#ParsedReport
19-12-2022
CVE-2022-41040 and CVE-2022-41082 zero-days in MS Exchange
https://securelist.com/cve-2022-41040-and-cve-2022-41082-zero-days-in-ms-exchange/108364
Threats:
Proxynotshell_vuln
Proxyshell_vuln
Dllhijacker
Trojan.win64.agent.qwibok
Dll_hijacking_technique
CVEs:
CVE-2021-31207 [Vulners]
Vulners: Score: 6.5, CVSS: 1.7,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
CVE-2021-34473 [Vulners]
Vulners: Score: 10.0, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 9.1
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
CVE-2022-41040 [Vulners]
Vulners: Score: Unknown, CVSS: 3.2,
Vulners: Exploitation: True
X-Force: Risk: 6.5
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019, 2019, 2016)
CVE-2021-34523 [Vulners]
Vulners: Score: 7.5, CVSS: 3.4,
Vulners: Exploitation: True
X-Force: Risk: 9
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
CVE-2022-41082 [Vulners]
Vulners: Score: Unknown, CVSS: 2.8,
Vulners: Exploitation: Unknown
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019, 2019, 2016)
IOCs:
File: 4
IP: 1
Hash: 5
Softs:
microsoft exchange server, microsoft exchange
Languages:
python
Securelist
CVE-2022-41040 and CVE-2022-41082 – zero-days in MS Exchange
At the end of September, GTSC reported the finding of two 0-day vulnerabilities in Microsoft Exchange Server, CVE-2022-41040 and CVE-2022-41082. The cybersecurity community dubbed the pair of vulnerabilities ProxyNotShell.
#ParsedReport
19-12-2022
SentinelSneak: Malicious PyPI module poses as security software development kit
https://blog.reversinglabs.com/blog/sentinelsneak-malicious-pypi-module-poses-as-security-sdk
Actors/Campaigns:
Iconburst
Threats:
Sentinelsneak
Typosquatting_technique
W4sp
Geo:
German
IOCs:
IP: 1
Hash: 48
Languages:
ruby, javascript, python
Links:
https://github.com/javascript-obfuscator/javascript-obfuscator
ReversingLabs
SentinelSneak: Malicious PyPI module poses as security software development kit
A malicious Python file found on the PyPI repo adds backdoor and data exfiltration features to what appears to be a legitimate SDK client from SentinelOne.
#ParsedReport
20-12-2022
Lazarus APT's Operation Interception Uses Signed Binary
https://labs.k7computing.com/index.php/lazarus-apts-operation-interception-uses-signed-binary
Actors/Campaigns:
Lazarus
IOCs:
File: 2
Hash: 1
Softs:
macos, coinbase, microsoft word, curl
Functions:
startDaemon, DownloadFile, curl_easy_init, curl_easy_setopt
Platforms:
apple, intel, arm
K7 Labs
Lazarus APT’s Operation Interception Uses Signed Binary
Malware authors have regularly used signed binaries to bypass the Apple security mechanism and infect macOS users. We came across […]
#ParsedReport
20-12-2022
Nokoyawa Ransomware: Rust or Bust. Key Points
https://www.zscaler.com/blogs/security-research/nokoyawa-ransomware-rust-or-bust
Actors/Campaigns:
Blackcat
Threats:
Nokoyawa
Karma
Nemty
Hive
Blackcat
Industry:
Financial
IOCs:
Hash: 3
Algorithms:
curve25519, salsa20, base64, ecc, sect233r1
Languages:
rust, golang
Links:
https://github.com/threatlabz/tools/tree/main/nokoyawa
https://github.com/kokke/tiny-ECDH-c
Zscaler
Nokoyawa Ransomware: Rust or Bust | Zscaler
Nokoyawa ransomware code ported from C to Rust with new configuration provided at runtime.
