#ParsedReport
01-12-2022
Lucky Mouse: Incident Response to Detection Engineering. Introduction
https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering
Actors/Campaigns:
Emissary_panda
Threats:
Impacket_tool
Procdump_tool
Ntdsutil_tool
Chisel_tool
Conti
IOCs:
Command: 4
File: 8
Path: 2
Softs:
windows defender, sysinternals, chrome
Algorithms:
base64
Win API:
PsLoggedOn
Platforms:
x86
SIGMA: Found
Links:
01-12-2022
Lucky Mouse: Incident Response to Detection Engineering. Introduction
https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering
Actors/Campaigns:
Emissary_panda
Threats:
Impacket_tool
Procdump_tool
Ntdsutil_tool
Chisel_tool
Conti
IOCs:
Command: 4
File: 8
Path: 2
Softs:
windows defender, sysinternals, chrome
Algorithms:
base64
Win API:
PsLoggedOn
Platforms:
x86
SIGMA: Found
Links:
https://github.com/SEKOIA-IO/Community/blob/main/sigma\_rules/host/non\_legit\_use\_eula\_parameter.ymlhttps://github.com/SecureAuthCorp/impacket/blob/master/examples/wmiexec.pyhttps://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/windefend/win\_defender\_exclusions.ymlhttps://github.com/SEKOIA-IO/Community/blob/main/sigma\_rules/host/impacket\_wmiexec.ymlhttps://github.com/SEKOIA-IO/Community/blob/main/sigma\_rules/host/wmic\_process\_call\_create.ymlhttps://github.com/SigmaHQ/sigma-specification/https://github.com/SEKOIA-IO/Community/blob/main/sigma\_rules/host/data\_compressed\_with\_rar\_with\_password.ymlhttps://github.com/SEKOIA-IO/Community/blob/main/sigma\_rules/host/disable\_windows\_defender.ymlhttps://github.com/SEKOIA-IO/Community/blob/main/sigma\_rules/host/powershell\_exchange\_snapin\_mailbox.ymlhttps://github.com/jpillora/chiselhttps://github.com/NVISOsecurity/sigma-public/blob/master/rules/windows/process\_creation/win\_susp\_ntdsutil.ymlhttps://github.com/SEKOIA-IO/Community/blob/main/sigma\_rules/host/procdump\_args.ymlhttps://github.com/SigmaHQ/sigma/blob/8b749fb1260b92b9170e4e69fa1bd2f34e94d766/rules/windows/builtin/application/win\_esent\_ntdsutil\_abuse.ymlhttps://github.com/SEKOIA-IO/Community/blob/main/sigma\_rules/host/socks\_tunneling\_tool.ymlSekoia.io Blog
Lucky Mouse: Incident Response to Detection Engineering
Discover how the Tactics, Techniques and Procedures (TTPs) used by the APT27 (Lucky Mouse) are detected using Sekoia.io.
#ParsedReport
01-12-2022
Whos swimming in South Korean waters? Meet ScarCrufts Dolphin
https://www.welivesecurity.com/2022/11/30/whos-swimming-south-korean-waters-meet-scarcrufts-dolphin
Actors/Campaigns:
Apt37 (motivation: cyber_espionage)
Threats:
Dolphin
Watering_hole_technique
Bluelight
Credential_stealing_technique
Process_injection_technique
Industry:
Government
Geo:
Korea, Asian, Korean, Ukraine
CVEs:
CVE-2020-1380 [Vulners]
Vulners: Score: 7.6, CVSS: 2.9,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft internet explorer (11)
TTPs:
Tactics: 9
Technics: 30
IOCs:
Path: 7
Registry: 1
Hash: 5
Softs:
internet explorer, chrome
Algorithms:
cbc, base64, zip, xor, aes
Win API:
GetAsyncKeyState
Languages:
javascript, python
Platforms:
x86, x64
Links:
01-12-2022
Whos swimming in South Korean waters? Meet ScarCrufts Dolphin
https://www.welivesecurity.com/2022/11/30/whos-swimming-south-korean-waters-meet-scarcrufts-dolphin
Actors/Campaigns:
Apt37 (motivation: cyber_espionage)
Threats:
Dolphin
Watering_hole_technique
Bluelight
Credential_stealing_technique
Process_injection_technique
Industry:
Government
Geo:
Korea, Asian, Korean, Ukraine
CVEs:
CVE-2020-1380 [Vulners]
Vulners: Score: 7.6, CVSS: 2.9,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft internet explorer (11)
TTPs:
Tactics: 9
Technics: 30
IOCs:
Path: 7
Registry: 1
Hash: 5
Softs:
internet explorer, chrome
Algorithms:
cbc, base64, zip, xor, aes
Win API:
GetAsyncKeyState
Languages:
javascript, python
