#ParsedReport
22-12-2022
Nitol DDoS Malware Installing Amadey Bot
https://asec.ahnlab.com/en/44504
Threats:
Nitol
Amadey
Lockbit
Themida_tool
Njrat_rat
Smokeloader
Teamviewer_tool
Anydesk_tool
Trojan/win.generic.r539958
Malware/mdp.behavior.m3108
Geo:
Korean
IOCs:
File: 7
Path: 1
Hash: 6
Url: 9
IP: 3
Domain: 1
Softs:
internet explorer
Languages:
csharp
ASEC
Nitol DDoS Malware Installing Amadey Bot - ASEC
The ASEC analysis team recently discovered that a threat actor has been using Nitol DDoS Bot to install Amadey. Amadey is a downloader that has been in circulation since 2018, and besides extorting user credentials, it can also be used for the purpose of…
#ParsedReport
22-12-2022
ASEC Weekly Phishing Email Threat Trends (December 4th, 2022 – December 10th, 2022)
https://asec.ahnlab.com/en/44596
Threats:
Agent_tesla
Formbook
Smokeloader
Cloudeye
Industry:
Financial, Transport
Geo:
Korea, Korean
TTPs:
IOCs:
File: 17
Url: 5
Algorithms:
zip
ASEC BLOG
ASEC Weekly Phishing Email Threat Trends (December 4th, 2022 – December 10th, 2022) - ASEC BLOG
Contents The ASEC analysis team monitors phishing email threats with the ASEC automatic sample analysis system (RAPIT) and Honeypot. This post will cover the cases of distribution of phishing emails during the week from December 4th, 2022 to December 10th…
#ParsedReport
22-12-2022
Qakbot Being Distributed via Virtual Disk Files (*.vhd)
https://asec.ahnlab.com/en/44662
Threats:
Qakbot
Motw_bypass_technique
Trojan/win.bankerx-gen.r538785
Industry:
Financial
IOCs:
File: 4
IP: 1
Hash: 5
ASEC BLOG
Qakbot Being Distributed via Virtual Disk Files (*.vhd) - ASEC BLOG
There’s been a recent increase in the distribution of malware using disk image files. Out of these, the Qakbot malware has been distributed in ISO and IMG file formats, and the ASEC analysis team discovered that it has recently changed its distribution to…
#ParsedReport
22-12-2022
MoneyMonger: Predatory Loan Scam Campaigns Move to Flutter
https://zimpstage.wpengine.com/blog/moneymonger-predatory-loan-scam-campaigns-move-to-flutter
Actors/Campaigns:
Moneymonger (motivation: information_theft)
Threats:
Bazarbackdoor
Industry:
Financial
Geo:
Peru, Indian
IOCs:
Url: 33
Hash: 39
File: 1
Softs:
flutter, flutters, flutter-java, android
Algorithms:
xor, aes
Functions:
collects_privateInfo
Languages:
java
Zimperium
MoneyMonger: Predatory Loan Scam Campaigns Move to Flutter - Zimperium
The Zimperium zLabs team recently discovered a Flutter application with malicious code. The Flutter-obfuscated malware campaign, MoneyMonger, is solely distributed through third-party app stores and sideloaded onto the victim’s Android device. Read more to…
#ParsedReport
22-12-2022
Vidar Stealer Exploiting Various Platforms
https://asec.ahnlab.com/en/44554
Threats:
Vidar_stealer
Trojan/win.injection.c5318441
Infostealer/win.generic.c5308804
Arkei_stealer
IOCs:
IP: 1
File: 1
Hash: 5
Softs:
telegram, tiktok, windows defender
Algorithms:
xor, zip, base64
ASEC
Vidar Stealer Exploiting Various Platforms - ASEC
#ParsedReport
22-12-2022
Phishing Attacks Impersonating Famous Korean Banking Apps
https://asec.ahnlab.com/en/44680
Actors/Campaigns:
Kimsuky
Industry:
Financial
Geo:
Korea, Japan, Singapore, Korean
IOCs:
IP: 3
Domain: 25
Url: 25
ASEC BLOG
Phishing Attacks Impersonating Famous Korean Banking Apps - ASEC BLOG
The ASEC analysis team recently identified that multiple malicious domains targeting normal websites of the financial sector had been created. From early November, we detected multiple distribution cases of phishing emails impersonating Naver Help. Through…
#ParsedReport
22-12-2022
Ransomware and wiper signed with stolen certificates
https://securelist.com/ransomware-and-wiper-signed-with-stolen-certificates/108350
Threats:
Roadsweep
Zerocleare_wiper
Anydesk_tool
Disttrack
Dustman_wiper
Alureon
Ransom.win32.agent.gen
Ransom.win32.gen.aghh
Ransom.win64.agent.dpf
Industry:
Telco, Government, Ngo
Geo:
Albanian, Albania, Iran, Kuwait
IOCs:
Hash: 8
File: 2
Path: 1
Algorithms:
rc4
Functions:
CreateFile
Win API:
WriteFile, CryptDecrypt
Links:
https://github.com/maldevel/WinRC4/blob/master/WinRC4/rc4.c
https://github.com/hfiref0x/TDL
Securelist
Stolen certificates in two waves of ransomware and wiper attacks
In this report, we compare the ROADSWEEP ransomware and ZEROCLEARE wiper versions used in two waves of attacks against Albanian government organizations.
