#ParsedReport
06-12-2022
The Story of a Ransomware Turning into an Accidental Wiper
https://www.fortinet.com/blog/threat-research/The-story-of-a-ransomware-turning-into-an-accidental-wiper
Threats:
Cryptonite
Cyberdevilz_actor
Amsi_bypass_technique
W32/filecoder.ky!tr
W32/filecoder.ky!tr.ransom
Industry:
Financial
IOCs:
Hash: 1
File: 2
Url: 1
Domain: 1
Softs:
pyinstaller
Functions:
findFiles, warningScreen
Languages:
python
06-12-2022
The Story of a Ransomware Turning into an Accidental Wiper
https://www.fortinet.com/blog/threat-research/The-story-of-a-ransomware-turning-into-an-accidental-wiper
Threats:
Cryptonite
Cyberdevilz_actor
Amsi_bypass_technique
W32/filecoder.ky!tr
W32/filecoder.ky!tr.ransom
Industry:
Financial
IOCs:
Hash: 1
File: 2
Url: 1
Domain: 1
Softs:
pyinstaller
Functions:
findFiles, warningScreen
Languages:
python
Fortinet Blog
The Story of a Ransomware Turning into an Accidental Wiper | FortiGuard Labs
FortiGuard Labs provides a deeper analysis of an open-source Cryptonite ransomware sample that never offers a decryption window, but instead acts as wiper malware. Read to find out more.…
#ParsedReport
06-12-2022
Calisto show interests into entities involved in Ukraine war support
https://blog.sekoia.io/calisto-show-interests-into-entities-involved-in-ukraine-war-support
Actors/Campaigns:
Calisto
Coldriver
Gamaredon
Apt31
Threats:
Typosquatting_technique
Evilginx_tool
Velar
Industry:
Logistic, Ngo
Geo:
Ukraine, Russian, Indian, African, Syrian, Polish, Ukrainian
IOCs:
Domain: 5
SIGMA: Found
06-12-2022
Calisto show interests into entities involved in Ukraine war support
https://blog.sekoia.io/calisto-show-interests-into-entities-involved-in-ukraine-war-support
Actors/Campaigns:
Calisto
Coldriver
Gamaredon
Apt31
Threats:
Typosquatting_technique
Evilginx_tool
Velar
Industry:
Logistic, Ngo
Geo:
Ukraine, Russian, Indian, African, Syrian, Polish, Ukrainian
IOCs:
Domain: 5
SIGMA: Found
Sekoia.io Blog
Calisto show interests into entities involved in Ukraine war support
Calisto (aka Callisto, COLDRIVER) is suspected to be a Russian-nexus intrusion set active since at least April 2017. Although it was not publicly attributed to any Russian intelligence service, past Calisto operations showed objectives and victimology that…
#ParsedReport
06-12-2022
Vice Society: Profiling a Persistent Threat to the Education Sector
https://unit42.paloaltonetworks.com/vice-society-targets-education-sector
Actors/Campaigns:
Vice_society (motivation: cyber_criminal)
Unc2447
Threats:
Hellokitty
Printnightmare_vuln
Lockbit
Fivehands
Zeppelin
Lotl_technique
Blackcat
Bloodhound_tool
Systembc
Avoslocker
Sombrat_rat
Industry:
Education, Financial, Healthcare, Government, E-commerce, Ngo
Geo:
Emea, Germany, America, Japan, California, Spain, France, Italy, Apac, Brazil
CVEs:
CVE-2021-34527 [Vulners]
Vulners: Score: 9.0, CVSS: 3.7,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft windows server 2008 (r2, -)
- microsoft windows server 2012 (r2, -)
- microsoft windows 10 (1607, -, 20h2, 21h1, 1809, 1909, 2004)
- microsoft windows 8.1 (-)
- microsoft windows server 2016 (-, 20h2, 2004)
have more...
CVE-2021-1675 [Vulners]
Vulners: Score: 9.3, CVSS: 3.5,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft windows server 2008 (r2, -)
- microsoft windows server 2012 (r2, -)
- microsoft windows 10 (1607, -, 20h2, 21h1, 1809, 1909, 2004)
- microsoft windows 8.1 (-)
- microsoft windows server 2016 (-)
have more...
