#ParsedReport
13-12-2022
Driving Through Defenses \| Targeted Attacks Leverage Signed Malicious Microsoft Drivers
https://www.sentinelone.com/labs/driving-through-defenses-targeted-attacks-leverage-signed-malicious-microsoft-drivers
Threats:
Poortry
Stonestop
Hive
Vmprotect_tool
Industry:
Financial, Healthcare, Entertainment, Telco, Transport, Bp_outsourcing
IOCs:
File: 1
Hash: 3
Win API:
ZwTerminateProcess, PsSuspendProcess, PsResumeProcess
13-12-2022
Driving Through Defenses \| Targeted Attacks Leverage Signed Malicious Microsoft Drivers
https://www.sentinelone.com/labs/driving-through-defenses-targeted-attacks-leverage-signed-malicious-microsoft-drivers
Threats:
Poortry
Stonestop
Hive
Vmprotect_tool
Industry:
Financial, Healthcare, Entertainment, Telco, Transport, Bp_outsourcing
IOCs:
File: 1
Hash: 3
Win API:
ZwTerminateProcess, PsSuspendProcess, PsResumeProcess
SentinelOne
Driving Through Defenses | Targeted Attacks Leverage Signed Malicious Microsoft Drivers
Threat actors are abusing legitimately signed Microsoft drivers in active intrusions into telecommunication, BPO, MSSP, and financial services businesses.
#ParsedReport
14-12-2022
Probing Weaponized Chat Applications Abused in Supply-Chain Attacks
https://www.trendmicro.com/en_us/research/22/l/probing-weaponized-chat-applications-abused-in-supply-chain-atta.html
Actors/Campaigns:
Emissary_panda
Water_labbu
Threats:
Dll_sideloading_technique
Trojan.win64.commdcry.a
Trojan.win32.commpload.a
Trojan.win64.commsendr.a
Trojan.win64.commject.a
Backdoor.win64.commsock.a
Trojan.win64.commsock.a
Trojanspy.win64.commspy.a
Backdoor.js.commload.a
Geo:
Chinese
IOCs:
File: 13
Url: 3
Domain: 10
IP: 2
Path: 2
Hash: 23
Softs:
macos, node.js, telegram, windows registry, "microsoft edge", "chrome", "opera", chromium
Algorithms:
xor, zip, rc4
Languages:
golang, javascript
14-12-2022
Probing Weaponized Chat Applications Abused in Supply-Chain Attacks
https://www.trendmicro.com/en_us/research/22/l/probing-weaponized-chat-applications-abused-in-supply-chain-atta.html
Actors/Campaigns:
Emissary_panda
Water_labbu
Threats:
Dll_sideloading_technique
Trojan.win64.commdcry.a
Trojan.win32.commpload.a
Trojan.win64.commsendr.a
Trojan.win64.commject.a
Backdoor.win64.commsock.a
Trojan.win64.commsock.a
Trojanspy.win64.commspy.a
Backdoor.js.commload.a
Geo:
Chinese
IOCs:
File: 13
Url: 3
Domain: 10
IP: 2
Path: 2
Hash: 23
Softs:
macos, node.js, telegram, windows registry, "microsoft edge", "chrome", "opera", chromium
Algorithms:
xor, zip, rc4
Languages:
golang, javascript
Trend Micro
Probing Weaponized Chat Applications Abused in Supply-Chain Attacks
#ParsedReport
14-12-2022
Wouldve, Couldve, ShouldveDid: TA453 Refuses to be Bound by Expectations
https://www.proofpoint.com/us/blog/threat-insight/ta453-refuses-be-bound-expectations
Actors/Campaigns:
Cleaver (motivation: cyber_espionage)
Irgc
Phosphorus
Badblood
Threats:
Beacon
Credential_harvesting_technique
Charmpower
Hostile
Industry:
Education, Government, Aerospace, Energy, Healthcare
Geo:
Tehran, Israel, Iran, Iranians, Israeli, Bahrain, American, Iranian, Dubai
IOCs:
Domain: 7
Email: 1
Hash: 1
IP: 1
Softs:
microsoft word
Functions:
GhostEcho
14-12-2022
Wouldve, Couldve, ShouldveDid: TA453 Refuses to be Bound by Expectations
https://www.proofpoint.com/us/blog/threat-insight/ta453-refuses-be-bound-expectations
Actors/Campaigns:
Cleaver (motivation: cyber_espionage)
Irgc
Phosphorus
Badblood
Threats:
Beacon
Credential_harvesting_technique
Charmpower
Hostile
Industry:
Education, Government, Aerospace, Energy, Healthcare
Geo:
Tehran, Israel, Iran, Iranians, Israeli, Bahrain, American, Iranian, Dubai
IOCs:
Domain: 7
Email: 1
Hash: 1
IP: 1
Softs:
microsoft word
Functions:
GhostEcho
Proofpoint
TA453: Activity, Techniques, & Targeting Explained | Proofpoint US
Proofpoint provides insights into TA453's ever-evolving tools, tactics, techniques, and targeting. Learn more about this threat group.
