#ParsedReport
21-12-2022
Fake jQuery Domain Redirects Site Visitors to Scam Pages
https://blog.sucuri.net/2022/12/fake-jquery-domain-redirects-site-visitors-scam.html
Threats:
Parallax_rat
Socgholish_loader
Geo:
Russian
IOCs:
Url: 3
Domain: 12
IP: 1
Softs:
wordpress, cpanel
Languages:
javascript
Platforms:
apple
Sucuri Blog
Fake jQuery Domain Redirects Site Visitors to Scam Pages
Attackers are using jQuery0 in their domain name to trick visitors and webmasters into thinking sites are loading resources from the popular jQuery JavaScript library.
#ParsedReport
21-12-2022
BrasDex: A new Brazilian ATS Android Banker with ties to Desktop malware
https://www.threatfabric.com/blogs/brasdex-a-new-brazilian-ats-malware.html
Threats:
Brasdex
Metamorfo
Bratarat
Vultur
Flubot
Gustuff
Sharkbot
Cashback
Industry:
Financial
Geo:
Brasil, Brazil, Brazilian, Ita, Latam, America
IOCs:
Hash: 5
Domain: 1
File: 2
Softs:
android
Algorithms:
zip
Functions:
SetPwCharAt
Languages:
autoit, javascript, delphi
Platforms:
intel
ThreatFabric
BrasDex: A new Brazilian ATS Android Banker with ties to Desktop malware
ThreatFabric’s analysts discovered a multi-platform banking malware campaign targeting Brazil, reaching thousands of victims.
#ParsedReport
21-12-2022
SpiderLabs Blog. Malicious Macros Adapt to Use Microsoft Publisher to Push Ekipa RAT
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/malicious-macros-adapt-to-use-microsoft-publisher-to-push-ekipa-rat
Threats:
Ekipa_rat
Amsi_bypass_technique
Cobalt_strike
Beacon
Quantum_locker
Emotet
Svcready_loader
Uac_bypass_technique
Industry:
Education, Government, Financial
Geo:
Ukraine, Ukrainian, Russia, Russian
TTPs:
Tactics: 1
Technics: 0
IOCs:
Hash: 56
File: 13
Domain: 3
IP: 7
Url: 10
Softs:
microsoft publisher, visual basic for applications, microsoft word, microsoft defender, microsoft office, microsoft excel
Algorithms:
zip
Win API:
SetTimer, SendInput
Languages:
visual_basic
Links:
https://github.com/S3cur3Th1sSh1t/WinPwn
Trustwave
Malicious Macros Adapt to Use Microsoft Publisher to Push Ekipa RAT | Trustwave
After Microsoft announced this year that macros from the Internet will be blocked by default in Office , many threat actors have switched to different file types such as Windows Shortcut (LNK), ISO or ZIP files, to distribute their malware.
#ParsedReport
21-12-2022
Adult popunder campaign used in mainstream ad fraud scheme
https://www.malwarebytes.com/blog/threat-intelligence/2022/12/adult-popunder-campaign-used-in-mainstream-ad-fraud-scheme
Threats:
Popunder_technique
Geo:
Russian
Softs:
wordpress
Malwarebytes
Adult popunder campaign used in mainstream ad fraud scheme
Taking advantage of cost effective and high traffic adult portals, a threat actor is secretly defrauding advertisers by displaying Google ads under the disguise of an XXX page.
#ParsedReport
21-12-2022
Meddler-in-the-Middle Phishing Attacks Explained
https://unit42.paloaltonetworks.com/meddler-phishing-attacks
Threats:
Evilginx_tool
Mitm_technique
Cloaking_technique
Robin_banks_tool
Caffeine_tool
Modlishka_tool
Muraena_tool
Evilnovnc_tool
Evilproxy_tool
Credential_stealing_technique
Industry:
Financial
IOCs:
Domain: 7
Softs:
chrome
Links:
https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication#configuring-two-factor-authentication-using-a-security-key
Unit 42
Meddler-in-the-Middle Phishing Attacks Explained
Meddler-in-the-Middle (MitM) phishing attacks show how threat actors find ways to get around traditional defenses and advice.
