#ParsedReport
12-12-2022
A Custom Python Backdoor for VMWare ESXi Servers
https://blogs.juniper.net/en-us/threat-research/a-custom-python-backdoor-for-vmware-esxi-servers
Threats:
Netcat_tool
Asbit_rat
Tsunami_botnet
CVEs:
CVE-2020-3992 [Vulners]
Vulners: Score: 10.0, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- vmware esxi (6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 7.0.0, 6.5, 6.5, 6.5, 6.7, 6.7, 7.0.0)
- vmware cloud foundation (<4.1, <3.10.1.1)
CVE-2022-30190 [Vulners]
Vulners: Score: 9.3, CVSS: 3.4,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft windows server 2012 (r2, -)
- microsoft windows 10 (1607, -, 1809, 20h2, 21h1, 21h2)
- microsoft windows 8.1 (-)
- microsoft windows server 2016 (-)
- microsoft windows server 2008 (-, r2)
have more...
CVE-2019-5544 [Vulners]
Vulners: Score: 7.5, CVSS: 1.7,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Unavailable
Soft:
- vmware horizon daas (<9.0.0.0)
- vmware esxi (6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7)
- redhat enterprise linux desktop (7.0)
- redhat enterprise linux server (7.0)
- redhat enterprise linux server aus (7.7)
have more...
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 6
IP: 1
Softs:
esxi, redis
Algorithms:
base64
Languages:
python
12-12-2022
A Custom Python Backdoor for VMWare ESXi Servers
https://blogs.juniper.net/en-us/threat-research/a-custom-python-backdoor-for-vmware-esxi-servers
Threats:
Netcat_tool
Asbit_rat
Tsunami_botnet
CVEs:
CVE-2020-3992 [Vulners]
Vulners: Score: 10.0, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- vmware esxi (6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 7.0.0, 6.5, 6.5, 6.5, 6.7, 6.7, 7.0.0)
- vmware cloud foundation (<4.1, <3.10.1.1)
CVE-2022-30190 [Vulners]
Vulners: Score: 9.3, CVSS: 3.4,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft windows server 2012 (r2, -)
- microsoft windows 10 (1607, -, 1809, 20h2, 21h1, 21h2)
- microsoft windows 8.1 (-)
- microsoft windows server 2016 (-)
- microsoft windows server 2008 (-, r2)
have more...
CVE-2019-5544 [Vulners]
Vulners: Score: 7.5, CVSS: 1.7,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Unavailable
Soft:
- vmware horizon daas (<9.0.0.0)
- vmware esxi (6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.0, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.5, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7, 6.7)
- redhat enterprise linux desktop (7.0)
- redhat enterprise linux server (7.0)
- redhat enterprise linux server aus (7.7)
have more...
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 6
IP: 1
Softs:
esxi, redis
Algorithms:
base64
Languages:
python
Juniper Networks
A Custom Python Backdoor for VMWare ESXi Servers
Juniper Threat Labs analyzes a backdoor installed on a compromised VMware ESXi server that can execute arbitrary commands and launch reverse shells.
Запилили новый API по данным, что генерит движок парсинга TI-отчетов (разбираем где-то 200-250 отчетов в мес. от 98 источников).
Очень много данных еще остается лежать на диске и не входит ни в одну из наших API (email, registry, coin wallets, commands, код yara|sigma, winapi). Думаю, добавим уже в новую версию API, где данные будут уже в STIX-формате.
Текущая версия API скорее про бюллетени по TI-отчету. Через API можно получить сразу все бюллетени по всем отчетам за выбранные сутки.
Выгляди это вот так.
Очень много данных еще остается лежать на диске и не входит ни в одну из наших API (email, registry, coin wallets, commands, код yara|sigma, winapi). Думаю, добавим уже в новую версию API, где данные будут уже в STIX-формате.
Текущая версия API скорее про бюллетени по TI-отчету. Через API можно получить сразу все бюллетени по всем отчетам за выбранные сутки.
Выгляди это вот так.