TTPs:
Tactics: 11
Technics: 0
IOCs:
Domain: 5
File: 4
Email: 14
Registry: 1
Hash: 15
Path: 1
Softs:
esxi, psexec, windows defender, microsoft defender, local security authority, ive directory data, windows print spooler
Algorithms:
aes
06-12-2022
Vice Society: Profiling a Persistent Threat to the Education Sector
https://unit42.paloaltonetworks.com/vice-society-targets-education-sector
Actors/Campaigns:
Vice_society (motivation: cyber_criminal)
Unc2447
Threats:
Hellokitty
Printnightmare_vuln
Lockbit
Fivehands
Zeppelin
Lotl_technique
Blackcat
Bloodhound_tool
Systembc
Avoslocker
Sombrat_rat
Industry:
Education, Financial, Healthcare, Government, E-commerce, Ngo
Geo:
Emea, Germany, America, Japan, California, Spain, France, Italy, Apac, Brazil
CVEs:
CVE-2021-34527 [Vulners]
Vulners: Score: 9.0, CVSS: 3.7,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft windows server 2008 (r2, -)
- microsoft windows server 2012 (r2, -)
- microsoft windows 10 (1607, -, 20h2, 21h1, 1809, 1909, 2004)
- microsoft windows 8.1 (-)
- microsoft windows server 2016 (-, 20h2, 2004)
have more...
CVE-2021-1675 [Vulners]
Vulners: Score: 9.3, CVSS: 3.5,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft windows server 2008 (r2, -)
- microsoft windows server 2012 (r2, -)
- microsoft windows 10 (1607, -, 20h2, 21h1, 1809, 1909, 2004)
- microsoft windows 8.1 (-)
- microsoft windows server 2016 (-)
have more...
TTPs:
Tactics: 11
Technics: 0
IOCs:
Domain: 5
File: 4
Email: 14
Registry: 1
Hash: 15
Path: 1
Softs:
esxi, psexec, windows defender, microsoft defender, local security authority, ive directory data, windows print spooler
Algorithms:
aes
Unit 42
Vice Society: Profiling a Persistent Threat to the Education Sector
Vice Society, a ransomware gang, has been involved in high-profile activity against schools this year.
#ParsedReport
06-12-2022
Iran: State-Backed Hacking of Activists, Journalists, Politicians
https://www.hrw.org/news/2022/12/05/iran-state-backed-hacking-activists-journalists-politicians
Actors/Campaigns:
Cleaver
Phosphorus
Irgc
Threats:
Credential_harvesting_technique
Hostile
Hyperscrape_tool
Industry:
Government, Financial
Geo:
Usa, Qatar, Iranian, Morocco, Iran, Africa, Tehran, Indian, Beirut, American, Israeli, Libya, Lebanon, Irans
IOCs:
Domain: 7
Url: 7
Softs:
telegram, google takeout
Languages:
javascript, php
06-12-2022
Iran: State-Backed Hacking of Activists, Journalists, Politicians
https://www.hrw.org/news/2022/12/05/iran-state-backed-hacking-activists-journalists-politicians
Actors/Campaigns:
Cleaver
Phosphorus
Irgc
Threats:
Credential_harvesting_technique
Hostile
Hyperscrape_tool
Industry:
Government, Financial
Geo:
Usa, Qatar, Iranian, Morocco, Iran, Africa, Tehran, Indian, Beirut, American, Israeli, Libya, Lebanon, Irans
IOCs:
Domain: 7
Url: 7
Softs:
telegram, google takeout
Languages:
javascript, php
Human Rights Watch
Iran: State-Backed Hacking of Activists, Journalists, Politicians
Hackers backed by the Iranian government have targeted Human Rights Watch and at least 18 other high-profile journalists, researchers, and politicians working on Middle East issues in an ongoing social engineering and credential phishing campaign.
#ParsedReport
06-12-2022
Blue Callisto orbits around US Laboratories in 2022
https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/blue-callisto-orbits-around-us.html
Actors/Campaigns:
Coldriver (motivation: cyber_espionage)
Tick
Threats:
Seaborgium
Evilginx_tool
Industry:
Financial, Aerospace, Education, Government, Healthcare, Telco, Transport, Logistic, Energy
Geo:
Ukraine, Australia, Russia, Ukrainian
TTPs:
IOCs:
Domain: 5
File: 3
Url: 6
IP: 7
Functions:
OpenSSL
Languages:
javascript
06-12-2022
Blue Callisto orbits around US Laboratories in 2022
https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/blue-callisto-orbits-around-us.html
Actors/Campaigns:
Coldriver (motivation: cyber_espionage)
Tick
Threats:
Seaborgium
Evilginx_tool
Industry:
Financial, Aerospace, Education, Government, Healthcare, Telco, Transport, Logistic, Energy
Geo:
Ukraine, Australia, Russia, Ukrainian
TTPs:
IOCs:
Domain: 5
File: 3
Url: 6
IP: 7
Functions:
OpenSSL
Languages:
javascript
PwC
Blue Callisto orbits around US Laboratories in 2022
In this blog post we detail 2022 phishing activity the PwC threat intelligence team attributes to Blue Callisto and list indicators for defenders to query.