#ParsedReport
22-12-2022
New Ransomware Strains Emerging from Leaked Conti's Source Code
https://blog.cyble.com/2022/12/22/new-ransomware-strains-emerging-from-leaked-contis-source-code
Actors/Campaigns:
Putin_team
Bluesky
Threats:
Conti
Scarecrow
Babuk
Industry:
Financial
Geo:
Russian
TTPs:
Tactics: 4
Technics: 6
IOCs:
File: 10
Hash: 6
Softs:
telegram
Algorithms:
exhibit, chacha20
Functions:
CreateIOCompletionPort, GetQueuedCompletionPort
Win API:
GetLogicalDriveStringsW, PostQueuedCompletionStatus
Cyble
New Ransomware Strains From Leaked Conti Code
Cyble Research and Intelligence Labs analyzes multiple ransomware strains created based on leaked source code of Conti Ransomware.
#ParsedReport
22-12-2022
Web3 IPFS Currently Used For Phishing
https://www.trendmicro.com/en_us/research/22/l/web3-ipfs-only-used-for-phishing---so-far.html
Industry:
Financial
IOCs:
Url: 1
Hash: 1
Trend Micro
Web3 IPFS Currently Used For Phishing
We discuss the use of the InterPlanetary File System (IPFS) in phishing attacks.
#ParsedReport
22-12-2022
SiestaGraph: New implant uncovered in ASEAN member foreign ministry
https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry
Threats:
Siestagraph
Seth_locker
Doorme
Dll_sideloading_technique
Cobalt_strike
Chinachopper
Godzilla_loader
Dcsync_technique
Process_injection_technique
Industry:
Foodtech, Government
Geo:
Netherlands, Asia, China, Asian
TTPs:
Tactics: 10
Technics: 0
IOCs:
File: 17
IP: 1
Path: 6
Hash: 14
Softs:
microsoft exchange server, windows service, microsoft exchange, windows media player, kibana
Algorithms:
base64, zip, 7zip
Win API:
NtAllocateVirtualMemory, NtProtectVirtualMemory, NtCreateThreadEx
Languages:
javascript, jscript
YARA: Found
Links:
https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
https://github.com/elastic/protections-artifacts/blob/main/behavior/rules/initial_access_suspicious_microsoft_iis_worker_descendant.toml
https://github.com/elastic/detection-rules/blob/main/rules/windows/collection_email_powershell_exchange_mailbox.toml
https://github.com/elastic/detection-rules/blob/main/rules/windows/collection_winrar_encryption.toml
https://github.com/ysrc/webshell-sample/blob/master/aspx/54a5620d4ea42e41beac08d8b1240b642dd6fd7c.aspx#L11
https://github.com/elastic/protections-artifacts/blob/main/behavior/rules/defense_evasion_potential_masquerading_as_svchost.toml
https://github.com/tennc/webshell/blob/master/Godzilla/123.ashx
https://github.com/elastic/detection-rules/blob/main/rules/windows/discovery_net_view.toml
https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_dcsync_replication_rights.toml
https://github.com/elastic/detection-rules/blob/main/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_suspicious_certutil_commands.toml
https://github.com/elastic/protections-artifacts/blob/main/yara/rules/Windows_VulnDriver_Mhyprot.yar
https://github.com/KoenZomers/OneDriveAPI
https://github.com/elastic/protections-artifacts/blob/main/behavior/rules/defense_evasion_binary_masquerading_via_untrusted_path.toml
www.elastic.co
SiestaGraph: New implant uncovered in ASEAN member foreign ministry — Elastic Security Labs
Elastic Security Labs is tracking likely multiple on-net threat actors leveraging Exchange exploits, web shells, and the newly discovered SiestaGraph implant to achieve and maintain access, escalate privilege, and exfiltrate targeted data.
