#ParsedReport
21-12-2022
Black Friday Alert: 4 Emerging Skimming Attacks to Watch for This Holiday Season
http://www.zscaler.com/blogs/security-research/black-friday-scams-4-emerging-skimming-attacks-watch-holiday-season
Actors/Campaigns:
Lazarus
Threats:
Magentocore
Industry:
Transport, Financial, E-commerce
Geo:
Australia, Canada
IOCs:
Url: 1
File: 4
Hash: 1
Domain: 23
IP: 2
Algorithms:
base64
Functions:
setInterval, findBtnAddAction, sendCardData, getCardData, Listener, pixtar, _0x54d008
Languages:
php, javascript
Zscaler
Black Friday Alert: 4 Emerging Skimming Attacks | Zscaler
Increasing credit card skimming activity against Magento and Presta-based e-commerce stores as Black Friday holiday season approaches.
#ParsedReport
21-12-2022
Back in Black... Basta
http://www.zscaler.com/blogs/security-research/back-black-basta
Threats:
Blackbasta
Conti
Advobfuscator_tool
Industry:
Financial
IOCs:
Hash: 5
File: 4
Command: 1
Algorithms:
hmac, xchacha20, xor, chacha20, ecc
Links:
https://github.com/threatlabz/iocs/tree/main/blackbasta
https://github.com/threatlabz/ransomware_notes/blob/main/blackbasta/blackbasta3.txt
Zscaler
Back in Black... Basta | Zscaler
New BlackBasta ransomware code is likely designed to improve antivirus and EDR evasion
#ParsedReport
21-12-2022
Reports of ProxyNotShell Vulnerabilities Being Actively Exploited (CVE-2022-41040 and CVE-2022-41082)
https://socradar.io/reports-of-proxynotshell-vulnerabilities-being-actively-exploited-cve-2022-41040-and-cve-2022-41082
Threats:
Proxynotshell_vuln
Playcrypt
Owassrf
Plink
Anydesk_tool
Dllhijacker
Trojan.win64.agent.qwibok
CVEs:
CVE-2022-41082 [Vulners]
Vulners: Score: Unknown, CVSS: 2.8
Vulners: Exploitation: Unknown
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019)
CVE-2022-41040 [Vulners]
Vulners: Score: Unknown, CVSS: 3.2
Vulners: Exploitation: True
X-Force: Risk: 6.5
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019)
CVE-2022-41080 [Vulners]
Vulners: Score: Unknown, CVSS: 3.4
Vulners: Exploitation: Unknown
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019)
IOCs:
File: 2
IP: 1
Hash: 5
Softs:
microsoft exchange
SOCRadar® Cyber Intelligence Inc.
Reports of ProxyNotShell Vulnerabilities Being Actively Exploited (CVE-2022-41040 and CVE-2022-41082) - SOCRadar® Cyber Intelligence…
According to reports, the zero-day vulnerabilities CVE-2022-41040 and CVE-2022-41082, dubbed ProxyNotShell, are still being actively exploited.
#ParsedReport
21-12-2022
Conti Team One Splinter Group Resurfaces as Royal Ransomware with Callback Phishing Attacks
https://www.trendmicro.com/en_us/research/22/l/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-wit.html
Threats:
Royal_ransomware
Conti
Zeon
Cobalt_strike
Qakbot
Netscan_tool
Process_hacker_tool
Pchunter_tool
Powertool_tool
Gmer_tool
Adfind_tool
Ransom.win64.yoral.smyxcjct
Trojan.win64.cobalt.be
Trojan.win32.deyma.am
Swrort
Ransom.win32.yoral.yxckb
Ransom.win32.yoral.yecjyt
Geo:
Brazil
IOCs:
Command: 1
File: 2
Hash: 20
Softs:
psexec
Algorithms:
aes
Functions:
OpenSSLs
Win API:
FindFirstFileW, FindNextFileW, FindClose, NetShareEnum
Trend Micro
Conti Team One Splinter Group Resurfaces as Royal Ransomware with Callback Phishing Attacks
#ParsedReport
21-12-2022
Kiss-a-Dog Discovered Utilizing a 20-Year-Old Process Hider
https://www.cadosecurity.com/kiss-a-dog-discovered-utilizing-a-20-year-old-process-hider
Actors/Campaigns:
Kiss_a_dog
Teamtnt
Threats:
Xhide_tool
Tsunami_botnet
Xmrig_miner
Diamorphine_rootkit
Libprocesshider_rootkit
Log4shell_vuln
TTPs:
Tactics: 1
Technics: 0
IOCs:
Domain: 1
Url: 1
Hash: 7
Softs:
docker, redis, ubuntu, unix, macos
Algorithms:
base64
Languages:
python
Platforms:
arm
Links:
https://github.com/chenkaie/junkcode/blob/master/xhide.c
https://github.com/cado-security
https://github.com/m0nad/Diamorphine
https://github.com/gianlucaborello/libprocesshider
Cado Security | Cloud Forensics & Incident Response
Kiss-a-Dog Discovered Utilizing a 20-Year-Old Process Hider - Cado Security | Cloud Forensics & Incident Response
Researchers at Crowdstrike recently discovered a novel cryptojacking campaign, targeting Docker and Kubernetes, that they named Kiss-a-Dog.
