloader
Magnetloader
Beacon
Reflectiveloader
Dll_sideloading_technique
Metasploit_tool
Industry:
Education
Geo:
Thailand, Japan, Japanese
IOCs:
Hash: 12
File: 10
Path: 4
Domain: 1
Url: 2
Softs:
windows defender
Algorithms:
xor, base64
Functions:
load_shellcode
Win API:
NtCreateSection, NtMapViewOfSection, NtCreateFile, NtAllocateVirtualMemory, RtlCreateProcessParameters, RtlCreateUserProcess, RtlCreateUserThread, RtlExitUserProcess, DllCanUnloadNow, HeapAlloc, have more...
Platforms:
x86
Links:
https://github.com/curl/curl/blob/2610142139d14265ed9acf9ed83cdf73d6bb4d05/lib/easy.c#L727
https://github.com/Sentinel-One/CobaltStrikeParser
Unit 42
Blowing Cobalt Strike Out of the Water With Memory Analysis
Unit 42 researchers examine several malware samples that incorporate Cobalt Strike components, and discuss some of the ways that we catch these samples by analyzing artifacts from the deltas in process memory at key points of execution. We will also discuss…
#ParsedReport
05-12-2022
Chinese Gambling Spam Targets World Cup Keywords
https://blog.sucuri.net/2022/12/chinese-gambling-spam-targets-world-cup-keywords.html
Geo:
Chinese, Qatar, China
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 4
Url: 2
IP: 9
Sucuri Blog
Chinese Gambling Spam Targets World Cup Keywords
In recent weeks, a massive Chinese SEO spam campaign redirecting search traffic to gambling and sports betting websites has begun leveraging World Cup keywords and search traffic.