🔥2
#ParsedReport
12-12-2022
How Similar Is the Microsoft Account-stealing Phishing Page to the Actual Page?
https://asec.ahnlab.com/en/43821
Geo:
Korea, Korean
IOCs:
File: 2
Hash: 2
Softs:
office365
Algorithms:
aes, base64
12-12-2022
How Similar Is the Microsoft Account-stealing Phishing Page to the Actual Page?
https://asec.ahnlab.com/en/43821
Geo:
Korea, Korean
IOCs:
File: 2
Hash: 2
Softs:
office365
Algorithms:
aes, base64
ASEC
How Similar Is the Microsoft Account-stealing Phishing Page to the Actual Page? - ASEC
Many corporations and users both in and outside Korea use Microsoft accounts to use major services offered by Microsoft, including Outlook, Office, OneDrive, and Windows. Users use integrated login to easily access all Microsoft services linked to their account.…
#ParsedReport
12-12-2022
ASEC Weekly Phishing Email Threat Trends (November 27th, 2022 December 3rd, 2022)
https://asec.ahnlab.com/en/43832
Actors/Campaigns:
Calypso
Threats:
Agent_tesla
Formbook
Neutrino_pos
Industry:
Transport, Financial
Geo:
Asia, India, Spain, Korean, Qatar
TTPs:
IOCs:
File: 33
Url: 7
Algorithms:
zip
Languages:
php
12-12-2022
ASEC Weekly Phishing Email Threat Trends (November 27th, 2022 December 3rd, 2022)
https://asec.ahnlab.com/en/43832
Actors/Campaigns:
Calypso
Threats:
Agent_tesla
Formbook
Neutrino_pos
Industry:
Transport, Financial
Geo:
Asia, India, Spain, Korean, Qatar
TTPs:
IOCs:
File: 33
Url: 7
Algorithms:
zip
Languages:
php
ASEC BLOG
ASEC Weekly Phishing Email Threat Trends (November 27th, 2022 – December 3rd, 2022) - ASEC BLOG
The ASEC analysis team monitors phishing email threats with the ASEC automatic sample analysis system (RAPIT) and Honeypot. This post will cover the cases of distribution of phishing emails during the week from November 27th, 2022 to December 3rd, 2022 and…
#ParsedReport
13-12-2022
Fortinet Released Patch for FortiOS SSL-VPN RCE VulnerabilityCVE-2022-42475. Fortinet Released Patch for FortiOS SSL-VPN RCE Vulnerability CVE-2022-42475
https://socradar.io/fortinet-released-patch-for-fortios-ssl-vpn-rce-vulnerability-cve-2022-42475
CVEs:
CVE-2022-42475 [Vulners]
Vulners: Score: Unknown, CVSS: Unknown,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.8
X-Force: Patch: Official fix
IOCs:
IP: 4
Languages:
javascript
13-12-2022
Fortinet Released Patch for FortiOS SSL-VPN RCE VulnerabilityCVE-2022-42475. Fortinet Released Patch for FortiOS SSL-VPN RCE Vulnerability CVE-2022-42475
https://socradar.io/fortinet-released-patch-for-fortios-ssl-vpn-rce-vulnerability-cve-2022-42475
CVEs:
CVE-2022-42475 [Vulners]
Vulners: Score: Unknown, CVSS: Unknown,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.8
X-Force: Patch: Official fix
IOCs:
IP: 4
Languages:
javascript
SOCRadar® Cyber Intelligence Inc.
Fortinet Released Patch for FortiOS SSL-VPN RCE Vulnerability CVE-2022-42475
The critical flaw, identified as CVE-2022-42475 (CVSS score: 9.3), relates to a heap-based buffer overflow (CWE-122) vulnerability that...
#ParsedReport
13-12-2022
How 140k NuGet, NPM, and PyPi Packages Were Used to Spread Phishing Links. What Happened?
https://checkmarx.com/blog/how-140k-nuget-npm-and-pypi-packages-were-used-to-spread-phishing-links
Industry:
Retail, E-commerce
IOCs:
Email: 1
Domain: 87
File: 3
Softs:
nuget package manager, tiktok, instagram
Links:
13-12-2022
How 140k NuGet, NPM, and PyPi Packages Were Used to Spread Phishing Links. What Happened?
