#ParsedReport
07-12-2022
Magniber (11/29 ). Suspension of the dissemination of Magniber ransomware (after 11/29)
https://asec.ahnlab.com/ko/43442
Threats:
Magniber
Uac_bypass_technique
Ransomware/win.magniberxg20
Ransom/mdp.edit.m1947
07-12-2022
Magniber (11/29 ). Suspension of the dissemination of Magniber ransomware (after 11/29)
https://asec.ahnlab.com/ko/43442
Threats:
Magniber
Uac_bypass_technique
Ransomware/win.magniberxg20
Ransom/mdp.edit.m1947
ASEC BLOG
Magniber 랜섬웨어의 유포 중단 (11/29 이후) - ASEC BLOG
안랩 ASEC 분석팀은 도메인 오탈자를 악용한 타이포스쿼팅(Typosquatting) 방식을 통해 활발하게 유포되는 대표적인 악성코드인 매그니베르(Magniber) 랜섬웨어의 유포를 지속적인 모니터링 과정을 통해 신속하게 대응하고 있다. 이와 같은 지속적 대응을 통해 11/29일자 기준으로 매그니베르 랜섬웨어의 유포 중단 현황을 포착하였다. 최근 매그니베르 랜섬웨어 제작자는 확장자 변경, 인젝션, UAC 우회 기법 등의 다양한 백신 탐지 회피를 위한 시도를…
#ParsedReport
07-12-2022
An Update on HIVE Ransomware
https://www.avertium.com/resources/threat-reports/an-update-on-hive-ransomware
Threats:
Hive
Vssadmin_tool
Industry:
Energy, Financial, Government, Retail, Healthcare
Geo:
Quebec, Indias, Canada, Ontario
CVEs:
CVE-2021-34523 [Vulners]
Vulners: Score: 7.5, CVSS: 3.4,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
CVE-2021-31207 [Vulners]
Vulners: Score: 6.5, CVSS: 1.7,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
CVE-2021-34473 [Vulners]
Vulners: Score: 10.0, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
IOCs:
Domain: 4
Softs:
esxi, microsoft exchange server, macos
Algorithms:
zip
Languages:
golang
Links:
07-12-2022
An Update on HIVE Ransomware
https://www.avertium.com/resources/threat-reports/an-update-on-hive-ransomware
Threats:
Hive
Vssadmin_tool
Industry:
Energy, Financial, Government, Retail, Healthcare
Geo:
Quebec, Indias, Canada, Ontario
CVEs:
CVE-2021-34523 [Vulners]
Vulners: Score: 7.5, CVSS: 3.4,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
CVE-2021-31207 [Vulners]
Vulners: Score: 6.5, CVSS: 1.7,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
CVE-2021-34473 [Vulners]
Vulners: Score: 10.0, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
IOCs:
Domain: 4
Softs:
esxi, microsoft exchange server, macos
Algorithms:
zip
Languages:
golang
Links:
https://github.com/reecdeep/HiveV5\_file\_decryptor/blob/main/README.mdAvertium
An Update on HIVE Ransomware
Last month, CISA & the FBI released an advisory stating that HIVE ransomware attacks have continued, and they have attacked over 1300 businesses since 2021
#ParsedReport
07-12-2022
Torii. Reference materials:
https://mp.weixin.qq.com/s/2RluW4O56UWiNSQB2hQtGA
Actors/Campaigns:
Oceanlotus
Threats:
Torii_botnet
Mirai
Rotajakiro
Phantomlance
Kerrdown
Cobalt_strike
Industry:
Iot, Government
Geo:
China
TTPs:
Tactics: 3
Technics: 0
IOCs:
File: 6
Softs:
android, macos, crontab
Algorithms:
aes, gzip, aes-128, rc4
Platforms:
arm, x86, mips, x64
07-12-2022
Torii. Reference materials:
https://mp.weixin.qq.com/s/2RluW4O56UWiNSQB2hQtGA
Actors/Campaigns:
Oceanlotus
Threats:
Torii_botnet
Mirai
Rotajakiro
Phantomlance
Kerrdown
Cobalt_strike
Industry:
Iot, Government
Geo:
China
TTPs:
Tactics: 3
Technics: 0
IOCs:
File: 6
Softs:
android, macos, crontab
Algorithms:
aes, gzip, aes-128, rc4
Platforms:
arm, x86, mips, x64
Weixin Official Accounts Platform
海莲花组织Torii远控的网络攻击活动分析
海莲花组织使用Torii远控家族针对物联网设备的窃密控制活动。
#ParsedReport
07-12-2022
AndroxGh0st the python malware exploiting your AWS keys
https://www.lacework.com/blog/androxghost-the-python-malware-exploiting-your-aws-keys
Threats:
Androxgh0st
Xcatze_actor
Redline_stealer
IOCs:
IP: 1
Hash: 7
Url: 2
Softs:
laravel
Functions:
GetSendQuota, CreateUser-, CreateLoginProfile-, DeleteAccessKey-, CreateUser, CreateLoginProfile, DeleteAccessKey
Languages:
php, python
Platforms:
intel
Links:
07-12-2022
AndroxGh0st the python malware exploiting your AWS keys
https://www.lacework.com/blog/androxghost-the-python-malware-exploiting-your-aws-keys
Threats:
Androxgh0st
Xcatze_actor
Redline_stealer
IOCs:
IP: 1
Hash: 7
Url: 2
Softs:
laravel
Functions:
GetSendQuota, CreateUser-, CreateLoginProfile-, DeleteAccessKey-, CreateUser, CreateLoginProfile, DeleteAccessKey
Languages:
php, python
Platforms:
intel
Links:
https://github.com/search?q=%22androxgh0st%22&type=codehttps://github.com/lacework/lacework-labs/blob/master/blog/androxgh0st\_IOCs.csvFortinet
Cloud-Native Application Protection Platform (CNAPP)
Lacework FortiCNAPP is the most comprehensive cloud-native application protection platform available. AI-driven and organically developed, it empowers organizations to easily secure everything from code to cloud.
#ParsedReport
07-12-2022
Mustang Panda Uses the Russian-Ukrainian War to Attack Europe and Asia Pacific Targets
https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets
Actors/Campaigns:
Red_delta (motivation: cyber_espionage)
Threats:
Plugx_rat
Dll_sideloading_technique
Crashoverride
Romcom_rat
Industry:
Ngo, Telco, Education, Government, Financial
Geo:
Chinese, Vietnam, Pacific, Ukraine, China, Apac, Asia, Myanmar
TTPs:
Tactics: 6
Technics: 21
IOCs:
File: 6
Command: 1
Path: 1
IP: 11
Hash: 4
Softs:
component object model, keepass
Win API:
EnumThreadWindows, EnumSystemCodePagesW
Platforms:
intel
07-12-2022
Mustang Panda Uses the Russian-Ukrainian War to Attack Europe and Asia Pacific Targets
https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets
Actors/Campaigns:
Red_delta (motivation: cyber_espionage)
Threats:
Plugx_rat
Dll_sideloading_technique
Crashoverride
Romcom_rat
Industry:
Ngo, Telco, Education, Government, Financial
Geo:
Chinese, Vietnam, Pacific, Ukraine, China, Apac, Asia, Myanmar
TTPs:
Tactics: 6
Technics: 21
IOCs:
File: 6
Command: 1
Path: 1
IP: 11
Hash: 4
Softs:
component object model, keepass
Win API:
EnumThreadWindows, EnumSystemCodePagesW
Platforms:
intel
BlackBerry
Mustang Panda Uses the Russian-Ukrainian War to Attack Europe and Asia Pacific Targets
APT group Mustang Panda now appears to have Europe and Asia Pacific targets in its sights. The BlackBerry Research and Intelligence team recently unearthed evidence that the group may be using global interest in the Russian-Ukraine war to deliver PlugX malware…
#ParsedReport
07-12-2022
Top 10 macOS Malware Discoveries in 2022
https://www.sentinelone.com/blog/top-10-macos-malware-discoveries-in-2022
Actors/Campaigns:
Lazarus
Earth_berberoka
Emissary_panda
Threats:
Alchimist_tool
Chromeloader
Cloudmensis
Cratedepression
Dazzlespy
Gimmick
Pymafka
Pkexec_tool
Poseidon
Macma
Typosquatting_technique
Cobalt_strike
Upx_tool
Sliver_tool
Xcsset
Pirrit
Bundlore
Adload_loader
Geo:
Chinese, Asia, Korean
CVEs:
CVE-2021-4034 [Vulners]
Vulners: Score: 7.2, CVSS: 4.4,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- polkit project polkit (*)
- redhat enterprise linux desktop (7.0)
- redhat enterprise linux workstation (7.0)
- redhat enterprise linux for scientific computing (7.0)
- redhat enterprise linux server (7.0, 6.0)
have more...