#ParsedReport
06-12-2022
Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies
https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies
Threats:
Credential_harvesting_technique
Anydesk_tool
Dwservice_tool
Logmein_tool
Screenconnect_tool
Teamviewer_tool
Sorillus_rat
Rustscan_tool
Impacket_tool
Dcsync_technique
Industry:
Bp_outsourcing, Telco
CVEs:
CVE-2021-35464 [Vulners]
Vulners: Score: 10.0, CVSS: 5.4,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- forgerock am (<6.5.3)
- forgerock openam (<14.6.3)
IOCs:
Domain: 3
IP: 86
Hash: 8
File: 1
Softs:
telegram, curl, beanywhere, domotz, pulseway, rport, rsocx, trendmicro basecamp, zerotier, esxi, have more...
Languages:
python
Links:
06-12-2022
Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies
https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies
Threats:
Credential_harvesting_technique
Anydesk_tool
Dwservice_tool
Logmein_tool
Screenconnect_tool
Teamviewer_tool
Sorillus_rat
Rustscan_tool
Impacket_tool
Dcsync_technique
Industry:
Bp_outsourcing, Telco
CVEs:
CVE-2021-35464 [Vulners]
Vulners: Score: 10.0, CVSS: 5.4,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- forgerock am (<6.5.3)
- forgerock openam (<14.6.3)
IOCs:
Domain: 3
IP: 86
Hash: 8
File: 1
Softs:
telegram, curl, beanywhere, domotz, pulseway, rport, rsocx, trendmicro basecamp, zerotier, esxi, have more...
Languages:
python
Links:
https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS
https://github.com/NetSPI/aws\_consoler
https://github.com/RustScan/RustScan
https://github.com/b23r0/rsocxCrowdStrike.com
Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies
CrowdStrike Services analyzes a recent intrusion campaign targeting telecom and business process outsourcing companies and shares how to defend against this attack.
#ParsedReport
06-12-2022
Microsoft ?. How much similar to the Microsoft account stealing phishing page is real?
https://asec.ahnlab.com/ko/43416
Geo:
Korean
IOCs:
File: 2
Hash: 2
Algorithms:
base64, aes
06-12-2022
Microsoft ?. How much similar to the Microsoft account stealing phishing page is real?
https://asec.ahnlab.com/ko/43416
Geo:
Korean
IOCs:
File: 2
Hash: 2
Algorithms:
base64, aes
ASEC BLOG
Microsoft 계정 탈취 피싱 페이지는 진짜와 얼마나 비슷할까? - ASEC BLOG
국내외 많은 기업과 개인 사용자가 Microsoft 계정을 이용하여 Outlook, Office, OneDrive, Windows를 비롯한 Microsoft의 주요 서비스를 이용하고 있다. 사용자는 통합 로그인을 이용하여 계정과 연결된 모든 Microsoft 서비스에 편리하게 접속할 수 있다. 공격자 입장에서는 어떨까? 단 한 개의 계정을 이용하여 취할 수 있는 정보가 많기 때문에 더없이 좋은 공격 타깃이다. 특히 기업 내에서 민감 정보를 취급하는 사용자인…
#ParsedReport
06-12-2022
Exposing TAG-53s Credential Harvesting Infrastructure Used for Russia-Aligned Espionage Operations
https://www.recordedfuture.com/exposing-tag-53-credential-harvesting-infrastructure-for-russia-aligned-espionage-operations
Actors/Campaigns:
Tag-53 (motivation: cyber_espionage, information_theft)
Coldriver (motivation: cyber_espionage, information_theft)
Seaborgium (motivation: cyber_espionage, information_theft)
Threats:
Credential_harvesting_technique
Typosquatting_technique
Industry:
Ngo, Logistic, Government, Telco, Aerospace
Geo:
Russian, Ukraine, Poland, Russia
TTPs:
IOCs:
Domain: 38
IP: 38
Softs:
microsoft onedrive
06-12-2022
Exposing TAG-53s Credential Harvesting Infrastructure Used for Russia-Aligned Espionage Operations
https://www.recordedfuture.com/exposing-tag-53-credential-harvesting-infrastructure-for-russia-aligned-espionage-operations
Actors/Campaigns:
Tag-53 (motivation: cyber_espionage, information_theft)
Coldriver (motivation: cyber_espionage, information_theft)
Seaborgium (motivation: cyber_espionage, information_theft)
Threats:
Credential_harvesting_technique
Typosquatting_technique
Industry:
Ngo, Logistic, Government, Telco, Aerospace
Geo:
Russian, Ukraine, Poland, Russia
TTPs:
IOCs:
Domain: 38
IP: 38
Softs:
microsoft onedrive
Recordedfuture
Exposing TAG-53’s Credential Harvesting Infrastructure Used for Russia-Aligned Espionage Operations
A recent spear phishing attempt uncovers a Russia-aligned cyber espionage campaign targeting government, intelligence, and military industries.
