#ParsedReport
21-12-2022
New Supply Chain Attack Uses Python Package Index aioconsol
https://www.fortinet.com/blog/threat-research/new-supply-chain-attack-uses-python-package-index-aioconsol
Threats:
W32/agent.ahp!tr
IOCs:
File: 4
Hash: 2
Path: 2
IP: 4
Languages:
python
Fortinet Blog
New Supply Chain Attack Uses Python Package Index “aioconsol” | FortiGuard Labs
FortiGuardLabs recently discovered a 0-day attack in a PyPI package called “aioconsol.” Read our blog to learn about the executable file and how to protect against the attack.…
#ParsedReport
21-12-2022
Surge of Fake FIFA World Cup Streaming Sites Targets Virtual Fans
http://www.zscaler.com/blogs/security-research/surge-fake-fifa-world-cup-streaming-sites-targets-virtual-fans
Threats:
Solarmarker
Industry:
E-commerce, Financial, Aerospace
Geo:
Tokyo, Qatar, Africa
IOCs:
Domain: 29
Hash: 10
Softs:
wordpress, windows installer, joomla
Languages:
javascript, php
Zscaler
Fake FIFA World Cup Streaming Sites target Virtual Fans
Attackers are using fake FIFA World Cup 2022 streaming sites and lottery scams to infect users with malware.
#ParsedReport
21-12-2022
SMS scams trick Indian banking customers into installing malicious apps. Indicators of Compromise (IOC)
http://www.zscaler.com/blogs/security-research/sms-scams-trick-indian-banking-customers-installing-malicious-apps
Industry:
Financial
Geo:
Indian
IOCs:
Url: 20
Hash: 10
Zscaler
Indian Banking Customers Fall for SMS Scams | Zscaler Blog
Indian banking customers are being targeted with fake complaint forms from phishing sites spreading info stealers with phony banking apps via SMS scams.
#ParsedReport
21-12-2022
Nokoyawa Ransomware: Rust or Bust. Key Points
http://www.zscaler.com/blogs/security-research/nokoyawa-ransomware-rust-or-bust
Actors/Campaigns:
Qilin
Blackcat
Threats:
Nokoyawa
Karma
Nemty
Ransomexx
Blackcat
Industry:
Financial
IOCs:
Hash: 3
Algorithms:
salsa20, sect233r1, curve25519, ecc, base64
Languages:
golang, rust
Links:
https://github.com/threatlabz/tools/tree/main/nokoyawa
https://github.com/kokke/tiny-ECDH-c
Zscaler
Nokoyawa Ransomware: Rust or Bust | Zscaler
Nokoyawa ransomware code ported from C to Rust with new configuration provided at runtime.
#ParsedReport
21-12-2022
Technical Analysis of DanaBot Obfuscation Techniques
http://www.zscaler.com/blogs/security-research/technical-analysis-danabot-obfuscation-techniques
Threats:
Danabot
Junk_code_technique
Beacon
Industry:
Financial
IOCs:
File: 1
Hash: 1
Languages:
delphi, python, prolog
Links:
https://github.com/threatlabz/tools/blob/main/danabot/09_empty_loops.py
https://github.com/threatlabz/tools/blob/main/danabot/idr_map_to_idapy.py
https://github.com/threatlabz/tools/blob/main/danabot/02_dynamic_return.py
https://github.com/crypto2011/IDR
https://github.com/threatlabz/tools/blob/main/danabot/idr_idc_to_idapy.py
https://github.com/OALabs/hashdb-ida
https://github.com/threatlabz/tools/blob/main/danabot/12_rename_junk_random_variables.py
https://github.com/threatlabz/tools/tree/main/danabot
https://github.com/threatlabz/tools/blob/main/danabot/04_letter_mapping.py
https://github.com/threatlabz/tools/blob/main/danabot/01_junk_byte_jump.py
https://github.com/threatlabz/tools/blob/main/danabot/07_stack_string_letters_to_last_StrCatN_call.py
https://github.com/threatlabz/tools/blob/main/danabot/05_reset_code.py
https://github.com/threatlabz/tools/blob/main/danabot/08_set_stack_string_letters_comments.py
https://github.com/threatlabz/tools/blob/main/danabot/10_math_loops.py
https://github.com/threatlabz/tools/blob/main/danabot/11_rename_junk_variables.py
https://github.com/threatlabz/tools/blob/main/danabot/06_fake_UStrLAsg_and_UStrCopy.py
https://github.com/threatlabz/tools/blob/main/danabot/03_uppercase_jumps.py
https://github.com/OALabs/hashdb/pull/35
Zscaler
DanaBot | ThreatLabz
A technical analysis of the DanaBot malware's obfuscation techniques.
