#ParsedReport
05-12-2022
Blowing Cobalt Strike Out of the Water With Memory Analysis
https://unit42.paloaltonetworks.com/cobalt-strike-memory-analysis
Threats:
Cobalt_strike
Lithiumloader
Magnetloader
Beacon
Reflectiveloader
Dll_sideloading_technique
Metasploit_tool
Industry:
Education
Geo:
Thailand, Japan, Japanese
IOCs:
Hash: 12
File: 10
Path: 4
Domain: 1
Url: 2
Softs:
windows defender
Algorithms:
xor, base64
Functions:
load_shellcode
Win API:
NtCreateSection, NtMapViewOfSection, NtCreateFile, NtAllocateVirtualMemory, RtlCreateProcessParameters, RtlCreateUserProcess, RtlCreateUserThread, RtlExitUserProcess, DllCanUnloadNow, HeapAlloc, have more...
Platforms:
x86
Links:
https://github.com/curl/curl/blob/2610142139d14265ed9acf9ed83cdf73d6bb4d05/lib/easy.c#L727
https://github.com/Sentinel-One/CobaltStrikeParser
Unit 42
Blowing Cobalt Strike Out of the Water With Memory Analysis
Unit 42 researchers examine several malware samples that incorporate Cobalt Strike components, and discuss some of the ways that we catch these samples by analyzing artifacts from the deltas in process memory at key points of execution. We will also discuss…
#ParsedReport
05-12-2022
Chinese Gambling Spam Targets World Cup Keywords
https://blog.sucuri.net/2022/12/chinese-gambling-spam-targets-world-cup-keywords.html
Geo:
Chinese, Qatar, China
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 4
Url: 2
IP: 9
Sucuri Blog
Chinese Gambling Spam Targets World Cup Keywords
In recent weeks, a massive Chinese SEO spam campaign redirecting search traffic to gambling and sports betting websites has begun leveraging World Cup keywords and search traffic.
#ParsedReport
05-12-2022
Exbyte: BlackByte Ransomware Attack Group Develops New Data Theft Tools
https://broadcom-software.security.com/japanese-broadcom-software/exbyte-blackbyteransamuueanogongjikurufukaxintanatetaqiequtsuruwozhankai
Actors/Campaigns:
Blackmatter
Blackcat
Unc3524
Threats:
Exbyte_stealer
Blackbyte
Megadumper_tool
Ollydbg_tool
Windbg_tool
Lockbit
Exmatter_tool
Ryuk
Stealbit
Proxylogon_exploit
Adfind_tool
Anydesk_tool
Netscan_tool
Powerview
Edrsandblast_tool
Vssadmin_tool
Conti
Revil
Geo:
Japanese
CVEs:
CVE-2021-34523 [Vulners]
Vulners: Score: 7.5, CVSS: 3.4,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
CVE-2021-27065 [Vulners]
Vulners: Score: 6.8, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft exchange server (2013, 2016, 2016, 2016, 2016, 2013, 2016, 2019, 2013, 2016, 2016, 2016, 2016, 2016, 2016, 2016, 2019, 2019, 2019, 2019, 2019, 2019, 2019)
CVE-2021-31207 [Vulners]
Vulners: Score: 6.5, CVSS: 1.7,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
CVE-2021-26855 [Vulners]
Vulners: Score: 7.5, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft exchange server (2016, 2016, 2013, 2016, 2016, 2013, 2016, 2019, 2013, 2016, 2016, 2016, 2016, 2016, 2016, 2016, 2019, 2019, 2019, 2019, 2019, 2019, 2019, 2019)
CVE-2021-34473 [Vulners]
Vulners: Score: 10.0, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
IOCs:
File: 20
Command: 15
Path: 1
IP: 1
Hash: 15
Url: 7
YARA: Found
Links:
https://github.com/wavestone-cdt/EDRSandblast
Security
Exbyte: BlackByte Ransomware Attack Group Deploys New Data Theft Tool
Exbyte is the latest tool developed by ransomware attackers to speed up data theft from targeted organizations.