https://checkmarx.com/blog/how-140k-nuget-npm-and-pypi-packages-were-used-to-spread-phishing-links
Industry:
Retail, E-commerce
IOCs:
Email: 1
Domain: 87
File: 3
Softs:
nuget package manager, tiktok, instagram
Links:
https://gist.github.com/jossef/77c4fd00fccf68b56d76a36c79799ca1https://gist.github.com/jossef/1c1152368ff6210340644f44afec7e8eCheckmarx.com
How 140k NuGet, NPM, and PyPi Packages Were Used to Spread Phishing Links
Joint research of Checkmarx and Illustria reveals new attack vector in NuGet ecosystem: attackers spam open-source ecosystem with packages containing links to phishing campaigns. Our teams have disclosed this info to NuGet security and the packages were unlisted.…
#ParsedReport
13-12-2022
GoTrim: Go-based Botnet Actively Brute Forces WordPress Websites
https://www.fortinet.com/blog/threat-research/gotrim-go-based-botnet-actively-brute-forces-wordpress-websites
Threats:
Gotrim_botnet
Stealthworker
Upx_tool
Beacon
Hostile
Industry:
E-commerce
IOCs:
Hash: 9
IP: 1
File: 1
Url: 11
Softs:
wordpress, joomla!
Algorithms:
gzip, aes-gcm, aes
Languages:
php, golang, javascript
13-12-2022
GoTrim: Go-based Botnet Actively Brute Forces WordPress Websites
https://www.fortinet.com/blog/threat-research/gotrim-go-based-botnet-actively-brute-forces-wordpress-websites
Threats:
Gotrim_botnet
Stealthworker
Upx_tool
Beacon
Hostile
Industry:
E-commerce
IOCs:
Hash: 9
IP: 1
File: 1
Url: 11
Softs:
wordpress, joomla!
Algorithms:
gzip, aes-gcm, aes
Languages:
php, golang, javascript
Fortinet Blog
GoTrim: Go-based Botnet Actively Brute Forces WordPress Websites
FortiGuard Labs encountered an unreported CMS scanner and brute forcer written in the Go programming language. Read our analysis of the malware and how this active botnet scans and compromises webs…
#ParsedReport
13-12-2022
Mallox Ransomware
https://labs.k7computing.com/index.php/mallox-ransomware
Threats:
Mallox
Intellilock_tool
Process_hollowing_technique
Bozon
IOCs:
File: 3
Softs:
mssql
Algorithms:
aes, rc4, des
Links:
13-12-2022
Mallox Ransomware
https://labs.k7computing.com/index.php/mallox-ransomware
Threats:
Mallox
Intellilock_tool
Process_hollowing_technique
Bozon
IOCs:
File: 3
Softs:
mssql
Algorithms:
aes, rc4, des
Links:
https://github.com/danielmiessler/SecLists/blob/master/Passwords/Default-Credentials/mssql-betterdefaultpasslist.txtK7 Labs
Mallox Ransomware
Recently we have seen a rush of ransomware attacks belonging to the Mallox family. This ransomware has been active since […]
#ParsedReport
13-12-2022
Venom RAT expands its operations by adding a Stealer Module
https://blog.cyble.com/2022/12/13/venom-rat-expands-its-operations-by-adding-a-stealer-module
Threats:
Venomrat
Hvnc_tool
Process_injection_technique
Industry:
Financial
TTPs:
Tactics: 8
Technics: 16
IOCs:
File: 4
Command: 1
Hash: 22
Softs:
chrome, internet explorer, pale moon, pale waterfox, windows defender, 360browser, chromium, opera, comodo dragon, 7star, have more...
Functions:
DetectBankingServices, DetectPornServices, DetectCryptocurrencyServices
13-12-2022
Venom RAT expands its operations by adding a Stealer Module
https://blog.cyble.com/2022/12/13/venom-rat-expands-its-operations-by-adding-a-stealer-module
Threats:
Venomrat
Hvnc_tool
Process_injection_technique
Industry:
Financial
TTPs:
Tactics: 8
Technics: 16
IOCs:
File: 4
Command: 1
Hash: 22
Softs:
chrome, internet explorer, pale moon, pale waterfox, windows defender, 360browser, chromium, opera, comodo dragon, 7star, have more...
Functions:
DetectBankingServices, DetectPornServices, DetectCryptocurrencyServices
Cyble
Venom RAT expands its operations by adding a Stealer Module
Cyble Research & Intelligence Labs analyzes the recent addition of a stealer module into Venom RAT.