#ParsedReport
21-12-2022
Black Friday Alert: 4 Emerging Skimming Attacks to Watch for This Holiday Season
http://www.zscaler.com/blogs/security-research/black-friday-scams-4-emerging-skimming-attacks-watch-holiday-season
Actors/Campaigns:
Lazarus
Threats:
Magentocore
Industry:
Transport, Financial, E-commerce
Geo:
Australia, Canada
IOCs:
Url: 1
File: 4
Hash: 1
Domain: 23
IP: 2
Algorithms:
base64
Functions:
setInterval, findBtnAddAction, sendCardData, getCardData, Listener, pixtar, _0x54d008
Languages:
php, javascript
Zscaler
Black Friday Alert : 4 Emerging Skimming Attacks | Zscaler
Increasing credit card skimming activity against Magento and Presta-based e-commerce stores as Black Friday holiday season approaches.
#ParsedReport
21-12-2022
Back in Black... Basta. Key Points
http://www.zscaler.com/blogs/security-research/back-black-basta
Threats:
Blackbasta
Conti
Advobfuscator_tool
Industry:
Financial
IOCs:
Hash: 5
File: 4
Command: 1
Algorithms:
hmac, xchacha20, xor, chacha20, ecc
Links:
https://github.com/threatlabz/iocs/tree/main/blackbasta
https://github.com/threatlabz/ransomware_notes/blob/main/blackbasta/blackbasta3.txt
Zscaler
Back in Black... Basta | Zscaler
New BlackBasta ransomware code is likely designed to improve antivirus and EDR evasion
#ParsedReport
21-12-2022
Reports of ProxyNotShell Vulnerabilities Being Actively Exploited (CVE-2022-41040 and CVE-2022-41082)
https://socradar.io/reports-of-proxynotshell-vulnerabilities-being-actively-exploited-cve-2022-41040-and-cve-2022-41082
Threats:
Proxynotshell_vuln
Playcrypt
Owassrf
Plink
Anydesk_tool
Dllhijacker
Trojan.win64.agent.qwibok
CVEs:
CVE-2022-41082 [Vulners]
Vulners: Score: Unknown, CVSS: 2.8,
Vulners: Exploitation: Unknown
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019, 2019, 2016)
CVE-2022-41040 [Vulners]
Vulners: Score: Unknown, CVSS: 3.2,
Vulners: Exploitation: True
X-Force: Risk: 6.5
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019, 2019, 2016)
CVE-2022-41080 [Vulners]
Vulners: Score: Unknown, CVSS: 3.4,
Vulners: Exploitation: Unknown
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019, 2019, 2016)
IOCs:
File: 2
IP: 1
Hash: 5
Softs:
microsoft exchange
SOCRadar® Cyber Intelligence Inc.
Reports of ProxyNotShell Vulnerabilities Being Actively Exploited (CVE-2022-41040 and CVE-2022-41082) - SOCRadar® Cyber Intelligence…
According to reports, the zero-day vulnerabilities CVE-2022-41040 and CVE-2022-41082, dubbed ProxyNotShell, are still being actively exploited.
#ParsedReport
21-12-2022
Conti Team One Splinter Group Resurfaces as Royal Ransomware with Callback Phishing Attacks
https://www.trendmicro.com/en_us/research/22/l/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-wit.html
Threats:
Royal_ransomware
Conti
Zeon
Cobalt_strike
Qakbot
Netscan_tool
Process_hacker_tool
Pchunter_tool
Powertool_tool
Gmer_tool
Adfind_tool
Ransom.win64.yoral.smyxcjct
Trojan.win64.cobalt.be
Trojan.win32.deyma.am
Swrort
Ransom.win32.yoral.yxckb
Ransom.win32.yoral.yecjyt
Geo:
Brazil
IOCs:
Command: 1
File: 2
Hash: 20
Softs:
psexec
Algorithms:
aes
Functions:
OpenSSLs
Win API:
FindFirstFileW, FindNextFileW, FindClose, NetShareEnum
Trend Micro
Conti Team One Splinter Group Resurfaces as Royal Ransomware with Callback Phishing Attacks
#ParsedReport
21-12-2022
Kiss-a-Dog Discovered Utilizing a 20-Year-Old Process Hider
https://www.cadosecurity.com/kiss-a-dog-discovered-utilizing-a-20-year-old-process-hider
Actors/Campaigns:
Kiss_a_dog
Teamtnt
Threats:
Xhide_tool
Tsunami_botnet
Xmrig_miner
Diamorphine_rootkit
Libprocesshider_rootkit
Log4shell_vuln
TTPs:
Tactics: 1
Technics: 0
IOCs:
Domain: 1
Url: 1
Hash: 7
Softs:
docker, redis, ubuntu, unix, macos
Algorithms:
base64
Languages:
python
Platforms:
arm
Links:
https://github.com/chenkaie/junkcode/blob/master/xhide.c
https://github.com/cado-security
https://github.com/m0nad/Diamorphine
https://github.com/gianlucaborello/libprocesshider
Cado Security | Cloud Forensics & Incident Response
Kiss-a-Dog Discovered Utilizing a 20-Year-Old Process Hider - Cado Security | Cloud Forensics & Incident Response
Researchers at Crowdstrike recently discovered a novel cryptojacking campaign, targeting Docker and Kubernetes, that they named Kiss-a-Dog.