CVE-2020-9934 [Vulners]
Vulners: Score: 2.1, CVSS: 2.3,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- apple ipad os (<13.6)
- apple iphone os (<13.6)
- apple mac os x (<10.15.6)
IOCs:
Hash: 29
File: 12
Url: 3
Domain: 4
IP: 1
Softs:
macos, unix, chrome, keychain, coinbase
Algorithms:
zip
Languages:
rust, objective_c, python
Platforms:
intel, apple, x86
07-12-2022
Top 10 macOS Malware Discoveries in 2022
https://www.sentinelone.com/blog/top-10-macos-malware-discoveries-in-2022
Actors/Campaigns:
Lazarus
Earth_berberoka
Emissary_panda
Threats:
Alchimist_tool
Chromeloader
Cloudmensis
Cratedepression
Dazzlespy
Gimmick
Pymafka
Pkexec_tool
Poseidon
Macma
Typosquatting_technique
Cobalt_strike
Upx_tool
Sliver_tool
Xcsset
Pirrit
Bundlore
Adload_loader
Geo:
Chinese, Asia, Korean
CVEs:
CVE-2021-4034 [Vulners]
Vulners: Score: 7.2, CVSS: 4.4,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- polkit project polkit (*)
- redhat enterprise linux desktop (7.0)
- redhat enterprise linux workstation (7.0)
- redhat enterprise linux for scientific computing (7.0)
- redhat enterprise linux server (7.0, 6.0)
have more...
CVE-2020-9934 [Vulners]
Vulners: Score: 2.1, CVSS: 2.3,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- apple ipad os (<13.6)
- apple iphone os (<13.6)
- apple mac os x (<10.15.6)
IOCs:
Hash: 29
File: 12
Url: 3
Domain: 4
IP: 1
Softs:
macos, unix, chrome, keychain, coinbase
Algorithms:
zip
Languages:
rust, objective_c, python
Platforms:
intel, apple, x86
SentinelOne
Top 10 macOS Malware Discoveries in 2022
Learn about all the new malware targeting macOS users in 2022 and how to stay safe from the latest Mac-focused campaigns.
#ParsedReport
08-12-2022
Phishing Email Impersonating Quasi-governmental Organization Being Distributed
https://asec.ahnlab.com/en/43596
Geo:
Korea
IOCs:
Url: 2
08-12-2022
Phishing Email Impersonating Quasi-governmental Organization Being Distributed
https://asec.ahnlab.com/en/43596
Geo:
Korea
IOCs:
Url: 2
ASEC BLOG
Phishing Email Impersonating Quasi-governmental Organization Being Distributed - ASEC BLOG
The ASEC analysis team has recently detected the distribution of a phishing email impersonating a non-profit quasi-governmental organization. Since the email is using a webpage disguised as a login page of GobizKOREA serviced by Korea SMEs and Startups Agency…
#ParsedReport
08-12-2022
ASEC Weekly Malware Statistics (November 28th, 2022 December 4th, 2022)
https://asec.ahnlab.com/en/43544
Threats:
Smokeloader
Agent_tesla
Vidar_stealer
Clipbanker
Redline_stealer
Beamwinhttp_loader
Industry:
Financial
Geo:
Korea
IOCs:
File: 9
Email: 5
Url: 9
IP: 6
Softs:
telegram
Languages:
php
08-12-2022
ASEC Weekly Malware Statistics (November 28th, 2022 December 4th, 2022)
https://asec.ahnlab.com/en/43544
Threats:
Smokeloader
Agent_tesla
Vidar_stealer
Clipbanker
Redline_stealer
Beamwinhttp_loader
Industry:
Financial
Geo:
Korea
IOCs:
File: 9
Email: 5
Url: 9
IP: 6
Softs:
telegram