#ParsedReport
14-12-2022
Unmasking MirrorFace: Operation LiberalFace targeting Japanese political entities
https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities
Actors/Campaigns:
Liberalface (motivation: cyber_espionage)
Threats:
Mirrorface
Lodeinfo
Mirrorstealer
Putty_tool
Dll_sideloading_technique
Process_injection_technique
Geo:
Ukraine, Japan, Japanese
TTPs:
Tactics: 9
Technics: 26
IOCs:
File: 7
Path: 2
IP: 5
Command: 1
Domain: 2
Hash: 5
Algorithms:
base64, aes-256-cbc, xor, rc4
Win API:
CreateProcessA
14-12-2022
Unmasking MirrorFace: Operation LiberalFace targeting Japanese political entities
https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities
Actors/Campaigns:
Liberalface (motivation: cyber_espionage)
Threats:
Mirrorface
Lodeinfo
Mirrorstealer
Putty_tool
Dll_sideloading_technique
Process_injection_technique
Geo:
Ukraine, Japan, Japanese
TTPs:
Tactics: 9
Technics: 26
IOCs:
File: 7
Path: 2
IP: 5
Command: 1
Domain: 2
Hash: 5
Algorithms:
base64, aes-256-cbc, xor, rc4
Win API:
CreateProcessA
WeLiveSecurity
Unmasking MirrorFace: Operation LiberalFace targeting Japanese political entities
ESET researchers uncover a spearphishing campaign targeting Japanese political entities a few weeks before the House of Councillors elections.
#ParsedReport
14-12-2022
Royal Rumble: Analysis of Royal Ransomware
https://www.cybereason.com/blog/royal-ransomware-analysis
Threats:
Royal_ransomware
Blackcat
Zeon
Lockbit
Batloader
Qakbot
Cobalt_strike
Blackbasta
Conti
Babuk
Geo:
England
TTPs:
Tactics: 3
Technics: 9
IOCs:
File: 4
Hash: 8
Algorithms:
aes, aes-256
Win API:
WSAIoctl, LPFN_CONNECTEX, GetIpAddrTable, WSASocketW, CreateIoCompletionPort, htons, NetShareEnum, GetNativeSystemInfo, RmStartSession, RmRegisterResources, have more...
Links:
14-12-2022
Royal Rumble: Analysis of Royal Ransomware
https://www.cybereason.com/blog/royal-ransomware-analysis
Threats:
Royal_ransomware
Blackcat
Zeon
Lockbit
Batloader
Qakbot
Cobalt_strike
Blackbasta
Conti
Babuk
Geo:
England
TTPs:
Tactics: 3
Technics: 9
IOCs:
File: 4
Hash: 8
Algorithms:
aes, aes-256
Win API:
WSAIoctl, LPFN_CONNECTEX, GetIpAddrTable, WSASocketW, CreateIoCompletionPort, htons, NetShareEnum, GetNativeSystemInfo, RmStartSession, RmRegisterResources, have more...
Links:
https://github.com/struppigel/PortExCybereason
Royal Rumble: Analysis of Royal Ransomware
Learn how Royal ransomware operations work, how they evade anti-ransomware defenses, how they accelerate encryption, and how you can outsmart them.
