#ParsedReport
02-12-2022
ASEC Weekly Phishing Email Threat Trend (November 13th, 2022 - November 19th, 2022)
https://asec.ahnlab.com/en/43013
Threats:
Agent_tesla
Formbook
Smokeloader
Cloudeye
Industry:
Financial, Transport
Geo:
Korean
TTPs:
Tactics: 1
Technics: 1
IOCs:
File: 36
Url: 8
Algorithms:
zip
ASEC BLOG
ASEC Weekly Phishing Email Threat Trends (November 13th, 2022 - November 19th, 2022) - ASEC BLOG
The ASEC analysis team monitors phishing email threats with the ASEC automatic analysis system (RAPIT) and Honeypot. This post will cover the cases of distribution of phishing emails during the week from November 13th, 2022 to November 19th, 2022 and provide…
#ParsedReport
02-12-2022
ASEC Weekly Malware Statistics (November 21st, 2022 - November 27th, 2022)
https://asec.ahnlab.com/en/43255
Threats:
Agent_tesla
Smokeloader
Beamwinhttp_loader
Garbage_cleaner
Amadey
Lockbit
Redline_stealer
Industry:
Financial
Geo:
Korea
IOCs:
Domain: 13
Email: 4
File: 13
Url: 22
Softs:
discord
ASEC BLOG
ASEC Weekly Malware Statistics (November 21st, 2022 – November 27th, 2022) - ASEC BLOG
The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from November 21st, 2022 (Monday) to November 27th (Sunday). For the main category, downloader…
#ParsedReport
02-12-2022
FBI, CISA Issue Warning on Cuba Ransomware
https://www.cybereason.com/blog/fbi-cisa-warning-on-cuba-ransomware
Threats:
Cuba
Romcom_rat
Hancitor
Kerbercache_tool
Zerologon_vuln
Qakbot
Industry:
Government, Financial
CVEs:
CVE-2020-1472 [Vulners]
Vulners: Score: 9.3, CVSS: 3.8,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft windows server 2008 (r2)
- microsoft windows server 2012 (-, r2)
- microsoft windows server 2016 (-, 1903, 1909, 2004)
- microsoft windows server 2019 (-)
- fedoraproject fedora (31, 32, 33)
have more...
CVE-2022-24521 [Vulners]
Vulners: Score: 4.6, CVSS: 4.2,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft windows 10 (-, 20h2, 21h1, 21h2, 1607, 1809, 1909)
- microsoft windows 11 (-, -)
- microsoft windows 7 (-)
- microsoft windows 8.1 (-)
- microsoft windows rt 8.1 (-)
have more...
Softs:
active directory, local security authority
Languages:
jscript
Cybereason
FBI, CISA Issue Warning on Cuba Ransomware
The FBI and CISA issued a joint advisory on Cuba ransomware actors. The advisory is the latest in the government’s #StopRansomware campaign.
#ParsedReport
05-12-2022
Aqua Nautilus Discovers Redigo New Redis Backdoor Malware
https://blog.aquasec.com/redigo-redis-backdoor-malware
Threats:
Nautilus
Redigo
CVEs:
CVE-2022-0543 [Vulners]
Vulners: Score: 10.0, CVSS: 4.8,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- redis (-)
- debian debian linux (9.0, 10.0, 11.0)
TTPs:
Tactics: 6
Technics: 0
IOCs:
File: 1
IP: 1
Hash: 2
Softs:
redis, scripting engine, debian
Languages:
lua, golang
Links:
https://github.com/aquasecurity/trivy
https://github.com/aquasecurity/chain-bench
https://github.com/aquasecurity/chain-bench/blob/main/docs/CIS-Software-Supply-Chain-Security-Guide-v1.0.pdf
https://github.com/aquasecurity/tracee
Aqua
Aqua Nautilus Discovers Redigo — New Redis Backdoor Malware
Aqua Nautilus discovers Redigo, new previously undetected Go-based malware that targets Redis servers to gain domination on the compromised machine
#ParsedReport
05-12-2022
Blowing Cobalt Strike Out of the Water With Memory Analysis
https://unit42.paloaltonetworks.com/cobalt-strike-memory-analysis
Threats:
Cobalt_strike
Lithiumloader
Magnetloader
Beacon
Reflectiveloader
Dll_sideloading_technique
Metasploit_tool
Industry:
Education
Geo:
Thailand, Japan, Japanese
IOCs:
Hash: 12
File: 10
Path: 4
Domain: 1
Url: 2
Softs:
windows defender
Algorithms:
xor, base64
Functions:
load_shellcode
Win API:
NtCreateSection, NtMapViewOfSection, NtCreateFile, NtAllocateVirtualMemory, RtlCreateProcessParameters, RtlCreateUserProcess, RtlCreateUserThread, RtlExitUserProcess, DllCanUnloadNow, HeapAlloc, have more...