Languages:
php
ASEC BLOG
ASEC Weekly Malware Statistics (November 28th, 2022 – December 4th, 2022) - ASEC BLOG
The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from November 28th, 2022 (Monday) to December 4th, 2022 (Sunday). For the main category, Infostealer…
#ParsedReport
08-12-2022
ASEC Weekly Phishing Email Threat Trend (November 20th, 2022 November 26th, 2022)
https://asec.ahnlab.com/en/43570
Threats:
Agent_tesla
Formbook
Purecrypter
Industry:
Financial, Transport
Geo:
Mongolian, Korean
TTPs:
IOCs:
File: 43
Url: 9
Algorithms:
zip
08-12-2022
ASEC Weekly Phishing Email Threat Trend (November 20th, 2022 November 26th, 2022)
https://asec.ahnlab.com/en/43570
Threats:
Agent_tesla
Formbook
Purecrypter
Industry:
Financial, Transport
Geo:
Mongolian, Korean
TTPs:
IOCs:
File: 43
Url: 9
Algorithms:
zip
ASEC BLOG
ASEC Weekly Phishing Email Threat Trend (November 20th, 2022 – November 26th, 2022) - ASEC BLOG
The ASEC analysis team monitors phishing email threats with the ASEC automatic sample analysis system (RAPIT) and Honeypot. This post will cover the cases of distribution of phishing emails during the week from November 20th, 2022 to November 26th, 2022 and…
#ParsedReport
08-12-2022
DeathStalker targets legal entities with new Janicab variant
https://securelist.com/deathstalker-targets-legal-entities-with-new-janicab-variant/108131
Actors/Campaigns:
Evilnum
Threats:
Janicab
Dead_drop_technique
Powersing
Powerpepper
Plink
Beacon
Icmpshell_tool
Procdump_tool
Industry:
Financial
Geo:
Egypt, Emirates, Georgia, Bulgaria
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 26
Registry: 1
IP: 4
Hash: 19
Url: 3
Softs:
macos, virtualbox, internet explorer, sysinternals
Algorithms:
base64, zip
Functions:
isVmDrivers, isVmMAC, isVmProduct, InternetExplorer, checkRunningProcess, delFFcookies, delGCcookies, delIEcookies, isMalwb, HandleCCleaner, have more...
Languages:
php, python
Platforms:
apple, intel
Links:
08-12-2022
DeathStalker targets legal entities with new Janicab variant
https://securelist.com/deathstalker-targets-legal-entities-with-new-janicab-variant/108131
Actors/Campaigns:
Evilnum
Threats:
Janicab
Dead_drop_technique
Powersing
Powerpepper
Plink
Beacon
Icmpshell_tool
Procdump_tool
Industry:
Financial
Geo:
Egypt, Emirates, Georgia, Bulgaria
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 26
Registry: 1
IP: 4
Hash: 19
Url: 3
Softs:
macos, virtualbox, internet explorer, sysinternals
Algorithms:
base64, zip
Functions:
isVmDrivers, isVmMAC, isVmProduct, InternetExplorer, checkRunningProcess, delFFcookies, delGCcookies, delIEcookies, isMalwb, HandleCCleaner, have more...
Languages:
php, python
Platforms:
apple, intel
Links:
https://github.com/bdamele/icmpshSecurelist
DeathStalker targets legal entities with new Janicab variant
While hunting for less common Deathstalker intrusions, we identified a new Janicab variant used in targeting legal entities in the Middle East throughout 2020.