#ParsedReport
20-12-2022
Raspberry Robin Malware Targets Telecom, Governments
https://www.trendmicro.com/en_us/research/22/l/raspberry-robin-malware-targets-telecom-governments.html
Threats:
Raspberry_robin
Browserassistant
Uacme
Uac_bypass_technique
Lockbit
Industry:
Government, Telco
Geo:
Australia, Oceania, America
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 9
Registry: 3
Path: 1
Hash: 1
Softs:
windows installer, windows shell, (windows installer)
Algorithms:
rc4
Trend Micro
Raspberry Robin Malware Targets Telecom, Governments
We found samples of the Raspberry Robin malware spreading in telecommunications and government office systems beginning September. The main payload itself is packed with more than 10 layers for obfuscation and is capable of delivering a fake payload once…
#ParsedReport
20-12-2022
GodFather Malware Returns Targeting Banking Users
https://blog.cyble.com/2022/12/20/godfather-malware-returns-targeting-banking-users
Threats:
Godfather
Industry:
Financial
Geo:
Turkish, Turkey
TTPs:
Tactics: 4
Technics: 6
IOCs:
Hash: 21
Url: 1
Softs:
android, telegram
Cyble
Godfather Malware Returns: Targeting Banking Users And Online Security
The Godfather malware is back, specifically targeting banking users. Learn how this threat works and what steps you can take to protect your online banking security.
#ParsedReport
20-12-2022
ASEC (20221212 ~ 20221218). ASEC Weekly Malware Statistics (20221212 ~ 20221218)
https://asec.ahnlab.com/ko/44565
Actors/Campaigns:
Ta505
Threats:
Smokeloader
Smokerloader
Beamwinhttp_loader
Garbage_cleaner
Agent_tesla
Azorult
Amadey
Lockbit
Gandcrab
Clop
Formbook
Clipboard_grabbing_technique
Industry:
Transport
Geo:
Korea
IOCs:
File: 14
Domain: 8
Url: 20
Email: 4
Softs:
telegram
ASEC BLOG
ASEC Weekly Malware Statistics (20221212 ~ 20221218) - ASEC BLOG
Contents: The ASEC analysis team uses the ASEC automatic analysis system RAPIT to classify and respond to known malware. This post summarizes the statistics of malware collected during the week from Monday, December 12, 2022 to Sunday, December 18, 2022. By major category, downloaders ranked first at 61.9%, followed by infostealers at 24.7%, backdoors at 12.5%, and ransomware at 0.9%. Top 1 – SmokeLoader. Smokerloader is…
#ParsedReport
20-12-2022
Cisco Talos Intelligence Blog. Threat Spotlight: XLLing in Excel - threat actors using malicious add-ins
https://blog.talosintelligence.com/xlling-in-excel-malicious-add-ins
Actors/Campaigns:
Stone_panda (motivation: cyber_espionage)
Ta410 (motivation: cyber_espionage)
Donot
Carbanak (motivation: financially_motivated)
Threats:
Motw_bypass_technique
Meterpreter_tool
Dridex
Formbook
Anel
Process_injection_technique
Buer_loader
Agent_tesla
Vidar_stealer
Nanocore_rat
Icedid
Arkei_stealer
Asyncrat_rat
Bazarbackdoor
Avemaria_rat
Lokibot_stealer
Ducktail_stealer
Industry:
Education, Government, Healthcare
Geo:
Pakistan, Japan, India, Vietnam, China, Russia, Hungarian, Budapest, Africa, Pakistani
IOCs:
Registry: 1
File: 12
Hash: 11
Url: 1
Softs:
microsoft office, visual basic for applications, windows explorer, microsoft excel, net framework, discord
Algorithms:
aes, base32
YARA: Found
Links:
https://github.com/Cisco-Talos/osquery_queries/blob/master/win_malware/donot_mutex.yaml
https://github.com/Cisco-Talos/IOCs/blob/main/2022/12/xlling-in-excel-malicious-add-ins.txt
https://github.com/Cisco-Talos/osquery_queries/blob/master/win_malware/malware_avemaria_filepath.yaml
https://github.com/Cisco-Talos/osquery_queries/blob/master/win_malware/malware_lokibot_filepath.yaml
Cisco Talos Blog
Threat Spotlight: XLLing in Excel - threat actors using malicious add-ins
As more and more users adopt new versions of Microsoft Office, it is likely that threat actors will turn away from VBA-based malicious documents to other formats such as XLLs or rely on exploiting newly discovered vulnerabilities to launch malicious code.