Platforms:
x86, x64
Links:
https://github.com/microsoft/windows-classic-samples/tree/main/Samples/PortableDeviceCOMWelivesecurity
Who’s swimming in South Korean waters? Meet ScarCruft’s Dolphin
ESET researchers uncover Dolphin, a sophisticated backdoor extending the arsenal of the ScarCruft APT group
#ParsedReport
01-12-2022
Trigona ransomware spotted in increasing attacks worldwide
https://www.bleepingcomputer.com/news/security/trigona-ransomware-spotted-in-increasing-attacks-worldwide
Threats:
Trigona
Industry:
Financial
Geo:
Germany
IOCs:
File: 3
Softs:
lastpass
01-12-2022
Trigona ransomware spotted in increasing attacks worldwide
https://www.bleepingcomputer.com/news/security/trigona-ransomware-spotted-in-increasing-attacks-worldwide
Threats:
Trigona
Industry:
Financial
Geo:
Germany
IOCs:
File: 3
Softs:
lastpass
BleepingComputer
Trigona ransomware spotted in increasing attacks worldwide
A previously unnamed ransomware has rebranded under the name 'Trigona,' launching a new Tor negotiation site where they accept Monero as ransom payments.
#technique
Threat Analysis: MSI - Masquerading as a Software Installer
https://www.cybereason.com/blog/threat-analysis-msi-masquerading-as-software-installer
Threat Analysis: MSI - Masquerading as a Software Installer
https://www.cybereason.com/blog/threat-analysis-msi-masquerading-as-software-installer
Cybereason
Threat Analysis: MSI - Masquerading as a Software Installer
Learn how attackers embed malicious binaries in legitimate Microsoft Windows Installation (.msi). Find out how to detect this sophisticated technique.
#technique
Bypassing MFA with the Pass-the-Cookie Attack
https://blog.netwrix.com/2022/11/29/bypassing-mfa-with-pass-the-cookie-attack/
Bypassing MFA with the Pass-the-Cookie Attack
https://blog.netwrix.com/2022/11/29/bypassing-mfa-with-pass-the-cookie-attack/
Netwrix
Bypassing MFA with the Pass-the-Cookie Attack
Explore the Pass-the-Cookie attack, including how adversaries can bypass MFA authentication with it, and learn how to defend against it.
#ParsedReport
01-12-2022
Buyer Beware: Fake Cryptocurrency Applications Serving as Front for AppleJeus Malware
https://www.volexity.com/blog/2022/12/01/buyer-beware-fake-cryptocurrency-applications-serving-as-front-for-applejeus-malware
Actors/Campaigns:
Lazarus
Threats:
AppleJeus
Dll_sideloading_technique
Api_obfuscation_technique
Dll_hijacking_technique
Industry:
Financial
Geo:
Korean, Korea, Dprk
IOCs:
Domain: 7
File: 9
Path: 3
Hash: 18
Url: 1
Softs:
microsoft office, qtbitcointrader, microsoft excel, volexity volcano
Algorithms:
base64, xor
Functions:
OpenDrive, EXE
Languages:
php
YARA: Found
Links:
01-12-2022
Buyer Beware: Fake Cryptocurrency Applications Serving as Front for AppleJeus Malware
https://www.volexity.com/blog/2022/12/01/buyer-beware-fake-cryptocurrency-applications-serving-as-front-for-applejeus-malware
Actors/Campaigns:
Lazarus
Threats:
AppleJeus
Dll_sideloading_technique
Api_obfuscation_technique
Dll_hijacking_technique
Industry:
Financial
Geo:
Korean, Korea, Dprk
IOCs:
Domain: 7
File: 9
Path: 3
Hash: 18
Url: 1
Softs:
microsoft office, qtbitcointrader, microsoft excel, volexity volcano
Algorithms:
base64, xor
Functions:
OpenDrive, EXE
Languages:
php
YARA: Found
Links:
https://github.com/volexity/threat-intel/blob/main/2022/2022-12-01%20Buyer%20Beware%20-%20Fake%20Cryptocurrency%20Applications%20Serving%20as%20Front%20for%20AppleJeus%20Malware/yara.yar
https://github.com/volexity/threat-intel/blob/main/2022/2022-12-01%20Buyer%20Beware%20-%20Fake%20Cryptocurrency%20Applications%20Serving%20as%20Front%20for%20AppleJeus%20Malware/indicators.csv
https://github.com/JulyIGHOR/QtBitcoinTrader
https://github.com/volexity/threat-intelVolexity
₿uyer ₿eware: Fake Cryptocurrency Applications Serving as Front for AppleJeus Malware