#ParsedReport
14-12-2022
APT5 Exploits Zero-Day Vulnerability on Citrix ADC and Gateway Devices
https://socradar.io/apt5-exploits-zero-day-vulnerability-on-citrix-adc-and-gateway-devices
Actors/Campaigns:
Apt5
Industry:
Telco
Geo:
Asia, Chinese
CVEs:
CVE-2022-27518 [Vulners]
Vulners: Score: Unknown, CVSS: 4.3,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- citrix application delivery controller firmware (<12.1-55.291, <12.1-55.291, <13.0-58.32, <12.1-65.25)
- citrix gateway firmware (<12.1-65.25, <13.0-58.32)
IOCs:
File: 1
14-12-2022
APT5 Exploits Zero-Day Vulnerability on Citrix ADC and Gateway Devices
https://socradar.io/apt5-exploits-zero-day-vulnerability-on-citrix-adc-and-gateway-devices
Actors/Campaigns:
Apt5
Industry:
Telco
Geo:
Asia, Chinese
CVEs:
CVE-2022-27518 [Vulners]
Vulners: Score: Unknown, CVSS: 4.3,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- citrix application delivery controller firmware (<12.1-55.291, <12.1-55.291, <13.0-58.32, <12.1-65.25)
- citrix gateway firmware (<12.1-65.25, <13.0-58.32)
IOCs:
File: 1
SOCRadar® Cyber Intelligence Inc.
APT5 Exploits Zero-Day Vulnerability on Citrix ADC and Gateway Devices
APT5 has targeted several organizations affected by CVE-2022-27518, but Citrix and the NSA have not provided any additional information.
#ParsedReport
14-12-2022
Black Basta: Riding the Crimeware Sleigh
https://inquest.net/blog/2022/12/13/black-basta-riding-crimeware-sleigh
Threats:
Blackbasta
Qakbot
Cobalt_strike
Beacon
Mimikatz_tool
Html_smuggling_technique
Vssadmin_tool
Geo:
Crimea, Ukrainian, Russian, Ukraine
IOCs:
File: 2
Url: 1
Softs:
nginx
Algorithms:
zip, chacha20
Languages:
javascript
YARA: Found
14-12-2022
Black Basta: Riding the Crimeware Sleigh
https://inquest.net/blog/2022/12/13/black-basta-riding-crimeware-sleigh
Threats:
Blackbasta
Qakbot
Cobalt_strike
Beacon
Mimikatz_tool
Html_smuggling_technique
Vssadmin_tool
Geo:
Crimea, Ukrainian, Russian, Ukraine
IOCs:
File: 2
Url: 1
Softs:
nginx
Algorithms:
zip, chacha20
Languages:
javascript
YARA: Found
InQuest
Black Basta: Riding the Crimeware Sleigh | InQuest Blog
#ParsedReport
14-12-2022
Signed driver malware moves up the software trust chain
https://news.sophos.com/en-us/2022/12/13/signed-driver-malware-moves-up-the-software-trust-chain
Actors/Campaigns:
Lapsus
Unc2596
Threats:
Burntcigar_tool
Byovd_technique
Cuba
Robinhood
Blackbyte
Vmprotect_tool
Avkill_tool
Geo:
Chinese, China
IOCs:
File: 8
Hash: 15
Softs:
windows kernel, jenkins
Win API:
DeviceIoControl
Links:
14-12-2022
Signed driver malware moves up the software trust chain
https://news.sophos.com/en-us/2022/12/13/signed-driver-malware-moves-up-the-software-trust-chain
Actors/Campaigns:
Lapsus
Unc2596
Threats:
Burntcigar_tool
Byovd_technique
Cuba
Robinhood
Blackbyte
Vmprotect_tool
Avkill_tool
Geo:
Chinese, China
IOCs:
File: 8
Hash: 15
Softs:
windows kernel, jenkins
Win API:
DeviceIoControl
Links:
https://github.com/sophoslabs/IoCs/blob/master/Troj\_Agent-BJJB.csvSophos News
Signed driver malware moves up the software trust chain
The criminals signed their AV-killer malware, closely related to one known as BURNTCIGAR, with a legitimate WHCP certificate
#ParsedReport
14-12-2022
Silence is golden partner for Truebot and Clop ransomware
https://www.malwarebytes.com/blog/news/2022/12/silence-is-golden-partner-for-truebot-and-clop-ransomware
Actors/Campaigns:
Whisper_spider
Ta505
Fin11
Threats:
Truebot
Clop
Raspberry_robin
Winrm_tool
Cobalt_strike
Flawedgrace_rat
Teleport_tool
Ransom.agent
Geo:
Pakistan, Brazil, Mexico
CVEs:
CVE-2022-31199 [Vulners]
Vulners: Score: Unknown, CVSS: 4.8,
Vulners: Exploitation: Unknown
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- netwrix auditor (<10.5)
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 1
Softs:
active directory
14-12-2022
Silence is golden partner for Truebot and Clop ransomware
https://www.malwarebytes.com/blog/news/2022/12/silence-is-golden-partner-for-truebot-and-clop-ransomware
Actors/Campaigns:
Whisper_spider
Ta505
Fin11
Threats:
Truebot
Clop
Raspberry_robin
Winrm_tool
Cobalt_strike
Flawedgrace_rat
Teleport_tool
Ransom.agent
Geo:
Pakistan, Brazil, Mexico
CVEs:
CVE-2022-31199 [Vulners]
Vulners: Score: Unknown, CVSS: 4.8,
Vulners: Exploitation: Unknown
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- netwrix auditor (<10.5)
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 1
Softs:
active directory
Malwarebytes
Silence is golden partner for Truebot and Clop ransomware
Researchers have identified two new Truebot botnets that are using new versions of the Truebot downloader Trojan to infiltrate and explore a target's network.
#ParsedReport
14-12-2022
(*.vhd) Qakbot. QAKBOT is distributed as a virtual disk file (*.vhd)
https://asec.ahnlab.com/ko/44002
Threats:
Qakbot
Motw_bypass_technique
Trojan/win.bankerx-gen.r538785
Industry:
Financial
IOCs:
File: 7
IP: 1
Hash: 5
14-12-2022
(*.vhd) Qakbot. QAKBOT is distributed as a virtual disk file (*.vhd)
https://asec.ahnlab.com/ko/44002
Threats:
Qakbot
Motw_bypass_technique
Trojan/win.bankerx-gen.r538785
Industry:
Financial
IOCs:
File: 7
IP: 1
Hash: 5
ASEC BLOG
가상 디스크 파일 (*.vhd) 로 유포 중인 Qakbot - ASEC BLOG
최근 디스크 이미지 파일을 이용한 악성코드 유포가 증가하고 있다. 그 중 Qakbot 악성코드는 ISO 및 IMG 파일을 통해 유포되어 왔으며, 현재는 VHD 파일로 변경되어 유포 중인 것을 확인하였다. 이와 같이 Qakbot 악성코드가 디스크 이미지 파일(IMG, ISO, VHD) 을 이용하는 것은 MOTW(Mark of the Web) 을 우회하기 위한 것으로 보인다. 디스크 이미지 파일은 내부 파일 추출 또는 마운트 시, 내부 파일에 MOTW 가…
#ParsedReport
14-12-2022
. Famous domestic financial app impersonation attack attack
https://asec.ahnlab.com/ko/44225
Actors/Campaigns:
Kimsuky
Industry:
Financial
Geo:
Japan, Korea, Singapore
IOCs:
IP: 3
Domain: 25
Url: 25
14-12-2022
. Famous domestic financial app impersonation attack attack
https://asec.ahnlab.com/ko/44225
Actors/Campaigns:
Kimsuky
Industry:
Financial
Geo:
Japan, Korea, Singapore
IOCs:
IP: 3
Domain: 25
Url: 25
ASEC
국내 유명 금융 앱 사칭한 피싱공격 - ASEC
국내 유명 금융 앱 사칭한 피싱공격 ASEC
#ParsedReport
14-12-2022
Quick Update on Recent Denonia Samples
https://www.cadosecurity.com/quick-update-on-recent-denonia-samples
Threats:
Denonia
Xmrig_miner
Log4shell_vuln
Geo:
Philippines
IOCs:
Hash: 7
Softs:
unix, macos
Languages:
golang
Platforms:
arm
YARA: Found
Links:
14-12-2022
Quick Update on Recent Denonia Samples
https://www.cadosecurity.com/quick-update-on-recent-denonia-samples
Threats:
Denonia
Xmrig_miner
Log4shell_vuln
Geo:
Philippines
IOCs:
Hash: 7
Softs:
unix, macos
Languages:
golang
Platforms:
arm
YARA: Found
Links:
https://github.com/cado-securityhttps://github.com/likexian/doh-goCado Security | Cloud Investigation
Quick Update on Recent Denonia Samples - Cado Security | Cloud Investigation
Back in April 2022, Cado discovered a suspicious ELF binary that utilized DNS over HTTPS to conduct cryptojacking.