#ParsedReport
20-12-2022
Russia's Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine
https://unit42.paloaltonetworks.com/trident-ursa
Actors/Campaigns:
Gamaredon
Threats:
Mispadu
Fastflux_technique
Beacon
Industry:
Petroleum, Government
Geo:
Apac, Russian, Russia, Ukrainian, Emea, America, Japan, Ukraine
IOCs:
Hash: 12
Domain: 7
Url: 10
IP: 3
File: 9
Path: 3
Softs:
telegram, windows scheduled task, mac os
Algorithms:
xor, base64
Functions:
GetSynchronization-USA
Win API:
CreateProcessA
Platforms:
intel, x64
Links:
https://github.com/pan-unit42/iocs/blob/master/Gamaredon/Gamaredon_IoCs_DEC2022.txt
Unit 42
Russia’s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine
Ukraine and its cyber domain has faced ever-increasing threats from Russia. We give an update on APT group Trident Ursa (aka Gamaredon).
#technique
Venom is a C++ library that provides an alternative way to communicate: instead of creating a socket that could be traced back to the process, it spawns a new "hidden" (no window shown) detached Edge process (Edge was chosen because it is a browser installed on every Windows 10+ system and is unlikely to raise suspicion) and steals one of its sockets to perform the network operations.
https://github.com/Idov31/Venom
GitHub
GitHub - Idov31/Venom: Venom is a library that is meant to perform evasive communication using a stolen browser socket
Venom is a library that is meant to perform evasive communication using a stolen browser socket - Idov31/Venom
#ParsedReport
21-12-2022
New Supply Chain Attack Uses Python Package Index aioconsol
https://www.fortinet.com/blog/threat-research/new-supply-chain-attack-uses-python-package-index-aioconsol
Threats:
W32/agent.ahp!tr
IOCs:
File: 4
Hash: 2
Path: 2
IP: 4
Languages:
python
Fortinet Blog
New Supply Chain Attack Uses Python Package Index “aioconsol” | FortiGuard Labs
FortiGuardLabs recently discovered a 0-day attack in a PyPI package called “aioconsol.” Read our blog to learn about the executable file and how to protect against the attack.…
#ParsedReport
21-12-2022
Surge of Fake FIFA World Cup Streaming Sites Targets Virtual Fans
http://www.zscaler.com/blogs/security-research/surge-fake-fifa-world-cup-streaming-sites-targets-virtual-fans
Threats:
Solarmarker
Industry:
E-commerce, Financial, Aerospace
Geo:
Tokyo, Qatar, Africa
IOCs:
Domain: 29
Hash: 10
Softs:
wordpress, windows installer, joomla
Languages:
javascript, php
Zscaler
Fake FIFA World Cup Streaming Sites target Virtual Fans
Attackers are using fake FIFA World Cup 2022 streaming sites and lottery scams to infect users with malware.
#ParsedReport
21-12-2022
SMS scams trick Indian banking customers into installing malicious apps. Indicators of Compromise (IOC)
http://www.zscaler.com/blogs/security-research/sms-scams-trick-indian-banking-customers-installing-malicious-apps
Industry:
Financial
Geo:
Indian
IOCs:
Url: 20
Hash: 10
Zscaler
Indian Banking Customers Fall for SMS Scams | Zscaler Blog
Indian banking customers are being targeted with fake complaint forms from phishing sites spreading info stealers with phony banking apps via SMS scams.