Platforms:
x86
Links:
https://github.com/curl/curl/blob/2610142139d14265ed9acf9ed83cdf73d6bb4d05/lib/easy.c#L727
https://github.com/Sentinel-One/CobaltStrikeParser
Unit 42
Blowing Cobalt Strike Out of the Water With Memory Analysis
Unit 42 researchers examine several malware samples that incorporate Cobalt Strike components, and discuss some of the ways that we catch these samples by analyzing artifacts from the deltas in process memory at key points of execution. We will also discuss…
#ParsedReport
05-12-2022
Chinese Gambling Spam Targets World Cup Keywords
https://blog.sucuri.net/2022/12/chinese-gambling-spam-targets-world-cup-keywords.html
Geo:
Chinese, Qatar, China
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 4
Url: 2
IP: 9
Sucuri Blog
Chinese Gambling Spam Targets World Cup Keywords
In recent weeks, a massive Chinese SEO spam campaign redirecting search traffic to gambling and sports betting websites has begun leveraging World Cup keywords and search traffic.
#ParsedReport
05-12-2022
Exbyte: BlackByte Ransomware Attack Group Develops New Data Theft Tools
https://broadcom-software.security.com/japanese-broadcom-software/exbyte-blackbyteransamuueanogongjikurufukaxintanatetaqiequtsuruwozhankai
Actors/Campaigns:
Blackmatter
Blackcat
Unc3524
Threats:
Exbyte_stealer
Blackbyte
Megadumper_tool
Ollydbg_tool
Windbg_tool
Lockbit
Exmatter_tool
Ryuk
Stealbit
Proxylogon_exploit
Adfind_tool
Anydesk_tool
Netscan_tool
Powerview
Edrsandblast_tool
Vssadmin_tool
Conti
Revil
Geo:
Japanese
CVEs:
CVE-2021-34523 [Vulners]
Vulners: Score: 7.5, CVSS: 3.4,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft exchange server (2013, 2016, 2019)
CVE-2021-27065 [Vulners]
Vulners: Score: 6.8, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft exchange server (2013, 2016, 2019)
CVE-2021-31207 [Vulners]
Vulners: Score: 6.5, CVSS: 1.7,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft exchange server (2013, 2016, 2019)
CVE-2021-26855 [Vulners]
Vulners: Score: 7.5, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft exchange server (2013, 2016, 2019)
CVE-2021-34473 [Vulners]
Vulners: Score: 10.0, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft exchange server (2013, 2016, 2019)
IOCs:
File: 20
Command: 15
Path: 1
IP: 1
Hash: 15
Url: 7
YARA: Found
Links:
https://github.com/wavestone-cdt/EDRSandblast
Security
Exbyte: BlackByte Ransomware Attack Group Deploys New Data Theft Tool
Exbyte is the latest tool developed by ransomware attackers to speed up the theft of data from targeted organizations.