Over the last few months, Volexity has observed new activity tied to a North Korean threat actor it tracks that is widely referred to as the Lazarus Group. This activity […]
#ParsedReport
01-12-2022
W4SP continues to nest in PyPI: Same supply chain attack, different distribution method
https://blog.reversinglabs.com/blog/w4sp-continues-to-nest-in-pypi-same-supply-chain-attack-different-distribution-method
Threats:
W4sp
Climax_loader
Typosquatting_technique
IOCs:
Url: 1
File: 3
IP: 2
Hash: 33
Softs:
discord, telegram
Algorithms:
base64, zip, lzma
Languages:
rust, python
YARA: Found
Links:
01-12-2022
W4SP continues to nest in PyPI: Same supply chain attack, different distribution method
https://blog.reversinglabs.com/blog/w4sp-continues-to-nest-in-pypi-same-supply-chain-attack-different-distribution-method
Threats:
W4sp
Climax_loader
Typosquatting_technique
IOCs:
Url: 1
File: 3
IP: 2
Hash: 33
Softs:
discord, telegram
Algorithms:
base64, zip, lzma
Languages:
rust, python
YARA: Found
Links:
https://github.com/cloudflare/cloudflared/releaseshttps://github.com/liftoff/pyminifierReversingLabs
W4SP continues to nest in PyPI: Same supply chain attack, different distribution method
Here's ReversingLabs' discoveries and indicators of compromise (IOCs) for W4SP, as well as links to our YARA rule that can be used to detect the malicious Python packages in your environment.
#ParsedReport
02-12-2022
ASEC Weekly Phishing Email Threat Trend (November 13th, 2022 November 19th, 2022 )
https://asec.ahnlab.com/en/43013
Threats:
Agent_tesla
Formbook
Smokeloader
Cloudeye
Industry:
Financial, Transport
Geo:
Korean
TTPs:
Tactics: 1
Technics: 1
IOCs:
File: 36
Url: 8
Algorithms:
zip
02-12-2022
ASEC Weekly Phishing Email Threat Trend (November 13th, 2022 November 19th, 2022 )
https://asec.ahnlab.com/en/43013
Threats:
Agent_tesla
Formbook
Smokeloader
Cloudeye
Industry:
Financial, Transport
Geo:
Korean
TTPs:
Tactics: 1
Technics: 1
IOCs:
File: 36
Url: 8
Algorithms:
zip
ASEC BLOG
ASEC Weekly Phishing Email Threat Trends (November 13th, 2022 - November 19th, 2022 ) - ASEC BLOG
The ASEC analysis team monitors phishing email threats with the ASEC automatic analysis system (RAPIT) and Honeypot. This post will cover the cases of distribution of phishing emails during the week from November 13th, 2022 to November 19th, 2022 and provide…
#ParsedReport
02-12-2022
ASEC Weekly Malware Statistics (November 21st, 2022 November 27th, 2022)
https://asec.ahnlab.com/en/43255
Threats:
Agent_tesla
Smokeloader
Beamwinhttp_loader
Garbage_cleaner
Amadey
Lockbit
Redline_stealer
Industry:
Financial
Geo:
Korea
IOCs:
Domain: 13
Email: 4
File: 13
Url: 22
Softs:
discord
02-12-2022
ASEC Weekly Malware Statistics (November 21st, 2022 November 27th, 2022)
https://asec.ahnlab.com/en/43255
Threats:
Agent_tesla
Smokeloader
Beamwinhttp_loader
Garbage_cleaner
Amadey
Lockbit
Redline_stealer
Industry:
Financial
Geo:
Korea
IOCs:
Domain: 13
Email: 4
File: 13
Url: 22
Softs:
discord
ASEC BLOG
ASEC Weekly Malware Statistics (November 21st, 2022 – November 27th, 2022) - ASEC BLOG
The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from November 21st, 2022 (Monday) to November 27th (Sunday). For the main category, downloader…
#ParsedReport
02-12-2022
FBI, CISA Issue Warning on Cuba Ransomware
https://www.cybereason.com/blog/fbi-cisa-warning-on-cuba-ransomware
Threats:
Cuba
Romcom_rat
Hancitor
Kerbercache_tool
Zerologon_vuln
Qakbot
Industry:
Government, Financial
CVEs:
CVE-2020-1472 [Vulners]
Vulners: Score: 9.3, CVSS: 3.8,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft windows server 2008 (r2)
- microsoft windows server 2012 (-, r2)
- microsoft windows server 2016 (-, 1903, 1909, 2004)
- microsoft windows server 2019 (-)
- fedoraproject fedora (31, 32, 33)
have more...