#ParsedReport
13-12-2022
Dissecting the Empire C2 Framework
https://blog.qualys.com/vulnerabilities-threat-research/2022/12/12/dissecting-the-empire-c2-framework
Actors/Campaigns:
Vice_society
Wizard_spider
Turla
Leviathan
Fin12
Darkhydrus
Apt33
Shell_crew
Axiom
Threats:
Empire_loader
Confuserex_tool
Trickbot
Metasploit_tool
Cactustorch
Meterpreter_tool
Lazagne
Beacon
Industry:
Healthcare
Geo:
Usa, Australia, Canada
TTPs:
IOCs:
Url: 1
Domain: 1
IP: 4
Softs:
ubuntu, debian, docker, process explorer, android
Languages:
ironpython, visual_basic, php, csharp, python
Links:
13-12-2022
Dissecting the Empire C2 Framework
https://blog.qualys.com/vulnerabilities-threat-research/2022/12/12/dissecting-the-empire-c2-framework
Actors/Campaigns:
Vice_society
Wizard_spider
Turla
Leviathan
Fin12
Darkhydrus
Apt33
Shell_crew
Axiom
Threats:
Empire_loader
Confuserex_tool
Trickbot
Metasploit_tool
Cactustorch
Meterpreter_tool
Lazagne
Beacon
Industry:
Healthcare
Geo:
Usa, Australia, Canada
TTPs:
IOCs:
Url: 1
Domain: 1
IP: 4
Softs:
ubuntu, debian, docker, process explorer, android
Languages:
ironpython, visual_basic, php, csharp, python
Links:
https://github.com/BC-SECURITY/EmpireQualys Security Blog
Dissecting the Empire C2 Framework | Qualys Security Blog
In this blog we will be taking a quick dive into Empire, a popular open-source post-exploitation framework. Empire provides an adversary with the capability to expand his foothold in a victim’s…
#ParsedReport
13-12-2022
Vidar Stealer. Vidar Stealer to exploit various platforms
https://asec.ahnlab.com/ko/43871
Threats:
Vidar_stealer
Stop_ransomware
Postealer
Trojan/win.injection.c5318441
Infostealer/win.generic.c5308804
Arkei_stealer
IOCs:
File: 5
IP: 1
Hash: 5
Softs:
telegram, kmsauto, tiktok, windows defender
Algorithms:
base64, xor, zip
13-12-2022
Vidar Stealer. Vidar Stealer to exploit various platforms
https://asec.ahnlab.com/ko/43871
Threats:
Vidar_stealer
Stop_ransomware
Postealer
Trojan/win.injection.c5318441
Infostealer/win.generic.c5308804
Arkei_stealer
IOCs:
File: 5
IP: 1
Hash: 5
Softs:
telegram, kmsauto, tiktok, windows defender
Algorithms:
base64, xor, zip
ASEC BLOG
다양한 플랫폼을 악용하는 Vidar Stealer - ASEC BLOG
Vidar 악성코드는 꾸준하게 유포 중인 정보탈취 유형의 악성코드로 최근 유포량이 눈에 띄게 늘었다. Telegram, Mastodon등의 유명 플랫폼을 중간 C2로 활용하는 것이 특징이다. 다음 링크는 Mastodon을 활용하여 악성 행위를 수행하는 사례에 대한 포스팅이다. 이후에도 Vidar 악성코드는 활발히 유포되며 지속적으로 버전이 업데이트되었고, 최근 유포 중인 샘플군에서는 Telegram, Mastodon 뿐만 아니라 Steam, TikTok…
#technique
Cloud Threats Memo: Understanding the Dead Drop Resolver Technique
https://www.netskope.com/blog/cloud-threats-memo-understanding-the-dead-drop-resolver-technique
Cloud Threats Memo: Understanding the Dead Drop Resolver Technique
https://www.netskope.com/blog/cloud-threats-memo-understanding-the-dead-drop-resolver-technique
Netskope
Cloud Threats Memo: Understanding the Dead Drop Resolver Technique
If I asked you what the common ways to exploit a cloud app for malicious purposes are, I bet your answer would probably be either to use it to distribute
#technique
HTML smugglers turn to SVG images
https://blog.talosintelligence.com/html-smugglers-turn-to-svg-images/
HTML smugglers turn to SVG images
https://blog.talosintelligence.com/html-smugglers-turn-to-svg-images/
Cisco Talos Blog
HTML smugglers turn to SVG images
* HTML smuggling is a technique attackers use to hide an encoded malicious script within an HTML email attachment or webpage.