#ParsedReport
06-12-2022
ASEC (20221128 \~ 20221204). ASEC Weekly Malware Statistics (20221128 \~ 20221204)
https://asec.ahnlab.com/ko/43356
Threats:
Smokeloader
Smokerloader
Agent_tesla
Azorult
Vidar_stealer
Antefrigus
Revil
Ransomware.later
Postealer
Clipbanker
Redline_stealer
Beamwinhttp_loader
Industry:
Transport, Financial
Geo:
Korea
IOCs:
File: 17
Email: 5
Url: 9
IP: 6
Softs:
telegram
Languages:
php
06-12-2022
ASEC (20221128 \~ 20221204). ASEC Weekly Malware Statistics (20221128 \~ 20221204)
https://asec.ahnlab.com/ko/43356
Threats:
Smokeloader
Smokerloader
Agent_tesla
Azorult
Vidar_stealer
Antefrigus
Revil
Ransomware.later
Postealer
Clipbanker
Redline_stealer
Beamwinhttp_loader
Industry:
Transport, Financial
Geo:
Korea
IOCs:
File: 17
Email: 5
Url: 9
IP: 6
Softs:
telegram
Languages:
php
ASEC BLOG
ASEC 주간 악성코드 통계 (20221128 ~ 20221204) - ASEC BLOG
ASEC 분석팀에서는 ASEC 자동 분석 시스템 RAPIT 을 활용하여 알려진 악성코드들에 대한 분류 및 대응을 진행하고 있다. 본 포스팅에서는 2022년 11월 28일 월요일부터 12월 4일 일요일까지 한 주간 수집된 악성코드의 통계를 정리한다. 대분류 상으로는 인포스틸러가 34.8%로 1위를 차지하였으며, 그 다음으로는 다운로더가 28.2%, 백도어 21.1%, 랜섬웨어 14.6%, 코인마이너가 0.3%로 집계되었다. Top 1 – SmokeLoader…
#ParsedReport
06-12-2022
DEV-0139 launches targeted attacks against the cryptocurrency industry
https://www.microsoft.com/en-us/security/blog/2022/12/06/dev-0139-launches-targeted-attacks-against-the-cryptocurrency-industry
Threats:
Dll_sideloading_technique
Industry:
Financial
TTPs:
Tactics: 6
Technics: 13
IOCs:
File: 27
Path: 7
Url: 1
Hash: 10
Domain: 1
IP: 1
Softs:
microsoft defender, microsoft defender for endpoint, telegram, microsoft excel, windows media player, "powerpnt", microsoft 365 defender
Algorithms:
base64, xor
Functions:
CreateDate, CreateFile, OpenDrive, Win32
Win API:
CreateProcess
Languages:
visual_basic
Platforms:
x64
Links:
06-12-2022
DEV-0139 launches targeted attacks against the cryptocurrency industry
https://www.microsoft.com/en-us/security/blog/2022/12/06/dev-0139-launches-targeted-attacks-against-the-cryptocurrency-industry
Threats:
Dll_sideloading_technique
Industry:
Financial
TTPs:
Tactics: 6
Technics: 13
IOCs:
File: 27
Path: 7
Url: 1
Hash: 10
Domain: 1
IP: 1
Softs:
microsoft defender, microsoft defender for endpoint, telegram, microsoft excel, windows media player, "powerpnt", microsoft 365 defender
Algorithms:
base64, xor
Functions:
CreateDate, CreateFile, OpenDrive, Win32
Win API:
CreateProcess
Languages:
visual_basic
Platforms:
x64
Links:
https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/Least\_Common\_Parent\_Child\_Process.yamlhttps://github.com/Azure/Azure-Sentinel/blob/46906229919827bffa14211341f52dd68e27ad81/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-anomalous-process-trees.yamlMicrosoft News
DEV-0139 launches targeted attacks against the cryptocurrency industry
Microsoft security researchers investigate an attack where the threat actor, tracked DEV-0139, used chat groups to target specific cryptocurrency investment companies and run a backdoor within their network.