#ParsedReport
21-12-2022
RisePro Stealer and Pay-Per-Install Malware PrivateLoader
https://flashpoint.io/blog/risepro-stealer-and-pay-per-install-malware-privateloader
Threats:
Risepro
Privateloader
Vidar_stealer
Arkei_stealer
Oski_stealer
Geo:
Russian
IOCs:
Hash: 6
Domain: 2
Softs:
telegram
Languages:
php
Flashpoint
“RisePro” Stealer Returns with New Updates
RisePro stealer, which was first identified in December 2022 and went dark shortly after, has returned with improvements for its operators.
#ParsedReport
21-12-2022
Godfather:
https://blog.group-ib.com/godfather-trojan
Threats:
Godfather
Anubis
Cerberus
Industry:
Financial
Geo:
Belarus, Moldova, Turkey, France, Uzbekistan, Poland, Spanish, Armenia, Canada, Germany, Azerbaijan, Kyrgyzstan, Italy, Tajikistan, Russian, Spain, Kazakhstan, Turkish, Russia
TTPs:
Tactics: 1
Technics: 0
IOCs:
Domain: 4
File: 1
Hash: 11
Url: 6
Softs:
android, telegram, unix
Algorithms:
aes, cbc
Languages:
php, java
Links:
https://github.com/LibVNC/libvncserver
Group-IB
Godfather Trojan - mobile banking malware that is impossible to refuse
Trojan Godfather is currently being utilized to attack users of financial services across the globe. Find out what it is and how to protect yourself from it!
#ParsedReport
21-12-2022
Fake jQuery Domain Redirects Site Visitors to Scam Pages
https://blog.sucuri.net/2022/12/fake-jquery-domain-redirects-site-visitors-scam.html
Threats:
Parallax_rat
Socgholish_loader
Geo:
Russian
IOCs:
Url: 3
Domain: 12
IP: 1
Softs:
wordpress, cpanel
Languages:
javascript
Platforms:
apple
Sucuri Blog
Fake jQuery Domain Redirects Site Visitors to Scam Pages
Attackers are using jQuery0 in their domain name to trick visitors and webmasters into thinking sites are loading resources from the popular jQuery JavaScript library.
#ParsedReport
21-12-2022
BrasDex: A new Brazilian ATS Android Banker with ties to Desktop malware
https://www.threatfabric.com/blogs/brasdex-a-new-brazilian-ats-malware.html
Threats:
Brasdex
Metamorfo
Bratarat
Vultur
Flubot
Gustuff
Sharkbot
Cashback
Industry:
Financial
Geo:
Brasil, Brazil, Brazilian, Ita, Latam, America
IOCs:
Hash: 5
Domain: 1
File: 2
Softs:
android
Algorithms:
zip
Functions:
SetPwCharAt
Languages:
autoit, javascript, delphi
Platforms:
intel
ThreatFabric
BrasDex: A new Brazilian ATS Android Banker with ties to Desktop malware
ThreatFabric’s analysts discovered a multi-platform banking malware campaign targeting Brazil, reaching thousands of victims.
#ParsedReport
21-12-2022
SpiderLabs Blog. Malicious Macros Adapt to Use Microsoft Publisher to Push Ekipa RAT
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/malicious-macros-adapt-to-use-microsoft-publisher-to-push-ekipa-rat
Threats:
Ekipa_rat
Amsi_bypass_technique
Cobalt_strike
Beacon
Quantum_locker
Emotet
Svcready_loader
Uac_bypass_technique
Industry:
Education, Government, Financial
Geo:
Ukraine, Ukrainian, Russia, Russian
TTPs:
Tactics: 1
Technics: 0
IOCs:
Hash: 56
File: 13
Domain: 3
IP: 7
Url: 10
Softs:
microsoft publisher, visual basic for applications, microsoft word, microsoft defender, microsoft office, microsoft excel
Algorithms:
zip
Win API:
SetTimer, SendInput
Languages:
visual_basic
Links:
https://github.com/S3cur3Th1sSh1t/WinPwn
Trustwave
Malicious Macros Adapt to Use Microsoft Publisher to Push Ekipa RAT | Trustwave
After Microsoft announced this year that macros from the Internet will be blocked by default in Office, many threat actors have switched to different file types such as Windows Shortcut (LNK), ISO or ZIP files, to distribute their malware.