* Once a victim receives the email and opens the attachment, their browser decodes and runs the script, which then assembles a malicious…
* Once a victim receives the email and opens the attachment, their browser decodes and runs the script, which then assembles a malicious…
#ParsedReport
13-12-2022
Driving Through Defenses \| Targeted Attacks Leverage Signed Malicious Microsoft Drivers
https://www.sentinelone.com/labs/driving-through-defenses-targeted-attacks-leverage-signed-malicious-microsoft-drivers
Threats:
Poortry
Stonestop
Hive
Vmprotect_tool
Industry:
Financial, Healthcare, Entertainment, Telco, Transport, Bp_outsourcing
IOCs:
File: 1
Hash: 3
Win API:
ZwTerminateProcess, PsSuspendProcess, PsResumeProcess
13-12-2022
Driving Through Defenses \| Targeted Attacks Leverage Signed Malicious Microsoft Drivers
https://www.sentinelone.com/labs/driving-through-defenses-targeted-attacks-leverage-signed-malicious-microsoft-drivers
Threats:
Poortry
Stonestop
Hive
Vmprotect_tool
Industry:
Financial, Healthcare, Entertainment, Telco, Transport, Bp_outsourcing
IOCs:
File: 1
Hash: 3
Win API:
ZwTerminateProcess, PsSuspendProcess, PsResumeProcess
SentinelOne
Driving Through Defenses | Targeted Attacks Leverage Signed Malicious Microsoft Drivers
Threat actors are abusing legitimately signed Microsoft drivers in active intrusions into telecommunication, BPO, MSSP, and financial services businesses.
#ParsedReport
14-12-2022
Probing Weaponized Chat Applications Abused in Supply-Chain Attacks
https://www.trendmicro.com/en_us/research/22/l/probing-weaponized-chat-applications-abused-in-supply-chain-atta.html
Actors/Campaigns:
Emissary_panda
Water_labbu
Threats:
Dll_sideloading_technique
Trojan.win64.commdcry.a
Trojan.win32.commpload.a
Trojan.win64.commsendr.a
Trojan.win64.commject.a
Backdoor.win64.commsock.a
Trojan.win64.commsock.a
Trojanspy.win64.commspy.a
Backdoor.js.commload.a
Geo:
Chinese
IOCs:
File: 13
Url: 3
Domain: 10
IP: 2
Path: 2
Hash: 23
Softs:
macos, node.js, telegram, windows registry, "microsoft edge", "chrome", "opera", chromium
Algorithms:
xor, zip, rc4
Languages:
golang, javascript
14-12-2022
Probing Weaponized Chat Applications Abused in Supply-Chain Attacks
https://www.trendmicro.com/en_us/research/22/l/probing-weaponized-chat-applications-abused-in-supply-chain-atta.html
Actors/Campaigns:
Emissary_panda
Water_labbu
Threats:
Dll_sideloading_technique
Trojan.win64.commdcry.a
Trojan.win32.commpload.a
Trojan.win64.commsendr.a
Trojan.win64.commject.a
Backdoor.win64.commsock.a
Trojan.win64.commsock.a
Trojanspy.win64.commspy.a
Backdoor.js.commload.a
Geo:
Chinese
IOCs:
File: 13
Url: 3
Domain: 10
IP: 2
Path: 2
Hash: 23
Softs:
macos, node.js, telegram, windows registry, "microsoft edge", "chrome", "opera", chromium
Algorithms:
xor, zip, rc4
Languages:
golang, javascript
Trend Micro
Probing Weaponized Chat Applications Abused in Supply-Chain Attacks
#ParsedReport
14-12-2022
Wouldve, Couldve, ShouldveDid: TA453 Refuses to be Bound by Expectations
https://www.proofpoint.com/us/blog/threat-insight/ta453-refuses-be-bound-expectations
Actors/Campaigns:
Cleaver (motivation: cyber_espionage)
Irgc
Phosphorus
Badblood
Threats:
Beacon
Credential_harvesting_technique
Charmpower
Hostile
Industry:
Education, Government, Aerospace, Energy, Healthcare
Geo:
Tehran, Israel, Iran, Iranians, Israeli, Bahrain, American, Iranian, Dubai
IOCs:
Domain: 7
Email: 1
Hash: 1
IP: 1
Softs:
microsoft word
Functions:
GhostEcho
14-12-2022
Wouldve, Couldve, ShouldveDid: TA453 Refuses to be Bound by Expectations
https://www.proofpoint.com/us/blog/threat-insight/ta453-refuses-be-bound-expectations
Actors/Campaigns:
Cleaver (motivation: cyber_espionage)
Irgc
Phosphorus
Badblood
Threats:
Beacon
Credential_harvesting_technique
Charmpower
Hostile
Industry:
Education, Government, Aerospace, Energy, Healthcare
Geo:
Tehran, Israel, Iran, Iranians, Israeli, Bahrain, American, Iranian, Dubai
IOCs:
Domain: 7
Email: 1
Hash: 1
IP: 1
Softs:
microsoft word
Functions:
GhostEcho
Proofpoint
TA453: Activity, Techniques, & Targeting Explained | Proofpoint US
Proofpoint provides insights into TA453's ever-evolving tools, tactics, techniques, and targeting. Learn more about this threat group.