#ParsedReport
21-12-2022
RisePro Stealer and Pay-Per-Install Malware PrivateLoader
https://flashpoint.io/blog/risepro-stealer-and-pay-per-install-malware-privateloader
Threats:
Risepro
Privateloader
Vidar_stealer
Arkei_stealer
Oski_stealer
Geo:
Russian
IOCs:
Hash: 6
Domain: 2
Softs:
telegram
Languages:
php
Flashpoint
“RisePro” Stealer Returns with New Updates
RisePro stealer, which was first identified in December 2022 and went dark shortly after, has returned with improvements for its operators.
#ParsedReport
21-12-2022
Godfather:
https://blog.group-ib.com/godfather-trojan
Threats:
Godfather
Anubis
Cerberus
Industry:
Financial
Geo:
Belarus, Moldova, Turkey, France, Uzbekistan, Poland, Spanish, Armenia, Canada, Germany, Azerbaijan, Kyrgyzstan, Italy, Tajikistan, Russian, Spain, Kazakhstan, Turkish, Russia
TTPs:
Tactics: 1
Technics: 0
IOCs:
Domain: 4
File: 1
Hash: 11
Url: 6
Softs:
android, telegram, unix
Algorithms:
aes, cbc
Languages:
php, java
Links:
https://github.com/LibVNC/libvncserver
Group-IB
Godfather Trojan - mobile banking malware that is impossible to refuse
Trojan Godfather is currently being utilized to attack users of financial services across the globe. Find out what it is and how to protect yourself from it!
#ParsedReport
21-12-2022
Fake jQuery Domain Redirects Site Visitors to Scam Pages
https://blog.sucuri.net/2022/12/fake-jquery-domain-redirects-site-visitors-scam.html
Threats:
Parallax_rat
Socgholish_loader
Geo:
Russian
IOCs:
Url: 3
Domain: 12
IP: 1
Softs:
wordpress, cpanel
Languages:
javascript
Platforms:
apple
Sucuri Blog
Fake jQuery Domain Redirects Site Visitors to Scam Pages
Attackers are using jQuery0 in their domain name to trick visitors and webmasters into thinking sites are loading resources from the popular jQuery JavaScript library.
#ParsedReport
21-12-2022
BrasDex: A new Brazilian ATS Android Banker with ties to Desktop malware
https://www.threatfabric.com/blogs/brasdex-a-new-brazilian-ats-malware.html
Threats:
Brasdex
Metamorfo
Bratarat
Vultur
Flubot
Gustuff
Sharkbot
Cashback
Industry:
Financial
Geo:
Brasil, Brazil, Brazilian, Ita, Latam, America
IOCs:
Hash: 5
Domain: 1
File: 2
Softs:
android
Algorithms:
zip
Functions:
SetPwCharAt
Languages:
autoit, javascript, delphi
Platforms:
intel
ThreatFabric
BrasDex: A new Brazilian ATS Android Banker with ties to Desktop malware
ThreatFabric’s analysts discovered a multi-platform banking malware campaign targeting Brazil, reaching thousands of victims.
#ParsedReport
21-12-2022
SpiderLabs Blog. Malicious Macros Adapt to Use Microsoft Publisher to Push Ekipa RAT
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/malicious-macros-adapt-to-use-microsoft-publisher-to-push-ekipa-rat
Threats:
Ekipa_rat
Amsi_bypass_technique
Cobalt_strike
Beacon
Quantum_locker
Emotet
Svcready_loader
Uac_bypass_technique
Industry:
Education, Government, Financial
Geo:
Ukraine, Ukrainian, Russia, Russian
TTPs:
Tactics: 1
Technics: 0
IOCs:
Hash: 56
File: 13
Domain: 3
IP: 7
Url: 10
Softs:
microsoft publisher, visual basic for applications, microsoft word, microsoft defender, microsoft office, microsoft excel
Algorithms:
zip
Win API:
SetTimer, SendInput
Languages:
visual_basic
Links:
https://github.com/S3cur3Th1sSh1t/WinPwn
Trustwave
Malicious Macros Adapt to Use Microsoft Publisher to Push Ekipa RAT | Trustwave
After Microsoft announced this year that macros from the Internet will be blocked by default in Office, many threat actors have switched to different file types such as Windows Shortcut (LNK), ISO or ZIP files, to distribute their malware.