#ParsedReport
14-12-2022
RedGoBotGoDDoS. Redgobot DDOS zombie network written in the new Go language
https://mp.weixin.qq.com/s/4iTA4LBNEnOQ5T5AcvZCCA
Threats:
Redgobot_botnet
Robinbot
Gobot
Bashlite
Tcpsynflood_technique
Tcpackflood_technique
Moobot
IOCs:
Hash: 11
File: 1
IP: 3
Softs:
curl
Functions:
OpenVpn_Send
Languages:
golang
Platforms:
arm, ppc64, amd64, mips
14-12-2022
RedGoBotGoDDoS. Redgobot DDOS zombie network written in the new Go language
https://mp.weixin.qq.com/s/4iTA4LBNEnOQ5T5AcvZCCA
Threats:
Redgobot_botnet
Robinbot
Gobot
Bashlite
Tcpsynflood_technique
Tcpackflood_technique
Moobot
IOCs:
Hash: 11
File: 1
IP: 3
Softs:
curl
Functions:
OpenVpn_Send
Languages:
golang
Platforms:
arm, ppc64, amd64, mips
Weixin Official Accounts Platform
RedGoBot——新型Go语言编写的DDoS僵尸网络
2022年11月底,奇安信威胁情报中心监测到一起未知家族恶意样本利用 Vacron NVR RCE 漏洞传播的事件。参考作者在其资产网站中的输出“@redbot on top\x26quot;,我们把它命名为 RedGoBot。
#ParsedReport
14-12-2022
ASEC (20221205 \~ 20221211). ASEC Weekly Malware Statistics (20221205 \~ 20221211)
https://asec.ahnlab.com/ko/44149
Actors/Campaigns:
Ta505
Threats:
Amadey
Lockbit
Smokeloader
Gandcrab
Clop
Beamwinhttp_loader
Garbage_cleaner
Agent_tesla
Azorult
Smokerloader
Formbook
Clipboard_grabbing_technique
Industry:
Financial, Transport
Geo:
Korea
IOCs:
File: 12
Url: 21
Email: 5
Domain: 5
Softs:
telegram
Languages:
php
14-12-2022
ASEC (20221205 \~ 20221211). ASEC Weekly Malware Statistics (20221205 \~ 20221211)
https://asec.ahnlab.com/ko/44149
Actors/Campaigns:
Ta505
Threats:
Amadey
Lockbit
Smokeloader
Gandcrab
Clop
Beamwinhttp_loader
Garbage_cleaner
Agent_tesla
Azorult
Smokerloader
Formbook
Clipboard_grabbing_technique
Industry:
Financial, Transport
Geo:
Korea
IOCs:
File: 12
Url: 21
Email: 5
Domain: 5
Softs:
telegram
Languages:
php
ASEC BLOG
ASEC 주간 악성코드 통계 (20221205 ~ 20221211) - ASEC BLOG
ASEC 분석팀에서는 ASEC 자동 분석 시스템 RAPIT 을 활용하여 알려진 악성코드들에 대한 분류 및 대응을 진행하고 있다. 본 포스팅에서는 2022년 12월 05일 월요일부터 12월 11일 일요일까지 한 주간 수집된 악성코드의 통계를 정리한다. 대분류 상으로는 다운로더가 44.3%로 1위를 차지하였으며, 그 다음으로는 인포스틸러가 28.2%, 백도어 18.3%, 랜섬웨어 8.5%, 코인마이너가 0.7%로 집계되었다. Top 1 – Amadey Amadey…
#ParsedReport
15-12-2022
STOP Ransomware Being Distributed in Korea
https://asec.ahnlab.com/en/43861
Threats:
Stop_ransomware
Smokeloader
Vidar_stealer
Trojan/win.generic.r533564
Raccoon_stealer
Ransomware/win.extensions.c5314354
Beamwinhttp_loader
Industry:
Financial
Geo:
Korea
IOCs:
Path: 6
Url: 5
Registry: 1
File: 5
Hash: 7
Softs:
task scheduler
Platforms:
intel, x86
15-12-2022
STOP Ransomware Being Distributed in Korea
https://asec.ahnlab.com/en/43861
Threats:
Stop_ransomware
Smokeloader
Vidar_stealer
Trojan/win.generic.r533564
Raccoon_stealer
Ransomware/win.extensions.c5314354
Beamwinhttp_loader
Industry:
Financial
Geo:
Korea
IOCs:
Path: 6
Url: 5
Registry: 1
File: 5
Hash: 7
Softs:
task scheduler
Platforms:
intel, x86
ASEC BLOG