#ParsedReport
14-12-2022
Unmasking MirrorFace: Operation LiberalFace targeting Japanese political entities
https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities
Actors/Campaigns:
Liberalface (motivation: cyber_espionage)
Threats:
Mirrorface
Lodeinfo
Mirrorstealer
Putty_tool
Dll_sideloading_technique
Process_injection_technique
Geo:
Ukraine, Japan, Japanese
TTPs:
Tactics: 9
Technics: 26
IOCs:
File: 7
Path: 2
IP: 5
Command: 1
Domain: 2
Hash: 5
Algorithms:
base64, aes-256-cbc, xor, rc4
Win API:
CreateProcessA
14-12-2022
Unmasking MirrorFace: Operation LiberalFace targeting Japanese political entities
https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities
Actors/Campaigns:
Liberalface (motivation: cyber_espionage)
Threats:
Mirrorface
Lodeinfo
Mirrorstealer
Putty_tool
Dll_sideloading_technique
Process_injection_technique
Geo:
Ukraine, Japan, Japanese
TTPs:
Tactics: 9
Technics: 26
IOCs:
File: 7
Path: 2
IP: 5
Command: 1
Domain: 2
Hash: 5
Algorithms:
base64, aes-256-cbc, xor, rc4
Win API:
CreateProcessA
WeLiveSecurity
Unmasking MirrorFace: Operation LiberalFace targeting Japanese political entities
ESET researchers uncover a spearphishing campaign targeting Japanese political entities a few weeks before the House of Councillors elections.
#ParsedReport
14-12-2022
Royal Rumble: Analysis of Royal Ransomware
https://www.cybereason.com/blog/royal-ransomware-analysis
Threats:
Royal_ransomware
Blackcat
Zeon
Lockbit
Batloader
Qakbot
Cobalt_strike
Blackbasta
Conti
Babuk
Geo:
England
TTPs:
Tactics: 3
Technics: 9
IOCs:
File: 4
Hash: 8
Algorithms:
aes, aes-256
Win API:
WSAIoctl, LPFN_CONNECTEX, GetIpAddrTable, WSASocketW, CreateIoCompletionPort, htons, NetShareEnum, GetNativeSystemInfo, RmStartSession, RmRegisterResources, have more...
Links:
14-12-2022
Royal Rumble: Analysis of Royal Ransomware
https://www.cybereason.com/blog/royal-ransomware-analysis
Threats:
Royal_ransomware
Blackcat
Zeon
Lockbit
Batloader
Qakbot
Cobalt_strike
Blackbasta
Conti
Babuk
Geo:
England
TTPs:
Tactics: 3
Technics: 9
IOCs:
File: 4
Hash: 8
Algorithms:
aes, aes-256
Win API:
WSAIoctl, LPFN_CONNECTEX, GetIpAddrTable, WSASocketW, CreateIoCompletionPort, htons, NetShareEnum, GetNativeSystemInfo, RmStartSession, RmRegisterResources, have more...
Links:
https://github.com/struppigel/PortExCybereason
Royal Rumble: Analysis of Royal Ransomware
Learn how Royal ransomware operations work, how they evade anti-ransomware defenses, how they accelerate encryption, and how you can outsmart them.