#ParsedReport
06-12-2022
Technical Analysis of DanaBot Obfuscation Techniques
https://www.zscaler.com/blogs/security-research/technical-analysis-danabot-obfuscation-techniques
Threats:
Danabot
Junk_code_technique
Beacon
Industry:
Financial
IOCs:
File: 1
Hash: 1
Languages:
delphi, prolog, python
Links:
06-12-2022
Technical Analysis of DanaBot Obfuscation Techniques
https://www.zscaler.com/blogs/security-research/technical-analysis-danabot-obfuscation-techniques
Threats:
Danabot
Junk_code_technique
Beacon
Industry:
Financial
IOCs:
File: 1
Hash: 1
Languages:
delphi, prolog, python
Links:
https://github.com/threatlabz/tools/blob/main/danabot/10\_math\_loops.pyhttps://github.com/threatlabz/tools/blob/main/danabot/11\_rename\_junk\_variables.pyhttps://github.com/threatlabz/tools/blob/main/danabot/idr\_map\_to\_idapy.pyhttps://github.com/threatlabz/tools/blob/main/danabot/02\_dynamic\_return.pyhttps://github.com/OALabs/hashdb-idahttps://github.com/OALabs/hashdb/pull/35https://github.com/threatlabz/tools/blob/main/danabot/06\_fake\_UStrLAsg\_and\_UStrCopy.pyhttps://github.com/threatlabz/tools/tree/main/danabothttps://github.com/threatlabz/tools/blob/main/danabot/01\_junk\_byte\_jump.pyhttps://github.com/threatlabz/tools/blob/main/danabot/03\_uppercase\_jumps.pyhttps://github.com/threatlabz/tools/blob/main/danabot/09\_empty\_loops.pyhttps://github.com/threatlabz/tools/blob/main/danabot/idr\_idc\_to\_idapy.pyhttps://github.com/threatlabz/tools/blob/main/danabot/04\_letter\_mapping.pyhttps://github.com/threatlabz/tools/blob/main/danabot/12\_rename\_junk\_random\_variables.pyhttps://github.com/crypto2011/IDRhttps://github.com/threatlabz/tools/blob/main/danabot/08\_set\_stack\_string\_letters\_comments.pyhttps://github.com/threatlabz/tools/blob/main/danabot/07\_stack\_string\_letters\_to\_last\_StrCatN\_call.pyhttps://github.com/threatlabz/tools/blob/main/danabot/05\_reset\_code.pyZscaler
DanaBot | ThreatLabz
A technical analysis of the DanaBot malware's obfuscation techniques.
#ParsedReport
07-12-2022
Phishing Email Disguised as a Well-Known Korean Airline
https://asec.ahnlab.com/en/43510
Industry:
Aerospace, Financial
Geo:
Koreas, Korean
IOCs:
Url: 1
07-12-2022
Phishing Email Disguised as a Well-Known Korean Airline
https://asec.ahnlab.com/en/43510
Industry:
Aerospace, Financial
Geo:
Koreas, Korean
IOCs:
Url: 1
ASEC BLOG
Phishing Email Disguised as a Well-Known Korean Airline - ASEC BLOG
The ASEC analysis team has recently discovered a phishing email that impersonates a well-known Korean airline to collect user credentials. The phishing email contains a notice on airline ticket payment, inducing the reader to connect to the disguised phishing…
👍1
#ParsedReport
07-12-2022
Polonium APT Group: Uncovering New Elements
https://www.deepinstinct.com/blog/polonium-apt-group-uncovering-new-elements
Actors/Campaigns:
Polonium
Threats:
Megacreep
Vbcreep
Industry:
Chemical
Geo:
Israeli, Israel, Lebanon
IOCs:
Hash: 4
File: 6
Registry: 2
Softs:
sysinternals
Functions:
MainZero
Languages:
visual_basic
Links:
07-12-2022
Polonium APT Group: Uncovering New Elements
https://www.deepinstinct.com/blog/polonium-apt-group-uncovering-new-elements
Actors/Campaigns:
Polonium
Threats:
Megacreep
Vbcreep
Industry:
Chemical
Geo:
Israeli, Israel, Lebanon
IOCs:
Hash: 4
File: 6
Registry: 2
Softs:
sysinternals
Functions:
MainZero
Languages:
visual_basic
Links:
https://github.com/eset/malware-ioc/tree/master/poloniumDeep Instinct
Polonium APT Group: Uncovering New Elements | Deep Instinct
The Polonium APT group activity was first detected by Microsoft in June 2022. The group is based in Lebanon and exclusively attacks Israeli companies.