STOP Ransomware Being Distributed in Korea - ASEC BLOG
The ASEC analysis team discovered that the STOP ransomware is being distributed in Korea. This ransomware is being distributed at a very high volume that it is ranked among the Top 3 in the ASEC Weekly Malware Statistics (November 28th, 2022 – December 4th…
#ParsedReport
15-12-2022
Caution! Magniber Ransomware Restarts Its Propagation on December 9th With COVID-19 Related Filenames
https://asec.ahnlab.com/en/44315
Threats:
Magniber
Gandcrab
Revil
Lockbit
Motw_bypass_technique
TTPs:
Tactics: 1
Technics: 0
IOCs:
Path: 1
File: 4
Softs:
internet explorer, chrome
15-12-2022
Caution! Magniber Ransomware Restarts Its Propagation on December 9th With COVID-19 Related Filenames
https://asec.ahnlab.com/en/44315
Threats:
Magniber
Gandcrab
Revil
Lockbit
Motw_bypass_technique
TTPs:
Tactics: 1
Technics: 0
IOCs:
Path: 1
File: 4
Softs:
internet explorer, chrome
ASEC BLOG
Caution! Magniber Ransomware Restarts Its Propagation on December 9th With COVID-19 Related Filenames - ASEC BLOG
On December 9th, 2022, the ASEC analysis team discovered that Magniber Ransomware is being distributed again. During the peak of the COVID-19 outbreak, Magniber was found being distributed with COVID-19 related filenames alongside the previous security update…
#ParsedReport
15-12-2022
ASEC Weekly Malware Statistics (December 5th, 2022 December 11th, 2022)
https://asec.ahnlab.com/en/44354
Threats:
Amadey
Smokeloader
Lockbit
Beamwinhttp_loader
Garbage_cleaner
Agent_tesla
Formbook
Clipboard_grabbing_technique
Industry:
Financial
Geo:
Korea
IOCs:
Url: 21
Email: 5
File: 6
Domain: 5
Softs:
telegram
Languages:
php
15-12-2022
ASEC Weekly Malware Statistics (December 5th, 2022 December 11th, 2022)
https://asec.ahnlab.com/en/44354
Threats:
Amadey
Smokeloader
Lockbit
Beamwinhttp_loader
Garbage_cleaner
Agent_tesla
Formbook
Clipboard_grabbing_technique
Industry:
Financial
Geo:
Korea
IOCs:
Url: 21
Email: 5
File: 6
Domain: 5
Softs:
telegram
Languages:
php
ASEC BLOG
ASEC Weekly Malware Statistics (December 5th, 2022 – December 11th, 2022) - ASEC BLOG
The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from December 5th, 2022 (Monday) to December 11th, 2022 (Sunday). For the main category, downloader…
#ParsedReport
15-12-2022
MoneyMonger: Predatory Loan Scam Campaigns Move to Flutter
https://www.zimperium.com/blog/moneymonger-predatory-loan-scam-campaigns-move-to-flutter
Actors/Campaigns:
Moneymonger (motivation: information_theft)
Threats:
Bazarbackdoor
Industry:
Financial
Geo:
Peru, Indian, Nederlands
IOCs:
Url: 33
Hash: 39
File: 1
Softs:
flutter, flutters, flutter-java, android, google chrome, mozilla firefox, opera, microsoft edge
Algorithms:
aes, xor
Functions:
collects_privateInfo
Languages:
java, javascript
Platforms:
apple
15-12-2022
MoneyMonger: Predatory Loan Scam Campaigns Move to Flutter