#ParsedReport
22-12-2022
Custom-Branded Ransomware: The Vice Society Group and the Threat of Outsourced Development
https://www.sentinelone.com/labs/custom-branded-ransomware-the-vice-society-group-and-the-threat-of-outsourced-development
Actors/Campaigns:
Vice_society (motivation: financially_motivated)
Threats:
Polyvice
Printnightmare_vuln
Lolbin_technique
Hellokitty
Zeppelin
Redalert
Sunnyday
IOCs:
Hash: 8
Email: 5
Domain: 8
Softs:
esxi
Algorithms:
chacha20-poly1305, ntruencrypt
Functions:
WaitForMultipleObject, Win32, FindFirstFile, FindNextFile
Win API:
CreateThread, CreateIoCompletionPort, GetQueuedCompletionStatus, PostQueuedCompletionStatus, WaitForMultipleObjects
YARA: Found
Links:
https://github.com/tbuktu/libntru
https://github.com/grigorig/chachapoly
SentinelOne
Custom-Branded Ransomware: The Vice Society Group and the Threat of Outsourced Development
New PolyVice ransomware is likely in use by multiple threat actors building re-branded payloads with the same custom encryption scheme.
#ParsedReport
22-12-2022
Google Ad fraud campaign used adult content to make millions
https://www.bleepingcomputer.com/news/security/google-ad-fraud-campaign-used-adult-content-to-make-millions
Threats:
Popunder_technique
Geo:
Russian
BleepingComputer
Google Ad fraud campaign used adult content to make millions
A massive advertising fraud campaign using Google Ads and 'popunders' on adult sites is estimated to have generated millions of ad impressions on stolen articles, making the fraudsters an estimated $275k per month.
#ParsedReport
22-12-2022
The Taxman Never Sleeps
https://www.fortinet.com/blog/threat-research/the-taxman-never-sleeps
Threats:
Emotet
Spectre_rat
Industry:
Financial
Geo:
Canada, Pakistan
IOCs:
File: 4
Path: 2
Url: 4
IP: 20
Hash: 3
Softs:
microsoft office
Algorithms:
zip
Languages:
python
Fortinet Blog
The Taxman Never Sleeps | FortiGuard Labs
FortiGuardLabs discovered a malicious email that included a tax form seemingly from the United States Internal Revenue Service (IRS) sent by the recently resurgent Emotet group. Read our blog to le…
#ParsedReport
22-12-2022
Chinese Phishing Campaign Abuses QR Codes to Steal Credit Card Details
https://threatresearch.ext.hp.com/chinese-phishing-campaign-abuses-qr-codes-to-steal-credit-card-details
Industry:
Government, Financial
Geo:
China, Chinese
IOCs:
Hash: 108
Domain: 100
Softs:
wechat
Algorithms:
aes
Languages:
javascript
YARA: Found
HP Wolf Security
Phishing Campaign Abuses QR Codes to Steal Credit Card Details | HP Wolf Security
Don’t let cyber threats get the best of you. Read our post, Phishing Campaign Abuses QR Codes to Steal Credit Card Details, to learn more about cyber threats and cyber security.
#ParsedReport
22-12-2022
Ransomware Roundup – Play Ransomware
https://www.fortinet.com/blog/threat-research/ransomware-roundup-play-ransomware
Threats:
Playcrypt
Lotl_technique
Lolbin_technique
W32/filecoder.play!tr.ransom
W32/filecoder.olt!tr.ransom
W32/filecoder.nhqdtez!tr.ransom
Industry:
Financial
TTPs:
Tactics: 1
Technics: 0
IOCs:
Hash: 38
Softs:
microsoft visual c++
Functions:
ReadMe
Fortinet Blog
Ransomware Roundup – Play | FortiGuard Labs
In this week's ransomware roundup, FortiGuard Labs covers the Play ransomware along with protection recommendations. Read our blog to find out more.…
#ParsedReport
22-12-2022
Trying to Steal Christmas (Again!)