#ParsedReport
07-12-2022
Malware Distributed with Disguised Filenames (RIGHT-TO-LEFT OVERRIDE)
https://asec.ahnlab.com/en/43518
Threats:
Laplas_clipper
Redline_stealer
Tron
Trojan/win.rtlo.x2172
Dropper/win.agent.c5317732
Trojan/win.injection.c5313120
Trojan/win.generic.c535472
Trojan/win.generic.c5310136
Raccoon_stealer
Industry:
Financial
IOCs:
File: 3
Hash: 6
IP: 1
Softs:
zcash
Languages:
php
07-12-2022
Malware Distributed with Disguised Filenames (RIGHT-TO-LEFT OVERRIDE)
https://asec.ahnlab.com/en/43518
Threats:
Laplas_clipper
Redline_stealer
Tron
Trojan/win.rtlo.x2172
Dropper/win.agent.c5317732
Trojan/win.injection.c5313120
Trojan/win.generic.c535472
Trojan/win.generic.c5310136
Raccoon_stealer
Industry:
Financial
IOCs:
File: 3
Hash: 6
IP: 1
Softs:
zcash
Languages:
php
ASEC BLOG
Malware Distributed with Disguised Filenames (RIGHT-TO-LEFT OVERRIDE) - ASEC BLOG
In August, the ASEC analysis team made a post on the malware being distributed with filenames that utilize RTLO (Right-To-Left Override). RTLO is a unicode that makes an override from right to left. This type of malware induces users to execute its files…
#ParsedReport
07-12-2022
Resume.xll File Being Distributed in Korea (LockBit 2.0)
https://asec.ahnlab.com/en/43332
Threats:
Lockbit
Geo:
Korea
IOCs:
File: 3
Url: 1
Path: 1
Hash: 2
Softs:
microsoft excel
07-12-2022
Resume.xll File Being Distributed in Korea (LockBit 2.0)
https://asec.ahnlab.com/en/43332
Threats:
Lockbit
Geo:
Korea
IOCs:
File: 3
Url: 1
Path: 1
Hash: 2
Softs:
microsoft excel
ASEC BLOG
'Resume.xll' File Being Distributed in Korea (LockBit 2.0) - ASEC BLOG
In mid-2022, the ASEC analysis team shared that malware with the XLL file format (file extension: .xll) was being distributed via email. The XLL file has a DLL form of a PE (Portable Executable) file but is executed with Microsoft Excel. Since then, this…
#ParsedReport
07-12-2022
An upsurge of new Android Banking Trojan Zanubis
https://labs.k7computing.com/index.php/an-upsurge-of-new-android-banking-trojan-zanubis
Threats:
Zanubis
Cyberchef_tool
Industry:
Financial, Government
Geo:
Peru, Peruvian
TTPs:
Tactics: 4
Technics: 0
IOCs:
Url: 1
File: 22
IP: 1
Hash: 1
Softs:
android
07-12-2022
An upsurge of new Android Banking Trojan Zanubis
https://labs.k7computing.com/index.php/an-upsurge-of-new-android-banking-trojan-zanubis
Threats:
Zanubis
Cyberchef_tool
Industry:
Financial, Government
Geo:
Peru, Peruvian
TTPs:
Tactics: 4
Technics: 0
IOCs:
Url: 1
File: 22
IP: 1
Hash: 1
Softs:
android
K7 Labs
An upsurge of new Android Banking Trojan “Zanubis”
We came across the tweet of an Android malware sample, a banking trojan that mainly targets Peru banks by […]
#ParsedReport
07-12-2022
A Closer look at BlackMagic ransomware
https://blog.cyble.com/2022/12/07/a-closer-look-at-blackmagic-ransomware
Threats:
Blackmagic
Anydesk_tool
Mosesstaff
Industry:
Logistic, Transport, Financial
Geo:
Israeli, Australia, India, Georgia, Israel, Israels, Singapore, Dubai, Iran
TTPs:
Tactics: 4
Technics: 8
IOCs:
Url: 2
File: 7
Path: 1
Registry: 1
IP: 2
Hash: 2
Softs:
nginx, docker, qemu, cpanel, virtualbox
Functions:
Sleep
Win API:
GetLogicalDriveStringsA