#ParsedReport
08-12-2022
STOP. Stop ransomware domestic distribution
https://asec.ahnlab.com/ko/43680
Threats:
Smokeloader
Trojan/win.generic.r533564
Raccoon_stealer
Ransomware/win.extensions.c5314354
Beamwinhttp_loader
Industry:
Financial
Geo:
Uzbekistan, Russia, Azerbaijan, Belarus, Tajikistan, Armenia, Ukraine, Kazakhstan, Syria, Kyrgyzstan
IOCs:
File: 7
Path: 6
Registry: 1
Hash: 7
Url: 3
Softs:
task scheduler
Languages:
php
Platforms:
intel, x86
08-12-2022
STOP. Stop ransomware domestic distribution
https://asec.ahnlab.com/ko/43680
Threats:
Smokeloader
Trojan/win.generic.r533564
Raccoon_stealer
Ransomware/win.extensions.c5314354
Beamwinhttp_loader
Industry:
Financial
Geo:
Uzbekistan, Russia, Azerbaijan, Belarus, Tajikistan, Armenia, Ukraine, Kazakhstan, Syria, Kyrgyzstan
IOCs:
File: 7
Path: 6
Registry: 1
Hash: 7
Url: 3
Softs:
task scheduler
Languages:
php
Platforms:
intel, x86
ASEC BLOG
STOP 랜섬웨어 국내 유포 중 - ASEC BLOG
ASEC 분석팀은 STOP 랜섬웨어가 국내에 유포되고 있음을 확인하였다. 해당 랜섬웨어는 ASEC 주간 악성코드 통계 (20221128 ~ 20221204)에서 Top3를 차지하고 있을 정도로 다수 유포되고 있다. 최근 유포되는 파일은 SmokeLoader, Vidar와 같이 MalPe 외형을 지니는 것이 특징이다. STOP 랜섬웨어는 실행 시 먼저 hxxps://api.2ip.ua/geo.json에 접속하여 country code를 확인한다. 아래에…
#ParsedReport
08-12-2022
Multiple Indian Entities Targeted by the Khalifah Cyber Crew Under the #OpsBantaiKaw2 Campaign
https://cloudsek.com/threatintelligence/multiple-indian-entities-targeted-by-the-khalifah-cyber-crew-under-the-opsbantaikaw2-campaign/
Actors/Campaigns:
Khalifah_cybercrew
Opsbantaikaw
Geo:
Indian
08-12-2022
Multiple Indian Entities Targeted by the Khalifah Cyber Crew Under the #OpsBantaiKaw2 Campaign
https://cloudsek.com/threatintelligence/multiple-indian-entities-targeted-by-the-khalifah-cyber-crew-under-the-opsbantaikaw2-campaign/
Actors/Campaigns:
Khalifah_cybercrew
Opsbantaikaw
Geo:
Indian
Cloudsek
Multiple Indian Entities Targeted by the Khalifah Cyber Crew Under the #OpsBantaiKaw2 Campaign | Threat Intelligence | CloudSEK
CloudSEK’s contextual AI digital risk platform XVigil discovered a tweet by the threat group “Khalifah Cyber Crew” announcing a new campaign “OpsBantaiKaw2” for targeting Indian websites.
#ParsedReport
08-12-2022
Lazarus group uses fake cryptocurrency apps to plant AppleJeus malware
https://www.malwarebytes.com/blog/news/2022/12/lazarus-group-uses-fake-cryptocurrency-apps-to-plant-applejeus-malware
Actors/Campaigns:
Lazarus
Threats:
Applejeus
Dll_sideloading_technique
Industry:
Government, Financial
Geo:
Korean
IOCs:
Domain: 6
File: 4
Path: 4
Softs:
microsoft office, qtbitcointrader
Functions:
OpenDrive
Links:
08-12-2022
Lazarus group uses fake cryptocurrency apps to plant AppleJeus malware
https://www.malwarebytes.com/blog/news/2022/12/lazarus-group-uses-fake-cryptocurrency-apps-to-plant-applejeus-malware
Actors/Campaigns:
Lazarus
Threats:
Applejeus
Dll_sideloading_technique
Industry:
Government, Financial
Geo:
Korean
IOCs:
Domain: 6
File: 4
Path: 4
Softs:
microsoft office, qtbitcointrader
Functions:
OpenDrive
Links:
https://github.com/JulyIGHOR/QtBitcoinTraderMalwarebytes
Lazarus group uses fake cryptocurrency apps to plant AppleJeus malware
Researchers have found a new Lazarus campaign, once again targeting cryptocurrency users and organizations by deploying a fake website and malicious documents.