#ParsedReport
05-12-2022
KoiVM Loader Resurfaces With a Bang
https://labs.k7computing.com/index.php/koivm-loader-resurfaces-with-a-bang
Threats:
Koivm
Remcos_rat
Agent_tesla
M4use_loader
Confuserex_tool
Process_injection_technique
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 2
Email: 1
Hash: 5
Url: 2
IP: 1
Algorithms:
base64, zip, rc4, xor
Languages:
python
Links:
https://github.com/dnSpyEx
https://github.com/Loksie/KoiVM-Virtualization#koivm
https://github.com/yck1509/ConfuserEx
https://github.com/SychicBoy/NETReactorSlayer
https://github.com/horsicq/Detect-It-Easy
https://github.com/Loksie/KoiVM-Virtualization#:~:text=first%20one%20is%20certainly%20ridiculous%20as%20it%20will%20%22merge%22%20with%20cex%20and%20virtualize%20every%20single%20method%2C%20including%20protections%20from%20ConfuserEX%2C%20however%20note%20that%20this%20might%20KILL%20your%20performan
K7 Labs
KoiVM Loader Resurfaces With a Bang
We at K7 Labs recently found an interesting new .NET loader which downloads and executes KoiVM virtualized binary, which in […]
#ParsedReport
05-12-2022
ASEC Weekly Phishing Email Threat Trend (20221120 ~ 20221126)
https://asec.ahnlab.com/ko/43163
Threats:
Agent_tesla
Formbook
Purecrypter
Industry:
Transport, Financial
Geo:
Mongolian, Korean
TTPs:
IOCs:
File: 46
Url: 9
Algorithms:
zip
ASEC BLOG
ASEC Weekly Phishing Email Threat Trend (20221120 ~ 20221126) - ASEC BLOG
The ASEC analysis team monitors phishing email threats using its automated sample analysis system (RAPIT) and honeypots. This post presents the distribution cases of phishing email attacks confirmed during the week of November 20 to November 26, 2022, together with statistics classifying them by type. In general, phishing refers to an attack in which the attacker uses social engineering techniques, mainly over email, to disguise themselves as or impersonate an institution, company or individual in order to steal the user's login account (credential) information.…
#ParsedReport
05-12-2022
Exposed Remote Desktop Protocol actively targeted by Threat Actors to deploy Ransomware
https://blog.cyble.com/2022/12/02/exposed-remote-desktop-protocol-actively-targeted-by-threat-actors-to-deploy-ransomware
Threats:
Redeemer
Vohuk
Amelia
Blackhunt
Daixin
Medusalocker
Conti
Bluekeep_vuln
Industry:
Financial, Government, Telco
Geo:
Korea, India, Vietnam, Russian, Netherlands, Russia
CVEs:
CVE-2019-0708 [Vulners]
Vulners: Score: 10.0, CVSS: 5.4,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft windows vista (-)
- microsoft windows server 2008 (r2, r2, -)
- microsoft windows xp (-, -)
- microsoft windows server 2003 (-, -, r2)
- microsoft windows 7 (-)
have more...
IOCs:
File: 1
Hash: 3
Softs:
remote desktop services
Cyble
Exposed RDP Actively Targeted By Threat Actors To Deploy Ransomware
Exposed RDP (Remote Desktop Protocol) is being actively targeted by cybercriminals to deploy ransomware. Learn how to secure your RDP access and protect your systems from these attacks.
#ParsedReport
05-12-2022
Distribution of phishing mail impersonating quasi-governmental organizations
https://asec.ahnlab.com/ko/43341
Industry:
Government
Geo:
Korea
IOCs:
Url: 2
ASEC BLOG
Distribution of phishing mail impersonating quasi-governmental organizations - ASEC BLOG
The ASEC analysis team recently confirmed that phishing emails impersonating a non-profit government agency are being distributed. Because they use a web page disguised as the login screen of GobizKOREA, a service operated by the Korea SMEs and Startups Agency (KOSME), to induce users to log in, users working in the trade sector need to be especially careful. The subject and body of the phishing email are as follows. The body states that a new inquiry from a buyer has been registered, and all five hyperlinks included in the body…
#ParsedReport
05-12-2022
Hitching a ride with Mustang Panda
https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups
Actors/Campaigns:
Red_delta
Luminousmoth
Nightscout
Threats:
Plugx_rat
Hodur_rat
Uac_bypass_technique
Nbtscan_tool
Industry:
Petroleum, Financial, Ngo, Government
Geo:
Pacific, Czech, Chinese, Myanmar, American, Vietnam, Burmese, Mongolia, Russia, Malaysia, Canada, Myanmars, Australia, Usa, China, France, Asian, Netherlands, Serbia, Israel, Tatarstan
TTPs:
Tactics: 2
Technics: 0
IOCs:
File: 109
Domain: 6
IP: 38
Hash: 129
Softs:
microsoft office, chrome, opera, telegram, vivaldi
Algorithms:
xor, exhibit
Functions:
GDU1_NEW, GDU_OLD
Languages:
delphi, javascript
Gendigital
Hitching a ride with Mustang Panda
APT Campaign Targets Myanmar Government
#ParsedReport
05-12-2022
Analysis of the network attack activity of the OceanLotus group's Torii remote control trojan
https://www.antiy.cn/research/notice&report/research_report/20221202.html
Actors/Campaigns:
Oceanlotus (motivation: information_theft)
Threats:
Torii_botnet
Kerrdown
Phantomlance
Cobalt_strike
Industry:
Government, Iot
Geo:
China
TTPs:
Tactics: 3
Technics: 0
IOCs:
File: 6
Softs:
android, macos, crontab
Algorithms:
aes, aes-128, rc4, gzip
Platforms:
x86, mips, arm, x64
www.antiy.cn
Analysis of the network attack activity of the OceanLotus group's Torii remote control trojan
Antiy CERT captured a batch of active IoT remote control trojans and found that they belong to an upgraded version of the Torii botnet family. They share a certain homology with, and also differ from, the same kind of remote control trojans used by the OceanLotus group, and the network assets they rely on overlap with earlier OceanLotus attack activity.