#ParsedReport
21-12-2022
OWASSRF: CrowdStrike Identifies New Exploit Method for Exchange Bypassing ProxyNotShell Mitigations
https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations
Threats:
Owassrf
Proxynotshell_vuln
Playcrypt
Plink
Anydesk_tool
CVEs:
CVE-2022-41082 [Vulners]
Vulners: Score: Unknown, CVSS: 2.8
Vulners: Exploitation: Unknown
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019)
CVE-2022-41123 [Vulners]
Vulners: Score: Unknown, CVSS: 3.4
Vulners: Exploitation: Unknown
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2016, 2019)
CVE-2022-41040 [Vulners]
Vulners: Score: Unknown, CVSS: 3.2
Vulners: Exploitation: True
X-Force: Risk: 6.5
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019)
CVE-2022-41080 [Vulners]
Vulners: Score: Unknown, CVSS: 3.4
Vulners: Exploitation: Unknown
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019)
IOCs:
Path: 1
Email: 1
Softs:
microsoft exchange, microsoft exchange server, microsoft iis server
Languages:
python
Links:
https://github.com/CrowdStrike/OWASSRF
CrowdStrike.com
OWASSRF: CrowdStrike Identifies New Exploit Method for Exchange Bypassing ProxyNotShell Mitigations
Learn how CrowdStrike recently discovered a new exploit method using CVE-2022-41080 and CVE-2022-41082 to achieve remote code execution (RCE) through Outlook Web Access.
#ParsedReport
20-12-2022
GuLoader's Unique Approach to Obfuscation: Understanding Stack Manipulation
https://www.0ffset.net/reverse-engineering/guloaders-stack-manipulation
Actors/Campaigns:
Tick
Threats:
Cloudeye
Agent_tesla
Formbook
Remcos_rat
Smokeloader
Cyberchef_tool
IOCs:
Hash: 1
Softs:
visual studio
Algorithms:
xor
Functions:
w_string_decrypt, string_decrypt, malloc, main, sub_401010, printf
Win API:
MessageBoxA
Languages:
python
YARA: Found
0ffset Training Solutions | Practical and Affordable Cyber Security Training
GuLoader's Obfuscation Technique: Understanding Stack Manipulation | 0ffset Training Solutions
Learn about GuLoader malware's stack manipulation technique for decrypting data blobs and how to implement it. A useful resource for those interested in reverse engineering shellcode or obfuscated malware.
[FIN7] Fin7 Unveiled: A deep dive into notorious cybercrime gang
https://www.prodaft.com/resource/detail/fin7-unveiled-deep-dive-notorious-cybercrime-gang
PRODAFT
PRODAFT – Cyber Threat Intelligence and Risk Intelligence
Explore advanced cybersecurity solutions, providing proactive defense against emerging threats. Learn more about our tailored intelligence, and cybercrime investigation solutions.
#ParsedReport
21-12-2022
Inside the IcedID BackConnect Protocol
https://www.team-cymru.com/post/inside-the-icedid-backconnect-protocol
Threats:
Icedid
Teamviewer_tool
Emotet
Geo:
Russia, Moldova, Chelyabinsk, Ukraine, Ukrainian
IOCs:
IP: 4
Domain: 1
Softs:
telegram, wireguard
Team-Cymru
Unveiling the IcedID BackConnect Protocol: Team Cymru Reveals
Discover the inner workings of the IcedID BackConnect Protocol with insights from a leading technology company. Uncover the intricate details in our blog post!
#ParsedReport
22-12-2022
Nitol DDoS Malware Installing Amadey Bot
https://asec.ahnlab.com/en/44504
Threats:
Nitol
Amadey
Lockbit
Themida_tool
Njrat_rat
Smokeloader
Teamviewer_tool
Anydesk_tool
Trojan/win.generic.r539958
Malware/mdp.behavior.m3108
Geo:
Korean
IOCs:
File: 7
Path: 1
Hash: 6
Url: 9
IP: 3
Domain: 1
Softs:
internet explorer
Languages:
csharp
ASEC
Nitol DDoS Malware Installing Amadey Bot - ASEC
The ASEC analysis team recently discovered that a threat actor has been using Nitol DDoS Bot to install Amadey. Amadey is a downloader that has been in circulation since 2018, and besides extorting user credentials, it can also be used for the purpose of…
#ParsedReport
22-12-2022
ASEC Weekly Phishing Email Threat Trends (December 4th, 2022 – December 10th, 2022)
https://asec.ahnlab.com/en/44596
Threats:
Agent_tesla
Formbook
Smokeloader
Cloudeye
Industry:
Financial, Transport
Geo:
Korea, Korean
TTPs:
IOCs:
File: 17
Url: 5
Algorithms:
zip
ASEC BLOG
ASEC Weekly Phishing Email Threat Trends (December 4th, 2022 – December 10th, 2022) - ASEC BLOG