CVE-2022-24521 [Vulners]
Vulners: Score: 4.6, CVSS: 4.2,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft windows 10 (-, 20h2, 21h1, 21h2, 1607, 1809, 1909)
- microsoft windows 11 (-, -)
- microsoft windows 7 (-)
- microsoft windows 8.1 (-)
- microsoft windows rt 8.1 (-)
have more...
Softs:
active directory, local security authority
Languages:
jscript
02-12-2022
FBI, CISA Issue Warning on Cuba Ransomware
https://www.cybereason.com/blog/fbi-cisa-warning-on-cuba-ransomware
Threats:
Cuba
Romcom_rat
Hancitor
Kerbercache_tool
Zerologon_vuln
Qakbot
Industry:
Government, Financial
CVEs:
CVE-2020-1472 [Vulners]
Vulners: Score: 9.3, CVSS: 3.8,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft windows server 2008 (r2)
- microsoft windows server 2012 (-, r2)
- microsoft windows server 2016 (-, 1903, 1909, 2004)
- microsoft windows server 2019 (-)
- fedoraproject fedora (31, 32, 33)
have more...
CVE-2022-24521 [Vulners]
Vulners: Score: 4.6, CVSS: 4.2,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft windows 10 (-, 20h2, 21h1, 21h2, 1607, 1809, 1909)
- microsoft windows 11 (-, -)
- microsoft windows 7 (-)
- microsoft windows 8.1 (-)
- microsoft windows rt 8.1 (-)
have more...
Softs:
active directory, local security authority
Languages:
jscript
Cybereason
FBI, CISA Issue Warning on Cuba Ransomware
The FBI and CISA issued a joint advisory on Cuba ransomware actors. The advisory is the latest in the government’s #StopRansomware campaign.
#ParsedReport
05-12-2022
Aqua Nautilus Discovers Redigo New Redis Backdoor Malware
https://blog.aquasec.com/redigo-redis-backdoor-malware
Threats:
Nautilus
Redigo
CVEs:
CVE-2022-0543 [Vulners]
Vulners: Score: 10.0, CVSS: 4.8,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- redis (-)
- debian debian linux (9.0, 10.0, 11.0)
TTPs:
Tactics: 6
Technics: 0
IOCs:
File: 1
IP: 1
Hash: 2
Softs:
redis, scripting engine, debian
Languages:
lua, golang
Links:
05-12-2022
Aqua Nautilus Discovers Redigo New Redis Backdoor Malware
https://blog.aquasec.com/redigo-redis-backdoor-malware
Threats:
Nautilus
Redigo
CVEs:
CVE-2022-0543 [Vulners]
Vulners: Score: 10.0, CVSS: 4.8,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- redis (-)
- debian debian linux (9.0, 10.0, 11.0)
TTPs:
Tactics: 6
Technics: 0
IOCs:
File: 1
IP: 1
Hash: 2
Softs:
redis, scripting engine, debian
Languages:
lua, golang
Links:
https://github.com/aquasecurity/trivyhttps://github.com/aquasecurity/chain-benchhttps://github.com/aquasecurity/chain-bench/blob/main/docs/CIS-Software-Supply-Chain-Security-Guide-v1.0.pdfhttps://github.com/aquasecurity/traceeAqua
Aqua Nautilus Discovers Redigo — New Redis Backdoor Malware
Aqua Nautilus discovers Redigo, new previously undetected Go-based malware that targets Redis servers to gain domination on the compromised machine
#ParsedReport
05-12-2022
Blowing Cobalt Strike Out of the Water With Memory Analysis
https://unit42.paloaltonetworks.com/cobalt-strike-memory-analysis
Threats:
Cobalt_strike
Lithiumloader
Magnetloader
Beacon
Reflectiveloader
Dll_sideloading_technique
Metasploit_tool
Industry:
Education
Geo:
Thailand, Japan, Japanese
IOCs:
Hash: 12
File: 10
Path: 4
Domain: 1
Url: 2
Softs:
windows defender
Algorithms:
xor, base64
Functions:
load_shellcode
Win API:
NtCreateSection, NtMapViewOfSection, NtCreateFile, NtAllocateVirtualMemory, RtlCreateProcessParameters, RtlCreateUserProcess, RtlCreateUserThread, RtlExitUserProcess, DllCanUnloadNow, HeapAlloc, have more...