#ParsedReport
05-12-2022
KoiVM Loader Resurfaces With a Bang
https://labs.k7computing.com/index.php/koivm-loader-resurfaces-with-a-bang
Threats:
Koivm
Remcos_rat
Agent_tesla
M4use_loader
Confuserex_tool
Process_injection_technique
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 2
Email: 1
Hash: 5
Url: 2
IP: 1
Algorithms:
base64, zip, rc4, xor
Languages:
python
Links:
https://github.com/dnSpyEx
https://github.com/Loksie/KoiVM-Virtualization#koivm
https://github.com/yck1509/ConfuserEx
https://github.com/SychicBoy/NETReactorSlayer
https://github.com/horsicq/Detect-It-Easy
https://github.com/Loksie/KoiVM-Virtualization#:~:text=first%20one%20is%20certainly%20ridiculous%20as%20it%20will%20%22merge%22%20with%20cex%20and%20virtualize%20every%20single%20method%2C%20including%20protections%20from%20ConfuserEX%2C%20however%20note%20that%20this%20might%20KILL%20your%20performan
K7 Labs
KoiVM Loader Resurfaces With a Bang
We at K7 Labs recently found an interesting new .NET loader which downloads and executes KoiVM virtualized binary, which in […]
#ParsedReport
05-12-2022
ASEC Weekly Phishing Email Threat Trend (20221120 ~ 20221126)
https://asec.ahnlab.com/ko/43163
Threats:
Agent_tesla
Formbook
Purecrypter
Industry:
Transport, Financial
Geo:
Mongolian, Korean
TTPs:
IOCs:
File: 46
Url: 9
Algorithms:
zip
ASEC BLOG
ASEC Weekly Phishing Email Threat Trend (20221120 ~ 20221126) - ASEC BLOG
The ASEC analysis team monitors phishing email threats using the automatic sample analysis system (RAPIT) and honeypots. This post covers the distribution cases of phishing email attacks identified during the week of November 20 to November 26, 2022, and provides statistics classified by type. In general, phishing refers to an attack in which the attacker uses social engineering, mostly via email, to disguise themselves as or impersonate an institution, company or individual in order to steal the user's login account (credential) information.…
#ParsedReport
05-12-2022
Exposed Remote Desktop Protocol actively targeted by Threat Actors to deploy Ransomware
https://blog.cyble.com/2022/12/02/exposed-remote-desktop-protocol-actively-targeted-by-threat-actors-to-deploy-ransomware
Threats:
Redeemer
Vohuk
Amelia
Blackhunt
Daixin
Medusalocker
Conti
Bluekeep_vuln
Industry:
Financial, Government, Telco
Geo:
Korea, India, Vietnam, Russian, Netherlands, Russia
CVEs:
CVE-2019-0708 [Vulners]
Vulners: Score: 10.0, CVSS: 5.4,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft windows vista (-)
- microsoft windows server 2008 (r2, r2, -)
- microsoft windows xp (-, -)
- microsoft windows server 2003 (-, -, r2)
- microsoft windows 7 (-)
have more...
IOCs:
File: 1
Hash: 3
Softs:
remote desktop services
Cyble
Exposed RDP Actively Targeted By Threat Actors To Deploy Ransomware
Exposed RDP (Remote Desktop Protocol) is being actively targeted by cybercriminals to deploy ransomware. Learn how to secure your RDP access and protect your systems from these attacks.
#ParsedReport
05-12-2022
Distribution of Phishing Mail Impersonating Quasi-Governmental Organizations
https://asec.ahnlab.com/ko/43341
Industry:
Government
Geo:
Korea
IOCs:
Url: 2
ASEC BLOG
Distribution of Phishing Mail Impersonating a Quasi-Governmental Organization - ASEC BLOG
The ASEC analysis team recently confirmed that phishing emails impersonating a non-profit government agency are being distributed. Because they use a web page disguised as the login screen of GobizKOREA, a service operated by the Korea SMEs and Startups Agency (KOSME), to lure users into logging in, users working in the trade sector need to be particularly careful. The subject and body of the phishing email are as follows. The body states that a new inquiry from a buyer has been registered, and all five hyperlinks included in the body…
#ParsedReport
05-12-2022
Hitching a ride with Mustang Panda
https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups
Actors/Campaigns:
Red_delta
Luminousmoth
Nightscout
Threats:
Plugx_rat
Hodur_rat
Uac_bypass_technique
Nbtscan_tool
Industry:
Petroleum, Financial, Ngo, Government
Geo:
Pacific, Czech, Chinese, Myanmar, American, Vietnam, Burmese, Mongolia, Russia, Malaysia, Canada, Myanmars, Australia, Usa, China, France, Asian, Netherlands, Serbia, Israel, Tatarstan
TTPs:
Tactics: 2
Technics: 0
IOCs:
File: 109
Domain: 6
IP: 38
Hash: 129
Softs:
microsoft office, chrome, opera, telegram, vivaldi
Algorithms:
xor, exhibit
Functions:
GDU1_NEW, GDU_OLD
Languages:
delphi, javascript
Gendigital
Hitching a ride with Mustang Panda
APT Campaign Targets Myanmar Government
#ParsedReport
05-12-2022
Analysis of the OceanLotus Group's Torii Remote Control Trojan Network Attack Activity
https://www.antiy.cn/research/notice&report/research_report/20221202.html
Actors/Campaigns:
Oceanlotus (motivation: information_theft)
Threats:
Torii_botnet
Kerrdown
Phantomlance
Cobalt_strike
Industry:
Government, Iot
Geo:
China
TTPs:
Tactics: 3
Technics: 0
IOCs:
File: 6
Softs:
android, macos, crontab
Algorithms:
aes, aes-128, rc4, gzip
Platforms:
x86, mips, arm, x64
www.antiy.cn
Analysis of the OceanLotus Group's Torii Remote Control Trojan Network Attack Activity
Antiy CERT captured a batch of active IoT remote-control trojans and found that they belong to an upgraded version of the Torii botnet family. They share a degree of common origin with, and also differ from, similar remote-control trojans of the OceanLotus group, and the network assets they rely on also overlap with earlier OceanLotus attack activity.