Contents The ASEC analysis team monitors phishing email threats with the ASEC automatic sample analysis system (RAPIT) and Honeypot. This post will cover the cases of distribution of phishing emails during the week from December 4th, 2022 to December 10th…
#ParsedReport
22-12-2022
Qakbot Being Distributed via Virtual Disk Files (*.vhd)
https://asec.ahnlab.com/en/44662
Threats:
Qakbot
Motw_bypass_technique
Trojan/win.bankerx-gen.r538785
Industry:
Financial
IOCs:
File: 4
IP: 1
Hash: 5
ASEC BLOG
Qakbot Being Distributed via Virtual Disk Files (*.vhd) - ASEC BLOG
There’s been a recent increase in the distribution of malware using disk image files. Out of these, the Qakbot malware has been distributed in ISO and IMG file formats, and the ASEC analysis team discovered that it has recently changed its distribution to…
#ParsedReport
22-12-2022
MoneyMonger: Predatory Loan Scam Campaigns Move to Flutter
https://zimpstage.wpengine.com/blog/moneymonger-predatory-loan-scam-campaigns-move-to-flutter
Actors/Campaigns:
Moneymonger (motivation: information_theft)
Threats:
Bazarbackdoor
Industry:
Financial
Geo:
Peru, Indian
IOCs:
Url: 33
Hash: 39
File: 1
Softs:
flutter, flutters, flutter-java, android
Algorithms:
xor, aes
Functions:
collects_privateInfo
Languages:
java
Zimperium
MoneyMonger: Predatory Loan Scam Campaigns Move to Flutter - Zimperium
The Zimperium zLabs team recently discovered a Flutter application with malicious code. The Flutter-obfuscated malware campaign, MoneyMonger, is solely distributed through third-party app stores and sideloaded onto the victim’s Android device. Read more to…
#ParsedReport
22-12-2022
Vidar Stealer Exploiting Various Platforms
https://asec.ahnlab.com/en/44554
Threats:
Vidar_stealer
Trojan/win.injection.c5318441
Infostealer/win.generic.c5308804
Arkei_stealer
IOCs:
IP: 1
File: 1
Hash: 5
Softs:
telegram, tiktok, windows defender
Algorithms:
xor, zip, base64
ASEC
Vidar Stealer Exploiting Various Platforms - ASEC
#ParsedReport
22-12-2022
Phishing Attacks Impersonating Famous Korean Banking Apps
https://asec.ahnlab.com/en/44680
Actors/Campaigns:
Kimsuky
Industry:
Financial
Geo:
Korea, Japan, Singapore, Korean
IOCs:
IP: 3
Domain: 25
Url: 25
ASEC BLOG
Phishing Attacks Impersonating Famous Korean Banking Apps - ASEC BLOG
The ASEC analysis team recently identified that multiple malicious domains targeting normal websites of the financial sector had been created. From early November, we detected multiple distribution cases of phishing emails impersonating Naver Help. Through…
#ParsedReport
22-12-2022
Ransomware and wiper signed with stolen certificates
https://securelist.com/ransomware-and-wiper-signed-with-stolen-certificates/108350
Threats:
Roadsweep
Zerocleare_wiper
Anydesk_tool
Disttrack
Dustman_wiper
Alureon
Ransom.win32.agent.gen
Ransom.win32.gen.aghh
Ransom.win64.agent.dpf
Industry:
Telco, Government, Ngo
Geo:
Albanian, Albania, Iran, Kuwait
IOCs:
Hash: 8
File: 2
Path: 1
Algorithms:
rc4
Functions:
CreateFile
Win API:
WriteFile, CryptDecrypt
Links:
https://github.com/maldevel/WinRC4/blob/master/WinRC4/rc4.c
https://github.com/hfiref0x/TDL
Securelist
Stolen certificates in two waves of ransomware and wiper attacks
In this report, we compare the ROADSWEEP ransomware and ZEROCLEARE wiper versions used in two waves of attacks against Albanian government organizations.
#ParsedReport
22-12-2022
New Ransomware Strains Emerging from Leaked Conti's Source Code
https://blog.cyble.com/2022/12/22/new-ransomware-strains-emerging-from-leaked-contis-source-code
Actors/Campaigns:
Putin_team
Bluesky
Threats:
Conti
Scarecrow
Babuk
Industry:
Financial
Geo:
Russian
TTPs:
Tactics: 4
Technics: 6
IOCs:
File: 10
Hash: 6
Softs:
telegram
Algorithms:
exhibit, chacha20
Functions:
CreateIOCompletionPort, GetQueuedCompletionPort
Win API:
GetLogicalDriveStringsW, PostQueuedCompletionStatus
Cyble
New Ransomware Strains From Leaked Conti Code
Cyble Research and Intelligence Labs analyzes multiple ransomware strains created based on leaked source code of Conti Ransomware.