https://www.zimperium.com/blog/moneymonger-predatory-loan-scam-campaigns-move-to-flutter
Actors/Campaigns:
Moneymonger (motivation: information_theft)
Threats:
Bazarbackdoor
Industry:
Financial
Geo:
Peru, Indian, Nederlands
IOCs:
Url: 33
Hash: 39
File: 1
Softs:
flutter, flutters, flutter-java, android, google chrome, mozilla firefox, opera, microsoft edge
Algorithms:
aes, xor
Functions:
collects_privateInfo
Languages:
java, javascript
Platforms:
apple
Zimperium
MoneyMonger: Predatory Loan Scam Campaigns Move to Flutter - Zimperium
The Zimperium zLabs team recently discovered a Flutter application with malicious code. The Flutter-obfuscated malware campaign, MoneyMonger, is solely distributed through third-party app stores and sideloaded onto the victim’s Android device. Read more to…
#ParsedReport
15-12-2022
SpiderLabs Blog. Meta-Phish: Facebook Infrastructure Used in Phishing Attack Chain
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/meta-phish-facebook-infrastructure-used-in-phishing-attack-chain
IOCs:
Url: 5
File: 3
Softs:
instagram, telegram
Languages:
javascript
15-12-2022
SpiderLabs Blog. Meta-Phish: Facebook Infrastructure Used in Phishing Attack Chain
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/meta-phish-facebook-infrastructure-used-in-phishing-attack-chain
IOCs:
Url: 5
File: 3
Softs:
instagram, telegram
Languages:
javascript
Trustwave
Meta-Phish: Facebook Infrastructure Used in Phishing Attack Chain | Trustwave
Meta has two of the largest social media platforms today, Facebook and Instagram. These platforms became the modern gateway for people not just to socialize and eavesdrop on the lives of famous personalities, but more importantly, to stay connected with their…
#ParsedReport
15-12-2022
Supply Chain Attack via New Malicious Python Package, shaderz (Part 2)
https://www.fortinet.com/blog/threat-research/supply-chain-attack-via-new-malicious-python-package-shaderz-part-2
Threats:
W64/agent.7ec7!tr
IOCs:
File: 7
Path: 2
Url: 1
Hash: 1
IP: 1
Softs:
pyinstaller
Languages:
python
15-12-2022
Supply Chain Attack via New Malicious Python Package, shaderz (Part 2)
https://www.fortinet.com/blog/threat-research/supply-chain-attack-via-new-malicious-python-package-shaderz-part-2
Threats:
W64/agent.7ec7!tr
IOCs:
File: 7
Path: 2
Url: 1
Hash: 1
IP: 1
Softs:
pyinstaller
Languages:
python
Fortinet Blog
Supply Chain Attack via New Malicious Python Package, “shaderz” (Part 2) | FortiGuard Labs
FortiGuard Labs recently discovered a 0-day attack in a PyPI package called “shaderz.” Read Part 2 of this blog to learn about the downloaded executables and how to protect against the attack.…
Интересный проект с TTP и инфой по ним (детекты, новости, софты, группировки и т.д.)
https://app.tidalcyber.com/
https://app.tidalcyber.com/
Tidalcyber
Tidal Cyber
Threat-Led Defense