#ParsedReport
08-12-2022
SpiderLabs Blog. Trojanized OneNote Document Leads to Formbook Malware
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware
Threats:
Formbook
IOCs:
File: 2
Domain: 1
Hash: 3
Softs:
onenote
08-12-2022
SpiderLabs Blog. Trojanized OneNote Document Leads to Formbook Malware
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware
Threats:
Formbook
IOCs:
File: 2
Domain: 1
Hash: 3
Softs:
onenote
Trustwave
Trojanized OneNote Document Leads to Formbook Malware | Trustwave
Cybercriminals have long used Microsoft documents to pass along malware and they are always experimenting with new ways to deliver malicious packages. As defenders, Trustwave SpiderLabs’ researchers are always looking out for new or unusual file types, and…
#ParsedReport
08-12-2022
APT-C-56. 1. Analysis of attack activities
https://mp.weixin.qq.com/s/J_A12SOX0k5TOYFAegBv_w
Actors/Campaigns:
Transparenttribe
Comment_crew
Manling_flower
Threats:
Spynote_rat
Sonicspy
Ahmyth_rat
Metasploit_tool
Asyncrat_rat
Beacon
Industry:
Government
Geo:
Syrian, Pakistan, Pakistani, Asia
IOCs:
File: 6
Hash: 23
Softs:
android
08-12-2022
APT-C-56. 1. Analysis of attack activities
https://mp.weixin.qq.com/s/J_A12SOX0k5TOYFAegBv_w
Actors/Campaigns:
Transparenttribe
Comment_crew
Manling_flower
Threats:
Spynote_rat
Sonicspy
Ahmyth_rat
Metasploit_tool
Asyncrat_rat
Beacon
Industry:
Government
Geo:
Syrian, Pakistan, Pakistani, Asia
IOCs:
File: 6
Hash: 23
Softs:
android
Weixin Official Accounts Platform
疑似APT-C-56(透明部落)针对恐怖主义的攻击活动分析
360烽火实验发现了一批疑似APT-C-56(透明部落)针对恐怖主义发起攻击的恶意样本,通过溯源关联分析发现,攻击活动至少开始于2018年6月,至今仍处于活跃状态
#ParsedReport
08-12-2022
Breach Prevention Blog. New Babuk Ransomware Found in Major Attack
https://blog.morphisec.com/babuk-ransomware-variant-major-attack
Actors/Campaigns:
Blackmatter
Threats:
Babuk
Wannaren
Dll_sideloading_technique
Uac_bypass_technique
Reflectiveloader
Conti
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 33
Path: 2
Softs:
dbsnmp, onenote, powerpnt, encsvc, thebat, wordpad, event tracing for windows
08-12-2022
Breach Prevention Blog. New Babuk Ransomware Found in Major Attack
https://blog.morphisec.com/babuk-ransomware-variant-major-attack
Actors/Campaigns:
Blackmatter
Threats:
Babuk
Wannaren
Dll_sideloading_technique
Uac_bypass_technique
Reflectiveloader
Conti
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 33
Path: 2
Softs:
dbsnmp, onenote, powerpnt, encsvc, thebat, wordpad, event tracing for windows
Morphisec
Babuk Ransomware Variant in Major New Attack
Previously unseen variant of Babuk ransomware strikes multibillion-dollar manufacturing company.
#ParsedReport
08-12-2022
Mallox Ransomware showing signs of Increased Activity. IoCs
https://blog.cyble.com/2022/12/08/mallox-ransomware-showing-signs-of-increased-activity
Threats:
Mallox
Snake_keylogger
Agent_tesla
Remcos_rat
Intellilock_tool
Gozi
Industry:
Financial
Geo:
Georgia, Australia, Singapore, India, Dubai
TTPs:
Tactics: 6
Technics: 8
IOCs:
Url: 2
File: 4
Hash: 12
Softs:
microsoft sql, mssql, postgresql, microsoft exchange server, wamp, nginx, jenkins, redis, kingdee, virtualbox, have more...
Algorithms:
aes
Functions:
InvokeMember
08-12-2022
Mallox Ransomware showing signs of Increased Activity. IoCs
https://blog.cyble.com/2022/12/08/mallox-ransomware-showing-signs-of-increased-activity
Threats:
Mallox
Snake_keylogger
Agent_tesla
Remcos_rat
Intellilock_tool
Gozi
Industry:
Financial
Geo:
Georgia, Australia, Singapore, India, Dubai
TTPs:
Tactics: 6
Technics: 8
IOCs:
Url: 2
File: 4
Hash: 12
Softs:
microsoft sql, mssql, postgresql, microsoft exchange server, wamp, nginx, jenkins, redis, kingdee, virtualbox, have more...
Algorithms:
aes
Functions:
InvokeMember
Cyble
Mallox Ransomware showing signs of Increased Activity
Cyble Research & Intelligence Labs analyzes a surge in activity from the Mallox Ransomware group and details how it operates in this analysis.