https://www.fortinet.com/blog/threat-research/trying-to-steal-christmas-again
Threats:
Agent_tesla
Geo:
Dubai, Chile
IOCs:
File: 12
Hash: 5
Url: 1
Softs:
telegram
Win API:
VirtualAlloc
Languages:
autoit
Fortinet Blog
Trying to Steal Christmas (Again!) | FortiGuard Labs
FortiGuard Labs discovered some holiday-themed phishing examples that exploit excitement and interest in the holidays created by an AgentTesla affiliate. Read our blog to learn more about how malwa…
#ParsedReport
23-12-2022
Godfather Android banking malware is on the rise
https://www.malwarebytes.com/blog/news/2022/12/godfather-android-banking-malware-is-on-the-rise
Threats:
Godfather
Anubis
Industry:
Financial
Geo:
Spain, France, Belarusian, Germany, Azerbaijani, Canada, Turkish, Turkey, Russian
IOCs:
Hash: 1
Softs:
android, telegram
Malwarebytes
Godfather Android banking malware is on the rise
Researchers have uncovered a new campaign of the Godfather banking Trojan, that comes with some new tricks.
#ParsedReport
23-12-2022
Python crawling on your keys
https://labs.k7computing.com/index.php/python-crawling-on-your-keys
IOCs:
File: 3
Hash: 1
Softs:
pyinstaller, chrome, internet explorer
Functions:
createStartup
Languages:
python
Links:
https://github.com/rocky/python-decompile3
https://github.com/extremecoders-re/pyinstxtractor
K7 Labs
Python crawling on your keys - K7 Labs
Python is extensively being used for developing software, testing, automating tasks and for data interpretation. Similar to how it is […]
#ParsedReport
23-12-2022
New RisePro Stealer distributed by the prominent PrivateLoader
https://blog.sekoia.io/new-risepro-stealer-distributed-by-the-prominent-privateloader
Actors/Campaigns:
Lapsus
Dev-0960
Threats:
Risepro
Privateloader
Redline_stealer
Raccoon_stealer
Dead_drop_technique
Cobalt_strike
Bumblebee
Mixloader
Vidar_stealer
Industry:
Financial
TTPs:
Tactics: 6
Technics: 16
IOCs:
Hash: 63
File: 8
Url: 3
Domain: 37
Path: 1
IP: 3
Softs:
telegram, google chrome, nichrome, chromodo, torch, orbitum, coowon, chromium, vivaldi, chedot, have more...
Algorithms:
xor, zip
Functions:
GetModuleHandle
Win API:
GetProcAddress, RtlGetVersion
Languages:
php
YARA: Found
Sekoia.io Blog
New RisePro Stealer distributed by the prominent PrivateLoader
RisePro is a new undocumented stealer. According to SEKOIA.IO analysts, it has similarities with PrivateLoader.
#ParsedReport
23-12-2022
New YouTube Bot Malware Spotted Stealing Users' Sensitive Information
https://blog.cyble.com/2022/12/23/new-youtube-bots-malware-spotted-stealing-users-sensitive-information
Threats:
Antivm
Beacon
Process_injection_technique
TTPs:
Tactics: 8
Technics: 15
IOCs:
Hash: 12
File: 6
Path: 1
Softs:
virtualbox, task scheduler, chromium, chrome
Functions:
DetectVM, DeleteProcessesByMutexName, RegisterScheduledTask, Grab, CookieRecovery, AutofillRecovery, PassRecovery, ClickAsync, ConnectToServer, OnServerMessageReceived, have more...
Cyble
New YouTube Bot Malware Steals User Info
CRIL analyzes how Threat Actors are using YouTube bot malware to increase the views of YouTube videos and how it communicates with C&C server.
#ParsedReport
23-12-2022
ASEC Weekly Phishing Email Threat Trend (20221211 ~ 20221217)
https://asec.ahnlab.com/ko/44684
Threats:
Agent_tesla
Formbook
Amadey
Beamwinhttp_loader
Industry:
Transport, Financial
Geo:
Korean
TTPs:
IOCs:
File: 38
Url: 5
Algorithms:
zip
ASEC BLOG
ASEC Weekly Phishing Email Threat Trends (20221211 ~ 20221217) - ASEC BLOG
The ASEC analysis team monitors phishing email threats using its automatic sample analysis system (RAPIT) and honeypots. This post presents the distribution cases of phishing email attacks identified during the week from December 11 to December 17, 2022, together with statistics classifying them by type. In general, phishing refers to an attack in which an attacker uses social engineering, mainly via email, to disguise themselves as or impersonate an institution, company, or individual in order to steal the user's login account (credential) information.…