#ParsedReport
21-12-2022
Adult popunder campaign used in mainstream ad fraud scheme
https://www.malwarebytes.com/blog/threat-intelligence/2022/12/adult-popunder-campaign-used-in-mainstream-ad-fraud-scheme
Threats:
Popunder_technique
Geo:
Russian
Softs:
wordpress
Malwarebytes
Adult popunder campaign used in mainstream ad fraud scheme
Taking advantage of cost effective and high traffic adult portals, a threat actor is secretly defrauding advertisers by displaying Google ads under the disguise of an XXX page.
#ParsedReport
21-12-2022
Meddler-in-the-Middle Phishing Attacks Explained
https://unit42.paloaltonetworks.com/meddler-phishing-attacks
Threats:
Evilginx_tool
Mitm_technique
Cloaking_technique
Robin_banks_tool
Caffeine_tool
Modlishka_tool
Muraena_tool
Evilnovnc_tool
Evilproxy_tool
Credential_stealing_technique
Industry:
Financial
IOCs:
Domain: 7
Softs:
chrome
Links:
https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication#configuring-two-factor-authentication-using-a-security-key
Unit 42
Meddler-in-the-Middle Phishing Attacks Explained
Meddler-in-the-Middle (MitM) phishing attacks show how threat actors find ways to get around traditional defenses and advice.
#ParsedReport
21-12-2022
OWASSRF: CrowdStrike Identifies New Exploit Method for Exchange Bypassing ProxyNotShell Mitigations
https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations
Threats:
Owassrf
Proxynotshell_vuln
Playcrypt
Plink
Anydesk_tool
CVEs:
CVE-2022-41082 [Vulners]
Vulners: Score: Unknown, CVSS: 2.8
Vulners: Exploitation: Unknown
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019)
CVE-2022-41123 [Vulners]
Vulners: Score: Unknown, CVSS: 3.4
Vulners: Exploitation: Unknown
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2016, 2019)
CVE-2022-41040 [Vulners]
Vulners: Score: Unknown, CVSS: 3.2
Vulners: Exploitation: True
X-Force: Risk: 6.5
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019)
CVE-2022-41080 [Vulners]
Vulners: Score: Unknown, CVSS: 3.4
Vulners: Exploitation: Unknown
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019)
IOCs:
Path: 1
Email: 1
Softs:
microsoft exchange, microsoft exchange server, microsoft iis server
Languages:
python
Links:
https://github.com/CrowdStrike/OWASSRF
CrowdStrike.com
OWASSRF: CrowdStrike Identifies New Exploit Method for Exchange Bypassing ProxyNotShell Mitigations
Learn how CrowdStrike recently discovered a new exploit method using CVE-2022-41080 and CVE-2022-41082 to achieve remote code execution (RCE) through Outlook Web Access.
#ParsedReport
20-12-2022
GuLoader's Unique Approach to Obfuscation: Understanding Stack Manipulation
https://www.0ffset.net/reverse-engineering/guloaders-stack-manipulation
Actors/Campaigns:
Tick
Threats:
Cloudeye
Agent_tesla
Formbook
Remcos_rat
Smokeloader
Cyberchef_tool
IOCs:
Hash: 1
Softs:
visual studio
Algorithms:
xor
Functions:
w_string_decrypt, string_decrypt, malloc, main, sub_401010, printf
Win API:
MessageBoxA
Languages:
python
YARA: Found
0ffset Training Solutions | Practical and Affordable Cyber Security Training
GuLoader's Obfuscation Technique: Understanding Stack Manipulation | 0ffset Training Solutions
Learn about GuLoader malware's stack manipulation technique for decrypting data blobs and how to implement it. A useful resource for those interested in reverse engineering shellcode or obfuscated malware.
[FIN7] Fin7 Unveiled: A deep dive into notorious cybercrime gang
https://www.prodaft.com/resource/detail/fin7-unveiled-deep-dive-notorious-cybercrime-gang
PRODAFT
PRODAFT – Cyber Threat Intelligence and Risk Intelligence
Explore advanced cybersecurity solutions, providing proactive defense against emerging threats. Learn more about our tailored intelligence, and cybercrime investigation solutions.