#ParsedReport
08-12-2022
(Operation EvilPlane) : APT by 4 2022. 12. 7. 13:41. Text title Operation Evilplane: APT attack using files containing personal information of domestic usersMalware Analysis Report
https://blog.alyac.co.kr/5009
Actors/Campaigns:
Evilplane
Threats:
Uac_bypass_technique
Konni
Vidar_stealer
Geo:
Korean
IOCs:
File: 6
Algorithms:
zip
08-12-2022
(Operation EvilPlane) : APT by 4 2022. 12. 7. 13:41. Text title Operation Evilplane: APT attack using files containing personal information of domestic usersMalware Analysis Report
https://blog.alyac.co.kr/5009
Actors/Campaigns:
Evilplane
Threats:
Uac_bypass_technique
Konni
Vidar_stealer
Geo:
Korean
IOCs:
File: 6
Algorithms:
zip
이스트시큐리티 알약 블로그
오퍼레이션 이블플레인(Operation EvilPlane) : 국내 이용자의 개인정보가 담긴 파일을 이용한 APT 공격
안녕하세요? 이스트시큐리티 시큐리티대응센터(이하 ESRC)입니다. 국내 이용자의 개인정보가 담긴 파일을 이용한 APT 공격이 발견되어 사용자들의 각별하나 주의가 필요합니다. 이번에 발견된 공격 파일은 문서(docx) 파일로, 최근 공격자들이 자주 사용하는 원격 템플릿 주입(Remote Template Injection) 기술을 사용하였습니다. 해당 문서 파일은 ‘Paypal’ 이름의 계정에서 22년 12월 6일 19시 26분경 수정된 것으로 확인되며,…
#ParsedReport
08-12-2022
Internet Explorer 0-day exploited by North Korean actor APT37
https://blog.google/threat-analysis-group/internet-explorer-0-day-exploited-by-north-korean-actor-apt37
Actors/Campaigns:
Apt37 (motivation: government_sponsored)
Threats:
Rtf_template_inject_technique
Rokrat_rat
Bluelight
Dolphin
Geo:
Korea, Korean
CVEs:
CVE-2017-0199 [Vulners]
Vulners: Score: 9.3, CVSS: 7.8,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft windows server 2008 (r2, *)
- microsoft windows server 2012 (-)
- microsoft windows vista (*)
- microsoft office (2010, 2013, 2016, 2007)
- microsoft windows 7 (*)
have more...
CVE-2021-34480 [Vulners]
Vulners: Score: 6.8, CVSS: 2.4,
Vulners: Exploitation: Unknown
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft windows 10 (-, 20h2, 21h1, 1607, 1809, 1909, 2004)
- microsoft windows 7 (-)
- microsoft windows 8.1 (-)
- microsoft windows rt 8.1 (-)
- microsoft windows server 2008 (r2)
have more...
CVE-2022-41128 [Vulners]
Vulners: Score: Unknown, CVSS: 2.5,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft windows server 2008 (r2)
- microsoft windows server 2012 (r2, -)
- microsoft windows 10 (1607, -, 20h2, 21h1, 21h2, 22h2, 1809)
- microsoft windows 8.1 (-, -)
- microsoft windows server 2016 (-)
have more...
IOCs:
File: 1
Hash: 6
Domain: 5
Softs:
internet explorer, microsoft office
Languages:
javascript, jscript
08-12-2022
Internet Explorer 0-day exploited by North Korean actor APT37
https://blog.google/threat-analysis-group/internet-explorer-0-day-exploited-by-north-korean-actor-apt37
Actors/Campaigns:
Apt37 (motivation: government_sponsored)
Threats:
Rtf_template_inject_technique
Rokrat_rat
Bluelight
Dolphin
Geo:
Korea, Korean
CVEs:
CVE-2017-0199 [Vulners]
Vulners: Score: 9.3, CVSS: 7.8,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft windows server 2008 (r2, *)
- microsoft windows server 2012 (-)
- microsoft windows vista (*)
- microsoft office (2010, 2013, 2016, 2007)
- microsoft windows 7 (*)
have more...
CVE-2021-34480 [Vulners]
Vulners: Score: 6.8, CVSS: 2.4,
Vulners: Exploitation: Unknown
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft windows 10 (-, 20h2, 21h1, 1607, 1809, 1909, 2004)
- microsoft windows 7 (-)
- microsoft windows 8.1 (-)
- microsoft windows rt 8.1 (-)
- microsoft windows server 2008 (r2)
have more...