#ParsedReport
05-12-2022
Schoolyard Bully Trojan Facebook Credential Stealer
https://www.zimperium.com/blog/schoolyard-bully-trojan-facebook-credential-stealer
Threats:
Schoolyardbully
Flytrap
Industry:
Financial, Chemical
Geo:
Vietnamese, Nederlands
TTPs:
Tactics: 1
Technics: 0
IOCs:
Hash: 175
Softs:
android, google chrome, mozilla firefox, opera, microsoft edge
Algorithms:
zip
Languages:
java, javascript
Platforms:
apple
Zimperium
Schoolyard Bully Trojan Facebook Credential Stealer - Zimperium
Zimperium zLabs has discovered a new Android threat campaign, the Schoolyard Bully Trojan, which has been active since 2018 and has spread to over 300,000 victims and is specifically targeting Facebook credentials. To learn more about this new threat, read…
#ParsedReport
05-12-2022
Alert (AA22-335A)
https://us-cert.cisa.gov/ncas/alerts/aa22-335a
Actors/Campaigns:
Lapsus
Threats:
Cuba
Romcom_rat
Ransomware.gov
Hancitor
Kerberoasting_technique
Kerbercache_tool
Zerologon_vuln
Qakbot
Impacket_tool
Meterpreter_tool
Iobit_tool
Powerview
Industry:
Foodtech, Government, E-commerce, Healthcare, Financial
Geo:
Ukrainian, Ukraine
CVEs:
CVE-2022-24521 [Vulners]
Vulners: Score: 4.6, CVSS: 4.2,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft windows 10 (-, 20h2, 21h1, 21h2, 1607, 1809, 1909)
- microsoft windows 11 (-, -)
- microsoft windows 7 (-)
- microsoft windows 8.1 (-)
- microsoft windows rt 8.1 (-)
have more...
CVE-2020-1472 [Vulners]
Vulners: Score: 9.3, CVSS: 3.8,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft windows server 2008 (r2)
- microsoft windows server 2012 (-, r2)
- microsoft windows server 2016 (-, 1903, 1909, 2004)
- microsoft windows server 2019 (-)
- fedoraproject fedora (31, 32, 33)
have more...
TTPs:
Tactics: 8
Technics: 13
IOCs:
File: 71
Path: 1
Hash: 48
IP: 53
Email: 4
Softs:
active directory, local security authority, keepass
www.cisa.gov
#StopRansomware: Cuba Ransomware | CISA
Actions to take today to mitigate cyber threats from ransomware: • Prioritize remediating known exploited vulnerabilities. • Train users to recognize and report phishing attempts. • Enable and enforce phishing-resistant multifactor authentication.
#ParsedReport
06-12-2022
Technical Analysis of the Winbox Payload in WindiGo
https://www.nozominetworks.com/blog/technical-analysis-of-the-winbox-payload-in-windigo
Threats:
Windigo
Plaguebot
Meris_botnet
Revil
Glupteba
Mirai
Industry:
Telco, Iot
Geo:
Brazil, China, Vietnam
CVEs:
CVE-2018-14847 [Vulners]
Vulners: Score: 6.4, CVSS: 5.7,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- mikrotik routeros (le6.42)
TTPs:
Tactics: 1
Technics: 0
IOCs:
Hash: 4
File: 1
Domain: 17
Registry: 3
Nozominetworks
Technical Analysis of the Winbox Payload in WindiGo
This blog provides a technical analysis of WindiGo as well as Indicators of Compromise (IoCs) you can use to detect WindiGo in your network.