Platforms:
x86
Links:
05-12-2022
Blowing Cobalt Strike Out of the Water With Memory Analysis
https://unit42.paloaltonetworks.com/cobalt-strike-memory-analysis
Threats:
Cobalt_strike
Lithiumloader
Magnetloader
Beacon
Reflectiveloader
Dll_sideloading_technique
Metasploit_tool
Industry:
Education
Geo:
Thailand, Japan, Japanese
IOCs:
Hash: 12
File: 10
Path: 4
Domain: 1
Url: 2
Softs:
windows defender
Algorithms:
xor, base64
Functions:
load_shellcode
Win API:
NtCreateSection, NtMapViewOfSection, NtCreateFile, NtAllocateVirtualMemory, RtlCreateProcessParameters, RtlCreateUserProcess, RtlCreateUserThread, RtlExitUserProcess, DllCanUnloadNow, HeapAlloc, have more...
Platforms:
x86
Links:
https://github.com/curl/curl/blob/2610142139d14265ed9acf9ed83cdf73d6bb4d05/lib/easy.c#L727https://github.com/Sentinel-One/CobaltStrikeParserUnit 42
Blowing Cobalt Strike Out of the Water With Memory Analysis
Unit 42 researchers examine several malware samples that incorporate Cobalt Strike components, and discuss some of the ways that we catch these samples by analyzing artifacts from the deltas in process memory at key points of execution. We will also discuss…
#ParsedReport
05-12-2022
Chinese Gambling Spam Targets World Cup Keywords
https://blog.sucuri.net/2022/12/chinese-gambling-spam-targets-world-cup-keywords.html
Geo:
Chinese, Qatar, China
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 4
Url: 2
IP: 9
05-12-2022
Chinese Gambling Spam Targets World Cup Keywords
https://blog.sucuri.net/2022/12/chinese-gambling-spam-targets-world-cup-keywords.html
Geo:
Chinese, Qatar, China
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 4
Url: 2
IP: 9
Sucuri Blog
Chinese Gambling Spam Targets World Cup Keywords
In recent weeks, a massive Chinese SEO spam campaign redirecting search traffic to gambling and sports betting websites has begun leveraging World Cup keywords and search traffic.