Win Services:
powerpnt
Languages:
java, python
07-12-2022
A Closer look at BlackMagic ransomware
https://blog.cyble.com/2022/12/07/a-closer-look-at-blackmagic-ransomware
Threats:
Blackmagic
Anydesk_tool
Mosesstaff
Industry:
Logistic, Transport, Financial
Geo:
Israeli, Australia, India, Georgia, Israel, Israels, Singapore, Dubai, Iran
TTPs:
Tactics: 4
Technics: 8
IOCs:
Url: 2
File: 7
Path: 1
Registry: 1
IP: 2
Hash: 2
Softs:
nginx, docker, qemu, cpanel, virtualbox
Functions:
Sleep
Win API:
GetLogicalDriveStringsA
Win Services:
powerpnt
Languages:
java, python
#ParsedReport
07-12-2022
Securonix Threat Labs Security Advisory: ProxyNotShell Revisited: Detecting Latest Exploits Using Security Analytics
https://www.securonix.com/blog/proxynotshell-revisited
Actors/Campaigns:
Steep_maverick
Threats:
Proxynotshell_vuln
Proxyshell_vuln
Chinachopper
Havoc
Qakbot
CVEs:
CVE-2022-41040 [Vulners]
Vulners: Score: Unknown, CVSS: 3.2,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft exchange server (2013, 2016, 2019, 2019, 2016)
CVE-2021-34523 [Vulners]
Vulners: Score: 7.5, CVSS: 3.4,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
CVE-2021-31207 [Vulners]
Vulners: Score: 6.5, CVSS: 1.7,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
CVE-2021-34473 [Vulners]
Vulners: Score: 10.0, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
CVE-2022-41082 [Vulners]
Vulners: Score: Unknown, CVSS: 2.8,
Vulners: Exploitation: Unknown
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft exchange server (2013, 2016, 2019, 2019, 2016)
TTPs:
Tactics: 3
Technics: 3
IOCs:
File: 10
Path: 2
Command: 2
Softs:
microsoft exchange, microsoft exchange server, msexchange
Win API:
WmiCreateProcess
Languages:
python
07-12-2022
Securonix Threat Labs Security Advisory: ProxyNotShell Revisited: Detecting Latest Exploits Using Security Analytics
https://www.securonix.com/blog/proxynotshell-revisited
Actors/Campaigns:
Steep_maverick
Threats:
Proxynotshell_vuln
Proxyshell_vuln
Chinachopper
Havoc
Qakbot
CVEs:
CVE-2022-41040 [Vulners]
Vulners: Score: Unknown, CVSS: 3.2,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft exchange server (2013, 2016, 2019, 2019, 2016)
CVE-2021-34523 [Vulners]
Vulners: Score: 7.5, CVSS: 3.4,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
CVE-2021-31207 [Vulners]
Vulners: Score: 6.5, CVSS: 1.7,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
CVE-2021-34473 [Vulners]
Vulners: Score: 10.0, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
CVE-2022-41082 [Vulners]
Vulners: Score: Unknown, CVSS: 2.8,
Vulners: Exploitation: Unknown
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft exchange server (2013, 2016, 2019, 2019, 2016)
TTPs:
Tactics: 3
Technics: 3
IOCs:
File: 10
Path: 2
Command: 2
Softs:
microsoft exchange, microsoft exchange server, msexchange
Win API:
WmiCreateProcess
Languages:
python
Securonix
Securonix Threat Labs Security Advisory: ProxyNotShell Revisited: Detecting Latest Exploits Using Security Analytics
Detect and mitigate ProxyNotShell exploits on Microsoft Exchange Servers with insights on vulnerabilities, attack chains, and defense strategies.