#ParsedReport
06-12-2022
Danger Lurking in GitHub Repositories
https://socradar.io/danger-lurking-in-github-repositories
Threats:
Repojacking_technique
Bluekeep_vuln
Houdini_rat
CVEs:
CVE-2019-0708 [Vulners]
Vulners: Score: 10.0, CVSS: 5.4,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft windows vista (-)
- microsoft windows server 2008 (r2, r2, -)
- microsoft windows xp (-, -)
- microsoft windows server 2003 (-, -, r2)
- microsoft windows 7 (-)
have more...
IOCs:
IP: 1
Hash: 27
File: 2
Algorithms:
base64
Languages:
python
Links:
https://docs.github.com/en/repositories/creating-and-managing-repositories/transferring-a-repository
SOCRadar® Cyber Intelligence Inc.
Danger Lurking in GitHub Repositories - SOCRadar® Cyber Intelligence Inc.
As a threat actor claims, up to 14 million GitHub users and repository credentials have been stolen recently and offered for sale.
#ParsedReport
06-12-2022
TgRat spyware detected
https://www.ptsecurity.com/ru-ru/research/pt-esc-threat-intelligence/vyyavlen-virus-shpion-tgrat
Threats:
Tgrat
Impacket_tool
Mimikatz_tool
IOCs:
File: 5
Softs:
telegram
Algorithms:
aes
Links:
https://github.com/wrwrabbit/telegram-bot-api-go
ptsecurity.com
PT ESC Threat Intelligence Blog
In this blog you can find information about current attacks by hacker groups around the world, analysis of their tools, information about incidents, the groups' TTPs, indicators of compromise and the names of the detections in our products
#ParsedReport
06-12-2022
The Story of a Ransomware Turning into an Accidental Wiper
https://www.fortinet.com/blog/threat-research/The-story-of-a-ransomware-turning-into-an-accidental-wiper
Threats:
Cryptonite
Cyberdevilz_actor
Amsi_bypass_technique
W32/filecoder.ky!tr
W32/filecoder.ky!tr.ransom
Industry:
Financial
IOCs:
Hash: 1
File: 2
Url: 1
Domain: 1
Softs:
pyinstaller
Functions:
findFiles, warningScreen
Languages:
python
Fortinet Blog
The Story of a Ransomware Turning into an Accidental Wiper | FortiGuard Labs
FortiGuard Labs provides a deeper analysis of an open-source Cryptonite ransomware sample that never offers a decryption window, but instead acts as wiper malware. Read to find out more.…
#ParsedReport
06-12-2022
Calisto show interests into entities involved in Ukraine war support
https://blog.sekoia.io/calisto-show-interests-into-entities-involved-in-ukraine-war-support
Actors/Campaigns:
Calisto
Coldriver
Gamaredon
Apt31
Threats:
Typosquatting_technique
Evilginx_tool
Velar
Industry:
Logistic, Ngo
Geo:
Ukraine, Russian, Indian, African, Syrian, Polish, Ukrainian
IOCs:
Domain: 5
SIGMA: Found
Sekoia.io Blog
Calisto show interests into entities involved in Ukraine war support
Calisto (aka Callisto, COLDRIVER) is suspected to be a Russian-nexus intrusion set active since at least April 2017. Although it was not publicly attributed to any Russian intelligence service, past Calisto operations showed objectives and victimology that…
#ParsedReport
06-12-2022
Vice Society: Profiling a Persistent Threat to the Education Sector
https://unit42.paloaltonetworks.com/vice-society-targets-education-sector
Actors/Campaigns:
Vice_society (motivation: cyber_criminal)
Unc2447
Threats:
Hellokitty
Printnightmare_vuln
Lockbit
Fivehands
Zeppelin
Lotl_technique
Blackcat
Bloodhound_tool
Systembc
Avoslocker
Sombrat_rat
Industry:
Education, Financial, Healthcare, Government, E-commerce, Ngo
Geo:
Emea, Germany, America, Japan, California, Spain, France, Italy, Apac, Brazil
CVEs:
CVE-2021-34527 [Vulners]
Vulners: Score: 9.0, CVSS: 3.7,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft windows server 2008 (r2, -)
- microsoft windows server 2012 (r2, -)
- microsoft windows 10 (1607, -, 20h2, 21h1, 1809, 1909, 2004)
- microsoft windows 8.1 (-)
- microsoft windows server 2016 (-, 20h2, 2004)
have more...