#ParsedReport
22-12-2022
Web3 IPFS Currently Used For Phishing
https://www.trendmicro.com/en_us/research/22/l/web3-ipfs-only-used-for-phishing---so-far.html
Industry:
Financial
IOCs:
Url: 1
Hash: 1
Trend Micro
Web3 IPFS Currently Used For Phishing
We discuss the use of the InterPlanetary File System (IPFS) in phishing attacks.
#ParsedReport
22-12-2022
SiestaGraph: New implant uncovered in ASEAN member foreign ministry. Key takeaways
https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry
Threats:
Siestagraph
Seth_locker
Doorme
Dll_sideloading_technique
Cobalt_strike
Chinachopper
Godzilla_loader
Dcsync_technique
Process_injection_technique
Industry:
Foodtech, Government
Geo:
Netherlands, Asia, China, Asian
TTPs:
Tactics: 10
Technics: 0
IOCs:
File: 17
IP: 1
Path: 6
Hash: 14
Softs:
microsoft exchange server, windows service, microsoft exchange, windows media player, kibana
Algorithms:
base64, zip, 7zip
Win API:
NtAllocateVirtualMemory, NtProtectVirtualMemory, NtCreateThreadEx
Languages:
javascript, jscript
YARA: Found
Links:
https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
https://github.com/elastic/protections-artifacts/blob/main/behavior/rules/initial_access_suspicious_microsoft_iis_worker_descendant.toml
https://github.com/elastic/detection-rules/blob/main/rules/windows/collection_email_powershell_exchange_mailbox.toml
https://github.com/elastic/detection-rules/blob/main/rules/windows/collection_winrar_encryption.toml
https://github.com/ysrc/webshell-sample/blob/master/aspx/54a5620d4ea42e41beac08d8b1240b642dd6fd7c.aspx#L11
https://github.com/elastic/protections-artifacts/blob/main/behavior/rules/defense_evasion_potential_masquerading_as_svchost.toml
https://github.com/tennc/webshell/blob/master/Godzilla/123.ashx
https://github.com/elastic/detection-rules/blob/main/rules/windows/discovery_net_view.toml
https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_dcsync_replication_rights.toml
https://github.com/elastic/detection-rules/blob/main/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_suspicious_certutil_commands.toml
https://github.com/elastic/protections-artifacts/blob/main/yara/rules/Windows_VulnDriver_Mhyprot.yar
https://github.com/KoenZomers/OneDriveAPI
https://github.com/elastic/protections-artifacts/blob/main/behavior/rules/defense_evasion_binary_masquerading_via_untrusted_path.toml
www.elastic.co
SiestaGraph: New implant uncovered in ASEAN member foreign ministry — Elastic Security Labs
Elastic Security Labs is tracking likely multiple on-net threat actors leveraging Exchange exploits, web shells, and the newly discovered SiestaGraph implant to achieve and maintain access, escalate privilege, and exfiltrate targeted data.
#ParsedReport
22-12-2022
Custom-Branded Ransomware: The Vice Society Group and the Threat of Outsourced Development
https://www.sentinelone.com/labs/custom-branded-ransomware-the-vice-society-group-and-the-threat-of-outsourced-development
Actors/Campaigns:
Vice_society (motivation: financially_motivated)
Threats:
Polyvice
Printnightmare_vuln
Lolbin_technique
Hellokitty
Zeppelin
Redalert
Sunnyday
IOCs:
Hash: 8
Email: 5
Domain: 8
Softs:
esxi
Algorithms:
chacha20-poly1305, ntruencrypt
Functions:
WaitForMultipleObject, Win32, FindFirstFile, FindNextFile
Win API:
CreateThread, CreateIoCompletionPort, GetQueuedCompletionStatus, PostQueuedCompletionStatus, WaitForMultipleObjects
YARA: Found
Links:
https://github.com/tbuktu/libntru
https://github.com/grigorig/chachapoly
SentinelOne
Custom-Branded Ransomware: The Vice Society Group and the Threat of Outsourced Development
New PolyVice ransomware is likely in use by multiple threat actors building re-branded payloads with the same custom encryption scheme.
#ParsedReport
22-12-2022
Google Ad fraud campaign used adult content to make millions
https://www.bleepingcomputer.com/news/security/google-ad-fraud-campaign-used-adult-content-to-make-millions
Threats:
Popunder_technique
Geo:
Russian
BleepingComputer
Google Ad fraud campaign used adult content to make millions
A massive advertising fraud campaign using Google Ads and 'popunders' on adult sites is estimated to have generated millions of ad impressions on stolen articles, making the fraudsters an estimated $275k per month.