#ParsedReport
21-12-2022
Nokoyawa Ransomware: Rust or Bust. Key Points
http://www.zscaler.com/blogs/security-research/nokoyawa-ransomware-rust-or-bust
Actors/Campaigns:
Qilin
Blackcat
Threats:
Nokoyawa
Karma
Nemty
Ransomexx
Blackcat
Industry:
Financial
IOCs:
Hash: 3
Algorithms:
salsa20, sect233r1, curve25519, ecc, base64
Languages:
golang, rust
Links:
https://github.com/threatlabz/tools/tree/main/nokoyawa
https://github.com/kokke/tiny-ECDH-c
Zscaler
Nokoyawa Ransomware: Rust or Bust | Zscaler
Nokoyawa ransomware code ported from C to Rust with new configuration provided at runtime.
#ParsedReport
21-12-2022
Technical Analysis of DanaBot Obfuscation Techniques
http://www.zscaler.com/blogs/security-research/technical-analysis-danabot-obfuscation-techniques
Threats:
Danabot
Junk_code_technique
Beacon
Industry:
Financial
IOCs:
File: 1
Hash: 1
Languages:
delphi, python, prolog
Links:
https://github.com/threatlabz/tools/blob/main/danabot/09_empty_loops.py
https://github.com/threatlabz/tools/blob/main/danabot/idr_map_to_idapy.py
https://github.com/threatlabz/tools/blob/main/danabot/02_dynamic_return.py
https://github.com/crypto2011/IDR
https://github.com/threatlabz/tools/blob/main/danabot/idr_idc_to_idapy.py
https://github.com/OALabs/hashdb-ida
https://github.com/threatlabz/tools/blob/main/danabot/12_rename_junk_random_variables.py
https://github.com/threatlabz/tools/tree/main/danabot
https://github.com/threatlabz/tools/blob/main/danabot/04_letter_mapping.py
https://github.com/threatlabz/tools/blob/main/danabot/01_junk_byte_jump.py
https://github.com/threatlabz/tools/blob/main/danabot/07_stack_string_letters_to_last_StrCatN_call.py
https://github.com/threatlabz/tools/blob/main/danabot/05_reset_code.py
https://github.com/threatlabz/tools/blob/main/danabot/08_set_stack_string_letters_comments.py
https://github.com/threatlabz/tools/blob/main/danabot/10_math_loops.py
https://github.com/threatlabz/tools/blob/main/danabot/11_rename_junk_variables.py
https://github.com/threatlabz/tools/blob/main/danabot/06_fake_UStrLAsg_and_UStrCopy.py
https://github.com/threatlabz/tools/blob/main/danabot/03_uppercase_jumps.py
https://github.com/OALabs/hashdb/pull/35
Zscaler
DanaBot | ThreatLabz
A technical analysis of the DanaBot malware's obfuscation techniques.
#ParsedReport
21-12-2022
Black Friday Alert: 4 Emerging Skimming Attacks to Watch for This Holiday Season
http://www.zscaler.com/blogs/security-research/black-friday-scams-4-emerging-skimming-attacks-watch-holiday-season
Actors/Campaigns:
Lazarus
Threats:
Magentocore
Industry:
Transport, Financial, E-commerce
Geo:
Australia, Canada
IOCs:
Url: 1
File: 4
Hash: 1
Domain: 23
IP: 2
Algorithms:
base64
Functions:
setInterval, findBtnAddAction, sendCardData, getCardData, Listener, pixtar, _0x54d008
Languages:
php, javascript
Zscaler
Black Friday Alert : 4 Emerging Skimming Attacks | Zscaler
Increasing credit card skimming activity against Magento and Presta-based e-commerce stores as Black Friday holiday season approaches.