#ParsedReport
05-12-2022
Schoolyard Bully Trojan Facebook Credential Stealer
https://www.zimperium.com/blog/schoolyard-bully-trojan-facebook-credential-stealer
Threats:
Schoolyardbully
Flytrap
Industry:
Financial, Chemical
Geo:
Vietnamese, Nederlands
TTPs:
Tactics: 1
Technics: 0
IOCs:
Hash: 175
Softs:
android, google chrome, mozilla firefox, opera, microsoft edge
Algorithms:
zip
Languages:
java, javascript
Platforms:
apple
Zimperium
Schoolyard Bully Trojan Facebook Credential Stealer - Zimperium
Zimperium zLabs has discovered a new Android threat campaign, the Schoolyard Bully Trojan, which has been active since 2018 and has spread to over 300,000 victims and is specifically targeting Facebook credentials. To learn more about this new threat, read…
#ParsedReport
05-12-2022
Alert (AA22-335A)
https://us-cert.cisa.gov/ncas/alerts/aa22-335a
Actors/Campaigns:
Lapsus
Threats:
Cuba
Romcom_rat
Ransomware.gov
Hancitor
Kerberoasting_technique
Kerbercache_tool
Zerologon_vuln
Qakbot
Impacket_tool
Meterpreter_tool
Iobit_tool
Powerview
Industry:
Foodtech, Government, E-commerce, Healthcare, Financial
Geo:
Ukrainian, Ukraine
CVEs:
CVE-2022-24521 [Vulners]
Vulners: Score: 4.6, CVSS: 4.2,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft windows 10 (-, 20h2, 21h1, 21h2, 1607, 1809, 1909)
- microsoft windows 11 (-, -)
- microsoft windows 7 (-)
- microsoft windows 8.1 (-)
- microsoft windows rt 8.1 (-)
have more...
CVE-2020-1472 [Vulners]
Vulners: Score: 9.3, CVSS: 3.8,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft windows server 2008 (r2)
- microsoft windows server 2012 (-, r2)
- microsoft windows server 2016 (-, 1903, 1909, 2004)
- microsoft windows server 2019 (-)
- fedoraproject fedora (31, 32, 33)
have more...
TTPs:
Tactics: 8
Technics: 13
IOCs:
File: 71
Path: 1
Hash: 48
IP: 53
Email: 4
Softs:
active directory, local security authority, keepass
www.cisa.gov
#StopRansomware: Cuba Ransomware | CISA
Actions to take today to mitigate cyber threats from ransomware: • Prioritize remediating known exploited vulnerabilities. • Train users to recognize and report phishing attempts. • Enable and enforce phishing-resistant multifactor authentication.
#ParsedReport
06-12-2022
Technical Analysis of the Winbox Payload in WindiGo
https://www.nozominetworks.com/blog/technical-analysis-of-the-winbox-payload-in-windigo
Threats:
Windigo
Plaguebot
Meris_botnet
Revil
Glupteba
Mirai
Industry:
Telco, Iot
Geo:
Brazil, China, Vietnam
CVEs:
CVE-2018-14847 [Vulners]
Vulners: Score: 6.4, CVSS: 5.7,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- mikrotik routeros (le6.42)
TTPs:
Tactics: 1
Technics: 0
IOCs:
Hash: 4
File: 1
Domain: 17
Registry: 3
Nozominetworks
Technical Analysis of the Winbox Payload in WindiGo
This blog provides a technical analysis of WindiGo as well as Indicators of Compromise (IoCs) you can use to detect WindiGo in your network.
#ParsedReport
06-12-2022
Danger Lurking in GitHub Repositories
https://socradar.io/danger-lurking-in-github-repositories
Threats:
Repojacking_technique
Bluekeep_vuln
Houdini_rat
CVEs:
CVE-2019-0708 [Vulners]
Vulners: Score: 10.0, CVSS: 5.4,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft windows vista (-)
- microsoft windows server 2008 (r2, r2, -)
- microsoft windows xp (-, -)
- microsoft windows server 2003 (-, -, r2)
- microsoft windows 7 (-)
have more...
IOCs:
IP: 1
Hash: 27
File: 2
Algorithms:
base64
Languages:
python
Links:
https://docs.github.com/en/repositories/creating-and-managing-repositories/transferring-a-repository
SOCRadar® Cyber Intelligence Inc.