#ParsedReport
14-12-2022
APT5 Exploits Zero-Day Vulnerability on Citrix ADC and Gateway Devices
https://socradar.io/apt5-exploits-zero-day-vulnerability-on-citrix-adc-and-gateway-devices
Actors/Campaigns:
Apt5
Industry:
Telco
Geo:
Asia, Chinese
CVEs:
CVE-2022-27518 [Vulners]
Vulners: Score: Unknown, CVSS: 4.3,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- citrix application delivery controller firmware (<12.1-55.291, <12.1-55.291, <13.0-58.32, <12.1-65.25)
- citrix gateway firmware (<12.1-65.25, <13.0-58.32)
IOCs:
File: 1
14-12-2022
APT5 Exploits Zero-Day Vulnerability on Citrix ADC and Gateway Devices
https://socradar.io/apt5-exploits-zero-day-vulnerability-on-citrix-adc-and-gateway-devices
Actors/Campaigns:
Apt5
Industry:
Telco
Geo:
Asia, Chinese
CVEs:
CVE-2022-27518 [Vulners]
Vulners: Score: Unknown, CVSS: 4.3,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- citrix application delivery controller firmware (<12.1-55.291, <12.1-55.291, <13.0-58.32, <12.1-65.25)
- citrix gateway firmware (<12.1-65.25, <13.0-58.32)
IOCs:
File: 1
SOCRadar® Cyber Intelligence Inc.
APT5 Exploits Zero-Day Vulnerability on Citrix ADC and Gateway Devices
APT5 has targeted several organizations affected by CVE-2022-27518, but Citrix and the NSA have not provided any additional information.
#ParsedReport
14-12-2022
Black Basta: Riding the Crimeware Sleigh
https://inquest.net/blog/2022/12/13/black-basta-riding-crimeware-sleigh
Threats:
Blackbasta
Qakbot
Cobalt_strike
Beacon
Mimikatz_tool
Html_smuggling_technique
Vssadmin_tool
Geo:
Crimea, Ukrainian, Russian, Ukraine
IOCs:
File: 2
Url: 1
Softs:
nginx
Algorithms:
zip, chacha20
Languages:
javascript
YARA: Found
14-12-2022
Black Basta: Riding the Crimeware Sleigh
https://inquest.net/blog/2022/12/13/black-basta-riding-crimeware-sleigh
Threats:
Blackbasta
Qakbot
Cobalt_strike
Beacon
Mimikatz_tool
Html_smuggling_technique
Vssadmin_tool
Geo:
Crimea, Ukrainian, Russian, Ukraine
IOCs:
File: 2
Url: 1
Softs:
nginx
Algorithms:
zip, chacha20
Languages:
javascript
YARA: Found
InQuest
Black Basta: Riding the Crimeware Sleigh | InQuest Blog
#ParsedReport
14-12-2022
Signed driver malware moves up the software trust chain
https://news.sophos.com/en-us/2022/12/13/signed-driver-malware-moves-up-the-software-trust-chain
Actors/Campaigns:
Lapsus
Unc2596
Threats:
Burntcigar_tool
Byovd_technique
Cuba
Robinhood
Blackbyte
Vmprotect_tool
Avkill_tool
Geo:
Chinese, China
IOCs:
File: 8
Hash: 15
Softs:
windows kernel, jenkins
Win API:
DeviceIoControl
Links:
14-12-2022
Signed driver malware moves up the software trust chain
https://news.sophos.com/en-us/2022/12/13/signed-driver-malware-moves-up-the-software-trust-chain
Actors/Campaigns:
Lapsus
Unc2596
Threats:
Burntcigar_tool
Byovd_technique
Cuba
Robinhood
Blackbyte
Vmprotect_tool
Avkill_tool
Geo:
Chinese, China
IOCs:
File: 8
Hash: 15
Softs:
windows kernel, jenkins
Win API:
DeviceIoControl
Links:
https://github.com/sophoslabs/IoCs/blob/master/Troj\_Agent-BJJB.csvSophos News
Signed driver malware moves up the software trust chain
The criminals signed their AV-killer malware, closely related to one known as BURNTCIGAR, with a legitimate WHCP certificate