#ParsedReport
21-12-2022
Adult popunder campaign used in mainstream ad fraud scheme
https://www.malwarebytes.com/blog/threat-intelligence/2022/12/adult-popunder-campaign-used-in-mainstream-ad-fraud-scheme
Threats:
Popunder_technique
Geo:
Russian
Softs:
wordpress
Malwarebytes
Adult popunder campaign used in mainstream ad fraud scheme
Taking advantage of cost effective and high traffic adult portals, a threat actor is secretly defrauding advertisers by displaying Google ads under the disguise of an XXX page.
#ParsedReport
21-12-2022
Meddler-in-the-Middle Phishing Attacks Explained
https://unit42.paloaltonetworks.com/meddler-phishing-attacks
Threats:
Evilginx_tool
Mitm_technique
Cloaking_technique
Robin_banks_tool
Caffeine_tool
Modlishka_tool
Muraena_tool
Evilnovnc_tool
Evilproxy_tool
Credential_stealing_technique
Industry:
Financial
IOCs:
Domain: 7
Softs:
chrome
Links:
https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication#configuring-two-factor-authentication-using-a-security-key
Unit 42
Meddler-in-the-Middle Phishing Attacks Explained
Meddler-in-the-Middle (MitM) phishing attacks show how threat actors find ways to get around traditional defenses and advice.
#ParsedReport
21-12-2022
OWASSRF: CrowdStrike Identifies New Exploit Method for Exchange Bypassing ProxyNotShell Mitigations
https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations
Threats:
Owassrf
Proxynotshell_vuln
Playcrypt
Plink
Anydesk_tool
CVEs:
CVE-2022-41082 [Vulners]
Vulners: Score: Unknown, CVSS: 2.8,
Vulners: Exploitation: Unknown
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019, 2019, 2016)
CVE-2022-41123 [Vulners]
Vulners: Score: Unknown, CVSS: 3.4,
Vulners: Exploitation: Unknown
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2016, 2019, 2019, 2016)
CVE-2022-41040 [Vulners]
Vulners: Score: Unknown, CVSS: 3.2,
Vulners: Exploitation: True
X-Force: Risk: 6.5
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019, 2019, 2016)
CVE-2022-41080 [Vulners]
Vulners: Score: Unknown, CVSS: 3.4,
Vulners: Exploitation: Unknown
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019, 2019, 2016)
IOCs:
Path: 1
Email: 1
Softs:
microsoft exchange, microsoft exchange server, microsoft iis server
Languages:
python
Links:
https://github.com/CrowdStrike/OWASSRF
CrowdStrike.com
OWASSRF: CrowdStrike Identifies New Exploit Method for Exchange Bypassing ProxyNotShell Mitigations
Learn how CrowdStrike recently discovered a new exploit method using CVE-2022-41080 and CVE-2022-41082 to achieve remote code execution (RCE) through Outlook Web Access.
#ParsedReport
20-12-2022
GuLoader's Unique Approach to Obfuscation: Understanding Stack Manipulation
https://www.0ffset.net/reverse-engineering/guloaders-stack-manipulation
Actors/Campaigns:
Tick
Threats:
Cloudeye
Agent_tesla
Formbook
Remcos_rat
Smokeloader
Cyberchef_tool
IOCs:
Hash: 1
Softs:
visual studio
Algorithms:
xor
Functions:
w_string_decrypt, string_decrypt, malloc, main, sub_401010, printf
Win API:
MessageBoxA
Languages:
python
YARA: Found
0ffset Training Solutions | Practical and Affordable Cyber Security Training
GuLoader's Obfuscation Technique: Understanding Stack Manipulation | 0ffset Training Solutions
Learn about GuLoader malware's stack manipulation technique for decrypting data blobs and how to implement it. A useful resource for those interested in reverse engineering shellcode or obfuscated malware.
[FIN7] Fin7 Unveiled: A deep dive into notorious cybercrime gang
https://www.prodaft.com/resource/detail/fin7-unveiled-deep-dive-notorious-cybercrime-gang
PRODAFT
PRODAFT – Cyber Threat Intelligence and Risk Intelligence
Explore advanced cybersecurity solutions, providing proactive defense against emerging threats. Learn more about our tailored intelligence, and cybercrime investigation solutions.