#ParsedReport
05-12-2022
Exbyte: BlackByte. EXBYTE: BLACKBYTE Ransomware Attack Group develops new data theft tools
https://broadcom-software.security.com/japanese-broadcom-software/exbyte-blackbyteransamuueanogongjikurufukaxintanatetaqiequtsuruwozhankai
Actors/Campaigns:
Blackmatter
Blackcat
Unc3524
Threats:
Exbyte_stealer
Blackbyte
Megadumper_tool
Ollydbg_tool
Windbg_tool
Lockbit
Exmatter_tool
Ryuk
Stealbit
Proxylogon_exploit
Adfind_tool
Anydesk_tool
Netscan_tool
Powerview
Edrsandblast_tool
Vssadmin_tool
Conti
Revil
Geo:
Japanese
CVEs:
CVE-2021-34523 [Vulners]
Vulners: Score: 7.5, CVSS: 3.4,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
CVE-2021-27065 [Vulners]
Vulners: Score: 6.8, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft exchange server (2013, 2016, 2016, 2016, 2016, 2013, 2016, 2019, 2013, 2016, 2016, 2016, 2016, 2016, 2016, 2016, 2019, 2019, 2019, 2019, 2019, 2019, 2019)
CVE-2021-31207 [Vulners]
Vulners: Score: 6.5, CVSS: 1.7,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
CVE-2021-26855 [Vulners]
Vulners: Score: 7.5, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft exchange server (2016, 2016, 2013, 2016, 2016, 2013, 2016, 2019, 2013, 2016, 2016, 2016, 2016, 2016, 2016, 2016, 2019, 2019, 2019, 2019, 2019, 2019, 2019, 2019)
CVE-2021-34473 [Vulners]
Vulners: Score: 10.0, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
IOCs:
File: 20
Command: 15
Path: 1
IP: 1
Hash: 15
Url: 7
YARA: Found
Links:
05-12-2022
Exbyte: BlackByte. EXBYTE: BLACKBYTE Ransomware Attack Group develops new data theft tools
https://broadcom-software.security.com/japanese-broadcom-software/exbyte-blackbyteransamuueanogongjikurufukaxintanatetaqiequtsuruwozhankai
Actors/Campaigns:
Blackmatter
Blackcat
Unc3524
Threats:
Exbyte_stealer
Blackbyte
Megadumper_tool
Ollydbg_tool
Windbg_tool
Lockbit
Exmatter_tool
Ryuk
Stealbit
Proxylogon_exploit
Adfind_tool
Anydesk_tool
Netscan_tool
Powerview
Edrsandblast_tool
Vssadmin_tool
Conti
Revil
Geo:
Japanese
CVEs:
CVE-2021-34523 [Vulners]
Vulners: Score: 7.5, CVSS: 3.4,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
CVE-2021-27065 [Vulners]
Vulners: Score: 6.8, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft exchange server (2013, 2016, 2016, 2016, 2016, 2013, 2016, 2019, 2013, 2016, 2016, 2016, 2016, 2016, 2016, 2016, 2019, 2019, 2019, 2019, 2019, 2019, 2019)
CVE-2021-31207 [Vulners]
Vulners: Score: 6.5, CVSS: 1.7,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
CVE-2021-26855 [Vulners]
Vulners: Score: 7.5, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft exchange server (2016, 2016, 2013, 2016, 2016, 2013, 2016, 2019, 2013, 2016, 2016, 2016, 2016, 2016, 2016, 2016, 2019, 2019, 2019, 2019, 2019, 2019, 2019, 2019)
CVE-2021-34473 [Vulners]
Vulners: Score: 10.0, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
IOCs:
File: 20
Command: 15
Path: 1
IP: 1
Hash: 15
Url: 7
YARA: Found
Links:
https://github.com/wavestone-cdt/EDRSandblastSecurity
Exbyte: BlackByteランサムウェアの攻撃グループが新たなデータ窃取ツールを展開
Exbyteは、ランサムウェア攻撃者が標的組織からのデータ窃取を迅速化するために開発した最新のツールです。
#ParsedReport
05-12-2022
KoiVM Loader Resurfaces With a Bang
https://labs.k7computing.com/index.php/koivm-loader-resurfaces-with-a-bang
Threats:
Koivm
Remcos_rat
Agent_tesla
M4use_loader
Confuserex_tool
Process_injection_technique
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 2
Email: 1
Hash: 5
Url: 2
IP: 1
Algorithms:
base64, zip, rc4, xor
Languages:
python
Links:
05-12-2022
KoiVM Loader Resurfaces With a Bang
https://labs.k7computing.com/index.php/koivm-loader-resurfaces-with-a-bang
Threats:
Koivm
Remcos_rat
Agent_tesla
M4use_loader
Confuserex_tool
Process_injection_technique
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 2
Email: 1
Hash: 5
Url: 2
IP: 1
Algorithms:
base64, zip, rc4, xor
Languages:
python
Links:
https://github.com/dnSpyExhttps://github.com/Loksie/KoiVM-Virtualization#koivmhttps://github.com/yck1509/ConfuserExhttps://github.com/SychicBoy/NETReactorSlayerhttps://github.com/horsicq/Detect-It-Easyhttps://github.com/Loksie/KoiVM-Virtualization#:\~:text=first%20one%20is%20certainly%20ridiculous%20as%20it%20will%20%22merge%22%20with%20cex%20and%20virtualize%20every%20single%20method%2C%20including%20protections%20from%20ConfuserEX%2C%20however%20note%20that%20this%20might%20KILL%20your%20performanK7 Labs
KoiVM Loader Resurfaces With a Bang
We at K7 Labs recently found an interesting new .NET loader which downloads and executes KoiVM virtualized binary, which in […]
#ParsedReport
05-12-2022
ASEC (20221120 \~ 20221126). ASEC Weekly phishing email threat trend (20221120 \~ 20221126)
https://asec.ahnlab.com/ko/43163
Threats:
Agent_tesla
Formbook
Purecrypter
Industry:
Transport, Financial
Geo:
Mongolian, Korean
TTPs:
IOCs:
File: 46
Url: 9
Algorithms:
zip
05-12-2022
ASEC (20221120 \~ 20221126). ASEC Weekly phishing email threat trend (20221120 \~ 20221126)
https://asec.ahnlab.com/ko/43163
Threats:
Agent_tesla
Formbook
Purecrypter
Industry:
Transport, Financial
Geo:
Mongolian, Korean
TTPs:
IOCs:
File: 46
Url: 9
Algorithms:
zip
ASEC BLOG
ASEC 주간 피싱 이메일 위협 트렌드 (20221120 ~ 20221126) - ASEC BLOG
ASEC 분석팀에서는 샘플 자동 분석 시스템(RAPIT)과 허니팟을 활용하여 피싱 이메일 위협을 모니터링하고 있다. 본 포스팅에서는 2022년 11월 20일부터 11월 26일까지 한 주간 확인된 피싱 이메일 공격의 유포 사례와 이를 유형별로 분류한 통계 정보를 제공한다. 일반적으로 피싱은 공격자가 사회공학 기법을 이용하여 주로 이메일을 통해 기관, 기업, 개인 등으로 위장하거나 사칭함으로써 사용자의 로그인 계정(크리덴셜) 정보를 유출하는 공격을 의미한다.…
#ParsedReport
05-12-2022
Exposed Remote Desktop Protocol actively targeted by Threat Actors to deploy Ransomware
https://blog.cyble.com/2022/12/02/exposed-remote-desktop-protocol-actively-targeted-by-threat-actors-to-deploy-ransomware
Threats:
Redeemer
Vohuk
Amelia
Blackhunt
Daixin
Medusalocker
Conti
Bluekeep_vuln
Industry:
Financial, Government, Telco
Geo:
Korea, India, Vietnam, Russian, Netherlands, Russia
CVEs:
CVE-2019-0708 [Vulners]
Vulners: Score: 10.0, CVSS: 5.4,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft windows vista (-)
- microsoft windows server 2008 (r2, r2, -)
- microsoft windows xp (-, -)
- microsoft windows server 2003 (-, -, r2)
- microsoft windows 7 (-)
have more...
IOCs:
File: 1
Hash: 3
Softs:
remote desktop services
05-12-2022
Exposed Remote Desktop Protocol actively targeted by Threat Actors to deploy Ransomware
https://blog.cyble.com/2022/12/02/exposed-remote-desktop-protocol-actively-targeted-by-threat-actors-to-deploy-ransomware
Threats:
Redeemer
Vohuk
Amelia
Blackhunt
Daixin
Medusalocker
Conti
Bluekeep_vuln
Industry:
Financial, Government, Telco
Geo:
Korea, India, Vietnam, Russian, Netherlands, Russia
CVEs:
CVE-2019-0708 [Vulners]
Vulners: Score: 10.0, CVSS: 5.4,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft windows vista (-)
- microsoft windows server 2008 (r2, r2, -)
- microsoft windows xp (-, -)
- microsoft windows server 2003 (-, -, r2)
- microsoft windows 7 (-)
have more...
IOCs:
File: 1
Hash: 3
Softs:
remote desktop services
Cyble
Exposed RDP Actively Targeted By Threat Actors To Deploy Ransomware
Exposed RDP (Remote Desktop Protocol) is being actively targeted by cybercriminals to deploy ransomware. Learn how to secure your RDP access and protect your systems from these attacks.