CVE-2021-1675 [Vulners]
Vulners: Score: 9.3, CVSS: 3.5,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft windows server 2008 (r2, -)
- microsoft windows server 2012 (r2, -)
- microsoft windows 10 (1607, -, 20h2, 21h1, 1809, 1909, 2004)
- microsoft windows 8.1 (-)
- microsoft windows server 2016 (-)
have more...
TTPs:
Tactics: 11
Technics: 0
IOCs:
Domain: 5
File: 4
Email: 14
Registry: 1
Hash: 15
Path: 1
Softs:
esxi, psexec, windows defender, microsoft defender, local security authority, ive directory data, windows print spooler
Algorithms:
aes
Unit 42
Vice Society: Profiling a Persistent Threat to the Education Sector
Vice Society, a ransomware gang, has been involved in high-profile activity against schools this year.
#ParsedReport
06-12-2022
Iran: State-Backed Hacking of Activists, Journalists, Politicians
https://www.hrw.org/news/2022/12/05/iran-state-backed-hacking-activists-journalists-politicians
Actors/Campaigns:
Cleaver
Phosphorus
Irgc
Threats:
Credential_harvesting_technique
Hostile
Hyperscrape_tool
Industry:
Government, Financial
Geo:
Usa, Qatar, Iranian, Morocco, Iran, Africa, Tehran, Indian, Beirut, American, Israeli, Libya, Lebanon, Irans
IOCs:
Domain: 7
Url: 7
Softs:
telegram, google takeout
Languages:
javascript, php
Human Rights Watch
Iran: State-Backed Hacking of Activists, Journalists, Politicians
Hackers backed by the Iranian government have targeted Human Rights Watch and at least 18 other high-profile journalists, researchers, and politicians working on Middle East issues in an ongoing social engineering and credential phishing campaign.
#ParsedReport
06-12-2022
Blue Callisto orbits around US Laboratories in 2022
https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/blue-callisto-orbits-around-us.html
Actors/Campaigns:
Coldriver (motivation: cyber_espionage)
Tick
Threats:
Seaborgium
Evilginx_tool
Industry:
Financial, Aerospace, Education, Government, Healthcare, Telco, Transport, Logistic, Energy
Geo:
Ukraine, Australia, Russia, Ukrainian
TTPs:
IOCs:
Domain: 5
File: 3
Url: 6
IP: 7
Functions:
OpenSSL
Languages:
javascript
PwC
Blue Callisto orbits around US Laboratories in 2022
In this blog post we detail 2022 phishing activity the PwC threat intelligence team attributes to Blue Callisto and list indicators for defenders to query.
#ParsedReport
06-12-2022
Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies
https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies
Threats:
Credential_harvesting_technique
Anydesk_tool
Dwservice_tool
Logmein_tool
Screenconnect_tool
Teamviewer_tool
Sorillus_rat
Rustscan_tool
Impacket_tool
Dcsync_technique
Industry:
Bp_outsourcing, Telco
CVEs:
CVE-2021-35464 [Vulners]
Vulners: Score: 10.0, CVSS: 5.4,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- forgerock am (<6.5.3)
- forgerock openam (<14.6.3)
IOCs:
Domain: 3
IP: 86
Hash: 8
File: 1
Softs:
telegram, curl, beanywhere, domotz, pulseway, rport, rsocx, trendmicro basecamp, zerotier, esxi, have more...
Languages:
python
Links:
https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS
https://github.com/NetSPI/aws_consoler
https://github.com/RustScan/RustScan
https://github.com/b23r0/rsocx
CrowdStrike.com
Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies
CrowdStrike Services analyzes a recent intrusion campaign targeting telecom and business process outsourcing companies and shares how to defend against this attack.
#ParsedReport
06-12-2022
How similar is the Microsoft account-stealing phishing page to the real one?
https://asec.ahnlab.com/ko/43416
Geo:
Korean
IOCs:
File: 2
Hash: 2
Algorithms:
base64, aes
ASEC BLOG
How similar is the Microsoft account-stealing phishing page to the real one? - ASEC BLOG
Many companies and individual users at home and abroad use a Microsoft account to access Microsoft's major services, including Outlook, Office, OneDrive and Windows. With the unified login, a user can conveniently access every Microsoft service linked to the account. What does this look like from the attacker's point of view? Because so much information can be obtained through a single account, it is an ideal target. In particular, users who handle sensitive information within a company…