Danger Lurking in GitHub Repositories - SOCRadar® Cyber Intelligence Inc.
As a threat actor claims, up to 14 million GitHub users and repository credentials have been stolen recently and offered for sale.
#ParsedReport
06-12-2022
TgRat spyware detected
https://www.ptsecurity.com/ru-ru/research/pt-esc-threat-intelligence/vyyavlen-virus-shpion-tgrat
Threats:
Tgrat
Impacket_tool
Mimikatz_tool
IOCs:
File: 5
Softs:
telegram
Algorithms:
aes
Links:
https://github.com/wrwrabbit/telegram-bot-api-go
ptsecurity.com
PT ESC Threat Intelligence Blog
In this blog you can find information on current attacks by hacker groups around the world, analysis of their tools, incident information, the groups' TTPs, indicators of compromise and the names of the detections in our products.
#ParsedReport
06-12-2022
The Story of a Ransomware Turning into an Accidental Wiper
https://www.fortinet.com/blog/threat-research/The-story-of-a-ransomware-turning-into-an-accidental-wiper
Threats:
Cryptonite
Cyberdevilz_actor
Amsi_bypass_technique
W32/filecoder.ky!tr
W32/filecoder.ky!tr.ransom
Industry:
Financial
IOCs:
Hash: 1
File: 2
Url: 1
Domain: 1
Softs:
pyinstaller
Functions:
findFiles, warningScreen
Languages:
python
Fortinet Blog
The Story of a Ransomware Turning into an Accidental Wiper | FortiGuard Labs
FortiGuard Labs provides a deeper analysis of an open-source Cryptonite ransomware sample that never offers a decryption window, but instead acts as wiper malware. Read to find out more.…
#ParsedReport
06-12-2022
Calisto show interests into entities involved in Ukraine war support
https://blog.sekoia.io/calisto-show-interests-into-entities-involved-in-ukraine-war-support
Actors/Campaigns:
Calisto
Coldriver
Gamaredon
Apt31
Threats:
Typosquatting_technique
Evilginx_tool
Velar
Industry:
Logistic, Ngo
Geo:
Ukraine, Russian, Indian, African, Syrian, Polish, Ukrainian
IOCs:
Domain: 5
SIGMA: Found
Sekoia.io Blog
Calisto show interests into entities involved in Ukraine war support
Calisto (aka Callisto, COLDRIVER) is suspected to be a Russian-nexus intrusion set active since at least April 2017. Although it was not publicly attributed to any Russian intelligence service, past Calisto operations showed objectives and victimology that…
#ParsedReport
06-12-2022
Vice Society: Profiling a Persistent Threat to the Education Sector
https://unit42.paloaltonetworks.com/vice-society-targets-education-sector
Actors/Campaigns:
Vice_society (motivation: cyber_criminal)
Unc2447
Threats:
Hellokitty
Printnightmare_vuln
Lockbit
Fivehands
Zeppelin
Lotl_technique
Blackcat
Bloodhound_tool
Systembc
Avoslocker
Sombrat_rat
Industry:
Education, Financial, Healthcare, Government, E-commerce, Ngo
Geo:
Emea, Germany, America, Japan, California, Spain, France, Italy, Apac, Brazil
CVEs:
CVE-2021-34527 [Vulners]
Vulners: Score: 9.0, CVSS: 3.7,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft windows server 2008 (r2, -)
- microsoft windows server 2012 (r2, -)
- microsoft windows 10 (1607, -, 20h2, 21h1, 1809, 1909, 2004)
- microsoft windows 8.1 (-)
- microsoft windows server 2016 (-, 20h2, 2004)
have more...
CVE-2021-1675 [Vulners]
Vulners: Score: 9.3, CVSS: 3.5,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft windows server 2008 (r2, -)
- microsoft windows server 2012 (r2, -)
- microsoft windows 10 (1607, -, 20h2, 21h1, 1809, 1909, 2004)
- microsoft windows 8.1 (-)
- microsoft windows server 2016 (-)
have more...
TTPs:
Tactics: 11
Technics: 0
IOCs:
Domain: 5
File: 4
Email: 14
Registry: 1
Hash: 15
Path: 1
Softs:
esxi, psexec, windows defender, microsoft defender, local security authority, active directory, windows print spooler
Algorithms:
aes
Unit 42
Vice Society: Profiling a Persistent Threat to the Education Sector
Vice Society, a ransomware gang, has been involved in high-profile activity against schools this year.