#ParsedReport
05-12-2022
. Distribution of phishing mail impersonating quasi -governmental organizations
https://asec.ahnlab.com/ko/43341
Industry:
Government
Geo:
Korea
IOCs:
Url: 2
05-12-2022
. Distribution of phishing mail impersonating quasi -governmental organizations
https://asec.ahnlab.com/ko/43341
Industry:
Government
Geo:
Korea
IOCs:
Url: 2
ASEC BLOG
준정부기관을 사칭한 피싱 메일 유포 - ASEC BLOG
ASEC 분석팀은 최근 비영리 정부기관을 사칭한 피싱메일이 유포되고 있는 정황을 확인하였다. 중소벤처기업진흥공단(KOSME)에서 서비스하는 고비즈코리아(GobizKOREA)의 로그인 화면을 위장한 웹페이지를 사용하여 사용자의 로그인을 유도하기 때문에, 무역 분야에 종사하는 사용자들의 각별한 주의가 필요하다. 피싱메일의 제목 및 본문은 다음과 같다.메일 본문에는 바이어의 새로운 문의가 등록되었다는 내용이 있으며, 본문에 포함된 다섯개의 모든 하이퍼링크에는…
#ParsedReport
05-12-2022
Hitching a ride with Mustang Panda
https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups
Actors/Campaigns:
Red_delta
Luminousmoth
Nightscout
Threats:
Plugx_rat
Hodur_rat
Uac_bypass_technique
Nbtscan_tool
Industry:
Petroleum, Financial, Ngo, Government
Geo:
Pacific, Czech, Chinese, Myanmar, American, Vietnam, Burmese, Mongolia, Russia, Malaysia, Canada, Myanmars, Australia, Usa, China, France, Asian, Netherlands, Serbia, Israel, Tatarstan
TTPs:
Tactics: 2
Technics: 0
IOCs:
File: 109
Domain: 6
IP: 38
Hash: 129
Softs:
microsoft office, chrome, opera, telegram, vivaldi
Algorithms:
xor, exhibit
Functions:
GDU1_NEW, GDU_OLD
Languages:
delphi, javascript
05-12-2022
Hitching a ride with Mustang Panda
https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups
Actors/Campaigns:
Red_delta
Luminousmoth
Nightscout
Threats:
Plugx_rat
Hodur_rat
Uac_bypass_technique
Nbtscan_tool
Industry:
Petroleum, Financial, Ngo, Government
Geo:
Pacific, Czech, Chinese, Myanmar, American, Vietnam, Burmese, Mongolia, Russia, Malaysia, Canada, Myanmars, Australia, Usa, China, France, Asian, Netherlands, Serbia, Israel, Tatarstan
TTPs:
Tactics: 2
Technics: 0
IOCs:
File: 109
Domain: 6
IP: 38
Hash: 129
Softs:
microsoft office, chrome, opera, telegram, vivaldi
Algorithms:
xor, exhibit
Functions:
GDU1_NEW, GDU_OLD
Languages:
delphi, javascript
Gendigital
Hitching a ride with Mustang Panda
APT Campaign Targets Myanmar Government
#ParsedReport
05-12-2022
. Analysis of the network attack activity of Torii remote control of the sea lotus organization
https://www.antiy.cn/research/notice&report/research_report/20221202.html
Actors/Campaigns:
Oceanlotus (motivation: information_theft)
Threats:
Torii_botnet
Kerrdown
Phantomlance
Cobalt_strike
Industry:
Government, Iot
Geo:
China
TTPs:
Tactics: 3
Technics: 0
IOCs:
File: 6
Softs:
android, macos, crontab
Algorithms:
aes, aes-128, rc4, gzip
Platforms:
x86, mips, arm, x64
05-12-2022
. Analysis of the network attack activity of Torii remote control of the sea lotus organization
https://www.antiy.cn/research/notice&report/research_report/20221202.html
Actors/Campaigns:
Oceanlotus (motivation: information_theft)
Threats:
Torii_botnet
Kerrdown
Phantomlance
Cobalt_strike
Industry:
Government, Iot
Geo:
China
TTPs:
Tactics: 3
Technics: 0
IOCs:
File: 6
Softs:
android, macos, crontab
Algorithms:
aes, aes-128, rc4, gzip
Platforms:
x86, mips, arm, x64
www.antiy.cn
海莲花组织Torii远控的网络攻击活动分析
安天CERT捕获到一批活跃中的物联网远控木马,背发现该木马属于Torii僵尸网络家族的升级版本,与海莲花组织的同类远控木马存在一定的同源性和差别,且在依托的网络资产上与早期海莲花组织的攻击活动也存在重叠。