#ParsedReport
07-12-2022
Zerobot New Go-Based Botnet Campaign Targets Multiple Vulnerabilities
https://www.fortinet.com/blog/threat-research/zerobot-new-go-based-botnet-campaign-targets-multiple-vulnerabilities
Threats:
Zerobot
Spring4shell
Hostile
Industry:
Iot
IOCs:
Url: 2
IP: 3
File: 2
Hash: 30
Languages:
golang
Softs:
phpadmin
Platforms:
arm, riscv64, ppc64, mips, amd64
07-12-2022
Zerobot New Go-Based Botnet Campaign Targets Multiple Vulnerabilities
https://www.fortinet.com/blog/threat-research/zerobot-new-go-based-botnet-campaign-targets-multiple-vulnerabilities
Threats:
Zerobot
Spring4shell
Hostile
Industry:
Iot
IOCs:
Url: 2
IP: 3
File: 2
Hash: 30
Languages:
golang
Softs:
phpadmin
Platforms:
arm, riscv64, ppc64, mips, amd64
Fortinet Blog
Zerobot – New Go-Based Botnet Campaign Targets Multiple Vulnerabilities
FortiGuardLabs examines a botnet known as Zerobot written in the Go language targeting IoT vulnerabilities. Read our blog to learn about how it evolves, including self-replication, attacks for diff…
#ParsedReport
07-12-2022
Magniber (11/29 ). Suspension of the dissemination of Magniber ransomware (after 11/29)
https://asec.ahnlab.com/ko/43442
Threats:
Magniber
Uac_bypass_technique
Ransomware/win.magniberxg20
Ransom/mdp.edit.m1947
07-12-2022
Magniber (11/29 ). Suspension of the dissemination of Magniber ransomware (after 11/29)
https://asec.ahnlab.com/ko/43442
Threats:
Magniber
Uac_bypass_technique
Ransomware/win.magniberxg20
Ransom/mdp.edit.m1947
ASEC BLOG
Magniber 랜섬웨어의 유포 중단 (11/29 이후) - ASEC BLOG
안랩 ASEC 분석팀은 도메인 오탈자를 악용한 타이포스쿼팅(Typosquatting) 방식을 통해 활발하게 유포되는 대표적인 악성코드인 매그니베르(Magniber) 랜섬웨어의 유포를 지속적인 모니터링 과정을 통해 신속하게 대응하고 있다. 이와 같은 지속적 대응을 통해 11/29일자 기준으로 매그니베르 랜섬웨어의 유포 중단 현황을 포착하였다. 최근 매그니베르 랜섬웨어 제작자는 확장자 변경, 인젝션, UAC 우회 기법 등의 다양한 백신 탐지 회피를 위한 시도를…
#ParsedReport
07-12-2022
An Update on HIVE Ransomware
https://www.avertium.com/resources/threat-reports/an-update-on-hive-ransomware
Threats:
Hive
Vssadmin_tool
Industry:
Energy, Financial, Government, Retail, Healthcare
Geo:
Quebec, Indias, Canada, Ontario
CVEs:
CVE-2021-34523 [Vulners]
Vulners: Score: 7.5, CVSS: 3.4,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
CVE-2021-31207 [Vulners]
Vulners: Score: 6.5, CVSS: 1.7,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
CVE-2021-34473 [Vulners]
Vulners: Score: 10.0, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
IOCs:
Domain: 4
Softs:
esxi, microsoft exchange server, macos
Algorithms:
zip
Languages:
golang
Links:
07-12-2022
An Update on HIVE Ransomware
https://www.avertium.com/resources/threat-reports/an-update-on-hive-ransomware
Threats:
Hive
Vssadmin_tool
Industry:
Energy, Financial, Government, Retail, Healthcare
Geo:
Quebec, Indias, Canada, Ontario
CVEs:
CVE-2021-34523 [Vulners]
Vulners: Score: 7.5, CVSS: 3.4,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
CVE-2021-31207 [Vulners]
Vulners: Score: 6.5, CVSS: 1.7,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
CVE-2021-34473 [Vulners]
Vulners: Score: 10.0, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
IOCs:
Domain: 4
Softs:
esxi, microsoft exchange server, macos
Algorithms:
zip
Languages:
golang
Links:
https://github.com/reecdeep/HiveV5\_file\_decryptor/blob/main/README.mdAvertium
An Update on HIVE Ransomware
Last month, CISA & the FBI released an advisory stating that HIVE ransomware attacks have continued, and they have attacked over 1300 businesses since 2021