#ParsedReport
21-12-2022
Back in Black... Basta. Key Points
http://www.zscaler.com/blogs/security-research/back-black-basta
Threats:
Blackbasta
Conti
Advobfuscator_tool
Industry:
Financial
IOCs:
Hash: 5
File: 4
Command: 1
Algorithms:
hmac, xchacha20, xor, chacha20, ecc
Links:
https://github.com/threatlabz/iocs/tree/main/blackbasta
https://github.com/threatlabz/ransomware_notes/blob/main/blackbasta/blackbasta3.txt
Zscaler
Back in Black... Basta | Zscaler
New BlackBasta ransomware code is likely designed to improve antivirus and EDR evasion
#ParsedReport
21-12-2022
Reports of ProxyNotShell Vulnerabilities Being Actively Exploited (CVE-2022-41040 and CVE-2022-41082)
https://socradar.io/reports-of-proxynotshell-vulnerabilities-being-actively-exploited-cve-2022-41040-and-cve-2022-41082
Threats:
Proxynotshell_vuln
Playcrypt
Owassrf
Plink
Anydesk_tool
Dllhijacker
Trojan.win64.agent.qwibok
CVEs:
CVE-2022-41082 [Vulners]
Vulners: Score: Unknown, CVSS: 2.8,
Vulners: Exploitation: Unknown
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019, 2019, 2016)
CVE-2022-41040 [Vulners]
Vulners: Score: Unknown, CVSS: 3.2,
Vulners: Exploitation: True
X-Force: Risk: 6.5
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019, 2019, 2016)
CVE-2022-41080 [Vulners]
Vulners: Score: Unknown, CVSS: 3.4,
Vulners: Exploitation: Unknown
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019, 2019, 2016)
IOCs:
File: 2
IP: 1
Hash: 5
Softs:
microsoft exchange
SOCRadar® Cyber Intelligence Inc.
Reports of ProxyNotShell Vulnerabilities Being Actively Exploited (CVE-2022-41040 and CVE-2022-41082) - SOCRadar® Cyber Intelligence…
According to reports, the zero-day vulnerabilities CVE-2022-41040 and CVE-2022-41082, dubbed ProxyNotShell, are still being actively exploited.
#ParsedReport
21-12-2022
Conti Team One Splinter Group Resurfaces as Royal Ransomware with Callback Phishing Attacks
https://www.trendmicro.com/en_us/research/22/l/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-wit.html
Threats:
Royal_ransomware
Conti
Zeon
Cobalt_strike
Qakbot
Netscan_tool
Process_hacker_tool
Pchunter_tool
Powertool_tool
Gmer_tool
Adfind_tool
Ransom.win64.yoral.smyxcjct
Trojan.win64.cobalt.be
Trojan.win32.deyma.am
Swrort
Ransom.win32.yoral.yxckb
Ransom.win32.yoral.yecjyt
Geo:
Brazil
IOCs:
Command: 1
File: 2
Hash: 20
Softs:
psexec
Algorithms:
aes
Functions:
OpenSSLs
Win API:
FindFirstFileW, FindNextFileW, FindClose, NetShareEnum
Trend Micro
Conti Team One Splinter Group Resurfaces as Royal Ransomware with Callback Phishing Attacks
#ParsedReport
21-12-2022
Kiss-a-Dog Discovered Utilizing a 20-Year-Old Process Hider
https://www.cadosecurity.com/kiss-a-dog-discovered-utilizing-a-20-year-old-process-hider
Actors/Campaigns:
Kiss_a_dog
Teamtnt
Threats:
Xhide_tool
Tsunami_botnet
Xmrig_miner
Diamorphine_rootkit
Libprocesshider_rootkit
Log4shell_vuln
TTPs:
Tactics: 1
Technics: 0
IOCs:
Domain: 1
Url: 1
Hash: 7
Softs:
docker, redis, ubuntu, unix, macos
Algorithms:
base64
Languages:
python
Platforms:
arm
Links:
https://github.com/chenkaie/junkcode/blob/master/xhide.c
https://github.com/cado-security
https://github.com/m0nad/Diamorphine
https://github.com/gianlucaborello/libprocesshider
Cado Security | Cloud Forensics & Incident Response
Kiss-a-Dog Discovered Utilizing a 20-Year-Old Process Hider - Cado Security | Cloud Forensics & Incident Response
Researchers at Crowdstrike recently discovered a novel cryptojacking campaign, targeting Docker and Kubernetes, that they named Kiss-a-Dog.