#ParsedReport
21-12-2022
Inside the IcedID BackConnect Protocol
https://www.team-cymru.com/post/inside-the-icedid-backconnect-protocol
Threats:
Icedid
Teamviewer_tool
Emotet
Geo:
Russia, Moldova, Chelyabinsk, Ukraine, Ukrainian
IOCs:
IP: 4
Domain: 1
Softs:
telegram, wireguard
Team-Cymru
Unveiling the IcedID BackConnect Protocol: Team Cymru Reveals
Discover the inner workings of the IcedID BackConnect Protocol with insights from a leading technology company. Uncover the intricate details in our blog post!
#ParsedReport
22-12-2022
Nitol DDoS Malware Installing Amadey Bot
https://asec.ahnlab.com/en/44504
Threats:
Nitol
Amadey
Lockbit
Themida_tool
Njrat_rat
Smokeloader
Teamviewer_tool
Anydesk_tool
Trojan/win.generic.r539958
Malware/mdp.behavior.m3108
Geo:
Korean
IOCs:
File: 7
Path: 1
Hash: 6
Url: 9
IP: 3
Domain: 1
Softs:
internet explorer
Languages:
csharp
ASEC
Nitol DDoS Malware Installing Amadey Bot - ASEC
The ASEC analysis team recently discovered that a threat actor has been using Nitol DDoS Bot to install Amadey. Amadey is a downloader that has been in circulation since 2018, and besides extorting user credentials, it can also be used for the purpose of…
#ParsedReport
22-12-2022
ASEC Weekly Phishing Email Threat Trends (December 4th, 2022 – December 10th, 2022)
https://asec.ahnlab.com/en/44596
Threats:
Agent_tesla
Formbook
Smokeloader
Cloudeye
Industry:
Financial, Transport
Geo:
Korea, Korean
TTPs:
IOCs:
File: 17
Url: 5
Algorithms:
zip
ASEC BLOG
ASEC Weekly Phishing Email Threat Trends (December 4th, 2022 – December 10th, 2022) - ASEC BLOG
Contents The ASEC analysis team monitors phishing email threats with the ASEC automatic sample analysis system (RAPIT) and Honeypot. This post will cover the cases of distribution of phishing emails during the week from December 4th, 2022 to December 10th…
#ParsedReport
22-12-2022
Qakbot Being Distributed via Virtual Disk Files (*.vhd)
https://asec.ahnlab.com/en/44662
Threats:
Qakbot
Motw_bypass_technique
Trojan/win.bankerx-gen.r538785
Industry:
Financial
IOCs:
File: 4
IP: 1
Hash: 5
ASEC BLOG
Qakbot Being Distributed via Virtual Disk Files (*.vhd) - ASEC BLOG
There’s been a recent increase in the distribution of malware using disk image files. Out of these, the Qakbot malware has been distributed in ISO and IMG file formats, and the ASEC analysis team discovered that it has recently changed its distribution to…
#ParsedReport
22-12-2022
MoneyMonger: Predatory Loan Scam Campaigns Move to Flutter
https://zimpstage.wpengine.com/blog/moneymonger-predatory-loan-scam-campaigns-move-to-flutter
Actors/Campaigns:
Moneymonger (motivation: information_theft)
Threats:
Bazarbackdoor
Industry:
Financial
Geo:
Peru, Indian
IOCs:
Url: 33
Hash: 39
File: 1
Softs:
flutter, flutters, flutter-java, android
Algorithms:
xor, aes
Functions:
collects_privateInfo
Languages:
java
Zimperium
MoneyMonger: Predatory Loan Scam Campaigns Move to Flutter - Zimperium
The Zimperium zLabs team recently discovered a Flutter application with malicious code. The Flutter-obfuscated malware campaign, MoneyMonger, is solely distributed through third-party app stores and sideloaded onto the victim’s Android device. Read more to…
#ParsedReport
22-12-2022
Vidar Stealer Exploiting Various Platforms
https://asec.ahnlab.com/en/44554
Threats:
Vidar_stealer
Trojan/win.injection.c5318441
Infostealer/win.generic.c5308804
Arkei_stealer
IOCs:
IP: 1
File: 1
Hash: 5
Softs:
telegram, tiktok, windows defender
Algorithms:
xor, zip, base64
ASEC
Vidar Stealer Exploiting Various Platforms - ASEC