CVE-2022-41128 [Vulners]
Vulners: Score: Unknown, CVSS: 2.5,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft windows server 2008 (r2)
- microsoft windows server 2012 (r2, -)
- microsoft windows 10 (1607, -, 20h2, 21h1, 21h2, 22h2, 1809)
- microsoft windows 8.1 (-, -)
- microsoft windows server 2016 (-)
have more...
IOCs:
File: 1
Hash: 6
Domain: 5
Softs:
internet explorer, microsoft office
Languages:
javascript, jscript
Google
Internet Explorer 0-day exploited by North Korean actor APT37
Google’s Threat Analysis Group describes a new 0-day vulnerability attributed to North Korean government-backed actors known as APT37.
#ParsedReport
08-12-2022
Fantasy a new Agrius wiper deployed through a supplychain attack
https://www.welivesecurity.com/2022/12/07/fantasy-new-agrius-wiper-supply-chain-attack
Actor/Campaign:
Agrius
Threats:
Fantasywiper
Apostle
Credential_harvesting_technique
Minidump_tool
Mimikatz_tool
Secretsdump_tool
Killdisk
Lsass_dumper_tool
Impacket_tool
Timestomp_technique
Stop_ransomware
Industry:
Petroleum, Financial
Geo:
Iran, Emirates, Ukraine, African, Israel, Israeli, Africa
TTPs:
Tactics: 9
Technics: 15
IOCs:
Path: 5
File: 4
Registry: 3
Hash: 7
Softs:
psexec
Algorithms:
base64, zip, des
Functions:
SetLastAccessTimeUtc, GetSubDirectoryFileListRecursive
Win API:
SeShutdownPrivilege
Languages:
php, java, lua, python
Links:
08-12-2022
Fantasy a new Agrius wiper deployed through a supplychain attack
https://www.welivesecurity.com/2022/12/07/fantasy-new-agrius-wiper-supply-chain-attack
Actor/Campaign:
Agrius
Threats:
Fantasywiper
Apostle
Credential_harvesting_technique
Minidump_tool
Mimikatz_tool
Secretsdump_tool
Killdisk
Lsass_dumper_tool
Impacket_tool
Timestomp_technique
Stop_ransomware
Industry:
Petroleum, Financial
Geo:
Iran, Emirates, Ukraine, African, Israel, Israeli, Africa
TTPs:
Tactics: 9
Technics: 15
IOCs:
Path: 5
File: 4
Registry: 3
Hash: 7
Softs:
psexec
Algorithms:
base64, zip, des
Functions:
SetLastAccessTimeUtc, GetSubDirectoryFileListRecursive
Win API:
SeShutdownPrivilege
Languages:
php, java, lua, python
Links:
https://github.com/cube0x0/MiniDump
https://github.com/bb00/zer0dump/blob/master/secretsdump.pyWeLiveSecurity
Fantasy – a new Agrius wiper deployed through a supply‑chain attack
ESET researchers analyzed a supply-chain attack abusing an Israeli software developer to deploy Fantasy, Agrius’s new wiper.
#ParsedReport
08-12-2022
CISA and the FBI issue alert about Cuba ransomware
https://www.malwarebytes.com/blog/news/2022/12/cisa-and-fbi-issue-alert-about-cuba-ransomware
Threats:
Cuba
Stop_ransomware
Romcom_rat
Hancitor
Industry:
Financial, Government, Healthcare
Geo:
Ukraine, California, Russian
Softs:
psexec
08-12-2022
CISA and the FBI issue alert about Cuba ransomware
https://www.malwarebytes.com/blog/news/2022/12/cisa-and-fbi-issue-alert-about-cuba-ransomware
Threats:
Cuba
Stop_ransomware
Romcom_rat
Hancitor
Industry:
Financial, Government, Healthcare
Geo:
Ukraine, California, Russian
Softs:
psexec
Malwarebytes
CISA and the FBI issue alert about Cuba ransomware
Cuba ransomware is spotlighted in a recent cybersecurity advisory (CSA) in the ongoing #StopRansomware campaign spearheaded by CISA and the FBI.